Freeradius with OpenLDAP (Suse Enterprise 10)

Markus Krause krause at biochem.mpg.de
Mon Feb 11 14:22:03 CET 2008


Quoting David W Bell <david at chaoscrypt.com>:

> LDAP is installed and working out of the box, having been set to be
> used for authentication during the SUSE install.
>
> This is proven by the ability to log in to the box, both locally and via SSH
>
> I installed freeRADIUS from the latest source and it is working also.
>
> freeRADIUS seems unable to find a password for the user during Authentication.
>
> I issue the following on my workstation
>
> david at belld-ubuntu:~$ echo "User-Name = belld,Password=p455w0rd" |
> radclient 212.95.255.242:1812 auth testing
> Received response ID 99, code 3, length = 20
>
> And see the following from freeRADIUS
>
> Listening on authentication address * port 1812
> Listening on accounting address * port 1813
> Ready to process requests.
> rad_recv: Access-Request packet from host 212.95.252.25 port 20758,
> id=99, length=45
>        User-Name = "belld"
>        User-Password = "p455w0rd"
> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
>    rlm_realm: No '@' in User-Name = "belld", looking up realm NULL
>    rlm_realm: No such realm "NULL"
> ++[suffix] returns noop
>  rlm_eap: No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> ++[files] returns noop
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for belld
> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
>        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
>        expand: dc=dxi,dc=net -> dc=dxi,dc=net
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to localhost:389, authentication 0
> rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP.  Are you sure that
> the user is configured correctly?
> rlm_ldap: user belld authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> rlm_pap: WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user
> auth: Failed to validate the user.
> Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0)
>  Found Post-Auth-Type Reject
> +- entering group REJECT
>        expand: %{User-Name} -> belld
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 99 to 212.95.252.25 port 20758
> Waking up in 4.9 seconds.
>
> What I can't work out is whether this is due to an LDAP or a RADIUS
> config problem.
>

What is the result of the following commands (using a terminal):
   ldapsearch -x -h localhost -b "dc=dxi,dc=net" uid=belld
   ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld

If they (especially the latter) do not return a value for the field
"userPassword", the problem is on the LDAP side.

markus
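
The check described in the reply above, as an added example that is not part of the original post: a small parser for ldapsearch's LDIF output that reports, per returned entry, whether userPassword came back and under which scheme, handling base64 (`::`) values and folded lines. The sample outputs, the DN and the hash text are constructed placeholders, and treating a value without a `{scheme}` prefix as cleartext is an assumption of this example.

```python
import base64
import re

def parse_ldif(text):
    """Parse ldapsearch LDIF output into a list of {attr: [values]} dicts."""
    text = re.sub(r"\n ", "", text)  # unfold: a leading space continues the previous line
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            current = None  # a blank line ends the entry
            continue
        m = re.match(r"([A-Za-z0-9;.-]+):(:?)\s*(.*)$", line)
        if line.startswith("#") or not m:
            continue
        attr, is_b64, value = m.group(1).lower(), m.group(2), m.group(3)
        if is_b64:  # "attr:: value" means the value is base64-encoded
            value = base64.b64decode(value).decode("utf-8", "replace")
        if current is None:
            if attr != "dn":
                continue  # skips trailer lines such as "search: 2" / "result: 0 Success"
            current = {}
            entries.append(current)
        current.setdefault(attr, []).append(value)
    return entries

def password_report(ldif_text):
    """Map each returned DN to its userPassword scheme, or None if the attribute is absent."""
    report = {}
    for entry in parse_ldif(ldif_text):
        scheme = None
        for value in entry.get("userpassword", []):
            m = re.match(r"\{([A-Za-z0-9-]+)\}", value)
            scheme = m.group(1).upper() if m else "CLEARTEXT"  # assumption: no prefix = cleartext
        report[entry["dn"][0]] = scheme
    return report

# Constructed sample output (not from the thread); DN and hash text are placeholders.
_HEAD = "# extended LDIF\n#\n# LDAPv3\n\ndn: uid=jdoe,ou=people,dc=example,dc=org\nuid: jdoe\n"
_TAIL = "\n# search result\nsearch: 2\nresult: 0 Success\n"
_B64 = base64.b64encode(b"{SSHA}constructed-placeholder-not-a-hash").decode()
ANON_OUTPUT = _HEAD + _TAIL  # e.g. an anonymous bind where the ACL hides userPassword
BOUND_OUTPUT = _HEAD + "userPassword:: " + _B64[:24] + "\n " + _B64[24:] + "\n" + _TAIL

if __name__ == "__main__":
    for label, out in (("anonymous", ANON_OUTPUT), ("bound", BOUND_OUTPUT)):
        print(label, password_report(out))
```

A `None` for the bind DN that FreeRADIUS uses matches the "No known good password" warning in the debug output: the entry is found, but the attribute is not returned to that identity.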

