FW: Problem when removing Auth-Type := Ldap in users file

cxu cxu at unbsj.ca
Tue Feb 12 20:52:43 CET 2008


I made some progress on this issue.  I added pap under Autz-Type Ldap1, as
below, and then Auth-Type was set to pap.

authorize {
      preprocess
      chap
      mschap
      suffix
      eap
      Autz-Type Ldap1 {
            redundant-load-balance {
                  myldap
                  myldap2
            }
            pap # <-- the change
      }
      Autz-Type Web {
            files
      }
      files
      pap
}

The purpose of doing this is to make sure pap is the last module being
called during the authorization process.

 

My questions are,

1.	Is this configuration right?  Or is this the correct way to construct an
Autz-Type?
2.	Under what condition will the ldap module set Auth-Type to ldap?

 

Thanks!

Andrew

 

P.S.

In the users file,

DEFAULT Called-Station-Id =~ ".*Guest@myu", Autz-Type := Ldap1
      Fall-Through = no

Debug output,

rad_recv: Access-Request packet from host 192.168.1.113 port 20000, id=8, length=98
        User-Name = "tester"
        Called-Station-Id = "00-1B-BA-A5-45-40:Guest@myu"
        NAS-Port = 152
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "nortel"
        NAS-IP-Address = 192.168.1.113
        User-Password = "testing"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "tester", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
        expand: %{Called-Station-Id} -> 00-1B-BA-A5-45-40:Guest@myu
        expand: %{Called-Station-Id} -> 00-1B-BA-A5-45-40:Guest@myu
    users: Matched entry DEFAULT at line 71
++[files] returns ok
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
  Found Autz-Type Ldap1
+- entering group Ldap1
++- entering redundant-load-balance group redundant-load-balance
rlm_ldap: - authorize
rlm_ldap: performing user authorization for tester
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=tester)
        expand: ou=people,dc=myu,dc=ca -> ou=people,dc=myu,dc=ca
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap2.myu.ca:389, authentication 0
rlm_ldap: setting TLS CACert File to /usr/local/etc/raddb/certs/myuCA.crt
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: bind as uid=radius,dc=myu,dc=ca/PWD12345678 to ldap2.myu.ca:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=myu,dc=ca, with filter (uid=tester)
rlm_ldap: Added User-Password = {SSHA}jSTYFonbXmIE6pReKdYUvq0RhxuhLUAT6FYcG== in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user tester authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[myldap] returns ok
++- redundant-load-balance group redundant-load-balance returns ok
++[pap] returns updated
  rad_check_password:  Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "testing"
rlm_pap: Using SSHA encryption.
rlm_pap: Normalizing SSHA1-Password from base64 encoding
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [tester] (from client myusj113 port 152)
Sending Access-Accept of id 8 to 192.168.1.113 port 20000
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
Waking up in 4.0 seconds.
Cleaning up request 0 ID 8 with timestamp +54
Ready to process requests.

  _____

From: cxu [mailto:cxu at unbsj.ca]
Sent: Thursday, February 07, 2008 2:27 PM
To: 'freeradius-users at lists.freeradius.org'
Subject: Problem when removing Auth-Type := Ldap in users file

Hi,

 

I am testing the FreeRADIUS server and trying to clarify the rules applied in
FreeRADIUS.  In the following trials, I could not figure out how to make
Autz-Type Ldap1 in the authorize section correctly set the Auth-Type used in
authentication without the help of "Auth-Type := Ldap1".

With the following entry in the users file,

**************
DEFAULT Called-Station-Id =~ ".*Guest@myu", Autz-Type := Ldap1, Auth-Type := Ldap1
**************

the user authentication worked fine.

 

 

Below is the debug output.

**************
rad_recv: Access-Request packet from host 192.168.1.113 port 20000, id=19, length=98
        User-Name = "tester"
        Called-Station-Id = "00-1B-BA-A5-45-40:Guest@myu"
        NAS-Port = 189
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "nortel"
        NAS-IP-Address = 192.168.1.113
        User-Password = "testing"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "tester", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
        expand: %{Called-Station-Id} -> 00-1B-BA-A5-45-40:Guest@myu
        expand: %{Called-Station-Id} -> 00-1B-BA-A5-45-40:Guest@myu
    users: Matched entry DEFAULT at line 70
++[files] returns ok
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
  Found Autz-Type Ldap1
+- entering group Ldap1
++- entering redundant-load-balance group redundant-load-balance
rlm_ldap: - authorize
rlm_ldap: performing user authorization for tester
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=tester)
        expand: ou=people,dc=myu,dc=ca -> ou=people,dc=myu,dc=ca
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.myu.ca:389, authentication 0
rlm_ldap: setting TLS CACert File to /usr/local/etc/raddb/certs/unbCA.crt
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: bind as uid=radius,dc=myu,dc=ca/PWD12345678 to ldap.myu.ca:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=myu,dc=ca, with filter (uid=tester)
rlm_ldap: Added User-Password = {SSHA}jSTYFonbXmIE6pReKdYUvq0RhxuhLUAT6FYcG== in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user tester authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[myldap2] returns ok
++- redundant-load-balance group redundant-load-balance returns ok
  rad_check_password:  Found Auth-Type Ldap1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type "Ldap1"
+- entering group Ldap1
++- entering redundant-load-balance group redundant-load-balance
rlm_ldap: - authenticate
rlm_ldap: login attempt by "tester" with password "testing"
rlm_ldap: user DN: uid=tester,ou=people,dc=myu,dc=ca
rlm_ldap: (re)connect to ldap.myu.ca:389, authentication 1
rlm_ldap: setting TLS CACert File to /usr/local/etc/raddb/certs/myuCA.crt
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: bind as uid=tester,ou=people,dc=myu,dc=ca/testing to ldap.myu.ca:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user tester authenticated succesfully
+++[myldap2] returns ok
++- redundant-load-balance group redundant-load-balance returns ok
Login OK: [tester] (from client unbsj113 port 189)
Sending Access-Accept of id 19 to 192.168.1.113 port 20000
Finished request 0.
Going to the next request
Waking up in 0.8 seconds.
Waking up in 4.1 seconds.
Cleaning up request 0 ID 19 with timestamp +99
Ready to process requests.
**************

However, when I removed Auth-Type := Ldap1 from the entry,

**************
DEFAULT Called-Station-Id =~ ".*Guest@myu", Autz-Type := Ldap1
**************

the user authentication failed.  The Auth-Type is set to Local instead of
Ldap.
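A worked check, added here and not part of the original post or of FreeRADIUS itself: a small Python audit of `radiusd -X` output that lists the authorize-section module calls in order, finds the point at which rlm_ldap added the "known good" password to the check items, and reports whether pap ran after that point, which the two traces above show is what decides whether pap returns "updated" and sets Auth-Type. Two of the embedded sample traces are trimmed copies of the debug output in this thread; the third is constructed to stand in for the failing case the message describes ("Auth Type is set to Local"), so its `auth:` and `Login incorrect` lines are my own and not taken from the post. The module names (`myldap`, `myldap2`), the `Ldap1` group name and the `{SSHA}` hash are the post's own.

```python
"""Audit the authorize section of a FreeRADIUS 2.x 'radiusd -X' trace.

Added example, not code from the post or the FreeRADIUS project: list the authorize
module calls in order, note where rlm_ldap added a "known good" password to the
check items, and check whether pap ran after that point (the only place it can set
Auth-Type from).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MODULE_RE = re.compile(r'^\++\[(?P<module>[\w-]+)\] returns (?P<rcode>\w+)')
KNOWN_GOOD_RE = re.compile(r'^rlm_ldap: Added (?P<attr>[\w-]+) = \S+ in check items')
CHECK_RE = re.compile(r'^\s*rad_check_password:\s+Found Auth-Type')
AUTH_TYPE_RE = re.compile(r'^\s*auth: type "?(?P<type>[\w-]+)"?')

@dataclass
class Audit:
    calls: List[Tuple[str, str]] = field(default_factory=list)  # authorize (module, rcode)
    known_good_attr: Optional[str] = None             # check item rlm_ldap added, if any
    pap_before_known_good: int = 0                    # pap calls that had nothing to check
    pap_rcode_after_known_good: Optional[str] = None  # 'updated' means pap set Auth-Type
    auth_type: Optional[str] = None                   # what the authenticate section ran
    findings: List[str] = field(default_factory=list)

def audit_trace(trace: str) -> Audit:
    a = Audit()
    in_authorize = True
    for line in trace.splitlines():
        m = AUTH_TYPE_RE.match(line)
        if m:
            a.auth_type = m.group('type')
        if m or CHECK_RE.match(line):
            in_authorize = False          # authorize is over; ignore authenticate calls
        if not in_authorize:
            continue
        m = MODULE_RE.match(line)
        if m:
            module, rcode = m.group('module'), m.group('rcode')
            a.calls.append((module, rcode))
            if module == 'pap' and a.known_good_attr is None:
                a.pap_before_known_good += 1       # nothing to compare against yet
            elif module == 'pap':
                a.pap_rcode_after_known_good = rcode
        elif KNOWN_GOOD_RE.match(line):
            a.known_good_attr = KNOWN_GOOD_RE.match(line).group('attr')
    a.findings = explain(a)
    return a

def explain(a: Audit) -> List[str]:
    out = []
    if a.pap_before_known_good:
        out.append(f'pap ran {a.pap_before_known_good} time(s) before any known-good '
                   'password existed (those calls can only return noop)')
    if a.known_good_attr and a.pap_rcode_after_known_good is None:
        out.append('no pap call after rlm_ldap added the password: pap cannot set Auth-Type')
    if a.pap_rcode_after_known_good == 'updated':
        out.append('pap ran after the known-good password was added and set Auth-Type')
    if a.known_good_attr == 'User-Password':
        out.append('known-good password came as User-Password; 2.x expects Cleartext-Password '
                   'or a hash attribute such as SSHA1-Password')
    if a.auth_type == 'Local':
        out.append('Auth-Type fell back to Local (plain compare against the check item); '
                   'a hashed check item can never match')
    elif a.auth_type is None:
        out.append('no Auth-Type was set; FreeRADIUS rejects the request')
    return out

# Trimmed from the post's first trace (pap listed again after the LDAP lookup).
TRACE_PAP_AFTER_LDAP = """\
++[files] returns ok
rlm_pap: WARNING! No "known good" password found for the user.
++[pap] returns noop
rlm_ldap: Added User-Password = {SSHA}jSTYFonbXmIE6pReKdYUvq0RhxuhLUAT6FYcG== in check items
+++[myldap] returns ok
++[pap] returns updated
  rad_check_password:  Found Auth-Type
auth: type "PAP"
++[pap] returns ok
"""

# Trimmed from the post's second trace (Auth-Type := Ldap1 forced in the users file).
TRACE_AUTH_TYPE_FORCED = """\
++[files] returns ok
rlm_pap: WARNING! No "known good" password found for the user.
++[pap] returns noop
rlm_ldap: Added User-Password = {SSHA}jSTYFonbXmIE6pReKdYUvq0RhxuhLUAT6FYcG== in check items
+++[myldap2] returns ok
  rad_check_password:  Found Auth-Type Ldap1
auth: type "Ldap1"
+++[myldap2] returns ok
"""

# Constructed, not from the post: no pap after ldap and no forced Auth-Type, the case
# the poster reports as "Auth Type is set to Local" and a failed login.
TRACE_LOCAL_FALLBACK = """\
++[files] returns ok
rlm_pap: WARNING! No "known good" password found for the user.
++[pap] returns noop
rlm_ldap: Added User-Password = {SSHA}jSTYFonbXmIE6pReKdYUvq0RhxuhLUAT6FYcG== in check items
+++[myldap] returns ok
auth: type Local
Login incorrect: [tester] (from client myusj113 port 152)
"""
```

Call `audit_trace()` on a captured trace and read `.calls` and `.findings`; for the first trace it reports one wasted pap call, then pap returning `updated` after the LDAP lookup, and `auth_type == 'PAP'`. Two things the traces above also make visible and that are worth acting on before pasting `-X` output anywhere: the bind line prints the service account's credential in clear (`bind as uid=radius,dc=myu,dc=ca/PWD12345678`), and the request dump prints the user's password, so scrub both, and rotate the bind password if a trace has already gone out.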

 

 
