UNCLASSIFIED
From:
freeradius-users-bounces+frank.ranner=defence.gov.au@lists.freeradius.org
[mailto:freeradius-users-bounces+frank.ranner=defence.gov.au@lists.freeradius.org]
On Behalf Of Renato Gregio de Souza Filho
Sent: Saturday, 19
January 2008 03:53
To:
freeradius-users@lists.freeradius.org
Subject: freeradius authenticate
over ldap database
I'm trying to install and configure my freeradius at rhel 5 to authenticate
in ldapdatabase. i read the rml_ldap and configure then according i understand.
I start my server with no problem, but i'm not sure if its working good or bad.
I create a test user at ldap database with username and passowrd are "teste" and
try to test it from radtest, but it won't work. The password at ldap database
are crypt.
[root@poseidon raddb]# radtest teste teste localhost:1812
testing123
Usage: radtest user passwd radius-server[:port] nas-port-number
secret [ppphint] [nasname]
[root@poseidon raddb]#
When i start my
radiusd, they start without problens. What i need to do to put it working fine
over ldap database?
[root@poseidon raddb]# radiusd -X
Starting
- reading configuration files ...
reread_config: reading
radiusd.conf
Config: including file:
/etc/raddb/proxy.conf
Config: including file:
/etc/raddb/clients.conf
Config: including file:
/etc/raddb/snmp.conf
Config: including file:
/etc/raddb/eap.conf
main: prefix = "/usr"
main: localstatedir
= "/var"
main: logdir = "/var/log/radius"
main: libdir =
"/usr/lib64"
main: radacctdir =
"/var/log/radius/radacct"
main: hostname_lookups = no
main:
snmp = no
main: max_request_time = 30
main: cleanup_delay =
5
main: max_requests = 1024
main: delete_blocked_requests =
0
main: port = 0
main: allow_core_dumps = no
main:
log_stripped_names = no
main: log_file =
"/var/log/radius/radius.log"
main: log_auth = no
main:
log_auth_badpass = no
main: log_auth_goodpass = no
main:
pidfile = "/var/run/radiusd/radiusd.pid"
main: user =
"radiusd"
main: group = "radiusd"
main: usercollide =
no
main: lower_user = "no"
main: lower_pass =
"no"
main: nospace_user = "no"
main: nospace_pass =
"no"
main: checkrad = "/usr/sbin/checkrad"
main:
proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count
= 3
proxy: synchronous = no
proxy: default_fallback =
yes
proxy: dead_time = 120
proxy: post_proxy_authorize =
no
proxy: wake_all_if_all_dead = no
security: max_attributes =
200
security: reject_delay = 1
security: status_server =
no
main: debug_level = 0
read_config_files: reading
dictionary
read_config_files: reading naslist
Using deprecated
naslist file. Support for this will go away
soon.
read_config_files: reading clients
read_config_files:
reading realms
radiusd: entering modules setup
Module: Library
search path is /usr/lib64
Module: Loaded exec
exec: wait =
yes
exec: program = "(null)"
exec: input_pairs =
"request"
exec: output_pairs = "(null)"
exec: packet_type =
"(null)"
rlm_exec: Wait=yes but no output defined. Did you mean
output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap:
encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded
CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption =
no
mschap: require_strong = no
mschap: with_ntdomain_hack =
no
mschap: passwd = "(null)"
mschap: ntlm_auth =
"(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix:
shadow = "/etc/shadow"
unix: group = "(null)"
unix: radwtmp =
"/var/log/radius/radwtmp"
unix: usegroup = no
unix:
cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire =
60
eap: ignore_unknown_eap_types = no
eap:
cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type
md5
rlm_eap: Loaded and initialized type leap
gtc: challenge =
"Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized
type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and
initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded
preprocess
preprocess: huntgroups =
"/etc/raddb/huntgroups"
preprocess: hints =
"/etc/raddb/hints"
preprocess: with_ascend_hack =
no
preprocess: ascend_channels_per_line = 23
preprocess:
with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack =
no
preprocess: with_cisco_vsa_hack = no
preprocess:
with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm:
delimiter = "@"
realm: ignore_default = no
realm: ignore_null
= no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile =
"/etc/raddb/acct_users"
files: preproxy_usersfile =
"/etc/raddb/preproxy_users"
files: compat = "no"
Module:
Instantiated files (files)
Module: Loaded LDAP
ldap: server =
"localhost"
ldap: port = 389
ldap: net_timeout =
1
ldap: timeout = 4
ldap: timelimit = 3
ldap:
identity = "cn=admin,dc=radius,dc=com,dc=br"
ldap: tls_mode =
no
ldap: start_tls = no
ldap: tls_cacertfile =
"(null)"
ldap: tls_cacertdir = "(null)"
ldap: tls_certfile =
"(null)"
ldap: tls_keyfile = "(null)"
ldap: tls_randfile =
"(null)"
ldap: tls_require_cert = "allow"
ldap: password =
"pcistl00"
ldap: basedn = "dc=radius,dc=com,dc=br"
ldap:
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
ldap: base_filter
= "(objectclass=radiusprofile)"
ldap: default_profile =
"(null)"
ldap: profile_attribute = "(null)"
ldap:
password_header = "(null)"
ldap: password_attribute =
"(null)"
ldap: access_attr = "dialupAccess"
ldap:
groupname_attribute = "cn"
ldap: groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
ldap:
groupmembership_attribute = "(null)"
ldap: dictionary_mapping =
"/etc/raddb/ldap.attrmap"
ldap: ldap_debug = 0
ldap:
ldap_connections_number = 5
ldap: compare_check_items =
no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat =
yes
ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp
for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name
ldap
rlm_ldap: Over-riding set_auth_type, as we're not listed in the
"authenticate" section.
rlm_ldap: reading ldap<->radius mappings from
file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS
$GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS
$GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS
Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS
Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS
Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS
Calling-Station-Id
rlm_ldap: LDAP sambaLMPassword mapped to RADIUS
LM-Password
rlm_ldap: LDAP sambaNTPassword mapped to RADIUS
NT-Password
rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS
SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS
Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS
NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS
Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS
Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS
Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS
Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS
Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS
Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS
Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS
Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS
Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS
Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS
Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS
Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS
Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS
Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS
Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS
Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS
Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS
Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS
Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS
Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS
Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS
Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to
RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone
mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped
to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS
Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS
Reply-Message
conns: 0x555574851690
Module: Instantiated ldap (ldap)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key =
"User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded
detail
detail: detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail:
detailperm = 384
detail: dirperm = 493
detail: locking =
no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/radius/radutmp"
radutmp:
username = "%{User-Name}"
radutmp: case_sensitive =
yes
radutmp: check_with_nas = yes
radutmp: perm =
384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting
*:1813
Ready to process requests.
att
Renato
Gregio
Perhaps you
could have shown the log messages resulting from the radclient request. Also,
the ldif record of your test user.
In any case,
my guess would be that the user in ldap doesnt have a radiusprofile objectclass
(ldap: base_filter =
"(objectclass=radiusprofile)"
) that you have
specified.
regards,
Frank
Ranner