<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<STYLE type=text/css>P {
MARGIN: 0px
}
</STYLE>
<STYLE type=text/css>BODY {
FONT-SIZE: 10pt; COLOR: #000000; FONT-FAMILY: 'Times New Roman'
}
</STYLE>
<META content="MSHTML 6.00.3790.2993" name=GENERATOR></HEAD>
<BODY>
<DIV id=DSEPDIV><SPAN
style="FONT-SIZE: 12pt; COLOR: rgb(0,0,0); FONT-FAMILY: Arial,sans-serif; TEXT-ALIGN: left"><STRONG>UNCLASSIFIED</STRONG></SPAN><BR><BR></DIV>
<DIV dir=ltr align=left><FONT face=Tahoma><B>From:</B>
freeradius-users-bounces+frank.ranner=defence.gov.au@lists.freeradius.org
[mailto:freeradius-users-bounces+frank.ranner=defence.gov.au@lists.freeradius.org]
<B>On Behalf Of </B>Renato Gregio de Souza Filho<BR><B>Sent:</B> Saturday, 19
January 2008 03:53<BR><B>To:</B>
freeradius-users@lists.freeradius.org<BR><B>Subject:</B> freeradius authenticate
over ldap database<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV>I'm trying to install and configure my freeradius at rhel 5 to authenticate
in ldapdatabase. i read the rml_ldap and configure then according i understand.
I start my server with no problem, but i'm not sure if its working good or bad.
I create a test user at ldap database with username and passowrd are "teste" and
try to test it from radtest, but it won't work. The password at ldap database
are crypt.<BR><BR>[root@poseidon raddb]# radtest teste teste localhost:1812
testing123<BR>Usage: radtest user passwd radius-server[:port] nas-port-number
secret [ppphint] [nasname]<BR>[root@poseidon raddb]# <BR><BR><BR>When i start my
radiusd, they start without problens. What i need to do to put it working fine
over ldap database?<BR><BR><BR><BR>[root@poseidon raddb]# radiusd -X<BR>Starting
- reading configuration files ...<BR>reread_config: reading
radiusd.conf<BR>Config: including file:
/etc/raddb/proxy.conf<BR>Config: including file:
/etc/raddb/clients.conf<BR>Config: including file:
/etc/raddb/snmp.conf<BR>Config: including file:
/etc/raddb/eap.conf<BR> main: prefix = "/usr"<BR> main: localstatedir
= "/var"<BR> main: logdir = "/var/log/radius"<BR> main: libdir =
"/usr/lib64"<BR> main: radacctdir =
"/var/log/radius/radacct"<BR> main: hostname_lookups = no<BR> main:
snmp = no<BR> main: max_request_time = 30<BR> main: cleanup_delay =
5<BR> main: max_requests = 1024<BR> main: delete_blocked_requests =
0<BR> main: port = 0<BR> main: allow_core_dumps = no<BR> main:
log_stripped_names = no<BR> main: log_file =
"/var/log/radius/radius.log"<BR> main: log_auth = no<BR> main:
log_auth_badpass = no<BR> main: log_auth_goodpass = no<BR> main:
pidfile = "/var/run/radiusd/radiusd.pid"<BR> main: user =
"radiusd"<BR> main: group = "radiusd"<BR> main: usercollide =
no<BR> main: lower_user = "no"<BR> main: lower_pass =
"no"<BR> main: nospace_user = "no"<BR> main: nospace_pass =
"no"<BR> main: checkrad = "/usr/sbin/checkrad"<BR> main:
proxy_requests = yes<BR> proxy: retry_delay = 5<BR> proxy: retry_count
= 3<BR> proxy: synchronous = no<BR> proxy: default_fallback =
yes<BR> proxy: dead_time = 120<BR> proxy: post_proxy_authorize =
no<BR> proxy: wake_all_if_all_dead = no<BR> security: max_attributes =
200<BR> security: reject_delay = 1<BR> security: status_server =
no<BR> main: debug_level = 0<BR>read_config_files: reading
dictionary<BR>read_config_files: reading naslist<BR>Using deprecated
naslist file. Support for this will go away
soon.<BR>read_config_files: reading clients<BR>read_config_files:
reading realms<BR>radiusd: entering modules setup<BR>Module: Library
search path is /usr/lib64<BR>Module: Loaded exec <BR> exec: wait =
yes<BR> exec: program = "(null)"<BR> exec: input_pairs =
"request"<BR> exec: output_pairs = "(null)"<BR> exec: packet_type =
"(null)"<BR>rlm_exec: Wait=yes but no output defined. Did you mean
output=none?<BR>Module: Instantiated exec (exec) <BR>Module: Loaded expr
<BR>Module: Instantiated expr (expr) <BR>Module: Loaded PAP <BR> pap:
encryption_scheme = "crypt"<BR>Module: Instantiated pap (pap) <BR>Module: Loaded
CHAP <BR>Module: Instantiated chap (chap) <BR>Module: Loaded MS-CHAP
