Need help for configuration - LDAP with custom files Failover
Dajka Tamás
tdajka at geomant.com
Tue Oct 28 10:52:12 CET 2008
Uncommented the "Auth-Type" in users, and the debug output:
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = yes
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
}
radiusd: #### Loading Virtual Servers ####
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "crypt"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_ldap
Module: Instantiating ldap
ldap {
server = "ldap.mydomain.hu"
port = 636
password = ""
identity = ""
net_timeout = 5
timeout = 4
timelimit = 3
tls_mode = yes
start_tls = no
tls_cacertfile = "/etc/ssl/mydomain.hu/ca/cacert.pem"
tls_require_cert = "never"
basedn = "dc=mydomain,dc=hu"
filter = "(uid=%{User-Name})"
base_filter = "(objectclass=posixAccount)"
password_header = "{clear}"
password_attribute = "userPassword"
auto_header = no
access_attr = "uid"
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/etc/freeradius/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
edir_account_policy_check = yes
set_auth_type = yes
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP userPassword mapped to RADIUS User-Password
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
conns: 0x8816b00
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_detail
Module: Instantiating auth_log
detail auth_log {
detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
compat = "no"
}
Module: Linked to module rlm_passwd
Module: Instantiating ciscopwd
passwd ciscopwd {
filename = "/etc/freeradius/ciscopwd"
format = "*User-Name:Crypt-Password"
delimiter = ":"
ignorenislike = yes
ignoreempty = yes
allowmultiplekeys = no
hashsize = 100
}
rlm_passwd: nfields: 2 keyfield 0(User-Name) listable: no
Module: Instantiating ciscoextra
passwd ciscoextra {
filename = "/etc/freeradius/ciscoextra"
format = "*User-Name:=Cisco-AVPair"
delimiter = ";"
ignorenislike = yes
ignoreempty = yes
allowmultiplekeys = no
hashsize = 100
}
rlm_passwd: nfields: 2 keyfield 0(User-Name) listable: no
Module: Instantiating ciscogroup
passwd ciscogroup {
filename = "/etc/freeradius/ciscogroup"
format = "*User-Name:~Group"
delimiter = ":"
ignorenislike = yes
ignoreempty = yes
allowmultiplekeys = no
hashsize = 100
}
rlm_passwd: nfields: 2 keyfield 0(User-Name) listable: no
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_counter
Module: Instantiating daily
counter daily {
filename = "/etc/freeradius/db.daily"
key = "User-Name"
reset = "daily"
count-attribute = "Acct-Session-Time"
counter-name = "Daily-Session-Time"
check-name = "Max-Daily-Session"
allowed-servicetype = "Framed-User"
cache-size = 5000
}
rlm_counter: Counter attribute Daily-Session-Time is number 11276
rlm_counter: Current Time: 1225186760 [2008-10-28 10:39:20], Next reset 1225234800 [2008-10-29 00:00:00]
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
}
}
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
main {
snmp = no
smux_password = ""
snmp_write_access = no
}
Listening on authentication address * port 1812
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host myswitchip port 1645, id=139, length=80
NAS-IP-Address = myswitchip
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = "myusernamer"
Calling-Station-Id = "myclientip"
User-Password = "myvalid_ldap_password"
+- entering group authorize
++[preprocess] returns ok
expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/myswitchip/auth-detail-20081028
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/myswitchip/auth-detail-20081028
expand: %t -> Tue Oct 28 10:39:26 2008
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++- entering policy redundant
users: Matched entry DEFAULT at line 11
+++[files] returns ok
++- policy redundant returns ok
rlm_passwd: Added Cisco-AVPair: 'shell:priv-lvl=1' to reply_items
++[ciscoextra] returns ok
++[ciscogroup] returns notfound
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
+- entering group LDAP
rlm_ldap: - authenticate
rlm_ldap: login attempt by "myusername" with password "myvalid_ldap_password"
expand: (uid=%{User-Name}) -> (uid=myusername)
expand: dc=mydomain,dc=hu -> dc=mydomain,dc=hu
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.mydomain.hu:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /etc/ssl/mydomain.hu/ca/cacert.pem
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: bind as / to ldap.mydomain.hu:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=mydomain,dc=hu, with filter (uid=myusername)
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: user DN: cn=myusername,ou=users,dc=mydomain,dc=hu
rlm_ldap: (re)connect to ldap.mydomain.hu:636, authentication 1
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /etc/ssl/mydomain.hu/ca/cacert.pem
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: bind as cn=myusername,ou=users,dc=mydomain,dc=hu/myvalid_ldap_password to ldap.mydomain.hu:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user myusername authenticated succesfully
++[ldap] returns ok
Login OK: [myusername/myvalid_ldap_password] (from client myshortname port 1 cli myclientip)
Sending Access-Accept of id 139 to myswitchip port 1645
Cisco-AVPair = "shell:priv-lvl=1"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
The myusername is same in the ciscopwd file and in LDAP, but the passwords are different.
________________________________________
Feladó: freeradius-users-bounces+tdajka=geomant.com at lists.freeradius.org [freeradius-users-bounces+tdajka=geomant.com at lists.freeradius.org], meghatalmazó: tnt at kalik.net [tnt at kalik.net]
Küldve: 2008. október 28. 10:36
Címzett: FreeRadius users mailing list
Tárgy: RE: Need help for configuration - LDAP with custom files Failover
>redundant {
> # if I comment the folloing line out, the password is accepted, but I get "% Authorization failed." from the switch (this is coused by the incorrect "users" file maybe).
So, post the debug (radiusd -X).
> files
> ldap
> ciscopwd
> # if I uncomment the following line, freerad won't start
> # ok = return
>}
>
>The users file:
>
>DEFAULT Auth-Type := Crypt-Local
> Service-Type = Login-User
>
You said you have plain text passwords. This will ensure that
authentication fails. Delete that Auth-Type.
Ivan Kalik
Kalik Informatika ISP
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list