OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: johnstonjs on November 10, 2019, 03:08:25 am

Title: FreeRADIUS LDAP Authentication
Post by: johnstonjs on November 10, 2019, 03:08:25 am
Has anyone had success with using LDAP authentication for FreeRADIUS?  If I create FreeRADIUS users using the OPNSense GUI, then I can successfully authenticate to an IPSec VPN and WiFi.  However, if I configure FreeRADIUS to point to my OpenLDAP server, I receive the following error:

Code:
Auth: (5) Login incorrect (mschap: FAILED: No NT/LM-Password. Cannot perform authentication): [user1]

Reviewing the configuration settings on OPNSense for FreeRADIUS, it appears that it may be configured to use MSCHAPv2 and NT or LM password hashes.  I'm exclusively using SSHA password hashes on my OpenLDAP server, so this may be the source of the problem.

Relevant contents of /usr/local/etc/raddb/mods-enabled/ldap
Code:
...
update {
    ...
    control: LM-Password                   := 'lmPassword'
    control: NT-Password                   := 'ntPassword'
    control: LM-Password                   := 'sambaLmPassword'
    control: NT-Password                   := 'sambaNtPassword'
    control: LM-Password                   := 'dBCSPwd'
    control: Password-With-Header          += 'userPassword'

It doesn't seem like there's any way to change these settings in the OPNSense GUI.

My OpenLDAP configuration works for authentication with OPNSense itself in the System-Access-Servers settings.  The detailed configurations for my OpenLDAP server are described here: https://github.com/johnstonjs/easyldap (https://github.com/johnstonjs/easyldap)

The settings within the Services-FreeRADIUS-LDAP settings are (anonymized):
Code:
Protocol Type: LDAPS
Server: ldap.example.com
Bind User: cn=radius,ou=Clients,dc=example,dc=com
Base DN: ou=People,dc=example,dc=com
User Filter: (uid=%{%{Stripped-User-Name}:-%{User-Name}})
Group Filter: (objectClass=posixGroup)
Note: ou=Clients has the necessary permissions to read the LDAP database for Bind

I've spent a significant amount of time trying to understand the User Filter, and am concerned that may also be the source of the problem.  I've tried other filters used on my other LDAP authentication clients (Gitea, Nextcloud) that are more appropriate, such as:
Code:
(&(uid=%s)(memberOf=cn=radius,ou=Lists,dc=theshire,dc=me))
Where user1 is a member of cn=radius,ou=Lists.  Unfortunately, this filter (or variations on it) don't seem to work for FreeRADIUS.

Code:
Auth: (1) Invalid user (ldap: Unable to create filter): [user1]
Auth: (1) Login incorrect (ldap: Unable to create filter): [user1]

I'd greatly appreciate any insights, observations, or assistance.
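The "No NT/LM-Password" failure and the mods-enabled/ldap mapping quoted in the post above can be reproduced offline. What follows is an added example, not code from this thread, from the OPNsense FreeRADIUS plugin, or from FreeRADIUS itself. It shows why an entry whose only credential is an {SSHA} userPassword can satisfy PAP (the server receives the cleartext and recomputes the salted digest) but never MS-CHAPv2 (the server needs NT-Password, MD4 over the UTF-16LE password, which cannot be derived from an SSHA digest). The sample entries, the password "S3cret!" and the fixed salt are constructed for the demonstration; usable_methods() is an assumed model of how rlm_pap and rlm_mschap consume the attributes that the quoted mapping loads, not text taken from FreeRADIUS source.

```python
# Added example; not code from the forum post, the OPNsense plugin or FreeRADIUS.
# Models the quoted mods-enabled/ldap mapping: userPassword -> Password-With-Header
# (checked by rlm_pap), ntPassword/sambaNtPassword -> NT-Password (needed by
# rlm_mschap). With {SSHA}-only userPassword values PAP can be verified but
# MS-CHAPv2 cannot, which is the "No NT/LM-Password" error in the log line above.
import base64
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib.new('md4') is often unavailable under OpenSSL 3."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, additive constant, word order, shift amounts)
        (lambda x, y, z: (x & y) | (~x & z), 0, list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", bytes(msg[off:off + 64]))
        r = state[:]
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = (-i) % 4  # register rotation ABCD, DABC, CDAB, BCDA
                b, c, d = (r[(a + j) % 4] for j in (1, 2, 3))
                r[a] = _rotl((r[a] + fn(b, c, d) + X[k] + const) & MASK, shifts[i % 4])
        state = [(s + t) & MASK for s, t in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT-Password as MS-CHAPv2 needs it: MD4 over the UTF-16LE password.
    It can only be produced from the cleartext, never from an {SSHA} digest."""
    return md4(password.encode("utf-16-le"))


def ssha_make(password: str, salt=None) -> str:
    """OpenLDAP {SSHA} as stored in userPassword: base64(sha1(pw || salt) || salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored: str, password: str) -> bool:
    """What PAP can do with {SSHA}: it has the cleartext, so it recomputes the digest."""
    if not stored.startswith("{SSHA}"):
        return False
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    return hmac.compare_digest(digest, hashlib.sha1(password.encode() + salt).digest())


def usable_methods(entry: dict) -> set:
    """Inner methods the server can verify from one LDAP entry (assumed model that
    follows the quoted ldap mapping; not lifted from FreeRADIUS source)."""
    methods = set()
    if "ntPassword" in entry or "sambaNtPassword" in entry:
        methods |= {"PAP", "MS-CHAPv2"}  # rlm_pap and rlm_mschap both accept NT-Password
    pw = entry.get("userPassword", "")
    if pw:
        methods.add("PAP")  # rlm_pap understands {SSHA}, {SHA}, {CRYPT}, {clear}, ...
        if pw.startswith("{clear}") or not pw.startswith("{"):
            methods.add("MS-CHAPv2")  # rlm_mschap derives NT-Password from cleartext
    return methods


if __name__ == "__main__":
    # Constructed sample entry; fixed salt so the output is reproducible.
    user1 = {"uid": "user1", "userPassword": ssha_make("S3cret!", salt=b"\x00" * 8)}
    print("SSHA only        :", sorted(usable_methods(user1)))   # ['PAP']
    user1["sambaNtPassword"] = nt_hash("S3cret!").hex().upper()
    print("plus sambaNtPwd  :", sorted(usable_methods(user1)))   # ['MS-CHAPv2', 'PAP']
```

The practical consequence for the setup in the post: either the inner method has to be one that works with a one-way hash (PAP, or an EAP type that carries the cleartext to the server), or the directory has to hold an NT hash or cleartext for each user, which is what the sambaNtPassword/ntPassword attributes in the quoted mapping provide.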
Title: Re: FreeRADIUS LDAP Authentication
Post by: mimugmail on November 10, 2019, 06:58:17 am
Do you have a working config example for mschapv2? Then I can try to add it to the plugin :)
Title: Re: FreeRADIUS LDAP Authentication
Post by: johnstonjs on November 11, 2019, 01:08:00 am
Thanks for responding so quickly!

I do not have a working config example for mschapv2, and actually am concerned that it's being inadvertently implemented (hence the demand for NT/LM password hashes).

Let me see if I can build a working instance of FreeRADIUS on another system and provide you the config.

One thing that would be very useful to add to the plugin would be in-GUI selection and feedback for the LDAP configuration page.  The System-Access-Servers configuration page for LDAP servers actually conducts a login to the server and lets the user select a Base DN.  Even better would be to let us check the validity of our User and Group Filters and show the list of users/groups available based on each filter.

My programming skills are not much to speak of, but I'm open to helping do this if you can point me to the right sections in the source.
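The filter check asked for above can be prototyped offline. The script below is an added example, not code from this thread or from the OPNsense plugin: it expands the User Filter from the first post the way FreeRADIUS xlat syntax defines %{Attr} and the %{%{A}:-%{B}} alternation ("A if set, otherwise B"), escapes the substituted value as rlm_ldap does so a crafted User-Name cannot rewrite the filter, and rejects the Gitea/Nextcloud-style "(uid=%s)" template. Assumptions: only those two expansion forms are implemented, the request attribute values are constructed, and treating a bare single-letter %s as an error is this example's reading of the "ldap: Unable to create filter" log line, not a quote from FreeRADIUS.

```python
# Added example; not code from the forum post or the OPNsense plugin. Expands the
# FreeRADIUS-style User Filter offline and validates a template before it is saved.
# Assumption: a bare single-letter %s (a Gitea/Nextcloud placeholder) is treated as
# an error here, modelling "ldap: Unable to create filter".


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a filter. rlm_ldap escapes
    expanded values; without this a User-Name like '*)(uid=*' would alter the query."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def xlat(template: str, attrs: dict) -> str:
    """Expand %{Attr}, %{%{A}:-%{B}} and %% in a template against request attrs."""
    out, i = [], 0
    while i < len(template):
        if template[i] != "%":
            out.append(template[i])
            i += 1
        elif template.startswith("%%", i):
            out.append("%")
            i += 2
        elif template.startswith("%{", i):
            depth, j = 0, i + 1
            while j < len(template):  # find the brace matching this %{
                depth += {"{": 1, "}": -1}.get(template[j], 0)
                if depth == 0:
                    break
                j += 1
            if depth:
                raise ValueError("unbalanced %{ in filter")
            out.append(_expand(template[i + 2:j], attrs))
            i = j + 1
        else:  # assumed: unknown single-letter expansion such as %s
            raise ValueError("Unable to create filter: unknown expansion %%%s"
                             % template[i + 1:i + 2])
    return "".join(out)


def _expand(inner: str, attrs: dict) -> str:
    """Body of one %{...}: an attribute name, or an alternation A:-B at top level."""
    depth = 0
    for p in range(len(inner) - 1):
        depth += {"{": 1, "}": -1}.get(inner[p], 0)
        if depth == 0 and inner.startswith(":-", p):
            primary = xlat(inner[:p], attrs)
            return primary if primary else xlat(inner[p + 2:], attrs)
    return ldap_escape(attrs.get(inner, ""))


def build_user_filter(template: str, request: dict) -> str:
    """Expand a User Filter for one request; raises ValueError where rlm_ldap would refuse."""
    return xlat(template, request)


def filter_is_valid(template: str) -> bool:
    """Offline template check, the kind of validation the GUI could run on save."""
    try:
        xlat(template, {"User-Name": "probe"})
        return True
    except ValueError:
        return False


OPNSENSE_FILTER = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
GITEA_STYLE_FILTER = "(&(uid=%s)(memberOf=cn=radius,ou=Lists,dc=example,dc=com))"

if __name__ == "__main__":
    # Constructed requests: a plain login, a realm login where Stripped-User-Name
    # was set, and a hostile User-Name that must not change the filter structure.
    for req in ({"User-Name": "user1"},
                {"User-Name": "user1@example.com", "Stripped-User-Name": "user1"},
                {"User-Name": "*)(uid=*"}):
        print(build_user_filter(OPNSENSE_FILTER, req))
    print("OPNsense filter valid:", filter_is_valid(OPNSENSE_FILTER))     # True
    print("Gitea-style filter valid:", filter_is_valid(GITEA_STYLE_FILTER))  # False
```

With the realm example the alternation picks Stripped-User-Name, so the same template serves both bare and user@realm logins; the group membership condition from the Gitea filter would have to be written with %{User-Name} in place of %s to be expandable at all.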
Title: Re: FreeRADIUS LDAP Authentication
Post by: mimugmail on November 11, 2019, 05:55:36 am
Currently out of scope. But if you have a running setup I try to adopt it :)