<BR> mschap: use_mppe = yes<BR> mschap: require_encryption =
no<BR> mschap: require_strong = no<BR> mschap: with_ntdomain_hack =
no<BR> mschap: passwd = "(null)"<BR> mschap: ntlm_auth =
"(null)"<BR>Module: Instantiated mschap (mschap) <BR>Module: Loaded System
<BR> unix: cache = no<BR> unix: passwd = "(null)"<BR> unix:
shadow = "/etc/shadow"<BR> unix: group = "(null)"<BR> unix: radwtmp =
"/var/log/radius/radwtmp"<BR> unix: usegroup = no<BR> unix:
cache_reload = 600<BR>Module: Instantiated unix (unix) <BR>Module: Loaded eap
<BR> eap: default_eap_type = "md5"<BR> eap: timer_expire =
60<BR> eap: ignore_unknown_eap_types = no<BR> eap:
cisco_accounting_username_bug = no<BR>rlm_eap: Loaded and initialized type
md5<BR>rlm_eap: Loaded and initialized type leap<BR> gtc: challenge =
"Password: "<BR> gtc: auth_type = "PAP"<BR>rlm_eap: Loaded and initialized
type gtc<BR> mschapv2: with_ntdomain_hack = no<BR>rlm_eap: Loaded and
initialized type mschapv2<BR>Module: Instantiated eap (eap) <BR>Module: Loaded
preprocess <BR> preprocess: huntgroups =
"/etc/raddb/huntgroups"<BR> preprocess: hints =
"/etc/raddb/hints"<BR> preprocess: with_ascend_hack =
no<BR> preprocess: ascend_channels_per_line = 23<BR> preprocess:
with_ntdomain_hack = no<BR> preprocess: with_specialix_jetstream_hack =
no<BR> preprocess: with_cisco_vsa_hack = no<BR> preprocess:
with_alvarion_vsa_hack = no<BR>Module: Instantiated preprocess (preprocess)
<BR>Module: Loaded realm <BR> realm: format = "suffix"<BR> realm:
delimiter = "@"<BR> realm: ignore_default = no<BR> realm: ignore_null
= no<BR>Module: Instantiated realm (suffix) <BR>Module: Loaded files
<BR> files: usersfile = "/etc/raddb/users"<BR> files: acctusersfile =
"/etc/raddb/acct_users"<BR> files: preproxy_usersfile =
"/etc/raddb/preproxy_users"<BR> files: compat = "no"<BR>Module:
Instantiated files (files) <BR>Module: Loaded LDAP <BR> ldap: server =
"localhost"<BR> ldap: port = 389<BR> ldap: net_timeout =
1<BR> ldap: timeout = 4<BR> ldap: timelimit = 3<BR> ldap:
identity = "cn=admin,dc=radius,dc=com,dc=br"<BR> ldap: tls_mode =
no<BR> ldap: start_tls = no<BR> ldap: tls_cacertfile =
"(null)"<BR> ldap: tls_cacertdir = "(null)"<BR> ldap: tls_certfile =
"(null)"<BR> ldap: tls_keyfile = "(null)"<BR> ldap: tls_randfile =
"(null)"<BR> ldap: tls_require_cert = "allow"<BR> ldap: password =
"pcistl00"<BR> ldap: basedn = "dc=radius,dc=com,dc=br"<BR> ldap:
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"<BR> ldap: base_filter
= "(objectclass=radiusprofile)"<BR> ldap: default_profile =
"(null)"<BR> ldap: profile_attribute = "(null)"<BR> ldap:
password_header = "(null)"<BR> ldap: password_attribute =
"(null)"<BR> ldap: access_attr = "dialupAccess"<BR> ldap:
groupname_attribute = "cn"<BR> ldap: groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"<BR> ldap:
groupmembership_attribute = "(null)"<BR> ldap: dictionary_mapping =
"/etc/raddb/ldap.attrmap"<BR> ldap: ldap_debug = 0<BR> ldap:
ldap_connections_number = 5<BR> ldap: compare_check_items =
no<BR> ldap: access_attr_used_for_allow = yes<BR> ldap: do_xlat =
yes<BR> ldap: set_auth_type = yes<BR>rlm_ldap: Registering ldap_groupcmp
for Ldap-Group<BR>rlm_ldap: Registering ldap_xlat with xlat_name
ldap<BR>rlm_ldap: Over-riding set_auth_type, as we're not listed in the
"authenticate" section.<BR>rlm_ldap: reading ldap<->radius mappings from
file /etc/raddb/ldap.attrmap<BR>rlm_ldap: LDAP radiusCheckItem mapped to RADIUS
$GENERIC$<BR>rlm_ldap: LDAP radiusReplyItem mapped to RADIUS
$GENERIC$<BR>rlm_ldap: LDAP radiusAuthType mapped to RADIUS
Auth-Type<BR>rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS
Simultaneous-Use<BR>rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS
Called-Station-Id<BR>rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS
Calling-Station-Id<BR>rlm_ldap: LDAP sambaLMPassword mapped to RADIUS
LM-Password<BR>rlm_ldap: LDAP sambaNTPassword mapped to RADIUS
NT-Password<BR>rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS
