Use Active Directory Group to authorize a users on Freeradius 3.0.x

uj2.hahn at posteo.de uj2.hahn at posteo.de
Tue Feb 25 08:19:04 CET 2020


Seems you enabled the SASL part in the ldap module. Is there a reason for it?
I guess I run a very similar installation (a test instance with OpenLDAP
and a production one with Active Directory). And both work fine w/o SASL.
And both I run with the ldap protocol on port 389.

Uwe

On 24.02.2020 15:06, Igor Sousa wrote:
> Hi Louis,
>
> My freeradius server is a domain member of mydomain.com and, before I
> configured the ldap module, I had tested the ntlm_auth configuration and it had
> worked perfectly. As I've said in the first email of this thread, I had
> followed
> http://deployingradius.com/documents/configuration/active_directory.html to
> configure ntlm_auth.
>
> My problem is the ldap module. The employee who administrates mydomain.com
> has told me the ldap server on this domain isn't configured to operate over
> TLS or SSL. He has confirmed to me that ldap on dc01 is listening on
> port 389/TCP and it isn't configured for START TLS, so there is no need
> to accept certificates to connect to it. Because of that, I've tried to use SASL +
> KRB5 for the freeradius server to communicate with ldap on dc01.mydomain.com. It
> doesn't work, though. When I've tried to run a search with ldapsearch using
> SASL on the command prompt of the freeradius server, it works perfectly fine. My
> question is why it doesn't work in the freeradius service.
>
> PS1: I can connect to the ldap service on dc01 with the Apache Studio application
> on port 389/TCP with no SSL or TLS configuration.
>
> PS2: I've noticed the freeradius version (3.0.16) in the official CentOS 8
> repository isn't the latest version. I'll try to install the latest (3.0.20)
> version from source and try it.
>
> Regards,
> --
> Igor Sousa
>
>
> On Mon, 24 Feb 2020 at 05:00, L.P.H. van Belle via Freeradius-Users
> <freeradius-users at lists.freeradius.org> wrote:
>
>> Hai Igor,
>>
>> Samba messages:  Strong(er) authentication required
>>
>> That's it.
>>
>> man smb.conf
>>      ntlm auth (G)
>>
>> And set : ntlm auth = mschapv2-and-ntlmv2-only
>> For the AD-Dc's and member's where needed.
>>
>> bind with (anonymous) to ldap://dc01.mydomain.com:389 failed:
>> Local error, you need to setup a separated user to do these ldap binds.
>>
>> And last, did you set up certificates for the server and services?
>> If not I suggest doing that and using the ldaps ports; MS is preparing for
>> that also, so be ahead of it.
>>
>> See if the above is sufficient to fix it, but I'm sure this is your problem.
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>>> -----Original message-----
>>> From: Freeradius-Users
>>> [mailto:freeradius-users-bounces+belle=bazuin.nl at lists.freeradius.org] On behalf of Igor Sousa
>>> Sent: Saturday 22 February 2020 19:47
>>> To: FreeRadius users mailing list
>>> Subject: Re: Use Active Directory Group to authorize a
>>> users on Freeradius 3.0.x
>>>
>>> I don't see any problem with the ldap search bind. The
>>> DN cn=Administrator,cn=Users,dc=mydomain,dc=com, just as the
>>> name says, is the administrator user of mydomain.com and can search any other
>>> Organisation Unit of mydomain.com. All my users, except Administrator, are
>>> in ou=drc,dc=mydomain,dc=com. The Samba 4 domain works perfectly in
>>> Windows/Linux as in other systems my company has.
>>>
>>>
>>> When I have tried to run radiusd -X with identity set in the ldap
>>> module, radiusd -X has reported
>>>
>>> rlm_ldap (ldap): Bind with cn=Administrator,cn=Users,dc=mydomain,dc=com to ldap://dc01.mydomain.com:389 failed: Strong(er) authentication required
>>> rlm_ldap (ldap): Server said: BindSimple: Transport encryption required.
>>>
>>>
>>> The employee who implemented the Samba DC at my company has notified me he
>>> hasn't set ldap to run over SSL or START TLS. Because of that, I have tried to use
>>> SASL. It has worked fine when I have tried to run a simple search using
>>> ldapsearch after kinit like this
>>>
>>> [root at centos8 ~]# kinit -a Administrator
>>> [root at centos8 ~]# ldapsearch -LLL -h dc01.mydomain.com -b "ou=drc,dc=mydomain,dc=com" sAMAccountName
>>> SASL/GSS-SPNEGO authentication started
>>>
>>> SASL username: Administrator at MYDOMAIN.COM
>>>
>>> SASL SSF: 256
>>>
>>> SASL data security layer installed.
>>>
>>> <all users on ou=drc was shown>
>>>
>>>
>>> But it hasn't worked with the freeradius ldap module.
>>>
>>> rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
>>> rlm_ldap (ldap): Connecting to ldap://dc01.mydomain.com:389
>>> rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
>>> SASL/GSSAPI authentication started
>>> rlm_ldap (ldap): Bind with (anonymous) to ldap://dc01.mydomain.com:389 failed: Local error
>>> rlm_ldap (ldap): Opening connection failed (0)
>>> rlm_ldap (ldap): Removing connection pool
>>> /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
>>>
>>>
>>> PS: I've used freeradius from the CentOS 8 repo, version 3.0.16,
>>> and the host centos8 is a domain member of mydomain.com.
>>>
>>> --
>>> Igor Sousa
>>>
>>>
>>> On Sat, 22 Feb 2020 at 13:17, <uj2.hahn at posteo.de> wrote:
>>>
>>>>> rlm_ldap (ldap): Bind with *cn=Administrator,cn=Users,dc=mydomain,dc=com*
>>>> This doesn't match your ldap search binding:
>>>>> "ou=drc,dc=mydomain,dc=com"
>>>> Maybe this is the issue? Please double check your ldap settings!
>>>> Regards
>>>> Uwe
>>>>
>>>> On 21.02.2020 23:40, Igor Sousa wrote:
>>>>> Hello everybody,
>>>>>
>>>>> I have had some problems authorizing users based on Active Directory
>>>>> (Samba 4 DCs) groups.
>>>>>
>>>>> I have followed
>>>>> http://deployingradius.com/documents/configuration/active_directory.html
>>>>> to configure ntlm_auth and it works perfectly.
>>>>>
>>>>> As I need to restrict access to some AD groups, I need to configure the ldap
>>>>> module. I've already configured the ldap module, but it has been pure OpenLDAP
>>>>> (uid stores the username and userPassword stores the password). Then, to set up the
>>>>> ldap module to access AD ldap, I've read the comments in mods-available/ldap and I
>>>>> have set up "server", "identity", "password" and "base_dn" in
>>>>> mods-enabled/ldap. I have also set up
>>>>>
>>>>> to use the attribute that stores the username on AD
>>>>> user {
>>>>> ...
>>>>> filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
>>>>> ...
>>>>> }
>>>>>
>>>>> and
>>>>>
>>>>> group {
>>>>> ...
>>>>> filter = '(objectClass=group)'
>>>>> ...
>>>>> name_attribute = cn
>>>>> membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
>>>>> membership_attribute = 'memberOf'
>>>>> ...
>>>>> }
>>>>>
>>>>> When I have tried to run radiusd -X, it has shown an error message about
>>>>> the bind attempted to the ldap server:
>>>>>
>>>>> rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
>>>>> rlm_ldap (ldap): Connecting to ldap://dc01.mydomain.com:389
>>>>> rlm_ldap (ldap): Waiting for bind result...
>>>>> rlm_ldap (ldap): Bind with cn=Administrator,cn=Users,dc=mydomain,dc=com to ldap://dc01.mydomain.com:389 failed: Strong(er) authentication required
>>>>> rlm_ldap (ldap): Server said: BindSimple: Transport encryption required..
>>>>> rlm_ldap (ldap): Opening connection failed (0)
>>>>> rlm_ldap (ldap): Removing connection pool
>>>>> /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
>>>>>
>>>>> I've suspected SASL because I haven't been notified that LDAP uses STARTTLS
>>>>> or SSL over TLS. Then I've commented out identity and password and run radiusd -X:
>>>>>
>>>>> rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
>>>>> rlm_ldap (ldap): Connecting to ldap://dc01.mydomain.com:389
>>>>> rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
>>>>> SASL/GSSAPI authentication started
>>>>> rlm_ldap (ldap): Bind with (anonymous) to ldap://dc01.mydomain.com:389 failed: Local error
>>>>> rlm_ldap (ldap): Opening connection failed (0)
>>>>> rlm_ldap (ldap): Removing connection pool
>>>>> /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
>>>>>
>>>>> I ran kinit Administrator before running the ldapsearch below and it hasn't
>>>>> shown any ERROR.
>>>>>
>>>>> Please, can someone help me with my problem?
>>>>>
>>>>> [root at centos8 ~]# ldapsearch -LLL -h dc01.mydomain.com -b "ou=drc,dc=mydomain,dc=com" sAMAccountName
>>>>> SASL/GSS-SPNEGO authentication started
>>>>> SASL username: Administrator at MYDOMAIN.COM
>>>>> SASL SSF: 256
>>>>> SASL data security layer installed.
>>>>>
>>>>> --
>>>>> Igor Sousa
>>>>> -
>>>>> List info/subscribe/unsubscribe? See
>>>> http://www.freeradius.org/list/users.html
>>>>
>>>
>>
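An added example, not code from any participant in this thread or from the FreeRADIUS project: a small Python audit that parses an rlm_ldap mods-enabled/ldap fragment shaped like the one in the thread, flags a simple bind (identity plus password) that would travel over plain ldap:// without start_tls, which is the combination the Samba DC answers with "Strong(er) authentication required", flags binding as the domain Administrator instead of a dedicated account as Louis suggested, and tags the two bind failures seen in the radiusd -X output. The minimal config parser, the finding tags, the constructed radiusd lines, the "cn=radius-bind" account, the CA path and the placeholder password are all assumptions of this example; server, identity, password, base_dn and the tls settings start_tls, ca_file and require_cert are real rlm_ldap 3.0 options.

```python
"""Audit an rlm_ldap config fragment for cleartext simple binds and classify
the bind errors from a radiusd -X run. Added example; the parser is a
hypothetical minimal one that only understands `key = value` and `name { ... }`."""
import re
from typing import Any, Dict, List, Tuple

# Constructed sample modelled on the thread: simple bind as Administrator over
# plain ldap:// on 389 with STARTTLS off. The password is a placeholder.
WEAK_CONFIG = """
ldap {
    server = 'ldap://dc01.mydomain.com'
    port = 389
    identity = 'cn=Administrator,cn=Users,dc=mydomain,dc=com'
    password = 'PLACEHOLDER'
    base_dn = 'ou=drc,dc=mydomain,dc=com'
    user {
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    tls {
        start_tls = no
    }
}
"""

# Hardened variant (constructed): STARTTLS with the DC's CA pinned and
# certificate verification demanded, plus a dedicated low-privilege bind account.
HARDENED_CONFIG = """
ldap {
    server = 'ldap://dc01.mydomain.com'
    port = 389
    identity = 'cn=radius-bind,ou=service-accounts,dc=mydomain,dc=com'
    password = 'PLACEHOLDER'
    base_dn = 'ou=drc,dc=mydomain,dc=com'
    tls {
        start_tls = yes
        ca_file = '/etc/raddb/certs/mydomain-ca.pem'
        require_cert = 'demand'
    }
}
"""

_OPEN = re.compile(r"^([\w-]+)\s*\{$")
_KV = re.compile(r"^([\w-]+)\s*=\s*(.*?)$")


def parse_block(lines: List[str], i: int = 0) -> Tuple[Dict[str, Any], int]:
    """Recursive descent over radiusd-style `key = value` / `name { ... }` lines."""
    block: Dict[str, Any] = {}
    while i < len(lines):
        line = lines[i].split("#", 1)[0].strip()  # '#' starts a comment
        i += 1
        if not line:
            continue
        if line == "}":
            return block, i
        m = _OPEN.match(line)
        if m:
            sub, i = parse_block(lines, i)
            block[m.group(1)] = sub
            continue
        m = _KV.match(line)
        if m:
            block[m.group(1)] = m.group(2).strip("'\"")
    return block, i


def parse_config(text: str) -> Dict[str, Any]:
    return parse_block(text.splitlines())[0]


def audit(cfg: Dict[str, Any]) -> List[str]:
    """Return finding tags for the `ldap { ... }` module instance in cfg."""
    ldap = cfg.get("ldap", {})
    tls = ldap.get("tls", {})
    encrypted = (ldap.get("server", "").startswith("ldaps://")
                 or tls.get("start_tls", "no").lower() == "yes")
    has_password = bool(ldap.get("identity")) and bool(ldap.get("password"))
    findings: List[str] = []
    if has_password and not encrypted:
        # Simple bind sends the password in the clear; a DC that requires
        # strong auth refuses it with "Strong(er) authentication required".
        findings.append("cleartext-simple-bind")
    if encrypted and tls.get("require_cert") not in ("demand", "hard"):
        findings.append("server-cert-verification-not-pinned")
    if ldap.get("identity", "").lower().startswith("cn=administrator,"):
        findings.append("privileged-bind-account")
    return findings


# Constructed radiusd -X excerpt; each bind failure on one line as rlm_ldap prints it.
SAMPLE_LOG = """
rlm_ldap (ldap): Connecting to ldap://dc01.mydomain.com:389
rlm_ldap (ldap): Bind with cn=Administrator,cn=Users,dc=mydomain,dc=com to ldap://dc01.mydomain.com:389 failed: Strong(er) authentication required
rlm_ldap (ldap): Server said: BindSimple: Transport encryption required.
rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
rlm_ldap (ldap): Bind with (anonymous) to ldap://dc01.mydomain.com:389 failed: Local error
"""

LOG_RULES = [
    # The server rejected a password bind on an unencrypted session.
    (re.compile(r"failed: Strong\(er\) authentication required"), "server-refuses-cleartext-simple-bind"),
    # "Local error" comes from the client library, not the DC: the SASL/GSSAPI
    # step failed before anything was sent, commonly because the radiusd process
    # has no Kerberos credentials (a root kinit does not give radiusd a ccache).
    (re.compile(r"Bind with \(anonymous\) to \S+ failed: Local error"), "sasl-client-side-failure"),
]


def classify_log(text: str) -> List[Tuple[str, str]]:
    """Tag each rlm_ldap bind failure line with its likely cause."""
    return [(tag, line.strip()) for line in text.splitlines()
            for rx, tag in LOG_RULES if rx.search(line)]


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_config(text)))
    for tag, line in classify_log(SAMPLE_LOG):
        print(tag, "<-", line)
```

Run it as-is to see the weak fragment flagged and the hardened one pass; point `parse_config` at the text of a real mods-enabled/ldap to audit a live instance. The two log tags separate the thread's two symptoms: the first is a server policy decision that STARTTLS or LDAPS fixes, the second never reaches the server and is a credential problem local to the radiusd process.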