Hi Sambuddho:

I met a similar problem a few weeks ago. You need to set the ldap identity/password for your freeRadius server at modules/ldap:
e.g. mine is like:

       server = "ldap.xxx.ca"
       identity = "cn=radius,ou=Applications,dc=xxx,dc=ca"
       password = "password"
       basedn = "ou=People,dc=xxx,dc=ca"

The default setting is "read-only" anonymous search (i.e. without identity/password settings) and it will fail because the ldap server does not allow anonymous search for other users' passwords.
Hope this is helpful.

Andy
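The failure quoted further down in this thread, as an added example (not code from the thread, and not FreeRADIUS's own code): a `{crypt}` userPassword value that rlm_ldap maps to User-Password gets compared literally against the PAP password and can never match, whereas mapping it to Crypt-Password re-hashes the supplied password with the stored salt. The md5crypt routine follows the public $1$ algorithm; `strip_password_header` and `pap_check` are a simplified model of what the password_header option and the PAP check do, and the demo password and salt are constructed.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
def _to64(v, n):
    # crypt(3)-style encoding: low 6 bits first
    return "".join(ITOA64[(v >> (6 * i)) & 0x3F] for i in range(n))

def md5crypt(password, salt, magic="$1$"):
    """Standard $1$ MD5-crypt, the scheme behind a {crypt} userPassword."""
    pw, sl = password.encode(), salt.encode()
    ctx = hashlib.md5(pw + magic.encode() + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for i in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, i)])
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed key-stretching rounds
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in groups)
    return magic + salt + "$" + out + _to64(final[11], 2)

def strip_password_header(ldap_value, password_header="{crypt}"):
    """What password_header does: drop the scheme prefix from userPassword."""
    n = len(password_header)
    return ldap_value[n:] if ldap_value[:n].lower() == password_header.lower() else ldap_value

def pap_check(check_item, stored, supplied):
    """Model of the PAP check: User-Password/Cleartext-Password compare the
    strings literally (a stored hash never matches); Crypt-Password re-hashes
    the supplied password with the salt from the stored value."""
    if check_item == "Crypt-Password":
        salt = stored.split("$")[2]
        supplied = md5crypt(supplied, salt)
    return hmac.compare_digest(stored.encode(), supplied.encode())

# Constructed directory value for the demo (password and salt are made up)
LDAP_USERPASSWORD = "{crypt}" + md5crypt("s3cret-demo", "Zx8kQp2w")
CHECK_VALUE = strip_password_header(LDAP_USERPASSWORD)
```

With the value in Crypt-Password the check succeeds for the right password only; with the same value in User-Password it fails for every password, which is exactly the "does NOT match local User-Password" line in the quoted log.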


[EMAIL PROTECTED] wrote:

Today's Topics:

   1. Re: freeradius-proxy + PAP works, PEAP and the rest doesn't ([EMAIL PROTECTED])
   2. Re: freeradius-proxy + PAP works, PEAP and the rest doesn't (Alan DeKok)
   3. Re: freeradius-proxy + PAP works, PEAP and the rest doesn't (Ivan Kalik)
   4. Re: sqlippool (Ivan Kalik)
   5. Re: freeradius with multiple ldap servers (Sambuddho Chakravarty)
   6. Re: freeradius-proxy + PAP works, PEAP and the rest doesn't ([EMAIL PROTECTED])


------------------------------

Message: 5
Date: Thu, 03 Jul 2008 12:50:25 -0400
From: Sambuddho Chakravarty <[EMAIL PROTECTED]>
Subject: Re: freeradius with multiple ldap servers
To: FreeRadius users mailing list
        <freeradius-users@lists.freeradius.org>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=utf-8

Hello Ivan
 But I don't have a field in the database by that name. The name of the
field is "userPassword". This is what the openLDAP migration scripts
generated. Please let me know what mistake I am making. Also, my
question on failover: is the failover used when the first LDAP server is
down / unresponsive to connection attempts, or when it is not able to
authenticate (example bad username / password)?

Thanks
Sambuddho
On Thu, 2008-07-03 at 10:24 +0100, Ivan Kalik wrote:
Password (radius) attribute should be Crypt-Password not User-Password.

Ivan Kalik
Kalik Informatika ISP


On 3/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> writes:

Hello

I set password_header = {crypt} and password_attribute =
"userPassword" (that's the name of the field in the database). Now this
is what the logs show:

rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter
(uid=try)
rlm_ldap: Added User-Password = $1$n48a7wCp$RfvlOx1pZgiVNfmMmA2xS. in
check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user try authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap1] returns ok
++- policy redundant returns ok
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
 Found Post-Auth-Type Reject
+- entering group REJECT
       expand: %{User-Name} -> try
attr_filter: Matched entry DEFAULT at line 11



My guess is authorize{} worked but not authenticate{}. Also, I see
both modules ldap1 and ldap2 being loaded, but whenever I try to
authenticate with the username/password that is found in ldap2, the
radius server never attempts to connect to the other LDAP server.
Instead it searches for the entries in ldap1's server only.

Any suggestions ?

Thanks
Sambuddho


On Wed, 2008-07-02 at 23:45 +0100, Ivan Kalik wrote:
http://wiki.freeradius.org/index.php/Rlm_ldap

See use of password_header and password_attribute.

Ivan Kalik
Kalik Informatika ISP


On 2/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> writes:

Hello
I think I know what the problem is. The radius server is looking up
using the cleartext password, while the LDAP database stores the hashed
passwords. How can I force the radius server to search for the password
as a hashed value (rather than searching for the clear-text value)?

Thanks
Sambuddho
On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
Hello Alan
  I made sure this time that rlm_ldap was compiled. Now the following is
the configuration

------/etc/raddb/modules/ldap-----------

ldap ldap1 {
        server = "a.b.c.d"
        ...
}

ldap ldap2 {
        server = "w.x.y.z"
        ...
}

-----/etc/raddb/radiusd.conf-----

authorize {
        ldap1
        ldap2
}

authenticate {
        ldap1
        ldap2
}

------------------------------------

When I execute /sbin/radiusd -X

It shows instantiating module ldap1 and module ldap2

....
 Module: Instantiating ldap2
  ldap ldap1 {
        server = "a.b.c.d"
        port = 389
....
 Module: Instantiating ldap2
  ldap ldap2 {
        server = "w.x.y.z"
        port = 389
....

When sending a radtest request using the following command (from the
same machine as one which is running the server)

$ radtest user "secret" localhost 2 testing123

I get an ACCESS-REJECT reply from the server.

On the server the logs show something like this
---------------------------------------------------
It shows binding to both LDAP servers one by one through something like
this :

rlm_ldap: performing user authorization for catch
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
        expand: ou=People,dc=example,dc=example ->
ou=People,dc=example,dc=example
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0
rlm_ldap: bind as / to 30.0.0.2:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,dc=example,dc=example, with
filter (uid=catch)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap1] returns notfound
rlm_ldap: - authorize
rlm_ldap: performing user authorization for catch
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
        expand: ou=People,dc=example,dc=example ->
ou=People,dc=example,dc=example
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0
rlm_ldap: bind as / to 10.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,dc=example,dc=example, with
filter (uid=catch)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap2] returns notfound

auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.

You can see it is attempting to search both databases but fails. If I
use a simple telnet or ssh to authenticate against the LDAP server it
logs in fine. LDAP client login against the LDAP server is otherwise
working fine. I know I have been bothering you with trivial questions. But
any help would be appreciated :-)

Thanks in advance.
Sambuddho



On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote:
Sambuddho Chakravarty wrote:
 This is exactly what I did. I forgot to put the separate module names
  The consistent problems you see make me think that the issue is more
than "forgot".

And now when I try to start the server this is what the error I see :


server {
 modules {
 Module: Checking authenticate {...} for more modules to load
//etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap':
  So.... was that module built?  Apparently not...

When trying with a single server, it matches the radius request against
rlm_pap and not rlm_ldap. I am confused.
  Perhaps reading the debug output (and that of "configure" and "make")
would help.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



------------------------------

Message: 6
Date: Thu, 3 Jul 2008 18:00:35 +0100
From: [EMAIL PROTECTED]
Subject: Re: freeradius-proxy + PAP works, PEAP and the rest doesn't
To: FreeRadius users mailing list
        <freeradius-users@lists.freeradius.org>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii

hi,

if you really are using freeradius as a proxy, as you stated,
then you don't need certificates...as the system will JUST
proxy. if you mean you want to terminate EAP on your
freeradius, then please don't call it a proxy. get the terminology correct.

what did you do wrong?

well, since 1.1.7 and 2.0.5 need completely different configs,
i doubt you could make the same mistake twice...you CAN'T use a 1.1.7
config on a 2.0.5 box.

from what i can see, the daemon is clearly telling you something
is wrong with your DH stuff. read eap.conf properly. get rid
of that error. that's your primary task.

alan


------------------------------


End of Freeradius-Users Digest, Vol 39, Issue 18
************************************************
