Freeradius auth against Zimbra LDAP

[addihetja]

Hi,

I have a Zimbra server (NE) up and running. I would like to configure freeradius to authenticate against Zimbra. What I'm trying to accomplish is to allow VPN clients to use their Zimbra login information to authenticate via VPN, using Zimbra LDAP.

So far I have freeradius up and running but I'm having trouble using the ldap module.

It is setup like so:

ldap {
#
# Note that this needs to match the name in the LDAP
# server certificate, if you're using ldaps.
server = "mail.example.com"
#identity = "cn=admin,o=My Org,c=UA"
#password = mypass
#basedn = "o=My Org,c=UA"
userdn = "uid=zimbra,cn=admins,cn=zimbra"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
#base_filter = "(objectclass=radiusprofile)"

I got the "userdn" line from zmlocalconfig.

The question is: what ou, cn or uid should I be querying in LDAP?

[ddrazyk]

Hi,

I have a Zimbra server (NE) up and running. I would like to configure freeradius to authenticate against Zimbra. What I'm trying to accomplish is to allow VPN clients to use their Zimbra login information to authenticate via VPN, using Zimbra LDAP.

So far I have freeradius up and running but I'm having trouble using the ldap module.

It is setup like so:

I got the "userdn" line from zmlocalconfig.

The question is: what ou, cn or uid should I be querying in LDAP?

Hi there,
I recommend using freeradius2 which works great with Zimbra's ldap. You then can use:

server = "mail.example.com"
identity = "uid=zimbra,cn=admins,cn=zimbra"
password = password for zimbra user, as Zimbra does not allow anonymous ldap queries
basedn = "dc=example,dc=com"
filter = "(uid=%{mschap:User-Name:-%{User-Name}})"

I would also suggest that you use base_filter option to filter users and password_attribute to check for password.
Remember to use freeradius accounting for VPN as it will not work without it.

Hope that helps

[addihetja]

Thanks.

I'm using freeradius (2.1.8) with these settings:

server = "192.168.80.1"
identity = "uid=zimbra,cn=admins,cn=zimbra"
password = "mypass"
#also tried password = mypass
basedn = "dc=com"
#also tried basedn = "dc=example dc=com"
#also tried basedn = "dc=mail,dc=example dc=com"
filter = "(uid=%{mschap:User-Name:-%{User-Name}})"
#also tried filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

When I test, radiusd -X gives me:

rad_recv: Access-Request packet from host 192.168.80.1 port 62140, id=247, length=57
User-Name = "admin"
User-Password = "adminpass"
NAS-IP-Address = 192.168.80.1
NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /opt/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /opt/local/var/log/radius/radacct/192.168.80.1/auth-detail-20100601
[auth_log] /opt/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /opt/local/var/log/radius/radacct/192.168.80.1/auth-detail-20100601
[auth_log] expand: %t -> Tue Jun 1 12:13:39 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "admin", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
++[files] returns noop
[ldap] performing user authorization for admin
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> admin
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=admin)
[ldap] expand: dc=com -> dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=com, with filter (uid=admin)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user admin authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "adminpass"
[pap] Using CRYPT encryption.
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> admin
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 247 to 192.168.80.1 port 62140
Waking up in 4.9 seconds.
Cleaning up request 1 ID 247 with timestamp +413
Ready to process requests.

What I read from the log is that the user is accepted but somehow rejected.

zmlocalconfig reports "search base" as empty. Isn't that the same property as basedn?

[bdial]

how are you testing? with radtest?

[addihetja]

Yes. I'm using radtest and authenticating perfectly against the users.conf file, but not against the LDAP users