Hi, Is it possible to altogether avoid authenticate section and just do ldap lookups in the authorize section? authorize { ldap { notfound = reject } } The problem is in the authenticate section, radius gets the userDN from the authorize and tries to "bind" ldap with password which we don't have. I also tried in users file Ldap-UserDN := `cn=Manager,dc=eng,dc=com/answer2` But for some reason it is not working. Please help. Let me know if you need more information or please guide me to any documentation. Thanks and Regards, Eric. --- Eric Martell <workoutexcite@yahoo.com> wrote:
I am little bit confused as how to configure radiusd.conf in the authorize and/or authenticate section. So password is going to act like ldap attribute.
We are going to pass, username and ldap attribute (home phone #) as input for each user.
The way it is configured now is in the modules,
ldap { server = "10.11.12.2" identity = "cn=Manager,dc=eng,dc=com" password = answer2 basedn = "dc=eng,dc=com"
filter =
"(&(uid=%{Stripped-User-Name:-%{User-Name}})(phone=1231313128))"
// just for testing
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
}
authorize { .. .. .. ldap ...
}
authenticate { Auth-Type LDAP { ldap } }
In the logs it says:
rlm_ldap: - authorize rlm_ldap: performing user authorization for test1 radius_xlat: '(&(uid=test1)(phone=1231313128))' radius_xlat: 'dc=eng,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: bind as cn=Manager,dc=eng,dc=com/answer2 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=eng,dc=com, with filter (&(uid=test1)(phone=1231313128)) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user test1 authorized to use remote access
this is good.... But in the authenticate section
rlm_ldap: - authenticate rlm_ldap: login attempt by "test1" with password "1231313128" rlm_ldap: user DN: id=1967816, dc=eng,dc=com rlm_ldap: bind as id=1967816, dc=eng,dc=com/1231313128
rlm_ldap: waiting for bind result ... rlm_ldap: id=1967816, dc=eng,dc=com bind to 10.11.12.2:389 failed Inappropriate authentication rlm_ldap: ldap_connect() failed
Not sure why it is trying to bind as id=1967816, dc=eng,dc=com/1231313128
The only thing I want to do it, just authorize the ldap and pass the user through.
Please let me know if I am missing something.
Thanks so much.
Regards, Erik.
____________________________________________________________________________________
Be a better sports nut! Let your teams follow you with Yahoo Mobile. Try it now.
http://mobile.yahoo.com/sports;_ylt=At9_qDKvtAbMuh1G1SQtBI7ntAcJ
____________________________________________________________________________________ Get easy, one-click access to your favorites. Make Yahoo! your homepage. http://www.yahoo.com/r/hs
I am extremely sorry. Looks like it created new thread with same title. Really apologized. Admin's please merge the thread. Eric. --- Eric Martell <workoutexcite@yahoo.com> wrote:
Hi, Is it possible to altogether avoid authenticate section and just do ldap lookups in the authorize section?
authorize { ldap { notfound = reject } }
The problem is in the authenticate section, radius gets the userDN from the authorize and tries to "bind" ldap with password which we don't have.
I also tried in users file Ldap-UserDN := `cn=Manager,dc=eng,dc=com/answer2`
But for some reason it is not working.
Please help.
Let me know if you need more information or please guide me to any documentation.
Thanks and Regards, Eric.
--- Eric Martell <workoutexcite@yahoo.com> wrote:
I am little bit confused as how to configure radiusd.conf in the authorize and/or authenticate section. So password is going to act like ldap attribute.
We are going to pass, username and ldap attribute (home phone #) as input for each user.
The way it is configured now is in the modules,
ldap { server = "10.11.12.2" identity = "cn=Manager,dc=eng,dc=com" password = answer2 basedn = "dc=eng,dc=com"
filter =
"(&(uid=%{Stripped-User-Name:-%{User-Name}})(phone=1231313128))"
// just for testing
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
}
authorize { .. .. .. ldap ...
}
authenticate { Auth-Type LDAP { ldap } }
In the logs it says:
rlm_ldap: - authorize rlm_ldap: performing user authorization for test1 radius_xlat: '(&(uid=test1)(phone=1231313128))' radius_xlat: 'dc=eng,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: bind as cn=Manager,dc=eng,dc=com/answer2
rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=eng,dc=com, with filter (&(uid=test1)(phone=1231313128)) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user test1 authorized to use remote access
this is good.... But in the authenticate section
rlm_ldap: - authenticate rlm_ldap: login attempt by "test1" with password "1231313128" rlm_ldap: user DN: id=1967816, dc=eng,dc=com rlm_ldap: bind as id=1967816, dc=eng,dc=com/1231313128
rlm_ldap: waiting for bind result ... rlm_ldap: id=1967816, dc=eng,dc=com bind to 10.11.12.2:389 failed Inappropriate authentication rlm_ldap: ldap_connect() failed
Not sure why it is trying to bind as id=1967816, dc=eng,dc=com/1231313128
The only thing I want to do it, just authorize the ldap and pass the user through.
