Freeradius/Radtest fails to authenticate against Google LDAP
Alan DeKok
aland at deployingradius.com
Mon Feb 8 21:08:30 CET 2021
On Feb 8, 2021, at 12:26 PM, Christian Bednarz <christian.bednarz at lanes-planes.com> wrote:
> I try hard to get Freeradius working with Google LDAP, but I feel totally stuck and desperate.
>
> My starting point was following the Google documentation ( https://support.google.com/a/answer/9089736?hl=en#zippy=%2Cfreeradius ), which some people pointed to being not really accurate. After some adjustments I find myself stuck in the wood. Admittedly I have just very basic knowledge of Linux (I use Ubuntu 20).
If Linux is new, configuring RADIUS can be complex. :(
> (0) Received Access-Request Id 50 from 127.0.0.1:39324 to 127.0.0.1:1812 length 95
> (0) User-Name = "it-test2 at lanes-planes.com"
> (0) User-Password = "PASSWORD"
> (0) NAS-IP-Address = 127.0.1.1
> (0) NAS-Port = 1
> ...
> rlm_ldap (ldap): Reserved connection (0)
> (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (0) ldap: --> (uid=it-test2)
> (0) ldap: Performing search in "dc=lanes-planes,dc=com" with filter "(uid=it-test2)", scope "sub"
> (0) ldap: Waiting for search result...
> (0) ldap: Search returned no results
> rlm_ldap (ldap): Released connection (0)
> Need 5 more connections to reach 10 spares
> rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
> rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
> rlm_ldap (ldap): Waiting for bind result...
> ber_get_next failed.
> rlm_ldap (ldap): Bind successful
> (0) [ldap] = notfound
So the user wasn't found in LDAP. What happens when you run "ldapsearch" manually?
The most recent versions of the server have full documentation on how to use the LDAP module configuration with the ldapsearch tool:
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-available/ldap
> (0) [expiration] = noop
> (0) [logintime] = noop
> (0) if (User-Password) {
> (0) if (User-Password) -> TRUE
> (0) if (User-Password) {
> (0) update control {
> (0) Auth-Type := ldap
> (0) } # update control = noop
> (0) } # if (User-Password) = noop
> Not doing PAP as Auth-Type is already set.
> (0) [pap] = noop
> (0) } # authorize = ok
> (0) Found Auth-Type = ldap
> (0) Auth-Type sub-section not found. Ignoring.
Well, I don't suggest setting "Auth-type = LDAP" unless you actually have "ldap" configured in the "authenticate" section.
But you shouldn't need that. Delete the "update control" section which sets "Auth-Type = LDAP".
And then make sure that the LDAP module configuration works. i.e. that when FreeRADIUS looks for a user in LDAP, the ldap module finds that user, and returns the password to FreeRADIUS.
Alan DeKok.
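To make the "run ldapsearch manually" check concrete, here is an added example (not FreeRADIUS code, and not part of this thread) that reproduces the filter the debug output shows rlm_ldap building, (uid=%{%{Stripped-User-Name}:-%{User-Name}}), and turns it into the equivalent ldapsearch command line using the base DN and server URL from the log. It assumes the User-Name is it-test2@lanes-planes.com and models realm stripping as a simplified "suffix" realm module; the RFC 4515 escaping is what keeps a User-Name containing "*", "(" or ")" from altering the search filter.

```python
"""Rebuild the LDAP search from the debug output so it can be re-run by hand.

Added example, not FreeRADIUS code. Realm stripping is a simplified model of
the "suffix" realm module; values in the defaults come from the debug log."""
import shlex


def rfc4515_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515),
    as rlm_ldap does, so user input cannot change the filter's structure."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def stripped_user_name(user_name: str, realm: str):
    """Model of the suffix realm module: 'user@realm' -> 'user' when the
    realm matches, otherwise Stripped-User-Name stays unset (None)."""
    if "@" in user_name:
        local, _, domain = user_name.rpartition("@")
        if domain.lower() == realm.lower():
            return local
    return None


def build_filter(user_name: str, realm: str) -> str:
    """Expand (uid=%{%{Stripped-User-Name}:-%{User-Name}}): use
    Stripped-User-Name if it is set, otherwise fall back to User-Name."""
    stripped = stripped_user_name(user_name, realm)
    value = stripped if stripped is not None else user_name
    return "(uid=%s)" % rfc4515_escape(value)


def ldapsearch_command(user_name: str, realm: str,
                       base_dn: str = "dc=lanes-planes,dc=com",
                       url: str = "ldaps://ldap.google.com:636") -> str:
    """Equivalent manual ldapsearch invocation (base DN, URL and scope taken
    from the debug log). Add the same bind options (-D/-w or the TLS client
    certificate settings) that mods-available/ldap uses before running it."""
    argv = ["ldapsearch", "-H", url, "-b", base_dn, "-s", "sub", "-x",
            build_filter(user_name, realm), "uid", "mail"]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    print(ldapsearch_command("it-test2@lanes-planes.com", "lanes-planes.com"))
```

If the printed command also returns no entries, the problem is in the LDAP configuration (base DN, bind identity, or the attribute Google stores the login name in), not in FreeRADIUS itself.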