SASL AuthN to LDAP

Brendan Kearney bpk678 at gmail.com
Tue Oct 18 16:24:05 CEST 2016


i am trying to use a Kerberos keytab file to authenticate to LDAP.  the 
keytab file is the same one used to authenticate users against the 
Kerberos database.  the principal in the keytab has been mapped to an 
object in LDAP, for access to be granted.  i dont seem to be getting the 
configs correct for the LDAP binds to work.  can you shed light on what 
i am missing?

i am setting

KRB5_CLIENT_KTNAME = '/etc/raddb/radius.keytab'

in the sasl {} stanzas in mods-available/ldap, which is linked to 
mods-enabled/.  the radiusd -X output below indicates that anonymous 
binds are being attempted.  this seems to indicate the keytab is not 
being picked up and the identity is not being found.  i can run a 'kinit 
-kt /etc/raddb/radius.keytab' and get a TGT back.  i can also run 
'ldapwhoami' with that TGT and get the mapped LDAP identity back.  am i 
going about setting the KRB5_CLIENT_KTNAME wrong?

freeradius version 3.0.10 (packaged for fedora 24)

Copyright (C) 1999-2015 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/dhcp
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/krb5
including configuration file /etc/raddb/mods-enabled/ldap
including configuration file /etc/raddb/mods-enabled/sql
including configuration file 
/etc/raddb/mods-config/sql/main/mysql/queries.conf
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/canonicalization.orig
including configuration file /etc/raddb/policy.d/canonicalization
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
  security {
      user = "radiusd"
      group = "radiusd"
      allow_core_dumps = no
  }
     name = "radiusd"
     prefix = "/usr"
     localstatedir = "/var"
     logdir = "/var/log/radius"
     run_dir = "/var/run/radiusd"
}
main {
     name = "radiusd"
     prefix = "/usr"
     localstatedir = "/var"
     sbindir = "/usr/sbin"
     logdir = "/var/log/radius"
     run_dir = "/var/run/radiusd"
     libdir = "/usr/lib64/freeradius"
     radacctdir = "/var/log/radius/radacct"
     hostname_lookups = no
     max_request_time = 30
     cleanup_delay = 5
     max_requests = 1024
     pidfile = "/var/run/radiusd/radiusd.pid"
     checkrad = "/usr/sbin/checkrad"
     debug_level = 0
     proxy_requests = no
  log {
      stripped_names = no
      auth = no
      auth_badpass = no
      auth_goodpass = no
      colourise = yes
      msg_denied = "You are already logged in - access denied"
  }
  resources {
  }
  security {
      max_attributes = 200
      reject_delay = 1.000000
      status_server = yes
  }
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
  client localhost {
      ipaddr = 127.0.0.1
      require_message_authenticator = no
      secret = <<< secret >>>
      nas_type = "other"
      proto = "*"
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
  }
Debugger not attached
  # Creating Auth-Type = digest
  # Creating Auth-Type = LDAP
radiusd: #### Instantiating modules ####
   # Loaded module rlm_always
   # Loading module "reject" from file /etc/raddb/mods-enabled/always
   always reject {
       rcode = "reject"
       simulcount = 0
       mpp = no
   }
   # Loading module "fail" from file /etc/raddb/mods-enabled/always
   always fail {
       rcode = "fail"
       simulcount = 0
       mpp = no
   }
   # Loading module "ok" from file /etc/raddb/mods-enabled/always
   always ok {
       rcode = "ok"
       simulcount = 0
       mpp = no
   }
   # Loading module "handled" from file /etc/raddb/mods-enabled/always
   always handled {
       rcode = "handled"
       simulcount = 0
       mpp = no
   }
   # Loading module "invalid" from file /etc/raddb/mods-enabled/always
   always invalid {
       rcode = "invalid"
       simulcount = 0
       mpp = no
   }
   # Loading module "userlock" from file /etc/raddb/mods-enabled/always
   always userlock {
       rcode = "userlock"
       simulcount = 0
       mpp = no
   }
   # Loading module "notfound" from file /etc/raddb/mods-enabled/always
   always notfound {
       rcode = "notfound"
       simulcount = 0
       mpp = no
   }
   # Loading module "noop" from file /etc/raddb/mods-enabled/always
   always noop {
       rcode = "noop"
       simulcount = 0
       mpp = no
   }
   # Loading module "updated" from file /etc/raddb/mods-enabled/always
   always updated {
       rcode = "updated"
       simulcount = 0
