Problem with LDAP against Active Directory
Hi folks,

I want to authenticate users from a WLAN with FreeRADIUS. The users are stored in the Active Directory of a Windows 2003 Server. With some tutorials from the Internet I have configured FreeRADIUS to do that. Unfortunately the authentication is not successful.

That's the output from FreeRADIUS during the authentication:

rad_recv: Access-Request packet from host 192.168.210.15:4596, id=13, length=100
        NAS-Port-Type = Ethernet
        Service-Type = Login-User
        User-Name = ldap
        User-Password = ldap
        Called-Station-Id = 00:01:02:ad:64:f7
        Calling-Station-Id = 00:c0:49:54:b5:43
        NAS-Port = 1
Mon Apr 3 11:12:08 2006 : Debug: Processing the authorize section of radiusd.conf
Mon Apr 3 11:12:08 2006 : Debug: modcall: entering group authorize for request 2
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 2
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 2
Mon Apr 3 11:12:08 2006 : Debug: modcall[authorize]: module preprocess returns ok for request 2
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 2
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 2
Mon Apr 3 11:12:08 2006 : Debug: modcall[authorize]: module chap returns noop for request 2
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 2
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 2
Mon Apr 3 11:12:08 2006 : Debug: modcall[authorize]: module mschap returns noop for request 2
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 2
Mon Apr 3 11:12:08 2006 : Debug: rlm_realm: No '@' in User-Name = ldap, looking up realm NULL
Mon Apr 3 11:12:08 2006 : Debug: rlm_realm: No such realm NULL
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 2
Mon Apr 3 11:12:08 2006 : Debug: modcall[authorize]: module suffix returns noop for request 2
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 2
Mon Apr 3 11:12:08 2006 : Debug: rlm_eap: No EAP-Message, not doing EAP
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 2
Mon Apr 3 11:12:08 2006 : Debug: modcall[authorize]: module eap returns noop for request 2
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: calling files (rlm_files) for request 2
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 2
Mon Apr 3 11:12:08 2006 : Debug: modcall[authorize]: module files returns notfound for request 2
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 2
Mon Apr 3 11:12:08 2006 : Debug: rlm_ldap: - authorize
Mon Apr 3 11:12:08 2006 : Debug: rlm_ldap: performing user authorization for ldap
Mon Apr 3 11:12:08 2006 : Debug: radius_xlat: '(uid=ldap)'
Mon Apr 3 11:12:08 2006 : Debug: radius_xlat: 'ou=Sion, o=ad.ch'
Mon Apr 3 11:12:08 2006 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Mon Apr 3 11:12:08 2006 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Mon Apr 3 11:12:08 2006 : Debug: rlm_ldap: attempting LDAP reconnection
Mon Apr 3 11:12:08 2006 : Debug: rlm_ldap: closing existing LDAP connection
Mon Apr 3 11:12:08 2006 : Debug: rlm_ldap: (re)connect to ad.ch:389, authentication 0
Mon Apr 3 11:12:08 2006 : Debug: rlm_ldap: bind as / to ad.ch:389
Mon Apr 3 11:12:18 2006 : Debug: rlm_ldap: waiting for bind result ...
Mon Apr 3 11:12:18 2006 : Debug: rlm_ldap: Bind was successful
Mon Apr 3 11:12:18 2006 : Debug: rlm_ldap: performing search in ou=Sion, o=ad.ch, with filter (uid=ldap)
Mon Apr 3 11:12:18 2006 : Error: rlm_ldap: ldap_search() failed: Operations error
Mon Apr 3 11:12:18 2006 : Debug: rlm_ldap: search failed
Mon Apr 3 11:12:18 2006 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Mon Apr 3 11:12:18 2006 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 2
Mon Apr 3 11:12:18 2006 : Debug: modcall[authorize]: module ldap returns fail for request 2
Mon Apr 3 11:12:18 2006 : Debug: modcall: group authorize returns fail for request 2
Mon Apr 3 11:12:18 2006 : Debug: Finished request 2
Mon Apr 3 11:12:18 2006 : Debug: Going to the next request
Mon Apr 3 11:12:18 2006 : Debug: --- Walking the entire request list ---
Mon Apr 3 11:12:18 2006 : Debug: Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.210.15:4596, id=13, length=100
Mon Apr 3 11:12:18 2006 : Debug: Discarding duplicate request from client testnet:4596 - ID: 13
Mon Apr 3 11:12:18 2006 : Debug: --- Walking the entire request list ---
Mon Apr 3 11:12:18 2006 : Debug: Cleaning up request 2 ID 13 with
RE: Problem with LDAP against Active Directory
Hi Dominique,

There appears to be something wrong with the search base definition for your LDAP search. It looks like you are using the traditional LDAP basename, which goes ou=mydepartment, o=mycompany, c=ch. Active Directory uses basenames that look like dc=ad, dc=ch. Your LDAP server is returning "operations error", so I should look in its log file for more details.

By the way, bear in mind that unless you use Microsoft IAS, you can only do RADIUS authentication against AD using PAP (i.e. users send passwords in cleartext), which isn't too secure.

Max Caines

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: 03 April 2006 10:27
To: freeradius-users@lists.freeradius.org
Subject: Problem with LDAP against Active Directory

Hi folks,

I want to authenticate users from a WLAN with FreeRADIUS. The users are stored in the Active Directory of a Windows 2003 Server. With some tutorials from the Internet I have configured FreeRADIUS to do that. Unfortunately the authentication is not successful.
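The three things the reply points at (a non-AD search base, the search failing with "Operations error", and what the debug output reveals about the bind) can be checked mechanically. The following triage script is an added example, not code from the thread or from the FreeRADIUS project; it runs over a constructed copy of the rlm_ldap debug lines quoted above, assumes the FreeRADIUS 1.x "bind as <identity>/<password> to <host>" debug format shown in the log, and derives the AD default naming context from the DNS domain name.

```python
import re

# Constructed sample modelled on the rlm_ldap debug lines quoted in this thread.
SAMPLE_LOG = """\
Mon Apr 3 11:12:08 2006 : Debug: radius_xlat: '(uid=ldap)'
Mon Apr 3 11:12:08 2006 : Debug: rlm_ldap: bind as / to ad.ch:389
Mon Apr 3 11:12:18 2006 : Debug: rlm_ldap: Bind was successful
Mon Apr 3 11:12:18 2006 : Debug: rlm_ldap: performing search in ou=Sion, o=ad.ch, with filter (uid=ldap)
Mon Apr 3 11:12:18 2006 : Error: rlm_ldap: ldap_search() failed: Operations error
"""

# rlm_ldap (1.x) prints "bind as <identity>/<password> to <host>:<port>" (assumed format).
BIND_RE = re.compile(r"bind as (?P<cred>.*?) to (?P<host>\S+)$")
SEARCH_RE = re.compile(r"performing search in (?P<base>.+?), with filter (?P<filter>\(.*\))")


def ad_base_dn(domain):
    """Default naming context of an AD domain: each DNS label becomes one dc= RDN."""
    return ",".join("dc=" + label for label in domain.lower().split(".") if label)


def looks_like_ad_base(base_dn):
    """True when the DN is rooted in dc= components, as every AD naming context is."""
    rdns = [r.strip().lower() for r in base_dn.split(",")]
    return rdns[-1].startswith("dc=")


def triage(log_text):
    """Return human-readable findings for the misconfigurations visible in the log."""
    findings, domain = [], None
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            domain = m.group("host").split(":")[0]
            if m.group("cred").strip("/ ") == "":
                # Empty identity and password mean an anonymous bind. AD (Windows 2003 and
                # later) answers searches outside the rootDSE on such a connection with
                # operationsError, which is exactly what the quoted log shows next.
                findings.append("anonymous bind: set identity/password to a least-privilege service account")
        m = SEARCH_RE.search(line)
        if m:
            base, filt = m.group("base"), m.group("filter")
            if not looks_like_ad_base(base):
                hint = ad_base_dn(domain) if domain else "dc=<domain>,dc=<tld>"
                findings.append("base DN '%s' is not dc=-rooted; AD expects e.g. %s" % (base, hint))
            if filt.lower().startswith("(uid="):
                findings.append("filter matches uid; AD logon names live in sAMAccountName")
        if "Operations error" in line:
            findings.append("operationsError from the DC: check its Directory Service event log")
    return findings
```

Calling `triage(SAMPLE_LOG)` yields four findings for the quoted log; the same function can be pointed at a full `radiusd -X` capture.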
RE: Problem with LDAP against Active Directory
Hello,

Can you tell me which log file I must check? I already use the other basename, and I also use PAP.

Greets
Dominique

PS: Sorry for my bad English!

On Monday, 03.04.2006, 14:42 +0100, Caines, Max wrote:

Hi Dominique,

There appears to be something wrong with the search base definition for your LDAP search. It looks like you are using the traditional LDAP basename, which goes ou=mydepartment, o=mycompany, c=ch. Active Directory uses basenames that look like dc=ad, dc=ch. Your LDAP server is returning "operations error", so I should look in its log file for more details.

By the way, bear in mind that unless you use Microsoft IAS, you can only do RADIUS authentication against AD using PAP (i.e. users send passwords in cleartext), which isn't too secure.

Max Caines