problem configuring freeradius with ldap user database

2008-06-14 Thread Sambuddho Chakravarty
Hello All

I am experiencing a problem while trying to authenticate the
username/password in LDAP through a freeradius server. A regular
telnet/ssh to the edge running an openLdap client / PAM module works fine
(it is able to authenticate), but the problem arises when trying to
authenticate using the freeradius server.

This is what the log message looks like:

User-Name = try
User-Password = trialanderror
NAS-IP-Address = 127.0.0.1
NAS-Port = 2
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = try, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 155
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for try
radius_xlat:  '(uid=try)'
radius_xlat:  'ou=People,dc=example,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0
rlm_ldap: bind as / to 30.0.0.2:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter
(uid=try)
rlm_ldap: Added password {crypt}$1$2Pl0Lm5O$ot8mrXYBaAg12RoBogNDK. in
check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user try authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by try with password trialanderror
rlm_ldap: user DN: uid=try,ou=People,dc=example,dc=com
rlm_ldap: (re)connect to 30.0.0.2:389, authentication 1
rlm_ldap: bind as uid=try,ou=People,dc=example,dc=com/trialanderror to
30.0.0.2:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
  modcall[authenticate]: module ldap returns reject for request 0
modcall: group Auth-Type returns reject for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...


Here you can see that the authorization of a user 'try' having password
'trialanderror' works fine but authentication fails. The host running
the freeradius server is Fedora Core 5 running Linux 2.6.25. Could you
please suggest where we are going wrong? I am sending you a copy of
the /etc/raddb/users file as well.


DEFAULT Auth-Type = System
        Fall-Through = 1

DEFAULT Auth-Type := LDAP
        Fall-Through = 0



Any help would be gratefully appreciated.

Thanks
Sambuddho



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


freeradius resources

2008-06-14 Thread Rogelio
Hi all, just started delving into RADIUS and have begun to take the 
plunge with FreeRADIUS.


Any suggested books on the subject?  I see quite a few on the subject:

http://tinyurl.com/4xudfm


Re: freeradius resources

2008-06-14 Thread Alan DeKok
Rogelio wrote:
> Hi all, just started delving into RADIUS and have begun to take the
> plunge with FreeRADIUS.
>
> Any suggested books on the subject?  I see quite a few on the subject:

  The O'Reilly book is good if you know absolutely nothing about RADIUS.
 But 1/3 is from the RFC's (paraphrased), and another 1/3 is from the
FreeRADIUS documentation.

 The Wiley book has about 30 pages on RADIUS, the rest is about
technologies that you don't use.  And the RADIUS stuff is not that useful.

  Then, there's my book.  It's at about 200 pages, and has been at that
level for over a year.  I'm trying to find time to either finish it, or
to clean it up, and put it on the web.

  Alan DeKok.


Re: problem configuring freeradius with ldap user database

2008-06-14 Thread Alan DeKok
Sambuddho Chakravarty wrote:
> I am experiencing a problem while trying to authenticate the
> username/password in LDAP through a freeradius server. A regular
> telnet/ssh to the edge running an openLdap client / PAM module works fine
> (it is able to authenticate), but the problem arises when trying to
> authenticate using the freeradius server.
>
> This is what the log message looks like:
>
> User-Name = try
> User-Password = trialanderror
> NAS-IP-Address = 127.0.0.1
...
> rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter
> (uid=try)
> rlm_ldap: Added password {crypt}$1$2Pl0Lm5O$ot8mrXYBaAg12RoBogNDK. in
> check items

  If you do NOTHING more than configure ldap in the default
configuration, this should work.

>   modcall[authorize]: module ldap returns ok for request 0
> modcall: group authorize returns ok for request 0

  You're not using 2.0, and you've edited the default configuration.  DO
use a recent version.  DON'T edit the configuration to re-arrange the
modules in the authorize section.

> Here you can see that the authorization of a user 'try' having password
> 'trialanderror' works fine but authentication fails. The host running
> the freeradius server is Fedora Core 5 running Linux 2.6.25.

  The OS doesn't matter.  The version of FreeRADIUS does.

  It seems you're using 1.1.x.  You should at LEAST upgrade to 1.1.7.
Then, un-comment the references to LDAP, and configure the LDAP module.
 The test WILL work.

  Alan DeKok.


Deploying Freeradius in a HA environment

2008-06-14 Thread Pete Kay
Hi,

I am working on deploying 2 load balancing freeradius in a HA environment.
Could someone suggest the best way to do it?  I am comfortable with using
ldirector as the load balancer, but I am not sure how to do the
check-alive for freeradius within ldirector.

Any suggestion will be greatly appreciated.

Regards,
Pete

Kicking off billing script in accounting block

2008-06-14 Thread Pete Kay
Hi,

I tried to execute a billing script as follows:

accounting{

  sql

exec  /etc/billing/bill
}

But, I am getting:

/usr/local/etc/raddb/sites-enabled/default[350]: Expecting section start
brace '{' after exec /home/billing/bill
Errors reading /usr/local/etc/raddb/radiusd.conf

What is wrong with my syntax?  Is there any sample that I can refer to?

I checked the unlang, but I could not find anything that mentions the
variable that I can use to pass to the script.  What I'd like to do is to call
the script:  exec /etc/billing/bill radacctid

That way, I can know which line to process.

Thanks for any suggestion.

Regards,
Pete

Re: Deploying Freeradius in a HA environment

2008-06-14 Thread Ivan Kalik
Don't you think that you are asking this on the wrong list? All you need
to know about radius is which ports it is using.

Ivan Kalik
Kalik Informatika ISP


On 14/6/2008, Pete Kay [EMAIL PROTECTED] wrote:

> Hi,
>
> I am working on deploying 2 load balancing freeradius in a HA environment.
> Could someone suggest the best way to do it?  I am comfortable with using
> ldirector as the load balancer, but I am not sure how to do the
> check-alive for freeradius within ldirector.
>
> Any suggestion will be greatly appreciated.
>
> Regards,
> Pete





Re: aaa with external script

2008-06-14 Thread A . L . M . Buxey
Hi,
> I am starting my radius in debug mode with this command: radiusd -X
>
> when connecting from client machine I'm getting this error ...radius
> tell me like this.
>
> rad_recv: Access-Request packet from host 127.0.0.1:32768, id=237

That's not an error - that's a bit of information being printed.
Why do you think this is an error?

alan


Re: Kicking off billing script in accounting block

2008-06-14 Thread Ivan Kalik
acct_users file:

DEFAULT   Acct-Status-Type = Stop
        Exec-Program = "/home/billing/bill %{Acct-Session-Id}"

You can't use radacctid as that is autogenerated by the database server
and is not part of the accounting request.

Ivan Kalik
Kalik Informatika ISP


On 14/6/2008, Pete Kay [EMAIL PROTECTED] wrote:

> Hi,
>
> I tried to execute a billing script as follows:
>
> accounting{
>
>   sql
>
> exec  /etc/billing/bill
> }
>
> But, I am getting:
>
> /usr/local/etc/raddb/sites-enabled/default[350]: Expecting section start
> brace '{' after exec /home/billing/bill
> Errors reading /usr/local/etc/raddb/radiusd.conf
>
> What is wrong with my syntax?  Is there any sample that I can refer to?
>
> I checked the unlang, but I could not find anything that mentions the
> variable that I can use to pass to the script.  What I'd like to do is to call
> the script:  exec /etc/billing/bill radacctid
>
> That way, I can know which line to process.
>
> Thanks for any suggestion.
>
> Regards,
> Pete
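
Added example, not part of the thread and not FreeRADIUS code: a Python stand-in for the program that Exec-Program would call with %{Acct-Session-Id}. Because radacctid is not in the request, it finds the row by session ID using a bound parameter; the in-memory SQLite table (using the stock radacct column names), its rows and the accepted ID pattern are constructed assumptions.

```python
#!/usr/bin/env python3
"""Billing hook, called as: bill <Acct-Session-Id>  (added example)."""
import re
import sqlite3
import sys

# Assumption: our NAS devices send short printable session IDs.
# The value arrives from the network, so anything else is rejected outright.
SESSION_ID_RE = re.compile(r"[A-Za-z0-9._:-]{1,64}")


def open_demo_db():
    """Constructed stand-in for the radacct table the sql module fills."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radacct (radacctid INTEGER PRIMARY KEY,"
        " acctsessionid TEXT, username TEXT, acctsessiontime INTEGER)"
    )
    db.executemany(
        "INSERT INTO radacct (acctsessionid, username, acctsessiontime)"
        " VALUES (?, ?, ?)",
        [("4D2BB8AC-00000098", "try", 3600),     # constructed sample rows
         ("4D2BB8AC-00000099", "pete", 120)],
    )
    return db


def find_session(db, session_id):
    """Return (radacctid, username, seconds) for a session, or None."""
    if not SESSION_ID_RE.fullmatch(session_id):
        raise ValueError("malformed Acct-Session-Id")
    # Bound parameter: the NAS-supplied value never becomes SQL text.
    return db.execute(
        "SELECT radacctid, username, acctsessiontime FROM radacct"
        " WHERE acctsessionid = ?",
        (session_id,),
    ).fetchone()


def main(argv):
    if len(argv) != 2:
        print("usage: bill <Acct-Session-Id>", file=sys.stderr)
        return 2
    try:
        row = find_session(open_demo_db(), argv[1])
    except ValueError as exc:
        print("bill: %s" % exc, file=sys.stderr)
        return 1
    if row is None:
        print("bill: no such session", file=sys.stderr)
        return 1
    print("billing radacctid=%d user=%s seconds=%d" % row)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```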





Re: Dynamic clients from SQL.

2008-06-14 Thread Norbert Wegener

As it seems to me:

if (%{sqlnastype: SELECT nasname FROM nas WHERE nasname = 
%{Packet-Src-IP-Address}}) {

misses some ':

if (%{sqlnastype: SELECT nasname FROM nas WHERE nasname = 
'%{Packet-Src-IP-Address}'}) {

works.

Norbert Wegener


Alan DeKok wrote:

> $ cvs update
> $ more raddb/sites-available/dynamic-clients
>
>   It Just Works.
>
>   You can now manage clients in an SQL table.  When the server receives
> packets from a new client, it looks up the IP in SQL.  The clients can
> expire (so shared secrets can be changed).  When 'readclients=yes' is
> set in sql.conf, you only need one client entry in the configuration
> files.
>
>   The dynamic clients can be read from anywhere... not just from SQL.
>
>   The configuration needs to be tested, as the SQL example in the
> dynamic-clients file may not be exactly correct.  But it should be
> relatively easy to fix.
>
>   Client lookups are rate-limited, so DoS attacks won't affect the
> server.  The lookups are done NO MORE THAN once a second after the
> server starts.
>
>   Alan DeKok.


Re: Deploying Freeradius in a HA environment

2008-06-14 Thread Richard Siddall

Pete Kay wrote:

> I am working on deploying 2 load balancing freeradius in a HA environment.
> Could someone suggest the best way to do it?  I am comfortable with using
> ldirector as the load balancer, but I am not sure how to do the
> check-alive for freeradius within ldirector.
>
> Any suggestion will be greatly appreciated.



Pete,

My recollection is that when this has been discussed in the past the 
consensus was that there's no advantage to running FreeRADIUS in an HA 
environment since RADIUS already supports redundant servers.


Regards,

Richard Siddall



Re: Dynamic clients from SQL.

2008-06-14 Thread Alan DeKok
Norbert Wegener wrote:
> As it seems to me:
>
> if (%{sqlnastype: SELECT nasname FROM nas WHERE nasname =
> '%{Packet-Src-IP-Address}'}) {
> works.

  Fixed, thanks.

  Alan DeKok.


Re: problem configuring freeradius with ldap user database

2008-06-14 Thread Sambuddho Chakravarty
Hello Alan
 Thanks a lot! I'll check this out.
Sambuddho
On Sat, 2008-06-14 at 09:22 +0200, Alan DeKok wrote:
> Sambuddho Chakravarty wrote:
> > I am experiencing a problem while trying to authenticate the
> > username/password in LDAP through a freeradius server. A regular
> > telnet/ssh to the edge running an openLdap client / PAM module works fine
> > (it is able to authenticate), but the problem arises when trying to
> > authenticate using the freeradius server.
> >
> > This is what the log message looks like:
> >
> > User-Name = try
> > User-Password = trialanderror
> > NAS-IP-Address = 127.0.0.1
> ...
> > rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter
> > (uid=try)
> > rlm_ldap: Added password {crypt}$1$2Pl0Lm5O$ot8mrXYBaAg12RoBogNDK. in
> > check items
>
>   If you do NOTHING more than configure ldap in the default
> configuration, this should work.
>
> >   modcall[authorize]: module ldap returns ok for request 0
> > modcall: group authorize returns ok for request 0
>
>   You're not using 2.0, and you've edited the default configuration.  DO
> use a recent version.  DON'T edit the configuration to re-arrange the
> modules in the authorize section.
>
> > Here you can see that the authorization of a user 'try' having password
> > 'trialanderror' works fine but authentication fails. The host running
> > the freeradius server is Fedora Core 5 running Linux 2.6.25.
>
>   The OS doesn't matter.  The version of FreeRADIUS does.
>
>   It seems you're using 1.1.x.  You should at LEAST upgrade to 1.1.7.
> Then, un-comment the references to LDAP, and configure the LDAP module.
>  The test WILL work.
>
>   Alan DeKok.


Re: problem configuring freeradius with ldap user database

2008-06-14 Thread Ivan Kalik
> rlm_ldap: Added password {crypt}$1$2Pl0Lm5O$ot8mrXYBaAg12RoBogNDK. in
> check items

Are you sure that's crypt? It looks like MD5 to me.

Ivan Kalik
Kalik Informatika ISP
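
Added example, not part of the thread and not FreeRADIUS code: in an LDAP userPassword value the {crypt} label says the rest is a crypt(3) string, and the $1$ prefix inside that string selects MD5-crypt. The Python sketch below parses the value from the debug line quoted above and checks its field lengths, which also shows that the trailing "." belongs to the digest; it goes beyond the $1$ case to the other common crypt(3) prefixes, and the function names are made up for illustration.

```python
import re

# Characters crypt(3) uses for salts and encoded digests.
B64 = r"[./0-9A-Za-z]"

# crypt(3) "modular" ids -> (algorithm, pattern for the text after "$id$").
MODULAR = {
    "1": ("md5-crypt", rf"(?P<salt>{B64}{{1,8}})\$(?P<digest>{B64}{{22}})"),
    "5": ("sha256-crypt",
          rf"(?:rounds=\d+\$)?(?P<salt>{B64}{{1,16}})\$(?P<digest>{B64}{{43}})"),
    "6": ("sha512-crypt",
          rf"(?:rounds=\d+\$)?(?P<salt>{B64}{{1,16}})\$(?P<digest>{B64}{{86}})"),
}

# The rlm_ldap debug line from the thread, joined back onto one line.
LOG_LINE = ("rlm_ldap: Added password "
            "{crypt}$1$2Pl0Lm5O$ot8mrXYBaAg12RoBogNDK. in check items")


def password_from_log(line):
    """Pull the userPassword value out of an rlm_ldap debug line."""
    m = re.search(r"Added password (\S+) in check items", line)
    if m is None:
        raise ValueError("not an rlm_ldap 'Added password' line")
    return m.group(1)


def parse_user_password(value):
    """Return (ldap_scheme, algorithm, salt, digest) for a userPassword value."""
    m = re.fullmatch(r"\{([^}]+)\}(.*)", value)
    if m is None:
        return ("none", "cleartext", "", value)
    scheme, body = m.group(1).lower(), m.group(2)
    if scheme != "crypt":
        # {SSHA}, {MD5}, ... name their algorithm directly.
        return (scheme, scheme, "", body)
    modular = re.match(r"\$([0-9a-z]+)\$", body)
    if modular is None:
        # No "$id$" prefix: traditional DES crypt, 2 salt + 11 digest chars.
        if re.fullmatch(rf"{B64}{{13}}", body) is None:
            raise ValueError("malformed traditional crypt value")
        return (scheme, "des-crypt", body[:2], body[2:])
    algorithm, pattern = MODULAR.get(modular.group(1), (None, None))
    if algorithm is None:
        raise ValueError("unrecognised crypt id $%s$" % modular.group(1))
    fields = re.fullmatch(pattern, body[modular.end():])
    if fields is None:
        raise ValueError("malformed %s value" % algorithm)
    return (scheme, algorithm, fields.group("salt"), fields.group("digest"))


if __name__ == "__main__":
    print(parse_user_password(password_from_log(LOG_LINE)))
```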



Re: Kicking off billing script in accounting block

2008-06-14 Thread Pete Kay
Hi Ivan,

Sorry to have to ask again.  I think you have explained clearly enough, but I am
just too new to freeradius.
I tried modifying in /sites-enable/default:

accounting {
detail
radutmp
sql
sql_log
DEFAULT Acct-Status-Type = Stop
Exec-Program=/home/anne/bill %{Acct-Session-Id}
attr_filter.accounting_response
}

But I am getting:
/usr/local/etc/raddb/sites-enabled/default[349]: Expecting section start
brace '{' after DEFAULT Acc-Status-Type

Is this not the right place to add the code?

Thanks a lot for all your help.

Pete



2008/6/14 Ivan Kalik [EMAIL PROTECTED]:

> acct_users file:
>
> DEFAULT   Acct-Status-Type = Stop
>         Exec-Program = "/home/billing/bill %{Acct-Session-Id}"
>
> You can't use radacctid as that is autogenerated by the database server
> and is not part of the accounting request.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 14/6/2008, Pete Kay [EMAIL PROTECTED] wrote:
>
> > Hi,
> >
> > I tried to execute a billing script as follows:
> >
> > accounting{
> >
> >   sql
> >
> > exec  /etc/billing/bill
> > }
> >
> > But, I am getting:
> >
> > /usr/local/etc/raddb/sites-enabled/default[350]: Expecting section start
> > brace '{' after exec /home/billing/bill
> > Errors reading /usr/local/etc/raddb/radiusd.conf
> >
> > What is wrong with my syntax?  Is there any sample that I can refer to?
> >
> > I checked the unlang, but I could not find anything that mentions the
> > variable that I can use to pass to the script.  What I'd like to do is to
> > call the script:  exec /etc/billing/bill radacctid
> >
> > That way, I can know which line to process.
> >
> > Thanks for any suggestion.
> >
> > Regards,
> > Pete
 
 


Re: Kicking off billing script in accounting block

2008-06-14 Thread Ivan Kalik
No. acct_users file.

Ivan Kalik
Kalik Informatika ISP


On 14/6/2008, Pete Kay [EMAIL PROTECTED] wrote:

> Hi Ivan,
>
> Sorry to have to ask again.  I think you have explained clearly enough, but I am
> just too new to freeradius.
> I tried modifying in /sites-enable/default:
>
> accounting {
> detail
> radutmp
> sql
> sql_log
> DEFAULT Acct-Status-Type = Stop
> Exec-Program=/home/anne/bill %{Acct-Session-Id}
> attr_filter.accounting_response
> }
>
> But I am getting:
> /usr/local/etc/raddb/sites-enabled/default[349]: Expecting section start
> brace '{' after DEFAULT Acc-Status-Type
>
> Is this not the right place to add the code?
>
> Thanks a lot for all your help.
>
> Pete
>
>
>
> 2008/6/14 Ivan Kalik [EMAIL PROTECTED]:
>
> > acct_users file:
> >
> > DEFAULT   Acct-Status-Type = Stop
> >         Exec-Program = "/home/billing/bill %{Acct-Session-Id}"
> >
> > You can't use radacctid as that is autogenerated by the database server
> > and is not part of the accounting request.
> >
> > Ivan Kalik
> > Kalik Informatika ISP
> >
> >
> > On 14/6/2008, Pete Kay [EMAIL PROTECTED] wrote:
> >
> > > Hi,
> > >
> > > I tried to execute a billing script as follows:
> > >
> > > accounting{
> > >
> > >   sql
> > >
> > > exec  /etc/billing/bill
> > > }
> > >
> > > But, I am getting:
> > >
> > > /usr/local/etc/raddb/sites-enabled/default[350]: Expecting section start
> > > brace '{' after exec /home/billing/bill
> > > Errors reading /usr/local/etc/raddb/radiusd.conf
> > >
> > > What is wrong with my syntax?  Is there any sample that I can refer to?
> > >
> > > I checked the unlang, but I could not find anything that mentions the
> > > variable that I can use to pass to the script.  What I'd like to do is to
> > > call the script:  exec /etc/billing/bill radacctid
> > >
> > > That way, I can know which line to process.
> > >
> > > Thanks for any suggestion.
> > >
> > > Regards,
> > > Pete
 
 



Re: freeradius resources

2008-06-14 Thread orion
And we, as users of freeradius, are waiting for that. :)

2008/6/14 Alan DeKok [EMAIL PROTECTED]:
> Rogelio wrote:
> > Hi all, just started delving into RADIUS and have begun to take the
> > plunge with FreeRADIUS.
> >
> > Any suggested books on the subject?  I see quite a few on the subject:
>
>  The O'Reilly book is good if you know absolutely nothing about RADIUS.
>  But 1/3 is from the RFC's (paraphrased), and another 1/3 is from the
> FreeRADIUS documentation.
>
>  The Wiley book has about 30 pages on RADIUS, the rest is about
> technologies that you don't use.  And the RADIUS stuff is not that useful.
>
>  Then, there's my book.  It's at about 200 pages, and has been at that
> level for over a year.  I'm trying to find time to either finish it, or
> to clean it up, and put it on the web.
>
>  Alan DeKok.


Re: FreeRADIUS 2.0.5 Debian dpkg-buildpackage error

2008-06-14 Thread orion
Hi there.
Download freeradius as a non-root user.
Untar the archive.
chmod +x -R the untarred folder
cd to the folder
Issue dpkg-buildpackage -b -uc as a non-root user.
Then su and install the deb packages created one directory up.

2008/6/13 Giovanni Lovato [EMAIL PROTECTED]:
> # dpkg-buildpackage -b -uc
> dpkg-buildpackage: source package is freeradius
> dpkg-buildpackage: source version is 2.0.5-0
> dpkg-buildpackage: source changed by Alan DeKok [EMAIL PROTECTED]
> dpkg-buildpackage: host architecture i386
> dpkg-buildpackage: source version without epoch 2.0.5-0
>  debian/rules clean
> dpatch  deapply-all
> 02-dialupadmin-help not applied to ./ .
> 01-radiusd-to-freeradius not applied to ./ .
> rm -rf patch-stamp patch-stampT debian/patched
> dh_testdir
> dh_clean
> rm -f build-arch-stamp build-indep-stamp libltdl/stamp-h1
> rm -f install-arch-stamp install-indep-stamp configure-stamp
> [ -f Make.inc ] && make distclean || true
> # The make clean forgets to remove this build directory
> [ -d src/modules/lib ] && rm -fr src/modules/lib || true
> # Put the original autotools files back in place
> [ -f config.sub.dist ] && rm config.sub && mv config.sub.dist config.sub || true
> [ -f config.guess.dist ] && rm config.guess && mv config.guess.dist config.guess || true
>  debian/rules build
> test -d debian/patched || install -d debian/patched
> dpatch  apply-all
> applying patch 01-radiusd-to-freeradius to ./ ... failed.
> make: *** [patch-stamp] Error 1



Re: simple web interface

2008-06-14 Thread orion
Vittore Zen, daloradius is OK for your needs.
Search for it at SourceForge.

2008/6/3 Sascha Kiefer [EMAIL PROTECTED]:
> I use daloradius
> But it sucks also.
> Looks nicer and a little bit easier to use.
> I'm working on my own ...
>
> Regards,
> Sascha
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of Vittore Zen
> Sent: Tuesday, 3 June 2008 14:26
> To: freeradius-users@lists.freeradius.org
> Subject: simple web interface
>
>
> Hi,
>
> anyone have a simple php web mysql users interface? More more more simple
> than dialup admin.
>
> The manager will do:
> 1. insert/modify a user account
> 2. give a password
> 3. setup start-end life (time) of account
> 4. setup a detail (name)
>
>
> Any?
> v.


Re: Greetings, list

2008-06-14 Thread orion
Search Google.

2008/6/2 Yurkis Isaac Ortiz (R) [EMAIL PROTECTED]:
> Greetings, list.
> I am new and need to know how to configure my freeradius
> I want to use freeradius+portslave+ppp
> I am using debian etch
> -
> Yurkis Isaac Ortiz (R)
> Network Administrator
> Oficina Territorial de Normalización
> Stgo de Cuba
> e_mail: [EMAIL PROTECTED]
> Linux User: 446188
> Tel: 641406, 642008, 642044 Ext 136