LDAP auth in two sources

Vladimir Mendelevich menv at on-line.ru
Thu Nov 26 12:27:22 CET 2009


On Wed, 25 Nov 2009 19:51:34 -0000 (UTC)
 tnt at kalik.net wrote:

Thank you for the reply.

> > radiusd: FreeRADIUS Version 1.1.3, for host x86_64-redhat-linux-gnu,
> > built on Apr 25 2007 at 09:04:23
> 
> Upgrade.
> 
> http://wiki.freeradius.org/Red_Hat_FAQ#Current_Pre-built_RPM.27s_for_RHEL_5_and_CentOS_5
> 
Done.

FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu,
built on Sep 18 2009 at 11:00:13
Copyright (C) 1999-2009 The FreeRADIUS server project and
contributors. 


> > With the current configuration I get this:
> >
> > if the username isn't found in the first LDAP, proceed to the next;
> > if the username isn't found in the second LDAP, DENY access
> 
> You probably don't need that after the upgrade. Just force
> Auth-Type LDAP in the users file.

As I don't have any auth other than LDAP, it is done
automatically. I hope so. ;-)

> 
> Create failover inside Auth-Type LDAP:
> 
> Auth-Type LDAP {
>      tam {
>           reject = 2
>           }
>      if(reject) {
>           lotus
>      }
> }
> 

I have realised something like this on my long road to
success. Unfortunately there is an issue.

LDAP1: uid=username,o=org1
LDAP2: uid=username,o=org2

As you can see "o=org..." is different.

--------
rad_recv: Access-Request packet from host 192.168.110.3
port 46057, id=141, length=64
	User-Name = "vmendelevich"
	User-Password = "33333333"
	NAS-IP-Address = 192.168.110.3
	NAS-Port = 10
+- entering group authorize {...}
++- entering group ldap {...}
[tam] performing user authorization for vmendelevich
[tam] 	expand: (uid=%{User-Name}) -> (uid=vmendelevich)
[tam] 	expand: o=org1 -> o=org1
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to skoll-vm1.kmz.ts:389,
authentication 0
rlm_ldap: bind as / to skoll-vm1.kmz.ts:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=org1, with filter
(uid=vmendelevich)
[tam] looking for check items in directory...
[tam] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are
you sure that the user is configured correctly?
[tam] Setting Auth-Type = tam
[tam] user vmendelevich authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[tam] returns ok
++- group ldap returns ok
Found Auth-Type = tam
+- entering group tam {...}
[tam] login attempt by "vmendelevich" with password
"33333333"
[tam] user DN: uid=vmendelevich,o=org1
rlm_ldap: (re)connect to ldap1.ts:389, authentication 1
rlm_ldap: bind as uid=vmendelevich,o=org1/33333333 to
ldap1.ts:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
++[tam] returns reject
++? if (reject)
? Evaluating (reject) -> TRUE
++? if (reject) -> TRUE
++- entering if (reject) {...}
[lotus] login attempt by "vmendelevich" with password
"33333333"
[lotus] user DN: uid=vmendelevich,o=org1
rlm_ldap: (re)connect to ldap2.ts:389, authentication 1
rlm_ldap: bind as uid=vmendelevich,o=org1/33333333 to
ldap2.ts:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
+++[lotus] returns reject
++- if (reject) returns reject
Failed to authenticate the user.
Login incorrect (rlm_ldap: Bind as user failed):
[vmendelevich] (from client VMendelevich port 10)
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 141 to 192.168.110.3 port 46057
Waking up in 4.9 seconds.
Cleaning up request 0 ID 141 with timestamp +223
Ready to process requests.
-------------

You can see that when radius tries to authenticate against the second
LDAP (ldap2.ts) it hasn't changed o=org1 to o=org2. This is
a problem. We cannot modify the schema of those two LDAP
servers.


UIN:9244669
Phone:+7(495)727-0982 ext.4162
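The debug output above shows why the second instance binds with the first instance's DN: `[lotus]` prints `user DN: uid=vmendelevich,o=org1` without doing any search of its own, so it is reusing a DN that `[tam]` already found. The following authenticate section is an added example, not a configuration posted in this thread or shipped with FreeRADIUS. It assumes two rlm_ldap instances named `tam` (basedn o=org1) and `lotus` (basedn o=org2) as in the log, and that rlm_ldap 2.1.x stores the DN found during authorize in the control-list attribute `Ldap-UserDn` and reuses it in authenticate whenever it is present (this is the assumed cause of the behaviour above). Clearing that attribute between the two modules forces `lotus` to search its own base before binding.

```unlang
# Added example, not from the thread. Assumed: rlm_ldap instances "tam"
# (basedn o=org1) and "lotus" (basedn o=org2), FreeRADIUS 2.1.x.
#
# Each ldap instance sets Auth-Type to its own name during authorize
# (the log shows "[tam] Setting Auth-Type = tam"), so either name this
# section "Auth-Type tam" or force "Auth-Type := LDAP" in the users file
# as suggested earlier in the thread.
authenticate {
    Auth-Type LDAP {
        # First directory: o=org1
        tam {
            reject = 2
        }
        if (reject) {
            # Assumed: rlm_ldap cached uid=<user>,o=org1 in control:Ldap-UserDn
            # after the first attempt. Drop it so the second instance searches
            # its own base (o=org2) instead of re-binding with the org1 DN.
            update control {
                Ldap-UserDn !* ANY
            }
            # Second directory: o=org2
            lotus
        }
    }
}
```

Check the result with `radiusd -X`: after the `[tam]` bind failure, `[lotus]` should now log a `performing search in o=org2` line followed by `user DN: uid=vmendelevich,o=org2` before its bind. If it still prints the o=org1 DN, the attribute name or list in the `update` block does not match what the installed rlm_ldap uses, and the assumption above needs to be verified against the module's source for that version.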


