Hi Andy

Thanks a lot. The problem is that I have a file named ldap inside the /etc/raddb/modules directory and it has two ldap modules, ldap1 and ldap2.
ldap ldap1 {
        server = ....
        identity = ....              (set the appropriate CN)
        password = password for the above CN
        basedn = "ou=People,dc=example,dc=com"
        ...
}

ldap ldap2 {
        server = ....
        identity = ....              (set the appropriate CN)
        password = password for the above CN
        basedn = "ou=People,dc=example,dc=com"
        ...
}

The first server has a user named 'try' and the second one has one named 'catch'. When I try to perform authentication using the radtest tool with the username and password (say for try), it searches the LDAP server which doesn't have it and doesn't search the one which actually has the username. When I try with username 'catch', it finds the username and the password but then it goes into auth: type Local and fails.

WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
        expand: ou=People,dc=example,dc=com -> ou=People,dc=example,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=catch)
rlm_ldap: Added User-Password = $1$FYblmPWy$fmgebhCOLpHvhdECNP4EG0 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user catch authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap2] returns ok
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password.        !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> catch
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 48 to 127.0.0.1 port 1025
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 48 with timestamp +39
Ready to process requests.

I know it's trivial but I have been struggling with this for a long time. (Freeradius version: 2.05)

Thanks
Sambuddho

On Thu, 2008-07-03 at 12:35 -0700, Andy An wrote:
> Hi Sambuddho:
>
> I met a similar problem a few weeks ago.
> You need to set the ldap identity/password for your freeRadius server at
> modules/ldap:
> e.g. mine is like:
>
>         server = "ldap.xxx.ca"
>         identity = "cn=radius,ou=Applications,dc=xxx,dc=ca"
>         password = "password"
>         basedn = "ou=People,dc=xxx,dc=ca"
>
> The default setting is "read-only" anonymous search (i.e. without
> identity/password setting) and it will fail because the ldap server does not
> allow anonymous search for other users' passwords.
> Hope this is helpful.
>
> Andy
>
>
> [EMAIL PROTECTED] wrote:
> > ------------------------------
> >
> > Message: 5
> > Date: Thu, 03 Jul 2008 12:50:25 -0400
> > From: Sambuddho Chakravarty <[EMAIL PROTECTED]>
> > Subject: Re: freeradius with multiple ldap servers
> > To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> > Message-ID: <[EMAIL PROTECTED]>
> > Content-Type: text/plain; charset=utf-8
> >
> > Hello Ivan
> > But I don't have a field in the database by that name. The name of the
> > field is "userPassword". This is what the openLDAP migration scripts
> > generated. Please let me know what mistake I am making. Also, my
> > question on failover. Is the failover used when the first LDAP server is
> > down / unresponsive to connection attempts or when it is not able to
> > authenticate (example bad username / password)?
> >
> > Thanks
> > Sambuddho
> >
> > On Thu, 2008-07-03 at 10:24 +0100, Ivan Kalik wrote:
> >
> >> Password (radius) attribute should be Crypt-Password not User-Password.
> >>
> >> Ivan Kalik
> >> Kalik Informatika ISP
> >>
> >>
> >> On 3/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> writes:
> >>
> >>> Hello
> >>>
> >>> I set the password_header to {crypt} and password_attribute to
> >>> "userPassword" (that's the name of the field in the database). Now this
> >>> is what the logs show:
> >>>
> >>> rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter
> >>> (uid=try)
> >>> rlm_ldap: Added User-Password = $1$n48a7wCp$RfvlOx1pZgiVNfmMmA2xS. in
> >>> check items
> >>> rlm_ldap: looking for check items in directory...
> >>> rlm_ldap: looking for reply items in directory...
> >>> rlm_ldap: user try authorized to use remote access
> >>> rlm_ldap: ldap_release_conn: Release Id: 0
> >>> +++[ldap1] returns ok
> >>> ++- policy redundant returns ok
> >>> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >>> !!! Replacing User-Password in config items with Cleartext-Password.        !!!
> >>> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >>> !!! Please update your configuration so that the "known good"               !!!
> >>> !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
> >>> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >>> auth: type Local
> >>> auth: user supplied User-Password does NOT match local User-Password
> >>> auth: Failed to validate the user.
> >>> Found Post-Auth-Type Reject
> >>> +- entering group REJECT
> >>>         expand: %{User-Name} -> try
> >>>  attr_filter: Matched entry DEFAULT at line 11
> >>>
> >>>
> >>> My guess is authorize{} worked but not authenticate{}. Also, I see
> >>> both modules ldap1 and ldap2 being loaded but whenever I try to
> >>> authenticate with the username/password that is found in ldap2, the
> >>> radius server never attempts to connect to the other LDAP server.
> >>> Instead it searches for the entries in ldap1's server only.
> >>>
> >>> Any suggestions?
> >>>
> >>> Thanks
> >>> Sambuddho
> >>>
> >>>
> >>> On Wed, 2008-07-02 at 23:45 +0100, Ivan Kalik wrote:
> >>>
> >>>> http://wiki.freeradius.org/index.php/Rlm_ldap
> >>>>
> >>>> See use of password_header and password_attribute.
> >>>>
> >>>> Ivan Kalik
> >>>> Kalik Informatika ISP
> >>>>
> >>>>
> >>>> On 2/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> writes:
> >>>>
> >>>>> Hello
> >>>>> I think I know what the problem is. The radius server is looking up
> >>>>> using the cleartext password, while the LDAP database stores the hashed
> >>>>> passwords.
> >>>>> How can I force the radius server to search for the password
> >>>>> as a hashed value (rather than searching for the clear-text value)?
> >>>>>
> >>>>> Thanks
> >>>>> Sambuddho
> >>>>>
> >>>>> On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
> >>>>>
> >>>>>> Hello Alan
> >>>>>> I made sure this time that rlm_ldap was compiled. Now the following
> >>>>>> is the configuration
> >>>>>>
> >>>>>> ------/etc/raddb/modules/ldap-----------
> >>>>>>
> >>>>>> ldap ldap1 {
> >>>>>>         server = "a.b.c.d"
> >>>>>>         ...
> >>>>>> }
> >>>>>>
> >>>>>> ldap ldap2 {
> >>>>>>         server = "w.x.y.z"
> >>>>>>         ...
> >>>>>> }
> >>>>>>
> >>>>>> -----/etc/raddb/radiusd.conf-----
> >>>>>>
> >>>>>> authorize {
> >>>>>>         ldap1
> >>>>>>         ldap2
> >>>>>> }
> >>>>>>
> >>>>>> authenticate {
> >>>>>>         ldap1
> >>>>>>         ldap2
> >>>>>> }
> >>>>>>
> >>>>>> ------------------------------------
> >>>>>>
> >>>>>> When I execute /sbin/radiusd -X
> >>>>>>
> >>>>>> It shows instantiating module ldap1 and module ldap2
> >>>>>>
> >>>>>> ....
> >>>>>> Module: Instantiating ldap1
> >>>>>>  ldap ldap1 {
> >>>>>>         server = "a.b.c.d"
> >>>>>>         port = 389
> >>>>>> ....
> >>>>>> Module: Instantiating ldap2
> >>>>>>  ldap ldap2 {
> >>>>>>         server = "w.x.y.z"
> >>>>>>         port = 389
> >>>>>> ....
> >>>>>>
> >>>>>> When sending a radtest request using the following command (from the
> >>>>>> same machine as the one which is running the server)
> >>>>>>
> >>>>>> $ radtest user "secret" localhost 2 testing123
> >>>>>>
> >>>>>> I get an ACCESS-REJECT reply from the server.
> >>>>>>
> >>>>>> On the server the logs show something like this
> >>>>>> ---------------------------------------------------
> >>>>>> It shows binding to both LDAP servers one by one through something like
> >>>>>> this:
> >>>>>>
> >>>>>> rlm_ldap: performing user authorization for catch
> >>>>>> WARNING: Deprecated conditional expansion ":-".
> >>>>>> See "man unlang" for details
> >>>>>>         expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
> >>>>>>         expand: ou=People,dc=example,dc=example -> ou=People,dc=example,dc=example
> >>>>>> rlm_ldap: ldap_get_conn: Checking Id: 0
> >>>>>> rlm_ldap: ldap_get_conn: Got Id: 0
> >>>>>> rlm_ldap: attempting LDAP reconnection
> >>>>>> rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0
> >>>>>> rlm_ldap: bind as / to 30.0.0.2:389
> >>>>>> rlm_ldap: waiting for bind result ...
> >>>>>> rlm_ldap: Bind was successful
> >>>>>> rlm_ldap: performing search in ou=People,dc=example,dc=example, with filter (uid=catch)
> >>>>>> rlm_ldap: object not found or got ambiguous search result
> >>>>>> rlm_ldap: search failed
> >>>>>> rlm_ldap: ldap_release_conn: Release Id: 0
> >>>>>> ++[ldap1] returns notfound
> >>>>>> rlm_ldap: - authorize
> >>>>>> rlm_ldap: performing user authorization for catch
> >>>>>> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
> >>>>>>         expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
> >>>>>>         expand: ou=People,dc=example,dc=example -> ou=People,dc=example,dc=example
> >>>>>> rlm_ldap: ldap_get_conn: Checking Id: 0
> >>>>>> rlm_ldap: ldap_get_conn: Got Id: 0
> >>>>>> rlm_ldap: attempting LDAP reconnection
> >>>>>> rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0
> >>>>>> rlm_ldap: bind as / to 10.0.0.1:389
> >>>>>> rlm_ldap: waiting for bind result ...
> >>>>>> rlm_ldap: Bind was successful
> >>>>>> rlm_ldap: performing search in ou=People,dc=example,dc=example, with filter (uid=catch)
> >>>>>> rlm_ldap: object not found or got ambiguous search result
> >>>>>> rlm_ldap: search failed
> >>>>>> rlm_ldap: ldap_release_conn: Release Id: 0
> >>>>>> ++[ldap2] returns notfound
> >>>>>>
> >>>>>> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> >>>>>> auth: Failed to validate the user.
> >>>>>>
> >>>>>> You can see it is attempting to search both databases but fails. If I
> >>>>>> use a simple telnet or ssh to authenticate against the LDAP server it
> >>>>>> logs in fine. LDAP client login against the LDAP server is otherwise
> >>>>>> working fine. I know I have been bothering you with trivial questions. But
> >>>>>> any help would be appreciated :-)
> >>>>>>
> >>>>>> Thanks in advance.
> >>>>>> Sambuddho
> >>>>>>
> >>>>>>
> >>>>>> On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote:
> >>>>>>
> >>>>>>> Sambuddho Chakravarty wrote:
> >>>>>>>
> >>>>>>>> This is exactly what I did. I forgot to put the separate module
> >>>>>>>> names
> >>>>>>>>
> >>>>>>> The consistent problems you see make me think that the issue is more
> >>>>>>> than "forgot".
> >>>>>>>
> >>>>>>>
> >>>>>>>> And now when I try to start the server this is the error I see:
> >>>>>>>>
> >>>>>>>> server {
> >>>>>>>>  modules {
> >>>>>>>>  Module: Checking authenticate {...} for more modules to load
> >>>>>>>> //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap':
> >>>>>>>>
> >>>>>>> So.... was that module built? Apparently not...
> >>>>>>>
> >>>>>>>
> >>>>>>>> When trying with a single server, it matches the radius request
> >>>>>>>> against rlm_pap and not rlm_ldap. I am confused.
> >>>>>>>>
> >>>>>>> Perhaps reading the debug output (and that of "configure" and
> >>>>>>> "make") would help.
> >>>>>>>
> >>>>>>> Alan DeKok.
> >>>>>>> -
> >>>>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
> > ------------------------------
> >
> > Message: 6
> > Date: Thu, 3 Jul 2008 18:00:35 +0100
> > From: [EMAIL PROTECTED]
> > Subject: Re: freeradius-proxy + PAP works, PEAP and the rest doesn´t
> > To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> > Message-ID: <[EMAIL PROTECTED]>
> > Content-Type: text/plain; charset=us-ascii
> >
> > hi,
> >
> > if you really are using freeradius as a proxy, as you stated,
> > then you don't need certificates... as the system will JUST
> > proxy. if you mean you want to terminate EAP on your
> > freeradius, then please don't call it a proxy. get the
> > terminology correct.
> >
> > what did you do wrong?
> >
> > well, since 1.1.7 and 2.0.5 need completely different configs,
> > i doubt you could make the same mistake twice... you CAN'T use a 1.1.7
> > config on a 2.0.5 box.
> >
> > from what i can see, the daemon is clearly telling you something
> > is wrong with your DH stuff. read eap.conf properly. get rid
> > of that error. that's your primary task.
> >
> > alan
> >
> > ------------------------------
> >
> > End of Freeradius-Users Digest, Vol 39, Issue 18
> > ************************************************
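For readers landing on this thread with the same three problems (anonymous bind cannot read userPassword, the {crypt} hash being treated as a cleartext User-Password, and only one of two directories being searched), the following is an added example of a FreeRADIUS 2.x configuration that addresses all three. It is not configuration from any of the posters or from the FreeRADIUS project. The hostnames, DNs, bind password and certificate path are placeholders; the ldap.attrmap line is what I recall the stock 2.x attrmap already ships with, so compare it against your own /etc/raddb/ldap.attrmap rather than taking it on trust.

```conf
# ---- /etc/raddb/modules/ldap ------------------------------------------------
# Two instances of rlm_ldap, one per directory.  Hostnames, DNs, bind password
# and certificate path are assumed placeholders, not values from the thread.
ldap ldap1 {
        server   = "ldap1.example.com"
        port     = 389
        # Bind with a dedicated read-only service account.  With identity and
        # password unset the bind is anonymous, and most directories deny
        # anonymous reads of userPassword, so the search runs but no hash comes
        # back and the user can never be authenticated.
        identity = "cn=radius,ou=Applications,dc=example,dc=com"
        password = "change-me"
        basedn   = "ou=People,dc=example,dc=com"
        # 2.x expansion syntax; the older %{Stripped-User-Name:-%{User-Name}}
        # form is what produces the "Deprecated conditional expansion" warning.
        filter   = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        # password_attribute / password_header are deliberately NOT set.  With
        # them set, 2.0.x adds the value as User-Password ("Added User-Password
        # = $1$... in check items") and rlm_pap then compares the MD5-crypt
        # string as if it were the cleartext password, which is the failure in
        # the logs above.  userPassword is mapped through ldap.attrmap instead.
        dictionary_mapping = ${confdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout     = 4
        timelimit   = 3
        net_timeout = 1
        tls {
                # The bind password and every user's hash cross this link:
                # use STARTTLS (or ldaps) and verify the directory's certificate.
                start_tls    = yes
                cacertfile   = /etc/raddb/certs/ldap-ca.pem
                require_cert = "demand"
        }
}

ldap ldap2 {
        server   = "ldap2.example.com"
        port     = 389
        identity = "cn=radius,ou=Applications,dc=example,dc=com"
        password = "change-me"
        basedn   = "ou=People,dc=example,dc=com"
        filter   = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        dictionary_mapping = ${confdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout     = 4
        timelimit   = 3
        net_timeout = 1
        tls {
                start_tls    = yes
                cacertfile   = /etc/raddb/certs/ldap-ca.pem
                require_cert = "demand"
        }
}

# ---- /etc/raddb/ldap.attrmap (the one line that matters) -------------------
# Ivan's point: the RADIUS check attribute must not be User-Password.
# Password-With-Header lets rlm_pap read the "{crypt}" prefix that the OpenLDAP
# migration scripts put in front of the hash and compare it as Crypt-Password.
# If the directory stores the bare hash with no prefix, map to Crypt-Password.
checkItem       Password-With-Header    userPassword

# ---- /etc/raddb/sites-enabled/default (authorize / authenticate only) -------
authorize {
        preprocess
        # "redundant" on its own is fail-over, not fall-through: it moves to the
        # next module only when the previous one returns "fail" (server down,
        # bind refused).  A user who is simply absent from ldap1 yields
        # "notfound", which redundant treats as final, so ldap2 is never
        # searched.  The override below makes notfound continue as well, so a
        # miss in ldap1 falls through to ldap2 and an outage of ldap1 does too.
        redundant {
                ldap1 {
                        notfound = 1
                }
                ldap2
        }
        # rlm_pap sees Password-With-Header / Crypt-Password in the check items
        # and sets Auth-Type = PAP; nothing else is needed for "auth: type".
        pap
}

authenticate {
        # Do NOT list ldap1/ldap2 here for this setup.  Auth-Type LDAP re-binds
        # to the directory as the user, which needs the cleartext password and
        # so only works for PAP anyway.  The crypt(3) comparison happens here.
        Auth-Type PAP {
                pap
        }
}
```

Run the server with `radiusd -X` and test one user from each directory, e.g. `radtest try <password> localhost 0 testing123` and then the same for `catch`; in the debug output rlm_pap should report that it found a crypt-style password and set `Auth-Type = PAP`, and the second directory should only be contacted when the first returns notfound or fail. Two caveats that follow from this design: a directory that stores only crypt hashes can ever satisfy PAP, so CHAP, MS-CHAP and the EAP methods built on them (PEAP/MSCHAPv2) will still fail until a cleartext or NT-Password attribute is available; and the cn=radius account should be limited by the directory's ACLs to reading userPassword under ou=People, since it is a single credential that can pull every user's hash.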