The issue in my previous post was resolved by following the instructions in:
http://support.microsoft.com/kb/326690

As I stated in my previous post I was running a 2000 SP4 domain and we just upgraded to a 2003 domain. After the upgrade LDAP queries were failing. This basically allows anonymous LDAP lookups (limited information) as 2000 did. I did put authentication credentials in for my LDAP user so I'm not sure why it's still using an anonymous bind. I would prefer to have the added security of 2003. My LDAP configuration is below if anyone has any advice so I wouldn't have to enable anonymous bind within the domain.

___________________________________________________________
kesm0724 wrote:
>
> Hello All,
>
> I had FreeRADIUS Version 2.0.5 working fine until I upgraded our domain
> this past weekend to Server 2003. When I try to authenticate to our
> configured devices this morning I see the following generic error in the
> debug:
>
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns fail
>
> The odd part about it is that I still have our previous 2000 domain
> controllers in place but it appears LDAP group checking is not working. I
> have only dcpromo'd the new 2003 controllers and have not made them global
> catalogs. Would anyone have any idea why my group checking would no
> longer be working?
>
> With LDAP debug turned on....not much more informative:
>
> rlm_ldap: performing user authorization for voila\webtest
> expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) -> (sAMAccountName=webtest)
> expand: dc=voila,dc=com -> dc=voila,dc=com
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: closing existing LDAP connection
> rlm_ldap: (re)connect to control.voila.com:389, authentication 0
> rlm_ldap: bind as cn=testuser,cn=users,dc=voila,dc=com/mypass to control.voila.com:389
> rlm_ldap: waiting for bind result ...
> request done: ld 0x98c6708 msgid 1
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=voila,dc=com, with filter (sAMAccountName=webtest)
> request done: ld 0x98c6708 msgid 4
> request done: ld 0x98c6708 msgid 2
> rlm_ldap: ldap_search() failed: Operations error
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns fail
> Invalid user: [voila\\webtest/<via Auth-Type = mschap>] (from client Test port 1176 cli xxxxxxxxx)
> Found Post-Auth-Type Reject
> +- entering group REJECT
> expand: %{User-Name} -> voila\webtest
>
>
> Complete Debug:
>
> Listening on authentication address * port 1812
> Listening on accounting address * port 1813
> Ready to process requests.
> rad_recv: Access-Request packet from host xxxxxxxxxxx port 1059, id=117, length=191
>         User-Name = "voila\\testuser"
>         NAS-Port = 1175
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Called-Station-Id = "xxxxxxxxxxx"
>         Calling-Station-Id = "xxxxxxxxxx"
>         Tunnel-Client-Endpoint:0 = "xxxxxxxxxxxxx"
>         MS-CHAP-Challenge = 0x949d0f260c0a83423f766c1ba4786e6f
>         MS-CHAP2-Response = 0x00008c51e82b0b401baffa11bbe4804841af0000000000000000b90e47cdede219ef0896903add05ea5ada973c6c8d58d431
>         NAS-IP-Address = xxxxxxxxxx
>         NAS-Port-Type = Virtual
> +- entering group authorize
> ++[preprocess] returns ok
> expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/xxxxxxxxx/auth-detail-20080915
> rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/xxxxxxxxxx/auth-detail-20080915
> expand: %t -> Mon Sep 15 11:52:00 2008
> ++[auth_log] returns ok
> ++[chap] returns noop
> rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type = mschap'
> ++[mschap] returns ok
> rlm_realm: No '@' in User-Name = "voila\testuser", looking up realm NULL
> rlm_realm: No such realm "NULL"
> ++[suffix] returns noop
> rlm_realm: No '"' in User-Name = "voila\testuser", looking up realm NULL
> rlm_realm: No such realm "NULL"
> ++[ntdomain] returns noop
> ++[unix] returns notfound
> rlm_ldap: Entering ldap_groupcmp()
> expand: dc=voila,dc=com -> dc=voila,dc=com
> expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) -> (sAMAccountName=testuser)
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to control.voila.com:389, authentication 0
> rlm_ldap: bind as cn=project,cn=users,dc=voila,dc=com/mypass to control.voila.com:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=voila,dc=com, with filter (sAMAccountName=testuser)
> rlm_ldap: ldap_search() failed: Operations error
> rlm_ldap::ldap_groupcmp: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[files] returns noop
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for voila\testuser
> expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) -> (sAMAccountName=testuser)
> expand: dc=voila,dc=com -> dc=voila,dc=com
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: closing existing LDAP connection
> rlm_ldap: (re)connect to control.voila.com:389, authentication 0
> rlm_ldap: bind as cn=project,cn=users,dc=voila,dc=com/mypass to control.voila.com:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=voila,dc=com, with filter (sAMAccountName=testuser)
> rlm_ldap: ldap_search() failed: Operations error
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns fail
> Invalid user: [voila\\testuser/<via Auth-Type = mschap>] (from client Test port 1175 cli xxxxxxxxxxxxx)
> Found Post-Auth-Type Reject
> +- entering group REJECT
> expand: %{User-Name} -> voila\testuser
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Sending Access-Reject of id 117 to xxxxxxxxxxxx port 1059
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 117 with timestamp +18
> Ready to process requests.
>
> ___________
>
> Freeradius - 2.0.5
>
> [EMAIL PROTECTED] modules]# rpm -qa | grep openldap
> openldap-devel-2.3.27-8.el5_2.4
> openldap-2.3.27-8.el5_2.4
> [EMAIL PROTECTED] modules]# rpm -qa | grep samba
> samba-common-3.0.28-1.el5_2.1
> samba-3.0.28-1.el5_2.1
> samba-client-3.0.28-1.el5_2.1
>
> ______________________________________________
>
> LDAP.CONF
>
> ldap {
>         #
>         #  Note that this needs to match the name in the LDAP
>         #  server certificate, if you're using ldaps.
>         server = "control.voila.com"
>         identity = "cn=testuser,cn=users,dc=voila,dc=com"
>         password = mypass
>         basedn = "dc=voila,dc=com"
>
>         # CHANGED filter object search to look for 'SamAccountName'
>
>         # filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
>         filter = "(sAMAccountName=%{mschap:User-Name:-%{User-Name}})"
>         # filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>
>         # base_filter = "(objectclass=radiusprofile)"
>
>         #  How many connections to keep open to the LDAP server.
>         #  This saves time over opening a new LDAP socket for
>         #  every authentication request.
>         ldap_connections_number = 5
>
>         # seconds to wait for LDAP query to finish. default: 20
>         timeout = 4
>
>         #  seconds LDAP server has to process the query (server-side
>         #  time limit). default: 20
>         #
>         #  LDAP_OPT_TIMELIMIT is set to this value.
>         timelimit = 3
>
>         #
>         #  seconds to wait for response of the server. (network
>         #  failures) default: 10
>         #
>         #  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
>         net_timeout = 1
>
>         #
>         #  This subsection configures the tls related items
>         #  that control how FreeRADIUS connects to an LDAP
>         #  server.  It contains all of the "tls_*" configuration
>         #  entries used in older versions of FreeRADIUS.  Those
>         #  configuration entries can still be used, but we recommend
>         #  using these.
>         #
>         tls {
>                 # Set this to 'yes' to use TLS encrypted connections
>                 # to the LDAP database by using the StartTLS extended
>                 # operation.
>                 #
>                 # The StartTLS operation is supposed to be
>                 # used with normal ldap connections instead of
>                 # using ldaps (port 689) connections
>                 start_tls = no
>
>                 # cacertfile = /path/to/cacert.pem
>                 # cacertdir  = /path/to/ca/dir/
>                 # certfile   = /path/to/radius.crt
>                 # keyfile    = /path/to/radius.key
>                 # randfile   = /path/to/rnd
>
>                 #  Certificate Verification requirements.  Can be:
>                 #    "never" (don't even bother trying)
>                 #    "allow" (try, but don't fail if the certificate
>                 #             can't be verified)
>                 #    "demand" (fail if the certificate doesn't verify.)
>                 #
>                 #  The default is "allow"
>                 # require_cert = "demand"
>         }
>         # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
>         # profile_attribute = "radiusProfileDn"
>         # access_attr = "User-Password"
>
>         # Mapping of RADIUS dictionary attributes to LDAP
>         # directory attributes.
>         dictionary_mapping = ${confdir}/ldap.attrmap
>
>         #  Set password_attribute = nspmPassword to get the
>         #  user's password from a Novell eDirectory
>         #  backend. This will work ONLY IF FreeRADIUS has been
>         #  built with the --with-edir configure option.
>         #
>         #  See also the following links:
>         #
>         #  http://www.novell.com/coolsolutions/appnote/16745.html
>         #  https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
>         #
>         #  Novell may require TLS encrypted sessions before returning
>         #  the user's password.
>         #
>         # password_attribute = User-Password
>
>         #  Un-comment the following to disable Novell
>         #  eDirectory account policy check and intruder
>         #  detection. This will work *only if* FreeRADIUS is
>         #  configured to build with --with-edir option.
>         #
>         edir_account_policy_check = no
>
>         #
>         #  Group membership checking.  Disabled by default.
>         #
>         groupname_attribute = cn
>         #groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>         groupmembership_filter = "(|(&(objectClass=group)(member=%{check:LDAP-UserDn}))(&(objectClass=GroupOfNames)(member=%{check:LDAP-UserDn})))"
>         groupmembership_attribute = memberOf
>
>         # compare_check_items = yes
>         do_xlat = yes
>         # access_attr_used_for_allow = yes
>
>         #
>         #  By default, if the packet contains a User-Password,
>         #  and no other module is configured to handle the
>         #  authentication, the LDAP module sets itself to do
>         #  LDAP bind for authentication.
>         #
>         #  THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
>         #
>         #  THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
>         #
>         #  You can disable this behavior by setting the following
>         #  configuration entry to "no".
>         #
>         #  allowed values: {no, yes}
>
>         # set_auth_type = yes
>
>         #  ldap_debug: debug flag for LDAP SDK
>         #  (see OpenLDAP documentation).  Set this to enable
>         #  huge amounts of LDAP debugging on the screen.
>         #  You should only use this if you are an LDAP expert.
>         #
>         #  default: 0x0000 (no debugging messages)
>         #  Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
>         ldap_debug = 0x0028
>
> ______________________________________________________
>
> Samba / Winbind responses:
>
> [EMAIL PROTECTED] modules]# wbinfo -t
> checking the trust secret via RPC calls succeeded
>
> [EMAIL PROTECTED] modules]# wbinfo -a testuser%mypass
> plaintext password authentication failed
> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
> error messsage was: No such user
> Could not authenticate user testuser%mypass with plaintext password
> challenge/response password authentication succeeded
>
> wbinfo -u and wbinfo -g enumerate all users/groups.
>

--
View this message in context: http://www.nabble.com/LDAP-Group-membership-check-not-working-after-upgrade-to-Windows-Server-2003-tp19496304p19544572.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
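Editor's note, added to this thread and not part of the poster's message or of the FreeRADIUS distribution. The pattern in the debug above (bind succeeds as the configured identity, then a subtree search at the domain root fails with "Operations error", and KB 326690, which re-enables anonymous LDAP operations, makes it go away) is the classic symptom of an OpenLDAP client chasing Active Directory referrals. A search based at dc=voila,dc=com returns continuation references to the other naming contexts, libldap follows them on a new connection that is not bound, and a 2003 DC rejects the unauthenticated search. Fixing the client is the alternative to weakening the directory. The fragment below reuses the poster's names (control.voila.com, dc=voila,dc=com, cn=testuser,...); the `chase_referrals` and `rebind` options are the ones documented in the 2.x raddb/modules/ldap file and are an assumption for a 2.0.5 build, which is why the OpenLDAP-side equivalent is given as well.

```conf
# Added example, not from the original post or the FreeRADIUS tree.
# Names below are the poster's; the option availability in 2.0.5 is an
# assumption (check your own raddb/modules/ldap or "man rlm_ldap").

# --- What KB 326690 changes (shown for contrast, do NOT do this) ---
# The 7th character of dSHeuristics on
#   CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,dc=voila,dc=com
# set to "2" re-enables anonymous LDAP operations for the whole forest.
# Every unauthenticated host on the network can then read whatever the
# ANONYMOUS LOGON principal has been granted, for every application, not
# just FreeRADIUS. Leave it at the Server 2003 default.

# --- Client-side fix: raddb/modules/ldap (rlm_ldap, FreeRADIUS 2.x) ---
ldap {
        server   = "control.voila.com"
        identity = "cn=testuser,cn=users,dc=voila,dc=com"
        password = mypass
        basedn   = "dc=voila,dc=com"
        filter   = "(sAMAccountName=%{mschap:User-Name:-%{User-Name}})"

        # A subtree search from the domain root returns referrals to the
        # other naming contexts (DomainDnsZones, ForestDnsZones, child
        # domains). libldap chases them on a fresh, unauthenticated
        # connection; a 2003 DC refuses that and the whole search is
        # reported as "Operations error" even though the first bind
        # succeeded. Either stop chasing ...
        chase_referrals = no
        # ... or keep chasing but re-bind with "identity"/"password"
        # on the referred connection (only one of the two is needed):
        # rebind = yes

        # The posted config binds with a cleartext password over plain
        # port 389 (start_tls = no). The bind password crosses the wire
        # in the clear on every reconnect; turn on StartTLS and verify
        # the DC's certificate once the search problem is solved.
        tls {
                start_tls    = yes
                cacertfile   = /etc/raddb/certs/ad-ca.pem   # assumed path
                require_cert = "demand"
        }

        groupname_attribute       = cn
        groupmembership_attribute = memberOf
}

# --- Same effect without rlm_ldap options: /etc/openldap/ldap.conf ---
# If the rlm_ldap build has no chase_referrals/rebind, turn referral
# chasing off for every libldap client on the host instead.
REFERRALS off

# --- Check from the RADIUS host before touching the DC ---
# ldapsearch does NOT chase referrals unless given -C, so this should
# return the user's memberOf values with the current DC settings:
#   ldapsearch -x -H ldap://control.voila.com \
#       -D "cn=testuser,cn=users,dc=voila,dc=com" -W \
#       -b dc=voila,dc=com "(sAMAccountName=testuser)" memberOf
# Re-run it with -C added (chase referrals): if that one fails with
# "Operations error", the cause is referral chasing, not the bind account,
# and chase_referrals = no / REFERRALS off is the right fix.
```

If the two `ldapsearch` runs behave the same way (both succeed or both fail), the problem is elsewhere, for instance the bind account lacking read rights on the user objects, and the KB 326690 change should still be reverted rather than kept as a workaround.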

