Pop3 and LDAP authentication...Multiple radius servers

Eric Martell workoutexcite at yahoo.com
Tue Aug 26 18:14:42 CEST 2008


Alan, thanks for the reply.

I already have radiusa, which does the LDAP authentication (it has the ldap1 and ldap2 groups). A new business request came in to add POP3 authentication for a third party, so I added a new radius server, radiusb, which does the POP3 auth.

I am using radiusa to proxy based on the realm: xyz.net is forwarded to radiusb, and all other requests (no realm in the usernames) still go to radiusa.

I am running radiusa on 1812 and radiusb on 1912. I did not see any log messages in the radiusb server. I thought that when using the radiusa proxy, it forwards the request to radiusb.

The user testaccount at xyz.net is configured in radiusb, which does POP3 auth. No testaccount at xyz.net user exists in radiusa (in LDAP).

Hope this helps. Let me know if I am doing it right.
Here is the radius -X log:

rad_recv: Access-Request packet from host 167.206.23.94:1357, id=15, length=59
        User-Name = "testaccount at xyz.net"
        User-Password = "test"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: Looking up realm "xyz.net" for User-Name = "testaccount at xyz.net"
    rlm_realm: Found realm "xyz.net"
    rlm_realm: Adding Stripped-User-Name = "testaccount"
    rlm_realm: Proxying request from user testaccount to realm xyz.net
    rlm_realm: Adding Realm = "xyz.net"
    rlm_realm: Preparing to proxy authentication request to realm "xyz.net" 
  modcall[authorize]: module "suffix" returns updated for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 75
    users: Matched entry DEFAULT at line 180
    users: Matched entry DEFAULT at line 184
  modcall[authorize]: module "files" returns ok for request 0
modcall: entering group group for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testaccount
radius_xlat:  '(uid=testaccount)'
radius_xlat:  'dc=opt,dc=net,o=internet'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap1:389, authentication 0
rlm_ldap: bind as uid=mmpProxy,o=internet/MMPass to ldap1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=opt,dc=net,o=internet, with filter (uid=testaccount)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap1" returns notfound for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testaccount
radius_xlat:  '(&(uid=testaccount)(entitlements=WIFILOC1))'
radius_xlat:  'ou=roles,o=entitlement'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap://ldap2:1389, authentication 0
rlm_ldap: bind as uid=appuser,ou=appadm,o=entitlement/PaBlAn0 to ldap://ldap2:1389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=roles,o=entitlement, with filter (&(uid=testaccount)(entitlements=WIFILOC1))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap2" returns notfound for request 0
modcall: group group returns reject for request 0
modcall: group authorize returns reject for request 0
Invalid user (rlm_ldap: User not found): [testaccount at xyz.net] (from client test1 port 0)
Cancelling proxy as request was already rejected
Request 0 rejected in proxy_send.
Server rejecting request 0.
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 15 to 167.206.23.94:1357
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 15 with timestamp 48b424b1
Nothing to do.  Sleeping until we see a request.






--- On Tue, 8/26/08, Alan DeKok <aland at deployingradius.com> wrote:
From: Alan DeKok <aland at deployingradius.com>
Subject: Re: Pop3 and LDAP authentication...Multiple radius servers
To: workoutexcite at yahoo.com, "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Date: Tuesday, August 26, 2008, 12:00 PM

Eric Martell wrote:
> Here is the entire log.
...
> rlm_ldap: performing search in dc=test1,dc=net,o=internet, with filter
> (uid=testaccount)

  If you're proxying the request, why have you configured the server to
do lookups in LDAP?

> ldap://vadsdsdsad:389 failed: Can't contact LDAP server
> rlm_ldap: (re)connection attempt failed
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap2" returns fail for request 0
> modcall: group group returns reject for request 0

  That would seem to show why it's being rejected.  The LDAP server is
down.  And I don't think "vadsdsdsad" is a real host name in your
network.

  Perhaps you could explain why you think the server should work after
you've configured it to use resources that don't exist.

  Alan DeKok.
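The failure pattern in Eric's debug log above (rlm_realm flags the request for proxying, the local ldap group rejects it first, and proxy_send then cancels the proxy, so radiusb never sees the request) is easy to miss in a long radiusd -X trace. The following Python triage script is an added example, not code from this thread or from FreeRADIUS: it reads the modcall, rlm_realm and rlm_ldap lines into a verdict, and also reports which LDAP bind DNs had their password printed by the debug output. The sample log, its addresses and its bind DN/password are constructed placeholders.

```python
# Triage a FreeRADIUS 'radiusd -X' log for the pattern in this thread: rlm_realm marks the
# request for proxying, but a local authorize group rejects it first and proxy_send cancels.
import re

RE_PROXY = re.compile(r'rlm_realm: Proxying request from user (\S+) to realm (\S+)')
RE_MODULE = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+) for request \d+')
RE_GROUP = re.compile(r'modcall: group (\S+) returns (\w+) for request \d+')
RE_CANCEL = re.compile(r'Cancelling proxy as request was already rejected')
# Debug output prints the LDAP bind as "DN/password"; capture only the DN.
RE_BIND = re.compile(r'rlm_ldap: bind as (.+?)/\S+ to \S+')

def triage(log_text):
    r = {"proxy_realm": None, "proxy_cancelled": False, "rejecting_groups": [],
         "lookup_failures": [], "exposed_binds": []}
    for line in log_text.splitlines():
        if m := RE_PROXY.search(line):
            r["proxy_realm"] = m.group(2)
        elif m := RE_MODULE.search(line):
            # Only authorize-section results can pre-empt the proxy; these codes do.
            if m.group(1) == "authorize" and m.group(3) in ("notfound", "fail", "reject"):
                r["lookup_failures"].append((m.group(2), m.group(3)))
        elif m := RE_GROUP.search(line):
            if m.group(2) == "reject":  # innermost group first, enclosing section last
                r["rejecting_groups"].append(m.group(1))
        elif RE_CANCEL.search(line):
            r["proxy_cancelled"] = True
        elif m := RE_BIND.search(line):
            r["exposed_binds"].append(m.group(1))
    return r

def findings(log_text):
    # Human-readable conclusions drawn from triage(), in the order an engineer wants them.
    r, out = triage(log_text), []
    if r["proxy_realm"] and r["proxy_cancelled"]:
        detail = ", ".join(f"{mod}={rc}" for mod, rc in r["lookup_failures"])
        group = (r["rejecting_groups"] or ["?"])[0]
        out.append(f"request for realm {r['proxy_realm']} never reached the home server: "
                   f"group '{group}' rejected it locally ({detail})")
    out += [f"debug log prints the bind password for {dn}; scrub before sharing"
            for dn in r["exposed_binds"]]
    return out

# Constructed sample modelled on the thread's log; the bind DN and password are placeholders.
SAMPLE_LOG = """\
    rlm_realm: Proxying request from user testaccount to realm xyz.net
rlm_ldap: bind as uid=proxyuser,o=example/placeholder-password to ldap1:389
  modcall[authorize]: module "ldap1" returns notfound for request 0
  modcall[authorize]: module "ldap2" returns notfound for request 0
modcall: group group returns reject for request 0
modcall: group authorize returns reject for request 0
Cancelling proxy as request was already rejected
"""
```

Run `findings(open("debug.log").read())` on a captured trace; an empty list means the trace shows neither a cancelled proxy nor a printed bind password.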


