Hi all,<br><br>I am facing problems with LDAP and FreeRADIUS on Red Hat
Linux AS 4. I can successfully authenticate Windows XP machines
with the FreeRADIUS local "users" file and MD5 through a Cisco 2950. radtest
succeeds for the LDAP users, but radiusd -X shows "rlm_ldap:
Attribute "User-Password" is required for authentication." and
"modcall[authenticate]: module "ldap" returns invalid for request 0". <br><br>Any help will be appreciated. Thanks. <br><br>I am using the configuration file that ships with the source. <br>-------------------<br>[
root@localhost ~]# cat /etc/raddb/radiusd.conf<br>prefix = /usr<br>exec_prefix = ${prefix}
<br>sysconfdir = /etc<br>localstatedir = /var<br>sbindir = ${exec_prefix}/sbin<br>logdir = ${localstatedir}/log/radius<br>raddbdir = ${sysconfdir}/raddb<br>radacctdir = ${logdir}/radacct<br><br>confdir = ${raddbdir}<br>run_dir = ${localstatedir}/run/radiusd
<br><br>log_file = ${logdir}/radius.log<br><br>libdir = /usr/lib/freeradius<br><br>pidfile = ${run_dir}/radiusd.pid<br><br><br>user = radiusd<br>group = radiusd<br><br>max_request_time = 30<br>delete_blocked_requests = no
<br>cleanup_delay = 5<br>max_requests = 0<br>bind_address = *<br>port = 0<br>hostname_lookups = no<br>allow_core_dumps = no<br>regular_expressions = yes<br>extended_expressions = yes<br>log_stripped_names = no<br>
log_auth = no
<br>log_auth_badpass = no<br>log_auth_goodpass = no<br><br># The program to execute to do concurrency checks.<br>#checkrad = ${sbindir}/checkrad<br><br>security {<br> max_attributes = 200<br> reject_delay = 0
<br> status_server = no<br>}<br><br>proxy_requests = yes<br>$INCLUDE ${confdir}/proxy.conf<br><br>$INCLUDE ${confdir}/clients.conf<br><br>thread pool {<br> start_servers = 5<br> max_servers = 32<br>
min_spare_servers = 3<br> max_spare_servers = 10<br> max_requests_per_server = 0<br>}<br><br>modules {<br><br> ldap {<br> server = "10.10.29.251"
<br> #identity = "uid=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com"<br> #identity = "cn=Manager,dc=example,dc=com"<br> #password = password<br> basedn = "ou=people,dc=example,dc=com"
<br> #filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile)"<br> start_tls = no<br> tls_mode = no<br> #default_profile = "uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com"
<br> #profile_attribute = "radiusProfileDn"<br> dictionary_mapping = ${raddbdir}/ldap.attrmap<br> ldap_cache_timeout = 120<br> ldap_cache_size = 0<br> ldap_connections_number = 10
<br> #password_header = "{crypt}"<br> password_attribute = userPassword<br> #groupname_attribute = radiusGroupName<br> #groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}}))(objectclass=radiusProfile)"
<br> #groupmembership_attribute = radiusGroupName<br> timeout = 3<br> timelimit = 5<br> net_timeout = 1<br> compare_check_items = no<br> #access_attr_used_for_allow = yes<br> }
<br><br> realm suffix {<br> format = suffix<br> delimiter = "@"<br> }<br><br> preprocess {<br> huntgroups = ${confdir}/huntgroups<br> #hints = ${confdir}/hints
<br> with_ascend_hack = no<br> ascend_channels_per_line = 23<br> with_ntdomain_hack = no<br> with_specialix_jetstream_hack = no<br> with_cisco_vsa_hack = no
<br> }<br><br> files {<br> usersfile = ${confdir}/users<br> #acctusersfile = ${confdir}/acct_users<br> compat = no<br> #use old style users<br> }
<br> # regular detail files<br> detail detail1 {<br> detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d<br> detailperm = 0600<br> dirperm = 0755<br> }
<br> # temp detail file to replicate to accountrad<br> detail detail2 {<br> detailfile= ${radacctdir}/detail-combined<br> detailperm = 0600<br> dirperm = 0755<br>
locking = yes<br> }<br><br> acct_unique {<br> key = "User-Name, Acct-Session-Id, NAS-IP-Address,Client-IP-Address, NAS-Port-Id"<br> }<br><br><br> #radutmp {
<br> # filename = ${logdir}/radutmp<br> # perm = 0600<br> # callerid = "yes"<br> #}<br><br> #radutmp sradutmp {<br> # filename = ${logdir}/sradutmp
<br> # perm = 0644<br> # callerid = "no"<br> #}<br><br> #attr_filter {<br> # attrsfile = ${confdir}/attrs<br> #}<br><br><br> # The "always" module is here for debugging purposes. Each
<br> # instance simply returns the same result, always, without<br> # doing anything.<br> always fail {<br> rcode = fail<br> }<br> always reject {<br> rcode = reject
<br> }<br> always ok {<br> rcode = ok<br> simulcount = 0<br> mpp = no<br> }<br><br> #<br> # The 'expression' module current has no configuration.
