rlm_ldap wont authenticate

Natalia Escalera nescalera at gmail.com
Wed Apr 5 21:30:42 CEST 2006


Hello,

In your radiusd.conf:


            server = "localhost"
            identity = "cn=admin,o=My Org,c=UA"
            password = mypass
            basedn = "ou=People,dc=example,dc=com"
            password_attribute = "userPassword"
            filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

make sure that you have the correct configuration for the variables listed
above. If you do, and you still cannot authenticate a user, it may be that
your LDAP server is returning referrals to other servers. To avoid
referrals, go to your ldap.conf on the FreeRADIUS server and add the
line: referrals no

Hope it helps,
Natalia.

On 4/3/06, monish ar <monish.ar at gmail.com> wrote:

> I've tried to authenticate to an LDAP server through RADIUS using the
> rlm_ldap module. I'm using FreeRADIUS 1.1.0 with OpenLDAP 2.1.8 with a bdb
> backend. The problem is that the rlm_ldap module binds successfully to an
> authentication request in the authorization section, but fails to bind
> when it's trying to authenticate. The log for the RADIUS server is given
> below along with the LDAP configuration. Please help me out.
>
>
> /* In the client terminal, now I've tried to authenticate with user: ldapuser */
>
> [root@localhost ~]# radtest ldapuser ldapuser localhost 2 testing123
> Sending Access-Request of id 119 to 127.0.0.1 port 1812
>         User-Name = "ldapuser"
>         User-Password = "ldapuser"
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 2
> rad_recv: Access-Reject packet from host 127.0.0.1:1812 , id=119, length=20
>
> /* On the server side, response to ldapuser user authentication request... */
>
> rad_recv: Access-Request packet from host 127.0.0.1:32769 , id=119, length=60
>         User-Name = "ldapuser"
>         User-Password = "ldapuser"
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 2
>
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
> radius_xlat:  '/usr/local//var/log/radius/radacct/127.0.0.1/auth-detail-20060403'
> rlm_detail: /usr/local//var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local//var/log/radius/radacct/127.0.0.1/auth-detail-20060403
>   modcall[authorize]: module "auth_log" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
>     rlm_realm: No '@' in User-Name = "ldapuser", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for request 0
>     users: Matched entry DEFAULT at line 152
>     users: Matched entry DEFAULT at line 158
>   modcall[authorize]: module "files" returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for ldapuser
> radius_xlat:  '(uid=ldapuser)'
> radius_xlat:  'ou=People,dc=example,dc=com'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to localhost:389, authentication 0
> rlm_ldap: bind as / to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=ldapuser)
> rlm_ldap: Added password {crypt}$1$nwby/I64$ORzJuBh4/Ec3c.FAt2oqV0 in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user ldapuser authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 0
> modcall: leaving group authorize (returns ok) for request 0
>   rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group LDAP for request 0
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "ldapuser" with password "ldapuser"
> rlm_ldap: user DN: uid=ldapuser,ou=People,dc=example,dc=com
> rlm_ldap: (re)connect to localhost:389, authentication 1
> rlm_ldap: bind as uid=ldapuser,ou=People,dc=example,dc=com/ldapuser to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind failed with invalid credentials
>   modcall[authenticate]: module "ldap" returns reject for request 0
> modcall: leaving group LDAP (returns reject) for request 0
> auth: Failed to validate the user.
> Login incorrect (rlm_ldap: Bind as user failed): [ldapuser] (from client localhost port 2)
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 119 to 127.0.0.1 port 32769
> Waking up in 4 seconds...
>
> // THE CONFIGURATION DETAILS REQUIRED FOR RLM_LDAP AUTHENTICATION ARE BELOW
>
> /* example.com.ldif (base entries added to LDAP database) */
>
> dn: dc=example,dc=com
> objectClass: dcObject
> objectClass: organization
> o: Example company
> dc: example
>
> dn: cn=manager,dc=example,dc=com
> objectClass: organizationalRole
> cn: manager
>
> dn: ou=people,dc=example,dc=com
> ou: people
> description: All people in the organization
> objectClass: dcObject
> objectClass: organizationalUnit
> dc: example
>
> /* ldapuser.ldif (details of user account for authentication added to the LDAP database) */
>
> dn: uid=ldapuser,ou=People,dc=example,dc=com
> uid: ldapuser
> cn: ldapuser
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> userPassword: {crypt}$1$nwby/I64$ORzJuBh4/Ec3c.FAt2oqV0
> shadowLastChange: 13238
> shadowMax: 99999
> shadowWarning: 7
> loginShell: /bin/bash
> uidNumber: 503
> gidNumber: 100
> homeDirectory: /home/ldapuser
>
>
> /* radiusd.conf (LDAP MODULE) */
>
> ldap {
>         server = "localhost"
>         # identity = "cn=admin,o=My Org,c=UA"
>         # password = mypass
>         basedn = "ou=People,dc=example,dc=com"
>
>         password_attribute = "userPassword"
>         filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>         # base_filter = "(objectclass=radiusprofile)"
>
>         start_tls = no
>
>         # tls_cacertfile        = /path/to/cacert.pem
>         # tls_cacertdir         = /path/to/ca/dir/
>         # tls_certfile          = /path/to/radius.crt
>         # tls_keyfile           = /path/to/radius.key
>         # tls_randfile          = /path/to/rnd
>         # tls_require_cert      = "demand"
>
>         # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
>         # profile_attribute = "radiusProfileDn"
>         # access_attr = "dialupAccess"
>
>         # Mapping of RADIUS dictionary attributes to LDAP
>         # directory attributes.
>         dictionary_mapping = ${raddbdir}/ldap.attrmap
>
>         ldap_connections_number = 5
>         timeout = 4
>         timelimit = 3
>
>         net_timeout = 1
>         # compare_check_items = yes
>         # do_xlat = yes
>         # access_attr_used_for_allow = yes
> }
>
> authorize {
>         chap
>         mschap
>         eap
>         files
>         ldap
> }
>
> authenticate {
>         Auth-Type PAP {
>                 pap
>         }
>
>         Auth-Type CHAP {
>                 chap
>         }
>
>         Auth-Type MS-CHAP {
>                 mschap
>         }
>
>         Unix
>
>         Auth-Type LDAP {
>                 ldap
>         }
>
>
> /* slapd.conf (ldap configuration) */
>
> include           /usr/local/etc/openldap/schema/core.schema
> include           /usr/local/etc/openldap/schema/cosine.schema
> include           /usr/local/etc/openldap/schema/nis.schema
>
> pidfile           /usr/local/var/slapd.pid
> argsfile          /usr/local/var/slapd.args
>
> #######################################################################
> # ldbm database definitions
> #######################################################################
>
> database          bdb
> suffix            "dc=example,dc=com"
> rootdn            "cn=manager,dc=example,dc=com"
> rootpw            {SSHA}Rt9x/xGxM5e8+RpKbvTCWYT8POUEaKwA
>
> # Indices to maintain
> index cn,sn,uid pres,eq,approx,sub
> index objectClass eq
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
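The quoted log shows the two halves of an rlm_ldap request: the authorize search (run as an anonymous bind, the `bind as /` line) read back the user's `{crypt}` userPassword value, and the authenticate-phase bind as `uid=ldapuser,...` was then rejected with invalid credentials. Before changing the module or referral settings, a useful check is whether the hash stored in the directory actually matches the password radtest is sending. The script below is an added example, not code from this thread, FreeRADIUS or OpenLDAP: it verifies a candidate password offline against `{SSHA}`, `{SHA}`, `{MD5}`, cleartext and MD5-crypt (`{crypt}$1$salt$hash`) values, which covers the form found in ldapuser.ldif. The `{SSHA}` and `{SHA}` values used in the self-checks are constructed here; the MD5-crypt vector is the one from the glibc test suite. Separately, the fact that an anonymous bind could read userPassword at all is what a slapd.conf rule such as `access to attrs=userPassword by self write by anonymous auth by * none` is for; with the default of no access directives slapd grants read to everyone.

```python
"""Offline check of an LDAP userPassword value against a candidate password.

Added example; not code from this thread or from FreeRADIUS/OpenLDAP.
Supports {SSHA}, {SHA}, {MD5}, cleartext and {CRYPT} values in MD5-crypt
($1$salt$hash) form. Other crypt(3) variants are reported as unsupported.
"""
import base64
import hashlib
import hmac
import os
import re

# Value copied from the thread's ldapuser.ldif; the password it was
# generated from is not stated anywhere in the thread.
THREAD_USERPASSWORD = "{crypt}$1$nwby/I64$ORzJuBh4/Ec3c.FAt2oqV0"

# MD5-crypt test vector from the glibc test suite (key "Hello world!").
SELFTEST_VECTOR = ("Hello world!", "$1$saltstri$YMyguxXMBpd2TEZ.vS/3q1")

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """crypt(3)-style base-64: emit `count` characters, low 6 bits first."""
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(count))


def md5_crypt(password: bytes, salt: bytes) -> str:
    """MD5-crypt ($1$) as implemented by crypt(3); salt is cut at '$' or 8 bytes."""
    salt = salt.split(b"$")[0][:8]
    ctx = hashlib.md5(password + b"$1$" + salt)
    alt = hashlib.md5(password + salt + password).digest()
    for remaining in range(len(password), 0, -16):
        ctx.update(alt[:min(remaining, 16)])
    bits = len(password)
    while bits:  # one byte per bit of the length: NUL for 1, pw[0] for 0
        ctx.update(b"\x00" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed stretching rounds; no cost parameter
        ctx1 = hashlib.md5(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in order)
    out += _to64(final[11], 2)
    return "$1$" + salt.decode("ascii") + "$" + out


def make_ssha(password: str, salt: bytes = None) -> str:
    """Produce a {SSHA} value the way slappasswd -h {SSHA} does (4-byte salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(stored: str, candidate: str):
    """True/False when the scheme can be checked offline, None otherwise."""
    pw = candidate.encode("utf-8")
    m = re.match(r"^\{([A-Za-z0-9-]+)\}(.*)$", stored, re.S)
    if not m:  # no {scheme} prefix: slapd treats the value as cleartext
        return hmac.compare_digest(stored.encode("utf-8"), pw)
    scheme, data = m.group(1).upper(), m.group(2)
    if scheme == "SSHA":
        raw = base64.b64decode(data)
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), base64.b64decode(data))
    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(pw).digest(), base64.b64decode(data))
    if scheme == "CRYPT":
        parts = data.split("$")
        if len(parts) == 4 and parts[1] == "1":
            computed = md5_crypt(pw, parts[2].encode("ascii"))
            return hmac.compare_digest(computed.encode("ascii"), data.encode("ascii"))
        return None  # DES or SHA-crypt forms are not implemented here
    return None


def selftest() -> bool:
    """Confirm the MD5-crypt implementation against the glibc vector."""
    key, expected = SELFTEST_VECTOR
    return md5_crypt(key.encode("ascii"), b"saltstring") == expected


if __name__ == "__main__":
    import sys
    stored = sys.argv[1] if len(sys.argv) > 1 else THREAD_USERPASSWORD
    candidate = sys.argv[2] if len(sys.argv) > 2 else "ldapuser"
    print("selftest ok:", selftest())
    print(stored, "matches candidate:", verify_userpassword(stored, candidate))
```

Run it with no arguments to test the thread's hash against the password used in the radtest command, or pass a userPassword value and a candidate explicitly. A `True` result means the stored hash is fine and the failure lies in how slapd verifies the bind (or in the module configuration); a `False` result means the directory entry simply holds a different password than the one being tested.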

