[RADIATOR] AuthBy LDAP2 to AD
Hartmaier Alexander
alexander.hartmaier at t-systems.at
Sun Dec 20 13:49:55 CST 2015
@Heikki: could you add a section in the AuthBy LDAP2 which covers the
topic Microsoft Active Directory?
Thanks, Alex
On 2015-12-20 07:47, Joe Honnold wrote:
> Got it all sorted. Thanks for the pointers. Here is what my working
> config for AD looks like.
>
> Foreground
> LogStdout
> LogDir /var/log/radius
> DbDir /etc/radiator
> # Use a lower trace level in production systems:
> Trace 4
> #
> AuthPort 1645
> AcctPort 1646
>
> <Client 10.0.0.8>
>     Secret IMNOTTELLLING
> </Client>
>
> <Handler>
>     <AuthBy LDAP2>
>         Debug 255
>         NoDefault
>         Host 10.0.50.80 10.0.50.82
>         # Microsoft AD also listens on port 3268, and
>         # requests received on that port are reported to be
>         # more compliant with standard LDAP, so you may want to use:
>         Port 3268
>         AuthDN cn=ADAccount, OU=Unit3, DC=MS, DC=DOMAIN, DC=COM
>         AuthPassword PLAINTEXTPASSWORD
>         BaseDN
>         PasswordAttr
>         ServerChecksPassword
>         UsernameAttr sAMAccountName
>         HoldServerConnection
>         FailureBackoffTime 0
>         AuthAttrDef MobileNumber,Callback-Number,request
>     </AuthBy>
> </Handler>
>
>
>> On Dec 17, 2015, at 9:06 AM, Hartmaier Alexander
>> <alexander.hartmaier at t-systems.at> wrote:
>>
>> Hi,
>> sadly HoldServerConnection doesn't work for Active Directory for us.
>> Not sure if that's the source of your problem though.
>> If you search the Global Catalog (3268 for LDAP and 3269 for LDAPS)
>> you can't specify a BaseDN, leave it empty!
>> Just
>> BaseDN
>>
>> Best regards, Alex
>>
>> On 2015-12-15 18:18, Joe Honnold wrote:
>>> Hi.
>>>
>>> I am working towards a config that does AD authentication with the
>>> addition of OTP. I have started the AD config and have hit an issue
>>> that I can not seem to get around.
>>> The log file states:
>>>
>>> Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 REJECT: Bad
>>> Encrypted password: UserJ [UserJ]
>>>
>>> I have completed some research via the docs and internet searching
>>> but nothing has pointed me in the right direction yet.
>>> Any input towards a resolution would be appreciated as I need this
>>> to work prior to adding the OTP settings to the config.
>>>
>>> radius.cfg file
>>> ======
>>> # ad-ldap.cfg
>>> #
>>> # Example Radiator configuration file for authenticating from
>>> # Active Directory via LDAP2, possibly from a Unix host.
>>> #
>>> # This very simple file will allow you to get started with
>>> # a simple LDAP authentication system from AD.
>>> #
>>> # We suggest you start simple, prove to yourself that it
>>> # works and then develop a more complicated configuration.
>>> #
>>> #
>>> # You should consider this file to be a starting point only
>>> # $Id: ad-ldap.cfg,v 1.4 2015/06/02 19:37:27 hvn Exp $
>>>
>>> Foreground
>>> LogStdout
>>> LogDir /var/log/radius
>>> DbDir /etc/radiator
>>> # Use a lower trace level in production systems:
>>> Trace 4
>>> #
>>> AuthPort 1645
>>> AcctPort 1646
>>>
>>> # You will probably want to add other Clients to suit your site.
>>> <Client 10.0.0.8>
>>>     Secret IMNOTTELLLING
>>> </Client>
>>>
>>> # Authenticates users in the Organisational Unit called 'csx users'
>>> # The user name coming from the NAS must match the sAMAccountName
>>> # attribute of a user in that OU. Users that are not in 'csx users'
>>> # will not be able to log in.
>>> <Handler>
>>>     <AuthBy LDAP2>
>>>         Debug 255
>>>         NoDefault
>>>         Host 10.0.50.80 10.0.50.82
>>>         # Microsoft AD also listens on port 3268, and
>>>         # requests received on that port are reported to be
>>>         # more compliant with standard LDAP, so you may want to use:
>>>         Port 3268
>>>         AuthDN cn=ADAccount, OU=Unit3, DC=MS, DC=DOMAIN, DC=COM
>>>         AuthPassword PLAINTEXTPASSWORD
>>>         BaseDN DC=MS, DC=DOMAIN, DC=com
>>>         ServerChecksPassword
>>>         UsernameAttr sAMAccountName
>>>         HoldServerConnection
>>>         FailureBackoffTime 0
>>>         AuthAttrDef logonHours,MS-Login-Hours,check
>>>     </AuthBy>
>>> </Handler>
>>>
>>> ======
>>>
>>> Cleansed log dump
>>> ======
>>> Tue Dec 15 10:34:24 2015: DEBUG: Packet dump:
>>> *** Received from 10.0.100.8 port 58652 ....
>>> Code: Access-Request
>>> Identifier: 188
>>> Authentic: <220><190><27><254>r<234><233>@<187>CR<161><231>C<241><4>
>>> Attributes:
>>> User-Name = "UserJ"
>>> User-Password = <214><134>.<29><11>4<137><178><135>z<148>B<31>ivJ
>>> Service-Type = Login-User
>>> NAS-IP-Address = 10.0.100.8
>>>
>>> Tue Dec 15 10:34:24 2015: DEBUG: Handling request with Handler '',
>>> Identifier ''
>>> Tue Dec 15 10:34:24 2015: DEBUG: Deleting session for UserJ,
>>> 10.0.100.8,
>>> Tue Dec 15 10:34:24 2015: DEBUG: Handling with Radius::AuthLDAP2:
>>> Tue Dec 15 10:34:24 2015: INFO: Connecting to 10.0.50.80:3268
>>> 10.0.50.82:3268
>>> Tue Dec 15 10:34:24 2015: INFO: Connected to 10.0.50.80:3268
>>> Tue Dec 15 10:34:24 2015: INFO: Attempting to bind to LDAP server
>>> 10.0.50.80:3268
>>> Tue Dec 15 10:34:24 2015: DEBUG: LDAP got result for CN=Joe
>>> User,OU=Unit1,OU=Unit2,DC=ms,DC=domain,DC=com
>>> Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 looks for match
>>> with UserJ [UserJ]
>>> Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 REJECT: Bad
>>> Encrypted password: UserJ [UserJ]
>>> Tue Dec 15 10:34:24 2015: DEBUG: AuthBy LDAP2 result: REJECT, Bad
>>> Encrypted password
>>> Tue Dec 15 10:34:24 2015: INFO: Access rejected for UserJ: Bad
>>> Encrypted password
>>> Tue Dec 15 10:34:24 2015: DEBUG: Packet dump:
>>> *** Sending to 10.0.100.8 port 58652 ....
>>> Code: Access-Reject
>>> Identifier: 188
>>> Authentic: T<143>B*<10><203><165><29>6I<4>0<129><234><251>9
>>> Attributes:
>>> Reply-Message = "Request Denied"
>>>
>>> Tue Dec 15 10:34:29 2015: DEBUG: Packet dump:
>>> *** Received from 10.0.100.8 port 58652 ....
>>> Code: Access-Request
>>> Identifier: 188
>>> Authentic: <220><190><27><254>r<234><233>@<187>CR<161><231>C<241><4>
>>> Attributes:
>>> User-Name = "UserJ"
>>> User-Password = <214><134>.<29><11>4<137><178><135>z<148>B<31>ivJ
>>> Service-Type = Login-User
>>> NAS-IP-Address = 10.0.100.8
>>>
>>> Tue Dec 15 10:34:29 2015: INFO: Duplicate request id 188 received
>>> from 10.0.100.8(58652): retransmit reply
>>> Tue Dec 15 10:34:29 2015: DEBUG: Packet dump:
>>> *** Sending to 10.0.100.8 port 58652 ....
>>> Code: Access-Reject
>>> Identifier: 188
>>> Authentic: T<143>B*<10><203><165><29>6I<4>0<129><234><251>9
>>> Attributes:
>>> Reply-Message = "Request Denied"
>>>
>>> Tue Dec 15 10:34:34 2015: DEBUG: Packet dump:
>>> *** Received from 10.0.100.8 port 58652 ....
>>> Code: Access-Request
>>> Identifier: 188
>>> Authentic: <220><190><27><254>r<234><233>@<187>CR<161><231>C<241><4>
>>> Attributes:
>>> User-Name = "UserJ"
>>> User-Password = <214><134>.<29><11>4<137><178><135>z<148>B<31>ivJ
>>> Service-Type = Login-User
>>> NAS-IP-Address = 10.0.100.8
>>>
>>> Tue Dec 15 10:34:34 2015: INFO: Duplicate request id 188 received
>>> from 10.0.100.8(58652): retransmit reply
>>> Tue Dec 15 10:34:34 2015: DEBUG: Packet dump:
>>> *** Sending to 10.0.100.8 port 58652 ....
>>> Code: Access-Reject
>>> Identifier: 188
>>> Authentic: T<143>B*<10><203><165><29>6I<4>0<129><234><251>9
>>> Attributes:
>>> Reply-Message = "Request Denied"
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>
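The two configurations quoted above differ in exactly the points this thread turns on: an empty BaseDN when searching the Global Catalog on 3268/3269, HoldServerConnection, and the trace and debug levels. The following Python script is an added example, not Radiator's own code: it parses Radiator's clause syntax and lints each `<AuthBy LDAP2>` clause for those pitfalls. The two embedded configs are constructed from the posted ones (hosts, DNs and the placeholder secret are the posters' own values). The ServerChecksPassword check rests on the fact that Active Directory does not expose a readable password attribute over LDAP, which the thread does not state explicitly; the HoldServerConnection finding only repeats what Alex reported for his site.

```python
"""Lint Radiator config for the AD / AuthBy LDAP2 pitfalls raised in this thread.
Added example, not Radiator code; sample configs are constructed from the posted ones."""
import re

# Constructed from the first (rejecting) config posted in the thread.
FAILING_CFG = """\
# Use a lower trace level in production systems:
Trace 4
<Handler>
    <AuthBy LDAP2>
        Host 10.0.50.80 10.0.50.82
        Port 3268
        AuthDN cn=ADAccount, OU=Unit3, DC=MS, DC=DOMAIN, DC=COM
        AuthPassword PLAINTEXTPASSWORD
        BaseDN DC=MS, DC=DOMAIN, DC=com
        ServerChecksPassword
        UsernameAttr sAMAccountName
        HoldServerConnection
    </AuthBy>
</Handler>
"""

# Constructed from the working config: empty BaseDN for the Global Catalog,
# HoldServerConnection dropped, trace level lowered.
WORKING_CFG = """\
Trace 3
<Handler>
    <AuthBy LDAP2>
        Host 10.0.50.80 10.0.50.82
        Port 3268
        AuthDN cn=ADAccount, OU=Unit3, DC=MS, DC=DOMAIN, DC=COM
        AuthPassword PLAINTEXTPASSWORD
        BaseDN
        ServerChecksPassword
        UsernameAttr sAMAccountName
    </AuthBy>
</Handler>
"""

GLOBAL_CATALOG_PORTS = {"3268", "3269"}  # AD Global Catalog over LDAP / LDAPS

def parse_radiator(text):
    """Parse Radiator clause syntax into nested dicts: 'Keyword value' lines go to
    node['params'] (flag keywords map to ''), <Clause arg>...</Clause> blocks nest."""
    root = {"name": "root", "arg": "", "params": {}, "clauses": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or full-line comment
            continue
        if m := re.fullmatch(r"<(\w+)\s*([^>]*)>", line):
            node = {"name": m[1], "arg": m[2].strip(), "params": {}, "clauses": []}
            stack[-1]["clauses"].append(node)
            stack.append(node)
        elif m := re.fullmatch(r"</(\w+)>", line):
            if stack[-1]["name"] != m[1]:
                raise ValueError(f"unexpected </{m[1]}> inside <{stack[-1]['name']}>")
            stack.pop()
        else:
            key, *value = re.split(r"\s+", line, maxsplit=1)
            stack[-1]["params"][key] = value[0] if value else ""
    if len(stack) != 1:
        raise ValueError(f"unterminated clause <{stack[-1]['name']}>")
    return root

def find_clauses(node, name, arg=None):
    """Depth-first search for clauses named `name` (optionally with argument `arg`)."""
    hits = []
    for child in node["clauses"]:
        if child["name"] == name and (arg is None or child["arg"] == arg):
            hits.append(child)
        hits.extend(find_clauses(child, name, arg))
    return hits

def lint_ad_ldap2(text):
    """Return findings as (code, severity, message) tuples for every AuthBy LDAP2 clause."""
    findings = []
    tree = parse_radiator(text)
    trace = tree["params"].get("Trace", "")
    if trace.isdigit() and int(trace) >= 4:
        findings.append(("trace-level", "warn", f"Trace {trace}: lower it on production systems"))
    for ab in find_clauses(tree, "AuthBy", "LDAP2"):
        p = ab["params"]
        # Global Catalog searches must not carry a BaseDN (advice from the thread).
        if p.get("Port") in GLOBAL_CATALOG_PORTS and p.get("BaseDN"):
            findings.append(("gc-basedn", "error",
                             f"Port {p['Port']} is a Global Catalog port: leave BaseDN empty"))
        # AD exposes no readable password attribute, so the server has to check it via a bind.
        if "ServerChecksPassword" not in p:
            findings.append(("server-checks-password", "error",
                             "ServerChecksPassword missing: AD returns no password attribute"))
        if "HoldServerConnection" in p:
            findings.append(("hold-connection", "info",
                             "HoldServerConnection was reported not to work against AD"))
        if p.get("AuthPassword"):
            findings.append(("plaintext-bind-password", "warn",
                             "bind password is in clear text: restrict read access to the file"))
    return findings

def has_errors(findings):
    return any(sev == "error" for _, sev, _ in findings)
```

Run `lint_ad_ldap2(FAILING_CFG)` to get the Global Catalog/BaseDN error plus the trace, HoldServerConnection and clear-text bind password findings; the working config only leaves the clear-text AuthPassword warning, which is a file-permission matter rather than something the config syntax can fix.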