I set up a CentOS 6.2 server that has FreeRADIUS 2.2.0 running on it. I have
the MySQL module running. Based on simple MAC authentication, with the username
and password being the MAC address of the computer, it appears to be working fine.
What I want to do is set up LDAP to authenticate against our Windows 2010 server
where the computers are part of the domain. I would like for it to query
MySQL first and then query LDAP if it didn't find the computer in MySQL.
If I remove ldap from the defaults file I get an Access-Accept reply as
expected. It's just that if there is anything after sql in the defaults file
then it will continue on to try and authenticate against another module.
Below you can see a simple query with 'blake' being sent as both the User-Name
and password. It queries the DB and finds it (as expected). However, it
continues to go to ldap and tries to find it, which gives me an error. I
understand that I don't have LDAP working properly right now. However, first I
just want to get the logic set up so that after finding a name in MySQL it will
stop and reply back with an Access-Accept and not query LDAP. Is there a
setting you have to put in a conf file?
rad_recv: Access-Request packet from host 10.220.1.107 port 52258, id=10,
length=45
User-Name = "blake"
User-Password = "blake"
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "blake", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[sql] expand: %{Stripped-User-Name} ->
[sql] ... expanding second conditional
[sql] expand: %{User-Name} -> blake
[sql] expand: %{%{User-Name}:-DEFAULT} -> blake
[sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> blake
[sql] sql_set_user escaped user --> 'blake'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id ->
SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'blake' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY id ->
SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'blake' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname
FROM radusergroup WHERE username = 'blake' ORDER BY
priority
[sql] expand: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER
BY id -> SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = 'blakegroup' ORDER BY id
[sql] User found in group blakegroup
[sql] expand: SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER
BY id -> SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = 'blakegroup' ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
[ldap] performing user authorization for blake
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> blake
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=blake)
[ldap] expand: o=My Org,c=UA -> o=My Org,c=UA
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to 10.193.0.90:389, authentication 0
[ldap] bind as
CN=srvacct,OU=misc,OU=TechAdmin,OU=District,OU=Staff,DC=crcsd,DC=abc/ to
10.193.0.90:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in o=My Org,c=UA, with filter (uid=blake)
[ldap] ldap_search() failed: Operations error
[ldap] search failed
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns fail
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> blake
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.7 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 10 to 10.220.1.107 port 52258
Waking up in 4.9 seconds.
Cleaning up request 0 ID 10 with timestamp +3
Ready to process requests.
Thanks in advance!
-b
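One way to express that ordering in unlang, added here as an example and not taken from the poster's configuration; the module instance names (sql, ldap, pap) and the sites-enabled/default layout are assumed to match the stock FreeRADIUS 2.x files:

```unlang
# Added example, not the poster's configuration. Excerpt of
# sites-enabled/default for FreeRADIUS 2.x; module instance names
# (sql, ldap, pap) are assumed to match the stock config.
authorize {
    preprocess
    suffix

    # Query MySQL first. rlm_sql returns "ok" when the user has rows in
    # radcheck/radusergroup and "notfound" when nothing matches.
    sql

    # Consult LDAP only when SQL did not know the user. "notfound" tests
    # the return code of the module call just above, so a user that SQL
    # found (sql returned ok) never reaches ldap at all.
    if (notfound) {
        ldap
    }

    # Still needed after sql: pap sets Auth-Type = PAP from the password
    # attribute sql pulled out of radcheck, which is what turns the "ok"
    # from authorize into an Access-Accept.
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
}
```

With this layout an LDAP problem such as the "Operations error" in the log only affects users absent from MySQL, because ldap is never called for a user sql already found; a fail return from ldap in authorize still ends the section with a reject, so LDAP has to be working before users that exist only in the domain can authenticate.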