Freeradius-Users Digest, Vol 39, Issue 18 topic 5: freeradius with multiple ldap servers

Sambuddho Chakravarty sc2516 at columbia.edu
Thu Jul 3 21:54:30 CEST 2008


Hi Andy
 Thanks a lot. The problem is that I have a file named ldap
inside /etc/raddb/modules directory and it has two ldap modules , ldap1
and ldap2. 

ldap ldap1 {
	server = ....
	identity = .... (set the appropriate CN)
	password = password for the above CN
	basedn = "ou=People,dc=example,dc=com"
	...
	}


ldap ldap1 {
	server = ....
	identity = .... (set the appropriate CN)
	password = password for the above CN
	basedn = "ou=People,dc=example,dc=com"
	...
	}


The first server has a user named 'try' and the second one has one named
'catch'. 

When I try to perform authentication using radtest tool with the
username and password (say for try ) , it searches it in the LDAP server
which doesn't have it and doesn't search the one which actually has the
username. When I try with username 'catch' , it finds the username and
the password but then it goes into 

auth: type Local 
 
and fails. 
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
        expand: ou=People,dc=example,dc=com ->
ou=People,dc=example,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter
(uid=catch)
rlm_ldap: Added User-Password = $1$FYblmPWy$fmgebhCOLpHvhdECNP4EG0 in
check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user catch authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap2] returns ok
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with
Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known
good"               !!!
!!! clear text password is in Cleartext-Password, and not in
User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> catch
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 48 to 127.0.0.1 port 1025
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 48 with timestamp +39
Ready to process requests.

I know its trivial but I am now struggling with this for a long time. 
(Freeradius version : 2.05)

