Hi everybody,<br>I have a big problem in freeradius installed in version 1.1.4 on RHEL 5, and today it's the third day i'm looking for a solution :(<br>Here is the problem:<br>I configured Freeradius to look in openldap directory to auth and auth an user.<br>
The authentication phase is OK<br>During the auth phase, a ldap search is done : if the user is member of a group identified by the host ip he wants to connect, the user is authorized.<br>The problem is here : freeradius receives an Access-Request packet with a NAS-IP-Address (the good one) and to search in the ldap, it doesn't send the ip received in the packet but another one ! <br>
<br>Why this attribute is modified ?<br>Is there any cache (the other ip comes from another equipment) ?<br><br>Thanks for any helpful idea<br><br>Here are <br>/etc/raddb/users (I also tried with ldap-group == "%{NAS-IP-Address}" )<br>
--------------------------------------------------------<br>DEFAULT ldap-group == "%{Client-Ip-Address}", Auth-Type := LDAP<br> Service-Type = 1,<br> Fall-Through = no<br><br>DEFAULT Auth-Type := Reject<br>
Fall-Through = no,<br> Reply-Message = "You are not authorized to log in to this host :("<br>--------------------------------------------------------<br><br>/etc/raddb/clients.conf<br>--------------------------------------------------------<br>
client <a href="http://126.50.0.0/8">126.50.0.0/8</a> {<br> secret = secretsecret<br> shortname = shortname<br>} <br>--------------------------------------------------------<br>
<br>radius LOG (with radiusd -X)<br>--------------------------------------------------------<br>
rad_recv: Access-Request packet from host <b><span style="color: rgb(255, 0, 0);">126.50.0.148</span></b>:1645, id=17, length=82<br> NAS-IP-Address = <b style="color: rgb(255, 0, 0);">126.50.0.148</b><br> NAS-Port = 1<br>
NAS-Port-Type = Virtual<br> User-Name = "testadmin"<br> Calling-Station-Id = "XX.XX.XX.XX"<br> User-Password = "XXXXXXXXX"<br> Processing the authorize section of radiusd.conf<br>
modcall: entering group authorize for request 4<br> modcall[authorize]: module "preprocess" returns ok for request 4<br>rlm_ldap: Entering ldap_groupcmp()<br>radius_xlat: 'dc=example,dc=com'<br>radius_xlat: '(uid=testadmin)'<br>
rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>rlm_ldap: performing search in dc=example,dc=com, with filter (uid=testadmin)<br>rlm_ldap: ldap_search() failed: LDAP connection lost.<br>rlm_ldap: Attempting reconnect<br>
rlm_ldap: attempting LDAP reconnection<br>rlm_ldap: closing existing LDAP connection<br>rlm_ldap: (re)connect to <a href="http://127.0.0.1:389">127.0.0.1:389</a>, authentication 0<br>rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow<br>
rlm_ldap: starting TLS<br>rlm_ldap: bind as uid=radius,ou=applications,dc=example,dc=com/radiuspass to <a href="http://127.0.0.1:389">127.0.0.1:389</a><br>rlm_ldap: waiting for bind result ...<br>rlm_ldap: Bind was successful<br>
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=testadmin)<br>rlm_ldap: ldap_release_conn: Release Id: 0<br>radius_xlat: '(|(&(objectClass=GroupOfNames)(member=uid\3dtestAdmin\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestAdmin\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom)))'<br>
rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>rlm_ldap: performing search in dc=example,dc=com, with filter (&(cn=<b style="color: rgb(255, 0, 0);">126.50.0.147</b>)(|(&(objectClass=GroupOfNames)(member=uid\3dtestAdmin\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestAdmin\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom))))<br>
rlm_ldap::ldap_groupcmp: User found in group 126.50.0.147<br>rlm_ldap: ldap_release_conn: Release Id: 0<br> users: Matched entry DEFAULT at line 3<br> modcall[authorize]: module "files" returns ok for request 4<br>
rlm_ldap: - authorize<br>rlm_ldap: performing user authorization for testadmin<br>radius_xlat: '(uid=testadmin)'<br>radius_xlat: 'dc=example,dc=com'<br>rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=testadmin)<br>rlm_ldap: looking for check items in directory...<br>rlm_ldap: looking for reply items in directory...<br>rlm_ldap: user testadmin authorized to use remote access<br>
rlm_ldap: ldap_release_conn: Release Id: 0<br> modcall[authorize]: module "ldap" returns ok for request 4<br>modcall: leaving group authorize (returns ok) for request 4<br> rad_check_password: Found Auth-Type LDAP<br>
auth: type "LDAP"<br> Processing the authenticate section of radiusd.conf<br>modcall: entering group LDAP for request 4<br>rlm_ldap: - authenticate<br>rlm_ldap: login attempt by "testadmin" with password "XXXXXXXXX"<br>
rlm_ldap: user DN: uid=testAdmin,uid=test01,ou=users,dc=example,dc=com<br>rlm_ldap: (re)connect to <a href="http://127.0.0.1:389">127.0.0.1:389</a>, authentication 1<br>rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow<br>
rlm_ldap: starting TLS<br>rlm_ldap: bind as uid=testAdmin,uid=test01,ou=users,dc=example,dc=com/XXXXXXXXX to <a href="http://127.0.0.1:389">127.0.0.1:389</a><br>rlm_ldap: waiting for bind result ...<br>rlm_ldap: Bind was successful<br>
rlm_ldap: user testadmin authenticated succesfully<br> modcall[authenticate]: module "ldap" returns ok for request 4<br>modcall: leaving group LDAP (returns ok) for request 4<br>Login OK: [testadmin/XXXXXXXXX] (from client petitnom port 1 cli 126.100.100.6)<br>
Sending Access-Accept of id 17 to 126.50.0.148 port 1645<br> Service-Type = Login-User<br>Finished request 4<br>Going to the next request<br>--- Walking the entire request list ---<br>Waking up in 6 seconds...<br clear="all">
--------------------------------------------------------<br>
<br><br>-- <br>KeV<br>