Use Active Directory Group to authorize users on Freeradius 3.0.x

Igor Sousa igorvolt at gmail.com
Fri Feb 28 22:21:37 CET 2020


Hello Uwe,

I've tested again and, in this case, I've noticed that my error was
specifying base_dn="dc=mydomain,dc=com". The ldap module tried to bind to the
URL ldap://mydomain.com/CN=Configuration,DC=mydomain,DC=com. Then I changed
base_dn to "ou=drc,dc=mydomain,dc=com" and it worked fine.

I would like to thank the freeradius community, especially Uwe and Louis,
for helping with this problem, and I confirm that it has been solved.

--
Igor Sousa

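Putting the resolution above together as an added example (my own illustration, not configuration posted in this thread or shipped by the FreeRADIUS project): a mods-enabled/ldap instance for a Samba/AD domain, plus the unlang check that rejects users outside a group. The service-account DN cn=radius-ldap,ou=service accounts,dc=mydomain,dc=com, its password and the group DN cn=radius-users,ou=drc,dc=mydomain,dc=com are assumptions; only dc01.mydomain.com, ou=drc,dc=mydomain,dc=com and the sAMAccountName filter come from the thread.

```text
# /etc/raddb/mods-enabled/ldap (FreeRADIUS 3.0.x) -- added example, not from the thread
ldap {
    # Plain LDAP on 389/tcp, as in the thread. Once the DC has a certificate,
    # prefer server = 'ldaps://dc01.mydomain.com', port = 636 and tls { ca_file = ... }.
    server = 'dc01.mydomain.com'
    port = 389

    # Assumed dedicated, read-only service account; do not bind as Administrator.
    identity = 'cn=radius-ldap,ou=service accounts,dc=mydomain,dc=com'
    password = 'change-me'

    # Where the users live. A subtree search at dc=mydomain,dc=com makes AD return
    # referrals for CN=Configuration and the DNS partitions, which is what produced
    # the ldap://mydomain.com/CN=Configuration,... bind seen in the thread.
    base_dn = 'ou=drc,dc=mydomain,dc=com'

    # No sasl {} block: simple bind with the account above.

    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=group)'
        name_attribute = cn
        # AD stores membership on the group (member) and on the user (memberOf).
        membership_filter = "(member=%{control:Ldap-UserDn})"
        membership_attribute = 'memberOf'
    }

    options {
        # Both default to yes in 3.0.x. Turning referral chasing off is the
        # alternative to narrowing base_dn when users are spread over several OUs.
        chase_referrals = no
        rebind = no
        res_timeout = 10
        srv_timelimit = 3
        net_timeout = 1
    }

    tls {
        start_tls = no
    }

    pool {
        start = 5
        min = 4
        max = 32
        spare = 3
        uses = 0
        retry_delay = 30
        lifetime = 0
        idle_timeout = 60
    }
}

# /etc/raddb/sites-enabled/default, authorize section (authentication itself
# still goes through ntlm_auth/mschap as set up earlier in the thread):
authorize {
    ...
    ldap
    # Ldap-Group matches either the group DN or its name_attribute (cn).
    # If the user was not found under base_dn, control:Ldap-UserDn is unset,
    # the comparison fails and the request is rejected.
    if (!(Ldap-Group == "cn=radius-users,ou=drc,dc=mydomain,dc=com")) {
        reject
    }
    ...
}
```

Two caveats a practitioner should keep in mind. First, the "BindSimple: Transport encryption required" error in the thread is the Samba AD DC refusing a simple bind over an unencrypted connection (controlled by `ldap server require strong auth`, which defaults to yes); the clean fix is to give the DC a certificate and use ldaps:// or start_tls rather than relaxing that setting, since the identity password otherwise crosses the network in clear. Second, if users really do live in several OUs, querying the Global Catalog on port 3268 instead of 389 avoids the referrals without narrowing base_dn, at the cost of only seeing the partial attribute set (sAMAccountName and memberOf are in it).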

On Thu, Feb 27, 2020 at 17:45, Igor Sousa <igorvolt at gmail.com>
wrote:

> Hi Uwe,
>
> Yes, I have enabled the SASL part in the ldap module because the ldap bind
> with identity and password failed and requested "Strong(er)
> authentication required / Server said: BindSimple: Transport encryption
> required.". The ldap server runs on port 389/tcp and no TLS has been
> configured on it. I'll test on version 3.0.20 to verify whether there is a
> bug that has been fixed in the latest version.
>
> --
> Igor Sousa
>
>
> On Tue, Feb 25, 2020 at 04:19, <uj2.hahn at posteo.de> wrote:
>
>> Seems you enabled the SASL part in the ldap module. Is there a reason for it?
>> I guess I run a very similar installation (a test instance with OpenLDAP
>> and a production one with Active Directory). And both work fine w/o SASL.
>> And both I run with the ldap protocol on port 389.
>>
>> Uwe
>>
>> On 24.02.2020 15:06, Igor Sousa wrote:
>> > Hi Louis,
>> >
>> > My freeradius server is a domain member of mydomain.com and, before I
>> > configured the ldap module, I had tested the ntlm_auth configuration and it
>> > had worked perfectly. As I said in the first email of this thread, I had
>> > followed http://deployingradius.com/documents/configuration/active_directory.html
>> > to configure ntlm_auth.
>> >
>> > My problem is the ldap module. The employee who administers mydomain.com
>> > has told me the ldap server on this domain isn't configured to operate over
>> > TLS or SSL. He has confirmed to me that ldap on dc01 is listening on port
>> > 389/TCP and it isn't configured for START TLS, so there is no need to
>> > accept certificates to connect to it. Because of that, I've tried to use
>> > SASL + KRB5 to connect the freeradius server to ldap on dc01.mydomain.com.
>> > It doesn't work, though. When I've tried to run a search with ldapsearch
>> > using SASL on the command prompt of the freeradius server, it works
>> > perfectly fine. My question is why it doesn't work in the freeradius
>> > service.
>> >
>> > PS1: I can connect to the ldap service on dc01 with the Apache Studio
>> > application on port 389/TCP with no SSL or TLS configuration.
>> >
>> > PS2: I've noticed the freeradius version (3.0.16) in the official CentOS 8
>> > repository isn't the latest version. I'll try to install the latest (3.0.20)
>> > version from source and try it.
>> >
>> > Regards,
>> > --
>> > Igor Sousa
>> >
>> >
>> > On Mon, Feb 24, 2020 at 05:00, L.P.H. van Belle via Freeradius-Users
>> > <freeradius-users at lists.freeradius.org> wrote:
>> >
>> >> Hai Igor,
>> >>
>> >> Samba messages:  Strong(er) authentication required
>> >>
>> >> That's it.
>> >>
>> >> man smb.conf
>> >>      ntlm auth (G)
>> >>
>> >> And set : ntlm auth = mschapv2-and-ntlmv2-only
>> >> For the AD-Dc's and member's where needed.
>> >>
>> >> bind with (anonymous) to ldap://dc01.mydomain.com:389 failed:
>> >> Local error: you need to set up a separate user to do these ldap binds.
>> >>
>> >> And last, did you set up certificates for the server and services?
>> >> If not, I suggest you do that and use the ldaps ports; MS is preparing for
>> >> that also, so be ahead of it.
>> >>
>> >> See if the above is sufficient to fix it, but I'm sure this is your problem.
>> >>
>> >>
>> >> Greetz,
>> >>
>> >> Louis
>> >>
>> >>
>> >>> -----Original message-----
>> >>> From: Freeradius-Users
>> >>> [mailto:freeradius-users-bounces+belle=bazuin.nl at lists.freeradius.org]
>> >>> On behalf of Igor Sousa
>> >>> Sent: Saturday, 22 February 2020 19:47
>> >>> To: FreeRadius users mailing list
>> >>> Subject: Re: Use Active Directory Group to authorize users on
>> >>> Freeradius 3.0.x
>> >>>
>> >>> I don't see any problem with the ldap search bind. The DN
>> >>> cn=Administrator,cn=Users,dc=mydomain,dc=com, just as the name says, is
>> >>> the administrator user of mydomain.com and can search any other
>> >>> Organisation Unit of mydomain.com. All my users, except Administrator,
>> >>> are in ou=drc,dc=mydomain,dc=com. The Samba 4 domain works perfectly in
>> >>> Windows/Linux, as in the other systems my company has.
>> >>>
>> >>>
>> >>> When I tried to run radiusd -X with identity set in the ldap module,
>> >>> radiusd -X reported
>> >>>
>> >>> rlm_ldap (ldap): Bind with cn=Administrator,cn=Users,dc=mydomain,dc=com to ldap://dc01.mydomain.com:389 failed: Strong(er) authentication required
>> >>> rlm_ldap (ldap): Server said: BindSimple: Transport encryption required.
>> >>>
>> >>>
>> >>> The employee who implemented the Samba DC at my company has notified me
>> >>> that he hasn't set ldap to run over SSL or START TLS. Because of that, I
>> >>> have tried to use SASL. It has worked fine when I have tried to run a
>> >>> simple search using ldapsearch after kinit, like this
>> >>>
>> >>> [root at centos8 ~]# kinit -a Administrator
>> >>> [root at centos8 ~]# ldapsearch -LLL -h dc01.mydomain.com -b "ou=drc,dc=mydomain,dc=com" sAMAccountName
>> >>> SASL/GSS-SPNEGO authentication started
>> >>> SASL username: Administrator at MYDOMAIN.COM
>> >>> SASL SSF: 256
>> >>> SASL data security layer installed.
>> >>> <all users in ou=drc were shown>
>> >>>
>> >>>
>> >>> But it hasn't worked with the freeradius ldap module.
>> >>>
>> >>> rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
>> >>> rlm_ldap (ldap): Connecting to ldap://dc01.mydomain.com:389
>> >>> rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
>> >>> SASL/GSSAPI authentication started
>> >>> rlm_ldap (ldap): Bind with (anonymous) to ldap://dc01.mydomain.com:389 failed: Local error
>> >>> rlm_ldap (ldap): Opening connection failed (0)
>> >>> rlm_ldap (ldap): Removing connection pool
>> >>> /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
>> >>>
>> >>>
>> >>> PS: I've used freeradius from the centos 8 repo, version 3.0.16, and the
>> >>> host centos8 is a domain member of mydomain.com.
>> >>>
>> >>> --
>> >>> Igor Sousa
>> >>>
>> >>>
>> >>> On Sat, Feb 22, 2020 at 13:17, <uj2.hahn at posteo.de> wrote:
>> >>>
>> >>>>> rlm_ldap (ldap): Bind with
>> >>> *cn=Administrator,cn=Users,dc=mydomain,dc=com*
>> >>>> This doesn't match your ldap search binding:
>> >>>>> "ou=drc,dc=mydomain,dc=com"
>> >>>> Maybe this is the issue? Please double check your ldap settings!
>> >>>> Regards
>> >>>> Uwe
>> >>>>
>> >>>> On 21.02.2020 23:40, Igor Sousa wrote:
>> >>>>> Hello everybody,
>> >>>>>
>> >>>>> I have had some problems authorizing users based on Active Directory
>> >>>>> (Samba 4 DCs) groups.
>> >>>>>
>> >>>>> I have followed
>> >>>>> http://deployingradius.com/documents/configuration/active_directory.html
>> >>>>> to configure ntlm_auth and it works perfectly.
>> >>>>>
>> >>>>> As I need to restrict access to some AD groups, I need to configure the
>> >>>>> ldap module. I had already configured the ldap module, but it had been
>> >>>>> pure OpenLDAP (uid stores the username and userPassword stores the
>> >>>>> password). Then, to set up the ldap module to access AD ldap, I've read
>> >>>>> the comments in mods-available/ldap and I have set up "server",
>> >>>>> "identity", "password" and "base_dn" in mods-enabled/ldap. I have also
>> >>>>> set up
>> >>>>>
>> >>>>> to use the attribute that stores the username on AD
>> >>>>> user {
>> >>>>> ...
>> >>>>> filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
>> >>>>> ...
>> >>>>> }
>> >>>>>
>> >>>>> and
>> >>>>>
>> >>>>> group {
>> >>>>> ...
>> >>>>> filter = '(objectClass=group)'
>> >>>>> ...
>> >>>>> name_attribute = cn
>> >>>>>
>> >>>>> membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
>> >>>>> membership_attribute = 'memberOf'
>> >>>>> ...
>> >>>>> }
>> >>>>>
>> >>>>> When I tried to run radiusd -X, it showed an error message about the
>> >>>>> bind attempted to the ldap server:
>> >>>>>
>> >>>>> rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
>> >>>>> rlm_ldap (ldap): Connecting to ldap://dc01.mydomain.com:389
>> >>>>> rlm_ldap (ldap): Waiting for bind result...
>> >>>>> rlm_ldap (ldap): Bind with cn=Administrator,cn=Users,dc=mydomain,dc=com to ldap://dc01.mydomain.com:389 failed: Strong(er) authentication required
>> >>>>> rlm_ldap (ldap): Server said: BindSimple: Transport encryption required..
>> >>>>> rlm_ldap (ldap): Opening connection failed (0)
>> >>>>> rlm_ldap (ldap): Removing connection pool
>> >>>>> /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
>> >>>>> I suspected SASL because I hadn't been notified that LDAP uses STARTTLS
>> >>>>> or SSL over TLS. Then I commented out identity and password and ran
>> >>>>> radiusd -X:
>> >>>>> rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
>> >>>>> rlm_ldap (ldap): Connecting to ldap://dc01.mydomain.com:389
>> >>>>> rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
>> >>>>> SASL/GSSAPI authentication started
>> >>>>> rlm_ldap (ldap): Bind with (anonymous) to ldap://dc01.mydomain.com:389 failed: Local error
>> >>>>> rlm_ldap (ldap): Opening connection failed (0)
>> >>>>> rlm_ldap (ldap): Removing connection pool
>> >>>>> /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
>> >>>>> I ran kinit Administrator before running the ldapsearch below, and it
>> >>>>> hasn't shown any ERROR.
>> >>>>>
>> >>>>> Please, can someone help me about my problem?
>> >>>>>
>> >>>>> [root at centos8 ~]# ldapsearch -LLL -h dc01.mydomain.com -b "ou=drc,dc=mydomain,dc=com" sAMAccountName
>> >>>>> SASL/GSS-SPNEGO authentication started
>> >>>>> SASL username: Administrator at MYDOMAIN.COM
>> >>>>> SASL SSF: 256
>> >>>>> SASL data security layer installed.
>> >>>>>
>> >>>>> --
>> >>>>> Igor Sousa
>> >>>>> -
>> >>>>> List info/subscribe/unsubscribe? See
>> >>>> http://www.freeradius.org/list/users.html
>> >>>>
>>

