Problem when removing Auth-Type := Ldap in users file

Ivan Kalik tnt at kalik.net
Thu Feb 7 21:49:27 CET 2008


Have you noticed some warnings about the password attribute in the debug?
Maybe using the appropriate password attribute might help ;-)

Ivan Kalik
Kalik Informatika ISP


On 7/2/2008, "cxu" <cxu at unbsj.ca> writes:

>Hi,
>
>I am testing the FreeRADIUS server and trying to clarify the rules applied in
>FreeRADIUS.  In the following trials, I could not figure out how to make
>Autz-Type Ldap1 in the authorize section correctly set the Auth-Type used in
>authentication without the help of "Auth-Type := Ldap1".
>
>With the following entry in the users file,
>
>**************
>
>DEFAULT Called-Station-Id =~ ".*Guest at myu", Autz-Type := Ldap1, Auth-Type := Ldap1
>
>**************
>
>the user authentication worked fine.
>
>Below is the debug output.
>
>**************
>
>rad_recv: Access-Request packet from host 192.168.1.113 port 20000, id=19, length=98
>        User-Name = "tester"
>        Called-Station-Id = "00-1B-BA-A5-45-40:Guest at myu"
>        NAS-Port = 189
>        NAS-Port-Type = Wireless-802.11
>        NAS-Identifier = "nortel"
>        NAS-IP-Address = 192.168.1.113
>        User-Password = "testing"
>+- entering group authorize
>++[preprocess] returns ok
>++[chap] returns noop
>++[mschap] returns noop
>    rlm_realm: No '@' in User-Name = "tester", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>++[suffix] returns noop
>  rlm_eap: No EAP-Message, not doing EAP
>++[eap] returns noop
>        expand: %{Called-Station-Id} -> 00-1B-BA-A5-45-40:Guest at myu
>        expand: %{Called-Station-Id} -> 00-1B-BA-A5-45-40:Guest at myu
>    users: Matched entry DEFAULT at line 70
>++[files] returns ok
>rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
>++[pap] returns noop
>  Found Autz-Type Ldap1
>+- entering group Ldap1
>++- entering redundant-load-balance group redundant-load-balance
>rlm_ldap: - authorize
>rlm_ldap: performing user authorization for tester
>WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
>        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=tester)
>        expand: ou=people,dc=myu,dc=ca -> ou=people,dc=myu,dc=ca
>rlm_ldap: ldap_get_conn: Checking Id: 0
>rlm_ldap: ldap_get_conn: Got Id: 0
>rlm_ldap: attempting LDAP reconnection
>rlm_ldap: (re)connect to ldap.myu.ca:389, authentication 0
>rlm_ldap: setting TLS CACert File to /usr/local/etc/raddb/certs/unbCA.crt
>rlm_ldap: setting TLS Require Cert to never
>rlm_ldap: bind as uid=radius,dc=myu,dc=ca/PWD12345678 to ldap.myu.ca:389
>rlm_ldap: waiting for bind result ...
>rlm_ldap: Bind was successful
>rlm_ldap: performing search in ou=people,dc=myu,dc=ca, with filter (uid=tester)
>rlm_ldap: Added User-Password = {SSHA}jSTYFonbXmIE6pReKdYUvq0RhxuhLUAT6FYcG== in check items
>rlm_ldap: looking for check items in directory...
>rlm_ldap: looking for reply items in directory...
>rlm_ldap: user tester authorized to use remote access
>rlm_ldap: ldap_release_conn: Release Id: 0
>+++[myldap2] returns ok
>++- redundant-load-balance group redundant-load-balance returns ok
>  rad_check_password:  Found Auth-Type Ldap1
>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>!!! Please update your configuration so that the "known good"               !!!
>!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>auth: type "Ldap1"
>+- entering group Ldap1
>++- entering redundant-load-balance group redundant-load-balance
>rlm_ldap: - authenticate
>rlm_ldap: login attempt by "tester" with password "testing"
>rlm_ldap: user DN: uid=tester,ou=people,dc=myu,dc=ca
>rlm_ldap: (re)connect to ldap.myu.ca:389, authentication 1
>rlm_ldap: setting TLS CACert File to /usr/local/etc/raddb/certs/myuCA.crt
>rlm_ldap: setting TLS Require Cert to never
>rlm_ldap: bind as uid=tester,ou=people,dc=myu,dc=ca/testing to ldap.myu.ca:389
>rlm_ldap: waiting for bind result ...
>rlm_ldap: Bind was successful
>rlm_ldap: user tester authenticated succesfully
>+++[myldap2] returns ok
>++- redundant-load-balance group redundant-load-balance returns ok
>Login OK: [tester] (from client unbsj113 port 189)
>Sending Access-Accept of id 19 to 192.168.1.113 port 20000
>Finished request 0.
>Going to the next request
>Waking up in 0.8 seconds.
>Waking up in 4.1 seconds.
>Cleaning up request 0 ID 19 with timestamp +99
>Ready to process requests.
>
>**************
>
>However, when I removed Auth-Type := Ldap1 from the entry,
>
>**************
>
>DEFAULT Called-Station-Id =~ ".*Guest at myu", Autz-Type := Ldap1
>
>**************
>
>the user authentication failed.  The Auth-Type is set to Local instead of
>Ldap.
>
>Below is the debug output.
>
>**************
>
>rad_recv: Access-Request packet from host 192.168.1.113 port 20000, id=20, length=98
>        User-Name = "tester"
>        Called-Station-Id = "00-1B-BA-A5-45-40:Guest at myu"
>        NAS-Port = 192
>        NAS-Port-Type = Wireless-802.11
>        NAS-Identifier = "nortel"
>        NAS-IP-Address = 192.168.1.113
>        User-Password = "testing"
>+- entering group authorize
>++[preprocess] returns ok
>++[chap] returns noop
>++[mschap] returns noop
>    rlm_realm: No '@' in User-Name = "tester", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>++[suffix] returns noop
>  rlm_eap: No EAP-Message, not doing EAP
>++[eap] returns noop
>        expand: %{Called-Station-Id} -> 00-1B-BA-A5-45-40:Guest at myu
>        expand: %{Called-Station-Id} -> 00-1B-BA-A5-45-40:Guest at myu
>    users: Matched entry DEFAULT at line 71
>++[files] returns ok
>rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
>++[pap] returns noop
>  Found Autz-Type Ldap1
>+- entering group Ldap1
>++- entering redundant-load-balance group redundant-load-balance
>rlm_ldap: - authorize
>rlm_ldap: performing user authorization for tester
>WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
>        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=tester)
>        expand: ou=people,dc=myu,dc=ca -> ou=people,dc=myu,dc=ca
>rlm_ldap: ldap_get_conn: Checking Id: 0
>rlm_ldap: ldap_get_conn: Got Id: 0
>rlm_ldap: attempting LDAP reconnection
>rlm_ldap: (re)connect to ldap2.myu.ca:389, authentication 0
>rlm_ldap: setting TLS CACert File to /usr/local/etc/raddb/certs/myuCA.crt
>rlm_ldap: setting TLS Require Cert to never
>rlm_ldap: bind as uid=radius,dc=myu,dc=ca/PWD12345678 to ldap2.myu.ca:389
>rlm_ldap: waiting for bind result ...
>rlm_ldap: Bind was successful
>rlm_ldap: performing search in ou=people,dc=myu,dc=ca, with filter (uid=tester)
>rlm_ldap: Added User-Password = {SSHA}jSTYFonbXmIE6pReKdYUvq0RhxuhLUAT6FYcG== in check items
>rlm_ldap: looking for check items in directory...
>rlm_ldap: looking for reply items in directory...
>rlm_ldap: user tester authorized to use remote access
>rlm_ldap: ldap_release_conn: Release Id: 0
>+++[myldap] returns ok
>++- redundant-load-balance group redundant-load-balance returns ok
>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>!!! Please update your configuration so that the "known good"               !!!
>!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>auth: type Local
>auth: user supplied User-Password does NOT match local User-Password
>auth: Failed to validate the user.
>Login incorrect: [tester] (from client unbsj113 port 192)
>Delaying reject of request 0 for 1 seconds
>Going to the next request
>Waking up in 0.9 seconds.
>Sending delayed reject for request 0
>Sending Access-Reject of id 20 to 192.168.1.113 port 20000
>Waking up in 4.9 seconds.
>Cleaning up request 0 ID 20 with timestamp +111
>Ready to process requests.
>
>**************
>
>In radiusd.conf,
>
>ldap myldap {
>            server = "ldap2.myu.ca"
>            identity = "uid=radius,dc=myu,dc=ca"
>            password = PWD12345678
>            basedn = "ou=people,dc=myu,dc=ca"
>            filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>            ldap_connections_number = 5
>
>            timeout = 4
>            timelimit = 3
>            net_timeout = 1
>
>            tls {
>                  start_tls = no
>
>                  # cacertfile      = /path/to/cacert.pem
>                  # cacertdir       = /path/to/ca/dir/
>                  # certfile        = /path/to/radius.crt
>                  cacertfile  = /usr/local/etc/raddb/certs/myuCA.crt
>                  # keyfile         = /path/to/radius.key
>                  # randfile        = /path/to/rnd
>
>                  require_cert      = "never"
>            }
>
>            # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
>            # profile_attribute = "radiusProfileDn"
>            # access_attr = "dialupAccess"
>
>            dictionary_mapping = ${confdir}/ldap.attrmap
>
>            password_attribute = userPassword
>
>            # password_header = "{clear}"
>
>            edir_account_policy_check = no
>
>            # groupname_attribute = cn
>            # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>            # groupmembership_attribute = radiusGroupName
>            groupmembership_attribute = eduPersonPrimaryAffiliation
>
>            # compare_check_items = yes
>            # do_xlat = yes
>            # access_attr_used_for_allow = yes
>
>            set_auth_type = yes
>
>            #ldap_debug = 0x0028
>}
>
>ldap myldap2 {
>....
>}
>
>authorize {
>....
>      Autz-Type Ldap1 {
>            redundant-load-balance{
>                  myldap
>                  myldap2
>            }
>      }
>....
>}
>
>authenticate {
>....
>      Auth-Type Ldap1 {
>            redundant-load-balance{
>                  myldap
>                  myldap2
>            }
>      }
>....
>}
>
>Thanks for your help!
>
>Andrew
>
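The hint in the reply is about what the directory hands back. The second debug output shows rlm_ldap adding the {SSHA} value of userPassword as a User-Password check item; with no Auth-Type set, the server falls through to "auth: type Local" and compares that hashed string literally against the clear-text "testing" from the request, which can never match. A hashed value can only be checked by parsing its scheme header, which is what rlm_pap does for a Password-With-Header check item (as opposed to User-Password). The Python below is an added example, not code from the post or from FreeRADIUS: it implements that header-aware check for {SSHA}, {SHA} and {clear} values, shows the plain comparison the failing run fell into, and scans a constructed copy of the post's debug lines for the pattern. The salt, the hash and the debug lines are constructed here; the hash printed in the post is not reused.

```python
"""
Verify LDAP userPassword values that carry a scheme header ({SSHA}, {SHA},
{clear}) the way a header-aware check must, and contrast that with the plain
string comparison the failing request in the post fell into.
"""
import base64
import hashlib
import hmac
import re

HEADER_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)


def make_ssha(password: str, salt: bytes) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def make_sha(password: str) -> str:
    """Build an unsalted {SHA} value: base64(sha1(pw))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify_password_with_header(stored: str, candidate: str) -> bool:
    """Compare a candidate password against a stored value whose scheme is
    announced by a {HEADER} prefix.  A value without a header is treated as
    clear text.  Unknown schemes are rejected rather than silently passed."""
    pw = candidate.encode("utf-8")
    m = HEADER_RE.match(stored)
    if not m:
        return hmac.compare_digest(stored.encode("utf-8"), pw)
    scheme, payload = m.group(1).upper(), m.group(2)
    if scheme == "CLEAR":
        return hmac.compare_digest(payload.encode("utf-8"), pw)
    if scheme == "SHA":
        return hmac.compare_digest(base64.b64decode(payload), hashlib.sha1(pw).digest())
    if scheme == "SSHA":
        raw = base64.b64decode(payload)
        digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes; the rest is salt
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    raise ValueError("unsupported password scheme {%s}" % scheme)


def naive_local_compare(stored: str, candidate: str) -> bool:
    """What Auth-Type Local effectively did in the failing run: the {SSHA}
    string taken from userPassword is compared byte for byte with the
    clear-text User-Password from the request, so it never matches."""
    return stored == candidate


# Constructed sample modelled on the post's second debug run.  The salt and
# hash are generated locally (hypothetical), not copied from the post.
SAMPLE_SALT = b"\x01\x02\x03\x04"
SAMPLE_STORED = make_ssha("testing", SAMPLE_SALT)
SAMPLE_DEBUG = [
    "rlm_ldap: performing search in ou=people,dc=myu,dc=ca, with filter (uid=tester)",
    "rlm_ldap: Added User-Password = %s in check items" % SAMPLE_STORED,
    "+++[myldap] returns ok",
    "auth: type Local",
    "auth: user supplied User-Password does NOT match local User-Password",
]

LDAP_PW_RE = re.compile(r"rlm_ldap: Added User-Password = (\{[A-Za-z0-9-]+\})")


def diagnose(debug_lines):
    """Scan FreeRADIUS debug output for the pattern in the post: rlm_ldap
    handed a hashed userPassword to the core as User-Password, and the request
    then fell through to Auth-Type Local.  Returns one finding per occurrence."""
    findings = []
    pending_header = None
    for line in debug_lines:
        m = LDAP_PW_RE.search(line)
        if m:
            pending_header = m.group(1)
        elif line.strip() == "auth: type Local" and pending_header:
            findings.append(
                "hashed %s value from LDAP compared as clear text by Auth-Type "
                "Local; map userPassword to Password-With-Header so the hash "
                "can be verified, or set an explicit Auth-Type" % pending_header)
            pending_header = None
    return findings


if __name__ == "__main__":
    print("header-aware check:", verify_password_with_header(SAMPLE_STORED, "testing"))
    print("naive Local compare:", naive_local_compare(SAMPLE_STORED, "testing"))
    for finding in diagnose(SAMPLE_DEBUG):
        print("finding:", finding)
```

Run it stand-alone and the header-aware check accepts "testing" while the naive comparison rejects it, which is exactly the difference between the two debug runs. One further caveat the same debug output makes visible: `radiusd -X` prints the LDAP bind credential (`/PWD12345678`) and the user's password (`"testing"`) in clear, so rotate or redact them before posting output to a list.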




More information about the Freeradius-Users mailing list