List:       freeradius-users
Subject:    Re: guide on configuring freeradius 3 LDAP
From:       Nathan Ward <lists+freeradius@daork.net>
Date:       2018-01-25 22:36:34
Message-ID: 28F1DDF2-C93B-46E7-A5D0-5062652D52F7@daork.net

Hi,

> On 24/01/2018, at 3:35 AM, Douglas C Ward <douglas@ugutech.com> wrote:
> 
> 
> 
> > On Jan 21, 2018, at 10:41 PM, Nathan Ward <lists+freeradius@daork.net> wrote:
> > 
> > 
> > 
> > OK, thanks for that.
> > 
> > So this tells us several things.
> > 1) Your admin credentials are correct (though we can actually improve this, more later)
> > 2) You need to use "cn=" and not "uid=" in the filter.
> > 3) You must do user binds, rather than pull a userPassword attribute from LDAP, as the userPassword attribute is not visible even to the admin. This means that you can only use RADIUS for auth when you have a User-Password attribute - i.e. CHAP etc. will not work.
> > 4) The OneLogin LDAP seems to work OK.. but one more test.
> > This time, type your "dward" password, *not* the admin password.
> > $ ldapsearch -h ldap.us.onelogin.com -x -D 'cn=dward@iacollaborative.com,ou=users,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' '(cn=dward@iacollaborative.com)' dn
> > The result should have a success in there, and should say somewhere:
> > dn: cn=dward@iacollaborative.com,ou=users,dc=iacollaborative,dc=onelogin,dc=com
> > 
> > If so, we have done a successful "User Bind" - these are almost exactly the same protocol steps as FreeRADIUS will do (actually slightly more), which means OneLogin is working great. If not, post the command and response as you did above, and don't do anything else.
> 
> testserver:~ testadmin$ ldapsearch -h ldap.us.onelogin.com -x -D 'cn=dward@iacollaborative.com,ou=users,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' '(cn=dward@iacollaborative.com)' dn
> > <blah blah blah>
> > ldapsearch -h ldap.us.onelogin.com <http://ldap.us.onelogin.com/> -x -D \
> > 'cn=dward@iacollaborative.com \
> > <mailto:cn=dward@iacollaborative.com>,ou=users,dc=iacollaborative,dc=onelogin,dc=com' \
> > -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' \
> > '(cn=dward@iacollaborative.com <mailto:cn=dward@iacollaborative.com>)' dn
> -bash: syntax error near unexpected token `('
> testserver:~ testadmin$ ldapsearch -h ldap.us.onelogin.com -x -D 'cn=dward@iacollaborative.com,ou=users,dc=iacollaborative,dc=onelogin,dc=com' -W -s sub -b 'dc=iacollaborative,dc=onelogin,dc=com' '(cn=dward@iacollaborative.com)' dn
> Enter LDAP Password: 
> # extended LDIF
> #
> # LDAPv3
> # base <dc=iacollaborative,dc=onelogin,dc=com> with scope subtree
> # filter: (cn=dward@iacollaborative.com)
> # requesting: dn 
> #
> 
> # dward@iacollaborative.com, users, iacollaborative.onelogin.com
> dn: cn=dward@iacollaborative.com,ou=users,dc=iacollaborative,dc=onelogin,dc=com
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1
> 
> —————
> 
> So I see that the dn= result you anticipated is there, but the result still says "result: 0 Success". Let me know if I should try it with the ldap config edit.

Yeah, so that "result: 0 Success" is referring to the return code of the search function. It is 0, which in most C APIs means "success".

You should be able to make the other stuff work, per the rest of my email. Let me know how you get on :-)

--
Nathan Ward
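
For reference, the FreeRADIUS 3 side of what the thread establishes (search by cn, authenticate by binding as the user, PAP only). This is an added example written for this page; it is not from the original thread, and not the FreeRADIUS project's shipped configuration, though it follows the layout of the stock mods-available/ldap and sites-enabled/default files. The hostname and DNs are taken from the ldapsearch test above. The admin bind DN and password, the use of plain LDAP on port 389 (the ldapsearch test used no TLS), and the radtest secret `testing123` are placeholders or assumptions to adjust for your deployment.

```text
# ---- mods-available/ldap ----
# Enable with:  ln -s ../mods-available/ldap /etc/raddb/mods-enabled/ldap
ldap {
	# Same host the ldapsearch test used. A simple bind on plain LDAP
	# sends the user's password in the clear; once the test below passes,
	# switch to server = 'ldaps://ldap.us.onelogin.com' (port 636).
	server = 'ldap.us.onelogin.com'
	port = 389

	# PLACEHOLDER: the admin account Nathan's first test confirmed.
	# It is used only to find the user's DN, never to check the password.
	identity = 'cn=ADMIN@iacollaborative.com,ou=users,dc=iacollaborative,dc=onelogin,dc=com'
	password = 'CHANGE-ME'

	base_dn = 'dc=iacollaborative,dc=onelogin,dc=com'

	user {
		base_dn = "ou=users,${..base_dn}"
		# cn=, not uid=, as found in the thread. The cn is the full
		# login name (dward@iacollaborative.com), so the realm must
		# not be stripped before the lookup.
		filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	# Deliberately no  update { control:Password-With-Header += 'userPassword' }
	# block: OneLogin does not return userPassword even to the admin, so
	# there is nothing for rlm_pap to compare against. Authentication must
	# happen by binding as the user (authenticate section below).
}

# ---- sites-enabled/default (only the LDAP-related lines shown) ----
authorize {
	# ... preprocess, chap, mschap, suffix, etc. as in the stock file ...

	ldap

	# Bind-based auth only works when the clear-text password is in the
	# request, i.e. PAP. CHAP / MS-CHAP requests carry a hash challenge
	# instead of User-Password and will fall through and be rejected.
	if ((ok || updated) && User-Password) {
		update {
			control:Auth-Type := ldap
		}
	}

	# ... pap, etc. ...
}

authenticate {
	# Binds to OneLogin as the DN found in authorize, using the password
	# from the request. A failed bind (LDAP result 49, invalidCredentials)
	# becomes an Access-Reject.
	Auth-Type LDAP {
		ldap
	}

	# ... pap, chap, mschap, etc. ...
}

# ---- Test from the RADIUS host (PAP) ----
# Start the server in debug mode in one terminal:
#   radiusd -X
# Then, in another, send a PAP request with the user's (not the admin's)
# password; 'testing123' is the default localhost secret in clients.conf:
#   radtest 'dward@iacollaborative.com' 'THE-USER-PASSWORD' 127.0.0.1 0 testing123
# The debug output should show the search by cn, then a bind as
# cn=dward@iacollaborative.com,ou=users,... followed by Access-Accept.
```

Two checks worth doing after it works: confirm that a wrong password in radtest yields an Access-Reject with the bind failure visible in `radiusd -X`, and, if any NAS uses CHAP or MS-CHAP, confirm that those requests are rejected rather than silently accepted, since the conditional above only assigns Auth-Type when User-Password is present.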

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

