
List:       freeradius-users
Subject:    Re: Freeradius/Radtest fails to authenticate against Google LDAP
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2021-02-08 20:08:30
Message-ID: 07955A2A-9C83-4B76-9860-BAE4C05F6837 () deployingradius ! com

On Feb 8, 2021, at 12:26 PM, Christian Bednarz <christian.bednarz@lanes-planes.com> wrote:
> I try hard to get Freeradius working with Google LDAP, but I feel totally stuck and
> desperate.
> My starting point was following the Google documentation
> ( https://support.google.com/a/answer/9089736?hl=en#zippy=%2Cfreeradius ), which some
> people pointed to being not really accurate. After some adjustments I find myself
> stuck in the wood. Admittedly I have just very basic knowledge of Linux (I use
> Ubuntu 20).

  If Linux is new, configuring RADIUS can be complex.  :(

> (0) Received Access-Request Id 50 from 127.0.0.1:39324 to 127.0.0.1:1812 length 95
> (0)   User-Name = "it-test2@lanes-planes.com"
> (0)   User-Password = "PASSWORD"
> (0)   NAS-IP-Address = 127.0.1.1
> (0)   NAS-Port = 1
> ...
> rlm_ldap (ldap): Reserved connection (0)
> (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (0) ldap:    --> (uid=it-test2)
> (0) ldap: Performing search in "dc=lanes-planes,dc=com" with filter "(uid=it-test2)", scope "sub"
> (0) ldap: Waiting for search result...
> (0) ldap: Search returned no results
> rlm_ldap (ldap): Released connection (0)
> Need 5 more connections to reach 10 spares
> rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
> rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
> rlm_ldap (ldap): Waiting for bind result...
> ber_get_next failed.
> rlm_ldap (ldap): Bind successful
> (0)     [ldap] = notfound

  So the user wasn't found in LDAP.   What happens when you run "ldapsearch" manually?

  The most recent versions of the server have full documentation on how to use the LDAP module configuration with the ldapsearch tool:

https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-available/ldap

> (0)     [expiration] = noop
> (0)     [logintime] = noop
> (0)     if (User-Password) {
> (0)     if (User-Password)  -> TRUE
> (0)     if (User-Password)  {
> (0)       update control {
> (0)         Auth-Type := ldap
> (0)       } # update control = noop
> (0)     } # if (User-Password)  = noop
> Not doing PAP as Auth-Type is already set.
> (0)     [pap] = noop
> (0)   } # authorize = ok
> (0) Found Auth-Type = ldap
> (0) Auth-Type sub-section not found.  Ignoring.

  Well, I don't suggest setting "Auth-type = LDAP" unless you actually have "ldap" configured in the "authenticate" section.

  But you shouldn't need that.  Delete the "update control" section which sets "Auth-Type = LDAP".

  And then make sure that the LDAP module configuration works.  i.e. that when FreeRADIUS looks for a user in LDAP, the ldap module finds that user, and returns the password to FreeRADIUS.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
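The two checks Alan asks for above, reproducing the module's search with ldapsearch and confirming that "Auth-Type := ldap" is only set when the "authenticate" section actually has an ldap sub-section, as an added shell example that is not part of this thread or of the FreeRADIUS project. It takes the search parameters from the debug output (server ldaps://ldap.google.com:636, base DN dc=lanes-planes,dc=com, the stock filter with its Stripped-User-Name fallback, scope "sub"); the bind DN argument is hypothetical, and the two sites-enabled/default excerpts are constructed to mirror the poster's symptom and Alan's fix. It only prints the ldapsearch command line, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeRADIUS project.
# 1) reproduce rlm_ldap's user search with ldapsearch, using the same
#    xlat fallback, base DN, scope and server the debug output shows;
# 2) flag the config state behind "Auth-Type sub-section not found":
#    authorize sets Auth-Type := ldap, authenticate has no ldap sub-section.
# Assumptions: the bind DN is a hypothetical optional argument; the site
# config excerpts below are constructed, not the poster's real file.

# Mimic %{%{Stripped-User-Name}:-%{User-Name}}: use the stripped name when
# a realm was split off, otherwise the full User-Name.
expand_filter() {
    # $1 = User-Name, $2 = Stripped-User-Name (may be empty)
    if [ -n "${2:-}" ]; then
        printf '(uid=%s)\n' "$2"
    else
        printf '(uid=%s)\n' "$1"
    fi
}

# Print the ldapsearch invocation equivalent to the module's search; paste
# the output into a shell to run it.  -W prompts for the bind password
# instead of exposing it in `ps`.  If the server wants a client certificate,
# export LDAPTLS_CERT and LDAPTLS_KEY (ldap.conf overrides) first.
# userPassword is the attribute the stock mods-available/ldap maps to
# control:Password-With-Header; adjust if your module maps another one.
ldapsearch_cmd() {
    # $1 = LDAP URL, $2 = base DN, $3 = filter, $4 = bind DN (optional)
    bind=""
    if [ -n "${4:-}" ]; then bind=" -D '$4' -W"; fi
    printf "ldapsearch -x -H '%s'%s -b '%s' -s sub '%s' uid mail userPassword\n" \
        "$1" "$bind" "$2" "$3"
}

# Read a sites-enabled/default style file ($1, or stdin).  Exit 0 when
# authorize sets Auth-Type := ldap but authenticate has no ldap sub-section
# (neither "Auth-Type LDAP { ... }" nor a bare "ldap"), i.e. the state that
# logs "Auth-Type sub-section not found.  Ignoring."; exit 1 otherwise.
authtype_mismatch() {
    awk '
        {
            line = $0
            sub(/#.*/, "", line)                     # drop unlang comments
            l = tolower(line)
            gsub(/^[ \t]+|[ \t]+$/, "", l)          # trim
            if (l ~ /^authorize[ \t]*[{]/)    { sect = "authorize";    next }
            if (l ~ /^authenticate[ \t]*[{]/) { sect = "authenticate"; next }
            if (line ~ /^[}]/)                { sect = "";             next }
            if (sect == "authorize" && l ~ /auth-type[ \t]*:=[ \t]*ldap/) set_ldap = 1
            if (sect == "authenticate" && (l ~ /^auth-type[ \t]+ldap[ \t]*[{]/ || l == "ldap")) have_sub = 1
        }
        END { if (set_ldap && !have_sub) exit 0; exit 1 }
    ' "${1:--}"
}

# Constructed excerpt mirroring the symptom: Auth-Type forced in authorize,
# ldap sub-section in authenticate still commented out.
sample_broken_site() {
    cat <<'EOF'
authorize {
    ldap
    if (User-Password) {
        update control {
            Auth-Type := ldap
        }
    }
    pap
}
authenticate {
    pap
#   Auth-Type LDAP {
#       ldap
#   }
}
EOF
}

# Same excerpt after Alan's fix: the update block is gone, PAP checks the
# password the ldap module returns.
sample_fixed_site() {
    cat <<'EOF'
authorize {
    ldap
    pap
}
authenticate {
    pap
}
EOF
}

# Stand-alone demo with the values from the debug output.
printf 'filter: %s\n' "$(expand_filter 'it-test2@lanes-planes.com' 'it-test2')"
ldapsearch_cmd 'ldaps://ldap.google.com:636' 'dc=lanes-planes,dc=com' \
    "$(expand_filter 'it-test2@lanes-planes.com' 'it-test2')"
if sample_broken_site | authtype_mismatch; then
    echo 'site config: Auth-Type := ldap set, but no ldap sub-section in authenticate'
fi
```

If the printed ldapsearch returns the entry, the module's search is fine and the next thing to look at is whether that entry actually carries the mapped password attribute; if it does not, PAP cannot check the password and the alternative is bind-as-user, which is exactly the case where "Auth-Type := ldap" must be paired with an uncommented "Auth-Type LDAP { ldap }" in authenticate. If ldapsearch returns nothing for the filter the module expanded, the problem is the filter or base DN, not FreeRADIUS.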

