Re: Pop3 and LDAP authentication...Multiple radius servers

2008-08-26 Thread Eric Martell
Thanks Ivan.

Now I have 2 RADIUS servers running on the same machine, radiusa (port 1812) and 
radiusb (port 1912). I configured radiusa to do LDAP auth and radiusb to do 
POP3 auth, and each works fine individually through radclient.

I set up proxy.conf in radiusa as

realm xyz.net {
   type    = radius
   authhost    = radiusb.test1.net:1912
   accthost    = radiusb.test1.net:1913
   secret  = testing
}

I am sending the request through radclient on radiusa, but for some reason the request 
does not get proxied to radiusb. 

This is the radius -X log.


rad_recv: Access-Request packet from host 167.206.23.94:1054, id=14, length=59
    User-Name = [EMAIL PROTECTED]
    User-Password = test
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: Looking up realm xyz.net for User-Name = [EMAIL PROTECTED]
    rlm_realm: Found realm xyz.net
    rlm_realm: Adding Stripped-User-Name = testaccount
    rlm_realm: Proxying request from user testaccount to realm xyz.net
    rlm_realm: Adding Realm = xyz.net
    rlm_realm: Preparing to proxy authentication request to realm xyz.net 
  modcall[authorize]: module suffix returns updated for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
    users: Matched entry DEFAULT at line 75
    users: Matched entry DEFAULT at line 180
    users: Matched entry DEFAULT at line 184
  modcall[authorize]: module files returns ok for request 0
modcall: entering group group for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testaccount
radius_xlat:  '(uid=testaccount)'
radius_xlat:  'dc=test1,dc=net,o=internet'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection


Please let me know if I am missing something.

Thanks and Regards.

--- On Mon, 8/25/08, Ivan Kalik [EMAIL PROTECTED] wrote:
From: Ivan Kalik [EMAIL PROTECTED]
Subject: Re: Pop3 and LDAP authentication...Multiple radius servers
To: freeradius-users@lists.freeradius.org
Date: Monday, August 25, 2008, 1:39 PM

http://radiuswiki.suntel.com.tr/Proxy.conf

Ivan Kalik
Kalik Informatika ISP


On 25/8/2008, Eric Martell [EMAIL PROTECTED] wrote:

Hi,
   We have an in-house RADIUS server which does the LDAP
authentication. We got a new request from a third party to do authentication for
their users using POP3.

So the request comes to radiusA (our in-house RADIUS).

If the user has the realm @xyz.net, then we forward the request to the third
party to authenticate, which might be radiusB, which does the authentication using
POP3.

If there is no realm attached, radiusA does the LDAP auth and returns the
response.

Not sure how to specify this in our radiusd.conf.

I could not find any thread on the list. Please let me know the link if
this has already been discussed.

Really appreciate your quick response.

Thanks and Regards.






-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




Re: Pop3 and LDAP authentication...Multiple radius servers

2008-08-26 Thread Alan DeKok
Eric Martell wrote:
 I am sending request thru radclient on radiusa. But for some reason the
 request does not get proxied to radiusb.
 
 This is the radius -X log.

  You've edited it so that most of it is missing.

  i.e. the part where it either decides to proxy, or to authenticate
locally.

  Alan DeKok.


Re: Pop3 and LDAP authentication...Multiple radius servers

2008-08-26 Thread Eric Martell
Here is the entire log.

rad_recv: Access-Request packet from host 167.206.23.94:1054, id=14, length=59
    User-Name = [EMAIL PROTECTED]
    User-Password = test
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: Looking up realm xyz.net for User-Name = [EMAIL PROTECTED]
    rlm_realm: Found realm xyz.net
    rlm_realm: Adding Stripped-User-Name = testaccount
    rlm_realm: Proxying request from user testaccount to realm xyz.net
    rlm_realm: Adding Realm = xyz.net
    rlm_realm: Preparing to proxy authentication request to realm xyz.net 
  modcall[authorize]: module suffix returns updated for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
    users: Matched entry DEFAULT at line 75
    users: Matched entry DEFAULT at line 180
    users: Matched entry DEFAULT at line 184
  modcall[authorize]: module files returns ok for request 0
modcall: entering group group for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testaccount
radius_xlat:  '(uid=testaccount)'
radius_xlat:  'dc=test1,dc=net,o=internet'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to test1dir.net:389, authentication 0
rlm_ldap: bind as uid=mmpProxy,o=internet/MMP to test1dir.net:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=test1,dc=net,o=internet, with filter 
(uid=testaccount)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap1 returns notfound for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testaccount
radius_xlat:  '(&(uid=testaccount)(entitlements=WIFILOC1))'
radius_xlat:  'ou=roles,o=entitlement'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap://asdadasdt:389, authentication 0
rlm_ldap: bind as uid=appuser,ou=appadm,o=entitlement/Paadaad to 
ldap://adasdasdas:389
rlm_ldap: uid=appuser,ou=appadm,o=entitlement bind to ldap://vadsdsdsad:389 
failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap2 returns fail for request 0
modcall: group group returns reject for request 0
modcall: group authorize returns reject for request 0
Invalid user (rlm_ldap: User not found): [EMAIL PROTECTED] (from client adasdas 
port 0)
Cancelling proxy as request was already rejected
Request 0 rejected in proxy_send.
Server rejecting request 0.
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 14 to 167.206.23.94:1054
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 14 with timestamp 48b41aaf
Nothing to do.  Sleeping until we see a request.



--- On Tue, 8/26/08, Alan DeKok [EMAIL PROTECTED] wrote:
From: Alan DeKok [EMAIL PROTECTED]
Subject: Re: Pop3 and LDAP authentication...Multiple radius servers
To: [EMAIL PROTECTED], FreeRadius users mailing list 
freeradius-users@lists.freeradius.org
Date: Tuesday, August 26, 2008, 11:13 AM

Eric Martell wrote:
 I am sending request thru radclient on radiusa. But for some reason the
 request does not get proxied to radiusb.
 
 This is the radius -X log.

  You've edited it so that most of it is missing.

  i.e. the part where it either decides to proxy, or to authenticate
locally.

  Alan DeKok.




Re: Pop3 and LDAP authentication...Multiple radius servers

2008-08-26 Thread Alan DeKok
Eric Martell wrote:
 Here is the entire log.
...
 rlm_ldap: performing search in dc=test1,dc=net,o=internet, with filter
 (uid=testaccount)

  If you're proxying the request, why have you configured the server to
do lookups in LDAP?

 ldap://vadsdsdsad:389 failed: Can't contact LDAP server
 rlm_ldap: (re)connection attempt failed
 rlm_ldap: search failed
 rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module ldap2 returns fail for request 0
 modcall: group group returns reject for request 0

  That would seem to show why it's being rejected.  The LDAP server is
down.  And I don't think vadsdsdsad is a real host name in your network.

  Perhaps you could explain why you think the server should work after
you've configured it to use resources that don't exist.

  Alan DeKok.


Re: Pop3 and LDAP authentication...Multiple radius servers

2008-08-26 Thread Eric Martell
Alan thanks for the reply.

I already have radiusa, which does the LDAP authentication (it has ldap1 and 
ldap2 groups). A new business request came in to add POP3 authentication for a third 
party, so I added a new RADIUS server, radiusb, which does the POP3 auth.

I am using radiusa to proxy depending on the realm: xyz.net is forwarded to 
radiusb and all other requests (no realm in the usernames) still go to radiusa.

I am running radiusa on 1812 and radiusb on 1912. I did not see any log 
messages on the radiusb server. I thought that when using the radiusa proxy, it forwards the 
request to radiusb.

The user [EMAIL PROTECTED] is configured in radiusb, which does POP3 auth. No 
[EMAIL PROTECTED] user exists in radiusa (in LDAP).

Hope this helps. Let me know if I am doing it right.
Here is the radius -X log: 

rad_recv: Access-Request packet from host 167.206.23.94:1357, id=15, length=59
    User-Name = [EMAIL PROTECTED]
    User-Password = test
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: Looking up realm xyz.net for User-Name = [EMAIL PROTECTED]
    rlm_realm: Found realm xyz.net
    rlm_realm: Adding Stripped-User-Name = testaccount
    rlm_realm: Proxying request from user testaccount to realm xyz.net
    rlm_realm: Adding Realm = xyz.net
    rlm_realm: Preparing to proxy authentication request to realm xyz.net 
  modcall[authorize]: module suffix returns updated for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
    users: Matched entry DEFAULT at line 75
    users: Matched entry DEFAULT at line 180
    users: Matched entry DEFAULT at line 184
  modcall[authorize]: module files returns ok for request 0
modcall: entering group group for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testaccount
radius_xlat:  '(uid=testaccount)'
radius_xlat:  'dc=opt,dc=net,o=internet'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap1:389, authentication 0
rlm_ldap: bind as uid=mmpProxy,o=internet/MMPass to ldap1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=opt,dc=net,o=internet, with filter 
(uid=testaccount)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap1 returns notfound for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testaccount
radius_xlat:  '(&(uid=testaccount)(entitlements=WIFILOC1))'
radius_xlat:  'ou=roles,o=entitlement'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap://ldap2:1389, authentication 0
rlm_ldap: bind as uid=appuser,ou=appadm,o=entitlement/PaBlAn0 to 
ldap://ldap2:1389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=roles,o=entitlement, with filter 
(&(uid=testaccount)(entitlements=WIFILOC1))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap2 returns notfound for request 0
modcall: group group returns reject for request 0
modcall: group authorize returns reject for request 0
Invalid user (rlm_ldap: User not found): [EMAIL PROTECTED] (from client test1 
port 0)
Cancelling proxy as request was already rejected
Request 0 rejected in proxy_send.
Server rejecting request 0.
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 15 to 167.206.23.94:1357
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 15 with timestamp 48b424b1
Nothing to do.  Sleeping until we see a request.






--- On Tue, 8/26/08, Alan DeKok [EMAIL PROTECTED] wrote:
From: Alan DeKok [EMAIL PROTECTED]
Subject: Re: Pop3 and LDAP authentication...Multiple radius servers
To: [EMAIL PROTECTED], FreeRadius users mailing list 
freeradius-users@lists.freeradius.org
Date: Tuesday, August 26, 2008, 12:00 PM

Eric Martell wrote:
 Here is the entire log.
...
 rlm_ldap: performing search in dc=test1,dc=net,o=internet, with filter
 (uid=testaccount)

  If you're proxying the request, why have you configured the server to
do lookups in LDAP?

 ldap://vadsdsdsad:389 failed: Can't contact LDAP server
 rlm_ldap: (re)connection attempt failed
 rlm_ldap: search failed
 rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module

Re: Pop3 and LDAP authentication...Multiple radius servers

2008-08-26 Thread Alan DeKok
Eric Martell wrote:
 I am using radiusa to do proxy depends on the realm xyz.net to forward
 to radiusb and all other requests (no realm in the usernames) still go
 to radiusa.

  Then you need to configure the server to *not* look up [EMAIL PROTECTED]
in LDAP.  See man unlang in the latest version.

  Alan DeKok.


Pop3 and LDAP authentication...Multiple radius servers

2008-08-25 Thread Eric Martell
Hi,
   We have an in-house RADIUS server which does the LDAP authentication. 
We got a new request from a third party to do authentication for their users 
using POP3.

So the request comes to radiusA (our in-house RADIUS).

If the user has the realm @xyz.net, then we forward the request to the third party 
to authenticate, which might be radiusB, which does the authentication using POP3.

If there is no realm attached, radiusA does the LDAP auth and returns the 
response.

Not sure how to specify this in our radiusd.conf.

I could not find any thread on the list. Please let me know the link if this has 
already been discussed.

Really appreciate your quick response.

Thanks and Regards.



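Below is an added worked example, not configuration from this thread or from the FreeRADIUS project, of what the routing described in this post looks like once Alan's advice is followed: the realm decision is made first, and the local LDAP lookups run only for requests that are not going to be proxied. It uses FreeRADIUS 2.x syntax (the unlang Alan refers to; the 1.x server in the posted logs does not have it). The following are assumptions, because the thread does not state them: radiusb listening on 127.0.0.1:1912 (the post says both servers share one machine), the module instance names ldap1 and ldap2 taken from the posted log, and the shared secret testing taken from the posted proxy.conf.

```unlang
# --- proxy.conf (FreeRADIUS 2.x) -------------------------------------------
# The 1.x "authhost/accthost" realm block from the first message becomes a
# home_server, a pool and a realm.  127.0.0.1 is an assumption: the post only
# says both servers run on one machine.
home_server radiusb {
	type   = auth
	ipaddr = 127.0.0.1
	port   = 1912
	secret = testing          # value from the posted proxy.conf; see note below
}

home_server_pool radiusb_pool {
	type        = fail-over
	home_server = radiusb
}

realm xyz.net {
	auth_pool = radiusb_pool
	# The user is defined on radiusb *with* the realm, so forward User-Name
	# as received instead of the stripped "testaccount".
	nostrip
}

# --- sites-enabled/default, authorize section ------------------------------
# Same module order as the posted log, with the LDAP lookups moved behind a
# test on control:Proxy-To-Realm, which the realm module ("suffix") sets when
# it decides to proxy.  Without this test radiusa rejects the request itself
# before the proxy step ever runs ("Cancelling proxy as request was already
# rejected" in the log above).
authorize {
	preprocess
	chap
	mschap
	suffix
	eap
	files

	if ((control:Proxy-To-Realm) && (control:Proxy-To-Realm != "LOCAL")) {
		# Bound for radiusb: leave the local directories alone.
		ok
	}
	else {
		# No realm (or a local one): the original ldap1 / ldap2 lookups.
		# Any return-code overrides from the original "group" belong here.
		ldap1
		ldap2
	}
}
```

To check it, send the same request with radclient to radiusa on port 1812 while radiusb runs with -X: the forwarded Access-Request should now show up in radiusb's output, and radiusa's log should no longer contain the "Cancelling proxy as request was already rejected" line. One caveat for production: the shared secret is all that protects User-Password on the hop between the two servers (RADIUS hides it by XORing with an MD5 stream derived from the secret, not with real encryption), so replace testing with a long random value even when both servers sit on the same host.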

Re: Pop3 and LDAP authentication...Multiple radius servers

2008-08-25 Thread Ivan Kalik
http://radiuswiki.suntel.com.tr/Proxy.conf

Ivan Kalik
Kalik Informatika ISP


On 25/8/2008, Eric Martell [EMAIL PROTECTED] wrote:

Hi,
   We have an in-house RADIUS server which does the LDAP authentication. 
We got a new request from a third party to do authentication for their users 
using POP3.

So the request comes to radiusA (our in-house RADIUS).

If the user has the realm @xyz.net, then we forward the request to the third party 
to authenticate, which might be radiusB, which does the authentication using 
POP3.

If there is no realm attached, radiusA does the LDAP auth and returns the 
response.

Not sure how to specify this in our radiusd.conf.

I could not find any thread on the list. Please let me know the link if this 
has already been discussed.

Really appreciate your quick response.

Thanks and Regards.





