On 28/03/12 15:05, Sebastijan Šilec wrote:
I'm upgrading FreeRADIUS from version 1.x to 2.x and transferred the
configs.
I have a problem with defining the authorize and authenticate sections.
I've defined 2 ldap modules (ldap and ldap1) connecting to the same LDAP
servers but to different OUs.
The old configs have this in the users file setup:

DEFAULT Realm == mydomain.com, Freeradius-Proxied-To == 127.0.0.1, Auth-Type := PAP
	User-Name = `%{User-Name}`,
	Fall-Through = yes

DEFAULT Realm == mydomain.com, Freeradius-Proxied-To == 127.0.0.1, Autz-Type := LDAP

DEFAULT User-Name =~ "^[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss]|[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss]@mydomain.com", Auth-Type := EAP
In radiusd.conf:

### authorize
Autz-Type LDAP {
	ldap
}
###

### authenticate
Auth-Type PAP {
	pap
	ldap1
}
####
LDAP conf:

ldap ldap {
	#
	# Note that this needs to match the name in the LDAP
	# server certificate, if you're using ldaps.
	server = "ldap.mydomain.com"
	identity = "cn=root,dc=my,dc=domain,dc=com"
	password = "test"
	basedn = "ou=workers,dc=my,dc=domain,dc=com"
	filter = "(eduPersonPrincipalName=%{User-Name})"
	#base_filter = "(objectclass=radiusprofile)"
	start_tls = no
}

ldap ldap1 {
	#
	# Note that this needs to match the name in the LDAP
	# server certificate, if you're using ldaps.
	server = "ldap.mydomain.com"
	identity = "cn=root,dc=my,dc=domain,dc=com"
	password = "test"
	basedn = "ou=nonworkers,dc=my,dc=domain,dc=com"
	filter = "(&(eduPersonPrincipalName=%{User-Name})(schacUserStatus=eduroam:access:enabled))"
	#base_filter = "(objectclass=radiusprofile)"
	start_tls = no
}
This setup works on the old FreeRADIUS.
This setup forwards the request for the anonymous user with EAP and goes to LDAP
for local users with mydomain.com.
But this setup doesn't work with the new version.
I get this:
rad_recv: Access-Request packet from host 127.0.0.1 port 59814, id=0, length=90
	User-Name = "[email protected]"
	User-Password = "test"
	NAS-IP-Address = 88.200.21.64
	NAS-Port = 1
	Message-Authenticator = 0x035a720374f2f7d52319ed9431aed16e
Wed Mar 28 15:17:25 2012 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
Wed Mar 28 15:17:25 2012 : Info: +- entering group authorize {...}
Wed Mar 28 15:17:25 2012 : Info: ++[preprocess] returns ok
Wed Mar 28 15:17:25 2012 : Info: [suffix] Looking up realm "mydomain.com" for User-Name = "[email protected]"
Wed Mar 28 15:17:25 2012 : Info: [suffix] Found realm "mydomain.com"
Wed Mar 28 15:17:25 2012 : Info: [suffix] Adding Realm = "mydomain.comi"
Wed Mar 28 15:17:25 2012 : Info: [suffix] Authentication realm is LOCAL.
Wed Mar 28 15:17:25 2012 : Info: ++[suffix] returns ok
Wed Mar 28 15:17:25 2012 : Info: [eap] No EAP-Message, not doing EAP
Wed Mar 28 15:17:25 2012 : Info: ++[eap] returns noop
Wed Mar 28 15:17:25 2012 : Info: [files] expand: %{User-Name} -> [email protected]
Wed Mar 28 15:17:25 2012 : Info: ++[files] returns noop
Wed Mar 28 15:17:25 2012 : Info: ++[expiration] returns noop
Wed Mar 28 15:17:25 2012 : Info: ++[logintime] returns noop
Wed Mar 28 15:17:25 2012 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Wed Mar 28 15:17:25 2012 : Info: ++[pap] returns noop
Wed Mar 28 15:17:25 2012 : Info: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Wed Mar 28 15:17:25 2012 : Info: Failed to authenticate the user.
Wed Mar 28 15:17:25 2012 : Auth: Login incorrect: [[email protected]/test] (from client loopback port 1)
Wed Mar 28 15:17:25 2012 : Info: Using Post-Auth-Type Reject
Wed Mar 28 15:17:25 2012 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Wed Mar 28 15:17:25 2012 : Info: +- entering group REJECT {...}
Wed Mar 28 15:17:25 2012 : Info: [attr_filter.access_reject] expand: %{User-Name} -> [email protected]
Wed Mar 28 15:17:25 2012 : Debug: attr_filter: Matched entry DEFAULT at line 11
Wed Mar 28 15:17:25 2012 : Info: ++[attr_filter.access_reject] returns updated
Wed Mar 28 15:17:25 2012 : Info: Delaying reject of request 12 for 1 seconds
Wed Mar 28 15:17:25 2012 : Debug: Going to the next request
Wed Mar 28 15:17:25 2012 : Debug: Waking up in 0.9 seconds.
Wed Mar 28 15:17:26 2012 : Info: Sending delayed reject for request 12
It looks like it doesn't use LDAP at all.
If I enable both ldap setups in the authorize section in
sites-available/default:

#authorize
	ldap
	ldap1
	pap
###

Then it doesn't use the users file and always tries to bind to the first LDAP.
For the anonymous user too, which is wrong.
Any pointers?
1. Don't set Auth-Type. It's almost always wrong, and confusing.
2. Don't use Autz-Type any more. Use an "unlang" block (see below).
3. Please spell out in a bit more detail what process you want; it's
unclear from your email. When do you want ldap, ldap1 to be called? How
does "pap" work unless you're setting a cleartext password? why
How about something like this:

authorize {
	...
	suffix
	...
	if (Realm == "mydomain.com") {
		# only call ldap module for these users
		ldap
		# only permit pap for these users
		pap
	}
	else {
		# permit EAP for other users
		eap
	}
}

authenticate {
	...
}
Unless you specify the rules you want to choose ldap1 instead of ldap,
it's not obvious where "ldap1" fits in here.
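As an added illustration (not part of the reply, nor FreeRADIUS project code), this is one way the old users-file rules quoted above could be written as 2.x unlang in sites-enabled/default. It assumes the anonymous match is the EAP outer identity, and that ldap1 (ou=nonworkers) should only be tried when the user is not found in ou=workers; that fallback rule is an assumption, not something the thread states.

```unlang
# sites-enabled/default, FreeRADIUS 2.x (added example; layout assumed)
authorize {
	preprocess
	suffix          # splits user@mydomain.com and sets Realm

	# Anonymous EAP outer identity: never consult LDAP for it
	if (User-Name =~ /^anonymous(@mydomain\.com)?$/i) {
		eap
	}
	elsif (Realm == "mydomain.com") {
		# Local users: look the entry up in ou=workers first
		ldap
		if (notfound) {
			# ASSUMPTION: fall back to ou=nonworkers, whose filter
			# already restricts to eduroam-enabled accounts
			ldap1
		}
		# pap sets Auth-Type := PAP only when LDAP returned a
		# known-good password; otherwise rlm_ldap's default
		# set_auth_type leaves Auth-Type := LDAP for a bind
		pap
	}
	else {
		# Everyone else: EAP only, no users-file Auth-Type needed
		eap
	}
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type LDAP {
		# binds as the user with the DN found during authorize
		ldap
	}
	eap
}
```

Run radiusd -X and check that the "ERROR: No authenticate method" line is gone and that ++[ldap] / ++[ldap1] appear only for Realm == mydomain.com requests.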
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html