Please let me know if I am missing something.
Thanks so much.
Regards, Erik.
____________________________________________________________________________________
Be a better sports nut! Let your teams follow you
with Yahoo Mobile. Try it now.
http://mobile.yahoo.com/sports;_ylt=At9_qDKvtAbMuh1G1SQtBI7ntAcJ
____________________________________________________________________________________
Get easy, one-click access to your favorites. Make Yahoo! your homepage. http://www.yahoo.com/r/hs
____________________________________________________________________________________ Be a better pen pal. Text or chat with friends inside Yahoo! Mail. See how. http://overview.mail.yahoo.com/
Eric Martell wrote:
Hi, Is it possible to altogether avoid authenticate section and just do ldap lookups in the authorize section?
authorize { ldap { notfound = reject } }
The problem is in the authenticate section, radius gets the userDN from the authorize and tries to "bind" ldap with password which we don't have.
I also tried in users file Ldap-UserDN := `cn=Manager,dc=eng,dc=com/answer2`
Assuming you are using a recent version of FreeRadius, you can do one of the following: modules { ldap { ... set_auth_type = no } } authorize { preprocess ldap pap } authenticate { Auth-Type PAP { pap } }
Thanks so much Phil. I am using freeradius-1.0.4 I am going to install the latest version and will try your suggestion. Thanks and Regards. Eric. --- Phil Mayers <p.mayers@imperial.ac.uk> wrote:
Eric Martell wrote:
Hi, Is it possible to altogether avoid authenticate section and just do ldap lookups in the authorize section?
authorize { ldap { notfound = reject } }
The problem is in the authenticate section, radius gets the userDN from the authorize and tries to "bind" ldap with password which we don't have.
I also tried in users file Ldap-UserDN := `cn=Manager,dc=eng,dc=com/answer2`
Assuming you are using a recent version of FreeRadius, you can do one of the following:
modules { ldap { ... set_auth_type = no } }
authorize { preprocess ldap pap }
authenticate { Auth-Type PAP { pap } }
____________________________________________________________________________________ Be a better pen pal. Text or chat with friends inside Yahoo! Mail. See how. http://overview.mail.yahoo.com/
Hi Phil, I need some help again. Is there a way in the ldap module we can specify to return only ONE result for search filter. In my ldap tree when search with a filter (&(uid=test1)(phone=1231313128)) I get multiple results. And in the log I get message as search failed. I just want to return whatever the first result. rlm_ldap: performing search in dc=eng,dc=com, with filter (&(uid=test1)(phone=1231313128)) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed Please help. Thanks and Regards, Eric. --- Eric Martell <workoutexcite@yahoo.com> wrote:
Thanks so much Phil. I am using freeradius-1.0.4
I am going to install the latest version and will try your suggestion.
Thanks and Regards. Eric.
--- Phil Mayers <p.mayers@imperial.ac.uk> wrote:
Eric Martell wrote:
Hi, Is it possible to altogether avoid authenticate section and just do ldap lookups in the authorize section?
authorize { ldap { notfound = reject } }
The problem is in the authenticate section, radius gets the userDN from the authorize and tries to "bind" ldap with password which we don't have.
I also tried in users file Ldap-UserDN := `cn=Manager,dc=eng,dc=com/answer2`
Assuming you are using a recent version of FreeRadius, you can do one of the following:
modules { ldap { ... set_auth_type = no } }
authorize { preprocess ldap pap }
authenticate { Auth-Type PAP { pap } }
____________________________________________________________________________________
Be a better pen pal. Text or chat with friends inside Yahoo! Mail. See how. http://overview.mail.yahoo.com/
____________________________________________________________________________________ Looking for last minute shopping deals? Find them fast with Yahoo! Search. http://tools.search.yahoo.com/newsearch/category.php?category=shopping
Eric Martell wrote:
Hi Phil, I need some help again. Is there a way in the ldap module we can specify to return only ONE result for search filter. In my ldap tree when search with a filter (&(uid=test1)(phone=1231313128)) I get multiple results.
