Freeradius Authentification with active directory

Etienne CREMILLIEUX etienne.cremillieux at wifirst.fr
Wed Aug 23 15:53:23 UTC 2023


Hello,

I am trying to connect my FreeRADIUS to Active Directory.

The command sudo freeradius -X returns this:

(1) ldap:    --> Authenticated at 2023-08-23 17:16:46
rlm_ldap (ldap): Reserved connection (1)
(1) ldap: EXPAND (sAMAccountName=%{Stripped-User-Name}%{user-name}})
(1) ldap:    --> (sAMAccountName=wifirst_test@prodges.local})
(1) ldap: Performing search in "ou=Utilisateurs,dc=prodges,dc=local" with filter "(sAMAccountName=login_test@domain.local})", scope "sub"
(1) ldap: Waiting for search result...
(1) ldap: Search returned no results
rlm_ldap (ldap): Released connection (1)
Need more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots used
rlm_ldap (ldap): Connecting to ldaps://172.19.16.7:636

I have FreeRADIUS version 3.2.1 on Debian GNU/Linux 12 (bookworm).

My config /etc/freeradius/3.0/mods-enabled/ldap:
ldap {
        #  Note that this needs to match the name(s) in the LDAP
        #  server certificate, if you're using ldaps.  See OpenLDAP documentation
        #  for the behavioral semantics of specifying more than one host.
        #
        #  Depending on the libldap in use, server may be an LDAP URI.
        #  In the case of OpenLDAP this allows the following
        #  additional schemes:
        #  - ldaps:// (LDAP over SSL)
        #  - ldapi:// (LDAP over Unix socket)
        #  - ldapc:// (Connectionless LDAP)
        server = 'ldaps://172.19.16.7'
#       server = 'ldap.rrdns.example.org'
#       server = 'ldap.rrdns.example.org'

        #  Port to connect on, defaults to 389, will be ignored for LDAP URIs.
        port = 636

        #  Administrator account for searching and possibly modifying.
        #  If using SASL + KRB5 these should be commented out.
        identity = 'login_sync@domain.local'
        password = 'password123'

        #  Unless overridden in another section, the dn from which all
        #  searches will start from.
        base_dn = 'DC=domain,DC=local'

        user {
                #  Where to start searching in the tree for users
                base_dn = "ou=Utilisateurs,dc=domain,dc=local"

                #  Filter for user objects, should be specific enough
                #  to identify a single user object.
                #
                #  For Active Directory, you should use
                #  "samaccountname=" instead of "uid="
                #
#               filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
                filter = "(sAMAccountName=%{Stripped-User-Name}%{user-name}})"
#               filter = "(UserPrincipalName=%{Stripped-User-Name}:%{user-name}})"

                #  For Active Directory nested group, you should comment out the previous 'filter = ...'
                #  and use the below. Where 'group' is the group you are querying for.
                #
                #  NOTE: The string '1.2.840.113556.1.4.1941' specifies LDAP_MATCHING_RULE_IN_CHAIN.
                #  This applies only to DN attributes. This is an extended match operator that walks
                #  the chain of ancestry in objects all the way to the root until it finds a match.
                #  This reveals group nesting. It is available only on domain controllers with
                #  Windows Server 2003 SP2 or Windows Server 2008 (or above).
                #
                #  See: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
                #
#               filter = "(&(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf:1.2.840.113556.1.4.1941:=ou=Utilisateurs,dc=domain,dc=local))"

                #  SASL parameters to use for user binds
                #
                #  When we're prompted by the SASL library, these control
                #  the responses given.
                #
                #  Any of the config items below may be an attribute ref
                #  or an expansion, so different SASL mechs, proxy IDs
                #  and realms may be used for different users.

Regards

Etienne

-- 
This message and all attachments (hereafter "the message") are intended exclusively for the designated recipients. It contains confidential information that may be protected by professional secrecy. If you receive this message in error, please notify the sender immediately and destroy the message. Any use of this message not in keeping with its purpose, and any distribution or publication, in whole or in part, is prohibited without the express authorisation of the sender.
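Added example (not from the post above, and not FreeRADIUS's own code): a small Python model of how the xlat engine expands the ldap module's user filter, applied to the filter from the post and to the stock `%{%{Stripped-User-Name}:-%{User-Name}}` alternation form. The request attributes are constructed to mirror the two cases that matter here: a request in which a realm module populated Stripped-User-Name, and one in which only User-Name exists. It shows why the posted filter ends in a literal `}` (and concatenates both names when a realm was stripped), whereas the alternation falls back to User-Name only when nothing was stripped. Because User-Name is client-supplied, each substituted value is escaped per RFC 4515 so that it cannot change the filter's structure (rlm_ldap applies its own escape function to expanded values; the escape rule here is written by hand). The parsing in `expand` is a simplified model of the real xlat engine, which is an assumption of this example.

```python
# Constructed request attributes. The first is what a realm module leaves
# behind after splitting "user@realm"; in the second no realm was stripped,
# so Stripped-User-Name does not exist at all.
REQ_STRIPPED = {"User-Name": "login_test@domain.local",
                "Stripped-User-Name": "login_test"}
REQ_UNSTRIPPED = {"User-Name": "login_test@domain.local"}

# Filter from the post (the final '}' closes nothing) beside the stock
# FreeRADIUS shape, which falls back to User-Name when nothing was stripped.
POSTED_FILTER = "(sAMAccountName=%{Stripped-User-Name}%{user-name}})"
FALLBACK_FILTER = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"


def ldap_escape(value):
    """RFC 4515 escaping for a value placed inside a filter: the filter
    metacharacters ( ) * \\ and NUL become \\XX hex escapes."""
    return "".join("\\%02x" % ord(c) if c in "()*\\\x00" else c for c in value)


def _close_brace(s, start):
    """Index of the '}' that closes the '{' at s[start], or -1 if unbalanced."""
    depth = 0
    for i in range(start, len(s)):
        if s[i] == "{":
            depth += 1
        elif s[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    return -1


def _split_alternation(inner):
    """Split 'lhs:-rhs' at the first ':-' not nested inside braces, else None."""
    depth = 0
    for i in range(len(inner) - 1):
        if inner[i] == "{":
            depth += 1
        elif inner[i] == "}":
            depth -= 1
        elif depth == 0 and inner[i:i + 2] == ":-":
            return inner[:i], inner[i + 2:]
    return None


def expand(template, attrs):
    """Expand %{Attr} and the %{%{Attr}:-%{Other}} alternation the way the
    FreeRADIUS xlat engine does (simplified model), escaping every attribute
    value for LDAP. Names are case-insensitive; a missing attribute is ''."""
    lookup = {k.lower(): v for k, v in attrs.items()}
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            end = _close_brace(template, i + 1)
            if end < 0:
                raise ValueError("unterminated %{ in " + template)
            inner = template[i + 2:end]
            alt = _split_alternation(inner)
            if alt is not None:
                # Alternation: use the left side unless it expands to nothing.
                value = expand(alt[0], attrs) or expand(alt[1], attrs)
            else:
                value = ldap_escape(lookup.get(inner.lower(), ""))
            out.append(value)
            i = end + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def stray_close_braces(template):
    """Count '}' characters that close no %{...}; they end up as literal
    filter text, which is the defect in the posted filter."""
    depth, stray = 0, 0
    for c in template:
        if c == "{":
            depth += 1
        elif c == "}":
            if depth == 0:
                stray += 1
            else:
                depth -= 1
    return stray


if __name__ == "__main__":
    for name, tmpl in (("posted", POSTED_FILTER), ("fallback", FALLBACK_FILTER)):
        print(name, "filter, stray '}':", stray_close_braces(tmpl))
        print("  realm stripped   ->", expand(tmpl, REQ_STRIPPED))
        print("  nothing stripped ->", expand(tmpl, REQ_UNSTRIPPED))
    # A hostile login name: escaping keeps it from altering the filter structure.
    print("  hostile          ->", expand(FALLBACK_FILTER, {"User-Name": "*)(objectClass=*"}))
```

With the unstripped request, `expand(POSTED_FILTER, ...)` produces exactly the string seen in the debug output, `(sAMAccountName=login_test@domain.local})`, so the directory is asked for an account whose name ends in `}`. The same run with the alternation form yields `(sAMAccountName=login_test)` once a realm module has stripped the suffix, which is the value Active Directory stores in sAMAccountName.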

