Steve I don't know the Windows side well - you might need to do some Googling to find out what this error means. Sorry.
Also, you definitely do not export the private key. That remains on the CA. Regards Tarun -----Original Message----- From: Steve OBrien [mailto:[EMAIL PROTECTED] Sent: Friday, 19 March 2004 5:51 PM To: [EMAIL PROTECTED] Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD Now I am seeing this in the windows dc server log: A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0xffffffff I was using the CA certificate but that cannot be exported with the private key (AFAIK). My CA is a member server not a dc. [EMAIL PROTECTED] wrote: ----- To: <[EMAIL PROTECTED]> From: "Tarun Bhushan" <[EMAIL PROTECTED]> Sent by: [EMAIL PROTECTED] Date: 03/18/2004 06:57PM Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD Yes - I did mention this in an earlier mail. Relevant portion of radiusd.conf shown below. The combination of Port=636 AND start_tls=no is important. In my experience, setting start_tls=yes does not work with AD or Novell eDirectory, but does work with OpenLDAP. ldap ldap1 { server = "somedc.somecompany.com" port = 636 identity = "cn=lookup,ou=users,dc=somecompany,dc=com" password = Password basedn = "dc=somecompany,dc=com" filter = "(cn=%U)" # set this to 'yes' to use TLS encrypted connections # to the LDAP database. start_tls = no #tls_mode = no # Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap # ldap_cache_timeout = 120 # ldap_cache_size = 0 ldap_connections_number = 10 groupname_attribute = cn groupmembership_filter = "(&(objectClass=Group)(member=%{Ldap-UserDn}))" timeout = 10 timelimit = 10 net_timeout = 5 #ldap_debug = 0xFFFF #ldap_debug = 0x0001 compare_check_items = yes access_attr_used_for_allow = no } Tarun -----Original Message----- From: Steve OBrien [mailto:[EMAIL PROTECTED] Sent: Friday, 19 March 2004 11:59 AM To: [EMAIL PROTECTED] Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD Do you need to modify the radiusd.conf file to use ldaps? Steve O'Brien City of Bend Network Administrator [EMAIL PROTECTED] 541-322-6393 "Tarun Bhushan" <[EMAIL PROTECTED]> Sent by: [EMAIL PROTECTED] 03/18/2004 04:28 PM Please respond to [EMAIL PROTECTED] To <[EMAIL PROTECTED]> cc Subject RE: Using freeradius to authenticate users to a Windows 2000 AD Steve The instructions are shown below. I see that you have included the group membership check into your filter. I have not done this - I have stuck with the separate group membership check shown in the default FreeRadius radiusd.conf - it does make an extra LDAP call, but it works. Just as a matter of interest, I also use configurable failover to three separate DCs - that works well too - you only need the root CA cert for LDAPS to all of them. Tarun ==================== Document ============================= In order that LDAP clients can connect to Active Directory with TLS/SSL, we need to make some configuration changes. Export the Active Directory root CA certificate in DER format. This is usually done on a Windows domain controller running Certification Services. It has been observed that this server needs to have a name without underscores in it. Copy the exported certificate file to the /etc/openldap/demoCA directory - we will use this existing directory for our CA certificates. The file would normally end with .cer. We need to convert this file to PEM format. This is done with: shell> openssl x509 -in rootdc.ca.cer -inform d -out rootdc.ca.pem We now need to modify the file /etc/openldap/ldap.conf to look like: ========================================================================= # @(#)$Id: ldap.conf,v 1.27 2003/01/17 21:37:12 lukeh Exp $ # # This is the configuration file for the LDAP nameservice # switch library and the LDAP PAM module. # # PADL Software # http://www.padl.com # # Your LDAP server. Must be resolvable without using LDAP. # Multiple hosts may be specified, each separated by a # space. How long nss_ldap takes to failover depends on # whether your LDAP client library supports configurable # network or connect timeouts (see bind_timelimit). host rootdc.somecompany.com # The distinguished name of the search base. base dc=somecompany,dc=com # The LDAP version to use (defaults to 3 # if supported by client library) #ldap_version 3 # The distinguished name to bind to the server with. # Optional: default is to bind anonymously. #binddn uid=lookup,dc=somecompany,dc=com # The credentials to bind with. # Optional: default is no credential. #bindpw nothing # The distinguished name to bind to the server with # if the effective user ID is root. Password is # stored in /etc/ldap.secret (mode 600) #rootbinddn cn=manager,dc=padl,dc=com # The port. # Optional: default is 389. #port 389 # The search scope. #scope sub #scope one #scope base # Search