I'm not sure I understand why my approach is so incorrect. If I am wrong, please explain it to me. My understanding is we've AUTHORIZED the request by pulling the password information off of the LDAP server and storing it in memory. Then (according to my understanding of the radiusd.conf) in the authenticate {} block, we pick which modules in order will do the AUTHENTICATION part of the AAA session. One of the two modules will always fail. We first try the digest module and get this: Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 1 ERROR: No Digest-Nonce: Cannot perform Digest authentication modcall[authenticate]: module "digest" returns invalid for request 1 Then we move on to the next section of the Auth-Type LDAP configuration section of the authenticate {} block, and allow the LDAP module to take a crack at it and thus we have a sucessful authentication: rlm_ldap: - authenticate rlm_ldap: login attempt by "dcorbe" with password "cgpe845Z" rlm_ldap: user DN: uid=dcorbe,ou=People,dc=corbe,dc=net rlm_ldap: (re)connect to 127.0.0.1:389, authentication 1 rlm_ldap: bind as uid=dcorbe,ou=People,dc=corbe,dc=net/cgpe845Z to 127.0.0.1:389 rlm_ldap: waiting for bind result ... request 1 done rlm_ldap: Bind was successful rlm_ldap: user dcorbe authenticated succesfully modcall[authenticate]: module "ldap" returns ok for request 1 modcall: group Auth-Type returns ok for request 1 Sending Access-Accept of id 129 to 127.0.0.1:63703 -Daniel On 9/8/05, Daniel Corbe <daniel.junkmail@gmail.com> wrote:
Alan,
It achieved the desired effect. Quite simply, authentication against LDAP now works when DIGEST is present and when it is not.
I've built my radiusd.conf file based off the examples provided with the default installation.
I do not want a broken radius server on my hands as that will create more problems in the long run. I'm still unsure as to what the correct approach is. In the interests of finding the correct approach, I will undo what I have done and paste the results of the debug output.
To Recap, here are exerpts from my radius config:
modules { ldap { ldap_debug = 0x0028 server = "127.0.0.1" identity = "cn=Manager,dc=corbe,dc=net" password = "abcBABY123" basedn = "ou=People,dc=corbe,dc=net" filter = "(&(objectclass=posixAccount)(uid=dcorbe))" base_filter = ""
# set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # The StartTLS operation is supposed to be used with normal # ldap connections instead of using ldaps (port 689) connections start_tls = no
# tls_cacertfile = /path/to/cacert.pem # tls_cacertdir = /path/to/ca/dir/ # tls_certfile = /path/to/radius.crt # tls_keyfile = /path/to/radius.key # tls_randfile = /path/to/rnd # tls_require_cert = "demand"
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" #access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = /usr/local/etc/raddb/ldap.attrmap
ldap_connections_number = 5
# # NOTICE: The password_header directive is NOT case insensitive # # password_header = "{clear}" # # Set: # password_attribute = nspmPassword # # to get the user's password from a Novell eDirectory # backend. This will work *only if* freeRADIUS is # configured to build with --with-edir option. # # # The server can usually figure this out on its own, and pull # the correct User-Password or NT-Password from the database. # profile_attribute = "radiusProfileDn" #access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = /usr/local/etc/raddb/ldap.attrmap
ldap_connections_number = 5 # # Note that NT-Passwords MUST be stored as a 32-digit hex # string, and MUST start off with "0x", such as: # # 0x000102030405060708090a0b0c0d0e0f # # Without the leading "0x", NT-Passwords will not work. # This goes for NT-Passwords stored in SQL, too. # password_attribute = userPassword # # Un-comment the following to disable Novell eDirectory account # policy check and intruder detection. This will work *only if* # FreeRADIUS is configured to build with --with-edir option. # # edir_account_policy_check=no # # groupname_attribute = cn # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" # groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 # compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes }
# # The 'digest' module currently has no configuration. # # "Digest" authentication against a Cisco SIP server. # See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details # on performing digest authentication for Cisco SIP servers. # digest { } }
authorize { # # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authenticate' section. digest
# # The ldap module will set Auth-Type to LDAP if it has not # already been set ldap }
authenticate { # # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authorize' section. digest Auth-Type LDAP { ldap } }
And here is the end result:
