Freeradius with OpenLDAP (Suse Enterprise 10)

Markus Krause krause at biochem.mpg.de
Mon Feb 11 17:25:54 CET 2008


Zitat von David W Bell <david at chaoscrypt.com>:
> Markus Krause wrote:
>> Zitat von David W Bell <david at chaoscrypt.com>:
>>
>>> Markus Krause wrote:
>>>> Zitat von David W Bell <david at chaoscrypt.com>:
>>>>
>>>>> LDAP is installed and working out of the box, having been set to be
>>>>> used for authentication during the SUSE install.
>>>>>
>>>>> This is proven by the ability to log in to the box, both locally and via SSH
>>>>>
>>>>> I installed freeRADIUS from the latest source and it is working also.
>>>>>
>>>>> freeRADIUS seems unable to find a password for the user during Authentication.
>>>>>
>>>>> I issue the following on my workstation
>>>>>
>>>>> david at belld-ubuntu:~$ echo "User-Name = belld,Password=p455w0rd" |
>>>>> radclient 212.95.255.242:1812 auth testing
>>>>> Received response ID 99, code 3, length = 20
>>>>>
>>>>> And see the following from freeRADIUS Listening on authentication
>>>>> address * port 1812
>>>>> Listening on accounting address * port 1813
>>>>> Ready to process requests.
>>>>> rad_recv: Access-Request packet from host 212.95.252.25 port 20758,
>>>>> id=99, length=45
>>>>>      User-Name = "belld"
>>>>>      User-Password = "p455w0rd"
>>>>> +- entering group authorize
>>>>> ++[preprocess] returns ok
>>>>> ++[chap] returns noop
>>>>> ++[mschap] returns noop
>>>>>  rlm_realm: No '@' in User-Name = "belld", looking up realm NULL
>>>>>  rlm_realm: No such realm "NULL"
>>>>> ++[suffix] returns noop
>>>>> rlm_eap: No EAP-Message, not doing EAP
>>>>> ++[eap] returns noop
>>>>> ++[unix] returns notfound
>>>>> ++[files] returns noop
>>>>> rlm_ldap: - authorize
>>>>> rlm_ldap: performing user authorization for belld
>>>>> WARNING: Deprecated conditional expansion ":-".  See "man   
>>>>> unlang"  for details
>>>>>      expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
>>>>>      expand: dc=dxi,dc=net -> dc=dxi,dc=net
>>>>> rlm_ldap: ldap_get_conn: Checking Id: 0
>>>>> rlm_ldap: ldap_get_conn: Got Id: 0
>>>>> rlm_ldap: attempting LDAP reconnection
>>>>> rlm_ldap: (re)connect to localhost:389, authentication 0
>>>>> rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to   
>>>>> localhost:389
>>>>> rlm_ldap: waiting for bind result ...
>>>>> rlm_ldap: Bind was successful
>>>>> rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
>>>>> rlm_ldap: looking for check items in directory...
>>>>> rlm_ldap: looking for reply items in directory...
>>>>> WARNING: No "known good" password was found in LDAP.  Are you sure that
>>>>> the user is configured correctly?
>>>>> rlm_ldap: user belld authorized to use remote access
>>>>> rlm_ldap: ldap_release_conn: Release Id: 0
>>>>> ++[ldap] returns ok
>>>>> ++[expiration] returns noop
>>>>> ++[logintime] returns noop
>>>>> rlm_pap: WARNING! No "known good" password found for the user.
>>>>> Authentication may fail because of this.
>>>>> ++[pap] returns noop
>>>>> auth: No authenticate method (Auth-Type) configuration found for the
>>>>> request: Rejecting the user
>>>>> auth: Failed to validate the user.
>>>>> Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0)
>>>>> Found Post-Auth-Type Reject
>>>>> +- entering group REJECT
>>>>>      expand: %{User-Name} -> belld
>>>>> attr_filter: Matched entry DEFAULT at line 11
>>>>> ++[attr_filter.access_reject] returns updated
>>>>> Delaying reject of request 0 for 1 seconds
>>>>> Going to the next request
>>>>> Waking up in 0.9 seconds.
>>>>> Sending delayed reject for request 0
>>>>> Sending Access-Reject of id 99 to 212.95.252.25 port 20758
>>>>> Waking up in 4.9 seconds.
>>>>>
>>>>> What I can't work out is whether this is due to an LDAP or a RADIUS
>>>>> config problem.
>>>>>
>>>>
>>>> what is the result of the following commands (using a terminal):
>>>> ldapsearch -x -h localhost -b "dc=dxi,dc=net" uid=belld
>>>> ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld
>>>>
>>>> if they (especially the latter) do not return a value for the   
>>>> field  "userPassword" the problem is on the LDAP side.
>>>>
>>>> markus
>>>>
>>>>
>>>> ----------------------------------------------------------------------
>>>>    This message was sent using https://webmail.biochem.mpg.de
>>>> If you encounter any problems please report to rz-linux at biochem.mpg.de
>>>>
>>>> ------------------------------------------------------------------------ -
>>>> List info/subscribe/unsubscribe? See    
>>>> http://www.freeradius.org/list/users.html
>>> Thanks Markus.
>>>
>>> I thought of that - and had done the 1st search and HAD noticed there
>>> was no LDAP password set
>>>
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <dc=dxi,dc=net> with scope subtree
>>> # filter: uid=belld
>>> # requesting: ALL
>>> #
>>>
>>> # belld, people, dxi.net
>>> dn: uid=belld,ou=people,dc=dxi,dc=net
>>> cn: David Bell
>>> gidNumber: 100
>>> givenName: David
>>> homeDirectory: /home/belld
>>> loginShell: /bin/bash
>>> objectClass: top
>>> objectClass: posixAccount
>>> objectClass: shadowAccount
>>> objectClass: inetOrgPerson
>>> shadowInactive: -1
>>> shadowMax: 99999
>>> shadowMin: 0
>>> shadowWarning: 7
>>> sn: Bell
>>> uid: belld
>>> uidNumber: 1000
>>> shadowLastChange: 13920
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>> belld at trigger:~>
>>>
>>> I thought this was because LDAP was handing that aspect over to
>>> something else but your second command shows a password.
>>>
>>> belld at trigger:~> ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D
>>> "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <dc=dxi,dc=net> with scope subtree
>>> # filter: uid=belld
>>> # requesting: ALL
>>> #
>>>
>>> # belld, people, dxi.net
>>> dn: uid=belld,ou=people,dc=dxi,dc=net
>>> cn: David Bell
>>> gidNumber: 100
>>> givenName: David
>>> homeDirectory: /home/belld
>>> loginShell: /bin/bash
>>> objectClass: top
>>> objectClass: posixAccount
>>> objectClass: shadowAccount
>>> objectClass: inetOrgPerson
>>> shadowInactive: -1
>>> shadowMax: 99999
>>> shadowMin: 0
>>> shadowWarning: 7
>>> sn: Bell
>>> uid: belld
>>> uidNumber: 1000
>>> userPassword:: e2NyeXB0fWUvMmlHZW9tWXJHTG8=
>>> shadowLastChange: 13920
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>> belld at trigger:~>
>>>
>>> Any further thoughts?
>>>
>>> David
>>
>> not showing a userPassword field using an anonymous bind (the first
>> command) is actually expected; as rootdn it should work. i assume
>> the following command does reveal the userPassword as well:
>>  ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D "uid=belld,ou=people,dc=dxi,dc=net" -w p455w0rd uid=belld
>>
>> i am wondering why the debug output of the freeradius says you're
>> binding as administrator, if the command above works this should
>> not be necessary .. could you post your ldap section of your
>> radiusd.conf?
>>
>> regards
>>  markus
>>
> Config as requested - I did uncomment and configure the identity
> section - is this not required?
>
>        ldap {
>                #
>                #  Note that this needs to match the name in the LDAP
>                #  server certificate, if you're using ldaps.
>                server = "localhost"
>                identity = "cn=Administrator,dc=dxi,dc=net"
>                password = trPic4n03
>                basedn = "dc=dxi,dc=net"
>                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>                #base_filter = "(objectclass=radiusprofile)"
>
>                #  How many connections to keep open to the LDAP server.
>                #  This saves time over opening a new LDAP socket for
>                #  every authentication request.
>                ldap_connections_number = 5
>
>                # seconds to wait for LDAP query to finish. default: 20
>                timeout = 4
>
>                #  seconds LDAP server has to process the query (server-side
>                #  time limit). default: 20
>                #
>                #  LDAP_OPT_TIMELIMIT is set to this value.
>                timelimit = 3
>
>                #
>                #  seconds to wait for response of the server. (network
>                #   failures) default: 10
>                #
>                #  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
>                net_timeout = 1
>                tls {
>                        # Set this to 'yes' to use TLS encrypted connections
>                        # to the LDAP database by using the StartTLS extended
>                        # operation.
>                        #
>                        # The StartTLS operation is supposed to be
>                        # used with normal ldap connections instead of
>                        # using ldaps (port 689) connections
>                        start_tls = no
>
>                        # cacertfile    = /path/to/cacert.pem
>                        # cacertdir             = /path/to/ca/dir/
>                        # certfile              = /path/to/radius.crt
>                        # keyfile               = /path/to/radius.key
>                        # randfile              = /path/to/rnd
>
>                        #  Certificate Verification requirements.  Can be:
>                        #    "never" (don't even bother trying)
>                        #    "allow" (try, but don't fail if the certificate
>                        #               can't be verified)
>                        #    "demand" (fail if the certificate   
> doesn't verify.)
>                        #
>                        #       The default is "allow"
>                        # require_cert  = "demand"
>                }
>
>                # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
>                # profile_attribute = "radiusProfileDn"
>                # access_attr = "dialupAccess"
>
>                # Mapping of RADIUS dictionary attributes to LDAP
>                # directory attributes.
>                dictionary_mapping = ${confdir}/ldap.attrmap
>
>                #  Set password_attribute = nspmPassword to get the
>                #  user's password from a Novell eDirectory
>                #  backend. This will work ONLY IF FreeRADIUS has been
>                #  built with the --with-edir configure option.
>                #
>                # password_attribute = userPassword
>
>                #  Un-comment the following to disable Novell
>                #  eDirectory account policy check and intruder
>                #  detection. This will work *only if* FreeRADIUS is
>                #  configured to build with --with-edir option.
>                #
>                edir_account_policy_check = no
>
>                #
>                #  Group membership checking.  Disabled by default.
>                #
>                # groupname_attribute = cn
>                # groupmembership_filter =
> "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>                # groupmembership_attribute = radiusGroupName
>
>                # compare_check_items = yes
>                # do_xlat = yes
>                # access_attr_used_for_allow = yes
>
>                #
>                #  By default, if the packet contains a User-Password,
>                #  and no other module is configured to handle the
>                #  authentication, the LDAP module sets itself to do
>                #  LDAP bind for authentication.
>                #
>                #  THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
>                #
>                #  THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
>                #
>                #  You can disable this behavior by setting the following
>                #  configuration entry to "no".
>                #
>                #  allowed values: {no, yes}
>                # set_auth_type = yes
>
>                #  ldap_debug: debug flag for LDAP SDK
>                #  (see OpenLDAP documentation).  Set this to enable
>                #  huge amounts of LDAP debugging on the screen.
>                #  You should only use this if you are an LDAP expert.
>                #
>                #       default: 0x0000 (no debugging messages)
>                #       Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
>                #ldap_debug = 0x0028
>        }
>
>                #
>                #  This subsection configures the tls related items
>                #  that control how FreeRADIUS connects to an LDAP
>                #  server.  It contains all of the "tls_*" configuration
>                #  entries used in older versions of FreeRADIUS.  Those
>                #  configuration entries can still be used, but we recommend
>                #  using these.
>                #

afaik the identity value has to be configured if you are using the
ldap part for more than binding ("check if a password is correct"),
e.g. for use with PEAP, as the radius server then needs access to
possibly protected fields like sambalmpassword.

what happens/changes if you comment out identity and password?
(regarding debug etc.)

m.



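The check Markus recommends in this thread (compare what an anonymous `ldapsearch` and a rootdn `ldapsearch` return for `userPassword`) is easy to automate when you are debugging rlm_ldap. The script below is an added example written for this page; it is not code from the thread, FreeRADIUS or OpenLDAP. It parses LDIF as `ldapsearch` prints it (comment lines, folded continuation lines, and `attr:: value` base64 encoding), decodes the `userPassword` value, and reports the password scheme prefix. The sample LDIF is constructed from the two search results quoted above, abridged to the attributes that matter; the list of scheme prefixes is the set of `userPassword` headers rlm_pap in FreeRADIUS 2.x recognises as far as I know, and the `diagnose()` classification is my own reading of Markus's advice, not a FreeRADIUS rule.

```python
import base64
import re
from typing import Dict, List

# Constructed sample: the anonymous-bind ldapsearch output quoted in the thread,
# abridged. Note there is no userPassword attribute in this result.
LDIF_ANONYMOUS = """\
# extended LDIF
#
# LDAPv3
# base <dc=dxi,dc=net> with scope subtree
# filter: uid=belld
# requesting: ALL
#

# belld, people, dxi.net
dn: uid=belld,ou=people,dc=dxi,dc=net
cn: David Bell
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
uid: belld
uidNumber: 1000

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

# Constructed sample: the same search bound as rootdn, which adds the
# base64-encoded ("::") userPassword value shown in the thread.
LDIF_ROOTDN = LDIF_ANONYMOUS.replace(
    "uidNumber: 1000\n",
    "uidNumber: 1000\nuserPassword:: e2NyeXB0fWUvMmlHZW9tWXJHTG8=\n",
)

# userPassword headers that rlm_pap (FreeRADIUS 2.x) can verify against a
# cleartext User-Password. Assumption: abbreviated, lower-cased list.
PAP_SCHEMES = {"{clear}", "{cleartext}", "{crypt}", "{md5}", "{smd5}",
               "{sha}", "{ssha}", "{nt}", "{lm}"}

ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse ldapsearch LDIF output into a list of entries (dicts of attr -> values).
    Blocks without a dn (the leading comment block, the 'search result' block) are skipped."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        # LDIF folds long values: a continuation line starts with one space.
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if line == "":
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        m = ATTR_LINE.match(line)
        if not m:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        attr, sep, value = m.groups()
        if sep == "::":                   # base64-encoded value (non-printable or leading space)
            value = base64.b64decode(value).decode("utf-8", errors="replace")
        current.setdefault(attr, []).append(value)
    return entries


def password_status(entry: Dict[str, List[str]]) -> Dict[str, object]:
    """Report whether the entry carries a userPassword and which {scheme} prefix it uses."""
    values = next((v for k, v in entry.items() if k.lower() == "userpassword"), None)
    if not values:
        return {"present": False, "scheme": None, "hash": None, "scheme_known": False}
    m = re.match(r"^(\{[^}]+\})(.*)$", values[0], re.S)
    scheme = m.group(1).lower() if m else None   # no prefix: stored cleartext
    digest = m.group(2) if m else values[0]
    return {"present": True, "scheme": scheme, "hash": digest,
            "scheme_known": scheme is None or scheme in PAP_SCHEMES}


def diagnose(anon_ldif: str, rootdn_ldif: str) -> str:
    """Classify where to look next, following the advice given in the thread."""
    anon = password_status(parse_ldif(anon_ldif)[0])
    root = password_status(parse_ldif(rootdn_ldif)[0])
    if not root["present"]:
        return "ldap-side: no userPassword even for the rootdn bind"
    if not root["scheme_known"]:
        return f"ldap-side: userPassword scheme {root['scheme']} is not one rlm_pap can check"
    if not anon["present"]:
        return ("radius-side: userPassword hidden from anonymous bind by ACL but readable "
                "by rootdn; check the rlm_ldap bind identity and ldap.attrmap")
    return "radius-side: userPassword readable by anonymous and rootdn binds"


if __name__ == "__main__":
    print(password_status(parse_ldif(LDIF_ROOTDN)[0]))
    print(diagnose(LDIF_ANONYMOUS, LDIF_ROOTDN))
```

On the thread's data the rootdn result decodes to a `{crypt}` value whose 13-character hash is a traditional crypt(3) DES hash (which also means only the first eight characters of the password are significant). Since the anonymous search hides `userPassword` while the rootdn search shows it, the directory itself holds a password rlm_pap could check, which points the investigation at the rlm_ldap side (the bind used and the `userPassword` mapping in `ldap.attrmap`) rather than at OpenLDAP.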