Thanks
Sambuddho



 
On Thu, 2008-07-03 at 12:35 -0700, Andy An wrote:
> Hi Sambuddho:
> 
> I met similar problem a few weeks ago. 
> You need to set the ldap identity/password for your freeRadius server at modules/ldap:
> e.g. mine is like:
> 
>         server = "ldap.xxx.ca"
>         identity = "cn=radius,ou=Applications,dc=xxx,dc=ca"
>         password = "password"
>         basedn = "ou=People,dc=xxx,dc=ca"
> 
> The default setting is "read-only" anonymous search(i.e. without 
> identity/password setting) and it will fail because ldap server does not 
> allow anonymous search for other user's password.
> Hope this is helpful.
> 
> Andy
> 
> 
> freeradius-users-request at lists.freeradius.org wrote:
> > Send Freeradius-Users mailing list submissions to
> > 	freeradius-users at lists.freeradius.org
> >
> > To subscribe or unsubscribe via the World Wide Web, visit
> > 	http://lists.freeradius.org/mailman/listinfo/freeradius-users
> > or, via email, send a message with subject or body 'help' to
> > 	freeradius-users-request at lists.freeradius.org
> >
> > You can reach the person managing the list at
> > 	freeradius-users-owner at lists.freeradius.org
> >
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of Freeradius-Users digest..."
> >
> >
> > Today's Topics:
> >
> >    1. Re: =?UTF-8?Q?freeradius-proxy_+_PAP_works,
> >       _PEAP_and_the_rest_doesn=C2=B4t?= (uni at christiankraus.de)
> >    2. Re: freeradius-proxy + PAP works,  PEAP and the rest doesn?t
> >       (Alan DeKok)
> >    3. Re: freeradius-proxy + PAP works, PEAP and the rest doesn?t
> >       (Ivan Kalik)
> >    4. Re: sqlippool (Ivan Kalik)
> >    5. Re: freeradius with multiple ldap servers (Sambuddho Chakravarty)
> >    6.
> >       Re:=?UTF-8?Q?freeradius-proxy_+_PAP_works,_PEAP_and_the_rest_doesn=C2=B4t?=
> >       (A.L.M.Buxey at lboro.ac.uk)
> >
> >
> > ------------------------------
> >
> > Message: 5
> > Date: Thu, 03 Jul 2008 12:50:25 -0400
> > From: Sambuddho Chakravarty <sc2516 at columbia.edu>
> > Subject: Re: freeradius with multiple ldap servers
> > To: FreeRadius users mailing list
> > 	<freeradius-users at lists.freeradius.org>
> > Message-ID: <1215103825.8819.81.camel at insomniac>
> > Content-Type: text/plain; charset=utf-8
> >
> > Hello Ivan
> >  But I don't have a field in the database by that name . The name of the
> > field is "userPassword" . This is what the openLDAP migration scripts
> > generated. Please let me know what mistake I am doing . Also , my
> > question on failover. Is the failover used when the first LDAP server is
> > down / unresponsive to connection attempts or when it is not able to
> > authenticate (example bad username / password)  ?
> >
> > Thanks
> > Sambuddho
> > On Thu, 2008-07-03 at 10:24 +0100, Ivan Kalik wrote:
> >   
> >> Password (radius) attribute should be Crypt-Password not User-Password.
> >>
> >> Ivan Kalik
> >> Kalik Informatika ISP
> >>
> >>
> >> Dana 3/7/2008, "Sambuddho Chakravarty" <sc2516 at columbia.edu> pi?e:
> >>
> >>     
> >>> Hello
> >>>
> >>> I set the password_header to = {crypt} and password_attribute to
> >>> "userPassword" (Thats the name of the field in the database). Now this
> >>> is what the logs show,
> >>>
> >>> rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter
> >>> (uid=try)
> >>> rlm_ldap: Added User-Password = $1$n48a7wCp$RfvlOx1pZgiVNfmMmA2xS. in
> >>> check items
> >>> rlm_ldap: looking for check items in directory...
> >>> rlm_ldap: looking for reply items in directory...
> >>> rlm_ldap: user try authorized to use remote access
> >>> rlm_ldap: ldap_release_conn: Release Id: 0
> >>> +++[ldap1] returns ok
> >>> ++- policy redundant returns ok
> >>> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >>> !!!    Replacing User-Password in config items with
> >>> Cleartext-Password.     !!!
> >>> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >>> !!! Please update your configuration so that the "known
> >>> good"               !!!
> >>> !!! clear text password is in Cleartext-Password, and not in
> >>> User-Password. !!!
> >>> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >>> auth: type Local
> >>> auth: user supplied User-Password does NOT match local User-Password
> >>> auth: Failed to validate the user.
> >>>  Found Post-Auth-Type Reject
