no authenticate step ...

Michael Arndt michael.arndt at berlin.de
Thu Apr 7 12:58:55 CEST 2011


hello *

I am trying to transfer a working configuration from a very old (1.x) FreeRADIUS
version to a more recent RADIUS version:
FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 14 2010 at 21:14:10

My problem: after authenticating against LDAP and Auth-Type = LDAP is
set, no authorize step is done.

The next step that happens is trying the next entry from the users file.

Expected: authenticate by binding as the user, with the user's password hash,
against LDAP.

Here is the snippet from the debug log that I assume is relevant:


hu Apr  7 12:45:28 2011 : Info: [auth_log]     expand: %t -> Thu Apr  7 12:45:28 2011
Thu Apr  7 12:45:28 2011 : Info: ++[auth_log] returns ok
Thu Apr  7 12:45:28 2011 : Info: ++[mschap] returns noop
Thu Apr  7 12:45:28 2011 : Info: [suffix] No '@' in User-Name = "pilot00001", looking up realm NULL
Thu Apr  7 12:45:28 2011 : Info: [suffix] No such realm "NULL"
Thu Apr  7 12:45:28 2011 : Info: ++[suffix] returns noop
Thu Apr  7 12:45:28 2011 : Info: [ldap] performing user authorization for pilot00001
Thu Apr  7 12:45:28 2011 : Info: [ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
Thu Apr  7 12:45:28 2011 : Info: [ldap]         ... expanding second conditional
Thu Apr  7 12:45:28 2011 : Info: [ldap]         expand: %{User-Name} -> pilot00001
Thu Apr  7 12:45:28 2011 : Info: [ldap]         expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=pilot00001)
Thu Apr  7 12:45:28 2011 : Info: [ldap]         expand: l=Berlin,dc=de,o=ABC-> l=Berlin,dc=de,o=ABC
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] attempting LDAP reconnection
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] (re)connect to 10.128.1.1:389, authentication 0
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] bind as cn=Manager,o=ABC/xyz to 10.128.1.1:389
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] waiting for bind result ...
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] Bind was successful
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] performing search in l=Berlin,dc=de,o=ABC, with filter (uid=pilot00001)
Thu Apr  7 12:45:28 2011 : Info: [ldap] No default NMAS login sequence
Thu Apr  7 12:45:28 2011 : Info: [ldap] looking for check items in directory...
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] userPassword -> Password-With-Header == "{MD5}hashvalueD1xtOw=="    <- the sequence after the hashed pw astonishes me, the D1xt0w
Thu Apr  7 12:45:28 2011 : Info: [ldap] looking for reply items in directory...
Thu Apr  7 12:45:28 2011 : Info: [ldap] Setting Auth-Type = LDAP
Thu Apr  7 12:45:28 2011 : Info: [ldap] user pilot00001 authorized to use remote access
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Thu Apr  7 12:45:28 2011 : Info: ++[ldap] returns ok
Thu Apr  7 12:45:28 2011 : Info: [eap] No EAP-Message, not doing EAP
Thu Apr  7 12:45:28 2011 : Info: ++[eap] returns noop

... the next line / match in the users file is done next
... in the old config the next step was authenticate

So clearly I am making a mistake and have overlooked a necessary config option.
Any hints where to look next?
The hint to transfer the deprecated expression from the users file to unlang
will be followed once I succeed with auth.



TIA
Micha
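For reference, the FreeRADIUS 2.x site and module layout in which "Setting Auth-Type = LDAP" during authorize leads to an ldap user bind during authenticate; this is an added example, not the poster's configuration. The server address, manager DN and base DN are copied from the debug log above, the bind password is a placeholder, and the remaining keys are the stock 2.x defaults.

```conf
# raddb/modules/ldap  (2.x key names; values from the debug log, password is a placeholder)
ldap {
    server   = "10.128.1.1"
    port     = 389
    identity = "cn=Manager,o=ABC"
    password = "REPLACE-WITH-MANAGER-PASSWORD"
    basedn   = "l=Berlin,dc=de,o=ABC"

    # 2.x conditional-expansion syntax; the 1.x form
    # %{Stripped-User-Name:-%{User-Name}} is what produces the
    # "Deprecated conditional expansion" warning in the log.
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

    # Makes authorize set Auth-Type = LDAP when the user is found,
    # i.e. the "Setting Auth-Type = LDAP" line in the debug output.
    set_auth_type = yes

    # userPassword is read as a check item. A value such as
    # "{MD5}....D1xtOw==" is normal: the digest is base64-encoded,
    # so a 16-byte MD5 hash always ends in "==".
    password_attribute = userPassword
    dictionary_mapping = ${confdir}/ldap.attrmap
}

# raddb/sites-enabled/default (relevant parts only)
authorize {
    preprocess
    auth_log
    mschap
    suffix
    ldap
    eap
    files
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    # Without this sub-section there is no module to run for
    # Auth-Type LDAP, so the request never gets the user bind
    # that the old 1.x configuration performed.
    Auth-Type LDAP {
        ldap
    }
    eap
}
```

The bind as the user happens only when the request reaches `authenticate` with `Auth-Type = LDAP`; an authorize-only match on `userPassword` is a check-item comparison, not an LDAP bind.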