[RADIATOR] Radiator and LDAP2 to Active Directory
Steve Phillips
steve at focb.co.nz
Thu Aug 20 01:29:03 UTC 2020
Hey Hugh,
So I tried adding a single container where I have my userid and I am still getting the same error.
00000000 Thu Aug 20 11:22:15 2020 783507: ERR: AuthLDAP2 Could not bind connection with uid=user001,ou=users1,ou=example users,dc=example,dc=com, **obscured**, error: LDAP_INVALID_CREDENTIALS (server 10.0.0.50 port 389).
I've double checked the password and this works fine if logging in to other systems that auth to AD, and the userid certainly exists in the DN.
Additionally, the user also has ldap privileges as this was the same user that would happy complete the bind with freeradius. (although, that was done with user001 at example.com with no expanded ou=,ou=,dc= stuff)
Any ideas? Is there any way to turn on extra verbose logging for LDAP?
--
Steve.
On 20/8/20, 11:08 am, "radiator on behalf of Steve Phillips" <radiator-bounces at lists.open.com.au on behalf of steve at focb.co.nz> wrote:
Wow, ok ( we have around 49 sub containers - I guess I will only be adding those that really really need radius authenticated device access <g>
I also found the timeout issue was fixed with "FailureBackoffTime 0" which I completely missed in the LDAP section but didn’t seem to appear in the <AuthBy LDAP2> section which I was following.
Thanks heaps Hugh!
--
Steve.
On 20/8/20, 10:59 am, "Hugh Irvine" <hugh at open.com.au> wrote:
Hi Steve -
You would set up two (or more) AuthBy LDAP2 clauses.
Something like this:
<Handler>
AuthByPolicy ContinueUntilAccept
<AuthBy LDAP2>
….
</AuthBy>
<AuthBy LDAP2>
….
</AuthBy>
….
</Handler>
The reference manual “doc/ref.pdf” has been reorganised, see sections 3.9.11 and 3.9.12.
regards
Hugh
> On 20 Aug 2020, at 10:47, Steve Phillips <steve at focb.co.nz> wrote:
>
> Hi Guys,
>
> Just a couple of queries about setting up Radiator 4.24 to bind to LDAP as a user.
>
> I currently have the following AuthBy LDAP2 configuration
>
> <Handler>
> <AuthBy LDAP2>
> Host 10.0.0.50
>
> # Microsoft AD also listens on port 3268, and
> # requests received on that port are reported to be
> # more compliant with standard LDAP, so you may want to use:
> #Port 3268
>
> AuthDN uid=%U
> AuthPassword %P
> BaseDN ou=example users,dc=example,dc=com
> Scope sub
> ServerChecksPassword
> UnbindAfterServerChecksPassword
> UsernameAttr sAMAccountName
> #HoldServerConnection
> AuthAttrDef logonHours,MS-Login-Hours,check
>
> # Get user group memberships from this attribute
> GroupMembershipAttr memberOf
> </AuthBy>
> </Handler>
>
> My users are under a basedn as above but are in two different folders/Org Units
>
> ou=users1,ou=example users,dc=example,dc=com
> ou=users2,ou=example users,dc=example,dc=com
>
> as a result, I can’t easily setup a user auth using “AuthDN uid=%U,ou=users1,ou=example users,dc=example,dc=com” as some users will be in users2
>
> When I was playing with FreeRadius I could set the Ldap-UserDN to %U at example.com and this would successfully authenticate the user, but if I set AuthDN %U at example.com in radiator (I assume this is the same due to the error message saying it attempted a bind as user at example.com) I get a credential error
>
> 00000000 Thu Aug 20 09:48:48 2020 103966: ERR: AuthLDAP2 Could not bind connection with uid=user001 at example.com, **obscured**, error: LDAP_INVALID_CREDENTIALS (server 10.0.0.50 port 389).
> 00000000 Thu Aug 20 09:48:48 2020 104273: ERR: AuthLDAP2 Backing off from 10.0.0.50 port 389 for 600 seconds.
>
> How would you “bind” as that user in radiator when you have users scattered across multiple sub containers (I really don’t want to bind as a robot account as this presents an issue security wise)
>
> I addition to this, someone asked a few years back (2004) about the timeout issue with an incorrect user creating a bad bind with a 10 min backoff. Hugh responded saying to look at section 6.35.19 in the Radiator 3.9 manual and this no longer exists ☺ He mentioned a ‘Timeout” directive, which I tried (Timeout 0) to no effect, how would you reduce this backoff on ‘bad user’ to essentially 0? (or at least, less than 10 Mins each time someone types their password incorrectly) ?
>
> Thanks in advance!
>
> --
> Steve.
>
>
> _______________________________________________
> radiator mailing list
> radiator at lists.open.com.au
> https://lists.open.com.au/mailman/listinfo/radiator
--
Hugh Irvine
hugh at open.com.au
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER, SIM, etc.
Full source on Unix, Linux, Windows, macOS, Solaris, VMS, NetWare etc.
_______________________________________________
radiator mailing list
radiator at lists.open.com.au
https://lists.open.com.au/mailman/listinfo/radiator
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5033 bytes
Desc: not available
URL: <https://lists.open.com.au/pipermail/radiator/attachments/20200820/6dee52be/attachment-0001.p7s>
More information about the radiator
mailing list