google_ldap and google-ldap-auth

Alan DeKok aland at deployingradius.com
Mon Jun 19 11:56:53 UTC 2023


On Jun 19, 2023, at 2:59 AM, Mathias Maes <mathias.maes at maerlantatheneum.be> wrote:
> I am trying to get google-ldap-auth working in conjunction with google-ldap.

  Be aware that the google systems are *slow*.  i.e. they might take 1/2 second to respond.

 This is likely deliberate on their end.

> I have enabled the site and the module, also enabled cache-auth and ldap.
> Configured google-ldap with the right credentials. I changed as little as
> possible to the Google config (no groups, custom attributes, etc)
> freeradius -X starts without errors.

  That's good.

> I have not altered the default or inner-tunnel sites. I keep the example
> user "bob" with password "hello" enabled to check if I did not mess
> anything up.
> 
> radtest bob hello 127.0.0.1 0 testing123 is working.

  That's good.

> radtest mathias.maes at maerlantatheneum.be mypassword 127.0.0.1:18123 0
> testing123
> fails. It seems that "User-Name" is required for tunneled authentication.

  You have enabled the "filter_inner_identity" policy.  I don't know why.  That filter is only for tunneled authentication methods like TTLS or PEAP.

  If you read the debug log, you'll see that it's already running the "filter_username" policy.  So adding another filter isn't helpful.

  If you read the "filter_inner_tunnel" policy (raddb/policy.d/filter), you'll see how it operates.

  If you follow the documentation in "man radiusd", you should be using a slow and methodical approach to changing the configuration.  In which case things would start breaking as soon as you added the "filter_inner_identity" policy.  At which point you know exactly what is wrong.  Reading the documentation and configuration would then be useful.

  All of this is extensively documented, and the unlang policies are all available to be read.

> So my question is, how to test the outer.request.User-name with radtest? Or
> if I understand the logs totally wrong: Any ideas on what might be
> happening?

  Don't create a broken configuration.

  You can't just blindly follow some random third-party documentation.  You have to understand what you're trying to do, and how the server works.

  I will also note that you didn't say which documentation you followed.  It certainly wasn't any documentation we created.  None of our documentation says to add "filter_inner_identity" to the "default" virtual server.

  There's no magic here.  Just use the default configuration, enable the "ldap" module and point the ldap module to the google servers.  It *will* work.

  If you're following "Official google" documentation on how to get this to work, then don't.  Their documentation is garbage.  I've been trying to get them to fix it for years, but why would they listen to me?  They're google.  They're so smart that they don't care about anyone else.

  Alan DeKok.
