On Wed, Sep 20, 2017 at 3:03 PM, Olivier <Olivier.Nicole@cs.ait.ac.th> wrote:
"Fajar A. Nugraha" <list@fajar.net> writes:
On Wed, Sep 20, 2017 at 12:11 PM, Olivier <Olivier.Nicole@cs.ait.ac.th> wrote:
"Fajar A. Nugraha" <list@fajar.net> writes:
The last part shouldn't be there, since you should've had an entry that adds Ldap-UserDN.
It should print something like this (0) authorize { (0) files: EXPAND uid=%{User-Name},ou=people,dc=company,dc=com (0) files: --> uid=testuser,ou=people,dc=company,dc=com (0) files: users: Matched entry DEFAULT at line 1 ... (0) [files] = ok
Did you edit the correct file? The default (in ubuntu) is /etc/freeradius/users (or /etc/raddb/users in most other distros), which is a symlink to mods-config/files/authorize
I found my mistake. When setting the chroot, I copied all raddb with cp(1) and the symlinks got overwritten by plain files. raddb/users was not a symlink anymore.
Now I get the correct result for authorize/files. I removed any reference to ldap in the authorize section of sites-enable/default.
Now I get the error "ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject"
Here's what works for me, tested on fresh openldap user (with only one user, the 'admin' user) on ubuntu:
- top of /etc/freeradius/users
admin Ldap-UserDN := "cn=%{User-Name},dc=ldap1,dc=s,dc=1elf,dc=net", Auth-Type := LDAP Fall-Through = yes
Adjust to your DN, obviously. If all your users are LDAP users, you should be able to replace 'admin' with 'DEFAULT'
- /etc/freeradius/sites-enabled/default:
comment-out '-ldap' from authorize section. You don't need it if you ONLY use LDAP for authentication with LDAP bind.
uncomment these lines from authenticate section (also read the comments before these lines to understand what they do): Auth-Type LDAP { ldap }
That's what I have (modulo the change of the DN).
Relevant part of my debug log using 'radtest' ... (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { ... (0) files: EXPAND cn=%{User-Name},dc=ldap1,dc=s,dc=1elf,dc=net (0) files: --> cn=admin,dc=ldap1,dc=s,dc=1elf,dc=net (0) files: users: Matched entry admin at line 1 (0) [files] = ok ... (0) } # authorize = ok (0) Found Auth-Type = LDAP (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) Auth-Type LDAP { ... rlm_ldap (ldap): Reserved connection (0) (0) ldap: Login attempt by "admin" (0) ldap: Using user DN from request "cn=admin,dc=ldap1,dc=s,dc=
1elf,dc=net"
(0) ldap: Waiting for bind result... (0) ldap: Bind successful (0) ldap: Bind as user "cn=admin,dc=ldap1,dc=s,dc=1elf,dc=net" was successful ... (0) [ldap] = ok (0) } # Auth-Type LDAP = ok ... (0) Sent Access-Accept Id 122 from 127.0.0.1:1812 to 127.0.0.1:46573 length 0
But I still get:
(0) files: EXPAND uid=%{User-Name},ou=People,ou= csim,dc=cs,dc=ait,dc=ac,dc=th (0) files: --> uid=on,ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
Short version: If you still get 'No Auth-Type found', your users file is different from mine. Doublecheck my example, and compare to yours. Auth-Type (in your case) should be set in users file (or whatever method you choose, can be db, ulang, etc) in authorize section.
Could it be something linked to user-Password vs. Cleartext-Password, as mentioned in raddb/README.rst:
From version 3.0 onwards the server no longer supports authenticating against a cleartext password in the 'User-Password' attribute. Any occurences of this (for instance, in the users file) should now be changed to 'Cleartext-Password' instead.
I see that radtest sends both User-Password and Cleartext-Password:
Sent Access-Request Id 17 from 0.0.0.0:24803 to 192.41.170.3:1812 length 72 User-Name = "on" User-Password = "**** password redacted" NAS-IP-Address = 192.41.170.6 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "**** password redacted"
but in the debug messages from radiusd -X, I only see the User-Password:
Ready to process requests (0) Received Access-Request Id 17 from 192.41.170.3:24803 to 192.41.170.3:1812 length 72 (0) User-Name = "on" (0) User-Password = "**** password redacted" (0) NAS-IP-Address = 192.41.170.6 (0) NAS-Port = 0 (0) Message-Authenticator = 0xb299934119453c5d6105169256071d2a
If you still get 'ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject', anything that comes after that doesn't matter. Fix that first. -- Fajar