Freeradius + LDAP + Samba integrates to Active Directory

2013-04-12 Thread John
Hi all,
 
We deploy freeradius integrated with Active Directory, but the AD has the 
Require signing option enabled (see the attachment).
 
net join is OK after we set LDAP SASL wrapping to 'sign', but LDAP search 
failed.  Is there a way to let LDAP search work? Can someone show me some 
reference or guide?
 
Thanks,
John

[attachment: LDAP SASL wrapping.JPG]
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Question about differences between possibilities of authentication

2013-04-12 Thread Bas Penris
Hi All,
 
The last week I've had my first encounter with FreeRADIUS as we were supposed 
to deploy eduroam. I had a lot of fun doing it, although I have dreamt about the 
config files after a couple of days :)
 
Everything is working as it should so no worries there, but I'm curious about 
something. I configured the proxies and the local realm. When I did a radtest 
like this:
radtest che...@localdomain.nl password 127.0.0.1 1 secret
I would get an Access-Accept. The debug output would show that first a bind and 
then an LDAP search is performed in our eDirectory. Okay! Fun times, I thought, 
let's try it on my mobile phone, because a test account I got from an academic 
institution in the UK worked, so local authentication should work as well! I 
entered the credentials, but now comes the difference. Using a Wifi device made 
the LDAP search fail because it tried to authenticate the u...@domain.nl instead 
of stripping the suffix.
 
I've been staring at the config files to see if I got the LDAP filter defined 
two times somewhere, but that doesn't seem to be the case. Now, this wasn't a 
really big problem, because users can be pretty stupid and we decided to let 
them authenticate using their email address instead of their username@domain, 
which would lead to too much confusion for them.
 
The LDAP filter was:
filter = (uid=%{Stripped-User-Name:-%{User-Name}})
Is now:
filter = (|(cn=%{Stripped-User-Name:-%{User-Name}})(mail=%{User-Name}))
The proxy.conf lines right before it's defaulted to eduroam:
realm ettyhillesumlyceum.nl {
}
 
Does anyone have an idea why radtest would behave differently from an 802.1x login?
 
Regards,
 
Bas
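What the two filters in this post actually send to the directory depends on whether a realm module set Stripped-User-Name before the ldap module ran. The Python below is an added illustration written for this page, not FreeRADIUS code and not anything the poster supplied: run_suffix() is a simplified stand-in for the suffix realm module, expand_user() is the `%{Stripped-User-Name:-%{User-Name}}` expansion, and the two filter builders apply RFC 4515 escaping to the expanded values (rlm_ldap escapes expanded values in its filter; the escape table here is the RFC's). The realm list, the user names, and the simplification that a name with an unknown realm is merely left unstripped are this example's assumptions; it does not establish why the 802.1X request in the post reached ldap unstripped.

```python
"""Added model (not FreeRADIUS code) of how the thread's two LDAP filters
expand. run_suffix() is a simplified stand-in for the 'suffix' realm module;
the realm list and user names below are constructed for the example."""

LOCAL_REALMS = {"localdomain.nl"}  # constructed: realms this server handles itself

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value):
    """Escape a value before it is spliced into a filter string."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def run_suffix(request, realms=LOCAL_REALMS):
    """Model of the suffix module: split User-Name at the last '@'. If the
    realm is one of ours, set Stripped-User-Name and Realm; a name with no
    '@' or an unknown realm is left untouched (the real module would mark
    the latter for proxying, which this model does not follow)."""
    out = dict(request)
    name = request["User-Name"]
    if "@" not in name:
        return out
    user, realm = name.rsplit("@", 1)
    if realm in realms:
        out["Stripped-User-Name"] = user
        out["Realm"] = realm
    return out


def expand_user(request):
    """%{Stripped-User-Name:-%{User-Name}}: Stripped-User-Name if set, else User-Name."""
    return request.get("Stripped-User-Name") or request["User-Name"]


def old_filter(request):
    """filter = (uid=%{Stripped-User-Name:-%{User-Name}})"""
    return "(uid=%s)" % ldap_escape(expand_user(request))


def new_filter(request):
    """filter = (|(cn=%{Stripped-User-Name:-%{User-Name}})(mail=%{User-Name}))"""
    return "(|(cn=%s)(mail=%s))" % (
        ldap_escape(expand_user(request)), ldap_escape(request["User-Name"]))


if __name__ == "__main__":
    # Constructed names: a local realm, a foreign realm, and filter metacharacters.
    for name in ("testuser@localdomain.nl", "testuser@otherdomain.nl", "a*)(uid=*"):
        req = run_suffix({"User-Name": name})
        print(name, "->", old_filter(req), "|", new_filter(req))
```

The foreign-realm case shows the behaviour the post describes: with no Stripped-User-Name in the request, the old filter searches uid for the full user@domain string, while the new filter's mail branch can still match it. The last name shows why escaping matters: without it, a username containing `*`, `(` or `)` would change the structure of the filter rather than being compared as a value.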

Group questions..several group memberships to one account. FreeRADIUS Version 2.1.10

2013-04-12 Thread Alexander Silveröhrt
Hello,

Never played around with groups using rlm_sql and the default schema..
I am reading what I assume is saying that it should be possible to have several 
groups to an account, and each group should be able to supply that specific 
group's radgroupreply attributes..
Number 4 below sure sounds like it should get all the account's groups first and 
then process them according to priority? The test below shows it only reads the 
first group? And no matter what priority..
Is that how it should work, or what am I missing here?

1. Search the radcheck table for any check attributes specific to the user
2. If check attributes are found, and there's a match, pull the reply items from 
   the radreply table for this user and add them to the reply
3. Group processing then begins if any of the following conditions are met:
   ◦ The user IS NOT found in radcheck
   ◦ The user IS found in radcheck, but the check items don't match
   ◦ The user IS found in radcheck, the check items DO match AND Fall-Through is 
     set in the radreply table
   ◦ The user IS found in radcheck, the check items DO match AND the read_groups 
     directive is set to 'yes'
4. If groups are to be processed for this user, the first thing that is done is 
   the list of groups this user is a member of is pulled from the usergroup table 
   ordered by the priority field. The priority field of the usergroup table allows 
   us to control the order in which groups are processed, so that we can emulate 
   the ordering in the users file. This can be important in many cases.
5. For each group this user is a member of, the corresponding check items are 
   pulled from radgroupcheck table and compared with the request. If there is a 
   match, the reply items for this group are pulled from the radgroupreply table 
   and applied.
6. Processing continues to the next group IF:
   ◦ There was not a match for the last group's check items OR
   ◦ Fall-Through was set in the last group's reply items (The above is exactly the 
     same as in the users file)
7. Finally, if the user has a User-Profile attribute set or the Default Profile 
   option is set in the sql.conf, then steps 4-6 are repeated for the groups that 
   the profile is a member of.

To test it I added some data to

mysql> select * from radcheck;
+----+----------+-----------+----+-------+
| id | username | attribute | op | value |
+----+----------+-----------+----+-------+
|  8 | alex     | Password  | := | test  |
+----+----------+-----------+----+-------+

mysql> select * from radusergroup;
+----------+------------------+----------+
| username | groupname        | priority |
+----------+------------------+----------+
| alex     | mega-admin-group |        0 |
| alex     | cisco_admin      |        1 |
+----------+------------------+----------+

mysql> select * from radgroupreply;
+----+------------------+----------------+----+---------------------------------+
| id | groupname        | attribute      | op | value                           |
+----+------------------+----------------+----+---------------------------------+
|  1 | mega-admin-group | Reply-Message  | =  | test-mega-admin-reply-attribute |
|  2 | mega-admin-group | NAS-Identifier | =  | test-NAS                        |
|  3 | cisco_admin      | Service-Type   | =  | NAS-Prompt-User                 |
|  4 | cisco_admin      | cisco-avpair   | =  | shell:priv-lvl=15               |
+----+------------------+----------------+----+---------------------------------+
5 rows in set (0.00 sec)

root@noc1:/etc/freeradius# radtest -x alex test localhost 1812 testing123
Sending Access-Request of id 69 to 127.0.0.1 port 1812
User-Name = alex
User-Password = test
NAS-IP-Address = 10.173.2.10
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=69, length=63
Reply-Message = test-mega-admin-reply-attribute
NAS-Identifier = test-NAS  -- Only replies from group mega-admin-group


And freeradius debug is showing it only checked replies from the first group..

rad_recv: Access-Request packet from host 127.0.0.1 port 49061, id=3, length=56
User-Name = alex
User-Password = test
NAS-IP-Address = 10.173.2.10
NAS-Port = 1812
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
rlm_perl: rlm_perl::Itux DEBUG::Inside authorize Function.
rlm_perl: Added pair User-Name = alex
rlm_perl: Added pair User-Password = test
rlm_perl: Added pair NAS-Port = 1812
rlm_perl: Added pair NAS-IP-Address = 10.173.2.10
++[perl] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = alex, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[sql]   expand: %{User-Name} - alex
[sql] sql_set_user escaped user -- 'alex'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op   FROM 

Re: Group questions..several group memberships to one account. FreeRADIUS Version 2.1.10

2013-04-12 Thread Alexander Silveröhrt
Sorry, forget about priority, I thought higher was first.. Which it wasn't.. Still, 
is it possible to get replies from multiple groups an account belongs to?

Cheers
Alex


Re: Group questions..several group memberships to one account. FreeRADIUS Version 2.1.10

2013-04-12 Thread Alexander Silveröhrt
And sorry again…
I forgot the old Fall-Through = yes, which of course made it work..

I thank myself for my excellent answers ☺

Cheers
Alex
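To see why only the first group's attributes came back, and why Fall-Through = Yes fixes it, here is an added Python model of the rlm_sql authorize walk as the quoted documentation describes it (steps 1 to 6; step 7, profiles, is omitted). It is illustrative code written for this page, not FreeRADIUS's rlm_sql, and the rows are constructed from the tables posted in the thread. The check-item comparison is deliberately simplified, and read_groups defaults to yes as in the stock sql.conf, which is why the groups are consulted at all although alex has a matching radcheck row.

```python
"""Added model of the rlm_sql authorize walk (steps 1-6 of the documentation
quoted in the thread). Illustrative Python written for this page, not
FreeRADIUS's rlm_sql; the rows are constructed from the posted tables and
step 7 (User-Profile / Default Profile) is left out."""

# Constructed sample tables, mirroring the thread's MySQL output.
TABLES = {
    "radcheck": [
        {"username": "alex", "attribute": "Password", "op": ":=", "value": "test"},
    ],
    "radreply": [],       # no user-specific reply rows in the thread
    "radusergroup": [
        {"username": "alex", "groupname": "mega-admin-group", "priority": 0},
        {"username": "alex", "groupname": "cisco_admin", "priority": 1},
    ],
    "radgroupcheck": [],  # the thread defines no group check items
    "radgroupreply": [
        {"groupname": "mega-admin-group", "attribute": "Reply-Message",
         "op": "=", "value": "test-mega-admin-reply-attribute"},
        {"groupname": "mega-admin-group", "attribute": "NAS-Identifier",
         "op": "=", "value": "test-NAS"},
        {"groupname": "cisco_admin", "attribute": "Service-Type",
         "op": "=", "value": "NAS-Prompt-User"},
        {"groupname": "cisco_admin", "attribute": "cisco-avpair",
         "op": "=", "value": "shell:priv-lvl=15"},
    ],
}

PASSWORD_ATTRS = {"Password", "Cleartext-Password", "User-Password"}


def check_matches(item, request):
    """Simplified check-item comparison: a password item must equal the
    request's User-Password, an explicit '==' must equal the request
    attribute, and ':=' / '=' on anything else are control assignments
    that always 'match'."""
    if item["attribute"] in PASSWORD_ATTRS:
        return request.get("User-Password") == item["value"]
    if item["op"] == "==":
        return request.get(item["attribute"]) == item["value"]
    return True


def has_fall_through(rows):
    return any(r["attribute"] == "Fall-Through" and r["value"].lower() == "yes"
               for r in rows)


def as_pairs(rows):
    # Fall-Through is an internal flag and is never sent to the NAS.
    return [(r["attribute"], r["op"], r["value"])
            for r in rows if r["attribute"] != "Fall-Through"]


def sql_authorize(username, request, tables=TABLES, read_groups=True):
    """Reply pairs rlm_sql adds for this request; read_groups defaults to
    yes as in the stock sql.conf. Authorize only collects attributes; a
    failed check item is rejected later, in the authenticate section."""
    reply = []
    user_checks = [r for r in tables["radcheck"] if r["username"] == username]  # step 1
    found = bool(user_checks)
    matched = found and all(check_matches(c, request) for c in user_checks)
    fall_through = False
    if matched:  # step 2
        user_reply = [r for r in tables["radreply"] if r["username"] == username]
        reply += as_pairs(user_reply)
        fall_through = has_fall_through(user_reply)
    if not (not found or not matched or fall_through or read_groups):  # step 3
        return reply
    groups = sorted((g for g in tables["radusergroup"] if g["username"] == username),
                    key=lambda g: g["priority"])  # step 4: lowest priority first
    for g in groups:
        name = g["groupname"]
        gchecks = [r for r in tables["radgroupcheck"] if r["groupname"] == name]
        if not all(check_matches(c, request) for c in gchecks):
            continue  # step 6a: no match, try the next group
        greply = [r for r in tables["radgroupreply"] if r["groupname"] == name]
        reply += as_pairs(greply)  # step 5
        if not has_fall_through(greply):
            break  # step 6b: no Fall-Through, later groups are never consulted
    return reply


def with_fall_through(tables, groupname):
    """Copy of the tables with Fall-Through = Yes added to one group's reply."""
    copy = {k: list(v) for k, v in tables.items()}
    copy["radgroupreply"].append({"groupname": groupname, "attribute": "Fall-Through",
                                  "op": "=", "value": "Yes"})
    return copy


if __name__ == "__main__":
    req = {"User-Name": "alex", "User-Password": "test"}
    print(sql_authorize("alex", req))  # mega-admin-group's two pairs only
    print(sql_authorize("alex", req, with_fall_through(TABLES, "mega-admin-group")))
```

Run as-is, the first call returns only Reply-Message and NAS-Identifier, matching the radtest output in the thread; the second, with Fall-Through = Yes on mega-admin-group, also returns cisco_admin's Service-Type and cisco-avpair. Priority ordering only decides which group is consulted first; without Fall-Through the walk stops at the first group whose check items match.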


Re: Question on certificates before deep dive into EAP-TLS

2013-04-12 Thread Alan DeKok
Mathieu Simon wrote:
> Telling students how to install an internal CA root isn't going to work,
> it already
> didn't work for teachers in the past ...

  Yes.  That is a problem.

> But allowing only (internal) devices with certs from the internal CA
> through CA_file
> would allow us to more easily integrate those non-personal but
> school-owned devices.

  That would work.

> I just hope I'm not telling complete bullshit... ;-)

  Nope.

> Thank you Alan for your time to answer!

  It's what I do.

  Alan DeKok.


Re: Freeradius + LDAP + Samba integrates to Active Directory

2013-04-12 Thread Alan DeKok
John wrote:
> We deploy freeradius integrated to Active Directory, but the AD enabled
> Require signing option (see the attachment).

  That's really an AD question.

> net join is OK after we set LDAP SASL wrapping to 'sign'. But LDAP
> search failed.  Is there a way to let LDAP search work? Can someone show
> me some reference or guide?

  Look in Microsoft support forums.  Once you get LDAP search working,
FreeRADIUS will work, too.

  Alan DeKok.


Re: Question about differences between possibilities of authentication

2013-04-12 Thread Alan DeKok
Bas Penris wrote:
> Everything is working as it should so no worries there, but I'm curious
> about something. I configured the proxies and the local realm. When I
> did a radtest like this:
> radtest che...@localdomain.nl password 127.0.0.1 1 secret
> I would get an Access-Accept.

  That's the easy part.

> The debug output would show that first a
> bind and then an LDAP search is performed in our eDirectory. Okay! Fun
> times I thought, let's try it on my mobile phone because a test account
> I got from an academic institution in the UK worked so local
> authentication should work as well! I entered the credentials but now
> comes the difference. Using a Wifi device made the LDAP search fail
> because it tried to authenticate the u...@domain.nl
> instead of stripping the suffix.

  Don't test from a mobile device until you've done complete EAP testing
yourself.  You'll get a LOT more useful information.

  See my web page: http://deployingradius.com

> I've been staring at the config files to see if I got the LDAP-filter
> defined two times somewhere but that doesn't seem to be the case. Now,
> this wasn't a really big problem because users can be pretty stupid and
> we decided to let them authenticate using their email address instead
> of their username@domain which would lead to too much confusion for them.

  It's usually best to use the full email address.  It simplifies a lot
of issues.

> The LDAP filter was:
> filter = (uid=%{Stripped-User-Name:-%{User-Name}})
> Is now:
> filter = (|(cn=%{Stripped-User-Name:-%{User-Name}})(mail=%{User-Name}))
> The proxy.conf lines right before it's defaulted to eduroam:
> realm ettyhillesumlyceum.nl {
> }

  So.. you're posting tiny pieces of the config.  But not the debug
output as suggested in the FAQ, README, man page, web pages, and daily
on this list?

> Anyone has an idea why radtest would behave differently from an 802.1x
> login?

  Because it's doing different searches.  See the debug output for more
information.  It's all in there.  Really.  That's why we tell people to
read it, and to post it here.

  Alan DeKok.


[RESOLVED] Need both Local (MySQL database) and Active directory authentications.

2013-04-12 Thread ffgch2
Thanks Alan! The following code in the sites-available/inner-tunnel solved
the problem.

  if (%{sql: SELECT COUNT(*) FROM radcheck WHERE username = '%{SQL-User-Name}' AND pwdtype = 'local'} > 0) {
    update control {
      MS-CHAP-Use-NTLM-Auth := 0
    }
  }



> ffgch2 wrote:
>> I have set up Freeradius (v.2.1.10)
>
>   Upgrade to v2.2.0.
>
>> to do password authentication from
>> MySQL database and it works fine but now I need to make some users be
>> able to authenticate against Active directory accounts. I’ve setup
>> winbind to authenticate windows accounts and it works but as a result
>> freeradius lost ability to authenticate by local database.
>
>   You need to figure out when users will be checked against SQL, and
> when they will be checked against AD.  Right now, you've configured
> FreeRADIUS to use both.  Which isn't what you want.
>
>> So if I comment the line:
>
>   Don't randomly change things.  It won't work.
>
>> Is there a way to tell mschap to use ntlm_auth depending on field in
>> MySQL table and use the internal mechanisms if plain text passwords
>> available in the MySQL table?
>
>   No.  There are better ways.
>
>   See raddb/modules/mschap.  You can control when ntlm_auth is called.
>
>   See man unlang.  You can configure policies.  Read the debug output.
>
>   What you want is this:
>
> authorize {
> ...
> sql
> if (ok) {
> update control {
> MS-CHAP-Use-NTLM-Auth := No
> }
>
> }
> ...
> }
>
>   Alan DeKok.

how can detect the cues of reject

2013-04-12 Thread Mehdi Ravanbakhsh
How can we detect the cues of reject in any section of the default site (sites-enabled)?

Do we have any internal attribute or any source that can be used to
determine the cues for rejecting a user?


best regards.


Re: Re: Question about differences between possibilities of authentication

2013-04-12 Thread Bas Penris
Hi Alan,
 
The reason I didn't post the debugs and config files was because I thought 
there might be an easy explanation which one of you would be able to spoon up 
without any trouble. Especially because nothing is broken and everything works 
as it's supposed to.
 
I'll get back with a debug log and the config after the weekend.
 
Regards,
 
Bas


Re: Re: Re: Question about differences between possibilities of authentication

2013-04-12 Thread Alan DeKok
Bas Penris wrote:
> The reason I didn't post the debugs and config files was because I
> thought there might be an easy explanation which one of you would be
> able to spoon up without any trouble.

  We need certain information to answer questions.  One piece of which
is the debug output.  That's why we ask for it DAILY on this list.

  There is NO excuse for not posting it when you're trying to debug a
problem.

> Especially because nothing is
> broken and everything works as it's supposed to.

  So you said it didn't do what you wanted, but that it works?

> I'll get back with a debug log and the config after the weekend.

  Did I ask for the configuration?  No.

  I asked for the debug output.  That's what I want.  I don't want
copies of your configuration.  If I had wanted copies of the
configuration, I would have asked for them.

  Please follow instructions.  A MAJOR reason why people have trouble is
that they refuse to follow instructions.

  Alan DeKok.


Re: Adding modified libraries without recompiling entirely FreeRADIUS

2013-04-12 Thread Alan DeKok
yoann Couble wrote:
> Hi everyone,
>
> I have a freeRADIUS 2.0.4 server which has been running well for the
> past two years.

  Upgrade to 2.2.0.

> With the sources downloaded from packages.debian.org,
> wrote my version of rlm_chap.c.
> Everything compiles and works fine when I do:
>  ./configure
>  make
>  make install
> from the source folder and run it with /radiusd/.
> NB: To avoid lib conflicts I remove the libs generated in /usr/local/lib
> during installation before I start again /usr/sbin/freeradius

  That might work.  It's not something that's well tested.  Especially
with a very old version of the server.

> But now I would like to update my working version of freeradius (which
> was installed through an apt-get install) without causing much trouble.
> As I only modified rlm_chap.c I thought I could simply replace the
> current library

  Why not just re-install the package?  You're going out of your way to
hack things, when you could just build and install the package.

> After that I restart freeradius (the apt-get version) with
> freeradius -X
> Everything looks fine but when I send a request I get a segmentation
> fault when the server tries to enter chap module. (see the debug entry
> further)

  You probably made a coding error in your module.  The solution is to
debug the code you wrote.

> If I go back and replace /usr/lib/freeradius/rlm_chap-2.0.4.so
> by the original
> Everything works fine again.

  i.e. the code we ship (usually) works.

> I am pretty sure it has something to do with compilation and the way
> files were generated.
> Do you think it is possible to do what I want? i.e. inserting a modified
> library into the working set of library.

  Your code is wrong.  Fix it.

> Reinstalling the working freeradius or using the compiled files is not
> a possibility.

  Good luck with that.

> If you have any idea on what I am doing wrong (I am still a beginner and
> I probably do a lot of things wrong), please feel free to tell me and to
> share with me if you had similar situations.

  Learn C.

  Read doc/bugs for a *basic* introduction to gdb.

  But this list isn't the place for learning how to debug your code.

  Sorry.  We're too busy adding new features to be able to help you with
fixing your code, or with fixing very old FreeRADIUS code.

  Alan DeKok.


Re: how can detect the cues of reject

2013-04-12 Thread Arran Cudbard-Bell

On 12 Apr 2013, at 11:01, Mehdi Ravanbakhsh baba...@gmail.com wrote:

> how we can detect cues of reject in any section of default(site enable) ?
>
> do we have any internal attribute  or  any source that can be use for
> determine cues of rejecting user ?

Module-Failure-Message

But it's only reliably populated in 3.0.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team


Re: how can detect the cues of reject

2013-04-12 Thread Mehdi Ravanbakhsh
Thanks Arran



Re: Re: Freeradius 3 LDAP Generic Attributes

2013-04-12 Thread Nicholas Lemberger
The ldap.attrmap syntax in FR2 was:
checkItem   $GENERIC$   radiusCheckItem
replyItem   $GENERIC$   radiusReplyItem

Basically the ldap attributes radiusCheckItem & radiusReplyItem
contained FR attr/value pairs which were then added to the
corresponding attribute list in FR (e.g. in LDAP radiusReplyItem could
be Primary-DNS-Server := 1.1.1.1).

They wouldn't necessarily need to be distinct check/reply attributes
in the new rlm_ldap...  it could work more like unlang where an LDAP
attribute value could be control:Disabled := true, and where if the
list: portion is omitted it would default to reply.  No matter how
this happens, there's probably going to need to be a special case
syntax made in the rlm_ldap attribute mapping...

Best Regards,
-Nick


Re: Freeradius 3 LDAP Generic Attributes

2013-04-12 Thread Arran Cudbard-Bell

I was thinking of just adding a valuepair_attr = blah config item in the ldap 
config and then doing exactly what you suggested above.

It's not much work, I'll take a look at it later today or tomorrow.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
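For the valuepair_attr idea in this thread, here is an added parser for the generic attribute strings Nick describes (`Primary-DNS-Server := 1.1.1.1`, `control:Disabled := true`, with a missing list: prefix defaulting to reply). This is example code written for this page, not rlm_ldap's implementation: the operator set is FreeRADIUS's unlang operators, but the regular expression, the set of list names and the allow-list of lists that directory data may write to (reply and control by default) are this example's assumptions. The allow-list is the check a practitioner would want when an attribute stored in the directory can name its target list: whoever can edit that attribute should not be able to write into lists the mapping was never meant to reach.

```python
"""Added example, not rlm_ldap code: parse the generic "attr op value"
strings discussed above. A missing "list:" prefix defaults to reply; the
operator set is FreeRADIUS's, while the regular expression, the list names
and the allow-list of writable lists are this example's assumptions."""
import re

# Longest operators first so that ":=" and "==" are not read as "=".
OPERATORS = (":=", "==", "+=", "!=", "<=", ">=", "=~", "!~", "=*", "!*", "=", "<", ">")

_PAIR_RE = re.compile(
    r"^\s*(?:(?P<list>[A-Za-z-]+):)?"             # optional "control:" style prefix
    r"(?P<attr>[A-Za-z0-9][A-Za-z0-9._-]*)\s*"     # attribute name
    r"(?P<op>" + "|".join(re.escape(o) for o in OPERATORS) + r")\s*"
    r"(?P<value>.*?)\s*$"
)


def parse_generic_pair(text, default_list="reply", allowed_lists=("reply", "control")):
    """Return {"list", "attribute", "op", "value"} for one directory value.
    Raises ValueError on malformed input or on a list the directory is not
    allowed to write to (the allow-list is a safety choice of this example)."""
    m = _PAIR_RE.match(text)
    if not m:
        raise ValueError("not an 'attr op value' string: %r" % text)
    target = m.group("list") or default_list
    if target not in allowed_lists:
        raise ValueError("list %r may not be set from directory data" % target)
    value = m.group("value")
    if not value:
        raise ValueError("missing value in %r" % text)
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]  # strip matching quotes
    return {"list": target, "attribute": m.group("attr"), "op": m.group("op"), "value": value}


def map_entry_values(values, **kwargs):
    """Group all of an entry's generic strings by target list, the way a
    module would before adding them to the request's lists."""
    lists = {}
    for text in values:
        pair = parse_generic_pair(text, **kwargs)
        lists.setdefault(pair["list"], []).append(
            (pair["attribute"], pair["op"], pair["value"]))
    return lists


if __name__ == "__main__":
    # Constructed directory values for one entry.
    entry = ["Primary-DNS-Server := 1.1.1.1", "control:Disabled := true",
             'Reply-Message = "Welcome, = and : are fine in quotes"']
    print(map_entry_values(entry))
```

Operators are matched longest-first so that `Session-Timeout == 3600` is a comparison and `Foo := bar` an assignment, and a value such as `shell:priv-lvl=15` is kept whole because the attribute name is consumed before the operator is looked for. Pass a different allowed_lists if a deployment wants directory data to reach other lists; the default refuses `request:` and anything else not named.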



RE: segfault error

2013-04-12 Thread Chris Taylor
Ok, I have upgraded to a compiled version of freeradius 2.2.0, and I was able to 
see the same result. It crashed after a few minutes with the error below.

on-radius01 kernel: radiusd[10038]: segfault at 73d87000 rip 
003c6c07b5bb rsp 73d83c08 error 4

I turned on core dumps to see if I could get any more details out of it, but I 
could not make it crash after that.

Any ideas as to what this could be? I can post my -X output, but all it says at 
the bottom when it stops working is segfault.

Thanks,

Chris

-Original Message-
From: freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org On Behalf Of Alan DeKok
Sent: Wednesday, April 10, 2013 9:45 AM
To: FreeRadius users mailing list
Subject: Re: segfault error

Chris Taylor wrote:
> I am running freeradius2-2.1.12-5.el5 on a CentOS server release 5.9 
> (Final). I was doing some testing on some new RADIUS servers that we 
> want to put into production and I got the following error.

  Well... upgrade to 2.2.0.  There's no reason for us to debug issues in old 
versions.  Those have already been debugged and fixed.

  Alan DeKok.


Re: segfault error

2013-04-12 Thread Alan DeKok
Chris Taylor wrote:
> Ok I have upgraded to a compiled version of freeradius 2.2.0, and I was able 
> to see the same result. It crashed after a few minutes with the error below.
> 
> on-radius01 kernel: radiusd[10038]: segfault at 73d87000 rip 
> 003c6c07b5bb rsp 73d83c08 error 4

  Check that you're really running v2.2.0.  Sometimes scripts point to
old installations.

> I turned on core dumps to see if I could get any more details out of it, but 
> I could not make it crash after that.

  Did you follow the instructions in doc/bugs?  That says how to find
the bug.

> Any ideas as to what this could be I can post my -X output but all it says at 
> the bottom when it stops working is segfault.

  doc/bugs has detailed instructions for just such an occasion.

  Alan DeKok.


RE: segfault error

2013-04-12 Thread Chris Taylor
Yeah, this is the only version of freeradius on the box; the other was an rpm 
version that was removed before I compiled this one.

-Original Message-
From: freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org On Behalf Of Alan DeKok
Sent: Friday, April 12, 2013 3:45 PM
To: FreeRadius users mailing list
Subject: Re: segfault error

Chris Taylor wrote:
> Ok I have upgraded to a compiled version of freeradius 2.2.0, and I was able 
> to see the same result. It crashed after a few minutes with the error below.
> 
> on-radius01 kernel: radiusd[10038]: segfault at 73d87000 rip 
> 003c6c07b5bb rsp 73d83c08 error 4

  Check that you're really running v2.2.0.  Sometimes scripts point to old 
installations.

> I turned on core dumps to see if I could get any more details out of it, but 
> I could not make it crash after that.

  Did you follow the instructions in doc/bugs?  That says how to find the bug.

> Any ideas as to what this could be I can post my -X output but all it says at 
> the bottom when it stops working is segfault.

  doc/bugs has detailed instructions for just such an occasion.

  Alan DeKok.


Re: Freeradius 3 LDAP Generic Attributes

2013-04-12 Thread Arran Cudbard-Bell

On 12 Apr 2013, at 15:21, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

> 
> On 12 Apr 2013, at 15:00, Nicholas Lemberger nick.lember...@lkfd.net wrote:
> 
> > The ldap.attrmap syntax in FR2 was:
> > checkItem   $GENERIC$   radiusCheckItem
> > replyItem   $GENERIC$   radiusReplyItem
> > 
> > Basically the ldap attributes radiusCheckItem & radiusReplyItem
> > contained FR attr/value pairs which were then added to the
> > corresponding attribute list in FR (e.g. in LDAP radiusReplyItem could
> > be Primary-DNS-Server := 1.1.1.1).
> > 
> > They wouldn't necessarily need to be distinct check/reply attributes
> > in the new rlm_ldap...  it could work more like unlang where an LDAP
> > attribute value could be control:Disabled := true, and where if the
> > list: portion is omitted it would default to reply.  No matter how
> > this happens, there's probably going to need to be a special case
> > syntax made in the rlm_ldap attribute mapping...
> 
> I was thinking just adding a valuepair_attr = blah config item in the ldap 
> config and then doing exactly what you suggested above.
> 
> It's not much work, i'll take a look at it later today or tomorrow.

Done, but somebody's new xlat parser is segfaulting, so I'd wait until tomorrow 
for that to be fixed before testing.

-Arran