freeradius with multiple ldap servers

Sambuddho Chakravarty sc2516 at columbia.edu
Sun Jul 6 19:03:53 CEST 2008


Hello Alan and Ivan,
 My intent is not to pester you with my queries, but the problem is still
what it was initially. I'll once again tell you the configuration that I
am using.


------------------------radiusd.conf-----------------------------------


/* Most of the stuff is untouched.
*/

/* Added authenticate{} and authorize{} section */

authenticate {
        ldap1
        ldap2
}

authorize{
         ldap1
         ldap2
        }


-----------------module/ldap------------------------------


ldap ldap1{
        #
        #  Note that this needs to match the name in the LDAP
        #  server certificate, if you're using ldaps.
        server = "...."
        identity = "....."
        password = .....
        basedn = "ou=People,dc=example,dc=com"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        ldap_connections_number = 5
        password_header="{crypt}"
        password_attribute=userPassword
        password_radius_attribute=Crypt-Password

	 .....

}


ldap ldap1{
        #
        #  Note that this needs to match the name in the LDAP
        #  server certificate, if you're using ldaps.
        server = "...."
        identity = "....."
        password = .....
        basedn = "ou=People,dc=example,dc=com"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        ldap_connections_number = 5
        password_header="{crypt}"
        password_attribute=userPassword
        password_radius_attribute=Crypt-Password

	.....

}


The 'users' and 'client' files are unchanged.

I run the server with the following command line options. 'radiusd -X'

To test I run the radtest tool with the following option. 

 radtest catch "catchall" localhost 2 testing123

Here catch and catchall are user and password in the LDAP database
created from a unix account on the host hosting the LDAP database. The
migration from the regular unix /etc/passwd to the LDIF file was done
using the migration tools. 

The reply received was rad_recv: Access-Reject. The following was the
debug output from the server.

rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=catch)
rlm_ldap: Added User-Password = $1$FYblmPWy$fmgebhCOLpHvhdECNP4EG0 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user catch authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap2] returns ok
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> catch
 attr_filter: Matched entry DEFAULT at line 11

Please point out to me what may possibly have gone wrong.

Another observation:

1. When I try to test using the username 'try' stored in the other ldap
database, it doesn't search in the other LDAP server but only searches
in the one which doesn't have it and fails. 

2. The problem in (1) doesn't occur when I comment out the
'password_attribute' line in the modules/ldap file. It then searches the
appropriate LDAP database, but fails with the following output.

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials

Please advise.

Thanks
Sambuddho



On Sun, 2008-07-06 at 08:06 +0200, Alan DeKok wrote:
> Sambuddho Chakravarty wrote:
> >  Does that mean that I cannot authenticate against an LDAP server from a
> > freeradius server using cleartext passwords?
> 
>   No.  That is not what he said.
> 
> > So the freeradius client
> > needs to send the password in encrypted format.
> 
>   No.  That is not what he said.
> 
> > But other programs which
> > use an LDAP server to authenticate (e.g. pam_ldap) take as input the
> > cleartext password.
> 
>   We know.  We've been doing this for years.
> 
> > Is there a solution to this ?
> 
>   Do what Ivan said.
> 
> > Maybe I am mistaken somewhere.
> 
>   Lots.
> 
> > Please let me know.
> 
>   We're trying to help you.  It's not working.
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
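
An added example, not part of the original thread or of FreeRADIUS: a small checker for the pattern visible in the debug output quoted above, where rlm_ldap places a crypt-format value in User-Password and the server then does a local comparison that cannot match. The function names and the scheme table are assumptions made for this illustration; the sample lines are copied from the post, mail wrapping included.

```python
import re

# Sample input: lines from the `radiusd -X` output quoted in the post,
# including the mail client's wrap inside the "Added ..." line.
SAMPLE_DEBUG = """\
rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter
(uid=catch)
rlm_ldap: Added User-Password = $1$FYblmPWy$fmgebhCOLpHvhdECNP4EG0 in
check items
rlm_ldap: user catch authorized to use remote access
++[ldap2] returns ok
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
"""

# crypt(3) modular-format prefixes and LDAP-style scheme headers (illustrative table).
HASH_SCHEMES = [
    (re.compile(r"^\$1\$"), "md5-crypt"),
    (re.compile(r"^\$5\$"), "sha256-crypt"),
    (re.compile(r"^\$6\$"), "sha512-crypt"),
    (re.compile(r"^\{(crypt|md5|smd5|sha|ssha)\}", re.I), "ldap-scheme-header"),
]
ADDED = re.compile(r"rlm_ldap: Added (\S+) = (\S+) in check items")
# Attributes the server treats as a "known good" clear text password.
CLEARTEXT_ATTRS = {"User-Password", "Cleartext-Password"}
# Line starts that begin a new debug record; anything else is a wrapped tail.
RECORD_START = re.compile(r"^(\s|\+|!|auth:|rlm_\w+:)")

def unwrap(text):
    """Rejoin lines that were wrapped in transit onto the record they belong to."""
    out = []
    for line in text.splitlines():
        if out and line and not RECORD_START.match(line):
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def hash_scheme(value):
    """Return the scheme name if value looks like a stored hash, else None."""
    return next((name for rx, name in HASH_SCHEMES if rx.search(value)), None)

def diagnose(text):
    """Return ([(attribute, scheme), ...], local_compare_failed) for a debug log."""
    lines = unwrap(text)
    findings = []
    for line in lines:
        m = ADDED.search(line)
        if m and m.group(1) in CLEARTEXT_ATTRS and hash_scheme(m.group(2)):
            findings.append((m.group(1), hash_scheme(m.group(2))))
    failed = any("does NOT match local User-Password" in l for l in lines)
    return findings, failed
```

A non-empty findings list together with a failed local comparison means a hashed value reached an attribute that is compared as clear text; in the quoted log the value carries the `$1$` prefix and was added as User-Password rather than the Crypt-Password named in the posted module configuration.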