SMB-Account-CTRL-TEXT<BR>rlm_ldap: LDAP radiusExpiration mapped to RADIUS
Expiration<BR>rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS
NAS-IP-Address<BR>rlm_ldap: LDAP radiusServiceType mapped to RADIUS
Service-Type<BR>rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS
Framed-Protocol<BR>rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS
Framed-IP-Address<BR>rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS
Framed-IP-Netmask<BR>rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS
Framed-Route<BR>rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS
Framed-Routing<BR>rlm_ldap: LDAP radiusFilterId mapped to RADIUS
Filter-Id<BR>rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS
Framed-MTU<BR>rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS
Framed-Compression<BR>rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS
Login-IP-Host<BR>rlm_ldap: LDAP radiusLoginService mapped to RADIUS
Login-Service<BR>rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS
Login-TCP-Port<BR>rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS
Callback-Number<BR>rlm_ldap: LDAP radiusCallbackId mapped to RADIUS
Callback-Id<BR>rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS
Framed-IPX-Network<BR>rlm_ldap: LDAP radiusClass mapped to RADIUS
Class<BR>rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS
Session-Timeout<BR>rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS
Idle-Timeout<BR>rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS
Termination-Action<BR>rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS
Login-LAT-Service<BR>rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS
Login-LAT-Node<BR>rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS
Login-LAT-Group<BR>rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
Framed-AppleTalk-Link<BR>rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to
RADIUS Framed-AppleTalk-Network<BR>rlm_ldap: LDAP radiusFramedAppleTalkZone
mapped to RADIUS Framed-AppleTalk-Zone<BR>rlm_ldap: LDAP radiusPortLimit mapped
to RADIUS Port-Limit<BR>rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS
Login-LAT-Port<BR>rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS
Reply-Message<BR>conns: 0x555574851690<BR>Module: Instantiated ldap (ldap)
<BR>Module: Loaded Acct-Unique-Session-Id <BR> acct_unique: key =
"User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port"<BR>Module: Instantiated acct_unique (acct_unique) <BR>Module: Loaded
detail <BR> detail: detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"<BR> detail:
detailperm = 384<BR> detail: dirperm = 493<BR> detail: locking =
no<BR>Module: Instantiated detail (detail) <BR>Module: Loaded radutmp
<BR> radutmp: filename = "/var/log/radius/radutmp"<BR> radutmp:
username = "%{User-Name}"<BR> radutmp: case_sensitive =
yes<BR> radutmp: check_with_nas = yes<BR> radutmp: perm =
384<BR> radutmp: callerid = yes<BR>Module: Instantiated radutmp (radutmp)
<BR>Listening on authentication *:1812<BR>Listening on accounting
*:1813<BR>Ready to process requests.<BR><BR><BR><BR><BR><BR>att<BR>Renato
Gregio<BR><SPAN class=350543804-13112007><FONT face=Arial
color=#0000ff> </FONT></SPAN></DIV>
<DIV><SPAN class=350543804-13112007></SPAN> </DIV>
<DIV><SPAN class=350543804-13112007><FONT face=Arial color=#0000ff>Perhaps you
could have shown the log messages resulting from the radclient request. Also,
the ldif record of your test user. </FONT></SPAN></DIV>
<DIV><SPAN class=350543804-13112007><FONT face=Arial color=#0000ff>In any case,
my guess would be that the user in ldap doesnt have a radiusprofile objectclass
(<FONT face="Times New Roman" color=#000000>ldap: base_filter =
"(objectclass=radiusprofile)"</FONT><BR>) that you have
specified.</FONT></SPAN></DIV>
<DIV><SPAN class=350543804-13112007><FONT face=Arial
color=#0000ff></FONT></SPAN> </DIV>
<DIV><SPAN class=350543804-13112007><FONT face=Arial
color=#0000ff>regards,</FONT></SPAN></DIV>
<DIV><SPAN class=350543804-13112007><FONT face=Arial color=#0000ff>Frank
Ranner</FONT></SPAN></DIV></BODY></HTML>