       mpp = no
   }
   # Loaded module rlm_attr_filter
   # Loading module "attr_filter.post-proxy" from file 
/etc/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.post-proxy {
       filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
       key = "%{Realm}"
       relaxed = no
   }
   # Loading module "attr_filter.pre-proxy" from file 
/etc/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.pre-proxy {
       filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
       key = "%{Realm}"
       relaxed = no
   }
   # Loading module "attr_filter.access_reject" from file 
/etc/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.access_reject {
       filename = "/etc/raddb/mods-config/attr_filter/access_reject"
       key = "%{User-Name}"
       relaxed = no
   }
   # Loading module "attr_filter.access_challenge" from file 
/etc/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.access_challenge {
       filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
       key = "%{User-Name}"
       relaxed = no
   }
   # Loading module "attr_filter.accounting_response" from file 
/etc/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.accounting_response {
       filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
       key = "%{User-Name}"
       relaxed = no
   }
   # Loaded module rlm_cache
   # Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
   cache cache_eap {
       driver = "rlm_cache_rbtree"
       key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
       ttl = 15
       max_entries = 0
       epoch = 0
       add_stats = no
   }
   # Loaded module rlm_chap
   # Loading module "chap" from file /etc/raddb/mods-enabled/chap
   # Loaded module rlm_detail
   # Loading module "detail" from file /etc/raddb/mods-enabled/detail
   detail {
       filename = 
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
       header = "%t"
       permissions = 384
       locking = no
       escape_filenames = no
       log_packet_header = no
   }
   # Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
   detail auth_log {
       filename = 
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
       header = "%t"
       permissions = 384
       locking = no
       escape_filenames = no
       log_packet_header = no
   }
   # Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
   detail reply_log {
       filename = 
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
       header = "%t"
       permissions = 384
       locking = no
       escape_filenames = no
       log_packet_header = no
   }
   # Loading module "pre_proxy_log" from file 
/etc/raddb/mods-enabled/detail.log
   detail pre_proxy_log {
       filename = 
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
       header = "%t"
       permissions = 384
       locking = no
       escape_filenames = no
       log_packet_header = no
   }
   # Loading module "post_proxy_log" from file 
/etc/raddb/mods-enabled/detail.log
   detail post_proxy_log {
       filename = 
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
       header = "%t"
       permissions = 384
       locking = no
       escape_filenames = no
       log_packet_header = no
   }
   # Loaded module rlm_dhcp
   # Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp
   # Loaded module rlm_digest
   # Loading module "digest" from file /etc/raddb/mods-enabled/digest
   # Loaded module rlm_dynamic_clients
   # Loading module "dynamic_clients" from file 
/etc/raddb/mods-enabled/dynamic_clients
   # Loaded module rlm_eap
   # Loading module "eap" from file /etc/raddb/mods-enabled/eap
   eap {
       default_eap_type = "md5"
       timer_expire = 60
       ignore_unknown_eap_types = no
       cisco_accounting_username_bug = no
       max_sessions = 1024
   }
   # Loaded module rlm_exec
   # Loading module "echo" from file /etc/raddb/mods-enabled/echo
   exec echo {
       wait = yes
       program = "/bin/echo %{User-Name}"
       input_pairs = "request"
       output_pairs = "reply"
       shell_escape = yes
   }
   # Loading module "exec" from file /etc/raddb/mods-enabled/exec
   exec {
       wait = no
       input_pairs = "request"
       shell_escape = yes
       timeout = 10
   }
   # Loaded module rlm_expiration
   # Loading module "expiration" from file 
/etc/raddb/mods-enabled/expiration
   # Loaded module rlm_expr
   # Loading module "expr" from file /etc/raddb/mods-enabled/expr
   expr {
