LDAP CONFIGURATION IN FreeRadius

Matthew Newton mcn4 at leicester.ac.uk
Thu May 5 18:37:54 CEST 2016


On Wed, May 04, 2016 at 07:43:28PM +0000, WINANT, KEVIN wrote:
> Version is 2.1.1 which we found is EOL and looking to go to V3.
> Did the debug and it looks like it loads up: "including configuration file /etc/raddb/modules/ldap"
> Looking in there do not find the hostname or IP of the external LDAP server in there.

Just realised you included the -X output further down.

That server isn't configured to do LDAP, at least not if it's
using /etc/raddb as its live config.

It is configured to use perl, so it's possible someone has decided
to do an LDAP lookup from perl rather than using the FreeRADIUS
module. Look in /etc/raddb/bgmod.pl (a local file, not part of the
standard config).

Matthew


> FreeRADIUS Version 2.1.1, for host s390x-ibm-linux-gnu, built on Feb 28 2014 at 23:16:21
> Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. 
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
> PARTICULAR PURPOSE. 
> You may redistribute copies of FreeRADIUS under the terms of the 
> GNU General Public License v2. 
> Starting - reading configuration files ...
> including configuration file /etc/raddb/radiusd.conf
> including configuration file /etc/raddb/clients.conf
> including configuration file /etc/raddb/bgclients.conf
> including files in directory /etc/raddb/modules/
> including configuration file /etc/raddb/modules/files
> including configuration file /etc/raddb/modules/exec
> including configuration file /etc/raddb/modules/attr_rewrite
> including configuration file /etc/raddb/modules/realm
> including configuration file /etc/raddb/modules/detail.log
> including configuration file /etc/raddb/modules/preprocess
> including configuration file /etc/raddb/modules/wimax
> including configuration file /etc/raddb/modules/detail.example.com
> including configuration file /etc/raddb/modules/digest
> including configuration file /etc/raddb/modules/unix
> including configuration file /etc/raddb/modules/policy
> including configuration file /etc/raddb/modules/krb5
> including configuration file /etc/raddb/modules/mac2vlan
> including configuration file /etc/raddb/modules/chap
> including configuration file /etc/raddb/modules/checkval
> including configuration file /etc/raddb/modules/pam
> including configuration file /etc/raddb/modules/echo
> including configuration file /etc/raddb/modules/inner-eap
> including configuration file /etc/raddb/modules/mac2ip
> including configuration file /etc/raddb/modules/detail
> including configuration file /etc/raddb/modules/always
> including configuration file /etc/raddb/modules/ippool
> including configuration file /etc/raddb/modules/attr_filter
> including configuration file /etc/raddb/modules/logintime
> including configuration file /etc/raddb/modules/pap
> including configuration file /etc/raddb/modules/expiration
> including configuration file /etc/raddb/modules/perl
> including configuration file /etc/raddb/modules/expr
> including configuration file /etc/raddb/modules/passwd
> including configuration file /etc/raddb/modules/sql_log
> including configuration file /etc/raddb/modules/ldap
> including configuration file /etc/raddb/modules/etc_group
> including configuration file /etc/raddb/modules/sradutmp
> including configuration file /etc/raddb/modules/mschap
> including configuration file /etc/raddb/modules/counter
> including configuration file /etc/raddb/modules/smbpasswd
> including configuration file /etc/raddb/modules/acct_unique
> including configuration file /etc/raddb/modules/linelog
> including configuration file /etc/raddb/modules/radutmp
> including configuration file /etc/raddb/eap.conf
> including configuration file /etc/raddb/sql.conf
> including configuration file /etc/raddb/sql/mysql/dialup.conf
> including configuration file /etc/raddb/sql/mysql/counter.conf
> including configuration file /etc/raddb/policy.conf
> including files in directory /etc/raddb/sites-enabled/
> including configuration file /etc/raddb/sites-enabled/default
> including configuration file /etc/raddb/sites-enabled/inner-tunnel
> group = radiusd
> user = radiusd
> including dictionary file /etc/raddb/dictionary
> main {
> 	prefix = "/usr"
> 	localstatedir = "/var"
> 	logdir = "/var/log/radius"
> 	libdir = "/usr/lib64/freeradius"
> 	radacctdir = "/var/log/radius/radacct"
> 	hostname_lookups = no
> 	max_request_time = 18
> 	cleanup_delay = 5
> 	max_requests = 30720
> 	allow_core_dumps = no
> 	pidfile = "/var/run/radiusd/radiusd.pid"
> 	checkrad = "/usr/sbin/checkrad"
> 	debug_level = 0
> 	proxy_requests = no
>  log {
> 	stripped_names = no
> 	auth = yes
> 	auth_badpass = no
> 	auth_goodpass = no
>  }
>  security {
> 	max_attributes = 200
> 	reject_delay = 1
> 	status_server = yes
>  }
> }
>  client whplp2621f1133a.whiteplains.ibm/9.58.200.102 {
> 	ipaddr = 9.58.200.102
> 	require_message_authenticator = no
> 	secret = "xxxxxxxx"
>  }
>  client rep-pf-16e04-a.atlanta.ibm.com/9.9.161.93 {
> 	ipaddr = 9.9.161.93
> 	require_message_authenticator = no
> 	secret = "xxxxxxxxxxx"
>  }
>  client igf-fw-gy.pokvpn.ibm.com/9.56.200.153 {
> 	ipaddr = 9.56.200.153
> 	require_message_authenticator = no
> 	secret = "xxxxxxxxxxxxx"
>  }
>  client aus-bf-bldg904-a.austin.ibm.com/9.3.60.208 {
> 	ipaddr = 9.3.60.208
> 	require_message_authenticator = no
> 	secret = "xxxxxxxxxxxxx"
>  }
>  SEVERAL HUNDRED MORE DEVICES DEFINED IN THIS AREA USING THE SAME FORMAT
> }
> 
> radiusd: #### Loading Realms and Home Servers ####
> radiusd: #### Instantiating modules ####
>  instantiate {
>  Module: Linked to module rlm_exec
>  Module: Instantiating exec
>   exec {
> 	wait = no
> 	input_pairs = "request"
> 	shell_escape = yes
>   }
>  Module: Linked to module rlm_expr
>  Module: Instantiating expr
>  Module: Linked to module rlm_expiration
>  Module: Instantiating expiration
>   expiration {
> 	reply-message = "Password Has Expired  "
>   }
>  Module: Linked to module rlm_logintime
>  Module: Instantiating logintime
>   logintime {
> 	reply-message = "You are calling outside your allowed timespan  "
> 	minimum-timeout = 60
>   }
>  }
> radiusd: #### Loading Virtual Servers ####
> server inner-tunnel {
>  modules {
>  Module: Checking authenticate {...} for more modules to load
>  Module: Linked to module rlm_pap
>  Module: Instantiating pap
>   pap {
> 	encryption_scheme = "auto"
> 	auto_header = no
>   }
>  Module: Linked to module rlm_chap
>  Module: Instantiating chap
>  Module: Linked to module rlm_mschap
>  Module: Instantiating mschap
>   mschap {
> 	use_mppe = yes
> 	require_encryption = no
> 	require_strong = no
> 	with_ntdomain_hack = no
>   }
>  Module: Linked to module rlm_unix
>  Module: Instantiating unix
>   unix {
> 	radwtmp = "/var/log/radius/radwtmp"
>   }
>  Module: Linked to module rlm_eap
>  Module: Instantiating eap
>   eap {
> 	default_eap_type = "md5"
> 	timer_expire = 60
> 	ignore_unknown_eap_types = no
> 	cisco_accounting_username_bug = no
> 	max_sessions = 2048
>   }
>  Module: Linked to sub-module rlm_eap_md5
>  Module: Instantiating eap-md5
>  Module: Linked to sub-module rlm_eap_leap
>  Module: Instantiating eap-leap
>  Module: Linked to sub-module rlm_eap_gtc
>  Module: Instantiating eap-gtc
>    gtc {
> 	challenge = "Password: "
> 	auth_type = "PAP"
>    }
>  Module: Linked to sub-module rlm_eap_tls
>  Module: Instantiating eap-tls
>    tls {
> 	rsa_key_exchange = no
> 	dh_key_exchange = yes
> 	rsa_key_length = 512
> 	dh_key_length = 512
> 	verify_depth = 0
> 	pem_file_type = yes
> 	private_key_file = "/etc/raddb/certs/server.pem"
> 	certificate_file = "/etc/raddb/certs/server.pem"
> 	CA_file = "/etc/raddb/certs/ca.pem"
> 	private_key_password = "xxxxxxxxx"
> 	dh_file = "/etc/raddb/certs/dh"
> 	random_file = "/etc/raddb/certs/random"
> 	fragment_size = 1024
> 	include_length = yes
> 	check_crl = no
> 	cipher_list = "DEFAULT"
> 	make_cert_command = "/etc/raddb/certs/bootstrap"
>     cache {
> 	enable = no
> 	lifetime = 24
> 	max_entries = 255
>     }
>    }
>  Module: Linked to sub-module rlm_eap_ttls
>  Module: Instantiating eap-ttls
>    ttls {
> 	default_eap_type = "md5"
> 	copy_request_to_tunnel = no
> 	use_tunneled_reply = no
> 	virtual_server = "inner-tunnel"
>    }
>  Module: Linked to sub-module rlm_eap_peap
>  Module: Instantiating eap-peap
>    peap {
> 	default_eap_type = "mschapv2"
> 	copy_request_to_tunnel = no
> 	use_tunneled_reply = no
> 	proxy_tunneled_request_as_eap = yes
> 	virtual_server = "inner-tunnel"
>    }
>  Module: Linked to sub-module rlm_eap_mschapv2
>  Module: Instantiating eap-mschapv2
>    mschapv2 {
> 	with_ntdomain_hack = no
>    }
>  Module: Checking authorize {...} for more modules to load
>  Module: Linked to module rlm_realm
>  Module: Instantiating suffix
>   realm suffix {
> 	format = "suffix"
> 	delimiter = "@"
> 	ignore_default = no
> 	ignore_null = no
>   }
>  Module: Linked to module rlm_files
>  Module: Instantiating files
>   files {
> 	usersfile = "/etc/raddb/users"
> 	acctusersfile = "/etc/raddb/acct_users"
> 	preproxy_usersfile = "/etc/raddb/preproxy_users"
> 	compat = "no"
>   }
>  Module: Checking session {...} for more modules to load
>  Module: Linked to module rlm_radutmp
>  Module: Instantiating radutmp
>   radutmp {
> 	filename = "/var/log/radius/radutmp"
> 	username = "%{User-Name}"
> 	case_sensitive = yes
> 	check_with_nas = yes
> 	perm = 384
> 	callerid = yes
>   }
>  Module: Checking post-proxy {...} for more modules to load
>  Module: Checking post-auth {...} for more modules to load
>  Module: Linked to module rlm_attr_filter
>  Module: Instantiating attr_filter.access_reject
>   attr_filter attr_filter.access_reject {
> 	attrsfile = "/etc/raddb/attrs.access_reject"
> 	key = "%{User-Name}"
>   }
>  }
> }
>  modules {
>  Module: Checking authenticate {...} for more modules to load
>  Module: Linked to module rlm_perl
>  Module: Instantiating perl
>   perl {
> 	module = "/etc/raddb/bgmod.pl"
> 	func_authorize = "authorize"
> 	func_authenticate = "authenticate"
> 	func_accounting = "accounting"
> 	func_preacct = "preacct"
> 	func_checksimul = "checksimul"
> 	func_detach = "detach"
> 	func_xlat = "xlat"
> 	func_pre_proxy = "pre_proxy"
> 	func_post_proxy = "post_proxy"
> 	func_post_auth = "post_auth"
>   }
>   perl {
> 	max_clones = 10
> 	start_clones = 3
> 	min_spare_clones = 1
> 	max_spare_clones = 3
> 	cleanup_delay = 0
> 	max_request_per_clone = 0
>   }
>  Module: Checking authorize {...} for more modules to load
>  Module: Linked to module rlm_preprocess
>  Module: Instantiating preprocess
>   preprocess {
> 	huntgroups = "/etc/raddb/huntgroups"
> 	hints = "/etc/raddb/hints"
> 	with_ascend_hack = no
> 	ascend_channels_per_line = 23
> 	with_ntdomain_hack = no
> 	with_specialix_jetstream_hack = no
> 	with_cisco_vsa_hack = no
> 	with_alvarion_vsa_hack = no
>   }
>  Module: Checking preacct {...} for more modules to load
>  Module: Linked to module rlm_acct_unique
>  Module: Instantiating acct_unique
>   acct_unique {
> 	key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
>   }
>  Module: Checking accounting {...} for more modules to load
>  Module: Linked to module rlm_detail
>  Module: Instantiating detail
>   detail {
> 	detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
> 	header = "%t"
> 	detailperm = 384
> 	dirperm = 493
> 	locking = no
> 	log_packet_header = no
>   }
>  Module: Instantiating attr_filter.accounting_response
>   attr_filter attr_filter.accounting_response {
> 	attrsfile = "/etc/raddb/attrs.accounting_response"
> 	key = "%{User-Name}"
>   }
>  Module: Checking session {...} for more modules to load
>  Module: Checking post-proxy {...} for more modules to load
>  Module: Checking post-auth {...} for more modules to load
>  }
> radiusd: #### Opening IP addresses and Ports ####
> listen {
> 	type = "auth"
> 	ipaddr = *
> 	port = 0
> Failed binding to socket: Address already in use 
> /etc/raddb/radiusd.conf[242]: Error binding to port for 0.0.0.0 port 1812
> 



-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
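One way to check the point made above mechanically, as an added example that is not from this thread or from the FreeRADIUS project: feed saved `radiusd -X` output to these shell functions, which compare the module config files the server *included* (as with modules/ldap here) against the modules it actually *linked*, and report the ones that were read but never instantiated. The sample debug lines are constructed, modelled on the output quoted in the thread, and the filename-to-`rlm_` name matching is a heuristic.

```shell
#!/bin/sh
# Added example, not part of the original post. Each function takes the captured
# `radiusd -X` text as its first argument, e.g.  unused_modules "$(cat radiusd-X.log)"
# (strip any leading "> " quote marks first if copying from a mail).

# Constructed sample of the relevant debug lines (not the real server's output).
SAMPLE_DEBUG='including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/pap
 Module: Linked to module rlm_perl
 Module: Instantiating perl
 Module: Linked to module rlm_pap
 Module: Instantiating pap'

# Basename of every module config file read from the modules/ directory.
included_modules() {
    printf '%s\n' "$1" \
      | sed -n 's#^including configuration file .*/modules/\([^/ ]*\)$#\1#p' \
      | sort -u
}

# Every module the server actually linked ("Linked to module rlm_xxx" -> xxx).
# Sub-modules (rlm_eap_*) are deliberately not matched.
linked_modules() {
    printf '%s\n' "$1" \
      | sed -n 's#^ *Module: Linked to module rlm_\([A-Za-z0-9_]*\).*$#\1#p' \
      | sort -u
}

# Config files that were included but whose module no virtual server ever
# referenced, so it was never linked. Heuristic: assumes the file basename
# equals the rlm_ name (true for ldap, perl, pap; not for e.g. detail.log).
unused_modules() {
    inc=$(included_modules "$1")
    lnk=" $(linked_modules "$1" | tr '\n' ' ') "
    for m in $inc; do
        case "$lnk" in
            *" $m "*) ;;               # linked: fine
            *) printf '%s\n' "$m" ;;   # included but never linked
        esac
    done
}

# is_linked <debug-text> <module>: exit 0 if the module was linked.
is_linked() {
    linked_modules "$1" | grep -qx "$2"
}
```

On the output quoted in this thread, `ldap` lands in the unused list while `perl` is linked, which is exactly the situation the reply describes.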