timelimit #timelimit 30 # Bind timelimit #bind_timelimit 30 # Idle timelimit; client will close connections # (nss_ldap only) if the server has not been contacted # for the number of seconds specified below. #idle_timelimit 3600 # Active Directory SSL options ssl on # OpenLDAP SSL options # Require and verify server certificate (yes/no) tls_checkpeer no # CA certificates for server certificate verification TLS_CACERT /etc/openldap/demoCA/rootdc.ca.pem ========================================================================= Note the pointer to the CA PEM file we created earlier. It should be noted that the AD servers will need to have SSL (TLS) certificates generated/installed, and have the LDAP interface listening on the LDAPS port (636). As passwords and other authentication/authorisation data will be exchanged across the network, this channel should not be in clear-text. ========================== End Document ============================== -----Original Message----- From: Steve OBrien [mailto:[EMAIL PROTECTED] Sent: Friday, 19 March 2004 10:11 AM To: [EMAIL PROTECTED] Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD Thanks Tarun, Yes I would like instructions for importing my root CA into my freeradius box! "Tarun Bhushan" <[EMAIL PROTECTED]> Sent by: [EMAIL PROTECTED] 03/18/2004 03:06 PM Please respond to [EMAIL PROTECTED] To <[EMAIL PROTECTED]> cc Subject RE: Using freeradius to authenticate users to a Windows 2000 AD Steve I've seen that "Operations error" before with FreeRadius & AD LDAP access. It appears to happen consistently when LDAP is used as opposed to LDAPS (this is more pronounced with Windows Server 2003 DCs, but happens with Win2K as well). If you change the port to 636 (with start_tls=no), you will be using LDAPS to AD. In this case, the "Operations error" does not happen, and the AD lookup works well. You should note that you will need to import your Windows DC Root CA cert onto the FreeRadius box for this to work - this is pretty straightforward by using OpenSSL and OpenLDAP tools. Let me know if you need instructions to do this latter part. Also note (this would be happening now with LDAP or LDAPS), that depending on your base DN and the location of the users in your AD tree, the AD LDAP server could be returning referrals. These are also chased by FreeRadius LDAP interface, and could go to DCs that you did not configure in your radiusd.conf file, depending on the DNS resolution returned. You can see if this happening by setting ldap_debug = 0x0001. Tarun -----Original Message----- From: Steve OBrien [mailto:[EMAIL PROTECTED] Sent: Friday, 19 March 2004 2:35 AM To: [EMAIL PROTECTED] Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD Here is the debug output: Module: Instantiated radutmp (radutmp) Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp. Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:38245, id=181, length=56 User-Name = "test" User-Password = "test" NAS-IP-Address = 255.255.255.255 NAS-Port = 1 modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "eap" returns noop for request 0 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 users: Matched DEFAULT at 152 modcall[authorize]: module "files" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" modcall: entering group Auth-Type for request 0 rlm_ldap: - authenticate rlm_ldap: login attempt by "test" with password "test" radius_xlat: '(sAMAccountName=test)' radius_xlat: 'o=notexist' ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to cityhalldc1.ci.bend.or.us:389, authentication 0 rlm_ldap: bind as CN=freeradius,CN=Users,DC=my,DC=domain,DC=com/password to my.dc.com:389 rlm_ldap: waiting for bind result ... request 1 done rlm_ldap: performing search in o=notexist, with filter (sAMAccountName=test) request 2 done rlm_ldap: ldap_search() failed: Operations error ldap_release_conn: Release Id: 0 modcall[authenticate]: module "ldap" returns fail for request 0 modcall: group Auth-Type returns fail for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Albers Darren <[EMAIL PROTECTED]> Sent by: [EMAIL PROTECTED] 03/17/2004 07:46 PM Please respond to [EMAIL PROTECTED] [EMAIL PROTECTED] cc SubjectRE: Using freeradius to authenticate users to a Windows 2000 AD Oops, I forgot the link http://lists.cistron.nl/archives/freeradius-users/2004/03/frm00428.html From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Albers Darren Sent: Wednesday, March 17, 2004 10:04 PM To: [EMAIL PROTECTED] Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD Steve, Here is a link to that earlier post of mine, it might be more helpfull. Feel free to post your radiusd.conf and I will see if I can help. