FreeRADIUS 3, FreeBSD, eDirectory

Peter Lambrechtsen peter at crypt.nz
Wed Aug 2 10:49:21 CEST 2017


I suspect that you need to rebuild FR3 with the right LDAP library.
Something looks very odd there as I have compiled FR3 with eDir on RHEL 6&7
using universal password without an issue.

On 2/08/2017 19:47, "Marco Pirovano" <marco.pirovano at unibocconi.it> wrote:

> Hi Arran,
>
> yes, the universal password is enabled and is working with FR2.
>
> The problem is with FR3.
>
> On FR2 in debug mode:
>
> The client:
>
> [root at cariddi:~] radtest -x pirovano xxxxxxxx 10.5.255.241 1 yyyyyyyy
> Sending Access-Request of id 97 to 10.5.255.241 port 1812
>         User-Name = "pirovano"
>         User-Password = "xxxxxxxx"
>         NAS-IP-Address = 10.5.255.241
>         NAS-Port = 1
>         Message-Authenticator = 0x00000000000000000000000000000000
> rad_recv: Access-Accept packet from host 10.5.255.241 port 1812, id=97,
> length=20
>
> The FR2:
>
>  [eDirectory-UNI] ldap_get_conn: Checking Id: 0
>   [eDirectory-UNI] ldap_get_conn: Got Id: 0
>   [eDirectory-UNI] attempting LDAP reconnection
>   [eDirectory-UNI] (re)connect to ldap.unibocconi.it:389, authentication 0
>   [eDirectory-UNI] starting TLS
>   [eDirectory-UNI] bind as cn=RADIUSAdmin,ou=Servers,o=INetServices/zzzzzzzzz
> to ldap.unibocconi.it:389
>   [eDirectory-UNI] waiting for bind result ...
>   [eDirectory-UNI] Bind was successful
>   [eDirectory-UNI] performing search in ou=Faculty-Staff,ou=Bocconi,o=INetServices,
> with filter (cn=pirovano)
> [eDirectory-UNI] Added the eDirectory password xxxxxxxx in check items as
> Cleartext-Password
>
>
>
> On FR3 in debug mode:
>
> the client:
>
> [root at freeradius3:~] radtest pirovano xxxxxxxx 10.1.1.82 1 yyyyyyyy
> Sent Access-Request Id 157 from 0.0.0.0:35640 to 10.1.1.82:1812 length 78
>         User-Name = "pirovano"
>         User-Password = "xxxxxxxx"
>         NAS-IP-Address = 10.1.1.82
>         NAS-Port = 1
>         Message-Authenticator = 0x00
>         Cleartext-Password = "xxxxxxxx"
> Received Access-Reject Id 157 from 10.1.1.82:1812 to 0.0.0.0:0 length 20
> (0) -: Expected Access-Accept got Access-Reject
>
>
> The FR3:
>
> (0) eDirectory-ICT: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
> (0) eDirectory-ICT:    --> (cn=pirovano)
> (0) eDirectory-ICT: Performing search in "ou=Faculty-Staff,ou=Bocconi,o=INetServices"
> with filter "(cn=pirovano)", scope "sub"
> (0) eDirectory-ICT: Waiting for search result...
> ber_get_next failed.
> ber_get_next failed.
> (0) eDirectory-ICT: User object found at DN "cn=Pirovano,ou=ICT,ou=
> Faculty-Staff,ou=Bocconi,o=INetServices"
>
> (0) eDirectory-ICT: ERROR: Failed to retrieve eDirectory password: (80)
> Other (e.g., implementation specific) error
>
> rlm_ldap (eDirectory-ICT): Released connection (0)
> Need 5 more connections to reach 10 spares
> rlm_ldap (eDirectory-ICT): Opening additional connection (5), 1 of 27
> pending slots used
> rlm_ldap (eDirectory-ICT): Connecting to ldap://ldaps.unibocconi.it:636
> rlm_ldap (eDirectory-ICT): Waiting for bind result...
> rlm_ldap (eDirectory-ICT): Bind successful
> (0)     [eDirectory-ICT] = fail
> (0)   } # authorize = fail
>
>
>
> Thanks.
> Marco
>
>
> ----- On 1-Aug-17, at 19:35, Arran Cudbard-Bell
> a.cudbardb at freeradius.org wrote:
>
> >> On Aug 1, 2017, at 11:29 AM, Marco Pirovano <
> marco.pirovano at unibocconi.it>
> >> wrote:
> >>
> >> Hello list,
> >>
> >> we are using FreeRADIUS to authenticate students' wireless access.
> >> It's FreeRADIUS Version 2.2.8 running on FreeBSD 9.2-STABLE.
> >>
> >> Our LDAP server is eDirectory version 8.8
> >>
> >>
> >> Now, we are upgrading to FreeRADIUS 3.0.15 (installed from ports)
> running on
> >> FreeBSD 11.1-RELEASE.
> >> LDAP is always eDirectory 8.8.
> >>
> >> The bind to the LDAP server is ok, but the user is not authenticated. The
> error is:
> >>
> >>  Invalid user (eDirectory-ICT: Failed to retrieve eDirectory password:
> (80) Other
> >>  (e.g., implementation specific) error):
> >>
> >
> > Have you enabled universal password?
> >
> > https://www.netiq.com/documentation/edir_radius/pdfdoc/radiusadmin/
> radiusadmin.pdf
> >
> > -Arran
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
>
> --
> Marco Pirovano
> Infrastrutture e Tecnologie
> Information and Communication Technology
> Universita' Bocconi
> via Gobbi, 5 - 20136 Milano
> Tel. +39 02 5836.3173  Fax. +39 02 5836.3160
>
> Windows makes noise, Linux plays music,
> but BSD Rocks!
>