Here is the debug output:

Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:38245, id=181, length=56
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "eap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
    users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "test" with password "test"
radius_xlat:  '(sAMAccountName=test)'
radius_xlat:  'o=notexist'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to cityhalldc1.ci.bend.or.us:389, authentication 0
rlm_ldap: bind as CN=freeradius,CN=Users,DC=my,DC=domain,DC=com/password to my.dc.com:389
rlm_ldap: waiting for bind result ...
request 1 done
rlm_ldap: performing search in o=notexist, with filter (sAMAccountName=test)
request 2 done
rlm_ldap: ldap_search() failed: Operations error
ldap_release_conn: Release Id: 0
  modcall[authenticate]: module "ldap" returns fail for request 0
modcall: group Auth-Type returns fail for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0


Albers Darren <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]

03/17/2004 07:46 PM

Please respond to
[EMAIL PROTECTED]

To
[EMAIL PROTECTED]
cc
Subject
RE: Using freeradius to authenticate users to a Windows 2000 AD

Oops, I forgot the link
 
http://lists.cistron.nl/archives/freeradius-users/2004/03/frm00428.html


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Albers Darren
Sent:
Wednesday, March 17, 2004 10:04 PM
To:
[EMAIL PROTECTED]
Subject:
RE: Using freeradius to authenticate users to a Windows 2000 AD


Steve,
 
Here is a link to that earlier post of mine; it might be more helpful.  Feel free to post your radiusd.conf and I will see if I can help.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve OBrien
Sent:
Wednesday, March 17, 2004 5:21 PM
To:
[EMAIL PROTECTED]
Subject:
RE: Using freeradius to authenticate users to a Windows 2000 AD



Well, it still seems not to be working.  And I could not find your other article; I searched for radiusd.conf and your name and email with no luck.  The output is not helpful:


Request:

/usr/local/bin/radtest guest "test" localhost 1 testing123
Sending Access-Request of id 104 to 127.0.0.1:1812
       User-Name = "guest"
       User-Password = "test"
       NAS-IP-Address = blade1.ci.bend.or.us
       NAS-Port = 1
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=104, length=20

Response:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:33317, id=104, length=57
       User-Name = "guest"
       User-Password = "test"
       NAS-IP-Address = 255.255.255.255
       NAS-Port = 1
modcall: entering group authorize for request 0
 modcall[authorize]: module "preprocess" returns ok for request 0
 modcall[authorize]: module "chap" returns noop for request 0
 modcall[authorize]: module "eap" returns noop for request 0
   rlm_realm: No '@' in User-Name = "guest", looking up realm NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop for request 0
   users: Matched DEFAULT at 152
 modcall[authorize]: module "files" returns ok for request 0
 modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns ok for request 0
 rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request




Steve O'Brien
City of Bend
Network Administrator
[EMAIL PROTECTED]
541-322-6393


Albers Darren <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]

03/17/2004 11:37 AM

Please respond to
[EMAIL PROTECTED]


To
"'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
cc
Subject
RE: Using freeradius to authenticate users to a Windows 2000 AD

With the help of another individual on this list, Richard Lucassen, we were able to get it working to authenticate against either a group or against AD as a whole.  To see an example I posted of just authenticating a user in general against AD, look for another post by me with a sample radiusd.conf.

Here is what Richard and I put together to get group auth working; this may not be the 100% correct way, but it worked for us, and if anyone has any suggestions that would be great.  The comments are my comments, and since the formatting will probably be borked please don't just copy and paste this into your radiusd.conf:

ldap {
        server = "FDC of your DC"

        # Account in AD with the rights to query AD for the user account properties; in this example I have an
        # account named freeradius located in my Users container in the domain dc.domain.com that I am using to auth.
        identity = "CN=freeradius,CN=Users,DC=dc,DC=domain,DC=com"

        # password of the above account
        password = password

        # Base DN to search from, usually the top of your domain; in this example it is dc.domain.com
        basedn = "DC=dc,DC=domain,DC=com"

        # This is the search filter to find the user's account and then check its group membership.  You will see
        # that I used the full path to the group including the container it is located in.  This example is for a
        # group named RemoteUser in the Users container in the domain dc.domain.com
        filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=CN=RemoteUser,CN=Users,DC=dc,DC=domain,DC=com))"
        password_attribute = userPassword
        timeout = 4
        timelimit = 3
        net_timeout = 1
        compare_check_items = yes
}

I commented out the groupmembership stuff, but I am not sure if that was a bad thing or not.  Eventually I plan on writing this into a quick Howto and posting it again.

Let me know if this helps or if you have any further questions
and again my thanks to Richard for all his help in getting this working!

 
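The stanza above feeds the RADIUS User-Name straight into an LDAP search filter, and Steve's debug output at the top of the thread shows rlm_ldap binding and then the search itself failing with "Operations error". The script below is an added example, not code from this thread or from the FreeRADIUS project: it parses the ldap {} block, expands the filter the way rlm_ldap's %{...} xlat does (escaping the user-supplied value per RFC 4515, so that a name such as "*)(objectClass=*" is matched literally instead of rewriting the filter), and builds an OpenLDAP ldapsearch command that repeats the same bind and search outside radiusd, which separates a bind problem from a base-DN or filter problem. The host dc.domain.com stands in for the "FDC of your DC" placeholder and is an assumption; the escaping rule is meant to match what rlm_ldap applies when it expands the filter.

```python
# Added example (not from the thread or the FreeRADIUS project): parse the
# ldap {} stanza, expand its search filter with RFC 4515 escaping of the
# user-supplied name, and build an ldapsearch command for out-of-band checks.
import shlex

# Constructed copy of the posted stanza; "dc.domain.com" is an assumed
# stand-in for the "FDC of your DC" placeholder, not a real host.
SAMPLE_CONFIG = """
ldap {
        server = "dc.domain.com"
        # account with rights to query AD for user properties
        identity = "CN=freeradius,CN=Users,DC=dc,DC=domain,DC=com"
        password = password
        basedn = "DC=dc,DC=domain,DC=com"
        filter ="(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=CN=RemoteUser,CN=Users,DC=dc,DC=domain,DC=com))"
        password_attribute = userPassword
        timeout = 4
        compare_check_items = yes
}
"""


def parse_ldap_stanza(text: str) -> dict:
    """Return the key = value pairs inside an ldap { ... } block.

    Comments, blank lines and the brace lines are skipped; surrounding
    double quotes are removed from values. Only the first '=' splits a line,
    so filters containing '=' survive intact.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.endswith("{") or line == "}":
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings


# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value, otherwise a crafted User-Name changes the filter's
# structure instead of being compared as a literal account name.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one attribute value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_xlat(template: str, attrs: dict) -> str:
    """Expand %{Attr} and %{Attr:-default} references, nested defaults included.

    Attribute values are escaped on insertion; default text is literal (an
    inner %{...} inside a default was already escaped when it expanded), so
    nothing is escaped twice.
    """
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            text, i = _expand_one(template, i + 2, attrs)
            out.append(text)
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def _expand_one(t: str, i: int, attrs: dict):
    """Parse one xlat body starting just after '%{'; return (text, index after '}')."""
    j = i
    while j < len(t) and t[j] not in ":}":
        j += 1
    name = t[i:j]
    default = None
    if t.startswith(":-", j):
        j += 2
        parts = []
        while j < len(t) and t[j] != "}":
            if t.startswith("%{", j):
                inner, j = _expand_one(t, j + 2, attrs)
                parts.append(inner)
            else:
                parts.append(t[j])
                j += 1
        default = "".join(parts)
    if j >= len(t) or t[j] != "}":
        raise ValueError("unterminated %{...} in filter template")
    value = attrs.get(name)
    if value is not None:
        return escape_filter_value(value), j + 1
    return (default if default is not None else ""), j + 1


def ldapsearch_argv(settings: dict, attrs: dict) -> list:
    """OpenLDAP ldapsearch invocation repeating rlm_ldap's bind and search.

    -W prompts for the bind password rather than exposing it in the process
    list; the expanded filter is followed by the attribute list ("dn").
    """
    search_filter = expand_xlat(settings["filter"], attrs)
    return ["ldapsearch", "-x", "-H", "ldap://" + settings["server"],
            "-D", settings["identity"], "-W", "-b", settings["basedn"],
            search_filter, "dn"]


if __name__ == "__main__":
    cfg = parse_ldap_stanza(SAMPLE_CONFIG)
    print(shlex.join(ldapsearch_argv(cfg, {"User-Name": "test"})))
    print(expand_xlat(cfg["filter"], {"User-Name": "*)(objectClass=*"}))
```

Run the printed ldapsearch command from the radiusd host: a failure at the bind step points at the identity or password, while a bind that succeeds and a search that returns nothing or an error points at basedn or the filter. The second print shows the hostile name arriving in the filter as escaped bytes, which is the property to confirm whenever user input is interpolated into a filter.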

-----Original Message-----
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Steve OBrien
Sent:
Wednesday, March 17, 2004 2:24 PM
To:
[EMAIL PROTECTED]
Subject:
Using freeradius to authenticate users to a Windows 2000 AD



I have seen threads pertaining to this but I cannot seem to get it to work.  I would like to authenticate users via freeradius against a Windows 2000 AD domain using LDAP.  Is this possible? If so, does anyone have a sample config?


TIA,

Steve


