freeradius + ldap

Ana Gallardo ana.gallardo.77@gmail.com
Wed Dec 1 12:48:14 CET 2010


Hello,

I'm using freeradius 2.1.10 and I want to use ldap as a backend in the
authorize section to take the userPassword attribute (unix crypt) to
authenticate the user.

My problem is: the ldap server doesn't have a public key that an admin user (who
binds) can take. So I have to bind in the authorize section with the user and
password (clear text) from the request.

Is this possible?

What are my possibilities?

Here is my actual configuration in my test:

LDAP MODULE

ldap ldapPerson{
   server = "ldap.xxxx"
   basedn = "ou=people,dc=unex,dc=es"
   filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
   ldap_connections_number = 5
   timeout = 4
   timelimit = 3
   net_timeout = 1
   tls {
      start_tls = no
   }
   dictionary_mapping = ${confdir}/ldapPerson.attrmap
   edir_account_policy_check = no
   set_auth_type = yes
}

SERVER

server test{

authorize {
  suffix
  files
  ldapPerson
  expiration
  pap
}

authenticate {
  Auth-Type PAP {
    pap
  }
}

}


DEBUG

rad_recv: Access-Request packet from host X.X.X.X port 38152, id=201,
length=58
    User-Name = "aigallardo@unex.es"
    User-Password = "pass"
server test {
# Executing section authorize from file /etc/freeradius/sites-enabled/test
+- entering group authorize {...}
[suffix] Looking up realm "unex.es" for User-Name = "aigallardo@unex.es"
[suffix] Found realm "unex.es"
[suffix] Adding Stripped-User-Name = "aigallardo"
[suffix] Adding Realm = "unex.es"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry DEFAULT at line 33
++[files] returns ok
[ldapPerson] performing user authorization for aigallardo
[ldapPerson]     expand: %{Stripped-User-Name} -> aigallardo
[ldapPerson]     expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=aigallardo)
[ldapPerson]     expand: ou=people,dc=unex,dc=es -> ou=people,dc=unex,dc=es
  [ldapPerson] ldap_get_conn: Checking Id: 0
  [ldapPerson] ldap_get_conn: Got Id: 0
  [ldapPerson] attempting LDAP reconnection
  [ldapPerson] (re)connect to XXXXX :389, authentication 0
  [ldapPerson] bind as / to XXXX :389
  [ldapPerson] waiting for bind result ...
  [ldapPerson] Bind was successful
  [ldapPerson] performing search in ou=people,dc=unex,dc=es, with filter
(uid=aigallardo)
[ldapPerson] No default NMAS login sequence
[ldapPerson] looking for check items in directory...
[ldapPerson] looking for reply items in directory...
  [ldapPerson] gecos -> Nombre-Completo = "Ana-Isabel Gallardo Gomez"
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldapPerson] user aigallardo authorized to use remote access
  [ldapPerson] ldap_release_conn: Release Id: 0
++[ldapPerson] returns ok
++[expiration] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
} # server test



Thank you very much and sorry for my English.


++ Ana Gallardo Gómez ++
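Added example (not part of the original post, and not the poster's own configuration): the FreeRADIUS 2.x layout that does what the question asks for, i.e. authenticating by binding to LDAP as the user with the cleartext User-Password from the request, when the search bind is not allowed to read userPassword. It keeps the poster's module settings and placeholders (server name, basedn, attrmap path) and adds two things. First, an "Auth-Type ldapPerson" block in the authenticate section: with set_auth_type = yes, rlm_ldap sets Auth-Type to its own instance name when it finds no known-good password, but it only does so when a section of that name exists, which is the assumed reason the posted debug ends with "No authenticate method (Auth-Type) found". Second, start_tls is switched on with an assumed CA certificate path, because the bind sends the user's password to the directory and the posted config has start_tls = no.

```text
# Added example, not from the original post. Placeholders: ldap.xxxx,
# ou=people,dc=unex,dc=es and ldapPerson.attrmap are the poster's own;
# the CA certificate path is assumed.
ldap ldapPerson {
   server = "ldap.xxxx"
   basedn = "ou=people,dc=unex,dc=es"
   filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
   ldap_connections_number = 5
   timeout = 4
   timelimit = 3
   net_timeout = 1
   tls {
      # The user's cleartext password travels in the bind, so protect the
      # connection to the directory and verify the server certificate.
      start_tls = yes
      cacertfile = /etc/ssl/certs/ca-bundle.pem   # assumed path
      require_cert = "demand"
   }
   dictionary_mapping = ${confdir}/ldapPerson.attrmap
   edir_account_policy_check = no
   # When no known-good password is found in the directory, set
   # Auth-Type = ldapPerson so the matching authenticate block runs.
   set_auth_type = yes
}

server test {

authorize {
  suffix
  files
  ldapPerson
  expiration
  pap
}

authenticate {
  Auth-Type PAP {
    pap
  }
  # Missing from the posted config. Here rlm_ldap binds to the directory
  # with the DN found by the authorize search and the request's
  # User-Password; a successful bind authenticates the user.
  Auth-Type ldapPerson {
    ldapPerson
  }
}

}
```

Two caveats for anyone deploying this. The bind-as-user method needs the cleartext password in the request, so it only works for PAP; CHAP, MS-CHAP and the EAP methods that do not carry the cleartext password cannot use it. And when testing with "freeradius -X", the authorize output should now show rlm_ldap setting Auth-Type = ldapPerson instead of the "No authenticate method" error; if it does not, check the startup output, where rlm_ldap reports that it disabled set_auth_type because no Auth-Type of its name was defined. Note also that the debug output prints User-Password in clear, as the posted log shows, so it should be scrubbed before being shared.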