Problems to authenticate against an Azure AD LDAP

Uwe Faber uf at zkm.de
Fri Sep 22 13:56:09 UTC 2023


Alan DeKok wrote:
> On Sep 21, 2023, at 10:59 AM, Uwe Faber <uf at zkm.de> wrote:
>> here the debug output
>> ...
>> (5) eap_ttls:   User-Name = "testuser at karlshochschule.de"
>> (5) eap_ttls:   User-Password = "password"
>    So EAP-TTLS with PAP.  That's good.
>
>> (5) ldap_khs: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
>> (5) ldap_khs: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
>    yeah...
>
>    Read https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/mods-available/ldap
>
>    There's documentation for this.
>
>> ldap_msgfree
>> rlm_ldap (ldap_khs): Released connection (5)
>> Need 4 more connections to reach min connections (5)
>> rlm_ldap (ldap_khs): Opening additional connection (6), 1 of 9 pending slots used
>> rlm_ldap (ldap_khs): Connecting to ldaps://ldap.karlshochschule.de:636
>> ldap_create
>> ldap_url_parse_ext(ldaps://ldap.karlshochschule.de:636)
>> TLS: warning: cacertdir not implemented for gnutls
>    And using gnutls (in libldap) with OpenSSL (for EAP-TTLS) is likely to cause issues.
>
>    We've put more checks and warnings into v3 which complain about this issue.  But they exist only in the debug output, which usually means that they're hard to find.
>
>    Alan DeKok.
>
Hi Alan,
I changed the code in the inner tunnel as described in the link you gave;
the result is:

/etc/freeradius/3.0/sites-enabled/inner-khs[12]: Unknown or invalid value "ldap" for attribute Auth-Type
/etc/freeradius/3.0/sites-enabled/inner-khs[11]: Failed to parse "update" subsection.
/etc/freeradius/3.0/sites-enabled/inner-khs[2]: Errors parsing authorize section.

Here is the config:
server inner-tunnel {
     authorize {
         filter_username
         suffix
         update control {
             &Proxy-To-Realm := LOCAL
         }
         ldap_khs
         #text
         if ((ok || updated) && User-Password && !control:Auth-Type) {
                 update {
                     control:Auth-Type := ldap
                 }
         }
         #end text
         inner_eap {
             ok = return
         }
         pap
     }

     authenticate {
         Auth-Type PAP {
             pap
         }
         Auth-Type MS-CHAP {
             mschap
         }
         Auth-Type inner_eap {
             inner_eap
         }
     }

     post-auth {
         inner_tunnel_linelog

         Post-Auth-Type REJECT {
             inner_tunnel_linelog
             attr_filter.access_reject
             update outer.session-state {
                 &Module-Failure-Message := &request:Module-Failure-Message
             }
         }
     }
}
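For reference, this is how the inner-tunnel sections fit together once the Auth-Type value is actually defined. It is an added example following the mods-available/ldap documentation Alan linked, not configuration from this thread; it assumes the module instance keeps the name ldap_khs from the post, and the unchanged post-auth section is left out.

```unlang
server inner-tunnel {
    authorize {
        filter_username
        suffix
        update control {
            &Proxy-To-Realm := LOCAL
        }

        # Look the user up. Against Active Directory the password attribute is
        # not readable, so ldap_khs cannot hand pap a "known good" password;
        # that is what the two WARNING lines in the debug output mean.
        ldap_khs

        # Instead, let the module authenticate by binding to the directory with
        # the cleartext password that EAP-TTLS/PAP delivers. The value on the
        # right must be the name of an "Auth-Type <NAME> { }" section in
        # authenticate; without such a section the server knows no "ldap"
        # value, which is exactly the parse error on line 12 of the post.
        if ((ok || updated) && User-Password && !control:Auth-Type) {
            update {
                control:Auth-Type := LDAP
            }
        }

        inner_eap {
            ok = return
        }
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        # Defines the LDAP value used above and makes the ldap_khs instance
        # perform the bind-as-user check.
        Auth-Type LDAP {
            ldap_khs
        }
        Auth-Type inner_eap {
            inner_eap
        }
    }
}
```

Check the result with "radiusd -XC" before restarting; the Auth-Type sections are registered before the authorize section is compiled, so the "Unknown or invalid value" error should disappear.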





