Hi all

I have an issue where I'm trying to use realms to determine which LDAP server to authenticate a user against. What seems to happen is that the realm in my users file is never matched, and hence the authentication fails. Any help would be greatly appreciated.

My users file is -
# Entries are tried in order; the first DEFAULT whose check items all match wins
# (no Fall-Through is set on any entry, so matching stops there).
# Realm is not carried in the Access-Request (the packet shown holds only
# User-Name and User-Password); it exists only if the realm module (the
# "suffix" instance) ran earlier in authorize. The authorize section as posted
# does not call it, which is consistent with the debug output matching
# "DEFAULT at line 9" -- the catch-all Reject below -- for every request.
DEFAULT Realm == "NULL", Auth-Type := ldap-default, Autz-Type := ldap-default
# Names carrying the test.com suffix: authorize and authenticate through the
# "test.com" LDAP instance.
DEFAULT Realm == "test.com", Auth-Type :=test.com, Autz-Type := test.com
# Catch-all: anything not claimed by an entry above is rejected. Keep it last.
DEFAULT Auth-Type := Reject

My proxy.conf has the following -
# Realm for user@test.com names. authhost/accthost = LOCAL means the request
# is handled by this server rather than proxied; rlm_realm still adds the
# Realm attribute that the users file checks.
realm test.com {
      type = radius
      authhost        = LOCAL
      accthost        = LOCAL
      # nostrip: Stripped-User-Name is NOT set for this realm, so the LDAP
      # filter "(uid=%{Stripped-User-Name:-%{User-Name}})" falls back to the
      # full user@test.com string -- confirm that is what the directory's uid
      # attribute holds, otherwise the LDAP lookup misses even once Realm is set.
      nostrip
}
# Realm assigned by rlm_realm (ignore_null = no) when the User-Name carries no
# "@" suffix; the users file matches it with Realm == "NULL". Handled locally.
realm NULL {
      type            = radius
      authhost        = LOCAL
      accthost        = LOCAL
}
# Realm literally named LOCAL (presumably for names of the form user@LOCAL);
# like the others it is handled by this server, nothing is proxied.
realm LOCAL {
      type            = radius
      authhost        = LOCAL
      accthost        = LOCAL
}

The radius.conf is -
# Install layout. ${name} references expand to the variable defined above
# (logdir = /var/log/radius, confdir = /etc/raddb, ...).
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = /etc/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run
log_file = ${logdir}/radiusd.log
pidfile = ${run_dir}/radiusd.pid
# Unprivileged account the daemon switches to after start-up.
user = radiusd
group = radiusd
libdir = /usr/lib/freeradius
# Request lifetime and queue limits; max_requests caps how many requests may
# be in flight before new packets are dropped.
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 256
# Listen on every interface; port 0 = take the port number from /etc/services.
bind_address = *
port = 0
hostname_lookups = no
# A core file would contain the shared secrets and the LDAP bind passwords.
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
# Authentication logging. With log_auth_badpass the "Login incorrect" line
# carries the password the client sent (see the debug output: [user/xxx]);
# mistyped passwords are usually one character off the real one, so log_file
# should be readable by the radiusd user only.
log_stripped_names = yes
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = no
# No username/password normalisation (no case folding, no space stripping).
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
# Per-packet limits: max_attributes bounds how many attributes one packet may
# carry (a cheap guard against malformed or padded requests); reject_delay
# holds each Access-Reject for one second, which slows password guessing
# (visible in the debug output as "Delaying request 2 for 1 seconds");
# status_server = no means Status-Server probes are not answered.
security {
      max_attributes = 200
      reject_delay = 1
      status_server = no
}
# Proxying is enabled, but every realm in proxy.conf is authhost = LOCAL, so
# nothing actually leaves this server. clients.conf supplies the NAS shared
# secrets. The SNMP sub-agent is off.
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
snmp    = no
# Worker threads: start with one, grow to four; max_requests_per_server = 0
# means a thread is never recycled after a fixed number of requests.
thread pool {
      start_servers = 1
      max_servers = 4
      min_spare_servers = 1
      max_spare_servers = 3
      max_requests_per_server = 0
}
modules {
      # PAP: compares User-Password against a crypt(3)-hashed check value.
      pap {
              #auto_header = yes
encryption_scheme = crypt
      }
      chap {
              authtype = CHAP
      }
$INCLUDE ${confdir}/eap.conf
      # MS-CHAP: require_encryption/require_strong reject sessions that do not
      # negotiate MPPE with 128-bit keys.
      # NOTE(review): "authtype = MS-CHAP" appears twice in this block; the
      # duplicate is harmless but should be dropped.
      mschap {
              authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
authtype = MS-CHAP
#               with_ntdomain_hack = yes
      }
      # Users file; compat = no selects the native (non-cistron) parser.
      files {
              usersfile = ${confdir}/users
              compat = no
      }
### Added
# LDAP instance for Realm test.com. It is only reachable through the
# Autz-Type / Auth-Type "test.com" groups, i.e. only after the users file has
# matched its Realm == "test.com" entry.
ldap test.com {
              server = "ldap1.test.com"
              #port = 389
              port = 636
              # Bind credentials are stored in clear text in this file (values
              # redacted here); the file must not be readable by other users.
              identity = "cn=xxxx"
              password = "xxx"
              basedn = "o=xxx"
              # Realm test.com is "nostrip", so Stripped-User-Name is absent and
              # this falls back to the full User-Name (user@test.com) -- confirm
              # that is what the uid attribute holds.
              filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
              # NOTE(review): tls_mode = yes is combined with the ldaps port 636;
              # confirm this rlm_ldap version treats tls_mode as ldaps rather
              # than StartTLS on 389. A mismatch would surface as a connect or
              # bind error, not as the users-file miss in the debug output.
              tls_mode        = yes
              # CA material used to verify the directory server's certificate.
              tls_cacertfile         = /etc/raddb/certs/cert.b64
              tls_cacertdir          = /etc/raddb/certs/
              dictionary_mapping = ${raddbdir}/ldap.attrmap
              ldap_connections_number = 5
              edir_account_policy_check=no
              # Seconds: query timeout, server-side search time limit, connect timeout.
              timeout = 4
              timelimit = 3
              net_timeout = 1
              # When this instance runs in authorize and finds the user it sets
              # Auth-Type to its own name ("test.com") unless already set.
              set_auth_type = yes
              # Directory attribute read as the user's password
              # (nspmPassword -- presumably eDirectory universal password; verify).
              password_attribute = nspmPassword
      }
# Same directory server with a different bind identity; selected for names
# without a realm (Realm == "NULL") and also called unconditionally from
# post-auth. Apart from identity the two instances are identical.
ldap ldap-default {
              server = "ldap1.test.com"
              #port = 389
              port = 636
              identity = "cn=xxxl"
              password = "xxx"
              basedn = "o=xxx"
              filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
              tls_mode        = yes
              tls_cacertfile         = /etc/raddb/certs/cert.b64
              tls_cacertdir          = /etc/raddb/certs/
              dictionary_mapping = ${raddbdir}/ldap.attrmap
              ldap_connections_number = 5
              edir_account_policy_check=no
              timeout = 4
              timelimit = 3
              net_timeout = 1
              set_auth_type = yes
password_attribute = nspmPassword
      }
### //

# Realm module instance: splits User-Name at the "@" delimiter, looks the
# suffix up among the realms in proxy.conf and adds the Realm attribute (and
# Stripped-User-Name unless the realm is nostrip). ignore_null = no maps
# names without "@" to realm NULL; ignore_default = no would use a DEFAULT
# realm for unknown suffixes if one were defined.
# NOTE(review): this instance is defined but never invoked -- the authorize
# section below does not list "suffix", so Realm is never set and the
# users-file Realm checks cannot match. Add "suffix" to authorize ahead of
# "files".
realm suffix {
              format = suffix
              delimiter = "@"
              ignore_default = no
              ignore_null = no
      }

}
# Each Auth-Type group runs only when Auth-Type holds exactly that value. For
# test.com and ldap-default the value comes from the users file (or from the
# LDAP instance's set_auth_type), neither of which happens while Realm is
# unset -- the debug output shows Auth-Type = Reject instead.
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
      Auth-Type MS-CHAP {
              mschap
      }
### Added
      # Bind to LDAP as the user via the test.com instance.
Auth-Type test.com {
test.com
}
      # Bind to LDAP as the user via the ldap-default instance.
      Auth-Type ldap-default {
             ldap-default
      }
### //
      # eap runs for every request that reaches here without a matching group.
      eap

}

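# authorize: decides Auth-Type / Autz-Type for the request before authenticate
# runs. Module order matters: whatever sets Realm must run before "files",
# because the users-file DEFAULT entries are keyed on Realm.
authorize {
      chap
      mschap
      # Realm module (instance "realm suffix" in modules): splits user@realm on
      # "@", adds Realm and -- unless the realm is nostrip -- Stripped-User-Name.
      # Without this call Realm is never present, the Realm == "NULL" /
      # "test.com" entries can never match, and every request falls through
      # to the catch-all "Auth-Type := Reject" line.
      suffix
      eap
      files
### Added
      # Reached only when the users file set Autz-Type; the LDAP instance then
      # looks the user up and, with set_auth_type = yes, picks the Auth-Type.
      Autz-Type test.com {
       test.com
      }
      Autz-Type ldap-default {
       ldap-default
      }
### //
}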

# post-auth: ldap-default is called after every Access-Accept and, through the
# REJECT group, after every reject as well (the debug output shows it
# returning noop on a rejected request). NOTE(review): confirm the directory
# round-trip on every rejected request -- including bad-password guesses --
# is intended; it adds one LDAP operation per failed attempt.
post-auth {
ldap-default
Post-Auth-Type REJECT {
ldap-default
}
}

I then see the following debug output -

rad_recv: Access-Request packet from host xxx:40485, id=38, length=63
      User-Name = "[email protected]"
      User-Password = "xx"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 2
  users: Matched entry DEFAULT at line 9
modcall[authorize]: module "files" returns ok for request 2
modcall: leaving group authorize (returns ok) for request 2
rad_check_password:  Found Auth-Type Reject
rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Login incorrect: [[email protected]/xxx] (from client xxx port 0)
Found Post-Auth-Type
Processing the post-auth section of radiusd.conf
modcall: entering group REJECT for request 2
modcall[post-auth]: module "ldap-default" returns noop for request 2
modcall: leaving group REJECT (returns noop) for request 2
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---





