Integrate freeradius v1.1.6 and openLADP v2.3.32 for authorization and authentication

Pshem Kowalczyk pshem.k at gmail.com
Tue May 22 06:03:01 CEST 2007 

Freeradius expects exactly one answer:
rlm_ldap: object not found or got ambiguous search
result

kind regards
Pshem

On 22/05/07, xuebin gong <robin_gong at yahoo.com> wrote:
> Hi, All,
>
> I am user and want to integrate freeradius v1.1.6 and
> openLADP v2.3.32 for authorization and
> authentication. Our operating system is Fedora 5
> Linux.
>
> (1)Install freeRadius-1.1.6
> After following the instruction of installation in
> http://wwww.freeradius.org,
> install freeRadius-1.1.6 on Fedora Linux 5, run radius
> server in debug mode
>
>     radiusd -X
> ......
> Module: Instantiated radutmp (radutmp)
> Listening on authentication *:1812
> Listening on accounting *:1813
> Ready to process requests.
>
> FreeRadius was installed succeefully.
>
> (2)Configure freeRadius-1.1.6
>   (2.1) Configure radiusd.conf
>       (2.1.1) LDAP module
>        ldap{
>            server = "10.0.0.118"
>            identity = "cn=Manager,dc=mtcable,dc=net"
>            password = mtncnl1970
>            basedn = "dc=mtcable,dc=net"
>            filter =
> "uid=%{Stripped-User-Name:-%{User-Name}}"
>            start_tls = no
>            dictionary_mapping =
> ${raddbdir}/ldap.attrmap
>            ldap_connections_number = 5
>            edir_account_policy_check=no
>            timeout = 4
>            timelimit = 3
>            net_timeout = 1
>       }
>       (2.1.2) authorize module
>       uncomment ldap  line
>
>       authorize{
>            ......
>            ldap
>            ......
>       }
>
>       (2.1.3) authenticate module
>       uncomment block ldap block:
>
>       authenticate{
>           ......
>           Auth-Type LDAP {
>                 ldap
>           }
>           ......
>       }
>
>
>   (2.2) edit /usr/local/etc/raddb/users
>       Uncomment the following lines:
>
>       DEFAULT Auth-Type = LDAP
>       Fall-Through = 1
>
> (3)Install openLDAP
> (4)Configure openLDAP
> (5)Add one LDAP entry for testing
>
> dn: uid=jjeep, ou=radius, rccd=AAA3140018f,
> dc=mtcable,dc=net
> userPassword:: aabbccdd
> cn: jeep
> uid: jjeep
> radiusAuthType: local
> radiusSimultaneousUse: 1
> homeDirectory: //
> objectClass: top
> objectClass: posixAccount
> objectClass: radiusprofile
> uidNumber: 7012
> gidNumber: 100
>
> After add this entry to LDAP, we reset the password to
> "888888"
>
> (5)Test
> After run test command line
>
>    radtest jjeep "888888" localhost 1 testing123
>
> The following is information from running Radiusd -X:
>
> ......
>   rad_recv: Access-Request packet from host
> 127.0.0.1:32771,
> id=192, length=57
>         User-Name = "jjeep"
>         User-Password = "888888"
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 1
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok
> for request 0
>   modcall[authorize]: module "chap" returns noop for
> request 0
>   modcall[authorize]: module "mschap" returns noop for
> request 0
>   rlm_realm: No '@' in User-Name = "jjeep", looking up
> realm NULL
>   rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for
> request 0
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for
> request 0
>     users: Matched entry DEFAULT at line 153
>   modcall[authorize]: module "files" returns ok for
> request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for jjeep
> radius_xlat:  'uid=jjeep'
> radius_xlat:  'dc=mtcable,dc=net'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 10.0.0.118:389,
> authentication 0
