I am trying to set up what I thought should be a fairly simple FreeRADIUS configuration, but I am having problems.

Simply put, I would like FreeRADIUS to authenticate against our LDAP servers and look into a couple of groups to see if the user is authorized. I would also like to have redundant LDAP servers so that if one went down for maintenance or other reasons users could still authenticate. I can get FreeRADIUS to work with one LDAP server, but when I try to implement the redundant configuration I have not had any success.

According to the debug log, it is finding the group the user belongs to correctly, but instead of setting the Auth-Type to LDAP it is setting it to PAP and rejecting. When I configure the system for one LDAP server the Auth-Type is LDAP and everything works.

It is probably something simple that I am missing, and I would appreciate any suggestions.

I have included the debug log below and the configuration files; I have removed all the comments from the configuration files to be under the 100k size restriction for the list.

Thanks

Output from request in debugging mode:

rad_recv: Access-Request packet from host 127.0.0.1 port 47611, id=245, length=60
    User-Name = "testuser"
    User-Password = "testpassword"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
[ldap-server1] Entering ldap_groupcmp()
[files] expand: ou=people,o=test,o=isp -> ou=people,o=test,o=isp
[files] expand: %{Stripped-User-Name} ->
[files] ... expanding second conditional
[files] expand: %{User-Name} -> testuser
[files] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testuser)
    [ldap-server1] ldap_get_conn: Checking Id: 0
    [ldap-server1] ldap_get_conn: Got Id: 0
    [ldap-server1] attempting LDAP reconnection
    [ldap-server1] (re)connect to ldapserver.somedomain.com:389, authentication 0
    [ldap-server1] bind as uid=testuser, ou=people, o=test, o=isp/testpassword to ldapserver.somedomain.com:389
    [ldap-server1] waiting for bind result ...
    [ldap-server1] Bind was successful
    [ldap-server1] performing search in ou=people,o=test,o=isp, with filter (uid=testuser)
    [ldap-server1] ldap_release_conn: Release Id: 0
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=uid\3dtestuser\2cou\3dpeople\2co\3dtest\2co\3disp))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestuser\2cou\3dpeople\2co\3dtest\2co\3disp)))
    [ldap-server1] ldap_get_conn: Checking Id: 0
    [ldap-server1] ldap_get_conn: Got Id: 0
    [ldap-server1] performing search in cn=DialupFS,ou=Groups,o=test,o=isp, with filter (|(&(objectClass=GroupOfNames)(member=uid\3dtestuser\2cou\3dpeople\2co\3dtest\2co\3disp))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestuser\2cou\3dpeople\2co\3dtest\2co\3disp)))
rlm_ldap::ldap_groupcmp: User found in group cn=DialupFS,ou=Groups,o=test,o=isp
    [ldap-server1] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 166
++[files] returns ok
++- entering policy redundant {...}
[ldap-server1] performing user authorization for testuser
[ldap-server1] expand: %{Stripped-User-Name} ->
[ldap-server1] ... expanding second conditional
[ldap-server1] expand: %{User-Name} -> testuser
[ldap-server1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testuser)
[ldap-server1] expand: ou=people,o=test,o=isp -> ou=people,o=test,o=isp
    [ldap-server1] ldap_get_conn: Checking Id: 0
    [ldap-server1] ldap_get_conn: Got Id: 0
    [ldap-server1] performing search in ou=people,o=test,o=isp, with filter (uid=testuser)
    [ldap-server1] looking for check items in directory...
    [ldap-server1] sambaNtPassword -> NT-Password == 0x4234354137334235383034463441323531343346353339333433413430363642
    [ldap-server1] sambaLmPassword -> LM-Password == 0x3036323444434332394538433236434346463137333635464146314646453839
    [ldap-server1] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap-server1] user testuser authorized to use remote access
    [ldap-server1] ldap_release_conn: Release Id: 0
+++[ldap-server1] returns ok
++- policy redundant returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "testpassword"
[pap] Using CRYPT encryption.
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> testuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 245 to 127.0.0.1 port 47611
    Reply-Message = "FS User Authorized"
Waking up in 4.9 seconds.
Cleaning up request 0 ID 245 with timestamp +48
Ready to process requests.

Default file:

authorize {
    preprocess
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    unix
    files
    redundant {
        ldap-server1
        ldap-server2
    }
    expiration
    logintime
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    unix
    Auth-Type LDAP {
        redundant {
            ldap-server1
            ldap-server2
        }
    }
    eap
}

preacct {
    preprocess
    acct_unique
    suffix
    files
}

accounting {
    detail
    unix
    radutmp
    attr_filter.accounting_response
}

session {
    radutmp
}

post-auth {
    exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}

pre-proxy {
}

post-proxy {
    eap
}

Users file:

DEFAULT ldap-server1-Ldap-Group == "cn=DialupFS,ou=Groups,o=test,o=isp"
    Reply-Message = "FS User Authorized"

DEFAULT ldap-server1-Ldap-Group == "cn=DialupST,ou=Groups,o=test,o=isp"
    Reply-Message = "ST User Authorized"

DEFAULT ldap-server2-Ldap-Group == "cn=DialupFS,ou=Groups,o=test,o=isp"
    Reply-Message = "FS User Authorized"

DEFAULT ldap-server2-Ldap-Group == "cn=DialupST,ou=Groups,o=test,o=isp"
    Reply-Message = "ST User Authorized"

DEFAULT Auth-Type := Reject
    Reply-Message = "User Not Authorized"

DEFAULT Framed-Protocol == PPP
    Framed-Protocol = PPP,
    Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
    Framed-Protocol = SLIP,
    Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
    Framed-Protocol = SLIP

ldap module file:

ldap ldap-server1 {
    server = "ldapserver.somedomain.com"
    identity = "uid=raduser, ou=people, o=test, o=isp"
    password = testpassword
    basedn = "ou=people,o=test,o=isp"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = no
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
    groupname_attribute = cn
    groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
}

ldap ldap-server2 {
    server = "ldapserver2.somedomain.com"
    identity = "uid=raduser, ou=people, o=test, o=isp"
    password = testpassword
    basedn = "ou=people,o=test,o=isp"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = no
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
    groupname_attribute = cn
    groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
}

The radiusd.conf file:

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

name = radiusd

confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}

db_dir = ${raddbdir}

libdir = ${exec_prefix}/lib

pidfile = ${run_dir}/${name}.pid

max_request_time = 30
cleanup_delay = 5
max_requests = 1024

listen {
    type = auth
    ipaddr = *
    port = 0
}

listen {
    ipaddr = *
    port = 0
    type = acct
}

hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes

log {
    destination = files
    file = ${logdir}/radius.log
    syslog_facility = daemon
    stripped_names = no
    auth = no
    auth_badpass = no
    auth_goodpass = no
}

checkrad = ${sbindir}/checkrad

security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
}

proxy_requests = yes
$INCLUDE proxy.conf

$INCLUDE clients.conf

thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}

modules {
    $INCLUDE ${confdir}/modules/
    $INCLUDE eap.conf
}

instantiate {
    exec
    expr
    ldap-server1
    ldap-server2
    expiration
    logintime
}

$INCLUDE policy.conf

$INCLUDE sites-enabled/