I recently had to integrate FreeRADIUS with a Secure LDAP (LDAPS, or LDAP over SSL) service running in Azure cloud. This post is an attempt to consolidate all the steps that were required to make it work successfully.
Introduction to LDAPS
LDAP (Lightweight Directory Access Protocol) traffic uses TCP and UDP port 389 and is unencrypted by default. LDAPS, on the other hand, uses TCP port 636 and encrypts communication between client and server.
LDAP uses bind operation to authenticate users. It can either use simple bind, which means username & password are sent unencrypted, or SASL (simple authentication and security layer), which provides several authentication methods like MD5, Kerberos etc.
For encryption LDAP can either use LDAPS or StartTLS. StartTLS is the preferred encryption method that works with LDAP while LDAPS is deprecated.
FreeRADIUS can use LDAP as an authentication oracle, meaning FreeRADIUS passes authentication credentials to LDAP, and LDAP returns a pass/fail response. FreeRADIUS can then generate an Access-Accept or Access-Reject packet based on that. A method to make LDAP work with CHAP/MS-CHAT/PEAP is documented here, but it only works with cleartext passwords.
Integration Parameters
We will be using LDAP “bind as user” with simple bind instead of SASL. As my customer was using LDAPS so this guide is based on that.
FreeRADIUS Installation
I recommend using FreeRADIUS v3.0.17. Version 3.0.15 and some older versions have a bug where during LDAP authentication FreeRADIUS server crashes with a “segment fault” error.
The is the procedure to install FreeRADIUS on Ubuntu 16.04.5 LTS with the dependencies required to compile FreeRADIUS with LDAP support:
apt-get install libssl-dev libtalloc-dev libkqueue-dev build-essential libmysqlclient-dev libgcrypt11-dev libldap2-dev ldap-utils
git clone https://github.com/FreeRADIUS/freeradius-server.git
cd freeradius-server
git checkout release_3_0_17
./configure
make
make installAt this point you should be able to successfully run FreeRADIUS in debug mode using the following command:
radiusd -XLDAPS Setup
Before configuring LDAPS in FreeRADIUS we should first test it locally using ldapsearch utility (for Linux) or ldp.exe (for Windows).
You might need to add your server’s certificate to the Trusted Root Certification Authorities’ store. On Linux, you would need to convert .pfx certificates .crt format. It can be done using this command:
openssl pkcs12 -in [certificate.pfx] -clcerts -nokeys -out [certificate.crt] After conversion, place your .crt certificate file in /usr/share/ca-certificates/extra/ directory:
mkdir /usr/share/ca-certificates/extra
cp [certificate.crt] /usr/share/ca-certificates/extra/certificate.crt
dpkg-reconfigure ca-certificatesThe dpkg-reconfigure ca-certificates command will run an interactive wizard where you’ll need to select your newly added certificate to add it to CA certificate configuration.
Now you can use ldapsearch to connect to LDAPS. Assuming the domain for which you’re setting this up is example.com, and the LDAPS server is located at ldaps.example.com:
ldapsearch -H ldaps://ldaps.example.com:636 -x -D <username>@example.com -w <password> -b "DC=example,DC=com" -a always "(objectClass=User)" cnAnother useful command to verify user credentials is ldapwhoami:
ldapwhoami -v -H ldaps://ldaps.example.com:636 -D <username>@example.com -x -w <password>If there are any issues in connectivity at this point you would need to troubleshoot them. If it connects successfully it means we are ready to setup FreeRADIUS for LDAPS.
LDAPS on FreeRADIUS
FreeRADIUS certificates are stored in raddb/certs directory. We need to convert our .pfx certificate to .pem format and place that certificate in raddb/certs directory:
openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.pem
mkdir /usr/local/etc/raddb/certs/ldaps
cp certificate.pem /usr/local/etc/raddb/certs/ldapsEnable LDAP module in FreeRADIUS like this:
cd /usr/local/etc/raddb/mods-enabled
ln -s ../mods-available/ldap ldapOpen LDAP’s configuration file for editing:
nano /usr/local/etc/raddb/mods-available/ldapConfigure LDAP module like this:
ldap {
server = 'ldaps://ldaps.example.com'
port = 636
# Login credentials for a special user for FreeRADIUS which has the required permissions
identity = <username>@example.com
password = <password>
base_dn = 'DC=example,DC=com'
user {
# Comment out the default filter which uses uid and replace that with samaccountname
#filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
filter = "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
}
tls {
ca_file = /usr/local/etc/raddb/certs/ldaps/publiccert.pem
}
}Save the file and exit.
