Greetings,

I've been using the documentation here: http://wiki.freeradius.org/Virtual_server attempting to create 2 virtual servers on the same socket, each associated with a client.

I have already configured the ldap module, as well as added some lines to the users file. Before "virtualizing" I am able to authenticate my ldap users via radtest.

Here's the config that works against LDAP, before trying to add to a virtual server:
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
user = freerad
group = freerad
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
    type = auth
    ipaddr = *
    port = 1812
}
listen {
    ipaddr = *
    port = 1813
    type = acct
}
client 192.168.1.0/24 {
    secret = testing123
}

hostname_lookups = no
allow_core_dumps = no
regular_expressions    = yes
extended_expressions    = yes
log {
    destination = files
    file = ${logdir}/radius.log
    syslog_facility = daemon
    stripped_names = yes
    auth = yes
    auth_badpass = yes
    auth_goodpass = no
    msg_goodpass = "Great Success!"
    msg_badpass = "I'm sorry but you appear to have entered a incorrect password or you may not be authorized to access this equipment"
}
checkrad = ${sbindir}/checkrad
security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
}
proxy_requests  = yes
$INCLUDE proxy.conf
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}
modules {
    $INCLUDE ${confdir}/modules/
    $INCLUDE eap.conf
}
instantiate {
    exec
    expr
    expiration
    logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/

...And the output from a test in debug mode (edited out passwords and password hashes):

  [ldap] Entering ldap_groupcmp()
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] ldap_release_conn: Release Id: 0
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
rlm_ldap::ldap_groupcmp: User found in group NOC
  [ldap] ldap_release_conn: Release Id: 0
[ldap] performing user authorization for cjohnson
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] sambaNtPassword -> NT-Password == 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[ldap] sambaLmPassword -> LM-Password == 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[ldap] looking for reply items in directory...
[ldap] Setting Auth-Type = LDAP
[ldap] user cjohnson authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
[ldap] login attempt by "cjohnson" with password "s3cret"
[ldap] user DN: uid=cjohnson,ou=Users,dc=corp,dc=example,dc=com
  [ldap] (re)connect to 192.168.1.99:389, authentication 1
[ldap] bind as uid=cjohnson,ou=Users,dc=corp,dc=example,dc=com/s3cret to 192.168.1.99:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
[ldap] user cjohnson authenticated succesfully
Login OK: [cjohnson] (from client 192.168.1.0/24 port 0) Great Success!
Waking up in 4.0 seconds.

Here are the changes I made to the config, attempting to add the current setup to virtual server "server_one":

...
listen {
    type = auth
    ipaddr = *
    port = 1812
}
listen {
    ipaddr = *
    port = 1813
    type = acct
}
client 192.168.1.0/24 {
    virtual_server = server_one
    secret = testing123
}
server server_one {
}
...

The rest of the config is the same. The server will start, but now I can't see my LDAP users; here's the log entry:
server server_one {
Login incorrect: [cjohnson/s3cret] (from client 192.168.1.0/24 port 0) I'm sorry but you appear to have entered a incorrect password or you may not be authorized to access this equipment
} # server server_one

Is there something I need to put within the server section? It's as if the ldap module and the users file aren't being referenced anymore.

Any tips or references to complete examples where virtual servers are set up in this way? If someone could take a moment to point me in the right direction I would certainly appreciate it.


Cory J
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
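Added example, not part of the post above or of the FreeRADIUS project files: a filled-in sites-enabled/server_one in FreeRADIUS 2.x syntax. A virtual server contains its own authorize/authenticate/post-auth sections, and an empty `server server_one { }` has none, so no module ever sets Auth-Type and the request falls through to a reject, which is exactly the "Login incorrect" line in the log (a fail-closed default, but not a working one). The module names (files, ldap, pap, expiration, logintime) and the client definition are taken from the poster's config; the Ldap-Group comment assumes a matching entry in the users file, and the preacct/accounting sections are included because the client's `virtual_server` setting steers its accounting packets to the same virtual server.

```text
# sites-enabled/server_one  (added example, FreeRADIUS 2.x syntax)

# Global client, as in the post: everything from this subnet is handled by
# server_one. Other clients on the same listen sockets still go to the
# socket's own virtual server (normally "default").
client 192.168.1.0/24 {
    secret         = testing123
    virtual_server = server_one
}

server server_one {
    authorize {
        preprocess
        # "files" reads the users file; an entry such as
        #     DEFAULT Ldap-Group == "NOC"
        # is what triggers the ldap_groupcmp() calls seen in the debug log
        # (assumed users-file content, not shown in the post)
        files
        # rlm_ldap pulls NT-Password/LM-Password check items from the
        # directory and sets Auth-Type = LDAP when the user is found
        ldap
        expiration
        logintime
        # pap only sets Auth-Type = PAP if nothing earlier set one
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        # Auth-Type LDAP binds to the directory as the user's DN,
        # matching the "bind as uid=..." lines in the working debug output
        Auth-Type LDAP {
            ldap
        }
    }

    # Accounting from this client also lands here, so give it sections
    preacct {
        preprocess
        acct_unique
        suffix
    }
    accounting {
        detail
    }

    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
}
```

Load it with `radiusd -X` and re-run the radtest from the post; the debug output should again show `[ldap] performing user authorization` and `[ldap] Setting Auth-Type = LDAP`, now wrapped in `server server_one { ... }`. Debug mode prints the bind password in clear, as the transcript above shows, so scrub that output before sharing it.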
