Use Active Directory Group to authorize users on Freeradius 3.0.x

Igor Sousa igorvolt at gmail.com
Mon Feb 24 15:06:42 CET 2020


Hi Louis,

My freeradius server is a domain member of mydomain.com and, before I
configured the ldap module, I had tested the ntlm_auth configuration and it
had worked perfectly. As I said in the first email of this thread, I had
followed
http://deployingradius.com/documents/configuration/active_directory.html to
configure ntlm_auth.

My problem is the ldap module. The employee who administrates mydomain.com
has told me the ldap server on this domain isn't configured to operate over
TLS or SSL. He has confirmed to me that ldap on dc01 is listening on port
389/TCP and isn't configured for START TLS, so there is no need to accept
certificates to connect to it. Because of this, I've tried to use SASL +
KRB5 to connect the freeradius server to ldap on dc01.mydomain.com. It
doesn't work, though. When I tried to run a search with ldapsearch using
SASL from the command prompt of the freeradius server, it worked perfectly
fine. My question is why it doesn't work in the freeradius service.

PS1: I can connect to the ldap service on dc01 with the Apache Studio
application on port 389/TCP with no SSL or TLS configuration.

PS2: I've noticed the freeradius version (3.0.16) in the official CentOS 8
repository isn't the latest version. I'll try to install the latest (3.0.20)
version from source and try it.

Regards,
--
Igor Sousa
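
The two rlm_ldap bind failures quoted further down in this thread, as an added triage helper that is not from any of the list posters: it maps each failure to the layer that produced it, and the optional probe reproduces the GSSAPI bind as the service user. The service user name 'radiusd', the keytab path and the `sasl { mech = 'GSSAPI' }` knob name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Sample text below is copied from the
# radiusd -X output quoted in this thread; 'radiusd' as the service user and
# the keytab path in probe_gssapi_as_service_user are assumptions.

# Sample 1: simple bind with identity/password over cleartext port 389.
SAMPLE_SIMPLE='rlm_ldap (ldap): Bind with cn=Administrator,cn=Users,dc=mydomain,dc=com to ldap://dc01.mydomain.com:389 failed: Strong(er) authentication required
rlm_ldap (ldap): Server said: BindSimple: Transport encryption required.'

# Sample 2: identity/password commented out, so rlm_ldap falls back to SASL GSSAPI.
SAMPLE_GSSAPI='rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
SASL/GSSAPI authentication started
rlm_ldap (ldap): Bind with (anonymous) to ldap://dc01.mydomain.com:389 failed: Local error'

# Read an rlm_ldap excerpt on stdin; print "<code>: <what to check>".
classify_ldap_bind_log() {
    log=$(cat)
    case "$log" in
        *"Transport encryption required"*|*"Strong(er) authentication required"*)
            # The DC answered and refused: its policy forbids a cleartext simple bind.
            # Fix the transport (ldaps:// or StartTLS) or bind with SASL instead.
            echo "server-policy: cleartext simple bind refused by the DC; use ldaps:// or sasl { mech = 'GSSAPI' }" ;;
        *"Starting SASL mech(s): GSSAPI"*"Local error"*)
            # "Local error" is LDAP_LOCAL_ERROR (-2), raised inside the client library
            # before the DC gives any verdict: GSSAPI found no credentials it could use.
            # A kinit ticket lives in that shell user's cache; the radiusd process needs
            # its own principal, e.g. a keytab named by KRB5_CLIENT_KTNAME (MIT krb5).
            echo "client-gssapi: no usable Kerberos credentials in the radiusd process; point KRB5_CLIENT_KTNAME at a keytab it can read" ;;
        *)
            echo "unknown: no recognised rlm_ldap bind failure in input" ;;
    esac
}

# Reproduce the GSSAPI bind the way rlm_ldap performs it: as the service user,
# with a client keytab instead of an interactive ticket. Needs ldapsearch + keytab.
probe_gssapi_as_service_user() {
    dc=$1; base=$2; keytab=${3:-/etc/raddb/radiusd.keytab}   # assumed path
    su -s /bin/sh -c "KRB5_CLIENT_KTNAME='$keytab' ldapsearch -Y GSSAPI -LLL \
        -H 'ldap://$dc:389' -b '$base' -s base 1.1" radiusd 2>&1
}

# The classifier needs no network; run the live probe only when asked:
#   sh this_script.sh --probe dc01.mydomain.com 'ou=drc,dc=mydomain,dc=com'
if [ "${1-}" = "--probe" ]; then probe_gssapi_as_service_user "$2" "$3" "$4"; fi
```

Feed it a radiusd -X excerpt on stdin (`classify_ldap_bind_log < debug.txt`) to get the verdict; the probe shows what the service user actually sees, which a root shell with a fresh kinit does not.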


On Mon, 24 Feb 2020 at 05:00, L.P.H. van Belle via Freeradius-Users
<freeradius-users at lists.freeradius.org> wrote:

> Hai Igor,
>
> Samba messages:  Strong(er) authentication required
>
> That's it.
>
> man smb.conf
>     ntlm auth (G)
>
> And set: ntlm auth = mschapv2-and-ntlmv2-only
> for the AD DCs and members where needed.
>
> bind with (anonymous) to ldap://dc01.mydomain.com:389 failed:
> Local error, you need to set up a separate user to do these ldap binds.
>
> And last, did you set up certificates for the server and services?
> If not, I suggest you do that and use the ldaps ports; MS is preparing for
> that also, so be ahead of it.
>
> See if the above is sufficient to fix it, but I'm sure this is your problem.
>
>
> Greetz,
>
> Louis
>
>
> > -----Original message-----
> > From: Freeradius-Users
> > [mailto:freeradius-users-bounces+belle=bazuin.nl at lists.freeradius.org] On behalf of Igor Sousa
> > Sent: Saturday 22 February 2020 19:47
> > To: FreeRadius users mailing list
> > Subject: Re: Use Active Directory Group to authorize users on Freeradius 3.0.x
> >
> > I don't see any problem with the ldap search bind. The
> > DN cn=Administrator,cn=Users,dc=mydomain,dc=com, just as the
> > name says, is the administrator user of mydomain.com and can search any
> > other Organisational Unit of mydomain.com. All my users, except
> > Administrator, are in ou=drc,dc=mydomain,dc=com. The Samba 4 domain works
> > perfectly in Windows/Linux as in the other systems my company has.
> >
> >
> > When I tried to run radiusd -X with identity set in the ldap module,
> > radiusd -X reported
> >
> > rlm_ldap (ldap): Bind with cn=Administrator,cn=Users,dc=mydomain,dc=com to ldap://dc01.mydomain.com:389 failed: Strong(er) authentication required
> > rlm_ldap (ldap): Server said: BindSimple: Transport encryption required.
> >
> >
> > The employee who implemented the Samba DC at my company has notified me
> > that he hasn't set ldap to run over ssl or start tls. Because of this, I
> > have tried to use SASL. It worked fine when I tried to run a simple
> > search using ldapsearch after kinit, like this
> >
> > [root at centos8 ~]# kinit -a Administrator
> > [root at centos8 ~]# ldapsearch -LLL -h dc01.mydomain.com -b
> > "ou=drc,dc=mydomain,dc=com" sAMAccountName
> > SASL/GSS-SPNEGO authentication started
> >
> > SASL username: Administrator at MYDOMAIN.COM
> >
> > SASL SSF: 256
> >
> > SASL data security layer installed.
> >
> > <all users in ou=drc were shown>
> >
> >
> > But it hasn't worked with the freeradius ldap module.
> >
> > rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
> > rlm_ldap (ldap): Connecting to ldap://dc01.mydomain.com:389
> > rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
> > SASL/GSSAPI authentication started
> > rlm_ldap (ldap): Bind with (anonymous) to ldap://dc01.mydomain.com:389 failed: Local error
> > rlm_ldap (ldap): Opening connection failed (0)
> > rlm_ldap (ldap): Removing connection pool
> > /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
> >
> >
> > PS: I've used freeradius from the CentOS 8 repo, version 3.0.16, and
> > the host centos8 is a domain member of mydomain.com.
> >
> > --
> > Igor Sousa
> >
> >
> > On Sat, 22 Feb 2020 at 13:17, <uj2.hahn at posteo.de> wrote:
> >
> > > > rlm_ldap (ldap): Bind with
> > *cn=Administrator,cn=Users,dc=mydomain,dc=com*
> > >
> > > This doesn't match your ldap search binding:
> > > > "ou=drc,dc=mydomain,dc=com"
> > >
> > > Maybe this is the issue? Please double check your ldap settings!
> > > Regards
> > > Uwe
> > >
> > > On 21.02.2020 23:40, Igor Sousa wrote:
> > > > Hello everybody,
> > > >
> > > > I have had some problems authorizing users based on Active Directory
> > > > (Samba 4 DCs) groups.
> > > >
> > > > I have followed
> > > > http://deployingradius.com/documents/configuration/active_directory.html
> > > > to configure ntlm_auth and it works perfectly.
> > > >
> > > > As I need to restrict access to some AD groups, I need to configure the
> > > > ldap module. I've already configured the ldap module, but it was for
> > > > pure OpenLDAP (uid stores the username and userPassword stores the
> > > > password). Then, to set up the ldap module to access AD ldap, I've read
> > > > the comments in mods-available/ldap and I have set up "server",
> > > > "identity", "password" and "base_dn" in mods-enabled/ldap. I have also
> > > > set up
> > > >
> > > > to use the attribute that stores the username on AD
> > > > user {
> > > > ...
> > > > filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
> > > > ...
> > > > }
> > > >
> > > > and
> > > >
> > > > group {
> > > > ...
> > > > filter = '(objectClass=group)'
> > > > ...
> > > > name_attribute = cn
> > > > membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
> > > > membership_attribute = 'memberOf'
> > > > ...
> > > > }
> > > >
> > > > When I tried to run radiusd -X, it showed an error message about the
> > > > bind attempted to the ldap server:
> > > >
> > > > rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
> > > > rlm_ldap (ldap): Connecting to ldap://dc01.mydomain.com:389
> > > > rlm_ldap (ldap): Waiting for bind result...
> > > > rlm_ldap (ldap): Bind with cn=Administrator,cn=Users,dc=mydomain,dc=com to ldap://dc01.mydomain.com:389 failed: Strong(er) authentication required
> > > > rlm_ldap (ldap): Server said: BindSimple: Transport encryption required..
> > > > rlm_ldap (ldap): Opening connection failed (0)
> > > > rlm_ldap (ldap): Removing connection pool
> > > > /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
> > > >
> > > > I suspected SASL, since I hadn't been notified that LDAP uses STARTTLS
> > > > or SSL over TLS. Then I commented out identity and password and ran
> > > > radiusd -X:
> > > >
> > > > rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
> > > > rlm_ldap (ldap): Connecting to ldap://dc01.mydomain.com:389
> > > > rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
> > > > SASL/GSSAPI authentication started
> > > > rlm_ldap (ldap): Bind with (anonymous) to ldap://dc01.mydomain.com:389 failed: Local error
> > > > rlm_ldap (ldap): Opening connection failed (0)
> > > > rlm_ldap (ldap): Removing connection pool
> > > > /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
> > > >
> > > > I ran kinit Administrator before running the ldapsearch below and it
> > > > hasn't shown any ERROR.
> > > >
> > > > Please, can someone help me with my problem?
> > > >
> > > > [root at centos8 ~]# ldapsearch -LLL -h dc01.mydomain.com -b
> > > > "ou=drc,dc=mydomain,dc=com" sAMAccountName
> > > > SASL/GSS-SPNEGO authentication started
> > > >
> > > > SASL username: Administrator at MYDOMAIN.COM
> > > >
> > > > SASL SSF: 256
> > > >
> > > > SASL data security layer installed.
> > > >
> > > > --
> > > > Igor Sousa
> > > > -
> > > > List info/subscribe/unsubscribe? See
> > > > http://www.freeradius.org/list/users.html