On 4/24/06, sumi thra <sumi.techno@gmail.com> wrote:
Hi Alan,

Thanks for your earliest reply.

Please find the attached configuration file for details & Let me know what is mis-configured.


Config file :

prefix = /usr
exec_prefix = /usr
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/radius
raddbdir = /var/etc/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib/radius
pidfile = ${run_dir}/radiusd.pid
max_request_time = 90
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
#user = admin
#group = users
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad

security {
    max_attributes = 200
    reject_delay = 1
    status_server = no
}

proxy_requests = yes
snmp = yes

$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
$INCLUDE  ${confdir}/snmp.conf

thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}

modules {
    pap {
        encryption_scheme = clear
    }

    chap {
        authtype = CHAP
    }

    pam {
        pam_auth = radiusd
    }

    unix {
        cache = no
        cache_reload = 600
        radwtmp = /var/log/radius/radwtmp
    }

    mschap {
        authtype = MS-CHAP
        #use_mppe = no
        #require_encryption = yes
        #require_strong = yes
        #with_ntdomain_hack = no
    }

    ldap ldap_primary {
        server = 1.1.1.1
        port = 389
        identity = "cn=Manager,o=My Org,c=INDIA"
        password = secret
        basedn = o=My Org,c=INDIA
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        access_attr = "dialupacces"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        #password_header = "{SHA}"
        password_attribute = userPassword
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
        access_attr_used_for_allow = no
    }

    ldap ldap_secondary {
        server = ldap.your.domain
        port = 389
        identity = cn=admin,o=My Org,c=UA
        password = mypass
        basedn = o=My Org
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        start_tls = no
        access_attr = "dialupacces"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        #password_header = "{SHA}"
        password_attribute = userPassword
        groupname_attribute = cn
        groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
        groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
        access_attr_used_for_allow = no
    }

    passwd etc_passwd {
        filename = /var/etc/passwd
        format = "*User-Name::User-Password"
        delimiter = :
    }

    passwd etc_group {
        filename = /var/etc/group
        format = "~Group-Name::*,User-Name"
        delimiter = :
    }

    realm suffix_oblic {
        format = suffix
        delimiter = /
        ignore_default = no
        ignore_null = no
    }

    realm prefix_oblic {
        format = prefix
        delimiter = /
        ignore_default = no
        ignore_null = no
    }

    realm suffix_at {
        format = suffix
        delimiter = @
        ignore_default = no
        ignore_null = no
    }

    realm prefix_at {
        format = prefix
        delimiter = @
        ignore_default = no
        ignore_null = no
    }

    realm suffix_percent {
        format = suffix
        delimiter = %
        ignore_default = no
        ignore_null = no
    }

    realm prefix_percent {
        format = prefix
        delimiter = %
        ignore_default = no
        ignore_null = no
    }

    checkval {
        item-name = Calling-Station-Id
        check-name = Calling-Station-Id
        data-type = string
        #notfound-reject = no
    }

    preprocess {
        huntgroups = ${confdir}/huntgroups
        hu_int32_ts = ${confdir}/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }

    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }

    detail  {
        detailfile = ${radacctdir}/%{Client-IP-Address}/acct-%Y%m%d
        detailperm = 0666
    }

    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
    }

    radutmp  {
        filename = /var/log/radius/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = yes
        perm = 0600
        callerid = yes
    }

    radutmp {
        filename = /var/log/radius/sradutmp
        perm = 0644
        callerid = no
    }

    attr_filter {
        attrsfile = ${confdir}/attrs
    }

    counter daily {
        filename = ${raddbdir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
    }

    always fail {
        rcode = fail
    }

    always reject {
        rcode = reject
    }

    always ok {
        rcode = ok
        simulcount = 0
        mpp = no
    }

    expr {
    }

    digest {
    }

    exec  {
        wait = yes
        input_pairs = request
    }

    exec echo {
        wait = yes
        program = "/bin/echo %{User-Name}"
        input_pairs = request
        output_pairs = reply
    }

    ippool main_pool {
        range-start = 192.168.1.1
        range-stop = 192.168.3.254
        netmask = 255.255.255.0
        cache-size = 800
        session-db = ${raddbdir}/db.ippool
        ip-index = ${raddbdir}/db.ipindex
        override = no
        maximum-timeout = 0
    }

    $INCLUDE  ${confdir}/eap.conf
}

instantiate {
    #exec
    #expr
}

authorize {
    preprocess
    #etc_passwd
    #etc_group
    chap
    mschap
    suffix_oblic
    prefix_oblic
    suffix_at
    prefix_at
    suffix_percent
    prefix_percent
    files
    redundant{
            ldap_primary
            ldap_secondary
        }
    eap
}

authenticate {
    Auth-Type PAP {
        pap
    }

    Auth-Type CHAP {
        chap
    }

    Auth-Type MS-CHAP {
        mschap
    }

    Auth-Type LDAP {
        redundant {
            ldap_primary
            ldap_secondary
        }
    }

    #unix
    eap
}

preacct {
    preprocess
    acct_unique
    suffix_oblic
    files
}

accounting {
    detail
    #unix
    #radutmp
}

session {
    #radutmp
}

post-auth {
}

pre-proxy {
}

post_proxy {
    eap
}
 

Thanks
Sumithra.

On 4/24/06, Alan DeKok <aland@nitros9.org> wrote:
"sumi thra" <sumi.techno@gmail.com> wrote:
> My configuration in the radiusd.conf is...
>
> ldap {
>         redundant {

  Huh?  The "redundant" section doesn't go into "ldap", it goes into
"authorize".

    Yes. The redundant ldap config goes into authorize module.  Please look into the config file attached for detailed configuration.


  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html