RE: Yet Another AD Question

Look at the mschap section of the FR config file, everything is there, you just need to uncomment it.

-- Chris Liles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Josh
Sent: Thursday, May 25, 2006 11:45 AM
To: FreeRadius users mailing list
Subject: Re: Yet Another AD Question

OK. So I think I'm going to go the Samba route. I've got Samba running on the same host as freeradius. I've tested Samba/AD integration by creating a couple shared folders on the Samba server and using Windows AD accounts to mount/map them from windows machines - it works.

Now, I need to get freeradius to send auth requests to samba. I guess there are a few ways to do this, one of which would be LDAP again (now I'm trying to avoid LDAP). I'm not concerned with security (clear text passwords, etc.) between samba and freeradius since they are on the same box.

Any good pointers to some documentation on freeradius/samba integration without ldap? What method should I be using other than ldap?

__
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Yet Another AD Question

OK. So I think I'm going to go the Samba route. I've got Samba running on the same host as freeradius. I've tested Samba/AD integration by creating a couple shared folders on the Samba server and using Windows AD accounts to mount/map them from windows machines - it works.

Now, I need to get freeradius to send auth requests to samba. I guess there are a few ways to do this, one of which would be LDAP again (now I'm trying to avoid LDAP). I'm not concerned with security (clear text passwords, etc.) between samba and freeradius since they are on the same box.

Any good pointers to some documentation on freeradius/samba integration without ldap? What method should I be using other than ldap?
Re: Yet Another AD Question

Yes... I had cut all but the final "Bind was successful"... here's more of the bind results:

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to org.my.domain.com:389, authentication 0
rlm_ldap: bind as / to org.my.domain.com:389
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP org.my.domain.com:389
ldap_new_socket: 11
ldap_prepare_socket: 11
ldap_connect_to_host: Trying 192.168.10.12:389
ldap_connect_timeout: fd: 11 tm: 1 async: 0
ldap_ndelay_on: 11
ldap_is_sock_ready: 11
ldap_ndelay_off: 11
ldap_open_defconn: successful
ldap_send_server_request
rlm_ldap: waiting for bind result ...
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (timeout 4 sec, 0 usec), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: org.my.domain.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed May 24 12:14:51 2006

** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ldap_read: message type bind msgid 1, original id 1
new result:  res_errno: 0, res_error: <>, res_matched: <>
read1msg: 0 new referrals
read1msg:  mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ldap_msgfree
rlm_ldap: Bind was successful

I can also see the successful connection in the event viewer on the DC. Hmm

--- [EMAIL PROTECTED] wrote:

> Hi,
>
> > I've crawled the web for info and tried numerous
> > things to get FreeRadius authenticating users with a
> > 2003 Active Directory.
>
> is the system bound into the AD? the error messages
> suggest that it isnt...
>
> alan
Re: Yet Another AD Question

The only trouble I have with IAS is that most of the users are contained in a separate AD forest. I have a 2-way trust with another organization. I can authenticate users of the trusted org from my domain over LDAP... however, I can't rely on the trusted domain's "Dial In" settings for IAS. Which is why I'm looking for a way to use LDAP only.

I've tried, as you suggested, proxying requests to my AD IAS, but I suppose my remote access policy has issues of its own.

--- ho <[EMAIL PROTECTED]> wrote:

> Hi,
>
> i've tried a lot, but at the moment we have got a very smart solution to
> combine the flexibility of freeradius with authentication of central AD:
>
> 1) setting up an ms ias server, which is only there for authenticating, i
> have got only one policy!
> 2) setting up freeradius to proxy the authentication-requests to the ias.
> 3) Authorization still remains on the freeradius
> 4) Accounting with freeradius/mysql
>
> I've tried to use samba but AD-Gurus were not amused to integrate a
> samba-box into the AD ;-)
>
> For me it was the "perfect" solution.
>
> ho
>
>
> ----- Original Message -----
> From: "Josh" <[EMAIL PROTECTED]>
> To:
> Sent: Wednesday, May 24, 2006 6:36 PM
> Subject: Yet Another AD Question
>
>
> > I've crawled the web for info and tried numerous
> > things to get FreeRadius authenticating users with a
> > 2003 Active Directory.
> >
> > I'm currently running FreeRadius (with MySQL) on RHEL4
> > using the RPMs included with RHEL4:
> >
> > freeradius-1.0.1-3.RHEL4
> > freeradius-mysql-1.0.1-3.RHEL4
> >
> > Running radiusd in debug mode (-X) shows a successful
> > bind to the AD server. I then can see rlm_ldap
> > performing a search and then eventually fails:
> >
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> >
> > rlm_ldap: Bind was successful
> > rlm_ldap: performing search in
> > cn=Users,dc=org,dc=my,dc=domain,dc=com, with filter
> > cn=administrator
> > ldap_search
> > put_filter: "cn=administrator"
> > put_filter: default
> > put_simple_filter: "cn=administrator"
> > ldap_send_initial_request
> > ldap_send_server_request
> > ldap_result msgid 2
> > ldap_chkResponseList for msgid=2, all=1
> > ldap_chkResponseList returns NULL
> > wait4msg (timeout 4 sec, 0 usec), msgid 2
> > wait4msg continue, msgid 2, all 1
> > ** Connections:
> > * host: org.my.domain.com  port: 389  (default)
> >   refcnt: 2  status: Connected
> >   last used: Wed May 24 12:14:51 2006
> >
> > ** Outstanding Requests:
> >  * msgid 2,  origid 2, status InProgress
> >    outstanding referrals 0, parent count 0
> > ** Response Queue:
> >    Empty
> > ldap_chkResponseList for msgid=2, all=1
> > ldap_chkResponseList returns NULL
> > ldap_int_select
> > read1msg: msgid 2, all 1
> > ldap_read: message type search-result msgid 2,
> > original id 2
> > ldap_chase_referrals
> > read1msg: V2 referral chased, mark request completed,
> > id = 2
> > new result:  res_errno: 1, res_error: <:
> > LdapErr: DSID-0C090627, comment: In order to perform
> > this operation a successful bind must be completed on
> > the connection., data 0, vece>, res_matched: <>
> > read1msg: 0 new referrals
> > read1msg:  mark request completed, id = 2
> > request 2 done
> > res_errno: 1, res_error: <: LdapErr:
> > DSID-0C090627, comment: In order to perform this
> > operation a successful bind must be completed on the
> > connection., data 0, vece>, res_matched: <>
> > ldap_free_request (origid 2, msgid 2)
> > ldap_free_connection
> > ldap_free_connection: refcnt 1
> > ldap_parse_result
> > ldap_err2string
> > rlm_ldap: ldap_search() failed: Operations error
> > ldap_msgfree
> > rlm_ldap: ldap_release_conn: Release Id: 0
> > modcall[authenticate]: module "ldap" returns fail
> > for request 0
> > modcall: group authenticate returns fail for request 0
> > auth: Failed to validate the user.
> >
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> >
> > I'm not sure if I'm using the wrong ldap search or
> > what. Here's my ldap section of radiusd.conf:
> >
> > server = "org.my.domain.com"
> > ldap_debug = 0x
> > basedn = "cn=Users,dc=org,dc=my,dc=domain,dc=com"
Re: Yet Another AD Question

Josh <[EMAIL PROTECTED]> wrote:
> rlm_ldap: ldap_search() failed: Operations error

See doc/rlm_ldap in the 1.1.2 release, which should be out real soon now.

Or, use CVS to checkout "-r branch_1_1", and see doc/rlm_ldap.

Alan DeKok.
Re: Yet Another AD Question

Hi,

i've tried a lot, but at the moment we have got a very smart solution to combine the flexibility of freeradius with authentication of central AD:

1) setting up an ms ias server, which is only there for authenticating, i have got only one policy!
2) setting up freeradius to proxy the authentication-requests to the ias.
3) Authorization still remains on the freeradius
4) Accounting with freeradius/mysql

I've tried to use samba but AD-Gurus were not amused to integrate a samba-box into the AD ;-)

For me it was the "perfect" solution.

ho

----- Original Message -----
From: "Josh" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, May 24, 2006 6:36 PM
Subject: Yet Another AD Question

I've crawled the web for info and tried numerous things to get FreeRadius authenticating users with a 2003 Active Directory.

I'm currently running FreeRadius (with MySQL) on RHEL4 using the RPMs included with RHEL4:

freeradius-1.0.1-3.RHEL4
freeradius-mysql-1.0.1-3.RHEL4

Running radiusd in debug mode (-X) shows a successful bind to the AD server. I then can see rlm_ldap performing a search and then eventually fails:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

rlm_ldap: Bind was successful
rlm_ldap: performing search in cn=Users,dc=org,dc=my,dc=domain,dc=com, with filter cn=administrator
ldap_search
put_filter: "cn=administrator"
put_filter: default
put_simple_filter: "cn=administrator"
ldap_send_initial_request
ldap_send_server_request
ldap_result msgid 2
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
wait4msg (timeout 4 sec, 0 usec), msgid 2
wait4msg continue, msgid 2, all 1
** Connections:
* host: org.my.domain.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed May 24 12:14:51 2006

** Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 2, all 1
ldap_read: message type search-result msgid 2, original id 2
ldap_chase_referrals
read1msg: V2 referral chased, mark request completed, id = 2
new result:  res_errno: 1, res_error: <: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece>, res_matched: <>
read1msg: 0 new referrals
read1msg:  mark request completed, id = 2
request 2 done
res_errno: 1, res_error: <: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ldap_err2string
rlm_ldap: ldap_search() failed: Operations error
ldap_msgfree
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authenticate]: module "ldap" returns fail for request 0
modcall: group authenticate returns fail for request 0
auth: Failed to validate the user.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

I'm not sure if I'm using the wrong ldap search or what. Here's my ldap section of radiusd.conf:

server = "org.my.domain.com"
ldap_debug = 0x
basedn = "cn=Users,dc=org,dc=my,dc=domain,dc=com"
filter = "cn=%u"
start_tls = no
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1

Although I'd like to avoid it, but, would it be easier to install SAMBA on the RHES4 box and connect SAMBA to AD and then connect FreeRadius to SAMBA? I've also come across possible issues with certain versions of openldap and 2003 AD?

As soon as this part is working I'll be authenticating wireless users (using Cisco APs) as well. But I think that should run fairly smooth as soon as FreeRadius and AD are talking the same language.

I hope there are some Radius/AD gurus out there? Many thanks in advance...
Re: Yet Another AD Question

Hi,

> I've crawled the web for info and tried numerous
> things to get FreeRadius authenticating users with a
> 2003 Active Directory.

is the system bound into the AD? the error messages suggest that it isnt...

alan
Yet Another AD Question

I've crawled the web for info and tried numerous things to get FreeRadius authenticating users with a 2003 Active Directory.

I'm currently running FreeRadius (with MySQL) on RHEL4 using the RPMs included with RHEL4:

freeradius-1.0.1-3.RHEL4
freeradius-mysql-1.0.1-3.RHEL4

Running radiusd in debug mode (-X) shows a successful bind to the AD server. I then can see rlm_ldap performing a search and then eventually fails:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

rlm_ldap: Bind was successful
rlm_ldap: performing search in cn=Users,dc=org,dc=my,dc=domain,dc=com, with filter cn=administrator
ldap_search
put_filter: "cn=administrator"
put_filter: default
put_simple_filter: "cn=administrator"
ldap_send_initial_request
ldap_send_server_request
ldap_result msgid 2
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
wait4msg (timeout 4 sec, 0 usec), msgid 2
wait4msg continue, msgid 2, all 1
** Connections:
* host: org.my.domain.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed May 24 12:14:51 2006

** Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 2, all 1
ldap_read: message type search-result msgid 2, original id 2
ldap_chase_referrals
read1msg: V2 referral chased, mark request completed, id = 2
new result:  res_errno: 1, res_error: <: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece>, res_matched: <>
read1msg: 0 new referrals
read1msg:  mark request completed, id = 2
request 2 done
res_errno: 1, res_error: <: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ldap_err2string
rlm_ldap: ldap_search() failed: Operations error
ldap_msgfree
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authenticate]: module "ldap" returns fail for request 0
modcall: group authenticate returns fail for request 0
auth: Failed to validate the user.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

I'm not sure if I'm using the wrong ldap search or what. Here's my ldap section of radiusd.conf:

server = "org.my.domain.com"
ldap_debug = 0x
basedn = "cn=Users,dc=org,dc=my,dc=domain,dc=com"
filter = "cn=%u"
start_tls = no
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1

Although I'd like to avoid it, but, would it be easier to install SAMBA on the RHES4 box and connect SAMBA to AD and then connect FreeRadius to SAMBA? I've also come across possible issues with certain versions of openldap and 2003 AD?

As soon as this part is working I'll be authenticating wireless users (using Cisco APs) as well. But I think that should run fairly smooth as soon as FreeRadius and AD are talking the same language.

I hope there are some Radius/AD gurus out there? Many thanks in advance...
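The traces in this thread contain the answer to the "bind succeeded but search fails" puzzle: the longer bind trace shows `rlm_ldap: bind as / to org.my.domain.com:389`, i.e. an empty identity, so the "successful" bind was an anonymous simple bind, and Active Directory accepts an anonymous bind but refuses to search on that connection, which is what the "successful bind must be completed on the connection" comment and the resulting "Operations error" say. The following triage script is an added example written for this page, not code from the thread or from the FreeRADIUS project. It reads rlm_ldap debug lines, pulls the identity out of the `bind as <identity>/<password> to <host>` line (that line format is assumed from the trace quoted above, and note that old rlm_ldap debug output prints the bind password in clear, so the trace itself is sensitive), and classifies the outcome so an operator can tell an anonymous-bind problem from a wrong-credentials or wrong-basedn problem. The sample trace is a constructed, trimmed copy of the lines quoted in this thread; the `identity`/`password` options named in the advice are the standard rlm_ldap settings in the ldap section of radiusd.conf.

```python
import re

# Constructed sample: a trimmed copy of the radiusd -X lines quoted in the
# thread (the empty bind identity and the AD error text are what matter).
SAMPLE_LOG = """\
rlm_ldap: (re)connect to org.my.domain.com:389, authentication 0
rlm_ldap: bind as / to org.my.domain.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in cn=Users,dc=org,dc=my,dc=domain,dc=com, with filter cn=administrator
new result:  res_errno: 1, res_error: <: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece>, res_matched: <>
rlm_ldap: ldap_search() failed: Operations error
modcall[authenticate]: module "ldap" returns fail for request 0
"""

# Assumed line format (taken from the trace in this thread):
# "rlm_ldap: bind as <identity>/<password> to <host:port>".
# An empty identity means rlm_ldap fell back to an anonymous simple bind.
BIND_RE = re.compile(r"rlm_ldap: bind as (.*?)/(.*?) to (\S+)")
BIND_OK_RE = re.compile(r"rlm_ldap: Bind was successful")
SEARCH_FAIL_RE = re.compile(r"rlm_ldap: ldap_search\(\) failed: (.*)")
# AD attaches this comment when an unauthenticated connection tries
# anything beyond reading the RootDSE.
NEEDS_BIND_RE = re.compile(r"successful bind must be completed on the connection")


def diagnose(log_text):
    """Classify an rlm_ldap debug trace and return a dict of findings."""
    f = {
        "bind_identity": None,          # None until a bind line is seen
        "bind_host": None,
        "anonymous_bind": False,
        "bind_succeeded": False,
        "search_failed": False,
        "needs_authenticated_bind": False,
        "diagnosis": "no-bind-seen",
    }
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            f["bind_identity"] = m.group(1).strip()
            f["bind_host"] = m.group(3)
            f["anonymous_bind"] = f["bind_identity"] == ""
            continue
        if BIND_OK_RE.search(line):
            f["bind_succeeded"] = True
        elif SEARCH_FAIL_RE.search(line):
            f["search_failed"] = True
        elif NEEDS_BIND_RE.search(line):
            f["needs_authenticated_bind"] = True

    if f["bind_identity"] is None:
        return f
    if not f["bind_succeeded"]:
        f["diagnosis"] = "bind-failed"       # bad identity/password or DC unreachable
    elif f["anonymous_bind"] and (f["needs_authenticated_bind"] or f["search_failed"]):
        f["diagnosis"] = "anonymous-bind-rejected-for-search"
    elif f["search_failed"]:
        f["diagnosis"] = "search-failed"     # bound fine; basedn, filter or ACL problem
    else:
        f["diagnosis"] = "ok"
    return f


def advice(findings):
    """Remediation text for each diagnosis value."""
    return {
        "anonymous-bind-rejected-for-search":
            "AD accepted the anonymous bind but refuses searches on that connection; "
            "set identity and password in the ldap module section to a least-privilege "
            "service account that can read the user container.",
        "bind-failed":
            "Check identity, password and that the DC at %s is reachable." % findings["bind_host"],
        "search-failed":
            "Bind is fine; check basedn, filter and the service account's read rights.",
        "ok": "Bind and search succeeded.",
        "no-bind-seen": "No rlm_ldap bind attempt in this trace.",
    }[findings["diagnosis"]]


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    print(result["diagnosis"])
    print(advice(result))
```

Run against the sample, `diagnose` reports `anonymous-bind-rejected-for-search`; the same function applied to a trace with a populated identity and no search error returns `ok`, and a trace whose bind line is never followed by `Bind was successful` returns `bind-failed`, which is the case to check credentials and reachability rather than the search.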