I'm currently using FreeRadius - just upgraded to 0.4 - to authenticate users with account info in /etc/passwd and /etc/shadow. Currently all I use is a default entry in /usr/local/etc/raddb/users. This works fine.

However, I'm testing a setup where as much information as possible will go into a MySQL database. I'm also setting up LDAP for authentication, so I'm using an LDAP account to test... As you will see, this is not an LDAP issue...

Here are the contents of the relevant fields out of my database:
[radcheck]
+----+----------------------+-----------+-------+
| id | UserName             | Attribute | Value |
+----+----------------------+-----------+-------+
| 11 | [EMAIL PROTECTED]    | Auth-Type | LDAP  |
+----+----------------------+-----------+-------+

[usergroup]
+----+----------------------+-----------+
| id | UserName             | GroupName |
+----+----------------------+-----------+
|  4 | [EMAIL PROTECTED]    | ldap      |
+----+----------------------+-----------+

[radgroupcheck]
+----+-----------+-----------+-------+
| id | GroupName | Attribute | Value |
+----+-----------+-----------+-------+
|  6 | ldap      | Auth-Type | Ldap  |
+----+-----------+-----------+-------+

[radgroupreply]
+----+-----------+-------------------+-----------------+
| id | GroupName | Attribute         | Value           |
+----+-----------+-------------------+-----------------+
| 10 | ldap      | Idle-Timeout      | 600             |
|  9 | ldap      | Port-Limit        | 1               |
| 13 | ldap      | Service-Type      | Framed-User     |
| 14 | ldap      | Framed-Protocol   | PPP             |
| 15 | ldap      | Framed-IP-Address | 255.255.255.254 |
| 20 | ldap      | Framed-IP-Netmask | 255.255.255.255 |
| 19 | ldap      | Session-Timeout   | 28800           |
+----+-----------+-------------------+-----------------+
OK, first: if the account isn't in radcheck, usergroup doesn't get checked for the username. The next apparent step if the account isn't in radcheck is that the various tables are checked for DEFAULT - and this seems like a bug to me.

Now... This is what happens when I try to dial in using sjs-ldap:
Thread 1 handling request 0, (1 handled so far)
        User-Name = "[EMAIL PROTECTED]"
        Password = "\352{\252\236M4\257}3KwZl\006\274["
        NAS-IP-Address = 64.24.224.229
        NAS-Port = 44
        NAS-Port-Type = Async
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Connect-Info = "16800 LAPM/V42BIS"
        Called-Station-Id = "4408560016"
        Calling-Station-Id = "4402098862"
        Proxy-State = 0x3c3b74724018e0e5040210007c1462fc83ad10f33842ef6c7294576d
rad_lowerpair: User-Name now '[EMAIL PROTECTED]'
rad_lowerpair: Password now 'myDialupPassword'
rad_rmspace_pair: User-Name now '[EMAIL PROTECTED]'
rad_rmspace_pair: Password now 'myDialupPassword'
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "suffix" returns ok
rlm_sql: Reserving sql socket id: 4
radius_xlat: '[EMAIL PROTECTED]'
sql_escape in: '[EMAIL PROTECTED]'
sql_escape out: '[EMAIL PROTECTED]'
sql_set_user: escaped user --> '[EMAIL PROTECTED]'
radius_xlat: 'SELECT id,UserName,Attribute,Value FROM radcheck WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value FROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value FROM radreply WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value FROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql: Released sql socket id: 4
rlm_sql: Pairs do not match [[EMAIL PROTECTED]]
modcall[authorize]: module "sql" returns notfound
users: Matched DEFAULT at 2
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
modcall[authenticate]: module "unix" returns notfound
modcall: group authenticate returns notfound
auth: Failed to validate the user.
Sending Access-Reject of id 109 to 216.126.128.8:1650
        Proxy-State = 0x3c3b74724018e0e5040210007c1462fc83ad10f33842ef6c7294576d
Finished request 0
Going to the next request
Now, for some reason, enabling debugging on 0.4 doesn't print the results of the SQL queries. :( However, with 0.3, I'd see that the check and reply items were being retrieved correctly.

Even so, and even though the reply pairs are what my dialup provider expects to see, I still get the "pairs do not match" message. rlm_sql fails, and control falls through to the users file, which only has one entry that specifies that the user is to be authenticated through the passwd file. This, of course, doesn't work. sjs-ldap doesn't exist in /etc/passwd, only in LDAP.

I'm at a total loss - I can't figure out why this is happening. Help :(

Thanks, S
--
JustThe.net LLC - Steve "Web Dude" Sobol, CTO
ICQ: 56972932/WebDude216  website: http://JustThe.net
email: [EMAIL PROTECTED]  phone: 216.619.2NET
postal: 5686 Davis Drive, Mentor On The Lake, OH 44060-2752  DalNet: ZX-2
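As an added example (not part of the post above, and not FreeRADIUS code), the script below loads the four tables from the post into an in-memory SQLite database and runs the same four SELECTs that the 0.4 debug output shows rlm_sql issuing, so you can see exactly which check and reply items each query returns for a given user. The user names are constructed stand-ins for the redacted address in the post, SQLite stands in for MySQL, and the user name is bound as a query parameter rather than interpolated through sql_escape as the server does; those are the only assumptions.

```python
import sqlite3

# Constructed stand-in for the redacted "[EMAIL PROTECTED]" user in the post.
USER = "sjs-ldap@example.net"
# Constructed extra user: listed in usergroup only, with no radcheck row.
GROUP_ONLY_USER = "group-only@example.net"

# Same columns as the tables shown in the post (radreply exists but is empty).
SCHEMA = """
CREATE TABLE radcheck      (id INTEGER, UserName TEXT, Attribute TEXT, Value TEXT);
CREATE TABLE usergroup     (id INTEGER, UserName TEXT, GroupName TEXT);
CREATE TABLE radgroupcheck (id INTEGER, GroupName TEXT, Attribute TEXT, Value TEXT);
CREATE TABLE radgroupreply (id INTEGER, GroupName TEXT, Attribute TEXT, Value TEXT);
CREATE TABLE radreply      (id INTEGER, UserName TEXT, Attribute TEXT, Value TEXT);
"""

# Rows copied from the post's tables (ids included, since the queries ORDER BY id),
# plus the constructed group-only user in usergroup.
ROWS = {
    "radcheck": [(11, USER, "Auth-Type", "LDAP")],
    "usergroup": [(4, USER, "ldap"), (5, GROUP_ONLY_USER, "ldap")],
    "radgroupcheck": [(6, "ldap", "Auth-Type", "Ldap")],
    "radgroupreply": [
        (10, "ldap", "Idle-Timeout", "600"),
        (9, "ldap", "Port-Limit", "1"),
        (13, "ldap", "Service-Type", "Framed-User"),
        (14, "ldap", "Framed-Protocol", "PPP"),
        (15, "ldap", "Framed-IP-Address", "255.255.255.254"),
        (20, "ldap", "Framed-IP-Netmask", "255.255.255.255"),
        (19, "ldap", "Session-Timeout", "28800"),
    ],
}

# The four SELECTs as logged by radius_xlat, with "?" where the server
# splices in the sql_escape'd user name.
QUERIES = {
    "check": "SELECT id,UserName,Attribute,Value FROM radcheck "
             "WHERE UserName = ? ORDER BY id",
    "groupcheck": "SELECT radgroupcheck.id,radgroupcheck.GroupName,"
                  "radgroupcheck.Attribute,radgroupcheck.Value "
                  "FROM radgroupcheck,usergroup WHERE usergroup.UserName = ? "
                  "AND usergroup.GroupName = radgroupcheck.GroupName "
                  "ORDER BY radgroupcheck.id",
    "reply": "SELECT id,UserName,Attribute,Value FROM radreply "
             "WHERE UserName = ? ORDER BY id",
    "groupreply": "SELECT radgroupreply.id,radgroupreply.GroupName,"
                  "radgroupreply.Attribute,radgroupreply.Value "
                  "FROM radgroupreply,usergroup WHERE usergroup.UserName = ? "
                  "AND usergroup.GroupName = radgroupreply.GroupName "
                  "ORDER BY radgroupreply.id",
}


def build_db():
    """Create the in-memory database and load the rows from the post."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn


def sql_authorize(conn, username):
    """Run the four lookups and return {phase: [(Attribute, Value), ...]}."""
    result = {}
    for phase, sql in QUERIES.items():
        result[phase] = [(attr, val)
                         for _id, _owner, attr, val in conn.execute(sql, (username,))]
    return result


def check_item_spellings(result):
    """Distinct spellings of every check attribute across radcheck and radgroupcheck."""
    seen = {}
    for phase in ("check", "groupcheck"):
        for attr, val in result[phase]:
            seen.setdefault(attr, set()).add(val)
    return {attr: sorted(vals) for attr, vals in seen.items()}


if __name__ == "__main__":
    db = build_db()
    for who in (USER, GROUP_ONLY_USER, "nobody@example.net"):
        r = sql_authorize(db, who)
        print(who)
        for phase, pairs in r.items():
            print(f"  {phase:10s} {pairs}")
        print("  spellings ", check_item_spellings(r))
```

Two things the output makes visible: the group-only user gets a radgroupcheck row back even though radcheck is empty, so any "usergroup not consulted without a radcheck entry" behaviour comes from how the module treats the first result set, not from the SQL itself; and the single check attribute arrives spelled LDAP from radcheck and Ldap from radgroupcheck, which is worth normalising before chasing anything else.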