> rlm_ldap: bind as cn=Manager,dc=mtcable,dc=net/mtncnl1
>
> 970 to 10.0.0.118:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=mtcable,dc=net, with
>
>  filter uid=jjeep
> rlm_ldap: object not found or got ambiguous search
> result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns notfound
> for req
> uest 0
> rlm_pap: WARNING! No "known good" password found for
> the use
> r.  Authentication may fail because of this.
>   modcall[authorize]: module "pap" returns noop for
> request0
> modcall: leaving group authorize (returns ok) for
> request 0
>   rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group LDAP for request 0
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "jjeep" with password
> "888888"
> radius_xlat:  'uid=jjeep'
> radius_xlat:  'dc=mtcable,dc=net'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=mtcable,dc=net, with
>
>  filter uid=jjeep
> rlm_ldap: object not found or got ambiguous search
> result
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authenticate]: module "ldap" returns
> notfound for
> request 0
> modcall: leaving group LDAP (returns notfound) for
> request 0
> auth: Failed to validate the user.
> Login incorrect (rlm_ldap: User not found): [jjeep]
> (from cl
> ient localhost port 1)
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
>
> The following is logfile:
>
> ......
> May 17 12:09:13 dolphin slapd[2205]: conn=7 fd=17
> ACCEPT from IP=10.0.0.118:35564 (IP=0.0.0.0:389)
> May 17 12:09:13 dolphin slapd[2205]: conn=7 op=0 BIND
> dn="cn=Manager,dc=mtcable,dc=net" method=128
> May 17 12:09:13 dolphin slapd[2205]: conn=7 op=0 BIND
> dn="cn=Manager,dc=mtcable,dc=net" mech=SIMPLE ssf=0
> May 17 12:09:13 dolphin slapd[2205]: conn=7 op=0
> RESULT tag=97 err=0 text=
> May 17 12:09:13 dolphin slapd[2205]: conn=7 op=1 SRCH
> base="dc=mtcable,dc=net" scope=2 deref=0
> filter="(uid=jjeep)"
> May 17 12:09:13 dolphin slapd[2205]: conn=7 op=1 SRCH
> attr=radiusNASIpAddress radiusExpiration acctFlags
> ntPassword lmPassword radiusCallingStationId
> radiusCalledStationId radiusSimultaneousUse
> radiusAuthType radiusCheckItem radiusReplyMessage
> radiusLoginLATPort radiusPortLimit
> radiusFramedAppleTalkZone radiusFramedAppleTalkNetwork
> radiusFramedAppleTalkLink radiusLoginLATGroup
> radiusLoginLATNode radiusLoginLATService
> radiusTerminationAction radiusIdleTimeout
> radiusSessionTimeout radiusClass
> radiusFramedIPXNetwork radiusCallbackId
> radiusCallbackNumber radiusLoginTCPPort
> radiusLoginService radiusLoginIPHost
> radiusFramedCompression radiusFramedMTU radiusFilterId
> radiusFramedRouting radiusFramedRoute
> radiusFramedIPNetmask radiusFramedIPAddress
> radiusFramedProtocol radiusServiceType radiusReplyItem
>
> May 17 12:09:13 dolphin slapd[2205]: conn=7 op=1
> SEARCH RESULT tag=101 err=0 nentries=3 text=
> May 17 12:09:13 dolphin slapd[2205]: conn=7 op=2 SRCH
> base="dc=mtcable,dc=net" scope=2 deref=0
> filter="(uid=jjeep)"
> May 17 12:09:13 dolphin slapd[2205]: conn=7 op=2 SRCH
> attr=uid
> May 17 12:09:13 dolphin slapd[2205]: conn=7 op=2
> SEARCH RESULT tag=101 err=0 nentries=3 text=
>
> It looks like LDAP search successfully and found 3
> entries, but redius server could not find any objects.
>
> What is wrong with my integration?
>
> Thanks In Advanced
>
> Robin
>
>
>
>
> ____________________________________________________________________________________
> Need Mail bonding?
> Go to the Yahoo! Mail Q&A for great tips from Yahoo! Answers users.
> http://answers.yahoo.com/dir/?link=list&sid=396546091
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

More information about the Freeradius-Users mailing list