Hi,
I am testing the freeradius server,
and try to clarify rules applied in freeradius. In the following trials, I
could not figure out how to make Autz-Type Ldap1 in authorize section to
correctly set Auth-Type used in authentication without the help from “Auth-Type
:= Ldap1”.
With the following entry in users file,
**************
DEFAULT Called-Station-Id =~
".*Guest@myu", Autz-Type := Ldap1, Auth-Type := Ldap1
**************
the user authentication worked fine.
Below is the debug output.
**************
rad_recv: Access-Request
packet from host 192.168.1.113 port 20000, id=19, length=98
User-Name = "tester"
Called-Station-Id = "00-1B-BA-A5-45-40:Guest@myu"
NAS-Port = 189
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "nortel"
NAS-IP-Address = 192.168.1.113
User-Password = "testing"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "tester", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No
EAP-Message, not doing EAP
++[eap] returns noop
expand: %{Called-Station-Id} -> 00-1B-BA-A5-45-40:Guest@myu
expand: %{Called-Station-Id} -> 00-1B-BA-A5-45-40:Guest@myu
users:
Matched entry DEFAULT at line 70
++[files] returns ok
rlm_pap: WARNING! No
"known good" password found for the user. Authentication may
fail because of this.
++[pap] returns noop
Found Autz-Type Ldap1
+- entering group Ldap1
++- entering redundant-load-balance
group redundant-load-balance
rlm_ldap: - authorize
rlm_ldap: performing user
authorization for tester
WARNING: Deprecated
conditional expansion ":-". See "man unlang" for
details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=tester)
expand: ou=people,dc=myu,dc=ca -> ou=people,dc=myu,dc=ca
rlm_ldap: ldap_get_conn:
Checking Id: 0
rlm_ldap: ldap_get_conn: Got
Id: 0
rlm_ldap: attempting LDAP
reconnection
rlm_ldap: (re)connect to
ldap.myu.ca:389, authentication 0
rlm_ldap: setting TLS CACert
File to /usr/local/etc/raddb/certs/unbCA.crt
rlm_ldap: setting TLS
Require Cert to never
rlm_ldap: bind as
uid=radius,dc=myu,dc=ca/PWD12345678 to ldap.myu.ca:389
rlm_ldap: waiting for bind
result ...
rlm_ldap: Bind was
successful
rlm_ldap: performing search
in ou=people,dc=myu,dc=ca, with filter (uid=tester)
rlm_ldap: Added
User-Password = {SSHA}jSTYFonbXmIE6pReKdYUvq0RhxuhLUAT6FYcG== in check items
rlm_ldap: looking for check
items in directory...
rlm_ldap: looking for reply
items in directory...
rlm_ldap: user tester
authorized to use remote access
rlm_ldap: ldap_release_conn:
Release Id: 0
+++[myldap2] returns ok
++- redundant-load-balance
group redundant-load-balance returns ok
rad_check_password:
Found Auth-Type Ldap1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!
Replacing User-Password in config items with
Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your
configuration so that the "known
good"
!!!
!!! clear text password is
in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type "Ldap1"
+- entering group Ldap1
++- entering
redundant-load-balance group redundant-load-balance
rlm_ldap: - authenticate
rlm_ldap: login attempt by
"tester" with password "testing"
rlm_ldap: user DN:
uid=tester,ou=people,dc=myu,dc=ca
rlm_ldap: (re)connect to
ldap.myu.ca:389, authentication 1
rlm_ldap: setting TLS CACert
File to /usr/local/etc/raddb/certs/myuCA.crt
rlm_ldap: setting TLS
Require Cert to never
rlm_ldap: bind as
uid=tester,ou=people,dc=myu,dc=ca/testing to ldap.myu.ca:389
rlm_ldap: waiting for bind
result ...
rlm_ldap: Bind was
successful
rlm_ldap: user tester
authenticated succesfully
+++[myldap2] returns ok
++- redundant-load-balance
group redundant-load-balance returns ok
Login OK: [tester] (from
client unbsj113 port 189)
Sending Access-Accept of id
19 to 192.168.1.113 port 20000
Finished request 0.
Going to the next request
Waking up in 0.8 seconds.
Waking up in 4.1 seconds.
Cleaning up request 0 ID 19
with timestamp +99
Ready to process requests.
**************
However when I removed Auth-Type
:= Ldap1 in the entry,
**************
DEFAULT Called-Station-Id =~
".*Guest@myu", Autz-Type := Ldap1
**************
the user authentication
failed. The Auth Type is set to Local instead of Ldap.
Below is the debug output.
