Steve I've seen that "Operations error" before with FreeRadius & AD LDAP access. It appears to happen consistently when LDAP is used as opposed to LDAPS (this is more pronounced with Windows Server 2003 DCs, but happens with Win2K as well). If you change the port to 636 (with start_tls=no), you will be using LDAPS to AD. In this case, the "Operations error" does not happen, and the AD lookup works well. You should note that you will need to import your Windows DC Root CA cert onto the FreeRadius box for this to work - this is pretty straightforward by using OpenSSL and OpenLDAP tools. Let me know if you need instructions to do this latter part.
Also note (this would be happening now with LDAP or LDAPS), that depending on your base DN and the location of the users in your AD tree, the AD LDAP server could be returning referrals. These are also chased by FreeRadius LDAP interface, and could go to DCs that you did not configure in your radiusd.conf file, depending on the DNS resolution returned. You can see if this happening by setting ldap_debug = 0x0001. Tarun -----Original Message----- From: Steve OBrien [mailto:[EMAIL PROTECTED] Sent: Friday, 19 March 2004 2:35 AM To: [EMAIL PROTECTED] Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD Here is the debug output: Module: Instantiated radutmp (radutmp) Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp. Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:38245, id=181, length=56 User-Name = "test" User-Password = "test" NAS-IP-Address = 255.255.255.255 NAS-Port = 1 modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "eap" returns noop for request 0 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 users: Matched DEFAULT at 152 modcall[authorize]: module "files" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" modcall: entering group Auth-Type for request 0 rlm_ldap: - authenticate rlm_ldap: login attempt by "test" with password "test" radius_xlat: '(sAMAccountName=test)' radius_xlat: 'o=notexist' ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to cityhalldc1.ci.bend.or.us:389, authentication 0 rlm_ldap: bind as CN=freeradius,CN=Users,DC=my,DC=domain,DC=com/password to my.dc.com:389 rlm_ldap: waiting for bind result ... request 1 done rlm_ldap: performing search in o=notexist, with filter (sAMAccountName=test) request 2 done rlm_ldap: ldap_search() failed: Operations error ldap_release_conn: Release Id: 0 modcall[authenticate]: module "ldap" returns fail for request 0 modcall: group Auth-Type returns fail for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Albers Darren <[EMAIL PROTECTED]> Sent by: [EMAIL PROTECTED] 03/17/2004 07:46 PM Please respond to [EMAIL PROTECTED] [EMAIL PROTECTED] cc SubjectRE: Using freeradius to authenticate users to a Windows 2000 AD Oops, I forgot the link http://lists.cistron.nl/archives/freeradius-users/2004/03/frm00428.html From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Albers Darren Sent: Wednesday, March 17, 2004 10:04 PM To: [EMAIL PROTECTED] Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD Steve, Here is a link to that earlier post of mine, it might be more helpfull. Feel free to post your radiusd.conf and I will see if I can help. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve OBrien Sent: Wednesday, March 17, 2004 5:21 PM To: [EMAIL PROTECTED] Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD Well it still seems not to be working. And I could not find your other article, I searched for radiusd.conf and your name and email with no luck. The output is not helpfull: Request: /usr/local/bin/radtest guest "test" localhost 1 testing123 Sending Access-Request of id 104 to 127.0.0.1:1812 User-Name = "guest" User-Password = "test" NAS-IP-Address = blade1.ci.bend.or.us NAS-Port = 1 rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=104, length=20 Response: Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:33317, id=104, length=57 User-Name = "guest" User-Password = "test" NAS-IP-Address = 255.255.255.255 NAS-Port = 1 modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "eap" returns noop for request 0 rlm_realm: No '@' in User-Name = "guest", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 users: Matched DEFAULT at 152 modcall[authorize]: module "files" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request Steve O'Brien City of Bend Network Administrator [EMAIL PROTECTED] 541-322-6393 Albers Darren <[EMAIL PROTECTED]> Sent by: [EMAIL PROTECTED] 03/17/2004 11:37 AM Please respond to [EMAIL PROTECTED] To"'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]> cc SubjectRE: Using freeradius to authenticate users to a Windows 2000 AD With the help of another individual on this list Richard Lucassen we were able to get it working to authenticate against either a group or against AD as a whole. To see an example I posted of just authenticated a user in general against AD look for another post by me with a sample radiusd.conf. Here is what Richard and I put together to get group auth working, this may not be the 100% correct way but it worked for us and if anyone has any suggestions that would be great. The comments are my comments and since the formatting will probably be borked please don't just copy and paste this into your radiusd.conf: ldap { server = "FDC of your DC" #Account in AD with the rights to query ad for the user account properties, in this example I have an account named freeradius located in # my users container in the domain dc.domain.com that I am using to auth. identity = "CN=freeradius,CN=Users,DC=dc,DC=domain,DC=com" #password of the above account password = password #Base dn to search from, usually the top of your domain, in this example it is dc.domain.com basedn = "DC=dc,DC=domain,DC=com" #This is the search filter to find the users account and then check it's group membership. You will see that I used the full path to the # group including the conatiner it is located in. This example is for a group named RemoteUser in the users container in the domain #dc.domain.com filter ="(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=CN=Rem oteUser,CN=Users,DC=dc,DC=domain,DC=com))" password_attribute = userPassword timeout = 4 timelimit = 3 net_timeout = 1 compare_check_items = yes I commented out the groupmembership stuff, but I am not sure if that was a bad thing or not. Eventually I plan on writing this into a quick Howto and posting it again. Let me know if this helps or if you have any further questions and again my thanks to Richard for all his help in getting this working! -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Steve OBrien Sent: Wednesday, March 17, 2004 2:24 PM To: [EMAIL PROTECTED] Subject: Using freeradius to authenticate users to a Windows 2000 AD I have seen threads pertaining to this but I cannot seem to get it to work. I would like to authenticate users via freeradius against a windows 2000 ad domain using LDAP. Is this possible if so anyone have a sample config?? TIA, Steve ********************************************************************** The information and any files contained in this e-mail message are property of WestPoint Stevens Inc., its subsidiaries or affiliates, and are intended only for use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you hereby are notified that use, dissemination, distribution or copying of this information is strictly prohibited. If you have received this communication in error, please immediately notify us by return e-mail and destroy the original message. Thank you. ********************************************************************** NOTICE This e-mail and any attachments are confidential and may contain copyright material of Macquarie Bank or third parties. If you are not the intended recipient of this email you should not read, print, re-transmit, store or act in reliance on this e-mail or any attachments, and should destroy all copies of them. Macquarie Bank does not guarantee the integrity of any emails or any attached files. The views or opinions expressed are the author's own and may not reflect the views or opinions of Macquarie Bank. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
