Freeradius 3 with LDAP Authentication Bind as User

Jason Leiby leibyj at gmail.com
Fri May 29 21:06:16 CEST 2020


I placed the auth-type update control snippet in the authenticate section
and I still get the same error message of:

(1) ldap: ERROR: Failed performing search: Please set 'chase_referrals=yes'
and 'rebind=yes'. See the ldap module configuration for details.
(1) ldap: ERROR: Server said: 000004DC: LdapErr: DSID-0C0907E1, comment: In
order to perform this operation a successful bind must be completed on the
connection., data 0, v2580.

What is also strange is that the first error about chase_referrals and
rebind should be gone, as I have those flags uncommented in the ldap module.

Here is the full output from radiusd -X:

(1) Received Access-Request Id 1 from 1.1.1.201:65511 to 1.1.1.190:1812
length 58
(1)   NAS-IP-Address = 0.0.0.0
(1)   User-Name = "testuser"
(1)   User-Password = "testpasswd123\000]\n"
(1)   NAS-Port = 0
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     policy filter_password {
(1)       if (&User-Password &&            (&User-Password !=
"%{string:User-Password}")) {
(1)       EXPAND %{string:User-Password}
(1)          --> testpasswd123
(1)       if (&User-Password &&            (&User-Password !=
"%{string:User-Password}"))  -> TRUE
(1)       if (&User-Password &&            (&User-Password !=
"%{string:User-Password}"))  {
(1)         update request {
(1)           EXPAND %{string:User-Password}
(1)              --> testpasswd123
(1)           &Tmp-String-0 := testpasswd123
(1)           EXPAND %{string:Tmp-String-0}
(1)              --> testpasswd123
(1)           &User-Password := testpasswd123
(1)         } # update request = noop
(1)       } # if (&User-Password &&        (&User-Password !=
"%{string:User-Password}"))  = noop
(1)     } # policy filter_password = noop
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "testuser", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: No EAP-Message, not doing EAP
(1)     [eap] = noop
(1)     [files] = noop
(1) sql: EXPAND %{User-Name}
(1) sql:    --> testuser
(1) sql: SQL-User-Name set to 'testuser'
rlm_sql (sql): Closing connection (6): Hit idle_timeout, was idle for 163
seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 163
seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 163
seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 163
seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 163
seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for 163
seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 163
seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): 0 of 0 connections in use.  You  may need to increase "spare"
rlm_sql (sql): Opening additional connection (7), 1 of 32 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket,
server version 5.5.65-MariaDB, protocol version 10
rlm_sql (sql): Reserved connection (7)
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql:    --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'testuser' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'testuser' ORDER BY id
(1) sql: User found in radcheck table
(1) sql: Conditional check items matched, merging assignment check items
(1) sql:   Auth-Type := PAP
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply
WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql:    --> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'testuser' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radreply WHERE username = 'testuser' ORDER BY id
(1) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(1) sql:    --> SELECT groupname FROM radusergroup WHERE username =
'testuser' ORDER BY priority
(1) sql: Executing select query: SELECT groupname FROM radusergroup WHERE
username = 'testuser' ORDER BY priority
(1) sql: User found in the group table
(1) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(1) sql:    --> SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = 'sonus-admin' ORDER BY id
(1) sql: Executing select query: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = 'sonus-admin' ORDER BY id
(1) sql: Group "sonus-admin": Conditional check items matched
(1) sql: Group "sonus-admin": Merging assignment check items
(1) sql: EXPAND SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(1) sql:    --> SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = 'sonus-admin' ORDER BY id
(1) sql: Executing select query: SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = 'sonus-admin' ORDER BY id
(1) sql: Group "sonus-admin": Merging reply items
(1) sql:   GroupName := "Administrator"
rlm_sql (sql): Released connection (7)
Need 2 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (8), 1 of 31 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket,
server version 5.5.65-MariaDB, protocol version 10
(1)     [sql] = ok
rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 184
seconds
rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 183
seconds
rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 183
seconds
rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 183
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for 163
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (5): Hit idle_timeout, was idle for 163
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): 0 of 0 connections in use.  You  may need to increase
"spare"
rlm_ldap (ldap): Opening additional connection (6), 1 of 32 pending slots
used
rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389
TLSMC: MozNSS compatibility interception begins.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is
present.
tlsmc_intercept_initialization: INFO: successfully intercepted TLS
initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Reserved connection (6)
(1) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap:    --> (samaccountname=testuser)
(1) ldap: Performing search in "OU=Employees,OU=Domain
Users,DC=example,DC=com" with filter "(samaccountname=testuser)", scope
"sub"
(1) ldap: Waiting for search result...
(1) ldap: ERROR: Failed performing search: Please set 'chase_referrals=yes'
and 'rebind=yes'. See the ldap module configuration for details.
(1) ldap: ERROR: Server said: 000004DC: LdapErr: DSID-0C0907E1, comment: In
order to perform this operation a successful bind must be completed on the
connection., data 0, v2580.
rlm_ldap (ldap): Released connection (6)
Need 2 more connections to reach min connections (3)
rlm_ldap (ldap): Opening additional connection (7), 1 of 31 pending slots
used
rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389
TLSMC: MozNSS compatibility interception begins.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is
present.
tlsmc_intercept_initialization: INFO: successfully intercepted TLS
initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(1)     [ldap] = fail
(1)   } # authorize = fail
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1)   Post-Auth-Type REJECT {
(1) sql: EXPAND .query
(1) sql:    --> .query
(1) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (7)
(1) sql: EXPAND %{User-Name}
(1) sql:    --> testuser
(1) sql: SQL-User-Name set to 'testuser'
(1) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')
(1) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( 'testuser', 'testpasswd123', 'Access-Reject', '2020-05-29
13:57:40.965576')
(1) sql: Executing query: INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( 'testuser', 'testpasswd123', 'Access-Reject',
'2020-05-29 13:57:40.965576')
(1) sql: SQL query returned: success
(1) sql: 1 record(s) updated
rlm_sql (sql): Released connection (7)
Need 1 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (9), 1 of 30 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket,
server version 5.5.65-MariaDB, protocol version 10
(1)     [sql] = ok
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject:    --> testuser
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1)     [attr_filter.access_reject] = updated
(1)     [eap] = noop
(1)     policy remove_reply_message_if_eap {
(1)       if (&reply:EAP-Message && &reply:Reply-Message) {
(1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(1)       else {
(1)         [noop] = noop
(1)       } # else = noop
(1)     } # policy remove_reply_message_if_eap = noop
(1)   } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.9 seconds.
(1) (1) Discarding duplicate request from client 1.1.1.201 port 65511 - ID:
1 due to delayed response
Waking up in 0.3 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 1 from 1.1.1.190:1812 to 1.1.1.201:65511 length 20
Waking up in 3.9 seconds.
(1) Cleaning up request packet ID 1 with timestamp +183
Ready to process requests

On Fri, May 29, 2020 at 10:42 AM Klemen forneci <forneci at gmail.com> wrote:

> Check the help in the ldap module. There are update control Auth type lines
> inside that set the Auth type to ldap and will Auth with bind instead of
> reading the password from ldap
>
> V pet., 29. maj 2020 18:12 je oseba Jason Leiby <leibyj at gmail.com>
> napisala:
>
> > Hi Experts,
> >
> > I am trying to setup my radius server to authenticate users with their AD
> > password.  I do not have access to our corporate Active Directory so I
> > cannot use Samba and winbind, I only have access to the LDAP server that
> > ties into AD.  Each user has read only access to LDAP so they can bind
> with
> > the correct credentials and verify the password.
> >
> >
> >
> > I have successfully setup freeradius to connect to the LDAP server and
> > verify credentials as long as the ‘identity’ and ‘password’ are provided
> in
> > the ldap module.  What I would like to do is bind as the verifying user
> > instead of using a single account.  Scouring the internet has proven
> > fruitless, so I was hoping you can point me in the correct direction.  I
> am
> > happy to provide logs and configs if needed.  I would first like to
> confirm
> > that this is feasible.
> >
> >
> >
> > Thank you,
> >
> > Jason
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
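The configuration Klemen's reply describes, written out as an added example that is not part of this thread: the ldap module still needs a service account for the DN lookup (the 000004DC text is Active Directory refusing a search on an unbound connection, and rlm_ldap prints the chase_referrals hint for any operationsError, so that message is not about the referral settings), and the Auth-Type update belongs in the authorize section, paired with an Auth-Type LDAP block in authenticate. File paths, the service-account DN and its password are placeholders; the base_dn and filter are taken from the debug output above.

```unlang
# mods-available/ldap (placeholder path): credentials used only to find the
# user's DN. AD rejects a search on an anonymous connection with the
# "a successful bind must be completed" error shown in the debug output.
ldap {
	server = 'ldap.example.com'
	port = 389
	identity = 'CN=radius-svc,OU=Service Accounts,DC=example,DC=com'  # placeholder
	password = 'SERVICE_ACCOUNT_PASSWORD'                             # placeholder
	base_dn = 'OU=Employees,OU=Domain Users,DC=example,DC=com'
	user {
		base_dn = "${..base_dn}"
		filter = "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
	options {
		chase_referrals = yes
		rebind = yes
	}
}

# sites-enabled/default, authorize section. ldap must run here, not in
# authenticate, so the DN is located and Auth-Type is set before
# authentication starts. Placed after sql, the ':=' replaces the
# "Auth-Type := PAP" that the radcheck row sets in the debug output.
authorize {
	# preprocess, filter_username, filter_password, suffix, eap ... as shipped
	sql
	ldap
	if ((ok || updated) && User-Password) {
		update {
			control:Auth-Type := ldap
		}
	}
	# pap and the remaining shipped modules follow
}

# sites-enabled/default, authenticate section. With Auth-Type ldap, rlm_ldap
# binds to AD as the located user DN using the supplied User-Password, rather
# than comparing a password attribute read from the directory.
authenticate {
	Auth-Type LDAP {
		ldap
	}
}
```

If ldap returns notfound for a user, Auth-Type stays at whatever sql set, so a user missing from the OU is not silently accepted.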


More information about the Freeradius-Users mailing list