Hello again,

Here is some more information about the problem I am seeing. Running with debug flags
shows a "Can't contact LDAP server" message. The bind is successful if the "-s"
argument is used. I would prefer to run FreeRADIUS in multi-threaded mode, but cannot
seem to get it to work! This is a 0.8 server on Solaris 8.

Doing a snoop, I found that in "multi-threaded mode" the server would send a SYN
packet and then, without waiting for a response, immediately send a reset.

Below I have included the LDAP portion of my radiusd.conf file. I have changed very
little in this file as I am just beginning testing to see if I can use FreeRADIUS.
Almost everything else I have left "default", and have checked all settings I have
changed to see if they affect this problem.

I am totally new to RADIUS so any advice would be greatly appreciated.

### WITH -xxx FLAGS ###
Tue Nov 26 11:50:46 2002 : Info: Ready to process requests.
Tue Nov 26 11:50:46 2002 : Debug: Thread 2 waiting to be assigned a request
Tue Nov 26 11:50:46 2002 : Debug: Thread 3 waiting to be assigned a request
Tue Nov 26 11:50:46 2002 : Debug: Thread 4 waiting to be assigned a request
Tue Nov 26 11:50:46 2002 : Debug: Thread 5 waiting to be assigned a request
rad_recv: Access-Request packet from host 134.114.70.9:1981, id=22, length=44
Tue Nov 26 11:50:55 2002 : Debug: Thread 1 assigned request 0
Tue Nov 26 11:50:55 2002 : Debug: Thread 1 handling request 0, (1 handled so far)
User-Name = "bob"
User-Password = "********"
Tue Nov 26 11:50:55 2002 : Debug: rad_lowerpair: User-Name now 'bob'
Tue Nov 26 11:50:55 2002 : Debug: modcall: entering group authorize
Tue Nov 26 11:50:55 2002 : Debug: modcall[authorize]: module "preprocess" returns ok
Tue Nov 26 11:50:55 2002 : Debug: rlm_chap: Could not find proper Chap-Password
attribute in request
Tue Nov 26 11:50:55 2002 : Debug: modcall[authorize]: module "chap" returns noop
Tue Nov 26 11:50:55 2002 : Debug: modcall[authorize]: module "mschap" returns
notfound
Tue Nov 26 11:50:55 2002 : Debug: rlm_realm: No '@' in User-Name = "bob", looking
up realm NULL
Tue Nov 26 11:50:55 2002 : Debug: rlm_realm: No such realm NULL
Tue Nov 26 11:50:55 2002 : Debug: modcall[authorize]: module "suffix" returns noop
Tue Nov 26 11:50:55 2002 : Debug: users: Matched DEFAULT at 152
Tue Nov 26 11:50:55 2002 : Debug: modcall[authorize]: module "files" returns ok
Tue Nov 26 11:50:55 2002 : Debug: rlm_ldap: - authorize
Tue Nov 26 11:50:55 2002 : Debug: rlm_ldap: performing user authorization for bob
Tue Nov 26 11:50:55 2002 : Debug: radius_xlat: '(uid=bob)'
Tue Nov 26 11:50:55 2002 : Debug: radius_xlat: 'ou=people,dc=blah,dc=blah'
Tue Nov 26 11:50:55 2002 : Debug: ldap_get_conn: Got Id: 0
Tue Nov 26 11:50:55 2002 : Debug: rlm_ldap: attempting LDAP reconnection
Tue Nov 26 11:50:55 2002 : Debug: rlm_ldap: (re)connect to ldap.nau.edu:389,
authentication 0
Tue Nov 26 11:50:55 2002 : Debug: rlm_ldap: bind as
cn=Radius,ou=applications,dc=blah,dc=blah/******** to ldap.nau.edu:389
Tue Nov 26 11:50:55 2002 : Error: rlm_ldap: cn=Radius,ou=applications,dc=blah,dc=blah
bind to ldap1.nau.edu:389 failed: Can't contact LDAP server
Tue Nov 26 11:50:55 2002 : Error: rlm_ldap: (re)connection attempt failed
Tue Nov 26 11:50:55 2002 : Debug: rlm_ldap: search failed
Tue Nov 26 11:50:55 2002 : Debug: ldap_release_conn: Release Id: 0
Tue Nov 26 11:50:55 2002 : Debug: modcall[authorize]: module "ldap" returns fail
Tue Nov 26 11:50:55 2002 : Debug: modcall: group authorize returns fail
Tue Nov 26 11:50:55 2002 : Debug: Finished request 0
Tue Nov 26 11:50:55 2002 : Debug: Going to the next request
Tue Nov 26 11:50:55 2002 : Debug: Thread 1 waiting to be assigned a request
Tue Nov 26 11:50:55 2002 : Debug: --- Walking the entire request list ---
Tue Nov 26 11:50:55 2002 : Debug: Threads: total/active/spare threads = 5/0/5
Tue Nov 26 11:50:55 2002 : Debug: Waking up in 6 seconds...
Tue Nov 26 11:51:01 2002 : Debug: --- Walking the entire request list ---
Tue Nov 26 11:51:01 2002 : Debug: Cleaning up request 0 ID 22 with timestamp 3de3c28f
Tue Nov 26 11:51:01 2002 : Debug: Nothing to do. Sleeping until we see a request.
### WITH -sxxx FLAGS ###
Tue Nov 26 11:51:19 2002 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 134.114.70.9:1982, id=23, length=44
User-Name = "bob"
User-Password = "********"
Tue Nov 26 11:51:26 2002 : Debug: rad_lowerpair: User-Name now 'bob'
Tue Nov 26 11:51:26 2002 : Debug: modcall: entering group authorize
Tue Nov 26 11:51:26 2002 : Debug: modcall[authorize]: module "preprocess" returns ok
Tue Nov 26 11:51:26 2002 : Debug: rlm_chap: Could not find proper Chap-Password
attribute in request
Tue Nov 26 11:51:26 2002 : Debug: modcall[authorize]: module "chap" returns noop
Tue Nov 26 11:51:26 2002 : Debug: modcall[authorize]: module "mschap" returns
notfound
Tue Nov 26 11:51:26 2002 : Debug: rlm_realm: No '@' in User-Name = "bob", looking
up realm NULL
Tue Nov 26 11:51:26 2002 : Debug: rlm_realm: No such realm NULL
Tue Nov 26 11:51:26 2002 : Debug: modcall[authorize]: module "suffix" returns noop
Tue Nov 26 11:51:26 2002 : Debug: users: Matched DEFAULT at 152
Tue Nov 26 11:51:26 2002 : Debug: modcall[authorize]: module "files" returns ok
Tue Nov 26 11:51:26 2002 : Debug: rlm_ldap: - authorize
Tue Nov 26 11:51:26 2002 : Debug: rlm_ldap: performing user authorization for bob
Tue Nov 26 11:51:26 2002 : Debug: radius_xlat: '(uid=bob)'
Tue Nov 26 11:51:26 2002 : Debug: radius_xlat: 'ou=people,dc=blah,dc=blah'
Tue Nov 26 11:51:26 2002 : Debug: ldap_get_conn: Got Id: 0
Tue Nov 26 11:51:26 2002 : Debug: rlm_ldap: attempting LDAP reconnection
Tue Nov 26 11:51:26 2002 : Debug: rlm_ldap: (re)connect to ldap1.nau.edu:389,
authentication 0
Tue Nov 26 11:51:26 2002 : Debug: rlm_ldap: bind as
cn=Radius,ou=applications,dc=blah,dc=blah/******** to ldap1.nau.edu:389
Tue Nov 26 11:51:26 2002 : Debug: rlm_ldap: waiting for bind result ...
Tue Nov 26 11:51:26 2002 : Debug: rlm_ldap: performing search in
ou=people,dc=blah,dc=blah, with filter (uid=bob)
Tue Nov 26 11:51:26 2002 : Debug: rlm_ldap: looking for check items in directory...
Tue Nov 26 11:51:26 2002 : Debug: rlm_ldap: looking for reply items in directory...
Tue Nov 26 11:51:26 2002 : Debug: rlm_ldap: user bob authorized to use remote access
Tue Nov 26 11:51:26 2002 : Debug: ldap_release_conn: Release Id: 0
Tue Nov 26 11:51:26 2002 : Debug: modcall[authorize]: module "ldap" returns ok
Tue Nov 26 11:51:26 2002 : Debug: modcall: group authorize returns ok
Tue Nov 26 11:51:26 2002 : Debug: rad_check_password: Found Auth-Type System
Tue Nov 26 11:51:26 2002 : Debug: auth: type "System"
Tue Nov 26 11:51:26 2002 : Debug: modcall: entering group authenticate
Tue Nov 26 11:51:26 2002 : Auth: rlm_unix: [bob]: invalid password
Tue Nov 26 11:51:26 2002 : Debug: modcall[authenticate]: module "unix" returns reject
Tue Nov 26 11:51:26 2002 : Debug: modcall: group authenticate returns reject
Tue Nov 26 11:51:26 2002 : Debug: auth: Failed to validate the user.
Tue Nov 26 11:51:26 2002 : Auth: Login incorrect: [bob] (from client ucc174-test port
0)
Tue Nov 26 11:51:26 2002 : Debug: Delaying request 0 for 1 seconds
Tue Nov 26 11:51:26 2002 : Debug: Finished request 0
Tue Nov 26 11:51:26 2002 : Debug: Going to the next request
Tue Nov 26 11:51:26 2002 : Debug: --- Walking the entire request list ---
Tue Nov 26 11:51:26 2002 : Debug: Waking up in 1 seconds...
Tue Nov 26 11:51:27 2002 : Debug: --- Walking the entire request list ---
Tue Nov 26 11:51:27 2002 : Debug: Waking up in 1 seconds...
Tue Nov 26 11:51:28 2002 : Debug: --- Walking the entire request list ---
Sending Access-Reject of id 23 to 134.114.70.9:1982
Tue Nov 26 11:51:28 2002 : Debug: Waking up in 4 seconds...
Tue Nov 26 11:51:32 2002 : Debug: --- Walking the entire request list ---
Tue Nov 26 11:51:32 2002 : Debug: Cleaning up request 0 ID 23 with timestamp 3de3c2ae
Tue Nov 26 11:51:32 2002 : Debug: Nothing to do. Sleeping until we see a request.
### radiusd.conf LDAP stuff ###
ldap {
    server = "ldap1.ucc.nau.edu"
    identity = "cn=Radius,ou=applications,dc=nau,dc=edu"
    password = Wh0Ru?
    basedn = "ou=people,dc=nau,dc=edu"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    start_tls = no
    tls_mode = no
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    access_attr_used_for_allow = no
}
### more radiusd.conf ###
authorize {
    preprocess
    chap
    mschap
    suffix
    # files
    ldap
}
authenticate {
    authtype PAP {
        pap
    }
    authtype CHAP {
        chap
    }
    authtype MS-CHAP {
        mschap
    }
    # pam
    unix
    authtype LDAP {
        # We are using ldap... stp2
        ldap
    }
}
I thank in advance anyone who can offer an insight into this problem!
--
Samuel T Patterson
Systems Programmer
Northern Arizona University
Information and Technology Services
[EMAIL PROTECTED]
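
Added example (not part of the original post and not FreeRADIUS code): a small Python script that reduces two radiusd debug runs, such as the -xxx and -sxxx runs above, to their per-module return codes and reports the first module whose result differs. The sample input is excerpted from the logs in the post; the function names are illustrative.

```python
import re

STAMP = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4} : ")
MODCALL = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns\s+(\w+)')
ERROR = re.compile(r" : Error: (.*)")

# Excerpts of the two runs quoted in the post, including a mail-wrapped line.
THREADED = """\
Tue Nov 26 11:50:55 2002 : Debug: modcall[authorize]: module "mschap" returns
notfound
Tue Nov 26 11:50:55 2002 : Debug: modcall[authorize]: module "files" returns ok
Tue Nov 26 11:50:55 2002 : Error: rlm_ldap: (re)connection attempt failed
Tue Nov 26 11:50:55 2002 : Debug: modcall[authorize]: module "ldap" returns fail
"""
SINGLE = """\
Tue Nov 26 11:51:26 2002 : Debug: modcall[authorize]: module "mschap" returns
notfound
Tue Nov 26 11:51:26 2002 : Debug: modcall[authorize]: module "files" returns ok
Tue Nov 26 11:51:26 2002 : Debug: modcall[authorize]: module "ldap" returns ok
Tue Nov 26 11:51:26 2002 : Debug: modcall[authenticate]: module "unix" returns reject
"""

def unwrap(text):
    """Rejoin records that the mail client wrapped onto a second line."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not records:
            records.append(line)          # a new timestamped record
        else:
            records[-1] += " " + line     # continuation of the previous one
    return records

def module_results(text):
    """Return ([(section, module, result), ...], [error messages]) for one run."""
    records = unwrap(text)
    results = [m.groups() for m in map(MODCALL.search, records) if m]
    errors = [e.group(1) for e in map(ERROR.search, records) if e]
    return results, errors

def first_divergence(run_a, run_b):
    """First pair of differing module results, compared position by position."""
    return next(((a, b) for a, b in zip(run_a, run_b) if a != b), None)

if __name__ == "__main__":
    (threaded, threaded_errors), (single, _) = module_results(THREADED), module_results(SINGLE)
    print("first divergence:", first_divergence(threaded, single))
    print("errors in threaded run:", threaded_errors)
```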