Hey guys,
Just to let you know where I am at, I have included the message I just
sent to the freeradius-users list. If we cannot get this resolved soon, we
may have to look into another RADIUS solution. Of the free
implementations, it was the only one that used LDAP. There is a patch for
the Cistron RADIUS server, but it is a crude, home-grown thing that may not
be maintained forever. Otherwise, we may have to look at a commercial
product to stay with RADIUS.
We could run the server in non-threaded mode, but I am not certain of the
performance consequences of that action. I could ignore this problem and
hope performance will not be too terrible (I could even compile the
thing without threads support)... then I could at least start to
figure out what it will take to get the different services we need
supported running. However, we may find performance unacceptable and I
will have wasted a good deal of time.
If either of you want to help me with this, I would welcome another brain.
Otherwise, at this point I may not have RADIUS ready by the deadline.
sam
---------- Forwarded message ----------
Date: Tue, 26 Nov 2002 14:29:06 -0700 (MST)
From: Samuel T Patterson <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: LDAP bind problem
Hello again,
Here is some more information about the problem I am seeing. Running with debug flags
shows a "Can't contact LDAP server" message. The bind is successful if the "-s"
argument is used. I would prefer to run FreeRADIUS in multi-threaded mode, but cannot
seem to get it to work! This is a 0.8 server on Solaris 8.
Doing a snoop, I found that in "multi-threaded mode" the server would send a syn
packet and then without waiting for a response, immediately send a reset.
Below I have included the LDAP portion of my radiusd.conf file. I have changed very
little in this file as I am just beginning testing to see if I can use FreeRADIUS.
Almost everything else I have left "default", and have checked all settings I have
changed to see if they affect this problem.
I am totally new to RADIUS so any advice would be greatly appreciated.
### WITH -xxx FLAGS ###
Tue Nov 26 11:50:46 2002 : Info: Ready to process requests.
Tue Nov 26 11:50:46 2002 : Debug: Thread 2 waiting to be assigned a request
Tue Nov 26 11:50:46 2002 : Debug: Thread 3 waiting to be assigned a request
Tue Nov 26 11:50:46 2002 : Debug: Thread 4 waiting to be assigned a request
Tue Nov 26 11:50:46 2002 : Debug: Thread 5 waiting to be assigned a request
rad_recv: Access-Request packet from host 134.114.70.9:1981, id=22, length=44
Tue Nov 26 11:50:55 2002 : Debug: Thread 1 assigned request 0
Tue Nov 26 11:50:55 2002 : Debug: Thread 1 handling request 0, (1 handled so far)
User-Name = "bob"
User-Password = "********"
Tue Nov 26 11:50:55 2002 : Debug: rad_lowerpair: User-Name now 'bob'
Tue Nov 26 11:50:55 2002 : Debug: modcall: entering group authorize
Tue Nov 26 11:50:55 2002 : Debug: modcall[authorize]: module "preprocess" returns ok
Tue Nov 26 11:50:55 2002 : Debug: rlm_chap: Could not find proper Chap-Password attribute in request
Tue Nov 26 11:50:55 2002 : Debug: modcall[authorize]: module "chap" returns noop
Tue Nov 26 11:50:55 2002 : Debug: modcall[authorize]: module "mschap" returns notfound
Tue Nov 26 11:50:55 2002 : Debug: rlm_realm: No '@' in User-Name = "bob", looking up realm NULL
Tue Nov 26 11:50:55 2002 : Debug: rlm_realm: No such realm NULL
Tue Nov 26 11:50:55 2002 : Debug: modcall[authorize]: module "suffix" returns noop
Tue Nov 26 11:50:55 2002 : Debug: users: Matched DEFAULT at 152
Tue Nov 26 11:50:55 2002 : Debug: modcall[authorize]: module "files" returns ok
Tue Nov 26 11:50:55 2002 : Debug: rlm_ldap: - authorize
Tue Nov 26 11:50:55 2002 : Debug: rlm_ldap: performing user authorization for bob
Tue Nov 26 11:50:55 2002 : Debug: radius_xlat: '(uid=bob)'
Tue Nov 26 11:50:55 2002 : Debug: radius_xlat: 'ou=people,dc=blah,dc=blah'
Tue Nov 26 11:50:55 2002 : Debug: ldap_get_conn: Got Id: 0
Tue Nov 26 11:50:55 2002 : Debug: rlm_ldap: attempting LDAP reconnection
Tue Nov 26 11:50:55 2002 : Debug: rlm_ldap: (re)connect to ldap.nau.edu:389, authentication 0
Tue Nov 26 11:50:55 2002 : Debug: rlm_ldap: bind as cn=Radius,ou=applications,dc=blah,dc=blah/******** to ldap.nau.edu:389
Tue Nov 26 11:50:55 2002 : Error: rlm_ldap: cn=Radius,ou=applications,dc=blah,dc=blah bind to ldap1.nau.edu:389 failed: Can't contact LDAP server
Tue Nov 26 11:50:55 2002 : Error: rlm_ldap: (re)connection attempt failed
Tue Nov 26 11:50:55 2002 : Debug: rlm_ldap: search failed
Tue Nov 26 11:50:55 2002 : Debug: ldap_release_conn: Release Id: 0
Tue Nov 26 11:50:55 2002 : Debug: modcall[authorize]: module "ldap" returns fail
Tue Nov 26 11:50:55 2002 : Debug: modcall: group authorize returns fail
Tue Nov 26 11:50:55 2002 : Debug: Finished request 0
Tue Nov 26 11:50:55 2002 : Debug: Going to the next request
Tue Nov 26 11:50:55 2002 : Debug: Thread 1 waiting to be assigned a request
Tue Nov 26 11:50:55 2002 : Debug: --- Walking the entire request list ---
Tue Nov 26 11:50:55 2002 : Debug: Threads: total/active/spare threads = 5/0/5
Tue Nov 26 11:50:55 2002 : Debug: Waking up in 6 seconds...
Tue Nov 26 11:51:01 2002 : Debug: --- Walking the entire request list ---
Tue Nov 26 11:51:01 2002 : Debug: Cleaning up request 0 ID 22 with timestamp 3de3c28f
Tue Nov 26 11:51:01 2002 : Debug: Nothing to do. Sleeping until we see a request.
### WITH -sxxx FLAGS ###
Tue Nov 26 11:51:19 2002 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 134.114.70.9:1982, id=23, length=44
User-Name = "bob"
User-Password = "********"
Tue Nov 26 11:51:26 2002 : Debug: rad_lowerpair: User-Name now 'bob'
Tue Nov 26 11:51:26 2002 : Debug: modcall: entering group authorize
Tue Nov 26 11:51:26 2002 : Debug: modcall[authorize]: module "preprocess" returns ok
Tue Nov 26 11:51:26 2002 : Debug: rlm_chap: Could not find proper Chap-Password attribute in request
Tue Nov 26 11:51:26 2002 : Debug: modcall[authorize]: module "chap" returns noop
Tue Nov 26 11:51:26 2002 : Debug: modcall[authorize]: module "mschap" returns notfound
Tue Nov 26 11:51:26 2002 : Debug: rlm_realm: No '@' in User-Name = "bob", looking up realm NULL
Tue Nov 26 11:51:26 2002 : Debug: rlm_realm: No such realm NULL
Tue Nov 26 11:51:26 2002 : Debug: modcall[authorize]: module "suffix" returns noop
Tue Nov 26 11:51:26 2002 : Debug: users: Matched DEFAULT at 152
Tue Nov 26 11:51:26 2002 : Debug: modcall[authorize]: module "files" returns ok
Tue Nov 26 11:51:26 2002 : Debug: rlm_ldap: - authorize
Tue Nov 26 11:51:26 2002 : Debug: rlm_ldap: performing user authorization for bob
Tue Nov 26 11:51:26 2002 : Debug: radius_xlat: '(uid=bob)'
Tue Nov 26 11:51:26 2002 : Debug: radius_xlat: 'ou=people,dc=blah,dc=blah'
Tue Nov 26 11:51:26 2002 : Debug: ldap_get_conn: Got Id: 0
Tue Nov 26 11:51:26 2002 : Debug: rlm_ldap: attempting LDAP reconnection
Tue Nov 26 11:51:26 2002 : Debug: rlm_ldap: (re)connect to ldap1.nau.edu:389, authentication 0
Tue Nov 26 11:51:26 2002 : Debug: rlm_ldap: bind as cn=Radius,ou=applications,dc=blah,dc=blah/******** to ldap1.nau.edu:389
Tue Nov 26 11:51:26 2002 : Debug: rlm_ldap: waiting for bind result ...
Tue Nov 26 11:51:26 2002 : Debug: rlm_ldap: performing search in ou=people,dc=blah,dc=blah, with filter (uid=bob)
Tue Nov 26 11:51:26 2002 : Debug: rlm_ldap: looking for check items in directory...
Tue Nov 26 11:51:26 2002 : Debug: rlm_ldap: looking for reply items in directory...
Tue Nov 26 11:51:26 2002 : Debug: rlm_ldap: user bob authorized to use remote access
Tue Nov 26 11:51:26 2002 : Debug: ldap_release_conn: Release Id: 0
Tue Nov 26 11:51:26 2002 : Debug: modcall[authorize]: module "ldap" returns ok
Tue Nov 26 11:51:26 2002 : Debug: modcall: group authorize returns ok
Tue Nov 26 11:51:26 2002 : Debug: rad_check_password: Found Auth-Type System
Tue Nov 26 11:51:26 2002 : Debug: auth: type "System"
Tue Nov 26 11:51:26 2002 : Debug: modcall: entering group authenticate
Tue Nov 26 11:51:26 2002 : Auth: rlm_unix: [bob]: invalid password
Tue Nov 26 11:51:26 2002 : Debug: modcall[authenticate]: module "unix" returns reject
Tue Nov 26 11:51:26 2002 : Debug: modcall: group authenticate returns reject
Tue Nov 26 11:51:26 2002 : Debug: auth: Failed to validate the user.
Tue Nov 26 11:51:26 2002 : Auth: Login incorrect: [bob] (from client ucc174-test port 0)
Tue Nov 26 11:51:26 2002 : Debug: Delaying request 0 for 1 seconds
Tue Nov 26 11:51:26 2002 : Debug: Finished request 0
Tue Nov 26 11:51:26 2002 : Debug: Going to the next request
Tue Nov 26 11:51:26 2002 : Debug: --- Walking the entire request list ---
Tue Nov 26 11:51:26 2002 : Debug: Waking up in 1 seconds...
Tue Nov 26 11:51:27 2002 : Debug: --- Walking the entire request list ---
Tue Nov 26 11:51:27 2002 : Debug: Waking up in 1 seconds...
Tue Nov 26 11:51:28 2002 : Debug: --- Walking the entire request list ---
Sending Access-Reject of id 23 to 134.114.70.9:1982
Tue Nov 26 11:51:28 2002 : Debug: Waking up in 4 seconds...
Tue Nov 26 11:51:32 2002 : Debug: --- Walking the entire request list ---
Tue Nov 26 11:51:32 2002 : Debug: Cleaning up request 0 ID 23 with timestamp 3de3c2ae
Tue Nov 26 11:51:32 2002 : Debug: Nothing to do. Sleeping until we see a request.
### radiusd.conf LDAP stuff ###
ldap {
    server = "ldap1.ucc.nau.edu"
    identity = "cn=Radius,ou=applications,dc=nau,dc=edu"
    password = Wh0Ru?
    basedn = "ou=people,dc=nau,dc=edu"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    start_tls = no
    tls_mode = no
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    access_attr_used_for_allow = no
}
### more radiusd.conf ###
authorize {
    preprocess
    chap
    mschap
    suffix
#   files
    ldap
}
authenticate {
    authtype PAP {
        pap
    }
    authtype CHAP {
        chap
    }
    authtype MS-CHAP {
        mschap
    }
#   pam
    unix
    authtype LDAP {
        # We are using ldap... stp2
        ldap
    }
}
I thank in advance anyone who can offer an insight into this problem!
--
Samuel T Patterson
Systems Programmer
Northern Arizona University
Information and Technology Services
[EMAIL PROTECTED]
--
Samuel T Patterson
Systems Programmer
Northern Arizona University
Information and Technology Services
[EMAIL PROTECTED]
Work: (928) 523-8246
Pager: (928) 213-5176
P.O. Box 5100
Flagstaff, AZ 86011
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
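As an added example (not from the thread or the FreeRADIUS project), a small Python triage script for the FreeRADIUS 0.8 debug output format quoted above: it pulls each module's return code and any rlm_ldap errors from a run, reports the first failing module, and diffs the threaded (-xxx) run against the single-threaded (-sxxx) run so the module whose behaviour changes stands out. The embedded log excerpts are constructed from the lines in the post, with wrapped lines rejoined.

```python
import re
# Constructed excerpts in the FreeRADIUS 0.8 debug format quoted in the post: the
# threaded (-xxx) run and the single-threaded (-sxxx) run, wrapped lines rejoined.
THREADED = """\
Tue Nov 26 11:50:55 2002 : Debug: modcall[authorize]: module "files" returns ok
Tue Nov 26 11:50:55 2002 : Debug: rlm_ldap: (re)connect to ldap1.nau.edu:389, authentication 0
Tue Nov 26 11:50:55 2002 : Error: rlm_ldap: cn=Radius,ou=applications,dc=blah,dc=blah bind to ldap1.nau.edu:389 failed: Can't contact LDAP server
Tue Nov 26 11:50:55 2002 : Debug: modcall[authorize]: module "ldap" returns fail
Tue Nov 26 11:50:55 2002 : Debug: modcall: group authorize returns fail
"""
SINGLE = """\
Tue Nov 26 11:51:26 2002 : Debug: modcall[authorize]: module "files" returns ok
Tue Nov 26 11:51:26 2002 : Debug: modcall[authorize]: module "ldap" returns ok
Tue Nov 26 11:51:26 2002 : Debug: modcall: group authorize returns ok
Tue Nov 26 11:51:26 2002 : Debug: modcall[authenticate]: module "unix" returns reject
Tue Nov 26 11:51:26 2002 : Debug: modcall: group authenticate returns reject
"""

MODULE_RE = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+)')
GROUP_RE = re.compile(r'modcall: group (\w+) returns (\w+)')
LDAP_ERR_RE = re.compile(r': Error: rlm_ldap: (.+)$')
FAILING = {"fail", "reject", "invalid"}  # rcodes that abort the enclosing group

def summarize(log):
    """Collect each module's rcode (in call order), each group's result, rlm_ldap errors."""
    modules, groups, ldap_errors = {}, {}, []
    for line in log.splitlines():
        if m := MODULE_RE.search(line):
            modules[(m[1], m[2])] = m[3]
        elif m := GROUP_RE.search(line):
            groups[m[1]] = m[2]
        elif m := LDAP_ERR_RE.search(line):
            ldap_errors.append(m[1])
    return {"modules": modules, "groups": groups, "ldap_errors": ldap_errors}

def first_failure(summary):
    """First (group, module, rcode) whose module returned a failing rcode, or None."""
    return next(((g, mod, rc) for (g, mod), rc in summary["modules"].items()
                 if rc in FAILING), None)

def diff_runs(a, b):
    """Modules whose rcode differs between two runs; None marks a module never reached."""
    keys = set(a["modules"]) | set(b["modules"])
    return {k: (a["modules"].get(k), b["modules"].get(k))
            for k in keys if a["modules"].get(k) != b["modules"].get(k)}

if __name__ == "__main__":
    t, s = summarize(THREADED), summarize(SINGLE)
    print("threaded:", first_failure(t), t["ldap_errors"])
    print("single-threaded:", first_failure(s), "differs:", diff_runs(t, s))
```

Feed it two complete `radiusd -X`-style captures and the diff narrows the problem to the module whose result depends on threading; here that is rlm_ldap in authorize, while the unix reject only appears in the -s run because authorize got that far.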