On Fri, 14 Nov 2003, Rohaizam Abu Bakar wrote:

>
> any comments in below problem...??
>
> --haizam
>
> ----- Original Message -----
> From: "Rohaizam Abu Bakar" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, November 12, 2003 8:59 AM
> Subject: Re: Status... rlm_ldap problem
>
>
> > I've sent all the error log/debug output before .. but Kostas asked me to
> > troubleshoot more....  but I do not know where to start.....  I will
> > explain again below:
> >
> > Problem A
> > ========
> > - Problem only exists when using FreeBSD 5.1 - with freeradius 0.9.2 & also
> > 0.9.0 (not tested in 0.9.1)
> > - My LDAP server is working fine all along (tested using manual ldapsearch
> > when the problem happens)

When running ldapsearch, did you bind with the problematic DNs or with the admin
DN? I would suggest trying to bind with the user DNs and see what happens.

Also check out the ldap server logs for the freeradius bind operations. There
should be something there that will explain what's happening. If there isn't, run
the ldap server in debug mode. I don't think there's much else to do in rlm_ldap
to fix the problem.


> >
> >
> > i) Error from radius.log
> >
> > Mon Oct 20 18:37:00 2003 : Error: rlm_ldap: uniqueIdentifier=227523,ou=RADIUS,ou=People,dc=com,dc=my bind to x.x.x.x:389 failed: timeout
> > Mon Oct 20 18:37:00 2003 : Error: rlm_ldap: uniqueIdentifier=717710,ou=RADIUS,ou=People,dc=com,dc=my bind to x.x.x.x:389 failed: timeout
> > Mon Oct 20 18:37:03 2003 : Error: rlm_ldap: uniqueIdentifier=983053,ou=RADIUS,ou=People,dc=com,dc=my bind to x.x.x.x:389 failed: timeout
> >
> >
> > ii) From debug output
> >
> > ...........
> > rlm_ldap: performing search in ou=People,dc=jaring,dc=my, with filter (uid=spts)
> > rlm_ldap: checking if remote access for spts is allowed by dialupAccess
> > rlm_ldap: looking for check items in directory...
> > rlm_ldap: looking for reply items in directory...
> > rlm_ldap: Adding radiusSessionTimeout as Session-Timeout, value 21600 & op=11
> > rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value Van-Jacobson-TCP-IP & op=11
> > rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500 & op=11
> > rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP & op=11
> > rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & op=11
> > rlm_ldap: user spts authorized to use remote access
> > ldap_release_conn: Release Id: 0
> >   modcall[authorize]: module "ldap1" returns ok for request 561
> > modcall: group redundant returns ok for request 561
> > modcall: group authorize returns ok for request 561
> >   rad_check_password:  Found Auth-Type LDAP
> > auth: type "LDAP"
> > modcall: entering group Auth-Type for request 561
> > modcall: entering group redundant for request 561
> > rlm_ldap: - authenticate
> > rlm_ldap: login attempt by "spts" with password "XXXX"
> > rlm_ldap: user DN: uniqueIdentifier=687130,ou=RADIUS,ou=People,dc=jaring,dc=my
> > rlm_ldap: (re)connect to 61.6.32.201:389, authentication 1
> > rlm_ldap: bind as uniqueIdentifier=687130,ou=RADIUS,ou=People,dc=jaring,dc=my/spts2003 to 61.6.32.201:389
> > rlm_ldap: waiting for bind result ...
> > rlm_ldap: ldap_result()
> > rlm_ldap: uniqueIdentifier=687130,ou=RADIUS,ou=People,dc=jaring,dc=my bind to 61.6.32.201:389 failed: timeout
> > rlm_ldap: ldap_connect() failed
> >   modcall[authenticate]: module "ldap1" returns fail for request 561
> > rlm_ldap: - authenticate
> > rlm_ldap: login attempt by "spts" with password "XXXX"
> > rlm_ldap: user DN: uniqueIdentifier=687130,ou=RADIUS,ou=People,dc=jaring,dc=my
> > rlm_ldap: (re)connect to 61.6.32.97:389, authentication 1
> > rlm_ldap: bind as uniqueIdentifier=687130,ou=RADIUS,ou=People,dc=jaring,dc=my/spts2003 to 61.6.32.97:389
> > rlm_ldap: waiting for bind result ...
> > rlm_ldap: ldap_result()
> > rlm_ldap: uniqueIdentifier=687130,ou=RADIUS,ou=People,dc=jaring,dc=my bind to 61.6.32.97:389 failed: timeout
> > rlm_ldap: ldap_connect() failed
> >   modcall[authenticate]: module "ldap2" returns fail for request 561
> > modcall: group redundant returns fail for request 561
> > modcall: group Auth-Type returns fail for request 561
> > auth: Failed to validate the user.
> > Login incorrect: [spts] (from client jhb34 port 239 cli 072270533)
> > Delaying request 561 for 1 seconds
> > Finished request 561
> > Going to the next request
> > .................
> >
> >
> > Problem B
> > ========
> >
> > - ADDED to above problem.. I'm still having "Unresponsive child" problem
> > - LDAP working fine...
> > - not that critical compare to above...
> >
> > i) From radius.log
> >
> > Wed Nov 12 00:59:52 2003 : Error: WARNING: Unresponsive child (id 136795136) for request 322196
> > Wed Nov 12 01:00:13 2003 : Error: WARNING: Unresponsive child (id 136585216) for request 322292
> > Wed Nov 12 08:42:48 2003 : Error: WARNING: Unresponsive child (id 135698432) for request 15206

It's normal, since rlm_ldap takes a long time to time out.

> >
> >
> > ii) My ldap setting in radiusd.conf - maybe tuning is needed here.....
> >
> >
> > max_request_time = 30
> > delete_blocked_requests = no
> > cleanup_delay = 5
> > max_requests = 256000
> > hostname_lookups = yes
> > allow_core_dumps = no
> >
> > start_servers = 20
> > max_servers = 1024
> > min_spare_servers = 10
> > max_spare_servers = 20
> >
> >
> >         ldap ldap2 {
> >                 server = "10.1.1.1"
> >                 identity = "cn=Sysadmin,ou=Applications,dc=jaring,dc=my"
> >                 password = XXXXXX
> >                 basedn = "ou=People,dc=jaring,dc=my"
> >                 filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> >                 start_tls = no
> >                 access_attr = "dialupAccess"
> >                 dictionary_mapping = ${raddbdir}/ldap.attrmap
> >                 ldap_connections_number = 256
> >                 timeout = 10
> >                 timelimit =10
> >                 net_timeout = 5
> >         }
> >
> >
> >
> > Hopefully above info good enough to troubleshoot the problem...
> >
> >
> > --haizam
> >
> >
> > ----- Original Message -----
> > From: "Alan DeKok" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Monday, November 10, 2003 10:47 PM
> > Subject: Re: Status...
> >
> >
> > > "Rohaizam Abu Bakar" <[EMAIL PROTECTED]> wrote:
> > > > Hopefully in 1.0 release, rlm_ldap can work well with FreeBSD 5.1
> > > > Currently it has problem.. so i stick with FreeBSD 4.8 (and 4.9)
> > >
> > >   Are you willing to tell us what those problems are?
> > >
> > >   Alan DeKok.
> > >
> > > -
> > > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
> >
> >
>
>
>
>

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]       National Technical University of Athens, Greece
Work Phone:             +30 210 7721861
'Go back to the shadow' Gandalf
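
Added example, not part of the original thread and not FreeRADIUS code: a small parser that rejoins mail-wrapped radius.log records, extracts the rlm_ldap "bind to ... failed" lines, and reports failures per LDAP server plus the distinct user DNs to retry by hand with a user bind, as suggested in the reply above. The sample log is constructed; its DNs and addresses are placeholders.

```python
import re
from collections import Counter

# Constructed sample in the shape of the quoted radius.log excerpt, including
# mail quote markers and wrapped lines. DNs and addresses are placeholders.
SAMPLE = """\
> > Mon Oct 20 18:37:00 2003 : Error: rlm_ldap:
> > uniqueIdentifier=1001,ou=RADIUS,ou=People,dc=example,dc=org bind to
> 192.0.2.10:389
> > failed: timeout
> > Mon Oct 20 18:37:00 2003 : Error: rlm_ldap:
> > uniqueIdentifier=1002,ou=RADIUS,ou=People,dc=example,dc=org bind to
> 192.0.2.10:389
> > failed: timeout
> > Mon Oct 20 18:37:03 2003 : Error: rlm_ldap:
> > uniqueIdentifier=1001,ou=RADIUS,ou=People,dc=example,dc=org bind to
> > 192.0.2.11:389 failed: timeout
> > Wed Nov 12 00:59:52 2003 : Error: WARNING: Unresponsive child (id
> 1) for request 7
"""

QUOTE = re.compile(r"^(?:>\s?)+")  # leading "> > " reply markers
STAMP = re.compile(r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4} : ")
BIND_FAIL = re.compile(
    r"rlm_ldap: (?P<dn>\S+) bind to (?P<server>\S+) failed: (?P<reason>.+)$")

def unwrap(text):
    """Strip quote markers; a timestamp starts a record, other lines continue it."""
    records = []
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).strip()
        if not line:
            continue
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def bind_failures(text):
    """Return (dn, server, reason) for every failed rlm_ldap bind record."""
    hits = (BIND_FAIL.search(rec) for rec in unwrap(text))
    return [(m["dn"], m["server"], m["reason"]) for m in hits if m]

def summarize(text):
    """Failures per server, and the sorted distinct DNs to retest manually."""
    fails = bind_failures(text)
    return Counter(s for _, s, _ in fails), sorted({d for d, _, _ in fails})

if __name__ == "__main__":
    print(summarize(SAMPLE))
```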
