Closed. lcgogo closed this issue 4 years ago.
@hacor
I tested the Google LDAP crt and key:

```
LDAPTLS_CERT=Google_2023_11_10_26079.crt LDAPTLS_KEY=Google_2023_11_10_26079.key ldapsearch -H ldaps://ldap.google.com:636 -b dc=mycompany,dc=com '(uid=lcgogo)'
```

and the printout is OK.
@lcgogo
From what I read in your logs and description of the problem, I think you didn't enter the correct access credentials for Google LDAP. It seems Google declines your LDAP access request. The certificates are one side of the security, but the Google-generated username and password are the second.
Are you sure that the environment values `GOOGLE_LDAP_USERNAME` and `GOOGLE_LDAP_PASSWORD` are correctly provided? Those are used when connecting to Google LDAP aside from the certificates. That's why the ldapsearch command functions perfectly.
You can find this username and password in Google Admin -> Apps -> Secure LDAP -> your-name -> Authentication -> Access credentials
Hope you can get this to work.
Many thanks. I have checked GOOGLE_LDAP_USERNAME and GOOGLE_LDAP_PASSWORD, but the issue is the same.
I read the Google LDAP Audit Log and found error code 50, as in the guide description below:
https://support.google.com/a/answer/9167101?hl=en

> INSUFFICIENT_ACCESS_RIGHTS (50)
> - Returned when the Secure LDAP service is OFF for the LDAP client
> - Returned when the customer is not licensed to use the Secure LDAP service
> - Returned when the Bind request specifies a user that is not licensed to use Secure LDAP
> - Returned when the Bind request specifies a user that is disabled
> - Returned when a subsequent Bind request (rebind) specifies a user that doesn't belong to an organizational unit that's enabled for authentication in the Secure LDAP configuration
> - Returned when a SIMPLE Bind request specifies no credentials (unauthenticated)
Which Google G Suite edition do you use? I think my G Suite edition is G Suite Basic, which has no Secure LDAP feature according to the guide:
https://support.google.com/a/answer/9048516?hl=en&ref_topic=9048334

> About the Secure LDAP service. Supported editions for this feature: Business Plus; Enterprise; Education and Enterprise for Education. Compare your edition

But I'm confused why I can create a Secure LDAP crt and key without any notification in the Google console.
I don't think you have a basic subscription; for my company I also have a basic G Suite, and there I don't have the Secure LDAP service. This means the error should be related to wrongly configured access rights. Are you sure those are correct? (Hopefully you have the access to change those?)
I fear this issue is not related to this repo.
I don't find any permission settings for each user in the Secure LDAP configuration. I activated all the Secure LDAP permissions but meet the same issue.
I created another G Suite account with the Business Plus edition, with the Secure LDAP service activated, and the WiFi login is OK now.
Now I know why LDAP shows up in Apps even though I have the G Suite Basic edition only: I booked a subscription named Cloud Identity Premium, which makes Apps show LDAP. However, that LDAP is not a fully authorized one, so the LDAP audit log always shows Insufficient access.
@hacor Many thanks for your support! This repo gives me a great help.
FreeRADIUS can read my information but met the following error:

```
unifi-freeradius-ldap_1 | (1) ldap: Login attempt by "lcgogo"
unifi-freeradius-ldap_1 | (1) ldap: Using user DN from request "uid=lcgogo,ou=Dev,ou=Users,dc=mycompany,dc=com"
unifi-freeradius-ldap_1 | (1) ldap: Waiting for bind result...
unifi-freeradius-ldap_1 | (1) ldap: ERROR: Bind was not permitted: Insufficient access. Check the identity and password configuration directives
unifi-freeradius-ldap_1 | rlm_ldap (ldap): Released connection (7)
unifi-freeradius-ldap_1 | Need 1 more connections to reach min connections (3)
unifi-freeradius-ldap_1 | rlm_ldap (ldap): Opening additional connection (9), 1 of 30 pending slots used
unifi-freeradius-ldap_1 | rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
unifi-freeradius-ldap_1 | rlm_ldap (ldap): Waiting for bind result...
```

I used radtest like below to test:

```
radtest "lcgogo@mycompany.com" "mypassword" 127.0.0.1 0 "testing123"
```
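The thread's root cause was a licensing/authorization problem on the Google side that the FreeRADIUS log only reports as "Bind was not permitted: Insufficient access", while ldapsearch with the same certificate looked fine. The following triage script is an added example, not code from the unifi-freeradius-ldap project or from either participant: it reads rlm_ldap log lines like the ones quoted above (the sample is constructed from those lines), extracts each login attempt, the bind DN and the bind result, maps "Insufficient access" to LDAP resultCode 50 and attaches the causes Google documents for that code, and checks that the two credential environment variables the thread mentions are actually set. The log format assumed is exactly the one shown in the thread; the mapping table and the `GOOGLE_LDAP_*` variable names come from the thread as well.

```python
"""Triage FreeRADIUS rlm_ldap output for failed Google Secure LDAP binds.

Added example (not the project's own code). It does nothing on the network;
it post-processes debug log lines so that an operator can tell a bind
rejection apart from a certificate or connectivity problem.
"""
import re

# LDAP resultCode 50 (insufficientAccessRights) and the causes Google's
# support page lists for it, as quoted in the thread.
CAUSES_BY_CODE = {
    50: [
        "Secure LDAP service is OFF for the LDAP client",
        "customer is not licensed to use the Secure LDAP service",
        "bind user is not licensed to use Secure LDAP",
        "bind user is disabled",
        "rebind user is outside an OU enabled for authentication",
        "SIMPLE bind sent no credentials (unauthenticated)",
    ],
}

# Text rlm_ldap prints for a rejected bind, mapped to the LDAP result code.
BIND_ERROR_CODES = {"Insufficient access": 50}

# Environment variables the thread identifies as required besides the cert.
REQUIRED_ENV = ("GOOGLE_LDAP_USERNAME", "GOOGLE_LDAP_PASSWORD")

# Constructed sample: the lines quoted in the thread, one per line.
SAMPLE_LOG = """\
unifi-freeradius-ldap_1 | (1) ldap: Login attempt by "lcgogo"
unifi-freeradius-ldap_1 | (1) ldap: Using user DN from request "uid=lcgogo,ou=Dev,ou=Users,dc=mycompany,dc=com"
unifi-freeradius-ldap_1 | (1) ldap: Waiting for bind result...
unifi-freeradius-ldap_1 | (1) ldap: ERROR: Bind was not permitted: Insufficient access. Check the identity and password configuration directives
unifi-freeradius-ldap_1 | rlm_ldap (ldap): Released connection (7)
unifi-freeradius-ldap_1 | rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
"""

LOGIN_RE = re.compile(r'\((\d+)\) ldap: Login attempt by "([^"]+)"')
DN_RE = re.compile(r'\((\d+)\) ldap: Using user DN from request "([^"]+)"')
ERROR_RE = re.compile(r'\((\d+)\) ldap: ERROR: Bind was not permitted: ([^.]+)\.')


def missing_env(env):
    """Return the names from REQUIRED_ENV that are unset or empty in `env`."""
    return [name for name in REQUIRED_ENV if not env.get(name)]


def triage(lines):
    """Group rlm_ldap lines by request id and classify each bind attempt.

    Returns a list of dicts with user, bind_dn, error, result_code and
    likely_causes; result_code is None when the bind did not fail.
    """
    attempts = {}

    def entry(req_id):
        return attempts.setdefault(req_id, {
            "request": req_id, "user": None, "bind_dn": None,
            "error": None, "result_code": None, "likely_causes": [],
        })

    for raw in lines:
        # Drop the docker-compose service prefix ("service_1 | ") if present.
        line = raw.split(" | ", 1)[-1].strip()
        if m := LOGIN_RE.search(line):
            entry(m.group(1))["user"] = m.group(2)
        elif m := DN_RE.search(line):
            entry(m.group(1))["bind_dn"] = m.group(2)
        elif m := ERROR_RE.search(line):
            rec = entry(m.group(1))
            rec["error"] = m.group(2)
            code = BIND_ERROR_CODES.get(m.group(2))
            rec["result_code"] = code
            rec["likely_causes"] = CAUSES_BY_CODE.get(code, [])
    return list(attempts.values())


if __name__ == "__main__":
    import os
    for name in missing_env(os.environ):
        print(f"warning: {name} is not set; the bind will not carry credentials")
    for rec in triage(SAMPLE_LOG.splitlines()):
        print(f"request {rec['request']}: user={rec['user']} dn={rec['bind_dn']}")
        if rec["result_code"] is not None:
            print(f"  bind rejected with LDAP resultCode {rec['result_code']}: {rec['error']}")
            for cause in rec["likely_causes"]:
                print(f"  - {cause}")
```

Run it against `docker-compose logs` output piped through `triage(sys.stdin)` or, as shipped, against the embedded sample; a rejection that maps to code 50 points at the Google Admin side (licence, Secure LDAP state, OU access) rather than at the certificate, which is what ldapsearch already proved works.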