I'm upgrading FreeRADIUS from version 1.x to 2.x and transferred the configs.

I have a problem with defining the authorize and authenticate sections.

I've defined 2 ldap modules (ldap and ldap1) connecting to the same LDAP servers but to different OUs.

The old configs have this in the users setup:

DEFAULT Realm == mydomain.com, Freeradius-Proxied-To == 127.0.0.1, Auth-Type := PAP
    User-Name = `%{User-Name}`,
    Fall-Through = yes

DEFAULT Realm == mydomain.com, Freeradius-Proxied-To == 127.0.0.1, Autz-Type := LDAP

DEFAULT User-Name =~ "^[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss]|[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss]@mydomain.com", Auth-Type := EAP

In radiusd.conf:

### authorize
        Autz-Type LDAP {
            ldap
        }
###

### authenticate
        Auth-Type PAP {
                pap
                ldap1
        }
###

LDAP conf:

ldap ldap {
        #
        #  Note that this needs to match the name in the LDAP
        #  server certificate, if you're using ldaps.
        server = "ldap.mydomain.com"
        identity = "cn=root,dc=my,dc=domain,dc=com"
        password = "test"
        basedn = "ou=workers,dc=my,dc=domain,dc=com"
        filter = "(eduPersonPrincipalName=%{User-Name})"
        #base_filter = "(objectclass=radiusprofile)"

        start_tls = no
}

ldap ldap1 {
        #
        #  Note that this needs to match the name in the LDAP
        #  server certificate, if you're using ldaps.
        server = "ldap.mydomain.com"
        identity = "cn=root,dc=my,dc=domain,dc=com"
        password = "test"
        basedn = "ou=nonworkers,dc=my,dc=domain,dc=com"
        filter = "(&(eduPersonPrincipalName=%{User-Name})(schacUserStatus=eduroam:access:enabled))"
        #base_filter = "(objectclass=radiusprofile)"

        start_tls = no
}


This setup works on the old FreeRADIUS.
It forwards requests for the anonymous user with EAP and goes to LDAP for local users with mydomain.com.


But this setup doesn't work with the new version.

I get this:

rad_recv: Access-Request packet from host 127.0.0.1 port 59814, id=0, length=90
        User-Name = "[email protected]"
        User-Password = "test"
        NAS-IP-Address = 88.200.21.64
        NAS-Port = 1
        Message-Authenticator = 0x035a720374f2f7d52319ed9431aed16e
Wed Mar 28 15:17:25 2012 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
Wed Mar 28 15:17:25 2012 : Info: +- entering group authorize {...}
Wed Mar 28 15:17:25 2012 : Info: ++[preprocess] returns ok
Wed Mar 28 15:17:25 2012 : Info: [suffix] Looking up realm "mydomain.com" for User-Name = "[email protected]"
Wed Mar 28 15:17:25 2012 : Info: [suffix] Found realm "mydomain.com"
Wed Mar 28 15:17:25 2012 : Info: [suffix] Adding Realm = "mydomain.comi"
Wed Mar 28 15:17:25 2012 : Info: [suffix] Authentication realm is LOCAL.
Wed Mar 28 15:17:25 2012 : Info: ++[suffix] returns ok
Wed Mar 28 15:17:25 2012 : Info: [eap] No EAP-Message, not doing EAP
Wed Mar 28 15:17:25 2012 : Info: ++[eap] returns noop
Wed Mar 28 15:17:25 2012 : Info: [files] expand: %{User-Name} -> [email protected]
Wed Mar 28 15:17:25 2012 : Info: ++[files] returns noop
Wed Mar 28 15:17:25 2012 : Info: ++[expiration] returns noop
Wed Mar 28 15:17:25 2012 : Info: ++[logintime] returns noop
Wed Mar 28 15:17:25 2012 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Wed Mar 28 15:17:25 2012 : Info: ++[pap] returns noop
Wed Mar 28 15:17:25 2012 : Info: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Wed Mar 28 15:17:25 2012 : Info: Failed to authenticate the user.
Wed Mar 28 15:17:25 2012 : Auth: Login incorrect: [[email protected]/test] (from client loopback port 1)
Wed Mar 28 15:17:25 2012 : Info: Using Post-Auth-Type Reject
Wed Mar 28 15:17:25 2012 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Wed Mar 28 15:17:25 2012 : Info: +- entering group REJECT {...}
Wed Mar 28 15:17:25 2012 : Info: [attr_filter.access_reject] expand: %{User-Name} -> [email protected]
Wed Mar 28 15:17:25 2012 : Debug: attr_filter: Matched entry DEFAULT at line 11
Wed Mar 28 15:17:25 2012 : Info: ++[attr_filter.access_reject] returns updated
Wed Mar 28 15:17:25 2012 : Info: Delaying reject of request 12 for 1 seconds
Wed Mar 28 15:17:25 2012 : Debug: Going to the next request
Wed Mar 28 15:17:25 2012 : Debug: Waking up in 0.9 seconds.
Wed Mar 28 15:17:26 2012 : Info: Sending delayed reject for request 12

It looks like it doesn't use LDAP at all.

If I enable both ldap setups in the authorize section in sites-available/default:

#authorize

ldap
ldap1
pap

###

Then it doesn't use the users file and always tries to bind to the first LDAP, for the anonymous user too, which is wrong.


Any pointers?

Thanks


S.
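An added helper, not from the original post, that reads radiusd debug output like the log above and summarises which modules ran in each section, which realm suffix found, and why the request was rejected. The log text is a constructed sample modelled on the post, and the list of modules expected to run (ldap, ldap1) is an assumption.

```python
import re

# Constructed sample, modelled on the radiusd debug output quoted in the post;
# the user name is made up and the lines are trimmed to what the parser needs.
SAMPLE_LOG = """\
Wed Mar 28 15:17:25 2012 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
Wed Mar 28 15:17:25 2012 : Info: +- entering group authorize {...}
Wed Mar 28 15:17:25 2012 : Info: ++[preprocess] returns ok
Wed Mar 28 15:17:25 2012 : Info: [suffix] Found realm "mydomain.com"
Wed Mar 28 15:17:25 2012 : Info: [suffix] Authentication realm is LOCAL.
Wed Mar 28 15:17:25 2012 : Info: ++[suffix] returns ok
Wed Mar 28 15:17:25 2012 : Info: ++[eap] returns noop
Wed Mar 28 15:17:25 2012 : Info: ++[files] returns noop
Wed Mar 28 15:17:25 2012 : Info: ++[pap] returns noop
Wed Mar 28 15:17:25 2012 : Info: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Wed Mar 28 15:17:25 2012 : Auth: Login incorrect: [someone@mydomain.com/test] (from client loopback port 1)
"""

SECTION_RE = re.compile(r"# Executing section (?P<section>\w+) from file")
RETURN_RE = re.compile(r"\+\+\[(?P<module>[\w.]+)\] returns (?P<rcode>\w+)")
REALM_RE = re.compile(r'\[suffix\] Found realm "(?P<realm>[^"]+)"')
ERROR_RE = re.compile(r"ERROR: (?P<msg>.+)$")

def triage(log_text, expected_modules=("ldap", "ldap1")):
    """Summarise the module chain per section, the realm found, and the
    reject reason. expected_modules (assumed) lists modules that should
    have been called; any that never appear are reported as missing."""
    summary = {"sections": {}, "realm": None, "errors": []}
    current = None
    for line in log_text.splitlines():
        if m := SECTION_RE.search(line):
            current = m.group("section")
            summary["sections"].setdefault(current, [])
        elif m := REALM_RE.search(line):
            summary["realm"] = m.group("realm")
        elif (m := RETURN_RE.search(line)) and current:
            summary["sections"][current].append((m.group("module"), m.group("rcode")))
        elif m := ERROR_RE.search(line):
            summary["errors"].append(m.group("msg"))
    ran = {mod for calls in summary["sections"].values() for mod, _ in calls}
    summary["missing_modules"] = [mod for mod in expected_modules if mod not in ran]
    # FreeRADIUS logs this error when nothing in authorize set Auth-Type.
    summary["no_auth_type"] = any("No authenticate method" in e for e in summary["errors"])
    return summary

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for section, calls in result["sections"].items():
        print(section, " -> ".join(f"{mod}:{rc}" for mod, rc in calls))
    print("realm:", result["realm"], "missing:", result["missing_modules"],
          "no Auth-Type:", result["no_auth_type"])
```

Feed it a full `radiusd -X` capture and the "missing" list shows at a glance which configured modules never ran for a rejected request.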


List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
