Unsubscribe

2008-03-12 Thread David W Bell


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


LDAP and Groups.

2008-02-25 Thread David W Bell

OK, been fiddling some more.

What I need to now do is work out which group a user belongs to based on 
LDAP users and groups.


I am assuming this is in the radius.conf @ the section about groups.

For example, this LDAP user:

# belld, people, dxi.net
dn: uid=belld,ou=people,dc=dxi,dc=net
cn: David Bell
gidNumber: 100
givenName: David
homeDirectory: /home/belld
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
shadowInactive: -1
shadowMax: 9
shadowMin: 0
shadowWarning: 7
sn: Bell
uid: belld
uidNumber: 1000
shadowLastChange: 13920

is a member of this LDAP group:

# Engineering, group, dxi.net
dn: cn=Engineering,ou=group,dc=dxi,dc=net
cn: Engineering
gidNumber: 1000
member: uid=belld,ou=people,dc=dxi,dc=net
objectClass: top
objectClass: posixGroup
objectClass: groupOfNames

How do I do this, so that I can then have my users file grant
Cisco-AVPair information based on group membership?


Thanks

David



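One way to do this in FreeRADIUS 2.x, as an added example that is not part of the original thread or of the FreeRADIUS distribution files: rlm_ldap can work out group membership itself, and the users file then keys reply items on the virtual Ldap-Group check item, using the += operator that Ivan Kalik recommends further down this page for returning several Cisco-AVPair values. The directive and attribute names (groupname_attribute, groupmembership_filter, Ldap-Group, Ldap-UserDn, Cisco-AVPair, Service-Type) are FreeRADIUS 2.x names; the DNs match the LDIF above; the Helpdesk group and the priv-lvl values are assumed for illustration.

```conf
# raddb/modules/ldap (FreeRADIUS 2.x): add to the existing ldap { ... } block.
# The Engineering entry above is a groupOfNames that lists its members by
# full DN in the "member" attribute, so that is what the filter matches on.
ldap {
        # ... server, identity, password, basedn and filter as already set ...

        # Attribute of a group entry that carries the group's name; a
        # users-file check "Ldap-Group == ..." is compared against this.
        groupname_attribute = cn

        # Search that lists the groups a user belongs to.  %{Ldap-UserDn} is
        # filled in by rlm_ldap once the user entry has been found; listing
        # "ldap" before "files" in authorize avoids a second user lookup.
        groupmembership_filter = "(&(objectClass=groupOfNames)(member=%{Ldap-UserDn}))"
}

# raddb/users: reply items keyed on group membership.  The first line of an
# entry holds the check items; the indented lines are reply items, comma
# separated, last one without a comma.  Entries are ordered most privileged
# first and the first match wins (no Fall-Through), so a user in both groups
# gets the Engineering reply.  "+=" appends rather than replaces, so several
# Cisco-AVPair values can be returned in one Access-Accept.
DEFAULT Ldap-Group == "Engineering"
        Cisco-AVPair += "shell:priv-lvl=15",
        Service-Type = NAS-Prompt-User

# Helpdesk (assumed group name) gets a lower privilege level.
DEFAULT Ldap-Group == "Helpdesk"
        Cisco-AVPair += "shell:priv-lvl=6",
        Service-Type = NAS-Prompt-User

# Anyone else who authenticates gets a non-privileged exec shell only.
DEFAULT
        Cisco-AVPair += "shell:priv-lvl=1",
        Service-Type = NAS-Prompt-User
```

In the debug output later on this page the authorize section runs files before ldap; moving ldap ahead of files saves rlm_ldap a second search when the Ldap-Group check is evaluated. Test with radiusd -X and the radclient command used in the thread: the Access-Accept should carry one Cisco-AVPair line per += item, and a user who is in no listed group should fall through to the last DEFAULT entry.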


Re: Cisco AV-PAIRS

2008-02-20 Thread David W Bell
That is what I am doing; however, they append to the current line. I
would like to put a line break at the end of each one to make them flow
properly.


David

You most likely want operator += to add multiple attributes with the same
name.

http://wiki.freeradius.org/Operators

Ivan Kalik
Kalik Informatika ISP


On 20/2/2008, "David W Bell" <[EMAIL PROTECTED]> wrote:

  

yep - tried that :)



Hi David,

Have you tried putting "\n" to see if that puts a line break into the
response?  Whether the RADIUS client will barf on that is another
matter ;-)

Rgds,

Guy

On 20/02/2008, David W Bell <[EMAIL PROTECTED]> wrote:

  

David W Bell wrote:
 > Thanks for the info so far.
 >
 > Is there a howto on getting this to work?
 >
 > Questions I still have on this are.
 >
 > 1) Do I need to extend my Schema to include "Cisco-AV-Pair"? If so, is
 > there an example I can copy?
 >
 > 2) What is the exact line that I need to add to my ldap.attrmap file
 > to then refer to that?
 >
 > Can this then be expanded to Group Memberships?
 >
 > The situation I want is for User David, who is a member of the
 > Edge_Router group, to have full access to the routers for that group,
 > while having, say, level 6 access to the core routers from membership
 > of the Core_Router group.
 >
 > Thanks for any further help
 >
 > David
 >

Seem to have managed to get a bit further.

 Is there any way of adding a line-break to a Radius-Reply string?




Re: Cisco AV-PAIRS

2008-02-20 Thread David W Bell

yep - tried that :)


Hi David,

Have you tried putting "\n" to see if that puts a line break into the
response?  Whether the RADIUS client will barf on that is another
matter ;-)

Rgds,

Guy

On 20/02/2008, David W Bell <[EMAIL PROTECTED]> wrote:
  

David W Bell wrote:
 > Thanks for the info so far.
 >
 > Is there a howto on getting this to work?
 >
 > Questions I still have on this are.
 >
 > 1) Do I need to extend my Schema to include "Cisco-AV-Pair"? If so, is
 > there an example I can copy?
 >
 > 2) What is the exact line that I need to add to my ldap.attrmap file
 > to then refer to that?
 >
 > Can this then be expanded to Group Memberships?
 >
 > The situation I want is for User David, who is a member of the
 > Edge_Router group, to have full access to the routers for that group,
 > while having, say, level 6 access to the core routers from membership
 > of the Core_Router group.
 >
 > Thanks for any further help
 >
 > David
 >

Seem to have managed to get a bit further.

 Is there any way of adding a line-break to a Radius-Reply string?




Re: Cisco AV-PAIRS

2008-02-20 Thread David W Bell

David W Bell wrote:

Thanks for the info so far.

Is there a howto on getting this to work?

Questions I still have on this are.

1) Do I need to extend my Schema to include "Cisco-AV-Pair"? If so, is
there an example I can copy?

2) What is the exact line that I need to add to my ldap.attrmap file
to then refer to that?

Can this then be expanded to Group Memberships?

The situation I want is for User David, who is a member of the
Edge_Router group, to have full access to the routers for that group,
while having, say, level 6 access to the core routers from membership
of the Core_Router group.


Thanks for any further help

David

Seem to have managed to get a bit further.

Is there any way of adding a line-break to a Radius-Reply string?



Re: Cisco AV-PAIRS

2008-02-20 Thread David W Bell

Thanks for the info so far.

Is there a howto on getting this to work?

Questions I still have on this are.

1) Do I need to extend my Schema to include "Cisco-AV-Pair"? If so, is
there an example I can copy?

2) What is the exact line that I need to add to my ldap.attrmap file to
then refer to that?

Can this then be expanded to Group Memberships?

The situation I want is for User David, who is a member of the
Edge_Router group, to have full access to the routers for that group,
while having, say, level 6 access to the core routers from membership of
the Core_Router group.


Thanks for any further help

David


Re: Cisco AV-PAIRS

2008-02-19 Thread David W Bell
The only way I have found to get RADIUS to pass the AV-PAIRS back is from
the users file.


If I have missed something, please let me know

David


And why do you have the password in two locations? If you store it in LDAP
you don't need it in the users file, and vice versa.

Ivan Kalik
Kalik Informatika ISP


On 19/2/2008, "David W Bell" <[EMAIL PROTECTED]> wrote:

  

Hi there.

My Saga continues

I have freeRADIUS working with openLDAP and can log into CISCO kit and
pass the priv-level from the raddb/users file.

Is there any way that this information can be passed from the openLDAP
user details instead?

I am looking to do a single sign-on system and it seems a little awkward
to have to change a password (as is required in the users file) in 2
locations.

Thanks

David

Cisco AV-PAIRS

2008-02-19 Thread David W Bell

Hi there.

My Saga continues

I have freeRADIUS working with openLDAP and can log into CISCO kit and 
pass the priv-level from the raddb/users file.


Is there any way that this information can be passed from the openLDAP 
user details instead?


I am looking to do a single sign-on system and it seems a little awkward
to have to change a password (as is required in the users file) in 2
locations.


Thanks

David
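The questions raised in this thread (does the schema have to be extended for Cisco-AV-Pair, what goes into ldap.attrmap, and can the priv-level come from the LDAP user entry instead of the users file) can be answered without a per-attribute schema change by using the generic check/reply item mappings that FreeRADIUS 2.x ships in ldap.attrmap. What follows is an added example, not from the original thread; it assumes the FreeRADIUS openldap.schema (doc/examples in the source tree) is loaded into slapd, which defines the radiusprofile objectClass and the radiusCheckItem/radiusReplyItem attributes, and the reply values are chosen for illustration. The "Attribute operator value" format of the generic values is my reading of how rlm_ldap handles $GENERIC$ mappings; confirm it in radiusd -X output.

```conf
# raddb/ldap.attrmap (FreeRADIUS 2.x).  The $GENERIC$ lines ship with the
# server; check that they are present and not commented out.  $GENERIC$ means
# the LDAP attribute holds a complete "Attribute operator value" string, so
# any dictionary attribute (Cisco-AVPair included) can be stored without a
# mapping line or a schema attribute of its own.
#   itemType    RADIUS attribute        LDAP attribute
checkItem       $GENERIC$               radiusCheckItem
replyItem       $GENERIC$               radiusReplyItem

# LDIF: extend the user entry shown earlier on this page.  radiusprofile is
# an AUXILIARY class, so it can be added to the existing posixAccount /
# inetOrgPerson entry.  Apply with (password prompted, not on the command line):
#   ldapmodify -x -D "cn=Administrator,dc=dxi,dc=net" -W -f cisco-reply.ldif
dn: uid=belld,ou=people,dc=dxi,dc=net
changetype: modify
add: objectClass
objectClass: radiusprofile
-
add: radiusReplyItem
radiusReplyItem: Cisco-AVPair += "shell:priv-lvl=15"
radiusReplyItem: Service-Type := NAS-Prompt-User
```

Each radiusReplyItem value becomes one reply attribute, so a second `Cisco-AVPair += "..."` value in the entry is how several AV pairs are returned; the operator is written inside the value because rlm_ldap parses it from there. With the hash also coming from userPassword through rlm_ldap and rlm_pap, the user's line in raddb/users (and its second copy of the password) can be removed. Per-user items are fine for a handful of administrators; for settings shared by a whole team, a users-file entry keyed on Ldap-Group is less to maintain.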


Re: Freeradius with OpenLDAP (Suse Enterprise 10) [SEC=UNCLASSIFIED]

2008-02-13 Thread David W Bell

David W Bell wrote:

David W Bell wrote:

Ranner, Frank MR wrote:

UNCLASSIFIED

 
Config as requested - I did uncomment and configure the identity section - is this not required?

ldap {
        #
        #  Note that this needs to match the name in the LDAP
        #  server certificate, if you're using ldaps.
        server = "localhost"
        identity = "cn=Administrator,dc=dxi,dc=net"
        password = trPic4n03
        basedn = "dc=dxi,dc=net"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        #base_filter = "(objectclass=radiusprofile)"

        #  How many connections to keep open to the LDAP server.
        #  This saves time over opening a new LDAP socket for
        #  every authentication request.
        ldap_connections_number = 5

        # seconds to wait for LDAP query to finish. default: 20
        timeout = 4

        #  seconds LDAP server has to process the query (server-side
        #  time limit). default: 20
        #
        #  LDAP_OPT_TIMELIMIT is set to this value.
        timelimit = 3

        #
        #  seconds to wait for response of the server. (network
        #   failures) default: 10
        #
        #  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
        net_timeout = 1
        tls {
                # Set this to 'yes' to use TLS encrypted connections
                # to the LDAP database by using the StartTLS extended
                # operation.
                #
                # The StartTLS operation is supposed to be
                # used with normal ldap connections instead of
                # using ldaps (port 689) connections
                start_tls = no

                # cacertfile    = /path/to/cacert.pem
                # cacertdir     = /path/to/ca/dir/
                # certfile      = /path/to/radius.crt
                # keyfile       = /path/to/radius.key
                # randfile      = /path/to/rnd

                #  Certificate Verification requirements.  Can be:
                #    "never" (don't even bother trying)
                #    "allow" (try, but don't fail if the certificate
                #             can't be verified)
                #    "demand" (fail if the certificate doesn't verify.)
                #
                #   The default is "allow"
                # require_cert  = "demand"
        }

        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        # access_attr = "dialupAccess"

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${confdir}/ldap.attrmap

        #  Set password_attribute = nspmPassword to get the
        #  user's password from a Novell eDirectory
        #  backend. This will work ONLY IF FreeRADIUS has been
        #  built with the --with-edir configure option.
        #
        # password_attribute = userPassword


Thanks for the tip - tried it and it didn't work.

Worth a try though - so thanks.

David

rlm_ldap: - authorize
rlm_ldap: performing user authorization for belld
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
   expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
   expand: dc=dxi,dc=net -> dc=dxi,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
rlm_ldap: Added User-Password = {crypt}e/2iGeomYrGLo in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user belld authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
  rad_check_password:  Found Auth-Type
!!!
!!! Replacing User-Password in config items with Cleartext-Password.

Re: Freeradius with OpenLDAP (Suse Enterprise 10) [SEC=UNCLASSIFIED]

2008-02-13 Thread David W Bell

David W Bell wrote:

Ranner, Frank MR wrote:

UNCLASSIFIED

 
Config as requested - I did uncomment and configure the identity section - is this not required?

ldap {
        #
        #  Note that this needs to match the name in the LDAP
        #  server certificate, if you're using ldaps.
        server = "localhost"
        identity = "cn=Administrator,dc=dxi,dc=net"
        password = trPic4n03
        basedn = "dc=dxi,dc=net"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        #base_filter = "(objectclass=radiusprofile)"

        #  How many connections to keep open to the LDAP server.
        #  This saves time over opening a new LDAP socket for
        #  every authentication request.
        ldap_connections_number = 5

        # seconds to wait for LDAP query to finish. default: 20
        timeout = 4

        #  seconds LDAP server has to process the query (server-side
        #  time limit). default: 20
        #
        #  LDAP_OPT_TIMELIMIT is set to this value.
        timelimit = 3

        #
        #  seconds to wait for response of the server. (network
        #   failures) default: 10
        #
        #  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
        net_timeout = 1
        tls {
                # Set this to 'yes' to use TLS encrypted connections
                # to the LDAP database by using the StartTLS extended
                # operation.
                #
                # The StartTLS operation is supposed to be
                # used with normal ldap connections instead of
                # using ldaps (port 689) connections
                start_tls = no

                # cacertfile    = /path/to/cacert.pem
                # cacertdir     = /path/to/ca/dir/
                # certfile      = /path/to/radius.crt
                # keyfile       = /path/to/radius.key
                # randfile      = /path/to/rnd

                #  Certificate Verification requirements.  Can be:
                #    "never" (don't even bother trying)
                #    "allow" (try, but don't fail if the certificate
                #             can't be verified)
                #    "demand" (fail if the certificate doesn't verify.)
                #
                #   The default is "allow"
                # require_cert  = "demand"
        }

        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        # access_attr = "dialupAccess"

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${confdir}/ldap.attrmap

        #  Set password_attribute = nspmPassword to get the
        #  user's password from a Novell eDirectory
        #  backend. This will work ONLY IF FreeRADIUS has been
        #  built with the --with-edir configure option.
        #
        # password_attribute = userPassword


Thanks for the tip - tried it and it didn't work.

Worth a try though - so thanks.

David

rlm_ldap: - authorize
rlm_ldap: performing user authorization for belld
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
   expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
   expand: dc=dxi,dc=net -> dc=dxi,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
rlm_ldap: Added User-Password = {crypt}e/2iGeomYrGLo in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user belld authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
  rad_check_password:  Found Auth-Type
!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!

Re: Freeradius with OpenLDAP (Suse Enterprise 10) [SEC=UNCLASSIFIED]

2008-02-13 Thread David W Bell

Ranner, Frank MR wrote:

UNCLASSIFIED

  
Config as requested - I did uncomment and configure the identity section - is this not required?

ldap {
        #
        #  Note that this needs to match the name in the LDAP
        #  server certificate, if you're using ldaps.
        server = "localhost"
        identity = "cn=Administrator,dc=dxi,dc=net"
        password = trPic4n03
        basedn = "dc=dxi,dc=net"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        #base_filter = "(objectclass=radiusprofile)"

        #  How many connections to keep open to the LDAP server.
        #  This saves time over opening a new LDAP socket for
        #  every authentication request.
        ldap_connections_number = 5

        # seconds to wait for LDAP query to finish. default: 20
        timeout = 4

        #  seconds LDAP server has to process the query (server-side
        #  time limit). default: 20
        #
        #  LDAP_OPT_TIMELIMIT is set to this value.
        timelimit = 3

        #
        #  seconds to wait for response of the server. (network
        #   failures) default: 10
        #
        #  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
        net_timeout = 1
        tls {
                # Set this to 'yes' to use TLS encrypted connections
                # to the LDAP database by using the StartTLS extended
                # operation.
                #
                # The StartTLS operation is supposed to be
                # used with normal ldap connections instead of
                # using ldaps (port 689) connections
                start_tls = no

                # cacertfile    = /path/to/cacert.pem
                # cacertdir     = /path/to/ca/dir/
                # certfile      = /path/to/radius.crt
                # keyfile       = /path/to/radius.key
                # randfile      = /path/to/rnd

                #  Certificate Verification requirements.  Can be:
                #    "never" (don't even bother trying)
                #    "allow" (try, but don't fail if the certificate
                #             can't be verified)
                #    "demand" (fail if the certificate doesn't verify.)
                #
                #   The default is "allow"
                # require_cert  = "demand"
        }

        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        # access_attr = "dialupAccess"

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${confdir}/ldap.attrmap

        #  Set password_attribute = nspmPassword to get the
        #  user's password from a Novell eDirectory
        #  backend. This will work ONLY IF FreeRADIUS has been
        #  built with the --with-edir configure option.
        #
        # password_attribute = userPassword


Thanks for the tip - tried it and it didn't work.

Worth a try though - so thanks.

David

rlm_ldap: - authorize
rlm_ldap: performing user authorization for belld
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
   expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
   expand: dc=dxi,dc=net -> dc=dxi,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
rlm_ldap: Added User-Password = {crypt}e/2iGeomYrGLo in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user belld authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
  rad_check_password:  Found Auth-Type
!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the "known good"        !!!
!!! clear text password is in Cleartext-Password, and not in User-Password
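Two things stand out in the configuration and debug output above, and in the ldapsearch comparison Markus Krause suggests later on this page: the anonymous search shows no userPassword while the administrator-bound one does, which is slapd's access control working as intended, and the fix chosen was to bind FreeRADIUS as cn=Administrator, so the directory's administrative credential now sits in raddb in clear text. The following is an added example, not from the thread or from the OpenLDAP or FreeRADIUS distribution files: a dedicated read-only bind DN (cn=radius,ou=services,dc=dxi,dc=net is an assumed name; create the entry first) that a slapd.conf ACL grants read on userPassword, together with the matching ldap module settings. The filter uses the %{%{Stripped-User-Name}:-%{User-Name}} form that replaces the deprecated ":-" expansion the debug output warns about; the CA file path is assumed.

```conf
# /etc/openldap/slapd.conf (OpenLDAP 2.x "access to" syntax).  Clauses are
# tried in order: the first "access to" whose target matches is used, and
# within it the first "by" clause that matches the requester decides.
#
# userPassword: the RADIUS service account may read the hash so rlm_ldap can
# hand it to rlm_pap; users may change their own; everyone else may only
# use it to bind (auth), which is why an anonymous ldapsearch shows no
# userPassword attribute at all.
access to attrs=userPassword
        by dn.exact="cn=radius,ou=services,dc=dxi,dc=net" read
        by self write
        by anonymous auth
        by * none

# The rest of the tree: readable by the service account and by
# authenticated users, invisible to anonymous clients.
access to *
        by dn.exact="cn=radius,ou=services,dc=dxi,dc=net" read
        by users read
        by * none

# raddb/modules/ldap (FreeRADIUS 2.x): bind as the service account, not as
# cn=Administrator.  Keep this file readable by the radiusd user only.
ldap {
        server = "localhost"
        identity = "cn=radius,ou=services,dc=dxi,dc=net"
        # placeholder: the service account's password
        password = REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
        basedn = "dc=dxi,dc=net"
        # Same lookup as before, in the non-deprecated form.
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        # userPassword is what the ACL above exposes; rlm_pap verifies the
        # {crypt} hash it returns, so no clear-text copy is needed anywhere.
        password_attribute = userPassword
        tls {
                # Optional on localhost; required once slapd is on another
                # host, or the bind password crosses the network in clear.
                start_tls = yes
                cacertfile = /etc/raddb/certs/dxi-ca.pem
                require_cert = "demand"
        }
}
```

The ldapsearch pair Markus gives is the right acceptance test, bound as the new DN and with the password prompted for rather than passed with -w: `ldapsearch -x -h localhost -b dc=dxi,dc=net -D cn=radius,ou=services,dc=dxi,dc=net -W uid=belld` should return userPassword, and the anonymous form should not. With that in place the debug output should again show `rlm_ldap: Added User-Password = {crypt}...` followed by `++[pap] returns updated` and `Found Auth-Type`, exactly as in the log above; the Cleartext-Password banner that follows is advice about where a known-good password is placed in configuration, and authentication proceeds past it.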

Re: Freeradius with OpenLDAP (Suse Enterprise 10)

2008-02-12 Thread David W Bell

Markus Krause wrote:

Quoting David W Bell <[EMAIL PROTECTED]>:

Markus Krause wrote:

Quoting David W Bell <[EMAIL PROTECTED]>:


Markus Krause wrote:

Quoting David W Bell <[EMAIL PROTECTED]>:


LDAP is installed and working out of the box, having been set to be
used for authentication during the SUSE install.

This is proven by the ability to log in to the box, both locally and via SSH.

I installed freeRADIUS from the latest source and it is working also.

freeRADIUS seems unable to find a password for the user during
authentication.


I issue the following on my workstation

[EMAIL PROTECTED]:~$ echo "User-Name = belld,Password=p455w0rd" | radclient 212.95.255.242:1812 auth testing
Received response ID 99, code 3, length = 20

And see the following from freeRADIUS:

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 212.95.252.25 port 20758, id=99, length=45
 User-Name = "belld"
 User-Password = "p455w0rd"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
 rlm_realm: No '@' in User-Name = "belld", looking up realm NULL
 rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for belld
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
 expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
 expand: dc=dxi,dc=net -> dc=dxi,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that
the user is configured correctly?
rlm_ldap: user belld authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0)
Found Post-Auth-Type Reject
+- entering group REJECT
 expand: %{User-Name} -> belld
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 99 to 212.95.252.25 port 20758
Waking up in 4.9 seconds.

What I can't work out is whether this is due to an LDAP or a RADIUS
config problem.



What is the result of the following commands (using a terminal)?

ldapsearch -x -h localhost -b "dc=dxi,dc=net" uid=belld
ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld

If they (especially the latter) do not return a value for the field
"userPassword", the problem is on the LDAP side.


markus


-- 


   This message was sent using https://webmail.biochem.mpg.de
If you encounter any problems please report to 
[EMAIL PROTECTED]


 

Thanks Markus.

I thought of that - and had done the first search and HAD noticed there
was no LDAP password set:

# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: uid=belld
# requesting: ALL
#

# belld, people, dxi.net
dn: uid=belld,ou=people,dc=dxi,dc=net
cn: David Bell
gidNumber: 100
givenName: David
homeDirectory: /home/belld
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
shadowInactive: -1
shadowMax: 9
shadowMin: 0
shadowWarning: 7
sn: Bell
uid: belld
uidNumber: 1000
shadowLastChange: 13920

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[EMAIL PROTECTED]:~>

I thought this was because LDAP was handing that aspect over to
something else but your second command shows a password.

[EMAIL PROTECTED]:~> ldapsearch -x -h localhost -b &quo

Re: Freeradius with OpenLDAP (Suse Enterprise 10)

2008-02-11 Thread David W Bell

Markus Krause wrote:

Quoting David W Bell <[EMAIL PROTECTED]>:


Markus Krause wrote:

Quoting David W Bell <[EMAIL PROTECTED]>:


LDAP is installed and working out of the box, having been set to be
used for authentication during the SUSE install.

This is proven by the ability to log in to the box, both locally and via SSH.

I installed freeRADIUS from the latest source and it is working also.

freeRADIUS seems unable to find a password for the user during
authentication.


I issue the following on my workstation

[EMAIL PROTECTED]:~$ echo "User-Name = belld,Password=p455w0rd" | radclient 212.95.255.242:1812 auth testing
Received response ID 99, code 3, length = 20

And see the following from freeRADIUS:

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 212.95.252.25 port 20758, id=99, length=45
  User-Name = "belld"
  User-Password = "p455w0rd"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
  rlm_realm: No '@' in User-Name = "belld", looking up realm NULL
  rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for belld
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
  expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
  expand: dc=dxi,dc=net -> dc=dxi,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that
the user is configured correctly?
rlm_ldap: user belld authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0)
Found Post-Auth-Type Reject
+- entering group REJECT
  expand: %{User-Name} -> belld
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 99 to 212.95.252.25 port 20758
Waking up in 4.9 seconds.

What I can't work out is whether this is due to an LDAP or a RADIUS
config problem.



What is the result of the following commands (using a terminal)?

ldapsearch -x -h localhost -b "dc=dxi,dc=net" uid=belld
ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld

If they (especially the latter) do not return a value for the field
"userPassword", the problem is on the LDAP side.


markus


--
This message was sent using https://webmail.biochem.mpg.de
If you encounter any problems please report to [EMAIL PROTECTED]

 




Thanks Markus.

I thought of that - and had done the first search and HAD noticed there
was no LDAP password set:

# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: uid=belld
# requesting: ALL
#

# belld, people, dxi.net
dn: uid=belld,ou=people,dc=dxi,dc=net
cn: David Bell
gidNumber: 100
givenName: David
homeDirectory: /home/belld
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
shadowInactive: -1
shadowMax: 9
shadowMin: 0
shadowWarning: 7
sn: Bell
uid: belld
uidNumber: 1000
shadowLastChange: 13920

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[EMAIL PROTECTED]:~>

I thought this was because LDAP was handing that aspect over to
something else but your second command shows a password.

[EMAIL PROTECTED]:~> ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D
"cn=Administrator,dc=dxi,dc=net" -w trPic

Re: Freeradius with OpenLDAP (Suse Enterprise 10)

2008-02-11 Thread David W Bell

Markus Krause wrote:

Quoting David W Bell <[EMAIL PROTECTED]>:


LDAP is installed and working out of the box, having been set to be
used for authentication during the SUSE install.

This is proven by the ability to log in to the box, both locally and via SSH.

I installed freeRADIUS from the latest source and it is working also.

freeRADIUS seems unable to find a password for the user during
authentication.


I issue the following on my workstation

[EMAIL PROTECTED]:~$ echo "User-Name = belld,Password=p455w0rd" | radclient 212.95.255.242:1812 auth testing
Received response ID 99, code 3, length = 20

And see the following from freeRADIUS:

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 212.95.252.25 port 20758, id=99, length=45
   User-Name = "belld"
   User-Password = "p455w0rd"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
   rlm_realm: No '@' in User-Name = "belld", looking up realm NULL
   rlm_realm: No such realm "NULL"
++[suffix] returns noop
 rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for belld
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
   expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
   expand: dc=dxi,dc=net -> dc=dxi,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that
the user is configured correctly?
rlm_ldap: user belld authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0)
 Found Post-Auth-Type Reject
+- entering group REJECT
   expand: %{User-Name} -> belld
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 99 to 212.95.252.25 port 20758
Waking up in 4.9 seconds.

What I can't work out is whether this is due to an LDAP or a RADIUS
config problem.



What is the result of the following commands (using a terminal)?

ldapsearch -x -h localhost -b "dc=dxi,dc=net" uid=belld
ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld

If they (especially the latter) do not return a value for the field
"userPassword", the problem is on the LDAP side.


markus


--
 This message was sent using https://webmail.biochem.mpg.de
If you encounter any problems please report to [EMAIL PROTECTED]




Thanks Markus.

I thought of that, and had done the first search and HAD noticed there was no LDAP password set.


# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: uid=belld
# requesting: ALL
#

# belld, people, dxi.net
dn: uid=belld,ou=people,dc=dxi,dc=net
cn: David Bell
gidNumber: 100
givenName: David
homeDirectory: /home/belld
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
shadowInactive: -1
shadowMax: 9
shadowMin: 0
shadowWarning: 7
sn: Bell
uid: belld
uidNumber: 1000
shadowLastChange: 13920

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[EMAIL PROTECTED]:~>

I thought this was because LDAP was handing that aspect over to something else, but your second command shows a password.


[EMAIL PROTECTED]:~> ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld

# extended LDIF
#
# LDAPv3
# base  with scope subt
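Markus's two ldapsearch commands above separate an LDAP-side problem (no userPassword stored, or one the binding identity is not allowed to read) from a RADIUS-side one. The script below is an added example, not code from the thread or from FreeRADIUS: it parses the LDIF that ldapsearch prints (folded lines, comments and base64 "attr::" values included) and gives that verdict from the anonymous and the administrator-bound results. The sample LDIF is constructed from the belld entry shown above; the userPassword value in it is a placeholder, not a real hash.

```python
"""Decide from two ldapsearch outputs whether a missing userPassword is an
LDAP-side or a RADIUS-side problem.  Added example; it assumes the operator
pastes the raw LDIF printed by ldapsearch for an anonymous bind and for a
bind as the directory administrator."""
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Parse ldapsearch LDIF output into entries (attribute name, lower-cased,
    mapped to its list of values).  Handles '#' comment lines, folded
    continuation lines (leading space) and base64 values written 'attr:: ...',
    which is how OpenLDAP prints userPassword.  Blocks without a 'dn' (the
    trailing 'search:/result:' summary) are dropped."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:  # the trailing "" flushes the last block
        if line.startswith("#"):
            continue
        if line == "":
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):  # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries


def password_visible(ldif_text: str) -> Dict[str, bool]:
    """Map each returned DN to whether userPassword came back with it."""
    return {e["dn"][0]: "userpassword" in e for e in parse_ldif(ldif_text)}


def diagnose(anon_ldif: str, admin_ldif: str, dn: str) -> str:
    """Which side to look at next, from the anonymous and admin-bound results."""
    anon = password_visible(anon_ldif).get(dn, False)
    admin = password_visible(admin_ldif).get(dn)
    if admin is None:
        return "entry not returned even when bound as administrator: check base DN and filter"
    if not admin:
        return "no userPassword stored on the entry: LDAP side"
    if not anon:
        return ("userPassword is readable only by a privileged bind: the identity "
                "rlm_ldap binds with must be allowed to read it")
    return "userPassword is readable: look at the RADIUS side (Auth-Type / pap)"


# Constructed sample: the belld entry as the anonymous search printed it
# (no userPassword), and the same entry as the administrator sees it, with a
# placeholder {SSHA} value standing in for a real hash.
BELLD_DN = "uid=belld,ou=people,dc=dxi,dc=net"
_ENTRY = """# extended LDIF
#
# LDAPv3
# filter: uid=belld
# requesting: ALL
#

# belld, people, dxi.net
dn: uid=belld,ou=people,dc=dxi,dc=net
cn: David Bell
gidNumber: 100
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
uid: belld
uidNumber: 1000
"""
_SUMMARY = """
# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""
ANON_LDIF = _ENTRY + _SUMMARY
ADMIN_LDIF = (_ENTRY + "userPassword:: "
              + base64.b64encode(b"{SSHA}placeholder-not-a-real-hash").decode()
              + "\n" + _SUMMARY)

if __name__ == "__main__":
    print(diagnose(ANON_LDIF, ADMIN_LDIF, BELLD_DN))
```

With the thread's own situation (anonymous search shows no password, administrator search does) the verdict is the third branch: the entry is fine and the question becomes whether the identity rlm_ldap binds with can read the attribute and whether the RADIUS side maps it into a "known good" password.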

Freeradius with OpenLDAP (Suse Enterprise 10)

2008-02-11 Thread David W Bell
LDAP is installed and working out of the box, having been set to be used for authentication during the SUSE install.


This is proven by the ability to log in to the box, both locally and via SSH.

I installed freeRADIUS from the latest source and it is working also.

freeRADIUS seems unable to find a password for the user during authentication.


I issue the following on my workstation

[EMAIL PROTECTED]:~$ echo "User-Name = belld,Password=p455w0rd" | radclient 212.95.255.242:1812 auth testing

Received response ID 99, code 3, length = 20

And see the following from freeRADIUS:


Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 212.95.252.25 port 20758, id=99, length=45
   User-Name = "belld"
   User-Password = "p455w0rd"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
   rlm_realm: No '@' in User-Name = "belld", looking up realm NULL
   rlm_realm: No such realm "NULL"
++[suffix] returns noop
 rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for belld
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
   expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
   expand: dc=dxi,dc=net -> dc=dxi,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
rlm_ldap: user belld authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0)
 Found Post-Auth-Type Reject
+- entering group REJECT
   expand: %{User-Name} -> belld
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 99 to 212.95.252.25 port 20758
Waking up in 4.9 seconds.

What I can't work out is whether this is due to an LDAP or a RADIUS config problem.







Unable to run radclient - libfreeradius-radius-2.0.0.so not found

2008-01-23 Thread David W Bell
Trying to run radclient to test if I have things set up correctly and I 
get this.


The only similar thing I could find on the net was libcrypt being missing, which was attributed to an incorrect installation of OpenLDAP (I think).


I downloaded the src and compiled from there with ./configure, make and then make install.


Any suggestions?

[EMAIL PROTECTED]:~> sudo radclient --help
radclient: error while loading shared libraries: libfreeradius-radius-2.0.1.so: cannot open shared object file: No such file or directory

[EMAIL PROTECTED]:~> sudo find / -noleaf -name libfreeradius-radius-2.0.1.so
/usr/local/lib/libfreeradius-radius-2.0.1.so
/home/belld/src/freeradius-server-2.0.1/src/lib/.libs/libfreeradius-radius-2.0.1.so




Re: Failed MAKE on SLES10

2008-01-15 Thread David W Bell
That will teach me for following the advice to "just get it from the server".


freeradius 2.0.0 now installing :)

Thanks

David

Hey David,

How about trying a more recent FreeRADIUS version?
If not, check that your libgdbm library is installed properly.

Regards,
Liran Tal.


On Jan 15, 2008 3:39 PM, David W Bell <[EMAIL PROTECTED]> wrote:


Anyone else seen this, and if so is there an easy fix, or do I need to find an alternative libgdbm.so?

/home/belld/freeradius-1.0.4/libtool --mode=link gcc -release 1.0.4 \
-module -export-dynamic  -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5   -Wall -D_GNU_SOURCE -DNDEBUG  -I../../include   \
-o rlm_counter.la -rpath /usr/local/lib rlm_counter.lo -lgdbm -lnsl -lresolv  -lpthread -lcrypto -lssl
rm -fr .libs/rlm_counter.la .libs/rlm_counter.* .libs/rlm_counter-1.0.4.*
gcc -shared  rlm_counter.lo  /usr/lib/libgdbm.so -lnsl -lresolv -lpthread -lcrypto -lssl  -Wl,-soname -Wl,rlm_counter-1.0.4.so -o .libs/rlm_counter-1.0.4.so
/usr/lib/libgdbm.so: could not read symbols: File in wrong format






Failed MAKE on SLES10

2008-01-15 Thread David W Bell
Anyone else seen this, and if so is there an easy fix, or do I need to find an alternative libgdbm.so?


/home/belld/freeradius-1.0.4/libtool --mode=link gcc -release 1.0.4 \
-module -export-dynamic  -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5   -Wall -D_GNU_SOURCE -DNDEBUG  -I../../include   \
-o rlm_counter.la -rpath /usr/local/lib rlm_counter.lo -lgdbm -lnsl -lresolv  -lpthread -lcrypto -lssl
rm -fr .libs/rlm_counter.la .libs/rlm_counter.* .libs/rlm_counter-1.0.4.*
gcc -shared  rlm_counter.lo  /usr/lib/libgdbm.so -lnsl -lresolv -lpthread -lcrypto -lssl  -Wl,-soname -Wl,rlm_counter-1.0.4.so -o .libs/rlm_counter-1.0.4.so
/usr/lib/libgdbm.so: could not read symbols: File in wrong format
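The message at the end of the build output, "could not read symbols: File in wrong format", is GNU ld reporting that the file it was handed is not an object of the format it is currently linking for; a 32-bit libgdbm.so picked up on a 64-bit link (or the reverse), or a text linker script where an ELF file was expected, are the usual ways to get it. The thread does not establish which applied here (it was resolved by moving to FreeRADIUS 2.0.0), so the following is an added example rather than the list's diagnosis: it reads the ELF identification bytes of an object file and of a library and says whether they can be linked together. The header bytes used in the demonstration are constructed, not taken from a real libgdbm.

```python
"""Compare the ELF identification of an object and a library to explain GNU
ld's 'File in wrong format'.  Added example; assumes ELF objects (as on
SLES 10) and reads only the first 20 bytes of each file."""
import struct
import sys
from typing import Dict

ELF_MAGIC = b"\x7fELF"
EI_CLASS = {1: "ELF32", 2: "ELF64"}
EI_DATA = {1: "little-endian", 2: "big-endian"}
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN"}
E_MACHINE = {3: "x86", 20: "PowerPC", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def elf_ident(data: bytes) -> Dict[str, str]:
    """Classify the leading bytes of a file: an ELF image (with class, byte
    order, machine and type), an ar archive, a text linker script, or
    something else.  All three non-ELF cases make ld report 'File in wrong
    format' when an ELF object of the link's own format was expected."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        if data.startswith(b"!<arch>"):
            return {"kind": "ar archive"}
        # heuristic: GNU ld scripts start with a comment or a script keyword
        if data.lstrip().startswith((b"/*", b"GROUP", b"INPUT", b"OUTPUT_FORMAT")):
            return {"kind": "linker script"}
        return {"kind": "not ELF"}
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    # e_type (offset 16) and e_machine (offset 18) sit at the same offsets in
    # ELF32 and ELF64 headers, so no class-specific layout is needed here
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "kind": "ELF",
        "class": EI_CLASS.get(ei_class, "unknown"),
        "data": EI_DATA.get(ei_data, "unknown"),
        "machine": E_MACHINE.get(e_machine, "unknown(%d)" % e_machine),
        "type": E_TYPE.get(e_type, str(e_type)),
    }


def describe(ident: Dict[str, str]) -> str:
    """One-line rendering of an elf_ident() result."""
    if ident["kind"] != "ELF":
        return ident["kind"]
    return "%s %s %s %s" % (ident["class"], ident["data"], ident["machine"], ident["type"])


def link_compatible(obj: bytes, lib: bytes) -> bool:
    """True when both are ELF of the same class, byte order and machine."""
    a, b = elf_ident(obj), elf_ident(lib)
    return (a["kind"] == "ELF" and b["kind"] == "ELF"
            and (a["class"], a["data"], a["machine"]) == (b["class"], b["data"], b["machine"]))


def explain(obj_path: str, lib_path: str) -> str:
    """Read both files and render a verdict for the operator."""
    with open(obj_path, "rb") as fh:
        obj = fh.read(20)
    with open(lib_path, "rb") as fh:
        lib = fh.read(20)
    a, b = elf_ident(obj), elf_ident(lib)
    if link_compatible(obj, lib):
        return "%s and %s match (%s %s)" % (obj_path, lib_path, a["class"], a["machine"])
    return "%s is %s; %s is %s" % (obj_path, describe(a), lib_path, describe(b))


def fake_elf_header(ei_class: int, e_machine: int, ei_data: int = 1, e_type: int = 3) -> bytes:
    """Constructed 20-byte ELF header for the demonstration (not a real file)."""
    endian = "<" if ei_data == 1 else ">"
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0]) + b"\0" * 8
    return ident + struct.pack(endian + "HH", e_type, e_machine)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # e.g. rlm_counter.o /usr/lib/libgdbm.so
        print(explain(sys.argv[1], sys.argv[2]))
    else:  # no files given: show the 32-bit library on a 64-bit link case
        print(describe(elf_ident(fake_elf_header(2, 62))), "vs",
              describe(elf_ident(fake_elf_header(1, 3))))
```

Run it with the object file produced by the failing link and the library the error names; on a 64-bit SUSE install the 64-bit libraries live under /usr/lib64, so a mismatch report is the cue to check which directory the -lgdbm resolution is picking up.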


Re: Hello, and a question.

2008-01-14 Thread David W Bell

Can freeRADIUS provide everything that TACACS+ can, so that I need only install/configure freeRADIUS?

This really depends on the network kit and the vendor that produced it. Cisco claim that many of the features of TACACS+ can be replicated using Cisco VSA strings. The wiki has bits and pieces for Cisco: http://wiki.freeradius.org/Cisco#Cisco_VSAs.


HP have limited support for RADIUS; you can be an operator or manager, but you can't really have fine-grained control over what commands those users can issue.


Bottom line is TACACS+ generally has better support in terms of fine-grained access control, but TACACS+ server implementations do not have the flexibility and range of features FreeRADIUS does.




Much of the kit we are using IS Cisco.

So I am guessing I would be best to allow RADIUS & TAC+ to interface with LDAP.


Thanks for that :)

David


Hello, and a question.

2008-01-14 Thread David W Bell

Hi there.

Have used freeRADIUS in the past to authenticate dial-up/ADSL users, but now have a different implementation problem that requires some input from this list.

I am working on a Single Sign-On solution to try and give users in the organisation that I work for a single username and password.

I am planning on using LDAP for the backend store, as a lot of our equipment can be configured to use LDAP natively.

However we also have a lot of routers and other network kit that either talks RADIUS or TACACS+ (or both).

I would like to keep things as simple as possible, so my question is:

Can freeRADIUS provide everything that TACACS+ can, so that I need only install/configure freeRADIUS?


Thanks in advance

David W Bell