Integrate freeradius v1.1.6 and OpenLDAP v2.3.32 for authorization and authentication

xuebin gong robin_gong at yahoo.com
Thu May 24 19:48:04 CEST 2007


Thanks Pshem for your quick answer. 

I expect an answer like the following

"rlm_ldap: user jjeep authorized succesfully 
   modcall[authorize]: module "ldap" returns ok" 

... Request Access-Accept.


But I got 

"rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns notfound for request 0"

....... Request Access-Rejected.

What is wrong? Need help.

Thanks 
Robin 


Pshem Kowalczyk wrote:
Freeradius expects exactly one answer:
rlm_ldap: object not found or got ambiguous search result

kind regards 
Pshem 

On 22/05/07, xuebin gong <robin_gong at yahoo.com> wrote:

> Hi, All, 
> 
> I am a user and want to integrate freeradius v1.1.6 and
> OpenLDAP v2.3.32 for authorization and authentication.
> Our operating system is Fedora 5 Linux.
> 
> (1)Install freeRadius-1.1.6 
> After following the installation instructions at
> http://wwww.freeradius.org, install freeRadius-1.1.6 on
> Fedora Linux 5 and run the radius server in debug mode
> 
>     radiusd -X 
> ...... 
> Module: Instantiated radutmp (radutmp) 
> Listening on authentication *:1812 
> Listening on accounting *:1813 
> Ready to process requests. 
> 
> FreeRadius was installed successfully.
> 
> (2)Configure freeRadius-1.1.6 
>   (2.1) Configure radiusd.conf 
>       (2.1.1) LDAP module 
>        ldap {
>            server = "10.0.0.118"
>            identity = "cn=Manager,dc=mtcable,dc=net"
>            password = mtncnl1970
>            basedn = "dc=mtcable,dc=net"
>            filter = "uid=%{Stripped-User-Name:-%{User-Name}}"
>            start_tls = no
>            dictionary_mapping = ${raddbdir}/ldap.attrmap
>            ldap_connections_number = 5
>            edir_account_policy_check = no
>            timeout = 4
>            timelimit = 3
>            net_timeout = 1
>        }
>       (2.1.2) authorize module 
>       uncomment the ldap line
> 
>       authorize{ 
>            ...... 
>            ldap 
>            ...... 
>       } 
> 
>       (2.1.3) authenticate module 
>       uncomment the ldap block:
> 
>       authenticate{ 
>           ...... 
>           Auth-Type LDAP { 
>                 ldap 
>           } 
>           ...... 
>       } 
> 
> 
>   (2.2) edit /usr/local/etc/raddb/users 
>       Uncomment the following lines: 
> 
>       DEFAULT Auth-Type = LDAP 
>       Fall-Through = 1 
> 
> (3)Install openLDAP 
> (4)Configure openLDAP 
> (5)Add one LDAP entry for testing 
> 
> dn: uid=jjeep, ou=radius, rccd=AAA3140018f, dc=mtcable,dc=net
> userPassword:: aabbccdd 
> cn: jeep 
> uid: jjeep 
> radiusAuthType: local 
> radiusSimultaneousUse: 1 
> homeDirectory: // 
> objectClass: top 
> objectClass: posixAccount 
> objectClass: radiusprofile 
> uidNumber: 7012 
> gidNumber: 100 
> 
> After adding this entry to LDAP, we reset the password to "888888"
> 
> (6)Test 
> After running the test command line 
> 
>    radtest jjeep "888888" localhost 1 testing123 
> 
> The following is the output from running radiusd -X:
> 
> ...... 
>   rad_recv: Access-Request packet from host 127.0.0.1:32771, id=192, length=57
>         User-Name = "jjeep"
>         User-Password = "888888"
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 1
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
>   rlm_realm: No '@' in User-Name = "jjeep", looking up realm NULL
>   rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for request 0
>     users: Matched entry DEFAULT at line 153
>   modcall[authorize]: module "files" returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for jjeep
> radius_xlat:  'uid=jjeep'
> radius_xlat:  'dc=mtcable,dc=net'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 10.0.0.118:389, authentication 0
> rlm_ldap: bind as cn=Manager,dc=mtcable,dc=net/mtncnl1970 to 10.0.0.118:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=mtcable,dc=net, with filter uid=jjeep
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns notfound for request 0
> rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
>   modcall[authorize]: module "pap" returns noop for request 0
> modcall: leaving group authorize (returns ok) for request 0
>   rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group LDAP for request 0
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "jjeep" with password "888888"
> radius_xlat:  'uid=jjeep'
> radius_xlat:  'dc=mtcable,dc=net'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=mtcable,dc=net, with filter uid=jjeep
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authenticate]: module "ldap" returns notfound for request 0
> modcall: leaving group LDAP (returns notfound) for request 0
> auth: Failed to validate the user.
> Login incorrect (rlm_ldap: User not found): [jjeep] (from client localhost port 1)
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> 
> The following is the logfile:
> 
> ...... 
> May 17 12:09:13 dolphin slapd[2205]: conn=7 fd=17 ACCEPT from IP=10.0.0.118:35564 (IP=0.0.0.0:389)
> May 17 12:09:13 dolphin slapd[2205]: conn=7 op=0 BIND dn="cn=Manager,dc=mtcable,dc=net" method=128
> May 17 12:09:13 dolphin slapd[2205]: conn=7 op=0 BIND dn="cn=Manager,dc=mtcable,dc=net" mech=SIMPLE ssf=0
> May 17 12:09:13 dolphin slapd[2205]: conn=7 op=0 RESULT tag=97 err=0 text=
> May 17 12:09:13 dolphin slapd[2205]: conn=7 op=1 SRCH base="dc=mtcable,dc=net" scope=2 deref=0 filter="(uid=jjeep)"
> May 17 12:09:13 dolphin slapd[2205]: conn=7 op=1 SRCH attr=radiusNASIpAddress radiusExpiration acctFlags ntPassword lmPassword radiusCallingStationId radiusCalledStationId radiusSimultaneousUse radiusAuthType radiusCheckItem radiusReplyMessage radiusLoginLATPort radiusPortLimit radiusFramedAppleTalkZone radiusFramedAppleTalkNetwork radiusFramedAppleTalkLink radiusLoginLATGroup radiusLoginLATNode radiusLoginLATService radiusTerminationAction radiusIdleTimeout radiusSessionTimeout radiusClass radiusFramedIPXNetwork radiusCallbackId radiusCallbackNumber radiusLoginTCPPort radiusLoginService radiusLoginIPHost radiusFramedCompression radiusFramedMTU radiusFilterId radiusFramedRouting radiusFramedRoute radiusFramedIPNetmask radiusFramedIPAddress radiusFramedProtocol radiusServiceType radiusReplyItem
> May 17 12:09:13 dolphin slapd[2205]: conn=7 op=1 SEARCH RESULT tag=101 err=0 nentries=3 text=
> May 17 12:09:13 dolphin slapd[2205]: conn=7 op=2 SRCH base="dc=mtcable,dc=net" scope=2 deref=0 filter="(uid=jjeep)"
> May 17 12:09:13 dolphin slapd[2205]: conn=7 op=2 SRCH attr=uid
> May 17 12:09:13 dolphin slapd[2205]: conn=7 op=2 SEARCH RESULT tag=101 err=0 nentries=3 text=
> 
> It looks like the LDAP search succeeded and found 3
> entries, but the RADIUS server could not find any objects.
> 
> What is wrong with my integration? 
> 
> Thanks in advance
> 
> Robin 
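Pshem's point can be checked directly against the slapd log in the original post: the filter (uid=jjeep) is answered with nentries=3, and rlm_ldap treats anything other than exactly one matching entry as "object not found or got ambiguous search result". The script below is an added example, not code from this thread or from FreeRADIUS: it correlates slapd SRCH and SEARCH RESULT lines by conn/op over a constructed log excerpt modelled on the posted lines and reports every lookup that did not return exactly one entry, so a duplicate uid or an over-wide basedn can be found from the directory logs before users start being rejected.

```python
import re

# Constructed slapd log excerpt modelled on the lines quoted in the thread:
# (uid=jjeep) returns three entries, (uid=other) exactly one, (uid=nobody) none.
SAMPLE_LOG = """\
May 17 12:09:13 dolphin slapd[2205]: conn=7 op=1 SRCH base="dc=mtcable,dc=net" scope=2 deref=0 filter="(uid=jjeep)"
May 17 12:09:13 dolphin slapd[2205]: conn=7 op=1 SRCH attr=uid
May 17 12:09:13 dolphin slapd[2205]: conn=7 op=1 SEARCH RESULT tag=101 err=0 nentries=3 text=
May 17 12:09:14 dolphin slapd[2205]: conn=8 op=1 SRCH base="dc=mtcable,dc=net" scope=2 deref=0 filter="(uid=other)"
May 17 12:09:14 dolphin slapd[2205]: conn=8 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
May 17 12:09:15 dolphin slapd[2205]: conn=9 op=1 SRCH base="dc=mtcable,dc=net" scope=2 deref=0 filter="(uid=nobody)"
May 17 12:09:15 dolphin slapd[2205]: conn=9 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

# The "SRCH base=..." line carries the filter; the matching "SEARCH RESULT" line
# (same conn and op) carries the entry count slapd returned to the client.
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" .*filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT .*nentries=(\d+)')


def find_ambiguous_searches(log_text):
    """Return (filter, base, nentries, verdict) for every search that did not
    return exactly one entry. rlm_ldap reports both 0 and >1 as 'notfound', so
    both are listed; the verdict tells the operator which case it was."""
    pending = {}   # (conn, op) -> (filter, base) for searches awaiting a result
    findings = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = (m.group(4), m.group(3))
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            filt, base = pending.pop((m.group(1), m.group(2)))
            n = int(m.group(3))
            if n != 1:
                verdict = "no entry" if n == 0 else "ambiguous (duplicate uid or basedn too wide)"
                findings.append((filt, base, n, verdict))
    return findings


if __name__ == "__main__":
    for filt, base, n, verdict in find_ambiguous_searches(SAMPLE_LOG):
        print(f"{filt} under {base}: nentries={n} -> {verdict}")
```

Run against the real slapd log, every filter it reports with nentries>1 names a uid that must be made unique (or a basedn that must be narrowed) before rlm_ldap will accept the user.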



       