> >>> +- entering group REJECT
> >>>        expand: %{User-Name} -> try
> >>> attr_filter: Matched entry DEFAULT at line 11
> >>>
> >>>
> >>>
> >>> My guess is authorize{}  worked but not authenticate {}. Also , I see
> >>> both modules ldap1 and ldap2 being loaded but whenever I try to
> >>> authenticate with the username/password that is found in ldap2 , the
> >>> radius server never attempts to connect to the other LDAP server.
> >>> Instead it search for the entries in the "ldap1"'s server only.
> >>>
> >>> Any suggestions ?
> >>>
> >>> Thanks
> >>> Sambuddho
> >>>
> >>>
> >>> On Wed, 2008-07-02 at 23:45 +0100, Ivan Kalik wrote:
> >>>       
> >>>> http://wiki.freeradius.org/index.php/Rlm_ldap
> >>>>
> >>>> See use of password_header and password_attribute.
> >>>>
> >>>> Ivan Kalik
> >>>> Kalik Informatika ISP
> >>>>
> >>>>
> >>>> Dana 2/7/2008, "Sambuddho Chakravarty" <sc2516 at columbia.edu> pi??e:
> >>>>
> >>>>         
> >>>>> Hello
> >>>>> I think I know what the problem is. The radius server is looking up
> >>>>> using cleartext password , while the LDAP data base stores the hashed
> >>>>> passwords. How can I force the radiuse server to search for the password
> >>>>> as a hashed value (rather than searching for the clear-text value) ?
> >>>>>
> >>>>> Thanks
> >>>>> Sambuddho
> >>>>> On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
> >>>>>           
> >>>>>> Hello Alan
> >>>>>>   I made sure this time that rlm_ldap was compiled. Now the following is
> >>>>>> the configuration
> >>>>>>
> >>>>>> ------/etc/raddb/modules/ldap-----------
> >>>>>>
> >>>>>> ldap ldap1 {
> >>>>>> 	server = "a.b.c.d"
> >>>>>> 	...
> >>>>>> 	}
> >>>>>>
> >>>>>> ldap ldap2 {
> >>>>>> 	server = "w.x.y.z"
> >>>>>> 	...
> >>>>>> 	}
> >>>>>>
> >>>>>> -----/etc/raddb/radiusd.conf-----
> >>>>>>
> >>>>>>
> >>>>>> authorize {
> >>>>>>        ldap1
> >>>>>>
> >>>>>>          ldap2
> >>>>>>
> >>>>>>         }
> >>>>>>
> >>>>>>    authenticate {
> >>>>>>         ldap1
> >>>>>>         ldap2
> >>>>>>         }
> >>>>>>
> >>>>>> ------------------------------------
> >>>>>>
> >>>>>> When I execute /sbin/radiusd -X
> >>>>>>
> >>>>>> It shows instantiating module ldap1 and module ldap2
> >>>>>>
> >>>>>> ....
> >>>>>>  Module: Instantiating ldap2
> >>>>>>   ldap ldap1 {
> >>>>>>         server = "a.b.c.d"
> >>>>>>         port = 389
> >>>>>> ....
> >>>>>>  Module: Instantiating ldap2
> >>>>>>   ldap ldap2 {
> >>>>>>         server = "w.x.y.z"
> >>>>>>         port = 389
> >>>>>> ....
> >>>>>>
> >>>>>> When sending a radtest request using the following command (from the
> >>>>>> same machine as one which is running the server)
> >>>>>>
> >>>>>> $ radtest user "secret" localhost 2 testing123
> >>>>>>
> >>>>>> I get ACCESS-REJECT reply from the sever.
> >>>>>>
> >>>>>> On the server the logs show something like this
> >>>>>> ---------------------------------------------------
> >>>>>> It shows binding to both LDAP servers one by one through something like
> >>>>>> this :
> >>>>>>
> >>>>>> rlm_ldap: performing user authorization for catch
> >>>>>> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
> >>>>>> details
> >>>>>>         expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
> >>>>>>         expand: ou=People,dc=example,dc=example ->
> >>>>>> ou=People,dc=example,dc=example
> >>>>>> rlm_ldap: ldap_get_conn: Checking Id: 0
> >>>>>> rlm_ldap: ldap_get_conn: Got Id: 0
> >>>>>> rlm_ldap: attempting LDAP reconnection
> >>>>>> rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0
> >>>>>> rlm_ldap: bind as / to 30.0.0.2:389
> >>>>>> rlm_ldap: waiting for bind result ...
> >>>>>> rlm_ldap: Bind was successful
> >>>>>> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
> >>>>>> filter (uid=catch)
> >>>>>> rlm_ldap: object not found or got ambiguous search result
> >>>>>> rlm_ldap: search failed
> >>>>>> rlm_ldap: ldap_release_conn: Release Id: 0
> >>>>>> ++[ldap1] returns notfound
> >>>>>> rlm_ldap: - authorize
> >>>>>> rlm_ldap: performing user authorization for catch
> >>>>>> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
> >>>>>> details
> >>>>>>         expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
> >>>>>>         expand: ou=People,dc=example,dc=example ->
> >>>>>> ou=People,dc=example,dc=example
