Project

General

Profile

Actions

Bug #13404

closed

LDAP authentication does not working

Added by Ettore Caprella about 2 months ago. Updated 30 days ago.

Status:
Not a Bug
Priority:
Normal
Assignee:
-
Category:
FreeRADIUS
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
2.6.0
Affected Plus Version:
Affected Architecture:
amd64

Description

Hi all,
has anyone encountered this particular issue with Freeradius3 0.15.7_33 with LDAP when a user tries to authenticate using username/password?
(0) Login incorrect (Failed retrieving values required to evaluate condition): [ettore] (from client localhost port 0)

Since I have a standalone instance of freeradius that works well I modified manually the file /usr/local/etc/raddb/sites-enabled/default and, using the same configuration I have on the standalone instance, everything works fine.

Attached you can find the original virtual-server-default.conf and the patched one and you can easily find the diffs.

In the mods-available/ldap file there is a comment with the instructions to use in order to configure the ldap authentication/authorization: these instructions are not present in the original virtual-server-default.conf in the authorize section.

        #  Note: set_auth_type was removed in v3.x.x
        #
        #  Equivalent functionality can be achieved by adding the
        #  following "if" statement to the authorize {} section of
        #  the virtual server, after the "ldap" module.  For example:
        #
        #    ...
        #    ldap
        #    if ((ok || updated) && User-Password && !control:Auth-Type) {
        #        update {
        #            control:Auth-Type := ldap
        #        }
        #    }
        #    ...
        #

In the patched virtual-server-default.conf I added these lines and I needed to comment some other instructions.

Of course I can propose a PR in order to build a valid virtual-server-default file for ldap authentication but I cannot figure out the impact on the other authentication mechanisms.


Files

bug-pfsense-freeradius-ldap-auth-ok.log (4.63 KB) bug-pfsense-freeradius-ldap-auth-ok.log Ettore Caprella, 08/11/2022 04:51 AM
virtual-server-default.conf.patched (3.67 KB) virtual-server-default.conf.patched Ettore Caprella, 08/11/2022 04:51 AM
ldap.conf (8.17 KB) ldap.conf Ettore Caprella, 08/11/2022 04:51 AM
virtual-server-default.conf (3.44 KB) virtual-server-default.conf Ettore Caprella, 08/11/2022 04:51 AM
bug-pfsense-freeradius-ldap-auth-fail.log (4.83 KB) bug-pfsense-freeradius-ldap-auth-fail.log Ettore Caprella, 08/11/2022 04:51 AM
Actions #1

Updated by Ettore Caprella about 2 months ago

I can add moreover that I don't have any admin privileges on the ldap server and the ldap doesn't store any password so, in order to authenticate the users, a successful bind is needed.

Actions #2

Updated by Kris Phillips about 1 month ago

Hello,

The virtual-server-default config file is generated from the webConfigurator in freeRADIUS. You shouldn't need to manually edit it and should only need to set the correct settings in the GUI. Are you stating that the options here in this config are not present in the UI?

Actions #3

Updated by Ettore Caprella about 1 month ago

Hello,
yes, I can't find the right options that allow me to configure ldap authentication when you don't have admin privileges on the ldap server or when the ldap server does not expose the user password.

I modified the virtual-server-default config generated from the webConfigurator only to find/test the correct configuration.

Actions #4

Updated by Kris Phillips 30 days ago

  • Status changed from New to Not a Bug

Ettore Caprella wrote in #note-3:

Hello,
yes, I can't find the right options that allow me to configure ldap authentication when you don't have admin privileges on the ldap server or when the ldap server does not expose the user password.

I modified the virtual-server-default config generated from the webConfigurator only to find/test the correct configuration.

Hello Ettore,

This issue is not a bug, as you're simply not using best practices for freeRADIUS, which I imagine is why this option is not exposed. The "solution" you are using is the "not recommended" workaround way of correcting the issue you're running into.

Per the documentation here: https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/antora/modules/howto/pages/modules/ldap/authentication.adoc

change the permissions of the LDAP credentials used so that FreeRADIUS can read the LDAP userPassword attribute

If you adjust the permissions of the bind user you're using, this should fix the issues you're having.

Actions

Also available in: Atom PDF