Thank you very much Alexander.

On Thu, Mar 14, 2019 at 1:04 PM Alexander Bokovoy <[email protected]>
wrote:

> Hi Boudjoudad,
>
> On Wed, 13 Mar 2019, Boudjoudad Abdelkader via FreeIPA-users wrote:
> >Starting radiusd -X to check the config I got many errors so I did:
> >- Changing the key file in /etc/raddb/mods-enabled/eap:
> >From
> >private_key_file = ${certdir}/server.pem
> >To
> >private_key_file = ${certdir}/radius.key
> ># cp /etc/pki/tls/certs/radius.pem /etc/raddb/certs/server.pem
> ># chmod 0640 /etc/raddb/certs/server.pem
> ># chown root:radiusd /etc/raddb/certs/server.pem
> ># cp -r /etc/raddb/certs.bak/ca.pem /etc/raddb/certs/
> ># chown root:radiusd /etc/raddb/certs/ca.pem
> ># cp /etc/pki/tls/private/radius.key /etc/raddb/certs/
> ># chmod 0640 /etc/raddb/certs/radius.key
> ># chown root:radiusd /etc/raddb/certs/radius.key
> >
> >And now I got this error:
> >rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
> >rlm_ldap (ldap): Connecting to ldap://freeipa.example.com:389
> >TLSMC: MozNSS compatibility interception begins.
> >tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
> >tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
> >TLSMC: MozNSS compatibility interception ends.
> >rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
> >SASL/GSSAPI authentication started
> >rlm_ldap (ldap): Bind with (anonymous) to ldap://freeipa.example.com:389 failed: Local error
> >rlm_ldap (ldap): Opening connection failed (0)
> >rlm_ldap (ldap): Removing connection pool
> >/etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
>
> Looks like something is wrong with the configuration. Unfortunately, right
> now I'm not able to set up a reproducer environment myself, too many
> things at $dayjob.
>
> >
> >On Wed, Mar 13, 2019 at 11:52 AM Alexander Bokovoy <[email protected]>
> >wrote:
> >
> >> On Wed, 13 Mar 2019, Boudjoudad Abdelkader wrote:
> >> >Thanks for the quick reply, I followed these steps
> >> ><https://gist.github.com/abbra/a74e171d791cf90113b0272b78919987> but it
> >> >seems that it's missing some steps. After moving the certs to certs.bak
> >> >and creating a new certificate:
> >> >- Should the private key and certificate files be copied into the newly
> >> >created certs directory?
> >> >Or
> >> >- Should the path in /etc/raddb/mods-enabled/eap be changed for each file?
> >> For those please follow existing documentation for FreeRADIUS. These
> >> steps are just showing FreeIPA-specific changes. You can always change
> >> the paths in the configuration.
> >>
> >> >
> >> >On Wed, Mar 13, 2019 at 11:38 AM Alexander Bokovoy <[email protected]>
> >> >wrote:
> >> >
> >> >> On Wed, 13 Mar 2019, Boudjoudad Abdelkader via FreeIPA-users wrote:
> >> >> >Hi Alexander and thank you for the documents,
> >> >> >
> >> >> >Right, I didn't configure FreeRADIUS to use Kerberos authentication, but
> >> >> >a question please: with the radtest command above the authentication is
> >> >> >performed, and if I see Access-Accept does it mean the password provided
> >> >> >in the command matches the password in LDAP?
> >> >> Perhaps it matches the password but your problem (as I understood) was
> >> >> that you weren't able to pull the group membership out of LDAP. These
> >> >> are two different steps -- the RADIUS server's ldap plugin uses the user's
> >> >> password for authentication but it should also use its own credentials to
> >> >> bind to LDAP for the authorization step.
> >> >>
> >> >> >
> >> >> >On Tue, Mar 12, 2019 at 2:59 PM Alexander Bokovoy <[email protected]>
> >> >> >wrote:
> >> >> >
> >> >> >> On Tue, 12 Mar 2019, Boudjoudad Abdelkader wrote:
> >> >> >> >Hi Alexander,
> >> >> >> >Thank you for your quick reply and sorry, I am very new to FreeRADIUS.
> >> >> >> >I did:
> >> >> >> >- Changing in /etc/raddb/sites-enabled/default and
> >> >> >> >/etc/raddb/sites-enabled/inner-tunnel
> >> >> >> >      -ldap
> >> >> >> >to:
> >> >> >> >       ldap
> >> >> >> >        if ((ok || updated) && User-Password) {
> >> >> >> >            update {
> >> >> >> >                control:Auth-Type := ldap
> >> >> >> >            }
> >> >> >> >        }
> >> >> >> >
> >> >> >> >- /etc/raddb/mods-enabled/ldap
> >> >> >> >ldap {
> >> >> >> >        server = 'ldapserver.example.com'
> >> >> >> >        #       port = 389
> >> >> >> >        #       password = mypass
> >> >> >> >         base_dn = 'cn=users,cn=accounts,dc=example,dc=com'
> >> >> >> >}
> >> >> >> So, above you aren't using any credentials to authenticate to the LDAP
> >> >> >> server. You need to define *some* credentials here that the radius server
> >> >> >> would use to bind to LDAP before checking what it needs.
> >> >> >>
> >> >> >> For basic explanation see
> >> >> >> https://www.redhat.com/archives/freeipa-users/2015-December/msg00170.html
> >> >> >>
> >> >> >> For some example, one can look at
> >> >> >> https://gist.github.com/abbra/a74e171d791cf90113b0272b78919987
> >> >> >> which describes roughly how to make RADIUS authenticate to LDAP with
> >> >> >> SASL GSSAPI instead of a simple bind. It may be missing something, I just
> >> >> >> updated Christian's version which is several years old.
> >> >> >>
> >> >> >> >
> >> >> >> >user {
> >> >> >> >        base_dn = "${..base_dn}"
> >> >> >> >        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
> >> >> >> >        #               scope = 'sub'
> >> >> >> >        #               sort_by = '-uid'
> >> >> >> >        #               access_attribute = 'dialupAccess'
> >> >> >> >        #               access_positive = yes
> >> >> >> >}
> >> >> >> >group {
> >> >> >> >           base_dn = "${..base_dn}"
> >> >> >> >           filter = '(objectClass=posixGroup)'
> >> >> >> >           scope = 'sub'
> >> >> >> >           name_attribute = cn
> >> >> >> >           membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
> >> >> >> >
> >> >> >> >            membership_attribute = memberOf
> >> >> >> >            cacheable_name = 'yes'
> >> >> >> >            cacheable_dn = 'yes'
> >> >> >> >            #               cache_attribute = 'LDAP-Cached-Membership'
> >> >> >> >}
> >> >> >> >
> >> >> >> >To test a user I did:
> >> >> >> ># radtest ttest2 password ldapserver.example.com 1812 secretkey
> >> >> >> >
> >> >> >> >Thanks,
> >> >> >> >
> >> >> >> >On Tue, Mar 12, 2019 at 2:06 PM Alexander Bokovoy <[email protected]>
> >> >> >> >wrote:
> >> >> >> >
> >> >> >> >> On Tue, 12 Mar 2019, Boudjoudad Abdelkader via FreeIPA-users wrote:
> >> >> >> >> >Hi,
> >> >> >> >> >I'm trying to check if a user is in a given group name in LDAP but it
> >> >> >> >> >doesn't work, here is the configuration:
> >> >> >> >> >- vi /etc/raddb/mods-enabled/ldap
> >> >> >> >>
> >> >> >> >> How do you connect to the LDAP server? You need to use authenticated
> >> >> >> >> bind to see member attributes.
> >> >> >> >>
> >> >> >> >> >ldap {
> >> >> >> >> >...
> >> >> >> >> >base_dn = 'cn=users,cn=accounts,dc=server,dc=example,dc=com'
> >> >> >> >> >...
> >> >> >> >> >}
> >> >> >> >> >group {
> >> >> >> >> >base_dn = "${..base_dn}"
> >> >> >> >> >filter = '(objectClass=posixGroup)'
> >> >> >> >> >scope = 'sub'
> >> >> >> >> >name_attribute = cn
> >> >> >> >> >membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
> >> >> >> >> >membership_attribute = memberOf
> >> >> >> >> > cacheable_name = 'yes'
> >> >> >> >> > cacheable_dn = 'yes'
> >> >> >> >> ># cache_attribute = 'LDAP-Cached-Membership'
> >> >> >> >> >
> >> >> >> >> >The result:
> >> >> >> >> >rlm_ldap (ldap): Reserved connection (2)
> >> >> >> >> >(0)     Using user DN from request
> >> >> >> >> >"uid=ttest2,cn=users,cn=accounts,dc=server,dc=example,dc=com"
> >> >> >> >> >(0)     Checking for user in group objects
> >> >> >> >> >(0)       EXPAND (&(cn=ipausers)(objectClass=posixGroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
> >> >> >> >> >(0)          --> (&(cn=ipausers)(objectClass=posixGroup)(|(member=uid\3dttest2\2ccn\3dusers\2ccn\3daccounts\2cdc\3dserver\2cdc\3dexample\2cdc\3com)(memberUid=ttest2)))
> >> >> >> >> >(0)       Performing search in "cn=users,cn=accounts,dc=server,dc=example,dc=com" with filter "(&(cn=ipausers)(objectClass=posixGroup)(|(member=uid\3dttest2\2ccn\3dusers\2ccn\3daccounts\2cdc\3dserver\2cdc\3dexample\2cdc\3dcom)(memberUid=ttest2)))", scope "sub"
> >> >> >> >> >(0)       Waiting for search result...
> >> >> >> >> >(0)       Search returned no results
> >> >> >> >> >(0)     Checking user object's memberOf attributes
> >> >> >> >> >(0)       Performing unfiltered search in "uid=ttest2,cn=users,cn=accounts,dc=server,dc=example,dc=com", scope "base"
> >> >> >> >> >(0)       Waiting for search result...
> >> >> >> >> >(0)     No group membership attribute(s) found in user object
> >> >> >> >> >
> >> >> >> >> >What am I missing?
> >> >> >> >> >Thanks,
> >> >> >> >>
> >> >> >> >> >_______________________________________________
> >> >> >> >> >FreeIPA-users mailing list --
> >> [email protected]
> >> >> >> >> >To unsubscribe send an email to
> >> >> >> >> [email protected]
> >> >> >> >> >Fedora Code of Conduct:
> >> https://getfedora.org/code-of-conduct.html
> >> >> >> >> >List Guidelines:
> >> >> >> https://fedoraproject.org/wiki/Mailing_list_guidelines
> >> >> >> >> >List Archives:
> >> >> >> >>
> >> >> >>
> >> >>
> >>
> https://lists.fedorahosted.org/archives/list/[email protected]
> >> >> >> >>
> >> >> >> >>
> >> >> >> >> --
> >> >> >> >> / Alexander Bokovoy
> >> >> >> >> Sr. Principal Software Engineer
> >> >> >> >> Security / Identity Management Engineering
> >> >> >> >> Red Hat Limited, Finland
> >> >> >> >>
> >> >> >>
> >> >> >> --
> >> >> >> / Alexander Bokovoy
> >> >> >> Sr. Principal Software Engineer
> >> >> >> Security / Identity Management Engineering
> >> >> >> Red Hat Limited, Finland
> >> >> >>
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> / Alexander Bokovoy
> >> >> Sr. Principal Software Engineer
> >> >> Security / Identity Management Engineering
> >> >> Red Hat Limited, Finland
> >> >>
> >>
> >> --
> >> / Alexander Bokovoy
> >> Sr. Principal Software Engineer
> >> Security / Identity Management Engineering
> >> Red Hat Limited, Finland
> >>
>
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
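An added example, not code from this thread or from FreeRADIUS or FreeIPA: a small Python triage script that reads a radiusd -X transcript like the ones quoted above, decodes the \3d/\2c hex escaping in the expanded membership filter to confirm it names the user's DN that rlm_ldap found, and flags the anonymous-bind case Alexander points at (a bind with no credentials, followed by "No group membership attribute(s) found"). The sample log lines are constructed from the thread's output, and the rlm_ldap message formats are assumed to match them.

```python
import re

# Constructed excerpt modelled on the thread's radiusd -X output (not a real capture).
SAMPLE_LOG = r'''
rlm_ldap (ldap): Connecting to ldap://freeipa.example.com:389
rlm_ldap (ldap): Bind with (anonymous) to ldap://freeipa.example.com:389
(0)     Using user DN from request "uid=ttest2,cn=users,cn=accounts,dc=example,dc=com"
(0)       Performing search in "cn=users,cn=accounts,dc=example,dc=com" with filter "(&(cn=ipausers)(objectClass=posixGroup)(|(member=uid\3dttest2\2ccn\3dusers\2ccn\3daccounts\2cdc\3dexample\2cdc\3dcom)(memberUid=ttest2)))", scope "sub"
(0)       Search returned no results
(0)     Checking user object's memberOf attributes
(0)     No group membership attribute(s) found in user object
'''

HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")
BAD_ESCAPE = re.compile(r"\\(?![0-9a-fA-F]{2})")


def unescape(value: str) -> str:
    """Reverse rlm_ldap's \\XX filter escaping (\\3d -> '=', \\2c -> ',').
    A backslash not followed by two hex digits means the value was mangled."""
    if BAD_ESCAPE.search(value):
        raise ValueError("malformed escape in filter value: %r" % value)
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def triage(log: str) -> dict:
    """Pull the bind identity and the expanded member DN out of a radiusd -X
    transcript and report whether the anonymous-bind symptom is present."""
    bind = re.search(r"Bind with (\S+) to ldap", log)
    user_dn = re.search(r'Using user DN from request "([^"]+)"', log)
    search = re.search(r'with filter "(.*?)", scope', log)
    member = re.search(r"\(member=([^)]*)\)", search.group(1)) if search else None
    report = {
        "bind_identity": bind.group(1) if bind else None,
        "member_dn_matches_user": None,
        "diagnosis": "no anonymous-bind symptom found",
    }
    if user_dn and member:
        # The expanded filter must name exactly the DN rlm_ldap found for the user.
        report["member_dn_matches_user"] = unescape(member.group(1)) == user_dn.group(1)
    no_groups = "No group membership attribute(s) found" in log
    if report["bind_identity"] == "(anonymous)" and no_groups:
        report["diagnosis"] = ("anonymous bind: member/memberOf are not visible, so "
                               "group checks fail; configure identity/password or "
                               "SASL GSSAPI for rlm_ldap in mods-enabled/ldap")
    return report
```

Run it over a real transcript by reading the file into triage(); a mismatch in member_dn_matches_user points at a filter or escaping problem rather than at the bind.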
