How does "bind as user" mode work?

Rodrigo Abrantes Antunes rodrigoantunes at pelotas.ifsul.edu.br
Thu Aug 17 15:22:57 UTC 2023


You have to know that there are some people who aren't experts like
you. You probably have years of expertise in FreeRADIUS; I started to
learn it this month.

I thought the full debug output wouldn't be needed in this case;
that's why I didn't post it in the first message. You could have asked
for it in your first message and I would happily have provided it, and
all of this would have been avoided.

The documentation I am reading says nothing about posting all the
debug output to the list:
https://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto

Your guess was wrong because you totally ignored what I said earlier:
I said that I was not doing MSCHAP.

I configured the LDAP "bind as user" functionality exactly like in the
guide I sent you earlier; it says nothing about the inner tunnel.

In the default tunnel I uncommented this in authorize:

#  If you're using Active Directory and PAP, then uncomment
#  the following lines, and the "Auth-Type LDAP" section below.
#
#  This will let you do PAP authentication to AD.
#

if ((ok || updated) && User-Password && !control:Auth-Type) {
        update control {
                &Auth-Type := ldap
        }
}

And this in authenticate:

#  Uncomment it if you want to use ldap for authentication
#
#  Note that this means "check plain-text password against
#  the ldap database", which means that EAP won't work,
#  as it does not supply a plain-text password.
#
#  We do NOT recommend using this.  LDAP servers are databases.
#  They are NOT authentication servers.  FreeRADIUS is an
#  authentication server, and knows what to do with authentication.
#  LDAP servers do not.
#
#  However, it is necessary for Active Directory, because
#  Active Directory won't give the passwords to FreeRADIUS.
#

Auth-Type LDAP {
        ldap
}

In the inner tunnel there isn't this text: "However, it is necessary  
for Active Directory, because Active Directory won't give the  
passwords to FreeRADIUS."

That's why I have missed it, sorry. And sorry if I have not yet  
mastered all of the concepts of freeradius.

Quoting Alan DeKok <aland at deployingradius.com>:

> On Aug 17, 2023, at 10:17 AM, Rodrigo Abrantes Antunes  
> <rodrigoantunes at pelotas.ifsul.edu.br> wrote:
>> Can you point me where in the debug output it shows that it's doing  
>> PEAP+MSCHAP?
>
> The point is not to just post to the list and complain.  The point  
> is to *understand* what the server is doing.
>
> You should also not be surprised that my guess is wrong, because  
> you've been careful to provide as little information as possible  
> until about 4 messages into the conversation.  I don't understand  
> why there's such a need to ignore the documentation, and to post  
> vague questions.
>
> I also said that TTLS + PAP will work.  The only condition is that  
> it needs to be configured properly.  With LDAP "bind as user" set in  
> the inner tunnel.
>
> The debug log shows the important bit:
>
>> ...
>> (5) ldap: WARNING: No "known good" password added. Ensure the admin  
>> user has permission to read the password attribute
>> (5) ldap: WARNING: PAP authentication will *NOT* work with Active  
>> Directory (if that is what you were trying to configure)
>> rlm_ldap (ldap): Released connection (1)
>> (5)       [ldap] = ok
>> (5)       [expiration] = noop
>> (5)       [logintime] = noop
>> (5)       [pap] = noop
>> (5)     } # authorize = ok
>> (5)   ERROR: No Auth-Type found: rejecting the user via  
>> Post-Auth-Type = Reject
>
> If you had posted the full debug log at the start, all of this back  
> and forth could have been avoided.  You would have had a simple and  
> clear answer within about ten minutes.  Instead, you're getting  
> frustrated that you don't have a solution, and I'm frustrated that  
> you're working hard to avoid getting a solution.
>
> And even here you've edited the debug output to remove a good chunk  
> of it.  The beginning pieces are often useful when fixing problems  
> like this.  That's why we keep saying in ALL of the documentation to  
> post ALL of the debug output.  Just... read the documentation and do  
> what it says.  It's not hard, and it makes everything easier.
>
> The problem here is that you didn't configure the LDAP "bind as  
> user" functionality.  Which I said was needed for AD.
>
> Go back and read raddb/sites-enabled/inner-tunnel.
>
> Look for:
>
>         #  Uncomment this section if you want to use ldap for
>         #  authentication.  The "Auth-Type ldap { ...}" configuration
>         #  section below also has to be uncommented.
>
> And then follow the instructions.
>
> If the "inner-tunnel" doesn't contain that text, then either it was  
> deleted, or you're running an old version of the server which hasn't  
> had the documentation updated.  But I don't know what version you're  
> actually running, because the debug output has been edited, and  
> doesn't show that.
>
> You can read the updated documentation on GitHub:   
> https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/sites-available/inner-tunnel
>
> Follow those instructions, add the "Auth-Type := LDAP" as  
> documented, and it will work.
>
> This is why we write documentation.  This is why we ask people to  
> follow documentation.  These issues with AD have been known for 15+  
> years.  The main reason people still have difficulty with this is  
> because the documentation is being ignored.
>
> Alan DeKok.
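As an added illustration (not code from this thread, the wiki guide, or the shipped FreeRADIUS files), here are the same two sections placed where the reply says they belong for EAP-TTLS + PAP: raddb/sites-available/inner-tunnel, the virtual server that handles the inner request carrying the plain-text password. The comment text is mine; the module instance name `ldap` is assumed to be the default one from mods-available/ldap, and surrounding module calls in those sections are omitted.

```unlang
#  raddb/sites-available/inner-tunnel  (added illustration, not the shipped file)
#
#  With EAP-TTLS + PAP the outer request in sites-available/default only
#  carries EAP; the User-Password is decrypted from the TLS tunnel and
#  handed to THIS virtual server.  So the "bind as user" switch has to be
#  set in the inner-tunnel authorize section, not only in "default".

authorize {
        #  Look the user up in LDAP so the module learns the user's DN.
        #  The leading "-" means "skip silently if the module is not loaded".
        -ldap

        #  Active Directory will not return a password attribute, so no
        #  "known good" password is added and the pap module cannot check
        #  anything (the debug log then shows the ldap WARNINGs quoted above).
        #  Instead, tell the server to authenticate by binding to LDAP as
        #  the user with the password it just received from the tunnel.
        if ((ok || updated) && User-Password && !control:Auth-Type) {
                update control {
                        &Auth-Type := ldap
                }
        }
}

authenticate {
        #  Auth-Type ldap runs the ldap module's authenticate method,
        #  which performs the bind as the user's DN with User-Password.
        Auth-Type LDAP {
                ldap
        }
}
```

If this block is missing from inner-tunnel, the symptom in the inner request's debug output is exactly the sequence quoted in the reply: the two `ldap: WARNING` lines, `[pap] = noop`, and then `ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject`.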

