Currently the radius configuration used by Zentyal 2.3 Community Beta is not compatible with Samba4.
The zentyal setup still assumes the following aspects about how user and group data is stored in the ldap database :
* users will have a objectClass of "posixAccount"
* users group membership will only be described in a separate ldap entry (and tree)
* groups are having a objectClass of "groupOfNames"
* that group objects are under a separate ldap tree : OU=Groups,blahblah
All of these assumptions are now wrong in Samba4.
Here is the reality:
A Group created by Zentyal 2.3 with Samba4
dn: CN=wifi,CN=Users,DC=zentyal,DC=domain
objectClass: group
objectClass: top
groupType: -2147483646
instanceType: 4
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=zentyal,DC=domain
cn: wifi
distinguishedName: CN=wifi,CN=Users,DC=zentyal,DC=domain
member: CN=Jane Doe,CN=Users,DC=zentyal,DC=domain
member: CN=John Doe,CN=Users,DC=zentyal,DC=domain
name: wifi
objectGUID:: Za9b4OfWRkKLAuU1/zPyrA==
objectSid:: AQUAAAAAAAUVAAAAllabmZd1SQdnd4y4UgQAAA==
sAMAccountName: wifi
sAMAccountType: 268435456
uSNChanged: 3660
uSNCreated: 3658
whenChanged: 20120317091826.0Z
whenCreated: 20120317091812.0Z
A User Created in Zentyal 2.3 with Samba4
dn: CN=John Doe,CN=Users,DC=zentyal,DC=domain
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: user
cn: John Doe
instanceType: 4
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=zentyal,DC=domain
accountExpires: 9223372036854775807
badPasswordTime: 0
badPwdCount: 0
codePage: 0
countryCode: 0
displayName: John Doe
distinguishedName: CN=John Doe,CN=Users,DC=zentyal,DC=domain
givenName: John
lastLogoff: 0
lastLogon: 0
logonCount: 0
memberOf: CN=wifi,CN=Users,DC=zentyal,DC=domain
name: John Doe
objectGUID:: 3qBTtpvCeUWpyrkUYBg8uA==
objectSid:: AQUAAAAAAAUVAAAAllabmZd1SQdnd4y4UAQAAA==
primaryGroupID: 513
pwdLastSet: 129764595980000000
sAMAccountName: johndoe
sAMAccountType: 805306368
sn: Doe
userAccountControl: 640
userPrincipalName: johndoe@zentyal.domain
uSNChanged: 3661
uSNCreated: 3650
whenChanged: 20120317120638.0Z
whenCreated: 20120317090353.0Z
I was forced to look into this since my wifi access is controlled by radius.
So when the recent update occured none of my users could authenticate anymore (since radius is configured to search with all the wrong parameters)
So far I have come up with this :
/etc/freeradius/modules/ldap
ldap {
server = "10.0.0.1"
identity = "CN=Administrator,CN=Users,DC=zentyal,DC=domain"
password = Zentyal1234
basedn = "dc=zentyal,dc=domain"
filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=CN=wifi,CN=Users,DC=zentyal,DC=domain))"
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
tls {
start_tls = no
}
access_attr = "msNPAllowDialin"
dictionary_mapping = ${confdir}/ldap.attrmap
edir_account_policy_check = no
}
However while running :
sudo freeradius -x
I see two things :
1. some posixGroup stuff being added to the search (i can't find where to delete this extra search stuff)
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
2. radius expects to find passwords in the ldap user object.
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
because these two things make the query fail i can't authenticat my users through radius for wifi access.
Topic: 2.3, Samba4 & Radius (Read 4385 times)