Cisco ASA with fall through auth for LDAP and Active Directory
Hi all,

I'm trying to set up freeradius-2.x to provide authentication for a Cisco ASA VPN. When the packet comes in I'd like to first check the LDAP database to see if the user/pass combination works and, if not, then check against Active Directory (using ntlm_auth). Both LDAP and AD (via ntlm_auth) work separately.

I've used the following URL to set up the AD connectivity (via /etc/modules/ntlm_auth for PAP and /etc/modules/mschap for MSCHAP): http://deployingradius.com/documents/configuration/active_directory.html

Everything works as expected here. The username and password come across in clear text, from the VPN, and are handed to ntlm_auth which is then able to authenticate the user.

I'm stuck at trying to get freeradius to first check LDAP and then check AD if the LDAP server says that the username and password combo are not good.

I've searched both the mailing list and google but am confused by some of the answers given; specifically this message seems to be talking about a similar situation: http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg59368.html

Any help would be greatly appreciated.

Cheers,
Harry

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
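One way to get the fall-through Harry asks for, as an added example rather than anything from the thread or from the FreeRADIUS project's own documentation: the ldap module runs in authorize, and the Auth-Type is chosen by whether LDAP knows the user at all. It assumes FreeRADIUS 2.x module instances named ldap and ntlm_auth (the latter set up as on the deployingradius page Harry links), a Cisco ASA sending PAP, and a sites-enabled/default trimmed to the lines that matter. It falls through to AD only when LDAP has no such user, not when LDAP rejects the password: falling through on a failed bind would mean every wrong password is tried against both directories, which is rarely what you want in front of a VPN.

```unlang
# Added example (not from the thread): raddb/sites-enabled/default for
# FreeRADIUS 2.x, LDAP first, Active Directory via ntlm_auth for users
# that LDAP does not know. Assumes module instances "ldap" (raddb/modules/ldap)
# and "ntlm_auth" (raddb/modules/ntlm_auth) are configured and working.
authorize {
        preprocess
        suffix

        # Look the user up in LDAP. The module returns "ok" when the entry
        # exists under basedn, "notfound" when it does not; on an LDAP server
        # error it returns "fail", which stops the section and rejects the
        # request instead of silently falling through to AD.
        ldap

        if (notfound) {
                # Not in LDAP: let ntlm_auth check the clear-text PAP
                # credentials against the domain.
                update control {
                        Auth-Type := ntlm_auth
                }
        }
        else {
                # Known to LDAP: authenticate by binding to LDAP as the user.
                update control {
                        Auth-Type := LDAP
                }
        }
}

authenticate {
        # Bind as the user with the User-Password from the Access-Request.
        Auth-Type LDAP {
                ldap
        }

        # Listing the module under its own Auth-Type defines the value
        # "ntlm_auth" used in the update above.
        Auth-Type ntlm_auth {
                ntlm_auth
        }
}
```

Run radiusd -X while testing: the "++[ldap] returns notfound" line followed by "Found Auth-Type = ntlm_auth" shows the fall-through taking the AD path, and "Found Auth-Type = LDAP" shows the LDAP path.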
RE: Config. Help please - ldap and Active Directory
> And many requests later you ask about it:
>
> >++? if (control:Tmp-String-0 == "ldap-student")
> >(Attribute control:Tmp-String-0 was not found)
>
> .. and it's not there. Of course it's not, since it wasn't
> set during processing of that Access-Request but much earlier
> in the exchange.

Obvious when it's pointed out but I really don't understand the whole process yet. I'll keep reading the docs until I do!

> I would suggest that you move unlang statements to
> inner-tunnel virtual server. You can do update reply and set
> Reply-Message in authorize there (forget about temp attribute
> and changing it in post-auth). Just enable
> use_tunneled_reply in peap section of eap.conf and
> Reply-Message will be passed on from inner tunnel into the
> final reply.

All working now. Thank you.

Leighton
RE: Config. Help please - ldap and Active Directory
>Here's the complete debug (excluding the server start-up messages). There's
>rather a lot of it which is why I tried to post the bits relevant to what I'm
>trying (rather unsuccessfully :-) ) to understand.
>
>rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=36,
>length=148

..

>[ldap_staff] search failed
>rlm_ldap: ldap_release_conn: Release Id: 0
>++[ldap_staff] returns notfound
>++? if (ok)
>? Evaluating (ok) -> FALSE
>++? if (ok) -> FALSE
>++- entering else else {...}

..

>+++[ldap_student] returns ok
>+++? if (ok)
>? Evaluating (ok) -> TRUE
>+++? if (ok) -> TRUE
>+++- entering if (ok) {...}

That is the unlang construction - in default virtual server.

>[control] returns ok

I assume this is where you set temp attribute.

>+++- if (ok) returns ok
>+++ ... skipping else for request 0: Preceding "if" was taken
>++- else else returns ok

And then it goes on ...

>Sending Access-Challenge of id 36 to 10.127.240.217 port 1645

..

>rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=37,
>length=159

etc. And many requests later you ask about it:

>++? if (control:Tmp-String-0 == "ldap-student")
>(Attribute control:Tmp-String-0 was not found)

.. and it's not there. Of course it's not, since it wasn't set during processing of that Access-Request but much earlier in the exchange.

I would suggest that you move unlang statements to inner-tunnel virtual server. You can do update reply and set Reply-Message in authorize there (forget about temp attribute and changing it in post-auth). Just enable use_tunneled_reply in peap section of eap.conf and Reply-Message will be passed on from inner tunnel into the final reply.

Ivan Kalik
Kalik Informatika ISP
RE: Config. Help please - ldap and Active Directory
> Can you post the whole debug, not just snippets. Are these
> from the same or from different requests in the exchange?
> Perhaps you need use_tunneled_reply rather than this.

Here's the complete debug (excluding the server start-up messages). There's rather a lot of it which is why I tried to post the bits relevant to what I'm trying (rather unsuccessfully :-) ) to understand.

Leighton

rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=36, length=148
        User-Name = "cmsxleig"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-1B-54-DB-BB-01"
        Calling-Station-Id = "00-1B-63-B0-C9-E9"
        EAP-Message = 0x0203000d01636d73786c656967
        Message-Authenticator = 0xbc90b1b0b5ceba80a6767ff94c59ed43
        NAS-Port-Type = Ethernet
        NAS-Port = 50001
        NAS-Port-Id = "FastEthernet0/1"
        NAS-IP-Address = 10.127.240.217
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "cmsxleig"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 3 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap_staff] performing user authorization for cmsxleig
[ldap_staff] expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) -> (sAMAccountName=cmsxleig)
[ldap_staff] expand: ou=staff, dc=ad, dc=hud, dc=ac, dc=uk -> ou=staff, dc=ad, dc=hud, dc=ac, dc=uk
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to burns.hud.ac.uk:389, authentication 0
rlm_ldap: bind as cn=username,ou=Specials,ou=Staff,dc=ad,dc=hud,dc=ac,dc=uk/passwd to burns.hud.ac.uk:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=staff, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=cmsxleig)
rlm_ldap: object not found or got ambiguous search result
[ldap_staff] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap_staff] returns notfound
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
++- entering else else {...}
[ldap_student] performing user authorization for cmsxleig
[ldap_student] expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) -> (sAMAccountName=cmsxleig)
[ldap_student] expand: ou=students, dc=ad, dc=hud, dc=ac, dc=uk -> ou=students, dc=ad, dc=hud, dc=ac, dc=uk
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to burns.hud.ac.uk:389, authentication 0
rlm_ldap: bind as cn=username,ou=Specials,ou=Staff,dc=ad,dc=hud,dc=ac,dc=uk/passwd to burns.hud.ac.uk:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=cmsxleig)
[ldap_student] looking for check items in directory...
[ldap_student] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap_student] user cmsxleig authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap_student] returns ok
+++? if (ok)
? Evaluating (ok) -> TRUE
+++? if (ok) -> TRUE
+++- entering if (ok) {...}
[control] returns ok
+++- if (ok) returns ok
+++ ... skipping else for request 0: Preceding "if" was taken
++- else else returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 36 to 10.127.240.217 port 1645
        EAP-Message = 0x010400160410d7424da981434c0db858d196aa1331b4
        Message-Authenticator = 0x
        State = 0x5de163455de567c927acd591e49a319b
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=37, length=159
        User-Name = "cmsxleig"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-1B-54-DB-BB-01"
        Calling-Station-Id = "00-1B-63-B0-C9-E9"
        EAP-Message = 0x020400060319
        Message-Authenticator = 0x4dbcf0832938a2550152bfdcb815ec8c
        NAS-Port-Type = Ethernet
        NAS-Port = 50001
        NAS-Port-Id = "FastEthernet0/1"
        State = 0x5de163455de567c927acd591e49a319b
        NAS-IP-Address = 10.127.240.217
+- entering group authorize {..
RE: Config. Help please - ldap and Active Directory
>And I get:
>
>++[eap] returns ok
>+- entering group post-auth {...}
>++[exec] returns noop
>++? if (control:Tmp-String-0 == "ldap-student")
>(Attribute control:Tmp-String-0 was not found)
>Sending Access-Accept of id 129 to 10.127.240.217 port 1645
>
>Towards the beginning of the debug output is:
>
>rlm_ldap: Bind was successful
>rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with
>filter (sAMAccountName=cmsxleig)
>[ldap_student] looking for check items in directory...
>[ldap_student] looking for reply items in directory...
>WARNING: No "known good" password was found in LDAP. Are you sure that the
>user is configured correctly?
>[ldap_student] user cmsxleig authorized to use remote access
>rlm_ldap: ldap_release_conn: Release Id: 0
>+++[ldap_student] returns ok
>+++? if (ok)
>? Evaluating (ok) -> TRUE
>+++? if (ok) -> TRUE
>+++- entering if (ok) {...}
>[control] returns ok
>+++- if (ok) returns ok
>+++ ... skipping else for request 0: Preceding "if" was taken
>++- else else returns ok
>++[expiration] returns noop
>++[logintime] returns noop
>

Can you post the whole debug, not just snippets. Are these from the same or from different requests in the exchange? Perhaps you need use_tunneled_reply rather than this.

Ivan Kalik
Kalik Informatika ISP
RE: Config. Help please - ldap and Active Directory
> Update a server-side attribute when you use the module:
>
>         update control {
>                 Tmp-String-0 = "ldap-student"
>         }
>
> then in post-auth:
>
>         if (control:Tmp-String-0 == "ldap-student") {
>                 ...
>         }
>

I'm really grateful for all your help but it still doesn't work and after hours of experimenting, here's where I am:

I add

        if (control:Tmp-String-0 == "ldap-student") {
                update reply {
                        Reply-Message := "User is student"
                }
        }

to the end of the post-auth section and radiusd -X reports:

++[eap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
++? if (control:Tmp-String-0 == "ldap-student")
(Attribute control:Tmp-String-0 was not found)
Sending Access-Accept of id 53 to 10.127.240.217 port 1645

Fair enough - the user is authenticated but Tmp-String-0 hasn't been assigned a string.

I add

        update control {
                Tmp-String-0 = "ldap-student"
        }

to the beginning of the post-auth section and radiusd -X reports:

++[eap] returns ok
+- entering group post-auth {...}
++[control] returns noop
++[exec] returns noop
++? if (control:Tmp-String-0 == "ldap-student")
? Evaluating (control:Tmp-String-0 == "ldap-student") -> TRUE
++? if (control:Tmp-String-0 == "ldap-student") -> TRUE
++- entering if (control:Tmp-String-0 == "ldap-student") {...}
+++[reply] returns noop
++- if (control:Tmp-String-0 == "ldap-student") returns noop
Sending Access-Accept of id 101 to 10.127.240.217 port 1645

OK so far, so I move

        update control {
                Tmp-String-0 = "ldap-student"
        }

to the authorise section thus:

        ldap_staff
        if (ok) {
                update reply {
                        Reply-Message = "ldap-staff"
                }
        }
        else {
                ldap_student
                if (ok) {
                        update control {
                                Tmp-String-0 = "ldap-student"
                        }
                }
                else {
                        reject
                }
        }

And I get:

++[eap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
++? if (control:Tmp-String-0 == "ldap-student")
(Attribute control:Tmp-String-0 was not found)
Sending Access-Accept of id 129 to 10.127.240.217 port 1645

Towards the beginning of the debug output is:

rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=cmsxleig)
[ldap_student] looking for check items in directory...
[ldap_student] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap_student] user cmsxleig authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap_student] returns ok
+++? if (ok)
? Evaluating (ok) -> TRUE
+++? if (ok) -> TRUE
+++- entering if (ok) {...}
[control] returns ok
+++- if (ok) returns ok
+++ ... skipping else for request 0: Preceding "if" was taken
++- else else returns ok
++[expiration] returns noop
++[logintime] returns noop

Does "[control] returns ok" mean the string was successfully assigned? If so, how do I find where it gets lost? A search for ldap-s through the file only produces two matches, one where the string is assigned and the other where it is tested. Similarly a search for Tmp-Str only finds two matches. "history | grep vi" shows I haven't accidentally edited another file.

Leighton
Re: Config. Help please - ldap and Active Directory
Leighton Man wrote:
> Logic now working correctly - Many thanks
> Final problem is to return reply attributes in the access accept message. As
> a test I added Reply-Message := "User is staff" in the update reply section
> and the server duly added it to the next access challenge message. I assume I
> need something in the post-auth section?

Yes.

> How do I pass information about which ldap instance was successful in the
> authorize section to post-auth?

Update a server-side attribute when you use the module:

        update control {
                Tmp-String-0 = "ldap-student"
        }

then in post-auth:

        if (control:Tmp-String-0 == "ldap-student") {
                ...
        }
RE: Config. Help please - ldap and Active Directory
> > see "man unlang". The syntax and examples are documented.
>

Read it many times. The problem is not the documentation, which is great, but my understanding which isn't! I'm working on it but finding it heavy going.

> ...
> ldap_staff
> if (ok) {
>         update reply {
>                 ...
>         }
> }
> else {
>         ldap_student
>         if (ok) {
>                 update reply {
>                         ...
>                 }
>         }
>         else {
>                 reject
>         }
> }

Logic now working correctly - Many thanks

Final problem is to return reply attributes in the access accept message. As a test I added Reply-Message := "User is staff" in the update reply section and the server duly added it to the next access challenge message. I assume I need something in the post-auth section?

How do I pass information about which ldap instance was successful in the authorize section to post-auth?

Leighton
Re: Config. Help please - ldap and Active Directory
Leighton Man wrote:
> I've upgraded to 2.1.3 but, sorry, I'm really struggling with the concepts.
> I can't do "if Ldap-Group" because there is no container in Active Directory
> above staff and student to query.
>
> What I think I need is:
>
> if ldap_staff returns "ok" {
>         update reply {
>                 ..
>         }
> elsif ldap_student returns "ok" {
>         update reply {
>                 ..
>         }
> else {
>         Auth-Type := Reject
> }
>
> , where ldap_staff and ldap_student are instances of the ldap module
> I simply can't get the syntax right.

see "man unlang". The syntax and examples are documented.

        ...
        ldap_staff
        if (ok) {
                update reply {
                        ...
                }
        }
        else {
                ldap_student
                if (ok) {
                        update reply {
                                ...
                        }
                }
                else {
                        reject
                }
        }

Alan DeKok.
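The pieces of the working setup collected in one place, as an added example (not Leighton's final configuration, which the thread does not show): Alan's nested ldap_staff/ldap_student construct from this message, placed in the inner-tunnel virtual server as Ivan suggests earlier in the thread, with use_tunneled_reply in the peap section of eap.conf so a Reply-Message set inside the tunnel reaches the final Access-Accept. It assumes FreeRADIUS 2.x, that ldap_staff and ldap_student are defined in radiusd.conf as in Leighton's post, and that the mschap module is set up for ntlm_auth as his original message says; the module lists are trimmed to what the thread discusses.

```unlang
# Added example (not from the thread): raddb/sites-enabled/inner-tunnel.
# The PEAP inner EAP-MSCHAPv2 exchange is processed here, so the LDAP
# lookups and the Reply-Message are applied to the request that actually
# carries the user's credentials, not to the outer EAP identity/challenge
# packets that run through sites-enabled/default.
server inner-tunnel {
        authorize {
                mschap
                suffix
                eap {
                        ok = return
                }

                # Staff OU first. "ok" means the user exists under
                # ou=staff; "notfound" means no entry there.
                ldap_staff
                if (ok) {
                        update reply {
                                Reply-Message := "User is staff"
                        }
                }
                else {
                        # Then the student OU.
                        ldap_student
                        if (ok) {
                                update reply {
                                        Reply-Message := "User is student"
                                }
                        }
                        else {
                                # In neither OU: refuse here rather than let
                                # mschap/ntlm_auth accept a valid domain
                                # password for a user outside both OUs.
                                reject
                        }
                }
        }

        authenticate {
                Auth-Type MS-CHAP {
                        mschap
                }
                eap
        }
}

# raddb/eap.conf, peap section. use_tunneled_reply copies reply attributes
# (the Reply-Message above) from the inner-tunnel result into the final
# Access-Accept sent to the switch; copy_request_to_tunnel makes the outer
# request attributes visible inside the tunnel.
peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
}
```

In radiusd -X the inner-tunnel processing appears under a "server inner-tunnel" banner for the later requests of the exchange; that is where "++[ldap_staff] returns notfound" and the following branch should show up, and the Reply-Message should then be listed among the attributes of the final "Sending Access-Accept".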
RE: Config. Help please - ldap and Active Directory
> Now I'm trying to return different reply attributes
> depending on Active Directory group membership and restrict
> which groups can authenticate. Ldap lookups against the
> active directory root fail with operation error.
> Reconfiguring Active Directory is not a viable option so I
> have to specify an OU= in the query. I have configured
> two instances of the ldap module for authorisation, one to
> query the staff ou and the other to query the student ou.
> Both work OK for valid queries but if the user does not exist
> in the ou the server still authenticates the
> username/password and grants access if valid.
>
> You need to upgrade to 2.x and use unlang. See man unlang on
> freeradius site. You need something like:
>
> if Ldap-Group == staff { do something }
> elsif Ldap-Group == student { do something else}
> else update control { to reject }
>

I've upgraded to 2.1.3 but, sorry, I'm really struggling with the concepts. I can't do "if Ldap-Group" because there is no container in Active Directory above staff and student to query.

What I think I need is:

        if ldap_staff returns "ok" {
                update reply {
                        ..
                }
        elsif ldap_student returns "ok" {
                update reply {
                        ..
                }
        else {
                Auth-Type := Reject
        }

, where ldap_staff and ldap_student are instances of the ldap module. I simply can't get the syntax right.

Am I on the right track? If so, a little help please.

Regards,
Leighton
RE: Config. Help please - ldap and Active Directory
> Hmm... would it be possible to have to give *more* output? i.e. start from a
> fresh directory:
>
>         $ tar -zxf freeradius-server-2.1.3.tar.gz
>         $ cd freeradius-server 2.1.3
>         $ ./configure
>         $ gmake
>
> And show the errors (not the dozens of lines saying "building foo", or the
> last dozen lines saying "error"), but the real informative errors about
> building dict.c, and what errors were encountered building dict.c.
>
> The only way I can see that error happening is if the source and/or build
> process is broken.
>
> Alan DeKok.

From the beginning:

        rm -rf freeradius-server-2.1.3
        tar xvf freeradius-server-2.1.3.tar   (it's already been unzipped with "gzip -d")
        cd freeradius-server-2.1.3
        ./configure | grep configure

...Lots of output including:

configure: WARNING: pcap library not found, silently disabling the RADIUS sniffer.
config.status: WARNING: ./Make.inc.in seems to ignore the --datarootdir setting
config.status: WARNING: ./src/include/build-radpaths-h.in seems to ignore the --datarootdir setting
configure: WARNING: silently not building rlm_counter.
configure: WARNING: FAILURE: rlm_counter requires: libgdbm.
configure: WARNING: EVP_sha256 not found, may have issues wirh WiMAX certificates
configure: WARNING: the TNCS libraryconfigure: WARNING: silently not building rlm_ippool.
configure: WARNING: FAILURE: rlm_ippool requires: libgdbm.
 isn't found!
configure: WARNING: silently not building rlm_perl.
configure: WARNING: FAILURE: rlm_perl requires: EXTERN.h perl.h libperl.so.
configure: WARNING: silently not building rlm_eap_tnc.
configure: WARNING: FAILURE: rlm_eap_tnc requires: -lTNCS.
configure: WARNING: silently not building rlm_eap_ikev2.
configure: WARNING: FAILURE: rlm_eap_ikev2 requires: libeap-ikev2 EAPIKEv2/connector.h.
configure: WARNING: the comm_err library isn't found!
configure: WARNING: silently not building rlm_krb5.
configure: WARNING: FAILURE: rlm_krb5 requires: krb5.h.configure: WARNING: silently not building rlm_python.
configure: WARNING: FAILURE: rlm_python requires: Python.h libpython2.3.
configure: WARNING: silently not building rlm_sql_iodbc.
configure: WARNING: FAILURE: rlm_sql_iodbc requires: libiodbc isql.h.
configure: WARNING: oracle headers not found. Use --with-oracle-home-dir=.
configure: WARNING: silently not building rlm_sql_oracle.
configure: WARNING: FAILURE: rlm_sql_oracle requires: oci.h.
configure: WARNING: silently not building rlm_sql_unixodbc.
configure: WARNING: FAILURE: rlm_sql_unixodbc requires: libodbc sql.h.

Then:

        gmake

Got the error about undefined symbol SUN_LEN.
Edited src/include/radiusd.h.
gmake
...and it all compiles OK.

Not sure what I did wrong the first time but many thanks for your help.

Leighton
RE: Config. Help please - ldap and Active Directory
> >Is there any way to do what I want without upgrading?
>

You can try users file:

        DEFAULT Ldap-Group == staff
                some reply

        DEFAULT Ldap-Group == student
                some other reply

        DEFAULT Auth-Type := Reject

That should be at the end of the users file (ie. anything below this will never match) and you need to fall through if there are other user file entries. These can't have Fall-Through.

Ivan Kalik
Kalik Informatika ISP
Re: Config. Help please - ldap and Active Directory
Leighton Man wrote:
> Tried "gmake" from the top directory and "gcc -g -O2 -D_REENTRANT
> -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -D_LIBRADIUS
> -I/export/home/cmsxljm/freeradius-server-2.1.3/src -c dict.c -fPIC -DPIC -o
> .libs/dict.o" (copy and paste from the gmake output) from the src/libs
> directory. Same error both times.

Hmm... would it be possible to have to give *more* output? i.e. start from a fresh directory:

        $ tar -zxf freeradius-server-2.1.3.tar.gz
        $ cd freeradius-server 2.1.3
        $ ./configure
        $ gmake

And show the errors (not the dozens of lines saying "building foo", or the last dozen lines saying "error"), but the real informative errors about building dict.c, and what errors were encountered building dict.c.

The only way I can see that error happening is if the source and/or build process is broken.

Alan DeKok.
RE: Config. Help please - ldap and Active Directory
> Huh? It compiles on 3-4 different Solaris boxes that I have access to.
>
> Did you run "make" from the TOP directory, or by cd'ing to src/lib?
>
> Alan DeKok.

Tried "gmake" from the top directory and "gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -D_LIBRADIUS -I/export/home/cmsxljm/freeradius-server-2.1.3/src -c dict.c -fPIC -DPIC -o .libs/dict.o" (copy and paste from the gmake output) from the src/libs directory. Same error both times.

Leighton
Re: Config. Help please - ldap and Active Directory
Leighton Man wrote:
> Many thanks for this. I'm using 1.1.7 because it's available as a pre-built
> package on solaris for both sparc and x86 architectures. The idea is to get
> freeradius configured and working as fast as possible so it can be demo'd to
> management (I'm trying to retire Cisco ACS). Then to test it on x86 standard
> build which is being developed in parallel. Then, if all works, upgrade to
> latest version.
> Version 2.1.3 won't compile on my solaris box and the problem looks, to me,
> non-trivial. (dict.c:83: error: `PW_TYPE_STRING' undeclared here (not in a
> function))

Huh? It compiles on 3-4 different Solaris boxes that I have access to.

Did you run "make" from the TOP directory, or by cd'ing to src/lib?

Alan DeKok.
RE: Config. Help please - ldap and Active Directory
> >I'm new to freeradius (3 weeks experience) and mailing lists (second attempt)
> >so please have patience.
> >I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured to
> >authenticate against Active Directory using ntlm-auth.
> >All working OK.
> >Now I'm trying to return different reply attributes depending on Active
> >Directory group membership and restrict which groups can authenticate. Ldap
> >lookups against the active directory root fail with operation error.
> >Reconfiguring Active Directory is not a viable option so I have to specify an
> >OU= in the query. I have configured two instances of the ldap module for
> >authorisation, one to query the staff ou and the other to query the student
> >ou. Both work OK for valid queries but if the user does not exist in the ou
> >the server still authenticates the username/password and grants access if
> >valid.
>
> You need to upgrade to 2.x and use unlang. See man unlang on freeradius site.
> You need something like:
>
> if Ldap-Group == staff { do something }
> elsif Ldap-Group == student { do something else}
> else update control { to reject }
>
> Ivan Kalik
> Kalik Informatika ISP

Many thanks for this. I'm using 1.1.7 because it's available as a pre-built package on solaris for both sparc and x86 architectures. The idea is to get freeradius configured and working as fast as possible so it can be demo'd to management (I'm trying to retire Cisco ACS). Then to test it on x86 standard build which is being developed in parallel. Then, if all works, upgrade to latest version.

Version 2.1.3 won't compile on my solaris box and the problem looks, to me, non-trivial. (dict.c:83: error: `PW_TYPE_STRING' undeclared here (not in a function))

Is there any way to do what I want without upgrading?

Regards,
Leighton
Re: Config. Help please - ldap and Active Directory
>I'm new to freeradius (3 weeks experience) and mailing lists (second attempt)
>so please have patience.
>I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured to
>authenticate against Active Directory using ntlm-auth.
>All working OK.
>Now I'm trying to return different reply attributes depending on Active
>Directory group membership and restrict which groups can authenticate. Ldap
>lookups against the active directory root fail with operation error.
>Reconfiguring Active Directory is not a viable option so I have to specify an
>OU= in the query. I have configured two instances of the ldap module for
>authorisation, one to query the staff ou and the other to query the student
>ou. Both work OK for valid queries but if the user does not exist in the ou
>the server still authenticates the username/password and grants access if
>valid.

You need to upgrade to 2.x and use unlang. See man unlang on freeradius site. You need something like:

        if Ldap-Group == staff { do something }
        elsif Ldap-Group == student { do something else}
        else update control { to reject }

Ivan Kalik
Kalik Informatika ISP
Re: Config. Help please - ldap and Active Directory
On 06.03.2009 at 12:20, Leighton Man wrote:

> Hi,
>
> I'm new to freeradius (3 weeks experience) and mailing lists (second attempt) so please have patience.
>
> I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured to authenticate against Active Directory using ntlm-auth. All working OK.
>
> Now I'm trying to return different reply attributes depending on Active Directory group membership and restrict which groups can authenticate. Ldap lookups against the active directory root fail with operation error. Reconfiguring Active Directory is not a viable option so I have to specify an OU= in the query. I have configured two instances of the ldap module for authorisation, one to query the staff ou and the other to query the student ou. Both work OK for valid queries but if the user does not exist in the ou the server still authenticates the username/password and grants access if valid.
>
> Relevant debug output:
>
> rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=stafftest)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap_student" returns notfound for request 8
> modcall: leaving group student (returns notfound) for request 8
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 8
> rlm_eap: Request found, released from the list
> ...
> rlm_eap_peap: Tunneled data is valid.
> rlm_eap_peap: Success
> rlm_eap: Freeing handler
> modcall[authenticate]: module "eap" returns ok for request 8
> modcall: leaving group authenticate (returns ok) for request 8
> Sending Access-Accept of id 104 to 10.127.240.217 port 1645
>
> Relevant bits of radiusd.conf:
>
> ldap ldap_student {
>         server = "server.hud.ac.uk"
>         identity = "cn=user,ou=Specials,ou=Staff,dc=ad,dc=hud,dc=ac,dc=uk"
>         password = secret

Try using := instead of = or ==
You have to assign the password, not compare to it.
Also perhaps you should use Cleartext-Password if the password is in clear here.

>         port = 636
>         basedn = "ou=students, dc=ad, dc=hud, dc=ac, dc=uk"
>         filter = "(sAMAccountName=%{mschap:User-Name:-%{User-Name}})"
>         start_tls = no
>         access_attr = "dialupAccess"
>         dictionary_mapping = ${raddbdir}/ldap.attrmap
>         ldap_connections_number = 5
>         groupname_attribute = cn
>         groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>         groupmembership_attribute = radiusGroupName
>         timeout = 4
>         timelimit = 3
>         net_timeout = 1
> }
>
> instantiate {
>         exec
>         expr
>         ldap_staff
>         ldap_student
> }
>
> authorize {
>         preprocess
>         mschap
>         suffix
>         eap
>         Autz-Type staff {
>                 ldap_staff
>         }
>         Autz-Type student {
>                 ldap_student
>         }
>         files
> }
>
> authenticate {
>         Auth-Type MS-CHAP {
>                 mschap
>         }
>         eap
> }
>
> I want to reject the user if they are not in the relevant ou. I must be missing something obvious. Can anyone help please?
>
> Thanks in advance,
> Leighton

Nicolas Goutte
extragroup GmbH - Karlsruhe
Config. Help please - ldap and Active Directory
Hi,

I'm new to freeradius (3 weeks experience) and mailing lists (second attempt) so please have patience.

I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured to authenticate against Active Directory using ntlm-auth. All working OK.

Now I'm trying to return different reply attributes depending on Active Directory group membership and restrict which groups can authenticate. Ldap lookups against the active directory root fail with operation error. Reconfiguring Active Directory is not a viable option so I have to specify an OU= in the query. I have configured two instances of the ldap module for authorisation, one to query the staff ou and the other to query the student ou. Both work OK for valid queries but if the user does not exist in the ou the server still authenticates the username/password and grants access if valid.

Relevant debug output:

rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=stafftest)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap_student" returns notfound for request 8
modcall: leaving group student (returns notfound) for request 8
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Request found, released from the list
...
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Success
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 8
modcall: leaving group authenticate (returns ok) for request 8
Sending Access-Accept of id 104 to 10.127.240.217 port 1645

Relevant bits of radiusd.conf:

        ldap ldap_student {
                server = "server.hud.ac.uk"
                identity = "cn=user,ou=Specials,ou=Staff,dc=ad,dc=hud,dc=ac,dc=uk"
                password = secret
                port = 636
                basedn = "ou=students, dc=ad, dc=hud, dc=ac, dc=uk"
                filter = "(sAMAccountName=%{mschap:User-Name:-%{User-Name}})"
                start_tls = no
                access_attr = "dialupAccess"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                groupname_attribute = cn
                groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
                groupmembership_attribute = radiusGroupName
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }

        instantiate {
                exec
                expr
                ldap_staff
                ldap_student
        }

        authorize {
                preprocess
                mschap
                suffix
                eap
                Autz-Type staff {
                        ldap_staff
                }
                Autz-Type student {
                        ldap_student
                }
                files
        }

        authenticate {
                Auth-Type MS-CHAP {
                        mschap
                }
                eap
        }

I want to reject the user if they are not in the relevant ou. I must be missing something obvious. Can anyone help please?

Thanks in advance,
Leighton
Re[2]: LDAP and Active Directory
Hello Marc,

Sunday, July 4, 2004, 2:32:45 PM, you wrote:

MJ> Just a last question:
MJ> I need OpenLDAP when I compile FreeRadius, but once FreeRadius is compiled,
MJ> can I remove OpenLDAP or must I keep it running?

I guess you should keep the OpenLDAP installation because of freeradius's dependency on libldap etc.

--
Best regards,
Alexander                            mailto:[EMAIL PROTECTED]
Re: LDAP and Active Directory
Thx, this will help me.

Just a last question:
I need OpenLDAP when I compile FreeRadius, but once FreeRadius is compiled, can I remove OpenLDAP or must I keep it running?

Marc

- Original Message -
From: "Dustin Doris" <[EMAIL PROTECTED]>
To: "freeradius-users" <[EMAIL PROTECTED]>
Sent: Friday, July 02, 2004 17:12
Subject: Re: LDAP and Active Directory

> Hi,
>
> This may look like a recurring question, but I've checked the
> whole mailing list and many other websites but this isn't
> clear to me.
>
> I'm currently working on a gateway using a very poor but
> strong configuration of free radius.
> This gateway has installed the minimal configuration to make
> it as lightweight and strong as possible!
>
> My question is the following:
> My bosses want me to make my Linux box join some of the
> centralized user db we have. Our society has 4 kinds of
> (different) user databases including NIS, LDAP, Active
> Directory, MySQL, ...
>
> So to make radius authenticate using NIS there is no problem.
> But to add (or just modify) the authentication server to
> Active Directory I understood (from many sources) that this is
> possible, but not how to do that.
>
> Is the Radius configuration file enough or should I install
> some applications? Such as OpenLDAP? Kerberos? OpenSSL?
> Samba NTLM?

You'll need to install openldap before you compile freeradius for it to use ldap.

> Any advice will be appreciated. Thx...
>
> Marc

Hope that helps.

Dusty Doris
Re: LDAP and Active Directory
> Hi,
>
> This may look like a recurring question, but I've checked the
> whole mailing list and many other websites but this isn't
> clear to me.
>
> I'm currently working on a gateway using a very poor but
> strong configuration of free radius.
> This gateway has installed the minimal configuration to make
> it as lightweight and strong as possible!
>
> My question is the following:
> My bosses want me to make my Linux box join some of the
> centralized user db we have. Our society has 4 kinds of
> (different) user databases including NIS, LDAP, Active
> Directory, MySQL, ...
>
> So to make radius authenticate using NIS there is no problem.
> But to add (or just modify) the authentication server to
> Active Directory I understood (from many sources) that this is
> possible, but not how to do that.
>
> Is the Radius configuration file enough or should I install
> some applications? Such as OpenLDAP? Kerberos? OpenSSL?
> Samba NTLM?

You'll need to install openldap before you compile freeradius for it to use ldap.

> Moreover, I haven't direct access to a Windows PDC, should I
> need one?

You will need to have direct access to the windows active directory server, port 389 (if that's what it listens on).

> I don't know LDAP well, so can someone who has a common
> configuration give me a sample configuration file(s).

The radiusd.conf file will show most of what you need to do. You'll need to modify the ldap section of that file. Please make sure you create a user in Active Directory with read access. This is the user that you will put in identity and password. You'll need to bind with that user to active directory to do a search on the user logging in. AD doesn't allow anonymous searches, so you'll need to create a user with read access.

In basedn, you'll specify the base of where your users are stored in Active Directory. It will look something like this.

basedn = "ou=system users,dc=yourdomain,dc=com"

You'll have to find out where in the ldap directory the users are stored and modify basedn to fit that.

Then in filter, you will specify the lookup for the user. It will look something like this.

filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"

> Can FreeRadius be extended into an SSO architecture?

Sure, if all your users are located in a place that freeradius can connect to, such as active directory.

> Any advice will be appreciated. Thx...
>
> Marc

Hope that helps.

Dusty Doris
LDAP and Active Directory
Hi,

This may look like a recurring question, but I've checked the whole mailing list and many other websites but this isn't clear to me.

I'm currently working on a gateway using a very poor but strong configuration of free radius. This gateway has installed the minimal configuration to make it as lightweight and strong as possible!

My question is the following:
My bosses want me to make my Linux box join some of the centralized user db we have. Our society has 4 kinds of (different) user databases including NIS, LDAP, Active Directory, MySQL, ...

So to make radius authenticate using NIS there is no problem. But to add (or just modify) the authentication server to Active Directory I understood (from many sources) that this is possible, but not how to do that.

Is the Radius configuration file enough or should I install some applications? Such as OpenLDAP? Kerberos? OpenSSL? Samba NTLM?

Moreover, I haven't direct access to a Windows PDC, should I need one?

I don't know LDAP well, so can someone who has a common configuration give me a sample configuration file(s).

Can FreeRadius be extended into an SSO architecture?

Any advice will be appreciated. Thx...

Marc