Freeradius 3 with LDAP Authentication Bind as User

Jason Leiby leibyj at gmail.com
Fri May 29 21:31:12 CEST 2020


Correction to previous post.  The snippet is in the authorize section of
the sites-enabled/default file.  Also, when I perform a packet capture, I
see the radius request, a bind request of "<ROOT> simple".  I would assume
that this needs to be the username and password.  Is this set in the ldap
module under the sasl section?

On Fri, May 29, 2020 at 1:06 PM Jason Leiby <leibyj at gmail.com> wrote:

> I placed the auth-type update control snippet in the authenticate section
> and I still get the same error message of:
>
> (1) ldap: ERROR: Failed performing search: Please set
> 'chase_referrals=yes' and 'rebind=yes'. See the ldap module configuration
> for details.
> (1) ldap: ERROR: Server said: 000004DC: LdapErr: DSID-0C0907E1, comment:
> In order to perform this operation a successful bind must be completed on
> the connection., data 0, v2580.
>
> What is also strange is that the first error about chase_referrals and
> rebind should be gone as I have those flags uncommented in the ldap module
>
> Here is the full output from radiusd -X
>
> (1) Received Access-Request Id 1 from 1.1.1.201:65511 to 1.1.1.190:1812
> length 58
> (1)   NAS-IP-Address = 0.0.0.0
> (1)   User-Name = "testuser"
> (1)   User-Password = "testpasswd123\000]\n"
> (1)   NAS-Port = 0
> (1) # Executing section authorize from file
> /etc/raddb/sites-enabled/default
> (1)   authorize {
> (1)     policy filter_username {
> (1)       if (&User-Name) {
> (1)       if (&User-Name)  -> TRUE
> (1)       if (&User-Name)  {
> (1)         if (&User-Name =~ / /) {
> (1)         if (&User-Name =~ / /)  -> FALSE
> (1)         if (&User-Name =~ /@[^@]*@/ ) {
> (1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (1)         if (&User-Name =~ /\.\./ ) {
> (1)         if (&User-Name =~ /\.\./ )  -> FALSE
> (1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (1)         if (&User-Name =~ /\.$/)  {
> (1)         if (&User-Name =~ /\.$/)   -> FALSE
> (1)         if (&User-Name =~ /@\./)  {
> (1)         if (&User-Name =~ /@\./)   -> FALSE
> (1)       } # if (&User-Name)  = notfound
> (1)     } # policy filter_username = notfound
> (1)     policy filter_password {
> (1)       if (&User-Password &&            (&User-Password !=
> "%{string:User-Password}")) {
> (1)       EXPAND %{string:User-Password}
> (1)          --> testpasswd123
> (1)       if (&User-Password &&            (&User-Password !=
> "%{string:User-Password}"))  -> TRUE
> (1)       if (&User-Password &&            (&User-Password !=
> "%{string:User-Password}"))  {
> (1)         update request {
> (1)           EXPAND %{string:User-Password}
> (1)              --> testpasswd123
> (1)           &Tmp-String-0 := testpasswd123
> (1)           EXPAND %{string:Tmp-String-0}
> (1)              --> testpasswd123
> (1)           &User-Password := testpasswd123
> (1)         } # update request = noop
> (1)       } # if (&User-Password &&        (&User-Password !=
> "%{string:User-Password}"))  = noop
> (1)     } # policy filter_password = noop
> (1)     [preprocess] = ok
> (1)     [chap] = noop
> (1)     [mschap] = noop
> (1)     [digest] = noop
> (1) suffix: Checking for suffix after "@"
> (1) suffix: No '@' in User-Name = "testuser", looking up realm NULL
> (1) suffix: No such realm "NULL"
> (1)     [suffix] = noop
> (1) eap: No EAP-Message, not doing EAP
> (1)     [eap] = noop
> (1)     [files] = noop
> (1) sql: EXPAND %{User-Name}
> (1) sql:    --> testuser
> (1) sql: SQL-User-Name set to 'testuser'
> rlm_sql (sql): Closing connection (6): Hit idle_timeout, was idle for 163
> seconds
> rlm_sql_mysql: Socket destructor called, closing socket
> rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 163
> seconds
> rlm_sql_mysql: Socket destructor called, closing socket
> rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 163
> seconds
> rlm_sql_mysql: Socket destructor called, closing socket
> rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 163
> seconds
> rlm_sql_mysql: Socket destructor called, closing socket
> rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 163
> seconds
> rlm_sql (sql): You probably need to lower "min"
> rlm_sql_mysql: Socket destructor called, closing socket
> rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for 163
> seconds
> rlm_sql (sql): You probably need to lower "min"
> rlm_sql_mysql: Socket destructor called, closing socket
> rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 163
> seconds
> rlm_sql (sql): You probably need to lower "min"
> rlm_sql_mysql: Socket destructor called, closing socket
> rlm_sql (sql): 0 of 0 connections in use.  You  may need to increase
> "spare"
> rlm_sql (sql): Opening additional connection (7), 1 of 32 pending slots
> used
> rlm_sql_mysql: Starting connect to MySQL server
> rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX
> socket, server version 5.5.65-MariaDB, protocol version 10
> rlm_sql (sql): Reserved connection (7)
> (1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
> WHERE username = '%{SQL-User-Name}' ORDER BY id
> (1) sql:    --> SELECT id, username, attribute, value, op FROM radcheck
> WHERE username = 'testuser' ORDER BY id
> (1) sql: Executing select query: SELECT id, username, attribute, value, op
> FROM radcheck WHERE username = 'testuser' ORDER BY id
> (1) sql: User found in radcheck table
> (1) sql: Conditional check items matched, merging assignment check items
> (1) sql:   Auth-Type := PAP
> (1) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply
> WHERE username = '%{SQL-User-Name}' ORDER BY id
> (1) sql:    --> SELECT id, username, attribute, value, op FROM radreply
> WHERE username = 'testuser' ORDER BY id
> (1) sql: Executing select query: SELECT id, username, attribute, value, op
> FROM radreply WHERE username = 'testuser' ORDER BY id
> (1) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
> '%{SQL-User-Name}' ORDER BY priority
> (1) sql:    --> SELECT groupname FROM radusergroup WHERE username =
> 'testuser' ORDER BY priority
> (1) sql: Executing select query: SELECT groupname FROM radusergroup WHERE
> username = 'testuser' ORDER BY priority
> (1) sql: User found in the group table
> (1) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM
> radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
> (1) sql:    --> SELECT id, groupname, attribute, Value, op FROM
> radgroupcheck WHERE groupname = 'sonus-admin' ORDER BY id
> (1) sql: Executing select query: SELECT id, groupname, attribute, Value,
> op FROM radgroupcheck WHERE groupname = 'sonus-admin' ORDER BY id
> (1) sql: Group "sonus-admin": Conditional check items matched
> (1) sql: Group "sonus-admin": Merging assignment check items
> (1) sql: EXPAND SELECT id, groupname, attribute, value, op FROM
> radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
> (1) sql:    --> SELECT id, groupname, attribute, value, op FROM
> radgroupreply WHERE groupname = 'sonus-admin' ORDER BY id
> (1) sql: Executing select query: SELECT id, groupname, attribute, value,
> op FROM radgroupreply WHERE groupname = 'sonus-admin' ORDER BY id
> (1) sql: Group "sonus-admin": Merging reply items
> (1) sql:   GroupName := "Administrator"
> rlm_sql (sql): Released connection (7)
> Need 2 more connections to reach min connections (3)
> rlm_sql (sql): Opening additional connection (8), 1 of 31 pending slots
> used
> rlm_sql_mysql: Starting connect to MySQL server
> rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX
> socket, server version 5.5.65-MariaDB, protocol version 10
> (1)     [sql] = ok
> rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for
> 184 seconds
> rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for
> 183 seconds
> rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for
> 183 seconds
> rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for
> 183 seconds
> rlm_ldap (ldap): You probably need to lower "min"
> rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for
> 163 seconds
> rlm_ldap (ldap): You probably need to lower "min"
> rlm_ldap (ldap): Closing connection (5): Hit idle_timeout, was idle for
> 163 seconds
> rlm_ldap (ldap): You probably need to lower "min"
> rlm_ldap (ldap): 0 of 0 connections in use.  You  may need to increase
> "spare"
> rlm_ldap (ldap): Opening additional connection (6), 1 of 32 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389
> TLSMC: MozNSS compatibility interception begins.
> tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration
> is present.
> tlsmc_intercept_initialization: INFO: successfully intercepted TLS
> initialization. Continuing with OpenSSL only.
> TLSMC: MozNSS compatibility interception ends.
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Reserved connection (6)
> (1) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
> (1) ldap:    --> (samaccountname=testuser)
> (1) ldap: Performing search in "OU=Employees,OU=Domain
> Users,DC=example,DC=com" with filter "(samaccountname=testuser)", scope
> "sub"
> (1) ldap: Waiting for search result...
> (1) ldap: ERROR: Failed performing search: Please set
> 'chase_referrals=yes' and 'rebind=yes'. See the ldap module configuration
> for details.
> (1) ldap: ERROR: Server said: 000004DC: LdapErr: DSID-0C0907E1, comment:
> In order to perform this operation a successful bind must be completed on
> the connection., data 0, v2580.
> rlm_ldap (ldap): Released connection (6)
> Need 2 more connections to reach min connections (3)
> rlm_ldap (ldap): Opening additional connection (7), 1 of 31 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389
> TLSMC: MozNSS compatibility interception begins.
> tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration
> is present.
> tlsmc_intercept_initialization: INFO: successfully intercepted TLS
> initialization. Continuing with OpenSSL only.
> TLSMC: MozNSS compatibility interception ends.
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> (1)     [ldap] = fail
> (1)   } # authorize = fail
> (1) Using Post-Auth-Type Reject
> (1) # Executing group from file /etc/raddb/sites-enabled/default
> (1)   Post-Auth-Type REJECT {
> (1) sql: EXPAND .query
> (1) sql:    --> .query
> (1) sql: Using query template 'query'
> rlm_sql (sql): Reserved connection (7)
> (1) sql: EXPAND %{User-Name}
> (1) sql:    --> testuser
> (1) sql: SQL-User-Name set to 'testuser'
> (1) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate)
> VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
> '%{reply:Packet-Type}', '%S')
> (1) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate)
> VALUES ( 'testuser', 'testpasswd123', 'Access-Reject', '2020-05-29
> 13:57:40.965576')
> (1) sql: Executing query: INSERT INTO radpostauth (username, pass, reply,
> authdate) VALUES ( 'testuser', 'testpasswd123', 'Access-Reject',
> '2020-05-29 13:57:40.965576')
> (1) sql: SQL query returned: success
> (1) sql: 1 record(s) updated
> rlm_sql (sql): Released connection (7)
> Need 1 more connections to reach min connections (3)
> rlm_sql (sql): Opening additional connection (9), 1 of 30 pending slots
> used
> rlm_sql_mysql: Starting connect to MySQL server
> rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX
> socket, server version 5.5.65-MariaDB, protocol version 10
> (1)     [sql] = ok
> (1) attr_filter.access_reject: EXPAND %{User-Name}
> (1) attr_filter.access_reject:    --> testuser
> (1) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (1)     [attr_filter.access_reject] = updated
> (1)     [eap] = noop
> (1)     policy remove_reply_message_if_eap {
> (1)       if (&reply:EAP-Message && &reply:Reply-Message) {
> (1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> (1)       else {
> (1)         [noop] = noop
> (1)       } # else = noop
> (1)     } # policy remove_reply_message_if_eap = noop
> (1)   } # Post-Auth-Type REJECT = updated
> (1) Delaying response for 1.000000 seconds
> Waking up in 0.9 seconds.
> (1) (1) Discarding duplicate request from client 1.1.1.201 port 65511 -
> ID: 1 due to delayed response
> Waking up in 0.3 seconds.
> (1) Sending delayed response
> (1) Sent Access-Reject Id 1 from 1.1.1.190:1812 to 1.1.1.201:65511 length
> 20
> Waking up in 3.9 seconds.
> (1) Cleaning up request packet ID 1 with timestamp +183
> Ready to process requests
>
> On Fri, May 29, 2020 at 10:42 AM Klemen forneci <forneci at gmail.com> wrote:
>
>> Check the help in the ldap module. There are update control Auth-Type
>> lines inside that set the Auth-Type to ldap and will auth with bind instead
>> of reading the password from ldap.
>>
>> On Fri, 29 May 2020 at 18:12, Jason Leiby <leibyj at gmail.com> wrote:
>>
>> > Hi Experts,
>> >
>> > I am trying to set up my RADIUS server to authenticate users with their
>> > AD password.  I do not have access to our corporate Active Directory so
>> > I cannot use Samba and winbind, I only have access to the LDAP server
>> > that ties into AD.  Each user has read-only access to LDAP so they can
>> > bind with the correct credentials and verify the password.
>> >
>> > I have successfully set up FreeRADIUS to connect to the LDAP server and
>> > verify credentials as long as the 'identity' and 'password' are provided
>> > in the ldap module.  What I would like to do is bind as the verifying
>> > user instead of using a single account.  Scouring the internet has
>> > proven fruitless, so I was hoping you can point me in the correct
>> > direction.  I am happy to provide logs and configs if needed.  I would
>> > first like to confirm that this is feasible.
>> >
>> >
>> >
>> > Thank you,
>> >
>> > Jason
>> > -
>> > List info/subscribe/unsubscribe? See
>> > http://www.freeradius.org/list/users.html
>
>
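Added example (editor's configuration, not from any poster in this thread and not the FreeRADIUS project's shipped files verbatim): the two pieces of FreeRADIUS 3 configuration that make "bind as the user" work, plus the alternative for sites with no search account at all. Two separate binds are involved. In authorize, rlm_ldap uses a pooled connection, bound with the module's identity/password, to search for the user's DN; with both commented out that pool bind is anonymous (the "<ROOT> simple" bind in the capture), Active Directory accepts the bind but rejects the search with 000004DC, and rlm_ldap reports LDAP operationsError with its generic chase_referrals/rebind hint, which is why uncommenting those two options did not change the error. The bind as the user happens later, in authenticate, once control:Auth-Type has been set to LDAP, and only for PAP requests, where User-Password is present in clear. The server name and base DN are taken from the debug output; the service account, CA file and domain suffix are assumptions, and the UPN variant assumes the LDAP server is AD itself.

```unlang
#  /etc/raddb/mods-available/ldap -- only the parts that matter here.
ldap {
	server = 'ldap.example.com'
	port = 389

	#  Credentials for the pooled connections that SEARCH for the user's DN.
	#  Leave these out and the pool binds anonymously; AD allows that bind
	#  but refuses the search (000004DC).  A read-only account is enough and
	#  it never sees a user's password.  (assumed placeholders)
	identity = 'CN=svc-radius-ldap,OU=Service Accounts,DC=example,DC=com'
	password = 'search-account-password'

	base_dn = 'OU=Employees,OU=Domain Users,DC=example,DC=com'

	#  The bind-as-user step sends the user's password in the simple bind;
	#  on plain port 389 that is cleartext on the wire, so wrap it in TLS.
	#  (assumes the server offers STARTTLS; CA file is an assumed path)
	tls {
		start_tls = yes
		ca_file = /etc/raddb/certs/ad-ca.pem
		require_cert = 'demand'
	}

	user {
		base_dn = "${..base_dn}"
		filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	options {
		chase_referrals = yes   # AD returns referrals for other partitions
		rebind = yes            # re-bind with 'identity' when following them
	}

	pool {
		start = 0
		min = 0       # the "lower min" warnings in the log come from min = 3
		max = 32
		spare = 3
		idle_timeout = 300
	}
}

#  /etc/raddb/sites-enabled/default -- the lines the thread is about.
authorize {
	filter_username
	preprocess
	suffix
	eap
	files
	sql    # its 'Auth-Type := PAP' radcheck row is replaced by the := below;
	       # dropping that row is cleaner
	ldap   # searches for the DN with the service account; returns ok/updated

	#  User found and a PAP password is present: authenticate by binding as
	#  that user instead of comparing a password attribute read from LDAP.
	if ((ok || updated) && User-Password) {
		update {
			control:Auth-Type := LDAP
		}
	}
	pap
}

authenticate {
	Auth-Type PAP {
		pap
	}
	#  Here rlm_ldap binds with the DN found in authorize and the request's
	#  User-Password, and returns ok only if the directory accepts the bind.
	Auth-Type LDAP {
		ldap
	}
}

#  Alternative when no search account exists at all (assumes the LDAP server
#  is Active Directory, which accepts a userPrincipalName as the simple-bind
#  name): hand rlm_ldap the bind name so it skips the search entirely.  Note
#  that nothing then checks the account lives under base_dn or belongs to a
#  group, so restrict access elsewhere (e.g. the radusergroup rows in use).
authorize {
	# ... same modules as above, without the 'ldap' call ...
	if (User-Password && (User-Name !~ /@/)) {
		update control {
			LDAP-UserDn := "%{User-Name}@example.com"   # assumed suffix
			Auth-Type := LDAP
		}
	}
	pap
}
```

To check it, run radiusd -X and send a PAP request (radtest testuser 'testpasswd123' 127.0.0.1 0 testing123 is enough): authorize should now end with [ldap] = ok rather than fail, and the authenticate section should show rlm_ldap binding with the user's DN (or UPN) before the Access-Accept. On a capture of port 389, tshark -Y ldap.bindRequest_element -T fields -e ldap.name -e ldap.simple lists every identity that binds and, without TLS, the password beside it; with start_tls only the STARTTLS extended operation is visible and the binds are not. One more thing the debug output above shows: the default post-auth query writes User-Password into radpostauth.pass, so once AD passwords flow through this server they are stored in cleartext in MariaDB. Remove that value from the post-auth query in /etc/raddb/mods-config/sql/main/mysql/queries.conf before putting this into service.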