Hello Ivan But I don't have a field in the database by that name . The name of the field is "userPassword" . This is what the openLDAP migration scripts generated. Please let me know what mistake I am doing . Also , my question on failover. Is the failover used when the first LDAP server is down / unresponsive to connection attempts or when it is not able to authenticate (example bad username / password) ? Thanks Sambuddho On Thu, 2008-07-03 at 10:24 +0100, Ivan Kalik wrote:
Password (radius) attribute should be Crypt-Password not User-Password.
Ivan Kalik Kalik Informatika ISP
Dana 3/7/2008, "Sambuddho Chakravarty" <sc2516@columbia.edu> piše:
Hello
I set the password_header to = {crypt} and password_attribute to "userPassword" (Thats the name of the field in the database). Now this is what the logs show,
rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=try) rlm_ldap: Added User-Password = $1$n48a7wCp$RfvlOx1pZgiVNfmMmA2xS. in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user try authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap1] returns ok ++- policy redundant returns ok !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type Local auth: user supplied User-Password does NOT match local User-Password auth: Failed to validate the user. Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> try attr_filter: Matched entry DEFAULT at line 11
My guess is authorize{} worked but not authenticate {}. Also , I see both modules ldap1 and ldap2 being loaded but whenever I try to authenticate with the username/password that is found in ldap2 , the radius server never attempts to connect to the other LDAP server. Instead it search for the entries in the "ldap1"'s server only.
Any suggestions ?
Thanks Sambuddho
On Wed, 2008-07-02 at 23:45 +0100, Ivan Kalik wrote:
http://wiki.freeradius.org/index.php/Rlm_ldap
See use of password_header and password_attribute.
Ivan Kalik Kalik Informatika ISP
Dana 2/7/2008, "Sambuddho Chakravarty" <sc2516@columbia.edu> piĹĄe:
Hello I think I know what the problem is. The radius server is looking up using cleartext password , while the LDAP data base stores the hashed passwords. How can I force the radiuse server to search for the password as a hashed value (rather than searching for the clear-text value) ?
Thanks Sambuddho On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
Hello Alan I made sure this time that rlm_ldap was compiled. Now the following is the configuration
------/etc/raddb/modules/ldap-----------
ldap ldap1 { server = "a.b.c.d" ... }
ldap ldap2 { server = "w.x.y.z" ... }
-----/etc/raddb/radiusd.conf-----
authorize { ldap1
ldap2
}
authenticate { ldap1 ldap2 }
------------------------------------
When I execute /sbin/radiusd -X
It shows instantiating module ldap1 and module ldap2
.... Module: Instantiating ldap2 ldap ldap1 { server = "a.b.c.d" port = 389 .... Module: Instantiating ldap2 ldap ldap2 { server = "w.x.y.z" port = 389 ....
When sending a radtest request using the following command (from the same machine as one which is running the server)
$ radtest user "secret" localhost 2 testing123
I get ACCESS-REJECT reply from the sever.
On the server the logs show something like this --------------------------------------------------- It shows binding to both LDAP servers one by one through something like this :
rlm_ldap: performing user authorization for catch WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch) expand: ou=People,dc=example,dc=example -> ou=People,dc=example,dc=example rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0 rlm_ldap: bind as / to 30.0.0.2:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,dc=example,dc=example, with filter (uid=catch) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap1] returns notfound rlm_ldap: - authorize rlm_ldap: performing user authorization for catch WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch) expand: ou=People,dc=example,dc=example -> ou=People,dc=example,dc=example rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0 rlm_ldap: bind as / to 10.0.0.1:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,dc=example,dc=example, with filter (uid=catch) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap2] returns notfound
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user.
You can see it is attempting to search both databases but fails. If I use a simple telnet or ssh to authenticate against the LDAP server it logs in fine. LDAP client login against the LDAP server is otherwise working fine. I know I have been bothering using trivial question. But any help would be appreciated :-)
Thanks in advance. Sambuddho
On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote:
Sambuddho Chakravarty wrote: > This is exactly what I did . I forgot to put the separate module names
The consistent problems you see make me think that the issue is more than "forgot".
> And now when I try to start the server this is what the error I see : > > > server { > modules { > Module: Checking authenticate {...} for more modules to load > //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap':
So.... was that module built? Apparently not...
> When trying with a single server ,it matches the radius request against > rlm_pap and not rlm_ldap. I am confused.
Perhaps reading the debug output (and that of "configure" and "make") would help.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/usershtml
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html