       safe_characters = 
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: 
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
   }
   # Loaded module rlm_files
   # Loading module "files" from file /etc/raddb/mods-enabled/files
   files {
       filename = "/etc/raddb/mods-config/files/authorize"
       acctusersfile = "/etc/raddb/mods-config/files/accounting"
       preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
   }
   # Loaded module rlm_linelog
   # Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
   linelog {
       filename = "/var/log/radius/linelog"
       escape_filenames = no
       syslog_severity = "info"
       permissions = 384
       format = "This is a log message for %{User-Name}"
       reference = "messages.%{%{reply:Packet-Type}:-default}"
   }
   # Loading module "log_accounting" from file 
/etc/raddb/mods-enabled/linelog
   linelog log_accounting {
       filename = "/var/log/radius/linelog-accounting"
       escape_filenames = no
       syslog_severity = "info"
       permissions = 384
       format = ""
       reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
   }
   # Loaded module rlm_logintime
   # Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
   logintime {
       minimum_timeout = 60
   }
   # Loaded module rlm_mschap
   # Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
   mschap {
       use_mppe = no
       require_encryption = yes
       require_strong = yes
       with_ntdomain_hack = yes
    passchange {
    }
       allow_retry = yes
   }
   # Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
   exec ntlm_auth {
       wait = yes
       program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN 
--username=%{mschap:User-Name} --password=%{User-Password}"
       shell_escape = yes
   }
   # Loaded module rlm_pap
   # Loading module "pap" from file /etc/raddb/mods-enabled/pap
   pap {
       normalise = yes
   }
   # Loaded module rlm_passwd
   # Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
   passwd etc_passwd {
       filename = "/etc/passwd"
       format = "*User-Name:Crypt-Password:"
       delimiter = ":"
       ignore_nislike = no
       ignore_empty = yes
       allow_multiple_keys = no
       hash_size = 100
   }
   # Loaded module rlm_preprocess
   # Loading module "preprocess" from file 
/etc/raddb/mods-enabled/preprocess
   preprocess {
       huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
       hints = "/etc/raddb/mods-config/preprocess/hints"
       with_ascend_hack = no
       ascend_channels_per_line = 23
       with_ntdomain_hack = no
       with_specialix_jetstream_hack = no
       with_cisco_vsa_hack = no
       with_alvarion_vsa_hack = no
   }
   # Loaded module rlm_radutmp
   # Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
   radutmp {
       filename = "/var/log/radius/radutmp"
       username = "%{User-Name}"
       case_sensitive = yes
       check_with_nas = yes
       permissions = 384
       caller_id = yes
   }
   # Loaded module rlm_realm
   # Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
   realm IPASS {
       format = "prefix"
       delimiter = "/"
       ignore_default = no
       ignore_null = no
   }
   # Loading module "suffix" from file /etc/raddb/mods-enabled/realm
   realm suffix {
       format = "suffix"
       delimiter = "@"
       ignore_default = no
       ignore_null = no
   }
   # Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
   realm realmpercent {
       format = "suffix"
       delimiter = "%"
       ignore_default = no
       ignore_null = no
   }
   # Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
   realm ntdomain {
       format = "prefix"
       delimiter = "\"
       ignore_default = no
       ignore_null = no
   }
   # Loaded module rlm_replicate
   # Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
   # Loaded module rlm_soh
   # Loading module "soh" from file /etc/raddb/mods-enabled/soh
   soh {
       dhcp = yes
   }
   # Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
   radutmp sradutmp {
       filename = "/var/log/radius/sradutmp"
       username = "%{User-Name}"
       case_sensitive = yes
       check_with_nas = yes
       permissions = 420
       caller_id = no
   }
   # Loaded module rlm_unix
   # Loading module "unix" from file /etc/raddb/mods-enabled/unix
   unix {
       radwtmp = "/var/log/radius/radwtmp"
   }