<br> expr {<br> }<br><br>}<br><br>instantiate {<br> expr<br>}<br><br>authorize {<br> preprocess<br> suffix<br> files<br> ldap<br>}<br><br>authenticate {<br> authtype LDAP {
<br> ldap<br> }<br>}<br><br>preacct {<br> preprocess<br> suffix<br> files<br>}<br><br>accounting {<br> acct_unique<br> detail1<br> detail2<br> #radutmp
<br> #sradutmp<br>}<br><br><br>#session {<br> #radutmp<br>#}<br><br>#post-auth {<br> # Get an address from the IP Pool.<br> #main_pool<br>#}<br>----------------------------------------<br>
The LDIF file:<br>dn: uid=ldapuser5,ou=People,dc=example,dc=com<br>uid: ldapuser5<br>cn: ldapuser5<br>userPassword: {crypt}$1$1jD47Q.o$o.Aqkoe/Z7au.phSO6ULW1<br>objectclass: radiusprofile<br>objectClass: account<br>#objectClass: posixAccount
<br>objectClass: top<br>objectClass: shadowAccount<br>radiusServiceType: Framed-User<br>radiusFramedProtocol: Ethernet<br>radiusFramedIPNetmask: 255.255.255.0<br>radiusFramedRouting: None
<br>---------------------------------------------------------------------------------------------------------<br><br><br><br>Ready to process requests.<br>rad_recv: Access-Request packet from host 10.10.29.49:1812, id=61, length=133<br> NAS-IP-Address = 10.10.29.49<br> NAS-Port = 50035<br> NAS-Port-Type = Ethernet
<br> User-Name = "ldapuser5"
<br> Called-Station-Id = "00-14-69-B1-DE-63"<br> Calling-Station-Id = "00-11-85-81-FE-9F"<br> Service-Type = Framed-User<br> Framed-MTU = 1500<br> EAP-Message = 0x0200000e016c6461707573657235
<br> Message-Authenticator = 0xa87b5810daf6ae5596070a302b227a3a<br> Processing the authorize section of radiusd.conf<br>modcall: entering group authorize for request 0<br> modcall[authorize]: module "preprocess" returns ok for request 0
<br> rlm_realm: No '@' in User-Name = "ldapuser5", looking up realm NULL<br> rlm_realm: No such realm "NULL"<br> modcall[authorize]: module "suffix" returns noop for request 0<br> users: Matched DEFAULT at 153
<br> users: Matched DEFAULT at 157<br> users: Matched DEFAULT at 175<br> users: Matched DEFAULT at 204<br> modcall[authorize]: module "files" returns ok for request 0<br>rlm_ldap: - authorize<br>rlm_ldap: performing user authorization for ldapuser5
<br>radius_xlat: '(uid=ldapuser5)'<br>radius_xlat: 'ou=people,dc=example,dc=com'<br>rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>rlm_ldap: attempting LDAP reconnection<br>rlm_ldap: (re)connect to 10.10.29.251:389, authentication 0<br>rlm_ldap: bind as / to 10.10.29.251:389<br>rlm_ldap: waiting for bind result ...<br>rlm_ldap: Bind was successful
<br>rlm_ldap: performing search in ou=people,dc=example,dc=com, with filter (uid=ldapuser5)<br>rlm_ldap: Added password {crypt}$1$1jD47Q.o$o.Aqkoe/Z7au.phSO6ULW1 in check items<br>rlm_ldap: looking for check items in directory...
<br>rlm_ldap: looking for reply items in directory...<br>rlm_ldap: Adding radiusFramedRouting as Framed-Routing, value None & op=11<br>rlm_ldap: Adding radiusFramedIPNetmask as Framed-IP-Netmask, value 255.255.255.0 & op=11<br>rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value Ethernet & op=11<br>rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & op=11<br>rlm_ldap: user ldapuser5 authorized to use remote access
<br>rlm_ldap: ldap_release_conn: Release Id: 0<br> modcall[authorize]: module "ldap" returns ok for request 0<br>modcall: group authorize returns ok for request 0<br> rad_check_password: Found Auth-Type LDAP
<br>
auth: type "LDAP"<br> Processing the authenticate section of radiusd.conf<br>modcall: entering group authtype for request 0<br>rlm_ldap: - authenticate<br>rlm_ldap: Attribute "User-Password" is required for authentication.
<br> modcall[authenticate]: module "ldap" returns invalid for request 0<br>modcall: group authtype returns invalid for request 0<br>auth: Failed to validate the user.<br>Sending Access-Reject of id 61 to 10.10.29.49:1812<br>Finished request 0<br>Going to the next request<br>--- Walking the entire request list ---<br>Waking up in 6 seconds...<br>--- Walking the entire request list ---<br>Cleaning up request 0 ID 61 with timestamp 44458f3a
<br>Nothing to do. Sleeping until we see a request.<br><br><br>Abey Babu Thomas