Multiple (different) LDAP servers and authorisation

Stewart James Stewart.James at vu.edu.au
Wed Aug 15 02:58:49 CEST 2007


Hi all,

I have been roped in to look over an issue we have with migrating from
Novell to AD.

What we would like to do while we are in the transitional phase is check
both the AD and Novell LDAP services for authorisation and
authentication (usernames are completely different so no need to be
concerned with username clashes). I have managed to set up authentication
fall-through without any real issues, but authorisation is having
issues. Just to clarify, if I only specify one of the LDAP servers
everything works like a treat, so the actual LDAP server definitions are
working fine in their own right.

If I have the authorisation section set up:

group LDAP {
        vudc01 {
                notfound=2
                ok=return
        }
        novell {
                notfound=2
                ok=return
        }
}

(I have also tried variations without the group LDAP line)

Things eventually fail and the last useful message (I think) from -X -f
is:

auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

It's not entirely clear what the FreeRADIUS LDAP module is doing, BUT it
would appear that it looks over both authorisation assertions and takes
the one with the least rights, but I am not sure.

As I stated earlier, authentication fall-through works like a treat (if
in the users file I don't specify an LDAP-Group, authentication works).
If I only specify one LDAP server to do authentication and authorisation,
everything works; it's only when I try to do authorisation via LDAP-Group
AND try to do authorisation fall-through as documented above that I
start getting errors.

Can anyone offer any advice or pointers?

Cheers,

Stewart

-X -f output:

rad_recv: Access-Request packet from host 127.0.0.1:32909, id=60, length=60
        User-Name = "USERNAME"
        User-Password = "PASSWORD"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 10
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "USERNAME", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 1
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'o=vu '
radius_xlat:  '(uid=UID)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=vu, with filter (uid=USERNAME)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "files" returns notfound for request 1
modcall: entering group redundant  for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for USERNAME
radius_xlat:  '(samaccountname=USERNAME)'
radius_xlat:  'dc=ad,dc=vu,dc=edu,dc=au'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ad,dc=vu,dc=edu,dc=au, with filter (samaccountname=USERNAME)
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user USERNAME authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "vudc01" returns ok for request 1
modcall: leaving group redundant  (returns ok) for request 1
modcall: leaving group authorize (returns ok) for request 1
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 60 to 127.0.0.1 port 32909
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 60 with timestamp 46c24e67
Nothing to do.  Sleeping until we see a request.
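The group configuration in the post relies on how FreeRADIUS combines the return codes of the module instances listed inside a group: each code maps to an action, where "return" stops the group with that code, "reject" stops it with a reject, and a number is a priority, the highest-priority code seen winning once every module has run. The Python below is an added illustration of that arithmetic, written for this page and not taken from the post or from FreeRADIUS itself. The instance names and the notfound=2 / ok=return overrides come from the post; the two default action tables are assumptions about the 1.x authorize section and about a redundant { } group, the empty-group result is an assumption, and the per-instance return codes in each scenario are constructed inputs standing in for real LDAP lookups.

```python
"""Model of how a FreeRADIUS 1.x modcall group combines module return codes.

Added illustration, not code from the post or from FreeRADIUS. Rules modelled:
each module instance has an action per return code; "return" stops the group
and makes that code the group's result, "reject" stops it with reject, and an
integer is a priority, the highest-priority code seen so far becoming the
group's result once all modules have run.
"""
from typing import Dict, List, Tuple, Union

Action = Union[str, int]                 # "return", "reject" or a priority
ActionTable = Dict[str, Action]
Group = List[Tuple[str, ActionTable]]    # (instance name, per-code overrides)

# ASSUMPTION: default actions of the authorize section in radiusd.conf (1.x).
DEFAULT_AUTHORIZE_ACTIONS: ActionTable = {
    "reject": "return", "fail": "return", "ok": 3, "handled": "return",
    "invalid": "return", "userlock": "return",
    "notfound": 1, "noop": 2, "updated": 4,
}

# ASSUMPTION: defaults of a `redundant { }` group: only fail moves on.
REDUNDANT_ACTIONS: ActionTable = {
    code: ("return" if code != "fail" else 1)
    for code in DEFAULT_AUTHORIZE_ACTIONS
}

# The poster's group: instance names and overrides are taken from the post.
POSTER_GROUP: Group = [
    ("vudc01", {"notfound": 2, "ok": "return"}),
    ("novell", {"notfound": 2, "ok": "return"}),
]


def run_group(group: Group, module_results: Dict[str, str],
              defaults: ActionTable) -> Tuple[str, List[str]]:
    """Return (group result, names of the instances actually called).

    module_results maps each instance name to the code it would return;
    these are constructed inputs standing in for real LDAP lookups.
    """
    result, priority = "fail", 0     # ASSUMPTION: result of an empty group
    called: List[str] = []
    for name, overrides in group:
        called.append(name)
        code = module_results[name]
        action = overrides.get(code, defaults[code])
        if action == "return":
            return code, called          # stop here: this code is the answer
        if action == "reject":
            return "reject", called
        if action > priority:            # numeric: keep the highest priority
            result, priority = code, action
    return result, called


def trace(group: Group, module_results: Dict[str, str],
          defaults: ActionTable, section: str = "authorize") -> List[str]:
    """Debug-style lines in the shape of the -X output quoted in the post."""
    result, called = run_group(group, module_results, defaults)
    lines = [f'modcall[{section}]: module "{name}" returns {module_results[name]}'
             for name in called]
    lines.append(f"modcall: leaving group (returns {result})")
    return lines


if __name__ == "__main__":
    # Constructed scenarios: what each instance would return for a given user.
    scenarios = {
        "user found in vudc01 (AD)": {"vudc01": "ok", "novell": "ok"},
        "user only in novell": {"vudc01": "notfound", "novell": "ok"},
        "user in neither": {"vudc01": "notfound", "novell": "notfound"},
        "vudc01 unreachable": {"vudc01": "fail", "novell": "ok"},
    }
    for label, results in scenarios.items():
        for table_name, table in (("group", DEFAULT_AUTHORIZE_ACTIONS),
                                  ("redundant", REDUNDANT_ACTIONS)):
            print(f"--- {label}, {table_name} defaults ---")
            print("\n".join(trace(POSTER_GROUP, results, table)))
```

The first scenario reproduces what the quoted debug output shows: "vudc01" returns ok, the group returns ok, and "novell" is never consulted. The same output also shows that the reject is decided after the authorize section has finished ("No authenticate method (Auth-Type) configuration found"), so a group returning ok says nothing about whether an Auth-Type was set for the request. The fourth scenario is where the two default tables differ: with plain group defaults a fail from the first instance ends the group, while a redundant group moves on to the next instance.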
