List: freeradius-users
Subject: Re: Freeradius/Radtest fails to authenticate against Google LDAP
From: Alan DeKok <aland () deployingradius ! com>
Date: 2021-02-08 20:08:30
Message-ID: 07955A2A-9C83-4B76-9860-BAE4C05F6837 () deployingradius ! com
On Feb 8, 2021, at 12:26 PM, Christian Bednarz <christian.bednarz@lanes-planes.com> wrote:
> I try hard to get Freeradius working with Google LDAP, but I feel totally stuck and desperate.
> My starting point was following the Google documentation ( https://support.google.com/a/answer/9089736?hl=en#zippy=%2Cfreeradius ), which some people pointed to being not really accurate. After some adjustments I find myself stuck in the wood. Admittedly I have just very basic knowledge of Linux (I use Ubuntu 20).
If Linux is new, configuring RADIUS can be complex. :(
> (0) Received Access-Request Id 50 from 127.0.0.1:39324 to 127.0.0.1:1812 length 95
> (0) User-Name = "it-test2@lanes-planes.com"
> (0) User-Password = „PASSWORD"
> (0) NAS-IP-Address = 127.0.1.1
> (0) NAS-Port = 1
> ...
> rlm_ldap (ldap): Reserved connection (0)
> (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (0) ldap: --> (uid=it-test2)
> (0) ldap: Performing search in "dc=lanes-planes,dc=com" with filter "(uid=it-test2)", scope "sub"
> (0) ldap: Waiting for search result...
> (0) ldap: Search returned no results
> rlm_ldap (ldap): Released connection (0)
> Need 5 more connections to reach 10 spares
> rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
> rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
> rlm_ldap (ldap): Waiting for bind result...
> ber_get_next failed.
> rlm_ldap (ldap): Bind successful
> (0) [ldap] = notfound
So the user wasn't found in LDAP. What happens when you run "ldapsearch" manually?
The most recent versions of the server have full documentation on how to use the LDAP module configuration with the ldapsearch tool:
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-available/ldap
> (0) [expiration] = noop
> (0) [logintime] = noop
> (0) if (User-Password) {
> (0) if (User-Password) -> TRUE
> (0) if (User-Password) {
> (0) update control {
> (0) Auth-Type := ldap
> (0) } # update control = noop
> (0) } # if (User-Password) = noop
> Not doing PAP as Auth-Type is already set.
> (0) [pap] = noop
> (0) } # authorize = ok
> (0) Found Auth-Type = ldap
> (0) Auth-Type sub-section not found. Ignoring.
Well, I don't suggest setting "Auth-type = LDAP" unless you actually have "ldap" configured in the "authenticate" section.
But you shouldn't need that. Delete the "update control" section which sets "Auth-Type = LDAP".
And then make sure that the LDAP module configuration works. i.e. that when FreeRADIUS looks for a user in LDAP, the ldap module finds that user, and returns the password to FreeRADIUS.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
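As an added example (not part of the thread, and not FreeRADIUS's own tooling), a small POSIX shell helper that reproduces the module's lookup by hand, as suggested above: it builds the same filter the debug output shows rlm_ldap expanding, (uid=%{%{Stripped-User-Name}:-%{User-Name}}), and prints or runs the equivalent ldapsearch against the same base DN and scope. The realm stripping and the client certificate/key paths are assumptions.

```shell
#!/bin/sh
# Reproduce rlm_ldap's user search from the quoted debug output by hand.
# Host and base DN come from the debug log; everything else is constructed.
LDAP_URI="ldaps://ldap.google.com:636"
BASE_DN="dc=lanes-planes,dc=com"
# Google Secure LDAP authenticates the client with a certificate; OpenLDAP's
# ldapsearch reads it from LDAPTLS_CERT/LDAPTLS_KEY. Paths are assumptions.
LDAP_CERT="${LDAP_CERT:-/etc/freeradius/certs/google-ldap.crt}"
LDAP_KEY="${LDAP_KEY:-/etc/freeradius/certs/google-ldap.key}"

# Mimic the module's filter expansion. Stripped-User-Name is what the
# realm/suffix module leaves after removing "@realm"; when the name has no
# "@", the expansion falls back to the full User-Name.
ldap_filter() {
    user="$1"
    case "$user" in
        *@*) stripped="${user%@*}" ;;
        *)   stripped="$user" ;;
    esac
    printf '(uid=%s)\n' "$stripped"
}

# Print the ldapsearch equivalent of the module's search (dry run).
ldapsearch_cmd() {
    printf 'LDAPTLS_CERT=%s LDAPTLS_KEY=%s ldapsearch -x -H %s -b "%s" -s sub "%s" uid\n' \
        "$LDAP_CERT" "$LDAP_KEY" "$LDAP_URI" "$BASE_DN" "$(ldap_filter "$1")"
}

# Actually run it. If this also returns no entries, the problem is on the
# LDAP side (base DN, attribute used in the filter, or which OUs the LDAP
# client is allowed to read), not in the authorize section.
run_ldapsearch() {
    LDAPTLS_CERT="$LDAP_CERT" LDAPTLS_KEY="$LDAP_KEY" \
        ldapsearch -x -H "$LDAP_URI" -b "$BASE_DN" -s sub "$(ldap_filter "$1")" uid
}

if [ "${1:-}" = "--run" ]; then
    run_ldapsearch "${2:-it-test2@lanes-planes.com}"
else
    ldapsearch_cmd "${1:-it-test2@lanes-planes.com}"
fi
```

Run it with no arguments to see the command the module is effectively issuing, or with --run to execute it once the certificate paths match those in mods-available/ldap.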