Freeradius/Radtest fails to authenticate against Google LDAP



Christian Bednarz
Hi all.

I am trying hard to get FreeRADIUS working with Google LDAP, but I feel totally stuck and desperate.

My starting point was following the Google documentation ( https://support.google.com/a/answer/9089736?hl=en#zippy=%2Cfreeradius ), which some people have pointed out is not really accurate. After some adjustments I find myself stuck in the woods. Admittedly I have just very basic knowledge of Linux (I use Ubuntu 20).

When I run radtest I get this result:

root@freeradius1:/home/serveradmin# radtest [hidden email] PASSWORD 127.0.0.1 1 testing123
Sent Access-Request Id 50 from 0.0.0.0:39324 to 127.0.0.1:1812 length 95
        User-Name = "[hidden email]"
        User-Password = "PASSWORD"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 1
        Message-Authenticator = 0x00
        Cleartext-Password = "PASSWORD"
Received Access-Reject Id 50 from 127.0.0.1:1812 to 127.0.0.1:39324 length 20
(0) -: Expected Access-Accept got Access-Reject

Here is the debug output of freeradius -X:

(0) Received Access-Request Id 50 from 127.0.0.1:39324 to 127.0.0.1:1812 length 95
(0)   User-Name = "[hidden email]"
(0)   User-Password = "PASSWORD"
(0)   NAS-IP-Address = 127.0.1.1
(0)   NAS-Port = 1
(0)   Message-Authenticator = 0xf9bad2a09e9c1eb0e3c9317b52b40faf
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "lanes-planes.com" for User-Name = "[hidden email]"
(0) suffix: Found realm "lanes-planes.com"
(0) suffix: Adding Stripped-User-Name = "it-test2"
(0) suffix: Adding Realm = "lanes-planes.com"
(0) suffix: Authentication realm is LOCAL
(0)     [suffix] = ok
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap:    --> (uid=it-test2)
(0) ldap: Performing search in "dc=lanes-planes,dc=com" with filter "(uid=it-test2)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: Search returned no results
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
rlm_ldap (ldap): Waiting for bind result...
ber_get_next failed.
rlm_ldap (ldap): Bind successful
(0)     [ldap] = notfound
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)     if (User-Password) {
(0)     if (User-Password)  -> TRUE
(0)     if (User-Password)  {
(0)       update control {
(0)         Auth-Type := ldap
(0)       } # update control = noop
(0)     } # if (User-Password)  = noop
Not doing PAP as Auth-Type is already set.
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = ldap
(0) Auth-Type sub-section not found.  Ignoring.
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> [hidden email]
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.9 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 50 from 127.0.0.1:1812 to 127.0.0.1:39324 length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 50 with timestamp +39
Ready to process requests


If any of you could point me in the right direction as to what would need to be corrected to get this working, that would be just awesome. If it helps, I would also be willing to share other config files, like sites-enabled/default. Thanks.

Best regards
Christian
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius/Radtest fails to authenticate against Google LDAP

Alan DeKok-2
On Feb 8, 2021, at 12:26 PM, Christian Bednarz <[hidden email]> wrote:
> I am trying hard to get FreeRADIUS working with Google LDAP, but I feel totally stuck and desperate.
>
> My starting point was following the Google documentation ( https://support.google.com/a/answer/9089736?hl=en#zippy=%2Cfreeradius ), which some people have pointed out is not really accurate. After some adjustments I find myself stuck in the woods. Admittedly I have just very basic knowledge of Linux (I use Ubuntu 20).

  If Linux is new, configuring RADIUS can be complex.  :(

> (0) Received Access-Request Id 50 from 127.0.0.1:39324 to 127.0.0.1:1812 length 95
> (0)   User-Name = "[hidden email]"
> (0)   User-Password = "PASSWORD"
> (0)   NAS-IP-Address = 127.0.1.1
> (0)   NAS-Port = 1
> ...
> rlm_ldap (ldap): Reserved connection (0)
> (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (0) ldap:    --> (uid=it-test2)
> (0) ldap: Performing search in "dc=lanes-planes,dc=com" with filter "(uid=it-test2)", scope "sub"
> (0) ldap: Waiting for search result...
> (0) ldap: Search returned no results
> rlm_ldap (ldap): Released connection (0)
> Need 5 more connections to reach 10 spares
> rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
> rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
> rlm_ldap (ldap): Waiting for bind result...
> ber_get_next failed.
> rlm_ldap (ldap): Bind successful
> (0)     [ldap] = notfound

  So the user wasn't found in LDAP.   What happens when you run "ldapsearch" manually?

  The most recent versions of the server have full documentation on how to use the LDAP module configuration with the ldapsearch tool:

https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-available/ldap

> (0)     [expiration] = noop
> (0)     [logintime] = noop
> (0)     if (User-Password) {
> (0)     if (User-Password)  -> TRUE
> (0)     if (User-Password)  {
> (0)       update control {
> (0)         Auth-Type := ldap
> (0)       } # update control = noop
> (0)     } # if (User-Password)  = noop
> Not doing PAP as Auth-Type is already set.
> (0)     [pap] = noop
> (0)   } # authorize = ok
> (0) Found Auth-Type = ldap
> (0) Auth-Type sub-section not found.  Ignoring.

  Well, I don't suggest setting "Auth-type = LDAP" unless you actually have "ldap"  configured in the "authenticate" section.

  But you shouldn't need that.  Delete the "update control" section which sets "Auth-Type = LDAP".

  And then make sure that the LDAP module configuration works.  i.e. that when FreeRADIUS looks for a user in LDAP, the ldap module finds that user, and returns the password to FreeRADIUS.

  Alan DeKok.


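The two points in the reply above (the ldap module returning `notfound` for the search it actually ran, and an `Auth-Type := ldap` forced in `authorize` with no matching `ldap` entry under `authenticate`) are exactly what one reads off a `freeradius -X` transcript. The helper below is an added example, not FreeRADIUS project code: it parses a debug transcript of that shape, extracts each module's rcode, the exact LDAP search (server, base DN, filter, scope) and the Auth-Type handling, and turns them into findings. Both sample transcripts are constructed (example.com names, made-up request IDs) and only mirror the structure of the thread's output; the finding codes and messages are this example's own.

```python
"""Triage helper for `freeradius -X` debug output (added example, not
FreeRADIUS project code). Sample transcripts below are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of a rejected request, modelled on the thread's log.
SAMPLE_REJECT = """\
(0) Received Access-Request Id 50 from 127.0.0.1:39324 to 127.0.0.1:1812 length 95
(0)   User-Name = "alice@example.com"
(0) suffix: Adding Stripped-User-Name = "alice"
(0)     [suffix] = ok
(0)     [files] = noop
(0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap:    --> (uid=alice)
(0) ldap: Performing search in "dc=example,dc=com" with filter "(uid=alice)", scope "sub"
(0) ldap: Search returned no results
rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
rlm_ldap (ldap): Bind successful
(0)     [ldap] = notfound
(0)         Auth-Type := ldap
(0)     [pap] = noop
(0) Found Auth-Type = ldap
(0) Auth-Type sub-section not found.  Ignoring.
(0) Failed to authenticate the user
(0) Sent Access-Reject Id 50 from 127.0.0.1:1812 to 127.0.0.1:39324 length 20
"""

# Constructed excerpt of a healthy request: the entry is found, no forced
# Auth-Type, and pap authenticates with the password ldap returned.
SAMPLE_ACCEPT = """\
(1) ldap: Performing search in "dc=example,dc=com" with filter "(uid=alice)", scope "sub"
rlm_ldap (ldap): Bind successful
(1)     [ldap] = ok
(1)     [pap] = updated
(1) Found Auth-Type = PAP
(1) Sent Access-Accept Id 51 from 127.0.0.1:1812 to 127.0.0.1:39324 length 20
"""

RCODE_RE = re.compile(r"^\(\d+\)\s+\[([\w.]+)\] = (\w+)\s*$")
SEARCH_RE = re.compile(r'ldap: Performing search in "([^"]+)" with filter "([^"]+)", scope "(\w+)"')
CONNECT_RE = re.compile(r"rlm_ldap \([\w.]+\): Connecting to (\S+)")
FORCED_RE = re.compile(r"Auth-Type := (\S+)")       # set via "update control"
FOUND_RE = re.compile(r"Found Auth-Type = (\S+)")   # what authenticate will run


@dataclass
class Triage:
    rcodes: Dict[str, str] = field(default_factory=dict)  # last rcode per module
    ldap_server: Optional[str] = None
    base_dn: Optional[str] = None
    search_filter: Optional[str] = None
    scope: Optional[str] = None
    bind_ok: bool = False
    search_empty: bool = False
    forced_auth_type: Optional[str] = None
    found_auth_type: Optional[str] = None
    auth_type_missing_section: bool = False
    rejected: bool = False


def parse_debug(text: str) -> Triage:
    """Extract the facts a reviewer checks first from a -X transcript."""
    t = Triage()
    for line in text.splitlines():
        m = RCODE_RE.match(line)
        if m:
            t.rcodes[m.group(1)] = m.group(2)
            continue
        m = SEARCH_RE.search(line)
        if m:
            t.base_dn, t.search_filter, t.scope = m.groups()
            continue
        m = CONNECT_RE.search(line)
        if m:
            t.ldap_server = m.group(1)
            continue
        m = FORCED_RE.search(line)
        if m:
            t.forced_auth_type = m.group(1)
            continue
        m = FOUND_RE.search(line)
        if m:
            t.found_auth_type = m.group(1)
            continue
        if "Bind successful" in line:
            t.bind_ok = True
        elif "Search returned no results" in line:
            t.search_empty = True
        elif "Auth-Type sub-section not found" in line:
            t.auth_type_missing_section = True
        elif "Sent Access-Reject" in line:
            t.rejected = True
    return t


def diagnose(t: Triage) -> List[Tuple[str, str]]:
    """Map the parsed facts to (code, advice) findings; empty means nothing odd."""
    findings: List[Tuple[str, str]] = []
    if t.rcodes.get("ldap") == "notfound":
        findings.append(("LDAP_USER_NOT_FOUND",
                         f"ldap bound to {t.ldap_server or 'the server'} but the search in "
                         f"{t.base_dn!r} with filter {t.search_filter!r} returned nothing; "
                         "repeat that exact search with ldapsearch and fix base_dn/filter"))
    if t.forced_auth_type and t.auth_type_missing_section:
        findings.append(("AUTH_TYPE_WITHOUT_SECTION",
                         f"Auth-Type forced to {t.forced_auth_type!r} in authorize but no "
                         "matching entry exists in authenticate; remove the update control "
                         "block and let pap check the password ldap returns"))
    if t.rejected and not findings:
        findings.append(("UNEXPLAINED_REJECT", "Access-Reject without a recognised cause"))
    return findings


if __name__ == "__main__":
    for name, sample in (("reject", SAMPLE_REJECT), ("accept", SAMPLE_ACCEPT)):
        print(name, [code for code, _ in diagnose(parse_debug(sample))])
```

Run it against a real transcript by feeding the captured `freeradius -X` output to `parse_debug`; the `rcodes` map alone usually shows where the request went wrong before the Post-Auth-Type REJECT block is reached.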