FreeRADIUS + LDAP + AADDS -> 'Failed retrieving values required to evaluate condition'
Intro
We use Azure Active Directory as our main Directory Service. We also have Azure Active Directory Domain Services running with LDAPS enabled. Let's Encrypt certificates are provided on that LDAPS server in the form of "aadds.domain.com" and "*.aadds.domain.com".
Works
- If we set up an Authentication Server under "System -> User Manager -> Authentication Server" and point it to the AADDS LDAPS endpoint and then test it via "Diagnostics -> Authentication", it works and we are able to connect to the AADDS LDAPS and even retrieve the user groups, which get properly mapped to pfSense 'remote' groups.
- If we install 'freeradius3' package and configure the proper NAS Client and add it also as an extra "System Authentication Server" and we test it with "Diagnostics -> Authentication" users created within 'freeradius3' package work and can be logged in.
Doesn't Work
If we try to set up an LDAP server within the 'freeradius3' package and enable it, pointing to the same AADDS LDAP server that works standalone under "System -> User Manager -> Authentication Server -> LDAP", things start to get tricky for us.
Our LDAP (freeradius3) setup from the UI is as follows:
Enable LDAP Support - Server 1
- LDAP Authorization Support: Enabled
- LDAP Authentication Support: Enabled
General Configuration - Server 1
- Server Address: aadds.domain.com
- Server Port: 636
- Identity: CN=user_with_access,OU=AADDC Users,DC=aadds,DC=domain,DC=com
- Password: user_with_access_password
- Base DN: OU=AADDC Users,DC=aadds,DC=domain,DC=com
- Filter: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
- Base Filter: (objectclass=user)
Scenarios:
For tests, if we change Filter to "(objectclass=user)" then we get the error "(0) Login incorrect (ldap: Ambiguous search result, returned XXX_Number_Entries unsorted entries (should return 1 or 0). Enable sorting, or specify a more restrictive base_dn, filter or scope): [loging_user (from client pfsenseAuthServer port 0)". This tells us that the bind is done properly, as the LDAP module is connecting to the AADDS LDAPS server and detecting the correct number of available "XXX_Number_Entries" among the AADDS users.
If we now go back to the filter we believe is the proper one, "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})", the error changes to "[(0) Login incorrect (Failed retrieving values required to evaluate condition): [loging_user (from client pfsenseAuthServer port 0)".
And we are stuck here. We've gone through the internet and tried a lot of possible scenarios, also those provided in the OPNsense docs, without success.
Can someone enlighten us and tell us what we are doing wrong? Also in the same direction, how will the group membership be set? Similar configurations that work in "System Authentication Servers -> LDAP" don't seem to apply as expected in the 'freeradius3' package LDAP server connector; for example, to attach groups such as 'pf-vpn-user' from the example response below.
Notes
If we use Windows "ldp.exe" tool to connect to the AADDS LDAP server, a response for a user will be of the style,
Expanding base 'CN=loging_user,OU=AADDC Users,DC=aadds,DC=domain,DC=com'...
Getting 1 entries:
Dn: CN=loging_user,OU=AADDC Users,DC=aadds,DC=domain,DC=com
accountExpires: 9223372036854775807 (never);
badPasswordTime: 26/01/2024 08:29:48 W. Europe Standard Time;
badPwdCount: 1;
cn: loging_user;
codePage: 0;
countryCode: 0;
displayName: loging_user;
distinguishedName: CN=loging_user,OU=AADDC Users,DC=aadds,DC=domain,DC=com;
dSCorePropagationData: 0x0 = ( );
employeeID: loging_user;
givenName: loging_user;
instanceType: 0x4 = ( WRITE );
lastLogonTimestamp: 24/01/2024 19:27:22 W. Europe Standard Time;
memberOf (6): CN=pf-vpn-user,OU=AADDC Users,DC=aadds,DC=domain,DC=com; ...
msDS-aadObjectId: 78452ede-0cf5-40b8-9ae9-4ae85eae4556;
msDS-AzureADMailNickname: loging_user;
msDS-generationSeq: 0;
name: loging_user;
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=aadds,DC=domain,DC=com;
objectClass (4): top; person; organizationalPerson; user;
objectGUID: 6d8f1d4b-4cc9-494c-b33f-5499e6c458692;
objectSid: S-1-5-21-3910772815-2119383665-2056123695-1250;
primaryGroupID: 513 = ( GROUP_RID_USERS );
pwdLastSet: 25/01/2024 18:58:44 W. Europe Standard Time;
sAMAccountName: loging_user;
sAMAccountType: 805306368 = ( NORMAL_USER_ACCOUNT );
sn: loging_user;
userAccountControl: 0x220 = ( PASSWD_NOTREQD | NORMAL_ACCOUNT );
userPrincipalName: loging_user@domain.com;
uSNChanged: 4040563;
uSNCreated: 3994969;
whenChanged: 25/01/2024 18:59:01 W. Europe Standard Time;
whenCreated: 23/01/2024 21:09:43 W. Europe Standard Time;
Thank you very much !
Sorry if this is a trivial question. Any help is welcome :)
Roger.
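Added example, not code from the post above or from the pfSense/FreeRADIUS projects: an offline model of the two pieces the post is debugging, the FreeRADIUS-style filter expansion `(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})` and the group membership that comes back in `memberOf`. It uses only the Python standard library; the ldp.exe-style dump and the group `example-group` are constructed sample data, and the `:-` fallback expansion and the "exactly 0 or 1 entries" rule are modelled from the error text quoted in the post, not taken from rlm_ldap's source.

```python
# Added example (not from the original post, pfSense or FreeRADIUS):
# an offline model of FreeRADIUS-style filter expansion and of parsing an
# ldp.exe entry dump for group membership. Sample values are constructed.
import re
from typing import Dict, List

# --- 1. Filter expansion with RFC 4515 escaping ------------------------------

def ldap_filter_escape(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside an assertion value.

    Without this, a RADIUS User-Name such as "*)(objectClass=*" would change
    the meaning of the search filter (LDAP filter injection). The check here
    reproduces the escaping a RADIUS server must apply before putting a
    user-supplied name into 'filter'.
    """
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


# Innermost %{...} reference: either an attribute name or the "A:-B" fallback
# form used by the filter on the page (use A if it is non-empty, otherwise B).
_INNER = re.compile(r"%\{([^{}]*)\}")

def expand_filter(template: str, attrs: Dict[str, str]) -> str:
    """Expand a FreeRADIUS-style xlat template such as
    "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})".

    Toy limitation: only attribute references and the ':-' fallback are
    handled, and attribute values containing ':-', '{' or '}' are not."""
    def substitute(m) -> str:
        body = m.group(1)
        if ":-" in body:
            primary, fallback = body.split(":-", 1)
            return primary if primary else fallback
        return ldap_filter_escape(attrs.get(body, ""))

    previous = None
    while previous != template:          # repeat until no %{...} is left
        previous, template = template, _INNER.sub(substitute, template)
    return template


# --- 2. Parsing an ldp.exe dump and checking group membership ----------------

_ATTR_LINE = re.compile(r"^([A-Za-z][\w-]*)(?: \(\d+\))?: (.*)$")

def parse_ldp_entry(dump: str) -> Dict[str, List[str]]:
    """Turn the 'attribute (n): v1; v2;' lines of an ldp.exe dump into a dict.
    Header lines such as 'Expanding base ...' or 'Getting 1 entries:' are skipped."""
    entry: Dict[str, List[str]] = {}
    for raw in dump.splitlines():
        m = _ATTR_LINE.match(raw.strip())
        if not m:
            continue
        name, values = m.groups()
        entry[name] = [v.strip() for v in values.rstrip(";").split(";") if v.strip()]
    return entry


_FIRST_RDN = re.compile(r"^CN=((?:\\.|[^,])+)", re.IGNORECASE)

def group_names(entry: Dict[str, List[str]]) -> List[str]:
    """Return the CN of every group DN in memberOf (the name a 'remote' group
    such as pf-vpn-user would be matched on)."""
    names = []
    for dn in entry.get("memberOf", []):
        m = _FIRST_RDN.match(dn)
        if m:
            names.append(m.group(1))
    return names


def authorize(entries: List[Dict[str, List[str]]], required_group: str) -> str:
    """Apply the rule quoted in the post's error: a user search must return
    exactly 0 or 1 entries. Returns 'ambiguous', 'notfound', 'denied' or 'allowed'."""
    if len(entries) > 1:
        return "ambiguous"      # the "Ambiguous search result" case on the page
    if not entries:
        return "notfound"
    return "allowed" if required_group in group_names(entries[0]) else "denied"


# Constructed sample in the ldp.exe layout shown in the post (not real data).
SAMPLE_DUMP = """\
Expanding base 'CN=loging_user,OU=AADDC Users,DC=aadds,DC=domain,DC=com'...
Getting 1 entries:
Dn: CN=loging_user,OU=AADDC Users,DC=aadds,DC=domain,DC=com
memberOf (2): CN=pf-vpn-user,OU=AADDC Users,DC=aadds,DC=domain,DC=com; CN=example-group,OU=AADDC Users,DC=aadds,DC=domain,DC=com;
objectClass (4): top; person; organizationalPerson; user;
sAMAccountName: loging_user;
userPrincipalName: loging_user@domain.com;
"""

if __name__ == "__main__":
    attrs = {"User-Name": "loging_user@domain.com", "Stripped-User-Name": "loging_user"}
    print(expand_filter("(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})", attrs))
    entry = parse_ldp_entry(SAMPLE_DUMP)
    print(group_names(entry), authorize([entry], "pf-vpn-user"))
```

Running it prints the filter the server would actually receive for the given request attributes, which is a quick way to confirm that the expansion yields a single-user filter rather than the class-wide `(objectclass=user)` one that triggers the ambiguity error. Paste a real ldp.exe dump into `SAMPLE_DUMP` to see which group CNs a group check would compare against.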