nrclient-67:~ root# radiusd -X su: radiusd: command not found nrclient-67:~ root# radiusd -X su: radiusd: command not found nrclient-67:~ root# /usr/local/sbin/radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded DIGEST Module: Instantiated digest (digest) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded LDAP ldap: server = "127.0.0.1" ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "cn=Manager,dc=corbe,dc=net" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "(null)" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "cgpe845Z" ldap: basedn = "ou=People,dc=corbe,dc=net" ldap: filter = "(&(objectclass=posixAccount)(uid=dcorbe))" ldap: base_filter = "" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "userPassword" ldap: access_attr = "(null)" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap" ldap: ldap_debug = 40 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /usr/local/etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP userPassword mapped to RADIUS User-Password rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP userPassword mapped to RADIUS User-Password conns: 0x3b9970 Module: Instantiated ldap (ldap) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/usr/local/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Listening on proxy *:1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:63617, id=254, length=194 User-Name = "dcorbe@corbe.net" Digest-Attributes = 0x0a0864636f726265 Digest-Attributes = 0x010b636f7262652e6e6574 Digest-Attributes = 0x022a34333230383536323131353633633935656562343637396364326437646635393536323532323431 Digest-Attributes = 0x040f7369703a636f7262652e6e6574 Digest-Attributes = 0x030a5245474953544552 Digest-Response = "8c76e68b3b48b7c0d15933657df7b0d8" Service-Type = Sip-Session Sip-Uri-User = "dcorbe" NAS-IP-Address = 127.0.0.1 NAS-Port = 5060 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_digest: Converting Digest-Attributes to something sane... Digest-User-Name = "dcorbe" Digest-Realm = "corbe.net" Digest-Nonce = "4320856211563c95eeb4679cd2d7df5956252241" Digest-URI = "sip:corbe.net" Digest-Method = "REGISTER" rlm_digest: Adding Auth-Type = DIGEST modcall[authorize]: module "digest" returns ok for request 0 rlm_realm: Looking up realm "corbe.net" for User-Name = "dcorbe@corbe.net" rlm_realm: No such realm "corbe.net" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 156 users: Matched entry DEFAULT at line 221 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for dcorbe@corbe.net radius_xlat: '(&(objectclass=posixAccount)(uid=dcorbe))' radius_xlat: 'ou=People,dc=corbe,dc=net' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0 rlm_ldap: bind as cn=Manager,dc=corbe,dc=net/cgpe845Z to 127.0.0.1:389 rlm_ldap: waiting for bind result ... request 1 done rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,dc=corbe,dc=net, with filter (&(objectclass=posixAccount)(uid=dcorbe)) request 2 done rlm_ldap: Added password cgpe845Z in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as User-Password, value cgpe845Z & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: Adding userPassword as User-Password, value cgpe845Z & op=11 rlm_ldap: user dcorbe@corbe.net authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 0 rlm_ldap: - authenticate rlm_ldap: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "ldap" returns invalid for request 0 modcall: group Auth-Type returns invalid for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... rad_recv: Access-Request packet from host 127.0.0.1:63619, id=255, length=194 User-Name = "dcorbe@corbe.net" Digest-Attributes = 0x0a0864636f726265 Digest-Attributes = 0x010b636f7262652e6e6574 Digest-Attributes = 0x022a34333230383536323131353633633935656562343637396364326437646635393536323532323431 Digest-Attributes = 0x040f7369703a636f7262652e6e6574 Digest-Attributes = 0x030a5245474953544552 Digest-Response = "8c76e68b3b48b7c0d15933657df7b0d8" Service-Type = Sip-Session Sip-Uri-User = "dcorbe" NAS-IP-Address = 127.0.0.1 NAS-Port = 5060 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_digest: Converting Digest-Attributes to something sane... Digest-User-Name = "dcorbe" Digest-Realm = "corbe.net" Digest-Nonce = "4320856211563c95eeb4679cd2d7df5956252241" Digest-URI = "sip:corbe.net" Digest-Method = "REGISTER" rlm_digest: Adding Auth-Type = DIGEST modcall[authorize]: module "digest" returns ok for request 1 rlm_realm: Looking up realm "corbe.net" for User-Name = "dcorbe@corbe.net" rlm_realm: No such realm "corbe.net" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 1 users: Matched entry DEFAULT at line 156 users: Matched entry DEFAULT at line 221 modcall[authorize]: module "files" returns ok for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for dcorbe@corbe.net radius_xlat: '(&(objectclass=posixAccount)(uid=dcorbe))' radius_xlat: 'ou=People,dc=corbe,dc=net' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=corbe,dc=net, with filter (&(objectclass=posixAccount)(uid=dcorbe)) request 3 done rlm_ldap: Added password cgpe845Z in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as User-Password, value cgpe845Z & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: Adding userPassword as User-Password, value cgpe845Z & op=11 rlm_ldap: user dcorbe@corbe.net authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 1 modcall: group authorize returns ok for request 1 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 1 rlm_ldap: - authenticate rlm_ldap: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "ldap" returns invalid for request 1 modcall: group Auth-Type returns invalid for request 1 auth: Failed to validate the user. Delaying request 1 for 1 seconds Finished request 1 Going to the next request --- Walking the entire request list --- Sending Access-Reject of id 254 to 127.0.0.1:63617 Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 255 to 127.0.0.1:63619 Waking up in 2 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 254 with timestamp 43208436 Waking up in 2 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 255 with timestamp 43208438 Nothing to do. Sleeping until we see a request.
Thank You.
-Daniel
On 9/8/05, Alan DeKok <aland@ox.org> wrote:
Daniel Corbe <daniel.junkmail@gmail.com> wrote:
Yes.. what I did below worked.
It worked for reasons other than what you believe. The configuration you posted is, quite simply, wrong.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html