Authentication type (ldap, users, etc) per client or user?

falz me at falz.net
Thu Jan 3 17:47:11 CET 2008 

On Jan 3, 2008 10:18 AM, Alan DeKok <aland at deployingradius.com> wrote:
> falz wrote:
> > I have a FreeRADIUS server working properly with an LDAP backend. I've
> > brought some user config into the 'users' file for a legacy system
> > we're migrating to this server. However, I cannot seem to find the
> > appropriate way to have FreeRADIUS map clients to a specific
> > authentication type.
>
>   What does that mean?

Radius Client A uses rlm_ldap, Radius Client B uses 'files' for the
livingston-style 'users' file. What I have now is Client A works fine
with LDAP, but it seems to be a default across the system. Client B
always talks to LDAP, it doesn't seem to read from the user's file.

Here's some debug stuff. When I start radiusd -X, it does show that it
reads the files module:

Module: Loaded files
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
 files: compat = "no"


As well as ldap:

Module: Loaded LDAP
<snipped because it all works>



But when one authenticate, it chooses ldap only:


rad_recv: Access-Request packet from host 192.168.0.130:1028, id=18, length=119
        User-Name = "falz"
        User-Password = "abc123"
        NAS-IP-Address = 192.168.0.130
        NAS-Port = 4
        NAS-Port-Type = Async
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Connect-Info = "52000 LAPM/V42BIS"
        Called-Station-Id = "5552271012"
        Calling-Station-Id = "5552291017"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '@' in User-Name = "falz", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for falz
radius_xlat:  '(uid=falz)'
radius_xlat:  'ou=staff,dc=domain,dc=net'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=staff,dc=domain,dc=net, with filter (uid=falz)
request done: ld 0x8068e00 msgid 3
rlm_ldap: checking if remote access for falz is allowed by radiusReplyItem
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: extracted attribute Cisco-AVPair from generic item
Cisco-AVPair := "shell:priv-lvl=15"
rlm_ldap: extracted attribute Fall-Through from generic item Fall-Through = 1
rlm_ldap: extracted attribute Extreme-CLI-Authorization from generic
item Extreme-CLI-Authorization = Enabled
rlm_ldap: extracted attribute Service-Type from generic item
Service-Type = NAS-Prompt-User
rlm_ldap: extracted attribute Service-Type from generic item
Service-Type := Administrative-User
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user falz authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 2
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 2
modcall: leaving group authorize (returns ok) for request 2
  rad_check_password:  Found Auth-Type ldap
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 2
rlm_ldap: - authenticate
rlm_ldap: login attempt by "falz" with password "abc123"
rlm_ldap: user DN: uid=falz,ou=users,ou=staff,dc=domain,dc=net
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=falz,ou=users,ou=staff,dc=domain,dc=net/abc123
to localhost:389
rlm_ldap: waiting for bind result ...
request done: ld 0x8068f00 msgid 1
rlm_ldap: Bind failed with invalid credentials
  modcall[authenticate]: module "ldap" returns reject for request 2
modcall: leaving group LDAP (returns reject) for request 2
auth: Failed to validate the user.
Login incorrect (rlm_ldap: Bind as user failed): [falz] (from client
portmaster3 port 4 cli 6082291017)
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 18 to 192.168.0.130 port 1028
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 18 with timestamp 477d0e80
Nothing to do.  Sleeping until we see a request.


It is logical that it does this, as I have nothing in my config about
this client using 'files'/'users', because I do not know what to put
in. I posted the original link, and also found this, which is related:

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg40372.html

However, in all cases that I find, users are trying to authenticate
with multiple same-type backends. Original link user is authenticating
off of different LDAP servers, this case they're authenticating off of
multiple SQL servers. I want 1 LDAP and one 'files'.

--falz

More information about the Freeradius-Users mailing list