Hello all...

Freeradius 0.9.2, built as an RPM on RedHat 7.3.
I'm using LDAP support to try and authenticate users against
Novell's eDirectory (which has the LDAP 'interface', as it were).

Our usernames are generally like: (or the full DN)
cn=Anstpbat,ou=NST,ou=AS,o=LSHTM

but they are all over the 'tree', so we have a container (in Novell
speak, don't know if it's an LDAP term!) called 'Login.lshtm', or
'ou=Login,o=LSHTM'.

I've been configuring radiusd.conf with that as the basedn:

basedn = "ou=Login,o=LSHTM"
filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"

And I get:

rad_recv: Access-Request packet from host 127.0.0.1:1619, id=248,
length=60
        User-Name = "anstpbat"
        User-Password = "qwert1e"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
modcall: entering group authorize for request 0
    rlm_realm: No '@' in User-Name = "anstpbat", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anstpbat
radius_xlat:  '(cn=anstpbat)'
radius_xlat:  'ou=Login,o=LSHTM'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 193.63.251.176:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as / to 193.63.251.176:636
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=Login,o=LSHTM, with filter
(cn=anstpbat)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user anstpbat authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "anstpbat" with password "qwert1e"
rlm_ldap: user DN: cn=Anstpbat,ou=Login,o=LSHTM
rlm_ldap: (re)connect to 193.63.251.176:636, authentication 1
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as cn=Anstpbat,ou=Login,o=LSHTM/qwert1e to
193.63.251.176:636
rlm_ldap: waiting for bind result ...
  modcall[authenticate]: module "ldap" returns reject for request 0
modcall: group Auth-Type returns reject for request 0
auth: Failed to validate the user.
Login incorrect (rlm_ldap: Bind as user failed): [anstpbat/qwert1e]
(from client localhost port 0)

If I fix the basedn as the actual 'unaliased' container:

basedn = "ou=NST,ou=AS,o=LSHTM"

I get:

rad_recv: Access-Request packet from host 127.0.0.1:1621, id=57,
length=60
        User-Name = "anstpbat"
        User-Password = "qwert1e"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
modcall: entering group authorize for request 0
    rlm_realm: No '@' in User-Name = "anstpbat", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anstpbat
radius_xlat:  '(cn=anstpbat)'
radius_xlat:  'ou=NST,ou=AS,o=LSHTM'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 193.63.251.176:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as / to 193.63.251.176:636
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=NST,ou=AS,o=LSHTM, with filter
(cn=anstpbat)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user anstpbat authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "anstpbat" with password "qwert1e"
rlm_ldap: user DN: cn=Anstpbat,ou=NST,ou=AS,o=LSHTM
rlm_ldap: (re)connect to 193.63.251.176:636, authentication 1
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as cn=Anstpbat,ou=NST,ou=AS,o=LSHTM/qwert1e to
193.63.251.176:636
rlm_ldap: waiting for bind result ...
rlm_ldap: user anstpbat authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 0
modcall: group Auth-Type returns ok for request 0
Login OK: [anstpbat] (from client localhost port 0)
Sending Access-Accept of id 57 to 127.0.0.1:1621

So, we have 'rlm_ldap: user anstpbat authorized to use remote access'
in both cases, so it's obviously reading something, but then can't do
the actual bind as the user, unless directed to the complete DN, rather
than trying to follow the 'alias'.

There is an object, 'aliasedObjectName' which contains the complete
name:
aliasedObjectName: cn=Anstpbat,ou=NST,ou=AS,o=LSHTM

Is there a way I can retrieve this initially, and then use this 'cn'
result as the parameter to the bind for the password?

I hope I've explained the above clearly... I'm not sure (but I'm
presuming) that these 'aliases' (essentially shortcuts to other bits of
the tree) are not standard LDAP items. However, we authenticate boxes in
a similar way using PAM and LDAP (for FTP/SSH, etc.), and that does
somehow seem to follow the reference from 'login.lshtm' down to the
proper DN.

I'd be grateful for any suggestions!



--------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-958 8353 / Fax: 0207- 636 9838 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
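The failure in the first trace is that rlm_ldap binds with the DN it found under the search base (cn=Anstpbat,ou=Login,o=LSHTM), which is the alias entry itself, not the object it points at. What a client has to do instead is read aliasedObjectName from the hit, follow it to the real entry, and bind as that DN. The Python below is an added example, not code from the original post or from FreeRADIUS: it models that search, dereference and bind sequence over a small constructed in-memory directory (the entries, the userPassword value and the helper names are all assumptions made for illustration; a real client would issue the search and the bind over the wire). It also guards the alias chain against a missing target, an alias loop and excessive hops, so a broken alias can never quietly turn into a bind against the wrong object, and it does not echo the password the way the rlm_ldap debug output above does.

```python
"""Resolve an LDAP alias (aliasedObjectName) to the real DN before binding.

Added example, not part of the original post or of FreeRADIUS. The
directory below is constructed for illustration: the entry under
ou=Login,o=LSHTM is an alias, and the real user object with the
credential lives under ou=NST,ou=AS,o=LSHTM, as in the post.
"""
import hmac
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Constructed directory: DN -> attributes (assumption, not real eDirectory data).
DIRECTORY: Dict[str, Entry] = {
    "cn=Anstpbat,ou=Login,o=LSHTM": {
        "objectClass": ["alias", "extensibleObject"],
        "cn": ["Anstpbat"],
        "aliasedObjectName": ["cn=Anstpbat,ou=NST,ou=AS,o=LSHTM"],
    },
    "cn=Anstpbat,ou=NST,ou=AS,o=LSHTM": {
        "objectClass": ["inetOrgPerson"],
        "cn": ["Anstpbat"],
        "userPassword": ["qwert1e"],  # constructed value for the example
    },
    # A deliberately broken alias loop, to exercise the guard.
    "cn=loop1,ou=Login,o=LSHTM": {
        "objectClass": ["alias"],
        "cn": ["loop1"],
        "aliasedObjectName": ["cn=loop2,ou=Login,o=LSHTM"],
    },
    "cn=loop2,ou=Login,o=LSHTM": {
        "objectClass": ["alias"],
        "cn": ["loop2"],
        "aliasedObjectName": ["cn=loop1,ou=Login,o=LSHTM"],
    },
}


def _norm(dn: str) -> str:
    """Case- and whitespace-insensitive key for comparing DNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def search_one(base: str, cn: str) -> Optional[str]:
    """One-level search for (cn=<cn>) directly under base; returns the hit's DN."""
    want = f"cn={cn}".lower()
    for dn in DIRECTORY:
        rdn, _, parent = dn.partition(",")
        if _norm(parent) == _norm(base) and rdn.strip().lower() == want:
            return dn
    return None


def deref_alias(dn: str, max_hops: int = 8) -> str:
    """Follow aliasedObjectName until a non-alias entry is reached.

    Raises on a missing target, an alias loop, a multi-valued alias or too
    many hops; the caller treats any of these as an authentication failure.
    """
    seen = set()
    for _ in range(max_hops):
        key = _norm(dn)
        if key in seen:
            raise ValueError(f"alias loop at {dn}")
        seen.add(key)
        entry = DIRECTORY.get(dn)
        if entry is None:
            raise LookupError(f"alias target does not exist: {dn}")
        classes = [c.lower() for c in entry.get("objectClass", [])]
        if "alias" not in classes:
            return dn  # reached the real object
        targets = entry.get("aliasedObjectName", [])
        if len(targets) != 1:
            raise ValueError(f"alias {dn} has {len(targets)} targets")
        dn = targets[0]
    raise ValueError(f"alias chain longer than {max_hops} hops")


def simple_bind(dn: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind: only an entry holding a credential
    can bind, so binding as the alias DN fails exactly as in the first trace."""
    entry = DIRECTORY.get(dn)
    if entry is None or "userPassword" not in entry:
        return False
    return any(hmac.compare_digest(password, p) for p in entry["userPassword"])


def authenticate(base: str, username: str, password: str) -> Optional[str]:
    """Search under base, dereference the alias, bind as the real DN.
    Returns the DN that authenticated, or None on any failure."""
    found = search_one(base, username)
    if found is None:
        return None
    try:
        real_dn = deref_alias(found)
    except (LookupError, ValueError):
        return None
    return real_dn if simple_bind(real_dn, password) else None


if __name__ == "__main__":
    print(authenticate("ou=Login,o=LSHTM", "anstpbat", "qwert1e"))
```

Before changing anything in radiusd.conf, the check worth running from the RADIUS host is whether the eDirectory server will dereference aliases for you on the search: with the OpenLDAP client tools, `ldapsearch -a always -b "ou=Login,o=LSHTM" "(cn=anstpbat)" dn` asks the server to dereference aliases in both the base and the results, and if the DN that comes back is the ou=NST one, the search side of the problem is solvable with server-side dereferencing rather than a second lookup (whether rlm_ldap 0.9.2 exposes that search option is not something this example assumes; check the module's documented configuration for your build). Either way, the DN handed to the bind must be the dereferenced one, which is what the block above does.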