Problems with 1.0.6-2.0.1 connecting to OpenLDAP 2.3.33

Zach Lowry zach at zachlowry.net
Tue Mar 4 02:15:26 CET 2008


Sorry to reply to my own post, just curious if anyone had a chance to  
take a glance at this. I'm still stumped and starting to suspect that  
my OpenLDAP is borked somehow, due to the numerous revisions of  
Freeradius I've attempted now.

Thanks again,

--Zach

On Mar 1, 2008, at 6:18 PM, Zach Lowry wrote:

> I'm running FreeRadius 2.0.1 on OpenBSD 4.2 on sparc64. I've also  
> tried versions 1.0.6 and 1.1.6. I'm using OpenLDAP 2.3.33 with  
> rlm_ldap. It works for the first request, then returns the following:
>
> From FreeRadius:
>
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1 port 2362, id=66,
> length=56
>        User-Name = "zach"
>        User-Password = "*****"
>        NAS-IP-Address = 192.168.2.11
>        NAS-Port = 1812
> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
>    rlm_realm: No '@' in User-Name = "zach", looking up realm NULL
>    rlm_realm: No such realm "NULL"
> ++[suffix] returns noop
>  rlm_eap: No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> ++[files] returns noop
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for zach
> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
> details
>        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=zach)
>        expand: o=zachlowry.net,c=US -> o=zachlowry.net,c=US
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in o=zachlowry.net,c=US, with filter
> (uid=zach)
> rlm_ldap: ldap_search() failed: Timed out while waiting for server to
> respond. Please increase the timeout.
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns fail
> Invalid user: [zach/*****] (from client localhost port 1812)
>  Found Post-Auth-Type Reject
> +- entering group REJECT
>        expand: %{User-Name} -> zach
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 2 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 2
> Sending Access-Reject of id 66 to 127.0.0.1 port 2362
> Waking up in 4.9 seconds.
> Cleaning up request 2 ID 66 with timestamp +113
> Ready to process requests.
>
> From OpenLDAP:
>
> Mar  1 10:25:01 tweedledum slapd[9985]: conn=8483 op=4 SRCH
> base="o=zachlowry.net,c=US" scope=2 deref=0 filter="(uid=zach)"
> Mar  1 10:25:01 tweedledum slapd[9985]: conn=8483 op=4 SRCH
> attr=radiusNASIpAddress radiusExpiration acctFlags sambaNtPassword
> sambaLmPassword ntPassword lmPassword radiusCallingStationId
> radiusCalledStationId radiusSimultaneousUse radiusAuthType
> radiusCheckItem radiusReplyMessage radiusLoginLATPort radiusPortLimit
> radiusFramedAppleTalkZone radiusFramedAppleTalkNetwork
> radiusFramedAppleTalkLink radiusLoginLATGroup radiusLoginLATNode
> radiusLoginLATService radiusTerminationAction radiusIdleTimeout
> radiusSessionTimeout radiusClass radiusFramedIPXNetwork  
> radiusCallbackId
> Mar  1 10:25:01 tweedledum slapd[9985]: conn=8483 op=4 SRCH
> attr=radiusCallbackNumber radiusLoginTCPPort radiusLoginService
> radiusLoginIPHost radiusFramedCompression radiusFramedMTU
> radiusFilterId radiusFramedRouting radiusFramedRoute
> radiusFramedIPNetmask radiusFramedIPAddress radiusFramedProtocol
> radiusServiceType radiusReplyItem userPassword
> Mar  1 10:25:01 tweedledum slapd[9985]: conn=8483 op=4 SEARCH RESULT
> tag=101 err=0 nentries=1 text=
> Mar  1 10:25:01 tweedledum slapd[9985]: conn=8483 op=5 ABANDON msg=5
>
> I can't find where the ABANDON is sent to the LDAP server. The
> "increase the timeout" error is found easily enough in rlm_ldap.c,
> but I can't figure out what timeout to increase. I think there's a
> deeper issue afoot, however.
>
> Thanks,
>
> --Zach
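
The pattern visible in the slapd excerpt above (a SEARCH RESULT logged with err=0, then an ABANDON on the same connection) can be picked out of a longer log mechanically. This is an added example, not part of the original post and not FreeRADIUS or OpenLDAP code; the function name and the sample lines are constructed, and the log format is assumed to match the excerpt once wrapped lines are rejoined.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the slapd excerpt in the post (wrapped lines rejoined;
# the conn=8490 lines are invented as a "normal" connection for contrast).
SAMPLE_LOG = """\
Mar  1 10:25:01 tweedledum slapd[9985]: conn=8483 op=4 SRCH base="o=zachlowry.net,c=US" scope=2 deref=0 filter="(uid=zach)"
Mar  1 10:25:01 tweedledum slapd[9985]: conn=8483 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar  1 10:25:01 tweedledum slapd[9985]: conn=8483 op=5 ABANDON msg=5
Mar  1 10:25:07 tweedledum slapd[9985]: conn=8490 op=1 SRCH base="o=zachlowry.net,c=US" scope=2 deref=0 filter="(uid=alice)"
Mar  1 10:25:07 tweedledum slapd[9985]: conn=8490 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\sslapd\[\d+\]:\s"
                  r"conn=(?P<conn>\d+)\sop=(?P<op>\d+)\s(?P<rest>.*)$")
RESULT = re.compile(r"^SEARCH RESULT tag=\d+ err=(?P<err>\d+) nentries=(?P<n>\d+)")

def find_abandoned_after_result(log_text):
    """Return one finding per ABANDON that arrives on a connection whose
    most recent search had already completed (a SEARCH RESULT was logged)."""
    last = defaultdict(dict)   # conn -> state of the most recent search
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a slapd conn/op line
        conn, op, rest = int(m["conn"]), int(m["op"]), m["rest"]
        if rest.startswith("SRCH base="):
            f = re.search(r'filter="([^"]*)"', rest)
            last[conn] = {"op": op, "filter": f.group(1) if f else None, "result": None}
        elif (r := RESULT.match(rest)) and last[conn].get("op") == op:
            last[conn]["result"] = (int(r["err"]), int(r["n"]))
        elif rest.startswith("ABANDON") and last[conn].get("result") is not None:
            err, n = last[conn]["result"]
            findings.append({"conn": conn, "search_op": last[conn]["op"], "abandon_op": op,
                             "filter": last[conn]["filter"], "err": err, "nentries": n,
                             "time": m["ts"]})
    return findings

if __name__ == "__main__":
    for finding in find_abandoned_after_result(SAMPLE_LOG):
        print(finding)
```

A finding means the server logged a completed search before the client gave up on it, which points the investigation at the client side of the connection rather than at slapd's search performance.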




More information about the Freeradius-Users mailing list