LDAP auth in two sources

Vladimir Mendelevich menv at on-line.ru
Fri Nov 27 16:47:05 CET 2009


On Fri, 27 Nov 2009 14:57:44 -0000 (UTC)
 tnt at kalik.net wrote:
> Remove tam and lotus from the authorize section of the default
> virtual server - you are not authorizing anything, just doing
> authentication. Instead just put that line at the top of the
> users file and enable files in authorize.

OK. Thank you. Now I understand. I have done this.

> 
> Post the debug of server startup (the part before requests
> can be processed).
> 

This is REALLY big. I think you are interested in the LDAP part?
---------------------
FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu,
built on Sep 18 2009 at 11:00:13
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/pam
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
	prefix = "/usr"
	localstatedir = "/var"
	logdir = "/var/log/radius"
	libdir = "/usr/lib64"
	radacctdir = "/var/log/radius/radacct"
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	allow_core_dumps = no
	pidfile = "/var/run/radiusd/radiusd.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = yes
	log_auth = yes
	log_auth_badpass = no
	log_auth_goodpass = no
	log_stripped_names = no
 security {
	max_attributes = 200
	reject_delay = 1
	status_server = no
 }
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
 client client1 {
	require_message_authenticator = no
	secret = "123"
	shortname = "client1"
 }
 client client2 {
	require_message_authenticator = no
	secret = "123"
	shortname = "client2"
 }
 client client3 {
	require_message_authenticator = no
	secret = "123"
	shortname = "client3"
 }
radiusd: #### Instantiating modules ####


radiusd: #### Loading Virtual Servers ####
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_ldap
 Module: Instantiating tam
  ldap tam {
	server = "skoll-vm1.kmz.ts"
	port = 389
	password = ""
	identity = ""
	net_timeout = 1
	timeout = 4
	timelimit = 3
	tls_mode = no
	start_tls = no
	tls_require_cert = "allow"
	basedn = "o=tamknown"
	filter = "(uid=%{User-Name})"
	base_filter = "(objectclass=radiusprofile)"
	auto_header = no
	access_attr_used_for_allow = no
	groupname_attribute = "cn"
	groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
	dictionary_mapping = "/etc/raddb/ldap.attrmap"
	ldap_debug = 0
	ldap_connections_number = 5
	compare_check_items = no
	do_xlat = no
	set_auth_type = yes
  }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute tam-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for tam-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name tam
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0xf72da70
 Module: Instantiating lotus
  ldap lotus {
	server = "ldap.kmz.ts"
	port = 389
	password = "1234567890"
	identity = "cn=user,o=tsas"
	net_timeout = 1
	timeout = 4
	timelimit = 3
	tls_mode = no
	start_tls = no
	tls_require_cert = "allow"
	basedn = "o=tsas"
	filter = "(uid=%{User-Name})"
	base_filter = "(objectclass=radiusprofile)"
	auto_header = no
	access_attr_used_for_allow = no
	groupname_attribute = "cn"
	groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
	dictionary_mapping = "/etc/raddb/ldap.attrmap"
	ldap_debug = 0
	ldap_connections_number = 5
	compare_check_items = no
	do_xlat = no
	set_auth_type = yes
  }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute lotus-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for lotus-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name lotus
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0xf72f840
 Module: Linked to module rlm_always
 Module: Instantiating handled
  always handled {
	rcode = "handled"
	simulcount = 0
	mpp = no
  }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
	usersfile = "/etc/raddb/users"
	compat = "no"
  }
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
	type = "auth"
	ipaddr = *
	port = 0
}
Listening on authentication address * port 1812
Listening on proxy address * port 1814
Ready to process requests.
---------------

Testing this config. The password is fake, so authentication
failed, but you can see that the basedn used is from the first
server, not from the second.

---------------
rad_recv: Access-Request packet from host 192.168.110.3 port 45965, id=14, length=64
	User-Name = "vmendelevich"
	User-Password = "33333333"
	NAS-IP-Address = 192.168.110.3
	NAS-Port = 10
+- entering group authorize {...}
[files] users: Matched entry DEFAULT at line 52
++[files] returns ok
Found Auth-Type = tam
+- entering group tam {...}
[tam] login attempt by "vmendelevich" with password "33333333"
[tam] 	expand: (uid=%{User-Name}) -> (uid=vmendelevich)
[tam] 	expand: o=tamknown -> o=tamknown
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to skoll-vm1.kmz.ts:389, authentication 0
rlm_ldap: bind as / to skoll-vm1.kmz.ts:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=tamknown, with filter (uid=vmendelevich)
rlm_ldap: ldap_release_conn: Release Id: 0
[tam] user DN: uid=vmendelevich,o=tamknown
rlm_ldap: (re)connect to skoll-vm1.kmz.ts:389, authentication 1
rlm_ldap: bind as uid=vmendelevich,o=tamknown/33333333 to skoll-vm1.kmz.ts:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
++[tam] returns reject
++? if (reject)
? Evaluating (reject) -> TRUE
++? if (reject) -> TRUE
++- entering if (reject) {...}
[lotus] login attempt by "vmendelevich" with password "33333333"
[lotus] user DN: uid=vmendelevich,o=tamknown
rlm_ldap: (re)connect to ldap.kmz.ts:389, authentication 1
rlm_ldap: bind as uid=vmendelevich,o=tamknown/33333333 to ldap.kmz.ts:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
+++[lotus] returns reject
++- if (reject) returns reject
Failed to authenticate the user.
Login incorrect (rlm_ldap: Bind as user failed): [vmendelevich] (from client VMendelevich port 10)
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 14 to 192.168.110.3 port 45965
Waking up in 4.9 seconds.
Cleaning up request 0 ID 14 with timestamp +457
Ready to process requests.
-------------

IMHO I should see this when connecting to the first server:

[tam] user DN: uid=vmendelevich,o=tamknown

and this when connecting to the second:

[lotus] user DN: uid=vmendelevich,o=tsas

I think this happens because the expansion is done only once:

+- entering group tam {...}
[tam] login attempt by "vmendelevich" with password "33333333"
[tam] 	expand: (uid=%{User-Name}) -> (uid=vmendelevich)
[tam] 	expand: o=tamknown -> o=tamknown

Thank you once more for your answers.

UIN:9244669
Phone:+7(495)727-0982 ext.4162
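Editor's added example, not part of the original message or of the FreeRADIUS distribution: the authenticate section that the debug output above implies (a "tam" Auth-Type group that runs tam and falls through to lotus on reject), with the one line that makes the second instance search its own basedn. rlm_ldap in 2.x stores the DN it finds as a control item named Ldap-UserDn (the same attribute the groupmembership_filter above expands) and reuses a cached DN instead of searching, which is why the log shows "[lotus] user DN: uid=vmendelevich,o=tamknown" with no "expand:" lines for lotus. The surrounding section layout and the users-file DEFAULT entry setting Auth-Type := tam are assumptions; only the instance names, basedns and attribute name come from the post.

```unlang
# Added example (editor's reconstruction, not the poster's actual
# radiusd.conf or sites-enabled/default). Assumptions: the users file
# has a DEFAULT entry with "Auth-Type := tam" (the log shows
# "Found Auth-Type = tam" right after "Matched entry DEFAULT"), and
# "tam" / "lotus" are the two ldap instances from the startup debug.
authenticate {
	Auth-Type tam {
		tam
		if (reject) {
			# tam already found and cached the user's DN under its
			# own basedn (o=tamknown) as the control item Ldap-UserDn.
			# Left in place, lotus reuses it and tries to bind to
			# ldap.kmz.ts as uid=...,o=tamknown, which is what the
			# posted log shows. Remove it so lotus performs its own
			# search under o=tsas before binding.
			update control {
				Ldap-UserDn !* ANY
			}
			lotus
		}
	}
}
```

With this in place the debug output for lotus should gain its own "expand: o=tsas -> o=tsas" and "performing search in o=tsas" lines before the "[lotus] user DN:" line. One caveat a practitioner should weigh before adopting the fall-through at all: both instances are configured with start_tls = no on port 389, so every reject from the first directory sends the user's cleartext password in a second simple bind to the other directory over an unencrypted connection; enabling start_tls (or tls_mode) on both instances is the minimum before putting this into production.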


