Greetings,

I'm new to the FreeRadius world, and frankly pretty new to
radius in general.  

My situation is this:  I have inherited a Netscape Directory
Server 4.11 using Solaris Extensions and dsradiusd for my
radius authentication.  We have added another dialup
provider to our existing services and this one requires CHAP
authentication and an Ascend-Data-Filter for SMTP blocking.

The documentation for dsradiusd is incredibly poor, so if it
can do what I now need it to, I have no real way of knowing.
(If someone knows and can put me out of my misery quick,
that would be ok too.)  Freeradius however does support
everything I need.  And while you say your documentation
needs work, it's far beyond the other projects I've looked
at recently.

I've managed to build and get running the freeradius server;
basic authentication works fine (bob account), but it fails
when I try LDAP authentication against my Netscape Directory
Server.  I believe the problem is that my LDAP server is set
up with remoteUser accounts, not posixAccounts, for the
objectClass.  Between looking at the code (rlm_ldap.c) and
the debug output, it appears to be attempting to rebind as
the login user.  

What do I need to change to get Freeradius to work with
remoteUsers instead of posixAccounts?  Am I on the right
path?  And thinking a little further ahead - is Freeradius
going to pull the proper attributes from the LDAP server to
forward to the NAS?

Thank you for your help!

Dave Vondracek
CTO, IntNet
[EMAIL PROTECTED]
PS - here are some of the config changes I've made, and
program outputs.

First DEFAULT in users (replaces system auth):

DEFAULT Auth-Type := LDAP
        Fall-Through = 1

Changes to radiusd.conf:
ldap {
        [ldap server info]
        filter = "(&(Objectclass=remoteUser)(uid=%u))"
        [...etc...]
}
authenticate {
#       pam
#       unix
        #chap
        pap
        ldap
#       mschap
#       eap
}


Radtest:
# radtest bob "bob" localhost:1245 1 testing123
Sending Access-Request of id 106 to 127.0.0.1:1245
        User-Name = "bob"
        User-Password = "-\016\001\353.\032\332f\336\n\373M\353\322\241\231"
        NAS-IP-Address = archimedes
        NAS-Port-Id = "1"
rad_recv: Access-Accept packet from host 127.0.0.1:1245, id=106, length=32
        Reply-Message = "Hello, bob"
# radtest test "test" localhost:1245 1 testing123
Sending Access-Request of id 111 to 127.0.0.1:1245
        User-Name = "test"
        User-Password = "\277\356\001\347T\226\354s\t\243\227\263\257L\343*"
        NAS-IP-Address = archimedes
        NAS-Port-Id = "1"
rad_recv: Access-Reject packet from host 127.0.0.1:1245, id=111, length=20


# /usr/local/sbin/radiusd -X -A
<SNIP>
rlm_ldap: - authenticate
rlm_ldap: login attempt by "test" with password "test"
radius_xlat:  '(&(Objectclass=remoteUser)(uid=test))'
radius_xlat:  'o=intnet.net'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ds1.intnet.net:389, authentication 0
rlm_ldap: bind as uid=ADMIN,ou=People,o=intnet.net/ADMINPASSWORD
rlm_ldap: waiting for bind result ...
request 1 done
rlm_ldap: performing search in o=intnet.net, with filter
(&(Objectclass=remoteUser)(uid=test))
request 2 done
ldap_release_conn: Release Id: 0
rlm_ldap: user DN: uid=test,ou=INO Dial Subscribers, o=intnet.net
rlm_ldap: (re)connect to ds1.intnet.net:389, authentication 1
rlm_ldap: bind as uid=test,ou=INO Dial Subscribers, o=intnet.net/test
rlm_ldap: waiting for bind result ...
request 1 done
rlm_ldap: uid=davetest,ou=INO Dial Subscribers, o=intnet.net
bind failed Inappropriate authentication
  modcall[authenticate]: module "ldap" returns fail
<SNIP>
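The `filter` line above expands `%u` (the RADIUS User-Name) straight into an LDAP search filter. Whatever escaping rlm_ldap applies on its own, the value that lands inside `(uid=...)` has to be escaped per RFC 4515, otherwise a NAS-supplied name containing `*`, `(` or `)` would change the meaning of the filter. The following is an added example (not FreeRADIUS code) that builds the post's filter with the user name escaped; `FILTER_TEMPLATE` is the filter string from the post, and the user names passed in are constructed.

```python
"""Escape a User-Name before substituting it into the post's rlm_ldap
search filter, following RFC 4515 section 3 (added example, not FreeRADIUS code)."""

# Characters RFC 4515 requires to be escaped inside an assertion value,
# each replaced by a backslash and its two-digit hex code.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# The filter from the post; %u is where rlm_ldap expands the User-Name.
FILTER_TEMPLATE = "(&(Objectclass=remoteUser)(uid=%u))"


def escape_filter_value(value: str) -> str:
    """Return `value` safe for use as an LDAP filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(user_name: str, template: str = FILTER_TEMPLATE) -> str:
    """Substitute the escaped user name for %u in the filter template."""
    return template.replace("%u", escape_filter_value(user_name))


if __name__ == "__main__":
    # Constructed sample names: a normal login and one carrying a wildcard
    # and a parenthesis, which stay literal after escaping.
    for name in ("test", "te*t", "bob)"):
        print(name, "->", build_filter(name))
```

With the escaping in place `te*t` is looked up as the literal string `te\2at` and matches exactly one uid, rather than being treated as a wildcard pattern.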
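The `radiusd -X` trace above is the key diagnostic, and it also shows why such traces need care before they are shared: rlm_ldap prints the administrative bind DN with its password (`bind as .../ADMINPASSWORD`) and the dial-up user's password (`with password "test"`) in clear text. The following is an added example, not part of the post or of FreeRADIUS, that pulls the structured facts out of such a trace (the filter, each DN bound as, the resolved user DN, the bind failure reason and the module result) and redacts the credential material. `SAMPLE_TRACE` is a constructed excerpt modelled on the lines in the post, with the passwords replaced by placeholders and the user DN kept consistent as `uid=test`.

```python
"""Parse and redact an rlm_ldap authentication trace from `radiusd -X`
(added example; not FreeRADIUS code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt modelled on the trace in the post. Passwords are
# placeholders; the DNs and filter are the post's own.
SAMPLE_TRACE = """\
rlm_ldap: - authenticate
rlm_ldap: login attempt by "test" with password "test"
radius_xlat:  '(&(Objectclass=remoteUser)(uid=test))'
radius_xlat:  'o=intnet.net'
rlm_ldap: (re)connect to ds1.intnet.net:389, authentication 0
rlm_ldap: bind as uid=ADMIN,ou=People,o=intnet.net/ADMINPASSWORD
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in o=intnet.net, with filter (&(Objectclass=remoteUser)(uid=test))
rlm_ldap: user DN: uid=test,ou=INO Dial Subscribers, o=intnet.net
rlm_ldap: (re)connect to ds1.intnet.net:389, authentication 1
rlm_ldap: bind as uid=test,ou=INO Dial Subscribers, o=intnet.net/test
rlm_ldap: waiting for bind result ...
rlm_ldap: uid=test,ou=INO Dial Subscribers, o=intnet.net bind failed Inappropriate authentication
  modcall[authenticate]: module "ldap" returns fail
"""

# Line shapes taken from the trace format shown in the post.
LOGIN_RE = re.compile(r'^rlm_ldap: login attempt by "(?P<user>[^"]*)" with password "(?P<pw>[^"]*)"')
BIND_RE = re.compile(r"^rlm_ldap: bind as (?P<dn>.+?)/(?P<pw>[^/]*)$")
SEARCH_RE = re.compile(r"^rlm_ldap: performing search in (?P<base>.+?), with filter (?P<filter>.+)$")
USERDN_RE = re.compile(r"^rlm_ldap: user DN: (?P<dn>.+)$")
FAIL_RE = re.compile(r"^rlm_ldap: (?P<dn>.+) bind failed (?P<reason>.+)$")
RESULT_RE = re.compile(r'^modcall\[authenticate\]: module "ldap" returns (?P<result>\w+)')


@dataclass
class LdapAuthTrace:
    user: Optional[str] = None
    search_base: Optional[str] = None
    search_filter: Optional[str] = None
    binds: List[str] = field(default_factory=list)  # DNs bound as, in order
    user_dn: Optional[str] = None
    failure: Optional[str] = None      # server's reason for a failed bind
    module_result: Optional[str] = None


def parse_trace(text: str) -> LdapAuthTrace:
    """Extract the authentication flow from an rlm_ldap debug trace."""
    trace = LdapAuthTrace()
    for raw in text.splitlines():
        line = raw.strip()
        if m := LOGIN_RE.match(line):
            trace.user = m["user"]
        elif m := BIND_RE.match(line):
            trace.binds.append(m["dn"])
        elif m := SEARCH_RE.match(line):
            trace.search_base, trace.search_filter = m["base"], m["filter"]
        elif m := USERDN_RE.match(line):
            trace.user_dn = m["dn"]
        elif m := FAIL_RE.match(line):
            trace.failure = m["reason"]
        elif m := RESULT_RE.match(line):
            trace.module_result = m["result"]
    return trace


def redact_trace(text: str) -> str:
    """Mask the admin bind password and the user's password so the trace
    can be shared (for example on a mailing list) without leaking credentials."""
    out = []
    for raw in text.splitlines():
        line = LOGIN_RE.sub(lambda m: f'rlm_ldap: login attempt by "{m["user"]}" with password "****"', raw.strip())
        line = BIND_RE.sub(lambda m: f"rlm_ldap: bind as {m['dn']}/****", line)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    t = parse_trace(SAMPLE_TRACE)
    print("user:", t.user, "| filter:", t.search_filter)
    print("binds:", t.binds)
    print("user DN:", t.user_dn, "| failure:", t.failure, "| result:", t.module_result)
    print(redact_trace(SAMPLE_TRACE))
```

The parsed `binds` list makes the two-step flow the post describes explicit: one bind as the administrative DN to run the search, then a second bind as the DN the search returned, and `failure` carries the server's reason for rejecting that second bind.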

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html