Hi,
I use Whistle Blower to monitor our servers (mainly to make sure the servers are still
running). Basically Whistle Blower will attempt to validate a user named WhistleBlower
and validate the denial packet returned by the Radius server.
In our case doing so gives some problems. First of all we authenticate our users via
the users file and via our LDAP server. If the user is not found in the users file then
Radius tries via the LDAP server. It works fine. But of course we do not need to
authenticate the user WhistleBlower via LDAP. It unnecessarily fills the log file with:
Mon Feb 24 10:53:27 2003 : Auth: Login incorrect (rlm_ldap: User not found): [WhistleBlower] (from client YYY port 1)
What I did then was to create a user WhistleBlower at the beginning of the users file
using the "Auth-Type := Reject" attribute. Starting radiusd in debug mode and using radtest
I tested that user and access was rejected as expected, and radiusd didn't make use of
the rlm_ldap module:
-- test --
# /var/log/radius# radtest WhistleBlower fff 130.225.220.157:1645 0 testing123
Sending Access-Request of id 104 to 130.225.220.157:1645
User-Name = "WhistleBlower"
User-Password = "/D\333\355\026_}\2465zF]\021n\206\322"
NAS-IP-Address = woody
NAS-Port = 0
rad_recv: Access-Reject packet from host 130.225.220.157:1645, id=104, length=63
Reply-Message = "Whistle Blower user. Rejected by default."
# /var/log/radius#
-- end test --
But when starting radiusd normally it seems that it still tries to authenticate the
WhistleBlower user against the LDAP server. It seems to me that Radius ignores the
WhistleBlower user defined at the beginning of the users file:
-- log --
Mon Feb 24 10:47:58 2003 : Auth: Login OK: [keha] (from client XXX port 13 cli 45875082)
Mon Feb 24 10:49:42 2003 : Auth: Login OK: [ncje] (from client XXX port 7 cli 35851819)
Mon Feb 24 10:50:27 2003 : Auth: Login OK: [helno] (from client XXX port 3)
Mon Feb 24 10:50:36 2003 : Auth: Login OK: [bredahl] (from client XXX port 28 cli 59442154)
Mon Feb 24 10:51:21 2003 : Auth: Login OK: [schulz] (from client XXX port 23 cli 46367966)
Mon Feb 24 10:52:26 2003 : Auth: Login OK: [ues] (from client XXX port 20013 cli 46341822)
Mon Feb 24 10:53:27 2003 : Auth: Login incorrect (rlm_ldap: User not found): [WhistleBlower] (from client YYY port 1)
Mon Feb 24 10:53:47 2003 : Auth: Login incorrect (rlm_ldap: User not found): [WhistleBlower] (from client YYY port 1)
Mon Feb 24 10:54:07 2003 : Auth: Login incorrect (rlm_ldap: User not found): [WhistleBlower] (from client YYY port 1)
Mon Feb 24 10:54:07 2003 : Auth: Login OK: [ues] (from client XXX port 20006 cli 46341822)
Mon Feb 24 10:54:47 2003 : Auth: Login OK: [ncje] (from client XXX port 30 cli 35851819)
Mon Feb 24 10:55:04 2003 : Auth: Login OK: [ewt] (from client XXX port 8 cli 44482075)
-- end log --
Client YYY is correctly defined in the clients file...
I thought that by doing so I would avoid WhistleBlower being authenticated by our LDAP
server...
Any idea what goes wrong or what I could have misunderstood?
clients file is organized as:
1. WhistleBlower user
2. Local users
3. DEFAULT LDAP authentication
Regards,
David
___________________________________________________
David De Maeyer
Roskilde University Center
Computer Science Department
Box 260, Hus 42.1
4000 Roskilde
Denmark
voice (+45) 46 74 38 29 fax (+45) 46 74 30 72
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
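The users-file layout described in the post, written out as an added example (this is not David's own file and not part of the FreeRADIUS distribution): an explicit `Auth-Type := Reject` entry for the monitor user first, the locally authenticated users next, and a `DEFAULT` entry that hands everything else to rlm_ldap. The local username, its password, the reply attributes and the Reply-Message text are assumptions chosen for illustration.

```conf
# /etc/raddb/users -- added example, not the file from the post.
# rlm_files scans the entries top to bottom and uses the first one whose
# check items match the request; it only continues past a matching entry
# when that entry sets Fall-Through = Yes.

# 1. Monitor user. Auth-Type := Reject is honoured before any
#    authentication module runs, so rlm_ldap is never asked about it.
WhistleBlower   Auth-Type := Reject
                Reply-Message = "Whistle Blower user. Rejected by default."

# 2. Local users (the name and password here are placeholders).
keha            Auth-Type := Local, User-Password == "changeme"
                Service-Type = Framed-User,
                Framed-Protocol = PPP

# 3. Everyone else is authenticated against the LDAP server.
DEFAULT         Auth-Type := LDAP
                Fall-Through = No
```

Two things worth checking when the daemon in normal mode behaves differently from a debug run: that the running radiusd has actually re-read the users file since the entry was added (it is read at startup, so restart the daemon or send it SIGHUP after editing), and what `radiusd -X` shows for a request from the monitor host. If the entry is being matched, the debug output shows rlm_files setting `Auth-Type := Reject` and the request being rejected without any authenticate module, rlm_ldap included, being called.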