Hi Alan, Thank you for the link to Network Radius. I was unaware that there was an issue with redhat and the standard freeradius packages. I have upgraded to 3.0.21 after adding the repositories in your link. This has fixed the chase_referrals issue, but I am still not binding as the user to LDAP. When performing a wireshark capture, the bind user shows as "<ROOT> simple". Do I need to set the ldap attributes to provide the user and password to the far end? Here is the latest output after upgrade and repository addtiion: (3) Received Access-Request Id 1 from 1.1.1.201:65445 to 1.1.1.190:1812 length 58 (3) NAS-IP-Address = 0.0.0.0 (3) User-Name = "testuser" (3) User-Password = "testpasswd123\000]\n" (3) NAS-Port = 0 (3) # Executing section authorize from file /etc/raddb/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) policy filter_password { (3) if (&User-Password && (&User-Password != "%{string:User-Password}")) { (3) EXPAND %{string:User-Password} (3) --> testpasswd123 (3) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> TRUE (3) if (&User-Password && (&User-Password != "%{string:User-Password}")) { (3) update request { (3) EXPAND %{string:User-Password} (3) --> testpasswd123 (3) &Tmp-String-0 := testpasswd123 (3) EXPAND %{string:Tmp-String-0} (3) --> testpasswd123 (3) &User-Password := testpasswd123 (3) } # update request = noop (3) } # if (&User-Password && (&User-Password != "%{string:User-Password}")) = noop (3) } # policy filter_password = noop (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "testuser", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: No EAP-Message, not doing EAP (3) [eap] = noop (3) [files] = noop (3) sql: EXPAND %{User-Name} (3) sql: --> testuser (3) sql: SQL-User-Name set to 'testuser' rlm_sql (sql): Closing connection (11): Hit idle_timeout, was idle for 96 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (12): Hit idle_timeout, was idle for 96 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (10): Hit idle_timeout, was idle for 95 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (13): Hit idle_timeout, was idle for 95 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare" rlm_sql (sql): Opening additional connection (14), 1 of 32 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.65-MariaDB, protocol version 10 rlm_sql (sql): Reserved connection (14) (3) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (3) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser' ORDER BY id (3) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser' ORDER BY id (3) sql: User found in radcheck table (3) sql: Conditional check items matched, merging assignment check items (3) sql: Auth-Type := PAP (3) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (3) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testuser' ORDER BY id (3) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testuser' ORDER BY id rlm_sql (sql): 1 of 1 connections in use. You may need to increase "spare" rlm_sql (sql): Opening additional connection (15), 1 of 31 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.65-MariaDB, protocol version 10 rlm_sql (sql): Reserved connection (15) rlm_sql (sql): Released connection (15) Need 1 more connections to reach min connections (3) rlm_sql (sql): Opening additional connection (16), 1 of 30 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.65-MariaDB, protocol version 10 (3) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (3) sql: --> SELECT groupname FROM radusergroup WHERE username = 'testuser' ORDER BY priority (3) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'testuser' ORDER BY priority (3) sql: User found in the group table (3) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id (3) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'sonus-admin' ORDER BY id (3) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'sonus-admin' ORDER BY id (3) sql: Group "sonus-admin": Conditional check items matched (3) sql: Group "sonus-admin": Merging assignment check items (3) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id (3) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'sonus-admin' ORDER BY id (3) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'sonus-admin' ORDER BY id (3) sql: Group "sonus-admin": Merging reply items (3) sql: GroupName := "Administrator" rlm_sql (sql): Released connection (14) (3) [sql] = ok rlm_ldap (ldap): Closing connection (8): Hit idle_timeout, was idle for 95 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (9): Hit idle_timeout, was idle for 95 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap): Opening additional connection (10), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (10) (3) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}}) (3) ldap: --> (samaccountname=testuser) (3) ldap: Performing search in "OU=Employees,OU=Domain Users,DC=example,DC=com" with filter "(samaccountname=testuser)", scope "sub" (3) ldap: Waiting for search result... (3) ldap: ERROR: Failed performing search: Operations error with LDAP database. Please see the LDAP server configuration / documentation for more information. (3) ldap: ERROR: Server said: 000004DC: LdapErr: DSID-0C0907E1, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580. rlm_ldap (ldap): Released connection (10) Need 2 more connections to reach min connections (3) rlm_ldap (ldap): Opening additional connection (11), 1 of 31 pending slots used rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (3) [ldap] = fail (3) } # authorize = fail (3) Invalid user (ldap: Failed performing search: Operations error with LDAP database. Please see the LDAP server configuration / documentation for more information.): [testuser] (from client 1.1.1.201 port 0) (3) Using Post-Auth-Type Reject (3) # Executing group from file /etc/raddb/sites-enabled/default (3) Post-Auth-Type REJECT { (3) sql: EXPAND .query (3) sql: --> .query (3) sql: Using query template 'query' rlm_sql (sql): Reserved connection (14) (3) sql: EXPAND %{User-Name} (3) sql: --> testuser (3) sql: SQL-User-Name set to 'testuser' (3) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S.%M') (3) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testuser', 'testpasswd123', 'Access-Reject', '2020-06-01 08:48:57.890570') (3) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testuser', 'testpasswd123', 'Access-Reject', '2020-06-01 08:48:57.890570') (3) sql: SQL query returned: success (3) sql: 1 record(s) updated rlm_sql (sql): Released connection (14) Need 7 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (17), 1 of 29 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.65-MariaDB, protocol version 10 (3) [sql] = ok (3) attr_filter.access_reject: EXPAND %{User-Name} (3) attr_filter.access_reject: --> testuser (3) attr_filter.access_reject: Matched entry DEFAULT at line 11 (3) [attr_filter.access_reject] = updated (3) [eap] = noop (3) policy remove_reply_message_if_eap { (3) if (&reply:EAP-Message && &reply:Reply-Message) { (3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (3) else { (3) [noop] = noop (3) } # else = noop (3) } # policy remove_reply_message_if_eap = noop (3) } # Post-Auth-Type REJECT = updated (3) Delaying response for 1.000000 seconds Waking up in 0.9 seconds. (3) (3) Discarding duplicate request from client 1.1.1.201 port 65445 - ID: 1 due to delayed response Waking up in 0.3 seconds. (3) Sending delayed response (3) Sent Access-Reject Id 1 from 1.1.1.190:1812 to 1.1.1.201:65445 length 20 Waking up in 3.9 seconds. (3) Cleaning up request packet ID 1 with timestamp +1251 Ready to process requests On Fri, May 29, 2020 at 3:19 PM Alan DeKok <aland@deployingradius.com> wrote:
On May 29, 2020, at 3:06 PM, Jason Leiby <leibyj@gmail.com> wrote:
I placed the auth-type update control snippet in the authenticate section
No... you have to update Auth-Type *before* the authenticate section, in the authorize section.
When you set Auth-Type, you're telling the server which "authenticate" sub-section to use. So putting an "update control" in the authenticate section does nothing.
and I still get the same error message of:
(1) ldap: ERROR: Failed performing search: Please set 'chase_referrals=yes' and 'rebind=yes'. See the ldap module configuration for details. (1) ldap: ERROR: Server said: 000004DC: LdapErr: DSID-0C0907E1, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580.
What is also strange is that the first error about chase_referrals and rebind should be gone as I have those flags uncommented in the ldap module
Those settings are still commented out. If "chase_referrals" was set, the error would be:
Operations error with LDAP database. Please see the LDAP server configuration / documentation for more information.
Here is the full output from radiusd -X
If you read the *rest* of the debug output, you will see it printing out the configuration for the LDAP module. And "chase_referrals" won't be set.
... rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389 TLSMC: MozNSS compatibility interception begins. tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present. tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
Arg. You're using RedHat, which (in there infinite wisdom) decided to switch libldap to something which isn't compatible with OpenSSL.
FreeRADIUS uses OpenSSL. I suspect this incompatibility will cause issues. For more details, see http://packages.networkradius.com
We provide *working* packages, and documentation on how to fix issues created by OS vendors.
TLSMC: MozNSS compatibility interception ends. rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (6) (1) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}}) (1) ldap: --> (samaccountname=testuser) (1) ldap: Performing search in "OU=Employees,OU=Domain Users,DC=example,DC=com" with filter "(samaccountname=testuser)", scope "sub" (1) ldap: Waiting for search result... (1) ldap: ERROR: Failed performing search: Please set 'chase_referrals=yes' and 'rebind=yes'. See the ldap module configuration for details.
You don't have "chase_referrals = yes".
Fix that first, Then try switching to a different FreeRADIUS package.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html