How does "bind as user" mode work?
Rodrigo Abrantes Antunes
rodrigoantunes at pelotas.ifsul.edu.br
Thu Aug 17 16:18:40 UTC 2023
Following this link I found that my inner-tunnel file is missing the
authorize section for ldap:
https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/sites-available/inner-tunnel
I added this at the end of authorize in inner-tunnel:
    if (!&control.Auth-Type && &User-Password) {
        update control {
            &Auth-Type := LDAP
        }
    }
Then I got this:
FreeRADIUS Version 3.2.1
Copyright (C) 1999-2022 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including configuration file /etc/freeradius/3.0/mods-enabled/utf8
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including configuration file /etc/freeradius/3.0/mods-enabled/logintime
including configuration file /etc/freeradius/3.0/mods-enabled/expiration
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file /etc/freeradius/3.0/mods-enabled/replicate
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/echo
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/3.0/mods-enabled/exec
including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file /etc/freeradius/3.0/mods-enabled/ldap
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file /etc/freeradius/3.0/mods-enabled/chap
including configuration file /etc/freeradius/3.0/mods-enabled/digest
including configuration file /etc/freeradius/3.0/mods-enabled/files
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/soh
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/mschap
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file /etc/freeradius/3.0/policy.d/filter
including configuration file /etc/freeradius/3.0/policy.d/control
including configuration file /etc/freeradius/3.0/policy.d/accounting
including configuration file /etc/freeradius/3.0/policy.d/eap
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including configuration file /etc/freeradius/3.0/policy.d/rfc7542
including configuration file /etc/freeradius/3.0/policy.d/cui
including configuration file /etc/freeradius/3.0/policy.d/canonicalization
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel
/etc/freeradius/3.0/sites-enabled/inner-tunnel[176]: Parse error in condition
/etc/freeradius/3.0/sites-enabled/inner-tunnel[176]:
(!&control.Auth-Type && &User-Password) {
/etc/freeradius/3.0/sites-enabled/inner-tunnel[176]: ^ Invalid request qualifier
Errors reading or parsing /etc/freeradius/3.0/radiusd.conf
Citando Alan DeKok <aland at deployingradius.com>:
> On Aug 17, 2023, at 11:22 AM, Rodrigo Abrantes Antunes
> <rodrigoantunes at pelotas.ifsul.edu.br> wrote:
>> You have to know that there are some people that aren't an expert
>> like you, you probably have years of expertise in freeradius, I
>> started to learn it this month.
>
> You don't have to be an expert to read the documentation. You don't
> have to be an expert to clearly describe what you did.
>
>> I thought the full debug output wouldn't be needed in this case,
>> that's why I didn't post it in the first message. You could have asked
>> for it in your first message and I would happily have provided it, and all of
>> this would have been avoided.
>
> Or, you could have read the documentation as you were told to do
> when you joined the list.
>
> When you join the list, you get an email saying POST THE FULL DEBUG
> OUTPUT OR PEOPLE WILL BE MAD AT YOU.
>
> All of the "getting started" guides, including the "man" page say to
> look at the debug output and when asking questions on the list, post
> the full debug output.
>
> Go read it: http://wiki.freeradius.org/list-help
>
>> The documentation I am reading says nothing about posting all the
>> debug output to the list:
>> https://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto
>
> Yes, because we don't update every single page to explain how to run
> the debug output. Instead, the documentation says for ANY problem,
> RUN IT IN DEBUG MODE AND READ THE OUTPUT.
>
>> Your guess was wrong because you totally ignored what I said
>> earlier, I said that I was not doing MSCHAP.
>
> Given you were confused and vague about much else of what you did, I
> didn't take that part seriously.
>
>> I configured the LDAP "bind as user" functionality exactly like in
>> the guide I sent you earlier, there is said nothing about inner
>> tunnel.
>
> Which is why we suggest reading the debug output, and thinking about it.
>
> If you see the password in the inner-tunnel, should you configure
> "bind as user" in the inner-tunnel?
>
> Again, it's OK to not be an expert. It's not OK to give vague
> descriptions "I did stuff and it didn't work". It's not OK to
> ignore the documentation you get sent when you join the list.
>
> Alan DeKok.
>
> -List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
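An added example for readers of this thread, not code from the original message or from the FreeRADIUS project: the same inner-tunnel block written in FreeRADIUS 3.x unlang, where a list is named with a colon (&control:Attr) rather than the dotted form the parse error above points at. It assumes the default "ldap" module instance from mods-enabled/ldap is in use.

```unlang
#  Added example, not from the thread.  In 3.x unlang the list qualifier
#  is "&control:Auth-Type"; "&control.Auth-Type" is 4.x syntax, which is
#  why 3.2.1 reports "Invalid request qualifier" at that position.
#  Assumes the default "ldap" module instance is enabled.

authorize {
	#  (the usual inner-tunnel authorize modules go here, e.g. -ldap)

	#  Last step of inner-tunnel authorize: if no earlier module has
	#  claimed the request and a cleartext password is present (which is
	#  the case for PEAP/TTLS-PAP inner requests), hand authentication to
	#  LDAP so that rlm_ldap binds to the directory as the user.
	if (!&control:Auth-Type && &User-Password) {
		update control {
			&Auth-Type := LDAP
		}
	}
}

authenticate {
	#  Setting Auth-Type only helps if the inner-tunnel authenticate
	#  section has a matching block that actually calls the ldap module.
	Auth-Type LDAP {
		ldap
	}
}
```

Because the bind needs the cleartext password, this only works for inner methods that carry one (PAP inside TTLS/PEAP); MSCHAP inner methods never give the server a password to bind with.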