Authenticating users checking Huntgroup-Name in unlang

2012-12-05 Thread suggestme IT

Hi,
 
I have set up a FreeRadius 2.1.12 server and configured it to authorize and 
authenticate users that are in Active Directory and the users file. I have tested 
in a real wireless environment authenticating users from Active Directory & the 
users file, and it is successful. But according to our organization's 
requirement I need to allow or reject users for wireless or VPN access by 
checking huntgroups and an attribute in AD or the users file accordingly, 
so I have configured a huntgroup named wirelesstest in huntgroups and have 
configured my NAS-IP-Address as: (Some names & IP addresses are edited for 
privacy)
 
/usr/local/etc/raddb/huntgroups
 
wirelesstest    NAS-IP-Address == IP Address
wirelesstest    NAS-IP-Address == IP Address
wirelesstest    NAS-IP-Address == IP Address
 
Clients are configured in clients.conf file as:
 
/usr/local/etc/raddb/clients.conf
 
client Primary_controller {
    ipaddr = IP Address
    secret = password
    shortname = primary
    nastype = enterasys
}
 
In the default & inner_tunnel files, the unlang conditional checks are 
done under the ldap & files sub-sections of the authorize section:
 
/usr/local/etc/raddb/sites-enabled/default  and  
/usr/local/etc/raddb/sites-enabled/inner-tunnel
 
 
authorize {
    ...

    ldap

    if (%{Huntgroup-Name} == wirelesstest) {
        if (control:Connect-Type == wireless) {
            update control {
                Auth-Type := Accept
            }
        }
        else {
            update control {
                Auth-Type := Reject
            }
        }
    }

    files
    if (%{Huntgroup-Name} == wirelesstest) {
        if (control:Connect-Type == wireless) {
            update control {
                Auth-Type := Accept
            }
        }
        else {
            update control {
                Auth-Type := Reject
            }
        }
    }
 
While testing through radtest it works as expected. The unlang condition is 
checked, the attribute is also checked against Active Directory or the users file, 
and it authenticates users if it matches and rejects them if it doesn't.
 
But in real wireless environment testing I don't get any response at the client 
side, and after a long time it says it can't connect. But when checking the debug 
log (running radiusd -X) it shows it is checking the condition and sending 
Access-Accept or Access-Reject accordingly.
 
I tried different conditional checks in unlang; checking against shortname 
as:
 
if (%{client:shortname} =~ /^primary/){
 
checking against huntgroup as:
 
if (%{client:huntgroup} == wireless){
 
But none of these settings gives me any response at the client side, although my 
debug log shows the condition is being checked and Access-Accept or Access-Reject 
is sent.
 
 
Part of debug log is as follows:
 

Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
User-Name = test
User-Password = password
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
User-Name = test
User-Password = password
FreeRADIUS-Proxied-To = 127.0.0.1
NAS-IP-Address = IP Address
NAS-Port = 116
Framed-MTU = 1400
Called-Station-Id = 00:1e:35:7f:ec:35
Calling-Station-Id = 00:35:5c:68:c0:08
NAS-Port-Type = Wireless-802.11
NAS-Identifier = Wireless_Test
Service-Type = Framed-User
Siemens-AP-Serial = 0600010084050956
Siemens-AP-Name = TEST
Siemens-VNS-Name = Wireless_Test
Siemens-SSID = Wireless_Test
Siemens-BSS-MAC = 00:1e:35:7f:ec:35
server inner-tunnel {
# Executing section authorize from file 
/usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[mschap] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[ldap] performing user authorization for test
[ldap]  expand: %{Stripped-User-Name} -
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} - test
[ldap]  expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) - 
(sAMAccountName=test)
[ldap]  expand: dc=example,dc=com - dc=example,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=example,dc=com, with filter 
(sAMAccountName=test)
[ldap] looking for check items in directory...
  [ldap] extensionAttribute15 - Connect-Type == wireless
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that the 
user is configured correctly?
[ldap] Setting Auth-Type = LDAP
[ldap] user test authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if 

Creating Certificates for EAP

2012-03-14 Thread suggestme
Hi,

I am trying to create certificates in Freeradius by going inside
/usr/local/etc/raddb/certs. I need these certificates for EAP-TTLS
authentication for wireless access points. As suggested on
deployingradius.com and in the README inside /usr/local/etc/raddb/certs, I tried to
create test certificates for testing purposes at first. I tried the command
make inside /usr/local/etc/raddb/certs, but it doesn't do anything, i.e. it
doesn't show any certificates being built. I also tried ./bootstrap inside
the same certs directory; it also doesn't do anything. I don't see
any certificates like a root CA that have been built after I run make or
./bootstrap inside the certs directory. I have already installed
openssl on my FreeBSD machine on which the freeradius server is
installed. Is there anything I am missing? Your suggestions would be
greatly appreciated.


Thanks

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Creating-Certificates-for-EAP-tp5564660p5564660.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Creating Certificates for EAP

2012-03-14 Thread suggestme
I tried: openssl dhparam -out dh 1024 as you suggested and the dh file is created
as below:

#openssl dhparam -out dh 1024
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...+...++...+...+...+.+++...+..+..+.+.++*++*++*

Inside Dh file I can see:

-----BEGIN DH PARAMETERS-----
MIGHAoGBAKUwai2pBXG3jEBbBRk08wDTE+l0m6USXQcq5AF1FMM/3RxFOZvfgotu
qEqQJAYvUawmG2JScnPqPNeP2kHOCPyGrtCgAeXXKu0kbN8liniRLWpvUoy9LlJE
XMr0RyuNUJFUvnBdGL8Hup5X7pqIezIKTpvrgGmnNze+tytw8ZkjAgEC
-----END DH PARAMETERS-----

*Does this mean my OpenSSL is ok?*

I have used make install to install ports in FreeBSD, and this command
works and everything is working well so far. I have already configured
Freeradius for the users in Active Directory; everything is working perfectly
for the other authentication methods. Should I try the make install command
instead of make or ./bootstrap inside the /usr/local/etc/raddb/certs
directory?
 

Thanks





Re: Authorization with Active Directory

2012-01-26 Thread suggestme
Hi,

I had implemented the idea given by Phil for authorizing the users of Active
Directory to use VPN or Wifi or whatever they are meant for, depending
upon the value of Active Directory's extensionAttribute10 attribute as:

## /usr/local/etc/raddb/modules/ldap:

filter =
(&(extensionAttribute10=%{control:Tmp-String-0})(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))

I have used extensionAttribute10 for storing the values VPN, Wifi, depending
upon the user.

## /usr/local/etc/raddb/sites-enabled/default

## I tried using Called-Station-Id to check the condition, which is ok for
## now for testing, but which I guess is not feasible if there are thousands
## of NAS devices. I don't know what the best test condition for this would be.

authorize {
    ...
    if (Called-Station-Id == ...) {
        update control {
            Tmp-String-0 := VPN
        }
    }
    else {
        update control {
            Tmp-String-0 := Wifi
        }
    }
    ldap
    if (notfound) {
        reject
    }
    ...
}

And also, I have implemented the idea of returning Filter-Id for the users
of Active Directory by looking at the OU in the domain as:

ldap

if (control:Ldap-UserDN =~ /^[^,]+,OU=([^,]+),/) {
    update control {
        Tmp-String-1 := %{1}
    }
}

And returning the value of Filter-Id through the users file as:

DEFAULT
    Filter-Id := Enterasys:version=1:policy=%{control:Tmp-String-1}


But now I am facing the problem that I can't use more than one if condition
inside unlang to test the conditions inside the ldap module (if I am correct in
my understanding).

And also, using the filter defined as above inside the ldap module, some users of
Active Directory who don't have extensionAttribute10 might get rejected.
These users should get default acceptance, but should be granted access to
VPN or wifi if a value is assigned to them in extensionAttribute10. If they don't
have the attribute defined they should still get accepted as a default user.
If I just use:  filter =
(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
this allows all the users in Active Directory to get accepted (it doesn't reject
if there is no extensionAttribute10 either); but how do I reach the goal of
granting the authorization for VPN and wifi users accordingly if I use this?

Is there any easy way to check a condition for a particular attribute of
Active Directory? And I don't know where to check this, if I am already
using an if conditional statement for returning the Filter-Id after the ldap
module.

In my understanding, people usually check this type of condition for the
users that are defined in the users file as:

bob User-Password == testing, Connection-Type := VPN

But I am not sure how to check like this, even though I define in
ldap.attrmap:

checkItem   Connection-Type   extensionAttribute10


I don't know whether I am confused or just not getting how to achieve this.

Your valuable idea would be really appreciated.


Thanks,

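As an added illustration (not code from this post, and not FreeRADIUS code), here is a small Python model of the two mechanisms described above: the AND filter on extensionAttribute10 versus a plain sAMAccountName lookup with the access check applied afterwards, and the OU regex that fills Tmp-String-1 for the Enterasys Filter-Id. The directory entries are constructed; the DN layout follows the OU=Staff,OU=Employees,OU=Users example used later in this thread.

```python
import re
from typing import Optional, Tuple

# Regex from the post's 'if (control:Ldap-UserDN =~ ...)' check: capture the
# first OU that follows the leading RDN (the CN) of the user's DN.
OU_RE = re.compile(r"^[^,]+,OU=([^,]+),")

# Constructed sample directory (hypothetical entries, not real AD data).
# extensionAttribute10 lists the access types a user is allowed, as in the post;
# carol has no value set and svc sits in the default CN=Users container.
DIRECTORY = {
    "alice": {"dn": "CN=alice,OU=Staff,OU=Employees,OU=Users,DC=example,DC=com",
              "extensionAttribute10": ["VPN", "Wifi"]},
    "bob":   {"dn": "CN=bob,OU=Administrators,OU=Users,DC=example,DC=com",
              "extensionAttribute10": ["Wifi"]},
    "carol": {"dn": "CN=carol,OU=Retirees,OU=Users,DC=example,DC=com"},
    "svc":   {"dn": "CN=svc,CN=Users,DC=example,DC=com"},
}


def policy_from_dn(dn: str) -> str:
    """Value that 'Tmp-String-1 := %{1}' would receive. When the regex does not
    match, the capture is empty, which is why the later debug log in this
    thread ends up with 'policy=' and nothing after it."""
    m = OU_RE.match(dn)
    return m.group(1) if m else ""


def filter_id(dn: str) -> str:
    """The users-file reply item from the post:
    Filter-Id := Enterasys:version=1:policy=%{control:Tmp-String-1}"""
    return "Enterasys:version=1:policy=" + policy_from_dn(dn)


def search_strict(user: str, connect_type: str) -> Optional[dict]:
    """Model of the AND filter
    (&(extensionAttribute10=<Tmp-String-0>)(sAMAccountName=<user>)).
    An entry without extensionAttribute10 can never match, so rlm_ldap returns
    notfound and 'if (notfound) { reject }' rejects that user."""
    entry = DIRECTORY.get(user)
    if entry is None or connect_type not in entry.get("extensionAttribute10", []):
        return None
    return entry


def search_by_name(user: str) -> Optional[dict]:
    """Model of the plain filter (sAMAccountName=<user>): any existing user is found."""
    return DIRECTORY.get(user)


def authorize(user: str, connect_type: str) -> Tuple[str, Optional[str]]:
    """The behaviour the post asks for: a user with extensionAttribute10 is
    limited to the access types listed there; a user without it is accepted as
    a default user. Returns (packet type, Filter-Id or None)."""
    entry = search_by_name(user)
    if entry is None:
        return "Access-Reject", None
    allowed = entry.get("extensionAttribute10")
    if allowed is not None and connect_type not in allowed:
        return "Access-Reject", None
    return "Access-Accept", filter_id(entry["dn"])


if __name__ == "__main__":
    for user, ctype in [("alice", "VPN"), ("bob", "VPN"), ("carol", "Wifi"), ("svc", "Wifi")]:
        strict = "found" if search_strict(user, ctype) else "notfound"
        print(f"{user:6} {ctype:5} AND-filter: {strict:9} default-accept: {authorize(user, ctype)}")
```

Note that the regex is case-sensitive: a DN rendered as ou=Staff (as the bind line in a later debug log shows) yields an empty policy with the pattern as written.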


Re: Authorization with Active Directory

2012-01-26 Thread suggestme
Thanks a lot again for showing me the direction.

Everything works perfectly except the conditional check for
Client-Shortname. I tried using:

*if (Client-Shortname =~ /^localhost/) {*

It didn't work, saying Client-Shortname is an unknown attribute.

Again I tried using:

* if (%{client: shortname} =~ /^localhost/) {*

It also showed the following test result:

I am testing it with localhost; in the debug mode output it shows:

+++? if (%{client: shortname} =~ /^localhost/)
expand: %{client: shortname} -
? Evaluating (%{client: shortname} =~ /^localhost/) - FALSE
+++? if (%{client: shortname} =~ /^localhost/) - FALSE


Why is the condition check for localhost evaluated as FALSE?
In my clients.conf I have just listed the default FreeRadius configuration
for localhost as:

client localhost {
    ipaddr = 127.0.0.1
    secret  = testing123
    nastype = other
}

Can't it be tested using the localhost shortname; do I need to use a client in
a real environment for testing instead of localhost? Or is there some silly thing
I am missing again..

For trial purposes I used NAS-IP-Address and supplied my localhost IP
address inside the if condition; that works.


Thanks,





Re: How to return Filter-ID attribute value for the users in Active Directory?

2012-01-19 Thread suggestme
Hi, 

I tried to return the value of Filter-ID as:

authorize {
    ...
    ldap

    if (distinguishedName =~ /^[^,]+,OU=([^,]+),/) {
        update control {
            Tmp-String-1 := %{1}
        }
    }
    ...
}

post-auth {
    update reply {
        Filter-Id := Enterasys:version=1:policy=%{control:Tmp-String-1}
    }
}

In my Active Directory I have the attribute named distinguishedName, which
I am using inside the if statement. If I use the Ldap-UserDN attribute inside
the if statement (as suggested) it says: No attribute named Ldap-UserDN.

*Example*: In Active Directory the distinguishedName attribute for the user is
listed as:

CN=test,OU=Staff,OU=Employees,OU=Users,DC=example,DC=com


But when I run in debug mode, while checking the if condition it
shows:

++? if (distinguishedName =~ /^[^,]+,OU=([^,]+),/)
? Evaluating (distinguishedName =~ /^[^,]+,OU=([^,]+),/) - FALSE
++? if (distinguishedName =~ /^[^,]+,OU=([^,]+),/) - FALSE

*Why is this if condition being evaluated as FALSE?*
And it returns the post-auth value as:

Filter-Id = Enterasys:version=1:policy= 
 
It doesn't return anything like staff, administrators, etc. for policy.

The relevant part of the debug mode output and the radtest output are shown below:

##Debug mode output:
#radiusd -X :

rad_recv: Access-Request packet from host 127.0.0.1 port 43666, id=225,
length=80
User-Name = test
User-Password = hello
NAS-IP-Address = IP Address
NAS-Port = 0
Message-Authenticator = 0x8ab06794e7069587309aa626d315269e
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[ldap] performing user authorization for test
[ldap]  expand: %{Stripped-User-Name} -
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} - test
[ldap]  expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -
(sAMAccountName=test)
[ldap]  expand: dc=example,dc=com - dc=example,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to server.example.com:389, authentication 0
  [ldap] bind as
cn=test,ou=Staff,ou=Employees,ou=Users,dc=example,dc=com/hello to
server.example.com:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in dc=example,dc=com, with filter
(sAMAccountName=test)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap] Setting Auth-Type = LDAP
[ldap] user test authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (distinguishedName =~ /^[^,]+,OU=([^,]+),/)
? Evaluating (distinguishedName =~ /^[^,]+,OU=([^,]+),/) - FALSE
++? if (distinguishedName =~ /^[^,]+,OU=([^,]+),/) - FALSE
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = LDAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group LDAP {...}
[ldap] login attempt by test with password hello
[ldap] user DN: CN=test,OU=Staff,OU=Employees,OU=Users,DC=example,DC=com
  [ldap] (re)connect to server.example.com:389, authentication 1
  [ldap] bind as
CN=test,OU=Staff,OU=Employees,OU=Users,DC=example,DC=com/hello to
server.example.com:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
[ldap] user test authenticated succesfully
++[ldap] returns ok
Login OK: [test] (from client localhost port 0)
# Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
expand: Enterasys:version=1:policy=%{control:Tmp-String-1} -
Enterasys:version=1:policy=
++[reply] returns noop
++[exec] returns noop
Sending Access-Accept of id 225 to 127.0.0.1 port 43666
Filter-Id = Enterasys:version=1:policy=
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 225 with timestamp +8
Ready to process requests.


##radtest output:
#radtest test hello localhost 0 testing123
Sending Access-Request of id 225 to 127.0.0.1 port 1812
User-Name = test
User-Password = hello
NAS-IP-Address = IP Address
NAS-Port = 0
Message-Authenticator = 0x
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=225,
length=49
Filter-Id = Enterasys:version=1:policy=


Please correct me if I am doing something wrong.


Thanks,






Re: How to return Filter-ID attribute value for the users in Active Directory?

2012-01-19 Thread suggestme
Thank you so much Alan for pointing out the mistake & suggesting the
solution.

Using:
 if (control:Ldap-UserDN =~ /^[^,]+,OU=([^,]+),/)

*solved this issue.*

Still trying to become more familiar with attributes and learning.
In my understanding there are different attribute lists such as: request, reply,
control, proxy-request, proxy-reply, outer.request, outer.reply, etc.
Is there any way to see what attributes the request list contains, or the reply
list contains, etc.?
When searching I see that the following FreeRadius site lists the
attributes:

http://freeradius.org/rfc/attributes.html

But is there any way to know which attributes are contained in which list? For
example: Ldap-UserDN is inside the control attribute list. How to figure
this out? (It is not in the attributes list mentioned on the above site.)
Is there any way to find it that I am unaware of?


Thanks





How to return Filter-ID attribute value for the users in Active Directory?

2012-01-18 Thread suggestme IT

Hi, 

I am able to do authentication and authorization of the users that are in 
Active Directory after FreeRadius and Active Directory integration. I am now 
testing in a real test environment with an Enterasys product (switch) in which 
Policy Manager is already configured to assign different roles to different 
users. Depending upon the Filter-ID attribute value returned by FreeRadius, 
the Enterasys switch decides what role can be assigned to the user. In my 
understanding there is a way to achieve this goal if we have an 
Ldap-Group, so that we can use: 

DEFAULT Ldap-Group == Staff
    Filter-ID := Enterasys:version=1:policy=staff,
    Fall-Through = No

But how to do the same for the users in Active Directory? How to return 
the Filter-ID attribute value if there is no group configured in Active 
Directory; there is just a listing of users who can be authenticated and authorized 
using the passwords provided. 

The main point is: I don't have any group configured as Ldap-Group for staff or 
admin or for the different types of users in Active Directory. 

I would really appreciate it if someone could give me an idea on this. 


Thanks, 



Re: How to return Filter-ID attribute value for the users in Active Directory?

2012-01-18 Thread suggestme
There are different users under Staff, Administrators, Retirees, etc. in
Active Directory as:

OU=Staff
    CN=users
OU=Administrators
    CN=users
OU=Retirees
    CN=users

I have to return the Filter-Id value for Staff users as:

Filter-Id := Enterasys:version=1:policy=staff

Also, the Filter-Id value for Administrators users as:

Filter-Id := Enterasys:version=1:policy=Administrators

and similarly for the others.


> If you want to return a different filter for different users, you will
> obviously need some kind of lookup table from user-filter. That will
> need to live somewhere.


How to do this? Can the lookup table be created inside Active Directory
using an attribute? If so, how to return that user's filter attribute value
that is kept in Active Directory back to the NAS?


Thanks,

 



Re: Authorization with Active Directory

2012-01-04 Thread suggestme
Phil,
 
I modified the LDAP module configuration as you suggested:

filter = (&(extensionAttribute10=%{control:Tmp-String-0})
(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))

I also made the change in the authorize section of my configuration in the default and
inner-tunnel files, but I got confused with the conditional part: if
(Some-Condition == Some-Value). I don't know where this should be defined or
supplied while doing user testing using radtest.
Where should this condition be defined or passed?

After the configuration changes, I run the server in debug mode as *radiusd -X* and
run *radtest username password localhost 0 testing123*, which just supplies
a username and password; where do I supply the extension attribute value check
during radtest, or where should the condition be defined? Or how does the server know to
check the extension attribute for the username and password supplied during
radtest? Can you please make this clear to me?
In extensionAttribute10 of my Active Directory I have just put the values
Wifi and VPN to test.

The configuration modification I have done as you suggested is:

# Not sure of the if (Some-Condition == Some-Value) part, so I tried putting
# if (value == 0), which didn't work

*if (Some-Condition == Some-Value)* {
    update control {
        Tmp-String-0 := Wifi
    }
}
else {
    update control {
        Tmp-String-0 := VPN
    }
}
ldap
if (notfound) {
    reject
}

I am really sorry if this is a simple question.
Thanks for the reply





Authorization with Active Directory

2012-01-03 Thread suggestme
Hi,

I have configured the freeradius server to authenticate & authorize users with
the supplied username and password against Active Directory. Up to this
stage the user can be authenticated and authorized successfully with the
credentials provided. For this purpose the user is just authenticated and
authorized depending upon the filter of the LDAP module which I have set. My
LDAP module filter configuration is:

filter = (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) 

But now I want to go deeper in authenticating and authorizing users to allow
or reject VPN or Wifi access, etc. For this purpose I have created an extension
attribute in Active Directory and have assigned the values VPN, Wifi,
etc. Now my question is: how can I set the filter in the ldap module of
FreeRadius to allow only the users belonging to VPN or wifi? Do I need
to add the extension attribute filter to the above mentioned filter? Or
should I define 2 filters: the above one and another for the extension
attribute? I tried defining 2 filters separately; it didn't work.
 
I know some people use the concept of a Group for this purpose. In my case
I can't use a Group. I have to authenticate and authorize users using only
an Active Directory attribute.

I don't know whether this is the way to do it or not. Any idea would be really
helpful.

This forum has really helped a beginner like me a lot to reach
this stage.


Thanks everyone





Re: FreeRadius, Active Directory, LDAP Authorization

2011-12-07 Thread suggestme
Hi,

After configuration and running FreeRadius in debug mode, I see that
binding with the LDAP server is successful as: *[ldap] Bind was successful*
Then it searches for the user with the filter and gives the error: *[ldap]
ldap_search() failed: Operations error* followed by
*[ldap] search failed*
Is there anything I am missing due to which I am getting this error? Is this
related to any configuration that needs to be done on the LDAP server side, or
any change I need to make in /usr/local/etc/raddb/dictionary and
/usr/local/etc/raddb/ldap.attrmap?

I am doing authentication using ntlm_auth as suggested by
deployingradius.com, which is successful. Now I am doing authorization
using LDAP. 


Thanks



Re: FreeRadius, Active Directory, LDAP Authorization

2011-12-07 Thread suggestme
Thank you all for the suggestions.

I have already installed FreeRadius 2.1.12, which I am running, and I have
ldap in the file /usr/local/etc/raddb/modules/ldap; I have gone through it and I
am still not sure where the problem lies.
 
I have included below the part of the debug mode output that I got
running radiusd -X. I have shown the output from the line Linked to
module rlm_ldap onwards.


Module: Linked to module rlm_ldap
 Module: Instantiating module ldap from file
/usr/local/etc/raddb/modules/ldap
  ldap {
server = Example.com
port = 389
password = 
identity = 
net_timeout = 1
timeout = 4
timelimit = 3
tls_mode = no
start_tls = no
tls_require_cert = allow
   tls {
start_tls = no
require_cert = allow
   }
basedn = dc=Example,dc=com
filter = (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
base_filter = (objectclass=radiusprofile)
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = cn
groupmembership_filter =
(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
dictionary_mapping = /usr/local/etc/raddb/ldap.attrmap
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
set_auth_type = yes
  }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in
the authenticate section.
rlm_ldap: reading ldap-radius mappings from file
/usr/local/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS
Tunnel-Private-Group-Id
conns: 0x2853e2e0
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module acct_unique from file
/usr/local/etc/raddb/modules/acct_unique
  acct_unique {
key = 

FreeRadius, Active Directory, LDAP Authorization

2011-12-05 Thread suggestme
Hi,


I have installed FreeRadius server 2.1.12, installed and configured
Kerberos and Samba, and configured the ntlm_auth program for FreeRadius authentication
with Active Directory. Everything is successful and running smoothly up to
this stage. Now I am in the phase of configuring authorization in
FreeRadius. For the authorization process I want to use an LDAP database which is
already up and running on another server (not the server where FreeRadius
is installed). The authorization should be granted in such a way that some
users are allowed/restricted VPN, some are allowed/restricted
wifi, etc... I am not sure whether this is the best way to do
authorization using LDAP or not, because it is the first time I am trying this in
FreeRadius. After changing the configuration as mentioned below and running
FreeRadius in debug mode, I get a successful Ready to process requests, but
when supplying user credentials I get rad_recv: *Access-Reject *packet from
host 127.0.0.1 port 1812, id=60, length=20. 

What I have done so far is: I uncommented ldap in the authorize section of
both files /usr/local/etc/raddb/sites-enabled/default and
/usr/local/etc/raddb/sites-enabled/inner-tunnel. I have changed the
configuration in /usr/local/etc/raddb/modules/ldap accordingly as: (Some
parts are left blank for privacy)


ldap {
    server = *My ldap server name*
    identity = cn= ,dc=   ,dc=
    password = 
    basedn = dc=,dc=  
    filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = no
    }
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    edir_account_policy_check = no
}

In /usr/local/etc/raddb/users file:

DEFAULT Auth-Type = ntlm_auth
bob Cleartext-Password := hello


I haven't made any change in the authenticate section of
/usr/local/etc/raddb/sites-enabled/default or
/usr/local/etc/raddb/sites-enabled/inner-tunnel related to LDAP. I
have listed ntlm_auth in the authenticate section by following
deployingradius.com.

But while following *rlm_ldap* doc I have seen that it is mentioned: 

LDAP and Active Directory
-

 *You can only use PAP, and then only if you list ldap in the
authenticate section.*

Does this mean I need to list ldap in the authenticate section also? If I list
it, what about ntlm_auth, which is already enabled for authentication? I am
confused by this.

Do I need to install openldap and openssl on the machine where
freeradius is installed as well, to make LDAP authorisation work properly?

Please suggest whether the configuration and process I am following related
to LDAP is the right way to do it or not. If not, what is the best way to achieve
it? Any documentation/site/thread suggestion regarding this would be
greatly appreciated.


Thanks,

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/FreeRadius-Active-Directory-LDAP-Authorization-tp5049129p5049129.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
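The poster wants LDAP data to decide who may use VPN and who may use Wi-Fi. In FreeRADIUS 2.x that decision is normally made in the authorize section with rlm_ldap's group check (the Ldap-Group check attribute, driven by the groupname_attribute and groupmembership_filter settings in modules/ldap), so that a user who is in no granting group is rejected for that service. The sh script below is an added example, not code from this thread or from the FreeRADIUS project: it runs the same deny-by-default, group-to-service mapping over a constructed ldapsearch-style LDIF reply (unfolding LDIF continuation lines on the way), so the policy can be checked offline before it is wired into unlang. The group DNs, user entries and service names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: map LDAP group membership to per-service
# access (wifi / vpn), deny by default. Runs over a constructed LDIF reply
# instead of a live directory; DNs, users and service names are assumptions.

# Constructed ldapsearch-style output. LDIF folds long values onto a
# following line that begins with one space (see bob's second memberOf).
SAMPLE_LDIF='dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
memberOf: cn=wifi-users,ou=groups,dc=example,dc=com
memberOf: cn=vpn-users,ou=groups,
 dc=example,dc=com

dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
memberOf: cn=wifi-users,ou=groups,dc=example,dc=com
'

# Policy: the one group that grants each service. Unknown service: exit 1.
group_for_service() {
    case "$1" in
        wifi) echo "cn=wifi-users,ou=groups,dc=example,dc=com" ;;
        vpn)  echo "cn=vpn-users,ou=groups,dc=example,dc=com" ;;
        *)    return 1 ;;
    esac
}

# memberOf values of the entry whose uid is $1, one DN per line,
# with LDIF continuation lines unfolded first.
member_of() {
    printf '%s\n' "$SAMPLE_LDIF" | awk -v want="$1" '
        function emit(line) {
            if (line ~ /^dn: /)  { inentry = 0; return }
            if (line ~ /^uid: /) { inentry = (substr(line, 6) == want); return }
            if (inentry && line ~ /^memberOf: /) print substr(line, 11)
        }
        /^ / { buf = buf substr($0, 2); next }   # continuation line
        { if (buf != "") emit(buf); buf = $0 }   # flush previous logical line
        END { if (buf != "") emit(buf) }'
}

# Exit 0 if user $1 may use service $2, 1 otherwise (no group, no access).
service_allowed() {
    want=$(group_for_service "$2") || return 1
    member_of "$1" | grep -Fxq -- "$want"
}

# One "service: allow|deny" line per service for user $1.
access_summary() {
    for svc in wifi vpn; do
        if service_allowed "$1" "$svc"; then
            echo "$svc: allow"
        else
            echo "$svc: deny"
        fi
    done
}

# Stand-alone run: show the decision for both constructed users.
for u in bob alice; do
    echo "== $u"
    access_summary "$u"
done
```

The only state the decision depends on is the group list returned for the user, which is exactly what rlm_ldap's group check consults; a user or service that appears nowhere in the policy is denied rather than silently accepted.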


Re: Error: Failed to send packet; No response from Server

2011-11-30 Thread suggestme
Alan,

I updated the ports tree in FreeBSD, which upgraded FreeRadius to 2.1.12 from
2.1.10. After installation I succeeded in doing basic PAP
Authentication. It solved this issue.

Thank You so much!

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Error-Failed-to-send-packet-No-response-from-Server-tp5030058p5036729.html


Error: Failed to send packet; No response from Server

2011-11-28 Thread suggestme
Hi, 

I successfully installed Freeradius 2.1.10, and basic PAP authentication and
authentication against Active Directory were successful when I installed
Freeradius for the first time. But I had to deinstall and reinstall Freeradius
2.1.10 again due to some missing libraries. I am following the same
deployingradius.com site for basic testing. I can start the server in
debugging mode successfully using radiusd -X, which shows "Ready to process
requests". But while doing a basic radtest for PAP authentication it gives
this error:
radclient: Failed to send packet for ID 85: (unknown error)
radclient: no response from server for ID 85 socket 3

The last part of debug mode output when I run radiusd -X is:

radiusd:  Opening IP addresses and Ports 
listen {
type = auth
ipaddr = *
port = 0
}
listen {
type = acct
ipaddr = *
port = 0
}
listen {
type = auth
ipaddr = 127.0.0.1
port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.



The error I got using radtest is as follows:

#radtest bob hello localhost 0 testing123
Sending Access-Request of id 85 to 127.0.0.1 port 1812
    User-Name = bob
    User-Password = hello
    NAS-IP-Address = *omitted for privacy; it shows my radius server IP address*
    NAS-Port = 0
radclient: Failed to send packet for ID 85: (unknown error)
Sending Access-Request of id 85 to 127.0.0.1 port 1812
    User-Name = bob
    User-Password = hello
    NAS-IP-Address = *omitted for privacy; it shows my radius server IP address*
    NAS-Port = 0
radclient: Failed to send packet for ID 85: (unknown error)
Sending Access-Request of id 85 to 127.0.0.1 port 1812
    User-Name = bob
    User-Password = hello
    NAS-IP-Address = *omitted for privacy; it shows my radius server IP address*
    NAS-Port = 0
radclient: Failed to send packet for ID 85: (unknown error)
radclient: no response from server for ID 85 socket 3


I was successful in doing basic PAP authentication, and also authentication
against Active Directory, before. But this time I am getting this error. Can
anyone please tell me what might be wrong?


Thanks,




--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Error-Failed-to-send-packet-No-response-from-Server-tp5030058p5030058.html


RE: ldap+freeradius

2011-11-11 Thread suggestme

Guys,
 
I configured FreeRadius for authentication with Active Directory by following 
the steps suggested by Alan's deployingradius.com. Everything is working 
successfully, like the Samba, Kerberos and ntlm_auth configuration; I can successfully 
join the domain as an administrator, and users can be authenticated by their 
credentials successfully. Now I need one suggestion here: is there any way that 
the administrator can read and write the information about users' access 
privileges by joining the domain, such as whether users are allowed/denied WiFi 
access, VPN access, etc.? I don't know whether it is possible or not by 
configuring anything with Samba/Kerberos/ntlm_auth/FreeRadius, or whether I need 
any other program to achieve this goal. 
 
 
I am configuring FreeRadius for the 1st time so, your ideas will be greatly 
appreciated.
 
 
Thanks,



Date: Wed, 9 Nov 2011 18:06:16 -0800
From: ml-node+s1045715n4979784...@n5.nabble.com
To: samanaupadh...@hotmail.com
Subject: Re: ldap+freeradius

Hi, 

> *Sorry for the confusion I made. I have put the name of LDAP server 
> accordingly , not the localhost. Just for privacy I didn't put here.* 

okay 

> Here is the output of radiusd -X command: 

and there. bingo. 

> libdir = /usr/local/lib/freeradius-2.1.10 

urgh. why? really...why? 

when you did the ./configure stage did you ask for it to go into 
this special non-standard directory? 

if it's there then you need to ensure that your system knows 
it's there too - and a default server won't. you will need to edit 
the configuration file for your dynamic linker - usually /etc/ld.so.conf 
..and then re-run /sbin/ldconfig 

..you need to ensure your linker shows that it knows this 

/sbin/ldconfig -v   if you need to check and double-check. if you don't see 
the freeradius libraries there at all then you need to check again. 

finally...if you don't see the rlm_ldap.so then go back one more step...and 
check that the LDAP module was actually built in the first place! 

./configure --with-whatever-options  | grep WARN 

you need to ensure you have LDAP support installed - the ldap development 
libraries 
usually something like openldap-devel in your package manager 


the fact that all the other bits work suggests that the other .so files are 
found..which 
points to the lack of ldap development libraries as the main culprit 

> /usr/local/etc/raddb/modules/ldap[29]: Failed to link to module 'rlm_ldap': 
> file not found 
> /usr/local/etc/raddb/sites-enabled/inner-tunnel[237]: Failed to load module 
> ldap. 
> /usr/local/etc/raddb/sites-enabled/inner-tunnel[237]: Failed to parse ldap 
> entry. 

yep. the .so dynamic library file cannot be loaded 

alan 







--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/ldap-freeradius-tp2781398p4984367.html
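Two failure modes run through this archive: radclient getting no answer while radiusd claims to be listening (the 2011-11-28 post), and radiusd refusing to start because rlm_ldap cannot be linked (this thread). Both are diagnosed from the radiusd -X transcript, as Alan does above. The sh script below is an added example, not code from the thread or from the FreeRADIUS project: it reads a saved transcript, extracts libdir, the bound listeners and every module that failed to link, and then checks whether the missing module's .so file is actually present in libdir. The transcript is constructed from lines quoted in the posts; when run stand-alone the directory it checks is the one named in that transcript. It does not replace the dynamic-linker check (ldconfig) Alan describes, which depends on the host.

```shell
#!/bin/sh
# Added example, not from the thread: triage a saved `radiusd -X` transcript.
# Constructed transcript, assembled from lines quoted in the posts.
SAMPLE_DEBUG='FreeRADIUS Version 2.1.10, for host i386-portbld-freebsd8.2
main {
    libdir = /usr/local/lib/freeradius-2.1.10
}
/usr/local/etc/raddb/modules/ldap[29]: Failed to link to module '\''rlm_ldap'\'': file not found
/usr/local/etc/raddb/sites-enabled/inner-tunnel[237]: Failed to load module ldap.
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
'

# libdir as printed in the main {} block of the transcript (first match wins).
debug_libdir() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*libdir = //p' | head -n 1
}

# Modules radiusd could not dlopen, one name per line (e.g. rlm_ldap).
failed_modules() {
    printf '%s\n' "$1" | sed -n "s/.*Failed to link to module '\([^']*\)'.*/\1/p"
}

# "type address port" for every socket radiusd reports as bound.
listeners() {
    printf '%s\n' "$1" | awk '/^Listening on / { print $3, $5, $7 }'
}

# Exit 0 if a listener of type $2 (authentication, accounting, proxy)
# is bound on port $3 according to transcript $1, else exit 1.
has_listener() {
    listeners "$1" | awk -v t="$2" -v p="$3" '
        $1 == t && $3 == p { found = 1 }
        END { exit !found }'
}

# For every module that failed to link, report "<module> present" or
# "<module> missing" depending on whether <libdir>/<module>.so exists.
# $1: transcript, $2: libdir to check (defaults to the transcript's libdir).
module_status() {
    dir=${2:-$(debug_libdir "$1")}
    failed_modules "$1" | while read -r mod; do
        if [ -f "$dir/$mod.so" ]; then
            echo "$mod present"
        else
            echo "$mod missing"
        fi
    done
}

# Stand-alone run: summarise the constructed transcript.
echo "libdir: $(debug_libdir "$SAMPLE_DEBUG")"
module_status "$SAMPLE_DEBUG"
listeners "$SAMPLE_DEBUG"
```

A module reported "present" while radiusd still fails to link it points at the linker step (a dependency such as libldap not found), which is exactly the ldconfig check above; "missing" points at the build, where the configure output should be searched for warnings about LDAP.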


Re: ldap+freeradius

2011-11-09 Thread suggestme
I searched through the threads and found this thread exactly matching the
error I am getting. I am getting the following error while debugging freeradius
for using LDAP:

/usr/local/etc/raddb/modules/ldap[29]: Failed to link to module 'rlm_ldap':
file not found
/usr/local/etc/raddb/sites-enabled/inner-tunnel[237]: Failed to load module
ldap.
/usr/local/etc/raddb/sites-enabled/inner-tunnel[237]: Failed to parse ldap
entry.


David, How did you solve this problem?

I don't know what to do...
Your suggestions would be greatly appreciated.


Thanks,

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/ldap-freeradius-tp2781398p4978124.html


Re: ldap+freeradius

2011-11-09 Thread suggestme
Alan,

I tried the 3 steps suggested in the FAQ; that isn't working. Also, as
suggested in step 3 (b), I found the 'radiusd.conf' file at
/usr/local/etc/raddb/radiusd.conf. Inside radiusd.conf it suggests
doing:

#   To work around the problem, find out which library contains that symbol,
#   and add the directory containing that library to the end of 'libdir',
#   with a colon separating the directory names.  NO spaces are allowed.
#
#   e.g. libdir = /usr/local/lib:/opt/package/lib


Does this mean I should add libdir for rlm_ldap just below the
'/usr/local/share/doc/freeradius/rlm_ldap' line of radiusd.conf as follows:

*libdir = /usr/local/share/doc/freeradius/rlm_ldap*


When doing locate rlm_ldap command I just see rlm_ldap path as
*/usr/local/share/doc/freeradius/rlm_ldap*


I am confused on this.

Thanks,


--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/ldap-freeradius-tp2781398p4978260.html


Re: ldap+freeradius

2011-11-09 Thread suggestme
Alan,


The LDAP server was already configured on another machine by the System
Administrator. I am trying to link FreeRadius to that existing and already
running LDAP server and authenticate the users using the already configured
attribute. I didn't download LDAP on this machine where FreeRadius is
running. I turned the LDAP option on during the FreeRadius installation,
like:

===> The following configuration options are available for freeradius-2.1.10_2:
 USER=on Run as user freeradius, group freeradius
 KERBEROS=on With Kerberos support
 HEIMDAL=off With Heimdal Kerberos support
 LDAP=on With LDAP database support
 MYSQL=on With MySQL database support
 PGSQL=on With PostgreSQL database support
 UNIXODBC=on With unixODBC database support
 FIREBIRD=on With Firebird database support (EXPERIMENTAL)
 PERL=on With Perl support
 PYTHON=on With Python support
 OCI8=on With Oracle support (currently experimental)
 RUBY=on With Ruby support (EXPERIMENTAL)
 DHCP=on With DHCP support (EXPERIMENTAL)
 EXPERIMENTAL=on Build experimental modules
 UDPFROMTO=on Compile in UDPFROMTO support
===> Use 'make config' to modify these settings


*The scenario is LDAP is already running in one server and Freeradius is
running in another server. I just changed the configuration settings on 
freeBSD server where FreeRadius is running as:*



*/usr/local/etc/raddb/modules/ldap :*


ldap {
    # Define the LDAP server and the base domain name
    server = localhost
    basedn = dc=example,dc=com

    # Define which attribute from an LDAP ldapsearch query
    # is the password. Create a filter to extract the password
    # from the ldapsearch output
    password_attribute = userPassword
    filter = (uid=%{Stripped-User-Name:-%{User-Name}})

    # The following are RADIUS defaults
    start_tls = no
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
}


*/usr/local/etc/raddb/sites-enabled/default :*

authorize {
    ...
    ...
    #
    #  The ldap module will set Auth-Type to LDAP if it has not
    #  already been set
    ldap
    ...
    ...
}


authenticate {
    ...
    Auth-Type LDAP {
        ldap
    }
    ...
}

Also, the same type of modifications has been done on:

*/usr/local/etc/raddb/sites-enabled/inner-tunnel*


Also, a change has been made to the users file adding LDAP user authentication.



Thanks for the suggestions...



--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/ldap-freeradius-tp2781398p4978695.html


Re: ldap+freeradius

2011-11-09 Thread suggestme
Alan,

*Sorry for the confusion I made. I have put the name of LDAP server
accordingly , not the localhost. Just for privacy I didn't put here.*

Here is the output of radiusd -X command:


#  radiusd -X
FreeRADIUS Version 2.1.10, for host i386-portbld-freebsd8.2, built on Oct 21 2011 at 11:26:07
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
main {
allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = /usr/local
localstatedir = /var
logdir = /var/log
libdir = /usr/local/lib/freeradius-2.1.10
radacctdir = /var/log/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = /var/run/radiusd/radiusd.pid
checkrad = /usr/local/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security 

RE: ldap+freeradius

2011-11-09 Thread suggestme

Alan,
 
Sorry for any inconvenience caused by it. I just put the output a 3rd time since 
Alan Buxey asked for the complete radiusd -X output, not the small 3-line output, 
to get the complete picture. Only yesterday I joined this freeradius list. 
Yesterday I opened the thread thinking to get a suggestion, where you were the one 
to give a suggestion; I couldn't figure out how to solve that, and today I found 
this 'LDAP+Freeradius' thread with the same issue and posted here thinking I 
might get a quick response from the individual who already faced and solved this 
issue.
 
My intention is not to trouble by sending the same post. I just want suggestion 
from this group.
 
Again, Sorry if my questions troubled you guys.
 
Thanks
 



Date: Wed, 9 Nov 2011 12:19:15 -0800
From: ml-node+s1045715n4978982...@n5.nabble.com
To: samanaupadh...@hotmail.com
Subject: Re: ldap+freeradius

Alan DeKok wrote too quickly: 
   But you need to posting the same question.  If you do, you can be 
 unsubscribed. 

  You need to *stop* posting the same question. 

  I think I might set up a bot to monitor the list.  The same question 3 
times from someone results in them being unsubscribed. 

  Alan DeKok. 







--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/ldap-freeradius-tp2781398p4979011.html


Problem: FreeRadius Authentication using LDAP

2011-11-08 Thread suggestme
Hi,

I have configured FreeRadius to authenticate against LDAP. I have installed
and configured FreeRadius on a FreeBSD server, and LDAP is already set up on
another server. I configured it as below: (changes to the file are shown in
bold)

*/usr/local/etc/raddb/modules/ldap :*


ldap {
    # Define the LDAP server and the base domain name
    server = *localhost*
    basedn = *dc=example,dc=com*

    # Define which attribute from an LDAP ldapsearch query
    # is the password. Create a filter to extract the password
    # from the ldapsearch output
    password_attribute = userPassword
    filter = (uid=%{Stripped-User-Name:-%{User-Name}})

    # The following are RADIUS defaults
    start_tls = no
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
}


*/usr/local/etc/raddb/sites-enabled/default :*

authorize {
    ...
    ...
    #
    #  The ldap module will set Auth-Type to LDAP if it has not
    #  already been set
    ldap
    ...
    ...
}


authenticate {
    ...
    Auth-Type LDAP {
        ldap
    }
    ...
}

Also, the same type of modifications has been done on:

*/usr/local/etc/raddb/sites-enabled/inner-tunnel*


Also, a change has been made to the users file adding LDAP user authentication.

But when I run radiusd -X command to run freeradius on debug mode, it gives
following error:

/usr/local/etc/raddb/modules/ldap[29]: Failed to link to module 'rlm_ldap':
file not found
/usr/local/etc/raddb/sites-enabled/inner-tunnel[237]: Failed to load module
ldap.
/usr/local/etc/raddb/sites-enabled/inner-tunnel[237]: Failed to parse ldap
entry.


I don't know what to do. I would appreciate anyone's ideas.

Do I need to configure anything if I have the freeradius server on one
machine and the LDAP server on another machine? They are not on the same
machine/host.


Thanks









--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Problem-FreeRadius-Authentication-using-LDAP-tp4974896p4974896.html


Re: Problem: FreeRadius Authentication using LDAP

2011-11-08 Thread suggestme
Alan,


Are you talking about the following FAQ:

http://wiki.freeradius.org/FAQ#How+do+I+make+CHAP+work+with+LDAP%3F

I have followed the same configuration method it has suggested.


Or is there any other FAQ which mentions about this error and method to
solve this?


Thank you so much for your suggestion.



--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Problem-FreeRadius-Authentication-using-LDAP-tp4974896p4975206.html