Now I am seeing this in the windows dc server log:
A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0xffffffff
I was using the CA certificate but that cannot be exported with the private key (AFAIK). My CA is a member server not a dc.
[EMAIL PROTECTED] wrote: -----
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0xffffffff
I was using the CA certificate but that cannot be exported with the private key (AFAIK). My CA is a member server not a dc.
To: <[EMAIL PROTECTED]>
From: "Tarun Bhushan" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 03/18/2004 06:57PM
Subject: RE: Using freeradius to authenticate users to a Windows 2000 ADYes - I did mention this in an earlier mail. Relevant portion of radiusd.conf shown below. The combination of Port=636 AND start_tls=no is important. In my experience, setting start_tls=yes does not work with AD or Novell eDirectory, but does work with OpenLDAP.ldap ldap1 {
server = "somedc.somecompany.com"
port = 636
identity = "cn=lookup,ou=users,dc=somecompany,dc=com"
password = Password
basedn = "dc=somecompany,dc=com"
filter = "(cn=%U)"
# set this to 'yes' to use TLS encrypted connections
# to the LDAP database.
start_tls = no
#tls_mode = no
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap
# ldap_cache_timeout = 120
# ldap_cache_size = 0
ldap_connections_number = 10
groupname_attribute = cn
groupmembership_filter = "(&(objectClass=Group)(member=%{Ldap-UserDn}))"
timeout = 10
timelimit = 10
net_timeout = 5
#ldap_debug = 0xFFFF
#ldap_debug = 0x0001
compare_check_items = yes
access_attr_used_for_allow = no
}Tarun-----Original Message-----
From: Steve OBrien [mailto:[EMAIL PROTECTED]
Sent: Friday, 19 March 2004 11:59 AM
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD
Do you need to modify the radiusd.conf file to use ldaps?
Steve O'Brien
City of Bend
Network Administrator
[EMAIL PROTECTED]
541-322-6393
"Tarun Bhushan" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]03/18/2004 04:28 PM
[EMAIL PROTECTED]
<[EMAIL PROTECTED]>
RE: Using freeradius to authenticate users to a Windows 2000 AD
Steve
The instructions are shown below. I see that you have included the group membership check into your filter. I have not done this - I have stuck with the separate group membership check shown in the default FreeRadius radiusd.conf - it does make an extra LDAP call, but it works. Just as a matter of interest, I also use configurable failover to three separate DCs - that works well too - you only need the root CA cert for LDAPS to all of them.
Tarun
==================== Document =============================
In order that LDAP clients can connect to Active Directory with TLS/SSL, we need to make some configuration changes.
Export the Active Directory root CA certificate in DER format. This is usually done on a Windows domain controller running Certification Services. It has been observed that this server needs to have a name without underscores in it. Copy the exported certificate file to the /etc/openldap/demoCA directory - we will use this existing directory for our CA certificates. The file would normally end with .cer.
We need to convert this file to PEM format. This is done with:
shell> openssl x509 -in rootdc.ca.cer -inform d -out rootdc.ca.pem
We now need to modify the file /etc/openldap/ldap.conf to look like:
=========================================================================
# @(#)$Id: ldap.conf,v 1.27 2003/01/17 21:37:12 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#
# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
host rootdc.somecompany.com
# The distinguished name of the search base.
base dc=somecompany,dc=com
# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn uid=lookup,dc=somecompany,dc=com
# The credentials to bind with.
# Optional: default is no credential.
#bindpw nothing
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=padl,dc=com
# The port.
# Optional: default is 389.
#port 389
# The search scope.
#scope sub
#scope one
#scope base
# Search timelimit
#timelimit 30
# Bind timelimit
#bind_timelimit 30
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
# Active Directory SSL options
ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
tls_checkpeer no
# CA certificates for server certificate verification
TLS_CACERT /etc/openldap/demoCA/rootdc.ca.pem
=========================================================================
Note the pointer to the CA PEM file we created earlier. It should be noted that the AD servers will need to have SSL (TLS) certificates generated/installed, and have the LDAP interface listening on the LDAPS port (636). As passwords and other authentication/authorisation data will be exchanged across the network, this channel should not be in clear-text.
========================== End Document ==============================
-----Original Message-----
From: Steve OBrien [mailto:[EMAIL PROTECTED]
Sent: Friday, 19 March 2004 10:11 AM
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD
Thanks Tarun,
Yes I would like instructions for importing my root CA into my freeradius box!
"Tarun Bhushan" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]03/18/2004 03:06 PM
[EMAIL PROTECTED]
<[EMAIL PROTECTED]>
RE: Using freeradius to authenticate users to a Windows 2000 AD
Steve
I've seen that "Operations error" before with FreeRadius & AD LDAP
access. It appears to happen consistently when LDAP is used as opposed
to LDAPS (this is more pronounced with Windows Server 2003 DCs, but
happens with Win2K as well). If you change the port to 636 (with
start_tls=no), you will be using LDAPS to AD. In this case, the
"Operations error" does not happen, and the AD lookup works well. You
should note that you will need to import your Windows DC Root CA cert
onto the FreeRadius box for this to work - this is pretty
straightforward by using OpenSSL and OpenLDAP tools. Let me know if you
need instructions to do this latter part.
Also note (this would be happening now with LDAP or LDAPS), that
depending on your base DN and the location of the users in your AD tree,
the AD LDAP server could be returning referrals. These are also chased
by FreeRadius LDAP interface, and could go to DCs that you did not
configure in your radiusd.conf file, depending on the DNS resolution
returned. You can see if this happening by setting ldap_debug = 0x0001.