**************
rad_recv: Access-Request
packet from host 192.168.1.113 port 20000, id=20, length=98
User-Name = "tester"
Called-Station-Id = "00-1B-BA-A5-45-40:Guest@myu"
NAS-Port = 192
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "nortel"
NAS-IP-Address = 192.168.1.113
User-Password = "testing"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "tester", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No
EAP-Message, not doing EAP
++[eap] returns noop
expand: %{Called-Station-Id} -> 00-1B-BA-A5-45-40:Guest@myu
expand: %{Called-Station-Id} -> 00-1B-BA-A5-45-40:Guest@myu
users:
Matched entry DEFAULT at line 71
++[files] returns ok
rlm_pap: WARNING! No
"known good" password found for the user. Authentication may
fail because of this.
++[pap] returns noop
Found Autz-Type Ldap1
+- entering group Ldap1
++- entering
redundant-load-balance group redundant-load-balance
rlm_ldap: - authorize
rlm_ldap: performing user
authorization for tester
WARNING: Deprecated
conditional expansion ":-". See "man unlang" for
details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=tester)
expand: ou=people,dc=myu,dc=ca -> ou=people,dc=myu,dc=ca
rlm_ldap: ldap_get_conn:
Checking Id: 0
rlm_ldap: ldap_get_conn: Got
Id: 0
rlm_ldap: attempting LDAP
reconnection
rlm_ldap: (re)connect to
ldap2.myu.ca:389, authentication 0
rlm_ldap: setting TLS CACert
File to /usr/local/etc/raddb/certs/myuCA.crt
rlm_ldap: setting TLS
Require Cert to never
rlm_ldap: bind as
uid=radius,dc=myu,dc=ca/PWD12345678 to ldap2.myu.ca:389
rlm_ldap: waiting for bind
result ...
rlm_ldap: Bind was
successful
rlm_ldap: performing search
in ou=people,dc=myu,dc=ca, with filter (uid=tester)
rlm_ldap: Added
User-Password = {SSHA}jSTYFonbXmIE6pReKdYUvq0RhxuhLUAT6FYcG== in check items
rlm_ldap: looking for check
items in directory...
rlm_ldap: looking for reply
items in directory...
rlm_ldap: user tester
authorized to use remote access
rlm_ldap: ldap_release_conn:
Release Id: 0
+++[myldap] returns ok
++- redundant-load-balance
group redundant-load-balance returns ok
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!
Replacing User-Password in config items with
Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your
configuration so that the "known
good"
!!!
!!! clear text password is
in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type Local
auth: user supplied
User-Password does NOT match local User-Password
auth: Failed to validate the
user.
Login incorrect: [tester]
(from client unbsj113 port 192)
Delaying reject of request 0
for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for
request 0
Sending Access-Reject of id
20 to 192.168.1.113 port 20000
Waking up in 4.9 seconds.
Cleaning up request 0 ID 20
with timestamp +111
Ready to process requests.
**************
In radiusd.conf,
ldap myldap {
server
= "ldap2.myu.ca"
identity
= "uid=radius,dc=myu,dc=ca"
password
= PWD12345678
basedn
= "ou=people,dc=myu,dc=ca"
filter
= "(uid=%{Stripped-User-Name:-%{User-Name}})"
ldap_connections_number
= 5
timeout
= 4
timelimit
= 3
net_timeout
= 1
tls
{
start_tls
= no
#
cacertfile = /path/to/cacert.pem
#
cacertdir = /path/to/ca/dir/
#
certfile = /path/to/radius.crt
cacertfile =
/usr/local/etc/raddb/certs/myuCA.crt
#
keyfile = /path/to/radius.key
#
randfile = /path/to/rnd
require_cert =
"never"
}
#
default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
#
access_attr = "dialupAccess"
dictionary_mapping
= ${confdir}/ldap.attrmap
password_attribute
= userPassword
#
password_header = "{clear}"
edir_account_policy_check
= no
#
groupname_attribute = cn
#
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
#
groupmembership_attribute = radiusGroupName
groupmembership_attribute
= eduPersonPrimaryAffiliation
#
compare_check_items = yes
#
do_xlat = yes
#
access_attr_used_for_allow = yes
set_auth_type
= yes
#ldap_debug
= 0x0028
}
ldap myldap2 {
...
}
authorize {
...
Autz-Type
Ldap1 {
redundant-load-balance{
myldap
myldap2
}
}
...
}
authenticate {
...
Auth-Type
Ldap1 {
redundant-load-balance{
myldap
myldap2
}
}
...
}
Thanks for your help!
Andrew