Virtual Server Configuration
Open the configuration file for default virtual server:
nano /raddb/sites-available/defaultIn authorize section locate ldap and add the following code:
-ldap
if ((ok || updated) && User-Password) {
update {
control:Auth-Type := ldap
}
}Uncomment this in authenticate section:
Auth-Type LDAP {
ldap
}Save and exit.
Testing
Open FreeRADIUS in debug mode using radiusd -X. If FreeRADIUS in unable to start and displays an error, check the debug output for error details and troubleshoot accordingly. Once it starts successfully, open another session to the server and use radtest utility to test authentication:
radtest <username> <password> localhost -0 testing123If everything goes well you should receive an Accept-Accept packet, indicating that FreeRADIUS is successfully integrated with LDAPS.
Спасибо
And what about using MSCHAP?
Please check this link
This config doesn’t work. radtest succeeds but eapol_test does not. AADDS does not allow the userPassword field to be accessible, there is no auth on behalf phase so it never auths.
It only works with PAP, which is not very practical, I have to admit.
add :
apt install gcc libcrypto-dev for ubuntu 20.04
😉
Thanks!
Hi,
I did excactly the same, (ok i had an issue with libcrypted11, but it in the end installed all) but i receive always this error during radiusd -X, any ideas why?
rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
rlm_ldap (ldap): Connecting to ldaps://ldaps.xxx.qqq:636
TLS: can’t connect: (unknown error code).
rlm_ldap (ldap): Bind with CN=Salih,OU=AADDC Users,DC=xxx,DC=qqq to ldaps://ldaps.xxx.qqq:636 failed: Can’t contact LDAP server
rlm_ldap (ldap): Opening connection failed (0)
rlm_ldap (ldap): Removing connection pool
/usr/local/etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module “ldap”
Are you able to connect to LDAP server and authenticate using ldapsearch?
Yes i am. Meanwhile I got the hint from freeradius support:
# Certificate Verification requirements. Can be:
# ‘never’ (do not even bother trying)
# ‘allow’ (try, but don’t fail if the certificate
# cannot be verified)
# ‘demand’ (fail if the certificate does not verify)
# ‘hard’ (similar to ‘demand’ but fails if TLS
# cannot negotiate)
#
# The default is libldap’s default, which varies based
# on the contents of ldap.conf.
require_cert = ‘never’
Other question: I want to use this as authentication for Windows 10/macOS and Smartphones. Currently I just can test Windows 10 and for this i got the message:
(178) mschap: ERROR: FAILED: No NT-Password. Cannot perform authentication
(178) mschap: ERROR: MS-CHAP2-Response is incorrect
and also the warning:
(178) ldap: WARNING: No “known good” password added. Ensure the admin user has permission to read the password attribute
(178) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
I checked the link above but I didn’t understand this.
In general, is this possible or not?
You can check out this blog post for G Suite integration, perhaps the configs mentioned here will help.
I’ve Tried your config using ubuntu 18 and I run into the following issue everytime
lm_ldap (ldap): Failed setting connection option new TLS context: Unknown error
rlm_ldap (ldap): Opening connection failed (0)
rlm_ldap (ldap): Removing connection pool
/etc/freeradius/mods-enabled/ldap[1]: Instantiation failed for module “ldap”
ldapsearch works on port 636 but I can’t get freeradius to connect
Hello, i have followed the tutorial but seems i can not connect to google ldap.
Freeradius says:
Error: rlm_ldap (ldap): Failed setting connection option new TLS context: Unknown error
Sat Apr 3 10:21:37 2021 : Debug: rlm_ldap: Closing libldap handle 0x55fc4f964ec0
Sat Apr 3 10:21:37 2021 : Error: rlm_ldap (ldap): Opening connection failed (0)
Sat Apr 3 10:21:37 2021 : Debug: rlm_ldap (ldap): Removing connection pool
Sat Apr 3 10:21:37 2021 : Error: /etc/freeradius/3.0/mods-enabled/ldap[8]: Instantiation failed for module “ldap”
and ldapsearch
ldapsearch -H ldaps://ldap.google.com:636 -x -D username -w mysecretpassword -b “DC=example,DC=it” -a always “(objectClass=User)” cn
ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)
a simple ping to ldap.google.com works
do you have any idea ?
Hello, in your configuration, is
Auth-Type LDAP {
ldap
}
meanwhile there is such a note in the original configuration file
# We do NOT recommend using this. LDAP servers are databases.
# They are NOT authentication servers. FreeRADIUS is an
# authentication server, and knows what to do with authentication.
# LDAP servers do not.
I understand that ldaps 636 forces encryption… could you explain it? very much please 🙂
I also don’t recommend using this :). However, if you have to use it, this is one method of making it happen.