
Thread: Freeradius auth against Zimbra LDAP

  1. #1 addihetja (Iceland): Freeradius auth against Zimbra LDAP

    Hi,

    I have a Zimbra server (NE) up and running. I would like to configure freeradius to authenticate against Zimbra. What I'm trying to accomplish is to allow VPN clients to use their Zimbra login information to authenticate via VPN, using Zimbra LDAP.

    So far I have freeradius up and running but I'm having trouble using the ldap module.

    It is setup like so:
    ldap {
    #
    # Note that this needs to match the name in the LDAP
    # server certificate, if you're using ldaps.
    server = "mail.example.com"
    #identity = "cn=admin,o=My Org,c=UA"
    #password = mypass
    #basedn = "o=My Org,c=UA"
    userdn = "uid=zimbra,cn=admins,cn=zimbra"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    #base_filter = "(objectclass=radiusprofile)"
    I got the "userdn" line from zmlocalconfig.

    The question is: what ou, cn or uid should I be querying in LDAP?

  2. #2 (member from Warsaw)

    Quote Originally Posted by addihetja (post #1 above)
    Hi there,
    I recommend using freeradius2, which works great with Zimbra's LDAP. You can then use:

    server = "mail.example.com"
    identity = "uid=zimbra,cn=admins,cn=zimbra"
    password = password for zimbra user, as Zimbra does not allow anonymous ldap queries
    basedn = "dc=example,dc=com"
    filter = "(uid=%{mschap:User-Name:-%{User-Name}})"

    I would also suggest that you use the base_filter option to filter users and password_attribute to check the password.
    Remember to use freeradius accounting for VPN as it will not work without it.

    Hope that helps

  3. #3 addihetja

    Thanks.

    I'm using freeradius (2.1.8) with these settings:

    server = "192.168.80.1"
    identity = "uid=zimbra,cn=admins,cn=zimbra"
    password = "mypass"
    #also tried password = mypass
    basedn = "dc=com"
    #also tried basedn = "dc=example dc=com"
    #also tried basedn = "dc=mail,dc=example dc=com"
    filter = "(uid=%{mschap:User-Name:-%{User-Name}})"
    #also tried filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

    When I test, radiusd -X gives me:
    rad_recv: Access-Request packet from host 192.168.80.1 port 62140, id=247, length=57
    User-Name = "admin"
    User-Password = "adminpass"
    NAS-IP-Address = 192.168.80.1
    NAS-Port = 1812
    +- entering group authorize {...}
    ++[preprocess] returns ok
    [auth_log] expand: /opt/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /opt/local/var/log/radius/radacct/192.168.80.1/auth-detail-20100601
    [auth_log] /opt/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /opt/local/var/log/radius/radacct/192.168.80.1/auth-detail-20100601
    [auth_log] expand: %t -> Tue Jun 1 12:13:39 2010
    ++[auth_log] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    [suffix] No '@' in User-Name = "admin", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++[unix] returns updated
    ++[files] returns noop
    [ldap] performing user authorization for admin
    [ldap] expand: %{Stripped-User-Name} ->
    [ldap] ... expanding second conditional
    [ldap] expand: %{User-Name} -> admin
    [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=admin)
    [ldap] expand: dc=com -> dc=com
    [ldap] ldap_get_conn: Checking Id: 0
    [ldap] ldap_get_conn: Got Id: 0
    [ldap] performing search in dc=com, with filter (uid=admin)
    [ldap] looking for check items in directory...
    [ldap] looking for reply items in directory...
    WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
    [ldap] user admin authorized to use remote access
    [ldap] ldap_release_conn: Release Id: 0
    ++[ldap] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    ++[pap] returns updated
    Found Auth-Type = PAP
    +- entering group PAP {...}
    [pap] login attempt with password "adminpass"
    [pap] Using CRYPT encryption.
    [pap] Passwords don't match
    ++[pap] returns reject
    Failed to authenticate the user.
    Using Post-Auth-Type Reject
    +- entering group REJECT {...}
    [attr_filter.access_reject] expand: %{User-Name} -> admin
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 1 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 1
    Sending Access-Reject of id 247 to 192.168.80.1 port 62140
    Waking up in 4.9 seconds.
    Cleaning up request 1 ID 247 with timestamp +413
    Ready to process requests.

    What I read from the log is that the user is accepted but somehow rejected.

    zmlocalconfig reports "search base" as empty. Isn't that the same property as basedn?
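    The transcript above can be read mechanically, and two things in it decide the outcome: rlm_ldap found the entry but returned no password attribute ("No 'known good' password"), and the Crypt-Password that PAP then compared came from rlm_unix, which in FreeRADIUS 2.x adds a Crypt-Password from the local password database when it returns "updated" in authorize. The following Python script is an added example, not code from this thread, from FreeRADIUS or from Zimbra: it scans a radiusd -X transcript for those deciding lines and also sanity-checks a basedn string for the missing-comma form tried in post #3 ("dc=example dc=com"). The embedded sample is the relevant lines copied from the transcript above; the DN check is a heuristic, not a full RFC 4514 parser.

```python
import re

# Constructed sample: the decisive lines from the radiusd -X transcript in post #3.
SAMPLE_DEBUG = """\
++[unix] returns updated
++[files] returns noop
[ldap] performing user authorization for admin
[ldap] expand: dc=com -> dc=com
[ldap] performing search in dc=com, with filter (uid=admin)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user admin authorized to use remote access
++[ldap] returns ok
++[pap] returns updated
Found Auth-Type = PAP
[pap] Using CRYPT encryption.
[pap] Passwords don't match
++[pap] returns reject
"""

DN_ATTR = r"[A-Za-z][A-Za-z0-9-]*"  # attribute type as in RFC 4514 (OID form not handled)


def split_unescaped(text, sep):
    """Split on sep while honouring backslash escapes, so 'o=Acme\\, Inc' stays one RDN."""
    parts, cur, escaped = [], [], False
    for ch in text:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def check_dn(dn):
    """Heuristic sanity check of a base DN; returns (ok, reason)."""
    if dn == "":
        return True, "empty base DN: search starts at the directory root"
    for rdn in split_unescaped(dn, ","):
        if "=" not in rdn:
            return False, f"RDN {rdn!r} has no '='"
        attr, value = rdn.split("=", 1)
        if not re.fullmatch(DN_ATTR, attr.strip()):
            return False, f"bad attribute type in {rdn!r}"
        if not value.strip():
            return False, f"empty value in {rdn!r}"
        # 'dc=example dc=com': a second 'attr=' inside one value means a comma is missing
        if re.search(r"\s" + DN_ATTR + "=", value):
            return False, f"{rdn!r} looks like two RDNs with the comma missing"
    return True, "well-formed"


def analyze_debug(text):
    """Pull the outcome-deciding facts out of a radiusd -X transcript."""
    f = {}
    f["ldap_password_found"] = 'No "known good" password' not in text
    f["unix_supplied_check_item"] = "++[unix] returns updated" in text
    m = re.search(r"Found Auth-Type = (\S+)", text)
    f["auth_type"] = m.group(1) if m else None
    m = re.search(r"\[pap\] Using (\S+) encryption", text)
    f["pap_hash"] = m.group(1) if m else None
    m = re.search(r"performing search in (.*?), with filter (\(.*\))", text)
    f["search_base"], f["filter"] = (m.group(1), m.group(2)) if m else (None, None)
    f["rejected"] = "returns reject" in text
    return f


def diagnose(findings):
    """Turn the findings into plain-language reasons for a reject."""
    reasons = []
    if findings["rejected"] and not findings["ldap_password_found"]:
        reasons.append("rlm_ldap returned no password attribute, so nothing from LDAP was compared")
    if findings["unix_supplied_check_item"] and findings["pap_hash"] == "CRYPT":
        reasons.append("the Crypt-Password PAP compared came from rlm_unix (local password database), not LDAP")
    if findings["search_base"] is not None:
        ok, why = check_dn(findings["search_base"])
        if not ok:
            reasons.append(f"basedn problem: {why}")
    return reasons


if __name__ == "__main__":
    found = analyze_debug(SAMPLE_DEBUG)
    for line in diagnose(found):
        print("-", line)
    for dn in ("dc=example,dc=com", "dc=example dc=com", "dc=mail,dc=example dc=com"):
        print(dn, "->", check_dn(dn))
```

    Run against the sample it reports both reasons, and it flags the two basedn variants written without a comma. The practical reading is the one the reply in post #2 already points at: either let rlm_ldap return the password attribute (password_attribute, with a bind identity allowed to read it) so PAP has an LDAP value to compare, or have the user authenticated by an LDAP bind instead of by PAP; with neither in place, the only check item present is the local one rlm_unix supplied.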

  4. #4 (member from Baltimore)

    How are you testing? With radtest?

  5. #5 addihetja

    Yes. I'm using radtest and authenticating perfectly against the users.conf file, but not against the LDAP users.