Creating attribute Unix-Group
   # Loaded module rlm_unpack
   # Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
   # Loaded module rlm_utf8
   # Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
   # Loaded module rlm_krb5
   # Loading module "krb5" from file /etc/raddb/mods-enabled/krb5
   krb5 {
       keytab = "/etc/raddb/radius.keytab"
       service_principal = "radius/server1.bpk2.com"
   }
   # Loaded module rlm_ldap
   # Loading module "ldap" from file /etc/raddb/mods-enabled/ldap
   ldap {
       server = "server1.bpk2.com"
    sasl {
        mech = "GSSAPI"
        realm = "BPK2.COM"
    }
       read_clients = yes
    user {
        scope = "sub"
        access_positive = yes
     sasl {
     }
    }
    group {
        filter = "(objectClass=posixGroup)"
        scope = "sub"
        name_attribute = "cn"
        membership_attribute = "memberOf"
        cacheable_name = no
        cacheable_dn = no
    }
    client {
        filter = "(objectClass=radiusClient)"
        scope = "sub"
        base_dn = "dc=bpk2,dc=com"
    }
    profile {
    }
    options {
        ldap_debug = 40
        chase_referrals = yes
        rebind = yes
        net_timeout = 1
        res_timeout = 10
        srv_timelimit = 3
        idle = 60
        probes = 3
        interval = 3
    }
    tls {
        start_tls = no
    }
   }
Creating attribute LDAP-Group
   # Loaded module rlm_sql
   # Loading module "sql" from file /etc/raddb/mods-enabled/sql
   sql {
       driver = "rlm_sql_mysql"
       server = "database.bpk2.com"
       port = 3306
       login = "radius"
       password = <<< secret >>>
       radius_db = "radius"
       read_groups = yes
       read_profiles = yes
       read_clients = no
       delete_stale_sessions = yes
       sql_user_name = "%{User-Name}"
       default_user_profile = ""
       client_query = "SELECT id, nasname, shortname, type, secret, 
server FROM nas"
       authorize_check_query = "SELECT id, username, attribute, value, 
op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
       authorize_reply_query = "SELECT id, username, attribute, value, 
op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
       authorize_group_check_query = "SELECT id, groupname, attribute, 
Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
       authorize_group_reply_query = "SELECT id, groupname, attribute, 
value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
       group_membership_query = "SELECT groupname FROM radusergroup 
WHERE username = '%{SQL-User-Name}' ORDER BY priority"
       simul_verify_query = "SELECT radacctid, acctsessionid, username, 
nasipaddress, nasportid, framedipaddress, callingstationid, 
framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND 
acctstoptime IS NULL"
       safe_characters = 
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}.query}"
     type {
      accounting-on {
          query = "UPDATE radacct SET acctstoptime = 
FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime    = 
'%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), 
acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE 
acctstoptime IS NULL AND nasipaddress   = '%{NAS-IP-Address}' AND 
acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
      }
      accounting-off {
          query = "UPDATE radacct SET acctstoptime = 
FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime    = 
'%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), 
acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE 
acctstoptime IS NULL AND nasipaddress   = '%{NAS-IP-Address}' AND 
acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
      }
      start {
          query = "INSERT INTO radacct (acctsessionid, acctuniqueid,    
     username, realm,            nasipaddress,     nasportid, 
nasporttype,        acctstarttime, acctupdatetime, acctstoptime,        
acctsessiontime, acctauthentic, connectinfo_start,    connectinfo_stop, 
acctinputoctets, acctoutputoctets,    calledstationid, callingstationid, 
acctterminatecause,    servicetype, framedprotocol, framedipaddress) 
VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', 
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', 
'%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', 
FROM_UNIXTIME(%{integer:Event-Timestamp}), 
FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', 
'%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', 