> >>>>>> rlm_ldap: ldap_get_conn: Checking Id: 0
> >>>>>> rlm_ldap: ldap_get_conn: Got Id: 0
> >>>>>> rlm_ldap: attempting LDAP reconnection
> >>>>>> rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0
> >>>>>> rlm_ldap: bind as / to 10.0.0.1:389
> >>>>>> rlm_ldap: waiting for bind result ...
> >>>>>> rlm_ldap: Bind was successful
> >>>>>> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
> >>>>>> filter (uid=catch)
> >>>>>> rlm_ldap: object not found or got ambiguous search result
> >>>>>> rlm_ldap: search failed
> >>>>>> rlm_ldap: ldap_release_conn: Release Id: 0
> >>>>>> ++[ldap2] returns notfound
> >>>>>>
> >>>>>> auth: No authenticate method (Auth-Type) configuration found for the
> >>>>>> request: Rejecting the user
> >>>>>> auth: Failed to validate the user.
> >>>>>>
> >>>>>> You can see it is attempting to search both databases but fails. If I
> >>>>>> use a simple telnet or ssh to authenticate against the LDAP server it
> >>>>>> logs in fine. LDAP client login against the LDAP server is otherwise
> >>>>>> working fine. I know I have been bothering using trivial question. But
> >>>>>> any help would be appreciated :-)
> >>>>>>
> >>>>>> Thanks in advance.
> >>>>>> Sambuddho
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote:
> >>>>>>             
> >>>>>>> Sambuddho Chakravarty wrote:
> >>>>>>>               
> >>>>>>>>  This is exactly what I did . I forgot to put the separate module names
> >>>>>>>>                 
> >>>>>>>   The consistent problems you see make me think that the issue is more
> >>>>>>> than "forgot".
> >>>>>>>
> >>>>>>>               
> >>>>>>>> And now when I try to start the server this is what the error I see :
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> server {
> >>>>>>>>  modules {
> >>>>>>>>  Module: Checking authenticate {...} for more modules to load
> >>>>>>>> //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap':
> >>>>>>>>                 
> >>>>>>>   So.... was that module built?  Apparently not...
> >>>>>>>
> >>>>>>>               
> >>>>>>>> When trying with a single server ,it matches the radius request against
> >>>>>>>> rlm_pap and not rlm_ldap. I am confused.
> >>>>>>>>                 
> >>>>>>>   Perhaps reading the debug output (and that of "configure" and "make")
> >>>>>>> would help.
> >>>>>>>
> >>>>>>>   Alan DeKok.
> >>>>>>> -
> >>>>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >>>>>>>               
> >>>>>> -
> >>>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >>>>>>             
> >>>>> -
> >>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/usershtml
> >>>>>
> >>>>>
> >>>>>           
> >>>> -
> >>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >>>>         
> >>> -
> >>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >>>       
> >> -
> >> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >>     
> >
> >
> >
> > ------------------------------
> >
> > Message: 6
> > Date: Thu, 3 Jul 2008 18:00:35 +0100
> > From: A.L.M.Buxey at lboro.ac.uk
> > Subject:
> > 	Re:=?UTF-8?Q?freeradius-proxy_+_PAP_works,_PEAP_and_the_rest_doesn=C2=B4t?=
> > 	
> > To: FreeRadius users mailing list
> > 	<freeradius-users at lists.freeradius.org>
> > Message-ID: <20080703170035.GA14834 at lboro.ac.uk>
> > Content-Type: text/plain; charset=us-ascii
> >
> > hi,
> >
> > if you really are using freeradius as a proxy, as you stated,
> > then you dont need certificates...as the system will JUST
> > proxy. if you mean you want to terminate EAP on your
> > freeradius, then please dont call it a proxy. get the 
> > terminology correct.
> >
> > what did you do wrong?
> >
> > well, since 1.1.7 and 2.0.5 need completely different configs,
> > i doubt you could make the same mistake twice...you CANT use a 1.1.7
> > config on a 2.0.5 box.
> >
> > from what i can see, the daemon is clearly telling you something
> > is wrong with your DH stuff. read eap.conf properly. get rid
> > of that error. thats your primary task.
> >
> > alan
> >
> >
> > ------------------------------
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
> >
> > End of Freeradius-Users Digest, Vol 39, Issue 18
> > ************************************************
> >
> >   
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




More information about the Freeradius-Users mailing list