Tarun
-----Original Message-----
From: Steve OBrien [mailto:[EMAIL PROTECTED]
Sent: Friday, 19 March 2004 2:35 AM
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD
Here is the debug output:
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on
1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:38245, id=181,
length=56
User-Name = "test"
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "eap" returns noop for request 0
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "test" with password "test"
radius_xlat: '(sAMAccountName=test)'
radius_xlat: 'o=notexist'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to cityhalldc1.ci.bend.or.us:389, authentication 0
rlm_ldap: bind as CN=freeradius,CN=Users,DC=my,DC=domain,DC=com/password
to my.dc.com:389
rlm_ldap: waiting for bind result ...
request 1 done
rlm_ldap: performing search in o=notexist, with filter
(sAMAccountName=test)
request 2 done
rlm_ldap: ldap_search() failed: Operations error
ldap_release_conn: Release Id: 0
modcall[authenticate]: module "ldap" returns fail for request 0
modcall: group Auth-Type returns fail for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Albers Darren <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
03/17/2004 07:46 PM Please respond to
[EMAIL PROTECTED]
[EMAIL PROTECTED]
cc
SubjectRE: Using freeradius to authenticate users to a Windows 2000 AD
Oops, I forgot the link
http://lists.cistron.nl/archives/freeradius-users/2004/03/frm00428.html
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Albers
Darren
Sent: Wednesday, March 17, 2004 10:04 PM
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD
Steve,
Here is a link to that earlier post of mine, it might be more helpfull.
Feel free to post your radiusd.conf and I will see if I can help.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve
OBrien
Sent: Wednesday, March 17, 2004 5:21 PM
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD
Well it still seems not to be working. And I could not find your other
article, I searched for radiusd.conf and your name and email with no
luck. The output is not helpfull:
Request:
/usr/local/bin/radtest guest "test" localhost 1 testing123
Sending Access-Request of id 104 to 127.0.0.1:1812
User-Name = "guest"
User-Password = "test"
NAS-IP-Address = blade1.ci.bend.or.us
NAS-Port = 1
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=104,
length=20
Response:
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:33317, id=104,
length=57
User-Name = "guest"
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "eap" returns noop for request 0
rlm_realm: No '@' in User-Name = "guest", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
Steve O'Brien
City of Bend
Network Administrator
[EMAIL PROTECTED]
541-322-6393
Albers Darren <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
03/17/2004 11:37 AM
Please respond to
[EMAIL PROTECTED]
To"'[EMAIL PROTECTED]'"
<[EMAIL PROTECTED]>
cc
SubjectRE: Using freeradius to authenticate users to a Windows 2000 AD
With the help of another individual on this list Richard Lucassen we
were able to get it working to authenticate against either a group or
against AD as a whole. To see an example I posted of just authenticated
a user in general against AD look for another post by me with a sample
radiusd.conf.
Here is what Richard and I put together to get group auth working, this
may not be the 100% correct way but it worked for us and if anyone has
any suggestions that would be great. The comments are my comments and
since the formatting will probably be borked please don't just copy and
paste this into your radiusd.conf:
ldap {
server = "FDC of your DC"
#Account in AD with the rights to query ad for the user account
properties, in this example I have an account named freeradius located
in
# my users container in the domain dc.domain.com that I am using to
auth.
identity = "CN=freeradius,CN=Users,DC=dc,DC=domain,DC=com"
#password of the above account
password = password
#Base dn to search from, usually the top of your domain, in this
example it is dc.domain.com
basedn = "DC=dc,DC=domain,DC=com"
#This is the search filter to find the users account and then check
it's group membership. You will see that I used the full path to the
# group including the conatiner it is located in. This example is for
a group named RemoteUser in the users container in the domain
#dc.domain.com
filter
="(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=CN=Rem
oteUser,CN=Users,DC=dc,DC=domain,DC=com))"
password_attribute = userPassword
timeout = 4
timelimit = 3
net_timeout = 1
compare_check_items = yes
I commented out the groupmembership stuff, but I am not sure if that was
a bad thing or not. Eventually I plan on writing this into a quick
Howto and posting it again.
Let me know if this helps or if you have any further questions and again
my thanks to Richard for all his help in getting this working!
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Steve
OBrien
Sent: Wednesday, March 17, 2004 2:24 PM
To: [EMAIL PROTECTED]
Subject: Using freeradius to authenticate users to a Windows 2000 AD
I have seen threads pertaining to this but I cannot seem to get it to
work. I would like to authenticate users via freeradius against a
windows 2000 ad domain using LDAP. Is this possible if so anyone have a
sample config??
TIA,
Steve
**********************************************************************
The information and any files contained in this e-mail message are
property of WestPoint Stevens Inc., its subsidiaries or affiliates, and
are intended only for use of the individual or entity named above. If
the reader of this message is not the intended recipient, or the
employee or agent responsible to deliver it to the intended recipient,
you hereby are notified that use, dissemination, distribution or copying
of this information is strictly prohibited. If you have received this
communication in error, please immediately notify us by return e-mail
and destroy the original message. Thank you.
**********************************************************************
NOTICE
This e-mail and any attachments are confidential and may contain copyright material of Macquarie Bank or third parties. If you are not the intended recipient of this email you should not read, print, re-transmit, store or act in reliance on this e-mail or any attachments, and should destroy all copies of them. Macquarie Bank does not guarantee the integrity of any emails or any attached files. The views or opinions expressed are the author's own and may not reflect the views or opinions of Macquarie Bank.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