'%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', 
'%{Framed-Protocol}', '%{Framed-IP-Address}')"
      }
      interim-update {
          query = "UPDATE radacct SET acctupdatetime  = 
(@acctupdatetime_old:=acctupdatetime), acctupdatetime  = 
FROM_UNIXTIME(%{integer:Event-Timestamp}), acctinterval    = 
%{integer:Event-Timestamp} - UNIX_TIMESTAMP(@acctupdatetime_old), 
framedipaddress = '%{Framed-IP-Address}', acctsessiontime = 
%{%{Acct-Session-Time}:-NULL}, acctinputoctets = 
'%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', 
acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | 
'%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId = 
'%{Acct-Unique-Session-Id}'"
      }
      stop {
          query = "UPDATE radacct SET acctstoptime    = 
FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime    = 
%{%{Acct-Session-Time}:-NULL}, acctinputoctets    = 
'%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', 
acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | 
'%{%{Acct-Output-Octets}:-0}', acctterminatecause = 
'%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE 
AcctUniqueId = '%{Acct-Unique-Session-Id}'"
      }
     }
    }
    post-auth {
        reference = ".query"
        query = "INSERT INTO radpostauth (username, pass, reply, 
authdate) VALUES ( '%{SQL-User-Name}', 
'%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
    }
   }
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Creating attribute SQL-Group
  instantiate {
  }
  modules {
   # Instantiating module "reject" from file /etc/raddb/mods-enabled/always
   # Instantiating module "fail" from file /etc/raddb/mods-enabled/always
   # Instantiating module "ok" from file /etc/raddb/mods-enabled/always
   # Instantiating module "handled" from file /etc/raddb/mods-enabled/always
   # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
   # Instantiating module "userlock" from file 
/etc/raddb/mods-enabled/always
   # Instantiating module "notfound" from file 
/etc/raddb/mods-enabled/always
   # Instantiating module "noop" from file /etc/raddb/mods-enabled/always
   # Instantiating module "updated" from file /etc/raddb/mods-enabled/always
   # Instantiating module "attr_filter.post-proxy" from file 
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
   # Instantiating module "attr_filter.pre-proxy" from file 
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
   # Instantiating module "attr_filter.access_reject" from file 
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item 
"FreeRADIUS-Response-Delay"     found in filter list for realm "DEFAULT".
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item 
"FreeRADIUS-Response-Delay-USec"     found in filter list for realm 
"DEFAULT".
   # Instantiating module "attr_filter.access_challenge" from file 
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
   # Instantiating module "attr_filter.accounting_response" from file 
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
   # Instantiating module "cache_eap" from file 
/etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) 
loaded and linked
   # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
   # Instantiating module "auth_log" from file 
/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in 
detail output
   # Instantiating module "reply_log" from file 
/etc/raddb/mods-enabled/detail.log
   # Instantiating module "pre_proxy_log" from file 
/etc/raddb/mods-enabled/detail.log
   # Instantiating module "post_proxy_log" from file 
/etc/raddb/mods-enabled/detail.log
   # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
    # Linked to sub-module rlm_eap_md5
    # Linked to sub-module rlm_eap_leap
    # Linked to sub-module rlm_eap_gtc
    gtc {
        challenge = "Password: "
        auth_type = "PAP"
    }
    # Linked to sub-module rlm_eap_tls
    tls {
        tls = "tls-common"
    }
    tls-config tls-common {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        ca_path = "/etc/raddb/certs"
        pem_file_type = yes
        private_key_file = "/etc/raddb/certs/server.pem"
        certificate_file = "/etc/raddb/certs/server.pem"
        ca_file = "/etc/raddb/certs/ca.pem"
        private_key_password = <<< secret >>>
        dh_file = "/etc/raddb/certs/dh"
        fragment_size = 1024
        include_length = yes
        check_crl = no
        check_all_crl = no
