Hello, It is my understanding that Freeradius uses Ldap search in order to authenticate users and that the Ldap bind is used to point to the location where the search will be done at the Ldap server. I am using FR 1.1.0 but I think it is similar configuration in your FR version. #users file DEFAULT Auth-Type := LDAP Fall-Through = 1
rlm_ldap: object not found or got ambiguous search result Check your basedn in raddiusd.conf
For debugging I recommend you to use Ethereal. It is very useful. Natalia. On 21 Mar 2006 14:29:22 +0900, MAEDA <maeda-freeradius@atusi.org> wrote:
Hello,
I'm running Freeradius 1.0.4 with OpenLDAP 2.2.29 on my Fedora Core 4 box and try to configure radiusd so that ldap_search is not performed on authentication (i.e. just use ldap_bind for authentication). But so far, I've got no success. Radiusd seems to perform search anyway.
I've read the document doc/rlm_ldap and followed the instruction, but I couldn't get it working (I must be missing something).
I configured radiusd as follows:
In users:
DEFAULT Ldap-UserDn := `uid=%{User-Name},ou=people,dc=atusi,dc=org`, Auth-Type = LDAP
In radiusd.conf: modules {
ldap { server = "localhost" ldap_debug = 0xFFFF # identity = "cn=admin,o=My Org,c=UA" # password = mypass basedn = "ou=people,dc=atusi,dc=org" # filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" # base_filter = "(objectclass=radiusprofile)"
start_tls = no
access_attr = "dialupAccess"
ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 } ... }
authorize { preprocess chap mschap suffix eap files }
authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } Auth-Type LDAP { ldap } eap }
# All other parts are left as default.
When I test my setup with: (echo 'User-Name=mytestuser'; echo 'User-Password = mypassword') | radclient -c 1 127.0.0.1 auth testing123 radiusd (run with -X option) says:
rad_recv: Access-Request packet from host 127.0.0.1:32791, id=183, length=43 User-Name = "mytestuser" User-Password = "mypassword" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "mytestuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 214 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 0 rlm_ldap: - authenticate rlm_ldap: login attempt by "mytestuser" with password "mypassword" radius_xlat: '(uid=mytestuser)' radius_xlat: 'ou=people,dc=atusi,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as / to localhost:389 ldap_bind ldap_simple_bind ldap_sasl_bind ldap_send_initial_request ldap_new_connection ldap_int_open_connection ldap_connect_to_host: TCP localhost:389 ldap_new_socket: 6 ldap_prepare_socket: 6 ldap_connect_to_host: Trying 127.0.0.1:389 ldap_connect_timeout: fd: 6 tm: 1 async: 0 ldap_ndelay_on: 6 ldap_is_sock_ready: 6 ldap_ndelay_off: 6 ldap_open_defconn: successful ldap_send_server_request rlm_ldap: waiting for bind result ... ldap_result msgid 1 ldap_chkResponseList for msgid=1, all=1 ldap_chkResponseList returns NULL wait4msg (timeout 4 sec, 0 usec), msgid 1 wait4msg continue, msgid 1, all 1 ** Connections: * host: localhost port: 389 (default) refcnt: 2 status: Connected last used: Tue Mar 21 13:31:12 2006
** Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ** Response Queue: Empty ldap_chkResponseList for msgid=1, all=1 ldap_chkResponseList returns NULL ldap_int_select read1msg: msgid 1, all 1 ldap_read: message type bind msgid 1, original id 1 new result: res_errno: 0, res_error: <>, res_matched: <> read1msg: 0 new referrals read1msg: mark request completed, id = 1 request 1 done res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_free_connection ldap_free_connection: refcnt 1 ldap_parse_result ldap_msgfree rlm_ldap: Bind was successful rlm_ldap: performing search in ou=people,dc=atusi,dc=org, with filter (uid=mytestuser) ldap_search put_filter: "(uid=mytestuser)" put_filter: simple put_simple_filter: "uid=mytestuser" ldap_send_initial_request ldap_send_server_request ldap_result msgid 2 ldap_chkResponseList for msgid=2, all=1 ldap_chkResponseList returns NULL wait4msg (timeout 4 sec, 0 usec), msgid 2 wait4msg continue, msgid 2, all 1 ** Connections: * host: localhost port: 389 (default) refcnt: 2 status: Connected last used: Tue Mar 21 13:31:12 2006
** Outstanding Requests: * msgid 2, origid 2, status InProgress outstanding referrals 0, parent count 0 ** Response Queue: Empty ldap_chkResponseList for msgid=2, all=1 ldap_chkResponseList returns NULL ldap_int_select read1msg: msgid 2, all 1 ldap_read: message type search-result msgid 2, original id 2 new result: res_errno: 0, res_error: <>, res_matched: <> read1msg: 0 new referrals read1msg: mark request completed, id = 2 request 2 done res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 2, msgid 2) ldap_free_connection ldap_free_connection: refcnt 1 ldap_parse_result rlm_ldap: object not found or got ambiguous search result ldap_msgfree rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authenticate]: module "ldap" returns notfound for request 0 modcall: group Auth-Type returns notfound for request 0 auth: Failed to validate the user.
According to the log lines: rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as / to localhost:389 I guessed (by reading rlm_ldap.c) Ldap-UserDn valuepair is not passed to ldap_authenticate() for some reason.
I tried to write `Ldap-UserDn := ...' as reply item of the DEFAULT entry in users file but in that case radiusd says: WARNING! Check item "Ldap-UserDn" ?found in reply item list for user "DEFAULT". ?This attribute MUST go on the first line with the other check items and still got the same result.
I also tried in radiusd.conf: modules { ldap { identity = "%{Ldap-UserDN}" password = `%{User-Password}` ... } } but these attributes are not xlated and passed to LDAP as they are.
Any clues would be greately appreciated. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html