On 13.07.22 11:52, Krishna Chaitanya wrote:
Matthew, Not really,Somehow, I missed reading all of the debug report. I am very new to Linux and having a hard time interpreting all of the Debug report. However, After going through the errors:
1. I can say that the username is not being used twice.Even, created another user profile with username "krishnachaitanya" and getting the same error message when running the radtest. 2. In the next test run, modified "base_dn" details as 'O=QI-CAP.COM,CN=Certificate Authority' and the test resulted in the below error.After reviewing the highlighted errors, finding it confused to understand and not really sure the fix for these errors.As far as I know, PAP can read only clear text passwords and in mycase the passwords are not encrypted when running the radtest command as "radtest krishnachaitanya *Freeip@1234 *122.1.5.84 1812 testing123" and not sure why am seeing PAP password errors. 3. and I am not sure why am seeing the messages "(0) ldap: Waiting for search result... (0) ldap: The specified DN wasn't found (0) ldap: Search returned no results" when "rlm_ldap bind is successful". Is there any relation between them?
*Please help!*
[Ready to process requests (0) Received Access-Request Id 252 from 122.1.5.84:55576 to 122.1.5.84:1812 length 86 (0) User-Name = "krishnachaitanya" (0) User-Password = "Freeip@1234" (0) NAS-IP-Address = 122.1.5.84 (0) NAS-Port = 1812 (0) Message-Authenticator = 0x7d7802787a4d84809dbcd42a46873fe6 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "krishnachaitanya", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop rlm_ldap (ldap): Reserved connection (0) (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap: --> (uid=krishnachaitanya) (0) ldap: Performing search in "O=QI-CAP.COM,CN=Certificate Authority" with filter "(uid=krishnachaitanya)", scope "sub" (0) ldap: Waiting for search result... (0) ldap: The specified DN wasn't found (0) ldap: Search returned no results rlm_ldap (ldap): Released connection (0) Need 5 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldap://122.1.5.84:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (0) [ldap] = notfound (0) if ((ok || updated) && User-Password) { (0) if ((ok || updated) && User-Password) -> FALSE (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> krishnachaitanya (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.2 seconds. Waking up in 0.7 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 252 from 122.1.5.84:1812 to 122.1.5.84:55576 length 20 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 252 with timestamp +5 Ready to process requests
*Krishna Chaitanya Ala* *Network and Operations Engineer*
On Fri, 8 Jul 2022 at 16:27, Matthew Newton <mcn@freeradius.org> wrote:
On 08/07/2022 11:45, Krishna Chaitanya wrote:
# search result search: 2 result: 0 Success
# numResponses: 3 # numEntries: 2
*(0) ldap: ERROR: Ambiguous search result, returned 2 unsorted entries (should return 1 or 0). Enable sorting, or specify a more restrictive base_dn, filter or scope(0) ldap: ERROR: The following entries were returned:(0) ldap: ERROR: uid=admin,cn=users,cn=compat,dc=qi-cap,dc=com(0) ldap: ERROR: uid=admin,cn=users,cn=accounts,dc=qi-cap,dc=com* rlm_ldap (ldap): Released connection (0) Need 5 more connections to reach 10 spares
Did you read the debug output?
You have two users with the same uid. FreeRADIUS won't have any idea which one you want.
So you need to either not use the same username twice, or configure FreeRADIUS with a more restrictive base DN so that it only finds one of them.
-- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
(0) ldap: Performing search in "O=QI-CAP.COM,CN=Certificate Authority" with filter "(uid=krishnachaitanya)", scope "sub" (0) ldap: Waiting for search result... (0) ldap: The specified DN wasn't found (0) ldap: Search returned no results The user is not found in the LDAP. Do you use uid? oder cn? Wrong part of the tree? Whif is the LDIF of your user? Can you do a manual ldapsearch for the user? Mit freundlichen Grüßen, -- [*] sys4 AG https://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG,80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief Aufsichtsratsvorsitzender: Florian Kirstein