        cipher_list = "DEFAULT"
        ecdh_curve = "prime256v1"
     cache {
         enable = yes
         lifetime = 24
         max_entries = 255
     }
     verify {
     }
     ocsp {
         enable = no
         override_cert_url = yes
         url = "http://127.0.0.1/ocsp/"
         use_nonce = yes
         timeout = 0
         softfail = no
     }
    }
    # Linked to sub-module rlm_eap_ttls
    ttls {
        tls = "tls-common"
        default_eap_type = "md5"
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
        include_length = yes
        require_client_cert = no
    }
tls: Using cached TLS configuration from previous invocation
    # Linked to sub-module rlm_eap_peap
    peap {
        tls = "tls-common"
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
        soh = no
        require_client_cert = no
    }
tls: Using cached TLS configuration from previous invocation
    # Linked to sub-module rlm_eap_mschapv2
    mschapv2 {
        with_ntdomain_hack = no
        send_error = no
    }
   # Instantiating module "expiration" from file 
/etc/raddb/mods-enabled/expiration
   # Instantiating module "files" from file /etc/raddb/mods-enabled/files
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
   # Instantiating module "linelog" from file 
/etc/raddb/mods-enabled/linelog
   # Instantiating module "log_accounting" from file 
/etc/raddb/mods-enabled/linelog
   # Instantiating module "logintime" from file 
/etc/raddb/mods-enabled/logintime
   # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
   # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
   # Instantiating module "etc_passwd" from file 
/etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
   # Instantiating module "preprocess" from file 
/etc/raddb/mods-enabled/preprocess
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
   # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
   # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
   # Instantiating module "realmpercent" from file 
/etc/raddb/mods-enabled/realm
   # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
   # Instantiating module "krb5" from file /etc/raddb/mods-enabled/krb5
Using MIT Kerberos library
rlm_krb5 (krb5): Using service principal "radius/server1.bpk2.com@"
rlm_krb5 (krb5): Using keytab "FILE:/etc/raddb/radius.keytab"
rlm_krb5 (krb5): Initialising connection pool
    pool {
        start = 10
        min = 4
        max = 10
        spare = 3
        uses = 0
        lifetime = 0
        cleanup_interval = 30
        idle_timeout = 60
        retry_delay = 1
        spread = no
    }
rlm_krb5 (krb5): Opening additional connection (0), 1 of 10 pending 
slots used
rlm_krb5 (krb5): Opening additional connection (1), 1 of 9 pending slots 
used
rlm_krb5 (krb5): Opening additional connection (2), 1 of 8 pending slots 
used
rlm_krb5 (krb5): Opening additional connection (3), 1 of 7 pending slots 
used
rlm_krb5 (krb5): Opening additional connection (4), 1 of 6 pending slots 
used
rlm_krb5 (krb5): Opening additional connection (5), 1 of 5 pending slots 
used
rlm_krb5 (krb5): Opening additional connection (6), 1 of 4 pending slots 
used
rlm_krb5 (krb5): Opening additional connection (7), 1 of 3 pending slots 
used
rlm_krb5 (krb5): Opening additional connection (8), 1 of 2 pending slots 
used
rlm_krb5 (krb5): Opening additional connection (9), 1 of 1 pending slots 
used
   # Instantiating module "ldap" from file /etc/raddb/mods-enabled/ldap
rlm_ldap: libldap vendor: OpenLDAP, version: 20444
    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}}"
    }
    post-auth {
        reference = "."
    }
rlm_ldap (ldap): Initialising connection pool
    pool {
        start = 5
        min = 3
        max = 32
        spare = 10
        uses = 0
        lifetime = 0
        cleanup_interval = 30
        idle_timeout = 60
        retry_delay = 30
        spread = no
    }
rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending 
slots used
rlm_ldap (ldap): Connecting to ldap://server1.bpk2.com:389
rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
SASL/GSSAPI authentication started
rlm_ldap (ldap): Bind with (anonymous) to ldap://server1.bpk2.com:389 
failed: Local error
rlm_ldap (ldap): Opening connection failed (0)
rlm_ldap (ldap): Removing connection pool
/etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"



More information about the Freeradius-Users mailing list