List: freeradius-users
Subject: Re: guide on configuring freeradius 3 LDAP
From: Nathan Ward <lists+freeradius () daork ! net>
Date: 2018-01-25 22:36:34
Message-ID: 28F1DDF2-C93B-46E7-A5D0-5062652D52F7 () daork ! net
Hi,
> On 24/01/2018, at 3:35 AM, Douglas C Ward <douglas@ugutech.com> wrote:
>
>
>
> > On Jan 21, 2018, at 10:41 PM, Nathan Ward <lists+freeradius@daork.net> wrote:
> >
> >
> >
> > OK, thanks for that.
> >
> > So this tells us several things.
> > 1) Your admin credentials are correct (though we can actually improve this, more later)
> > 2) You need to use "cn=" and not "uid=" in the filter.
> > 3) You must do user binds, rather than pull a userPassword attribute from LDAP, as the userPassword attribute is not visible even to the admin. This means that you can only use RADIUS for auth when you have a User-Password attribute - i.e. CHAP etc. will not work.
> > 4) The OneLogin LDAP seems to work OK.. but one more test.
> > This time, type your "dward" password, *not* the admin password.
> > $ ldapsearch -h ldap.us.onelogin.com -x -D 'cn=dward@iacollaborative.com,ou=users,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' '(cn=dward@iacollaborative.com)' dn
> > The result should have a success in there, and should say somewhere:
> > dn: cn=dward@iacollaborative.com,ou=users,dc=iacollaborative,dc=onelogin,dc=com
> >
> > If so, we have done a successful "User Bind" - these are almost exactly the same protocol steps as FreeRADIUS will do (actually slightly more), which means OneLogin is working great. If not, post the command and response as you did above, and don't do anything else.
>
> testserver:~ testadmin$ ldapsearch -h ldap.us.onelogin.com -x -D 'cn=dward@iacollaborative.com,ou=users,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' '(cn=dward@iacollaborative.com)' dn
> > <blah blah blah>
> > ldapsearch -h ldap.us.onelogin.com -x -D 'cn=dward@iacollaborative.com,ou=users,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' '(cn=dward@iacollaborative.com)' dn
> -bash: syntax error near unexpected token `('
> testserver:~ testadmin$ ldapsearch -h ldap.us.onelogin.com -x -D 'cn=dward@iacollaborative.com,ou=users,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' '(cn=dward@iacollaborative.com)' dn
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=iacollaborative,dc=onelogin,dc=com> with scope subtree
> # filter: (cn=dward@iacollaborative.com)
> # requesting: dn
> #
>
> # dward@iacollaborative.com, users, iacollaborative.onelogin.com
> dn: cn=dward@iacollaborative.com, ou=users, dc=iacollaborative, dc=onelogin, dc=com
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> —————
>
> So I see that the dn= result you anticipated is there, but the result still says "result: 0 Success". Let me know if I should try it with the ldap config edit.
Yeah so that result: 0 Success is referring to the return code of the search function. It is 0, which in most C APIs means "success".
You should be able to make the other stuff work, per the rest of my email. Let me know how you get on :-)
--
Nathan Ward
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
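The FreeRADIUS side that Nathan refers to ("the other stuff, per the rest of my email") is not shown anywhere in this thread. The following is an added example written for this page, not configuration posted by either participant and not the FreeRADIUS project's own shipped files, although it follows the layout of the stock raddb/mods-available/ldap and raddb/sites-enabled/default. It turns the four findings above (admin bind works, cn= not uid=, user binds because userPassword is unreadable, therefore PAP only) into a working FreeRADIUS 3 setup. The server host, base DN and the cn=<email>,ou=users,... DN shape are taken from the ldapsearch output in the thread; the admin bind DN and password, the ldaps:// URI and the CA bundle path are assumptions and must be replaced with real values.

```conf
# raddb/mods-available/ldap  (enable it with a symlink in mods-enabled/)
ldap {
	# Host from the ldapsearch test. The ldaps:// scheme is an assumption:
	# a user bind sends the user's cleartext password to the directory, so it
	# must not travel over plain ldap:// on port 389. rlm_ldap ignores "port"
	# when server is given as a URI.
	server = 'ldaps://ldap.us.onelogin.com'

	# Admin bind used for the initial user lookup (finding 1). Placeholder
	# DN and password; use whatever succeeded in the first ldapsearch test.
	identity = 'cn=admin@iacollaborative.com,ou=users,dc=iacollaborative,dc=onelogin,dc=com'
	password = 'REPLACE-ME'

	base_dn = 'dc=iacollaborative,dc=onelogin,dc=com'

	user {
		base_dn = "ou=users,${..base_dn}"
		# Finding 2: entries are keyed on cn=<email address>, not uid=.
		filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	tls {
		# Refuse the connection if the server certificate does not verify;
		# otherwise an on-path attacker collects every user's password.
		require_cert = 'demand'
		# ca_file = /etc/ssl/certs/ca-certificates.crt   # assumption: distro CA bundle
	}
}

# raddb/sites-enabled/default  (only the LDAP-relevant lines are shown;
# the stock preprocess/suffix/eap/files/pap/chap/mschap entries stay as shipped)
authorize {
	# Look the user up with the admin bind. Because userPassword is not
	# readable (finding 3), no password is cached for pap/chap/mschap to check.
	-ldap

	# Finding 3: only a cleartext User-Password (PAP) can be verified by
	# binding as the user. CHAP, MS-CHAP and EAP-MSCHAPv2 requests have no
	# User-Password, so they fall through and are rejected rather than
	# triggering a bind with a bogus password.
	if ((ok || updated) && User-Password) {
		update {
			control:Auth-Type := ldap
		}
	}
}

authenticate {
	# Auth-Type ldap performs the user bind, i.e. the same protocol steps as
	# the second ldapsearch test (bind as cn=dward@...,ou=users,...).
	Auth-Type LDAP {
		ldap
	}
}
```

To check it behaves as the thread predicts, run `radiusd -X` and send a PAP request with the user's own password, e.g. `radtest 'dward@iacollaborative.com' 'user-password' 127.0.0.1 0 testing123` (the shared secret `testing123` is the stock localhost client secret; change it if yours differs). That should produce Access-Accept, and the debug log should show the bind as the user's DN. A CHAP attempt with `radtest -t chap ...` should be rejected, confirming that nothing is silently falling back to a cached password that the directory never exposed.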