Quote from David W Bell <[EMAIL PROTECTED]>:
Markus Krause wrote:
Quote from David W Bell <[EMAIL PROTECTED]>:
Markus Krause wrote:
Quote from David W Bell <[EMAIL PROTECTED]>:

Markus Krause wrote:
Quote from David W Bell <[EMAIL PROTECTED]>:

LDAP is installed and working out of the box, having been set to be
used for authentication during the SUSE install.

This is proven by the ability to log in to the box, both locally and via SSH

I installed freeRADIUS from the latest source and it is working also.

freeRADIUS seems unable to find a password for the user during authentication.

I issue the following on my workstation

[EMAIL PROTECTED]:~$ echo "User-Name = belld,Password=p455w0rd" |
radclient 212.95.255.242:1812 auth testing
Received response ID 99, code 3, length = 20

And see the following from freeRADIUS:

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 212.95.252.25 port 20758,
id=99, length=45
    User-Name = "belld"
    User-Password = "p455w0rd"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "belld", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for belld
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
    expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
    expand: dc=dxi,dc=net -> dc=dxi,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that
the user is configured correctly?
rlm_ldap: user belld authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0)
Found Post-Auth-Type Reject
+- entering group REJECT
    expand: %{User-Name} -> belld
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 99 to 212.95.252.25 port 20758
Waking up in 4.9 seconds.

What I can't work out is whether this is due to an LDAP or a RADIUS
config problem.


What is the result of the following commands (using a terminal)?
ldapsearch -x -h localhost -b "dc=dxi,dc=net" uid=belld
ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld

If they (especially the latter) do not return a value for the field "userPassword", the problem is on the LDAP side.

markus


----------------------------------------------------------------------
This message was sent using https://webmail.biochem.mpg.de
If you encounter any problems please report to [EMAIL PROTECTED]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks Markus.

I thought of that - and had done the 1st search and HAD noticed there
was no LDAP password set

# extended LDIF
#
# LDAPv3
# base <dc=dxi,dc=net> with scope subtree
# filter: uid=belld
# requesting: ALL
#

# belld, people, dxi.net
dn: uid=belld,ou=people,dc=dxi,dc=net
cn: David Bell
gidNumber: 100
givenName: David
homeDirectory: /home/belld
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
shadowInactive: -1
shadowMax: 99999
shadowMin: 0
shadowWarning: 7
sn: Bell
uid: belld
uidNumber: 1000
shadowLastChange: 13920

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[EMAIL PROTECTED]:~>

I thought this was because LDAP was handing that aspect over to
something else but your second command shows a password.

[EMAIL PROTECTED]:~> ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D
"cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld
# extended LDIF
#
# LDAPv3
# base <dc=dxi,dc=net> with scope subtree
# filter: uid=belld
# requesting: ALL
#

# belld, people, dxi.net
dn: uid=belld,ou=people,dc=dxi,dc=net
cn: David Bell
gidNumber: 100
givenName: David
homeDirectory: /home/belld
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
shadowInactive: -1
shadowMax: 99999
shadowMin: 0
shadowWarning: 7
sn: Bell
uid: belld
uidNumber: 1000
userPassword:: e2NyeXB0fWUvMmlHZW9tWXJHTG8=
shadowLastChange: 13920

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[EMAIL PROTECTED]:~>

Any further thoughts?

David
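Markus's check above (does the ldapsearch output carry a userPassword value, and what does the radiusd -X transcript say about it) scripted as a small shell helper. This is an added example, not code from the thread, from FreeRADIUS or from OpenLDAP; the function names are mine, and the LDIF and debug samples are constructed from the outputs David posted.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeRADIUS/OpenLDAP.
# Two checks a practitioner would script from this thread:
#   1. does an ldapsearch LDIF dump carry a userPassword value, and in
#      which scheme (LDIF's "attr::" means the value is base64-encoded)
#   2. does a radiusd -X transcript show the two warnings seen above
# Function names and sample inputs are my own; the samples are
# constructed from the outputs posted in the thread.

# Constructed LDIF sample, as returned by the authenticated ldapsearch.
LDIF_SAMPLE='dn: uid=belld,ou=people,dc=dxi,dc=net
uid: belld
userPassword:: e2NyeXB0fWUvMmlHZW9tWXJHTG8=
shadowLastChange: 13920'

# Constructed radiusd -X excerpt with the two warnings from the thread.
DEBUG_SAMPLE='rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
WARNING: No "known good" password was found in LDAP.  Are you sure that
the user is configured correctly?
++[ldap] returns ok
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user'

# Read LDIF on stdin and print the userPassword value, decoded if it was
# base64 ("userPassword::"). Prints nothing when the attribute is absent,
# which is what an anonymous bind gets when the ACL hides the attribute.
ldif_userpassword() {
    # LDIF folds long values onto continuation lines that start with a
    # space; join them back onto the attribute line before matching.
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { print "" }
         { printf "%s", $0 }
         END { if (NR > 0) print "" }' |
    while IFS= read -r line; do
        case "$line" in
            'userPassword:: '*)
                printf '%s\n' "${line#userPassword:: }" | base64 -d
                printf '\n'
                ;;
            'userPassword: '*)
                printf '%s\n' "${line#userPassword: }"
                ;;
        esac
    done
}

# Classify the password stored for the user in an LDIF dump ($1):
#   absent     no userPassword attribute returned (check the ACL / bind DN)
#   <scheme>   RFC 2307 "{scheme}" prefix, e.g. crypt, ssha, md5
#   cleartext  no scheme prefix at all
password_scheme() {
    pw=$(printf '%s\n' "$1" | ldif_userpassword)
    case "$pw" in
        '')       echo absent ;;
        '{'*'}'*) pw="${pw#\{}"; echo "${pw%%\}*}" ;;
        *)        echo cleartext ;;
    esac
}

# Read a radiusd -X transcript on stdin and report which of the two
# warnings occurred. Both together means no module produced a known-good
# password and nothing set Auth-Type, so the request is rejected before
# any password is ever compared.
radius_diagnose() {
    nopw=0
    noauth=0
    while IFS= read -r line; do
        case "$line" in
            *'No "known good" password'*)           nopw=1 ;;
            *'No authenticate method (Auth-Type)'*) noauth=1 ;;
        esac
    done
    if [ "$nopw" -eq 1 ] && [ "$noauth" -eq 1 ]; then
        echo no-password-and-no-auth-type
    elif [ "$nopw" -eq 1 ]; then
        echo no-password
    elif [ "$noauth" -eq 1 ]; then
        echo no-auth-type
    else
        echo ok
    fi
}

# Usage against the constructed samples; with real output pipe in
#   ldapsearch ... | ldif_userpassword    and    radiusd -X | radius_diagnose
printf 'userPassword: %s\n' "$(printf '%s\n' "$LDIF_SAMPLE" | ldif_userpassword)"
printf 'scheme:       %s\n' "$(password_scheme "$LDIF_SAMPLE")"
printf 'radiusd:      %s\n' "$(printf '%s\n' "$DEBUG_SAMPLE" | radius_diagnose)"
```

The double colon in `userPassword::` is LDIF's marker for a base64-encoded value, which is why the authenticated dump above shows `e2Ny...` rather than the stored `{crypt}...` string; the decoded value is a crypt(3) hash, which rlm_pap can only verify if some module hands it over as a known-good password, and the transcript shows that never happened here. Note also that the `rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/...` debug line prints the bind password in clear, so a `radiusd -X` transcript is itself sensitive and should be scrubbed before it is pasted anywhere.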

Not showing a userPassword field using an anonymous bind (the first command) is actually expected; as rootdn it should work. I assume the following command reveals the userPassword as well:
ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D "uid=belld,ou=people,dc=dxi,dc=net" -w p455w0rd uid=belld

I am wondering why the debug output of freeradius says you're binding as Administrator; if the command above works this should not be necessary. Could you post the ldap section of your radiusd.conf?

regards
markus

Config as requested - I did uncomment and configure the identity
section - is this not required?

      ldap {
              #
              #  Note that this needs to match the name in the LDAP
              #  server certificate, if you're using ldaps.
              server = "localhost"
              identity = "cn=Administrator,dc=dxi,dc=net"
              password = trPic4n03
              basedn = "dc=dxi,dc=net"
              filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
              #base_filter = "(objectclass=radiusprofile)"

              #  How many connections to keep open to the LDAP server.
              #  This saves time over opening a new LDAP socket for
              #  every authentication request.
              ldap_connections_number = 5

              # seconds to wait for LDAP query to finish. default: 20
              timeout = 4

              #  seconds LDAP server has to process the query (server-side
              #  time limit). default: 20
              #
              #  LDAP_OPT_TIMELIMIT is set to this value.
              timelimit = 3

              #
              #  seconds to wait for response of the server. (network
              #   failures) default: 10
              #
              #  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
              net_timeout = 1

              #
              #  This subsection configures the tls related items
              #  that control how FreeRADIUS connects to an LDAP
              #  server.  It contains all of the "tls_*" configuration
              #  entries used in older versions of FreeRADIUS.  Those
              #  configuration entries can still be used, but we recommend
              #  using these.
              #
              tls {
                      # Set this to 'yes' to use TLS encrypted connections
                      # to the LDAP database by using the StartTLS extended
                      # operation.
                      #
                      # The StartTLS operation is supposed to be
                      # used with normal ldap connections instead of
                      # using ldaps (port 636) connections
                      start_tls = no

                      # cacertfile    = /path/to/cacert.pem
                      # cacertdir     = /path/to/ca/dir/
                      # certfile      = /path/to/radius.crt
                      # keyfile       = /path/to/radius.key
                      # randfile      = /path/to/rnd

                      #  Certificate Verification requirements.  Can be:
                      #    "never" (don't even bother trying)
                      #    "allow" (try, but don't fail if the certificate
                      #               can't be verified)
                      #    "demand" (fail if the certificate doesn't verify.)
                      #
                      #       The default is "allow"
                      # require_cert  = "demand"
              }

              # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
              # profile_attribute = "radiusProfileDn"
              # access_attr = "dialupAccess"

              # Mapping of RADIUS dictionary attributes to LDAP
              # directory attributes.
              dictionary_mapping = ${confdir}/ldap.attrmap

              #  Set password_attribute = nspmPassword to get the
              #  user's password from a Novell eDirectory
              #  backend. This will work ONLY IF FreeRADIUS has been
              #  built with the --with-edir configure option.
              #
              # password_attribute = userPassword

              #  Un-comment the following to disable Novell
              #  eDirectory account policy check and intruder
              #  detection. This will work *only if* FreeRADIUS is
              #  configured to build with --with-edir option.
              #
              edir_account_policy_check = no

              #
              #  Group membership checking.  Disabled by default.
              #
              # groupname_attribute = cn
              # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
              # groupmembership_attribute = radiusGroupName

              # compare_check_items = yes
              # do_xlat = yes
              # access_attr_used_for_allow = yes

              #
              #  By default, if the packet contains a User-Password,
              #  and no other module is configured to handle the
              #  authentication, the LDAP module sets itself to do
              #  LDAP bind for authentication.
              #
              #  THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
              #
              #  THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
              #
              #  You can disable this behavior by setting the following
              #  configuration entry to "no".
              #
              #  allowed values: {no, yes}
              # set_auth_type = yes

              #  ldap_debug: debug flag for LDAP SDK
              #  (see OpenLDAP documentation).  Set this to enable
              #  huge amounts of LDAP debugging on the screen.
              #  You should only use this if you are an LDAP expert.
              #
              #       default: 0x0000 (no debugging messages)
              #       Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
              #ldap_debug = 0x0028
      }



AFAIK the identity value has to be configured if you are using the ldap part for more than binding ("check if a password is correct"), e.g. for use with PEAP, as the radius server then needs access to possibly protected fields like sambaLMPassword.

what happens/changes if you comment out identity and password? (regarding debug etc.)

m.



With the identity/password section commented out it is still the same
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 212.95.252.25 port 31542,
id=208, length=45
       User-Name = "belld"
       User-Password = "p455w0rd"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
   rlm_realm: No '@' in User-Name = "belld", looking up realm NULL
   rlm_realm: No such realm "NULL"
++[suffix] returns noop
 rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for belld
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
       expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
       expand: dc=dxi,dc=net -> dc=dxi,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that
the user is configured correctly?
rlm_ldap: user belld authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0)
 Found Post-Auth-Type Reject
+- entering group REJECT
       expand: %{User-Name} -> belld
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 208 to 212.95.252.25 port 31542
Waking up in 4.9 seconds.
Cleaning up request 0 ID 208 with timestamp +3
Ready to process requests.

Anything else you can suggest poking at?

Thanks again for your time


Hmm, I'll test this tomorrow on my (virtual) testing machine (it is running SLES10 SP1) and post my config and log output; maybe this reveals something...

regards
  markus

Attachment: smime.p7s
Description: S/MIME cryptographic signature