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve OBrien Sent: Wednesday, March 17, 2004 5:21 PM To: [EMAIL PROTECTED] Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD Well it still seems not to be working. And I could not find your other article, I searched for radiusd.conf and your name and email with no luck. The output is not helpfull: Request: /usr/local/bin/radtest guest "test" localhost 1 testing123 Sending Access-Request of id 104 to 127.0.0.1:1812 User-Name = "guest" User-Password = "test" NAS-IP-Address = blade1.ci.bend.or.us NAS-Port = 1 rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=104, length=20 Response: Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:33317, id=104, length=57 User-Name = "guest" User-Password = "test" NAS-IP-Address = 255.255.255.255 NAS-Port = 1 modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "eap" returns noop for request 0 rlm_realm: No '@' in User-Name = "guest", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 users: Matched DEFAULT at 152 modcall[authorize]: module "files" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request Steve O'Brien City of Bend Network Administrator [EMAIL PROTECTED] 541-322-6393 Albers Darren <[EMAIL PROTECTED]> Sent by: [EMAIL PROTECTED] 03/17/2004 11:37 AM Please respond to [EMAIL PROTECTED] To"'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]> cc SubjectRE: Using freeradius to authenticate users to a Windows 2000 AD With the help of another individual on this list Richard Lucassen we were able to get it working to authenticate against either a group or against AD as a whole. To see an example I posted of just authenticated a user in general against AD look for another post by me with a sample radiusd.conf. Here is what Richard and I put together to get group auth working, this may not be the 100% correct way but it worked for us and if anyone has any suggestions that would be great. The comments are my comments and since the formatting will probably be borked please don't just copy and paste this into your radiusd.conf: ldap { server = "FDC of your DC" #Account in AD with the rights to query ad for the user account properties, in this example I have an account named freeradius located in # my users container in the domain dc.domain.com that I am using to auth. identity = "CN=freeradius,CN=Users,DC=dc,DC=domain,DC=com" #password of the above account password = password #Base dn to search from, usually the top of your domain, in this example it is dc.domain.com basedn = "DC=dc,DC=domain,DC=com" #This is the search filter to find the users account and then check it's group membership. You will see that I used the full path to the # group including the conatiner it is located in. This example is for a group named RemoteUser in the users container in the domain #dc.domain.com filter ="(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=CN=Rem oteUser,CN=Users,DC=dc,DC=domain,DC=com))" password_attribute = userPassword timeout = 4 timelimit = 3 net_timeout = 1 compare_check_items = yes I commented out the groupmembership stuff, but I am not sure if that was a bad thing or not. Eventually I plan on writing this into a quick Howto and posting it again. Let me know if this helps or if you have any further questions and again my thanks to Richard for all his help in getting this working! -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Steve OBrien Sent: Wednesday, March 17, 2004 2:24 PM To: [EMAIL PROTECTED] Subject: Using freeradius to authenticate users to a Windows 2000 AD I have seen threads pertaining to this but I cannot seem to get it to work. I would like to authenticate users via freeradius against a windows 2000 ad domain using LDAP. Is this possible if so anyone have a sample config?? TIA, Steve ********************************************************************** The information and any files contained in this e-mail message are property of WestPoint Stevens Inc., its subsidiaries or affiliates, and are intended only for use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you hereby are notified that use, dissemination, distribution or copying of this information is strictly prohibited. If you have received this communication in error, please immediately notify us by return e-mail and destroy the original message. Thank you. ********************************************************************** NOTICE This e-mail and any attachments are confidential and may contain copyright material of Macquarie Bank or third parties. If you are not the intended recipient of this email you should not read, print, re-transmit, store or act in reliance on this e-mail or any attachments, and should destroy all copies of them. Macquarie Bank does not guarantee the integrity of any emails or any attached files. The views or opinions expressed are the author's own and may not reflect the views or opinions of Macquarie Bank. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