And in the log I get message as search failed. I just want to return whatever the first result.
rlm_ldap: performing search in dc=eng,dc=com, with filter (&(uid=test1)(phone=1231313128)) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed
Please help.
I don't think you can. You'll need to use a different (more specific?) search filter that gives unique results (and anyway, matching a random choice of N returned is not sensible - how do you know the one that matches even has a password attribute or is even a valid user object?)
Thanks and Regards, Eric.
--- Eric Martell <workoutexcite@yahoo.com> wrote:
Thanks so much Phil. I am using freeradius-1.0.4
I am going to install the latest version and will try your suggestion.
Thanks and Regards. Eric.
--- Phil Mayers <p.mayers@imperial.ac.uk> wrote:
Eric Martell wrote:
Hi, Is it possible to altogether avoid authenticate section and just do ldap lookups in the authorize section?
authorize { ldap { notfound = reject } }
The problem is in the authenticate section, radius gets the userDN from the authorize and tries to "bind" ldap with password which we don't have.
I also tried in users file Ldap-UserDN := `cn=Manager,dc=eng,dc=com/answer2` Assuming you are using a recent version of FreeRadius, you can do one of the following:
modules { ldap { ... set_auth_type = no } }
authorize { preprocess ldap pap }
authenticate { Auth-Type PAP { pap } }
____________________________________________________________________________________
Be a better pen pal. Text or chat with friends inside Yahoo! Mail. See how. http://overview.mail.yahoo.com/
____________________________________________________________________________________ Looking for last minute shopping deals? Find them fast with Yahoo! Search. http://tools.search.yahoo.com/newsearch/category.php?category=shopping
Hi Phil, I installed the latest freeradius-1.1.7. I put the line
set_auth_type = no in ldap module
to ignore the authentication. But for some reason I get the following error in the log.
rlm_ldap: user test1 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. I commented out #DEFAULT Auth-Type := Local #Session-Timeout = 7200, #Fall-Through = Yes and #DEFAULT Auth-Type = System # Session-Timeout = 7200, # Fall-Through = 1 from the users file as I don't have anything in the local or in the system. All the checks are with ldap lookups. Please let me know if I am missing something. Thanks and Regards, Eric. --- Eric Martell <workoutexcite@yahoo.com> wrote:
Thanks so much Phil. I am using freeradius-1.0.4
I am going to install the latest version and will try your suggestion.
Thanks and Regards. Eric.
--- Phil Mayers <p.mayers@imperial.ac.uk> wrote:
Eric Martell wrote:
Hi, Is it possible to altogether avoid authenticate section and just do ldap lookups in the authorize section?
authorize { ldap { notfound = reject } }
The problem is in the authenticate section, radius gets the userDN from the authorize and tries to "bind" ldap with password which we don't have.
I also tried in users file Ldap-UserDN := `cn=Manager,dc=eng,dc=com/answer2`
Assuming you are using a recent version of FreeRadius, you can do one of the following:
modules { ldap { ... set_auth_type = no } }
authorize { preprocess ldap pap }
authenticate { Auth-Type PAP { pap } }
____________________________________________________________________________________
Be a better pen pal. Text or chat with friends inside Yahoo! Mail. See how. http://overview.mail.yahoo.com/
____________________________________________________________________________________ Looking for last minute shopping deals? Find them fast with Yahoo! Search. http://tools.search.yahoo.com/newsearch/category.php?category=shopping
Eric Martell wrote:
Hi Phil, I installed the latest freeradius-1.1.7. I put the line
set_auth_type = no in ldap module
to ignore the authentication. But for some reason I get the following error in the log.
rlm_ldap: user test1 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user.
Did you add the "pap" module to the bottom of the "authorize" section as per my example?
Hi Phil, Yes I did.. Here is the config. modules { ldap { .... set_auth_type = no } } authorize { preprocess ldap pap } authenticate { # # PAP authentication, when a back-end database listed # in the 'authorize' section supplies a password. The # password can be clear-text, or encrypted. Auth-Type PAP { pap } } I commented out everything from the users file as I am not using Local or System Auth-Type. I think I am might be missing something in the users file. Please advice. I get the following error. rlm_ldap: user test1 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns ok) for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. --- Phil Mayers <p.mayers@imperial.ac.uk> wrote:
Eric Martell wrote:
Hi Phil, I installed the latest freeradius-1.1.7. I put the line
set_auth_type = no in ldap module
to ignore the authentication. But for some reason I get the following error in the log.
rlm_ldap: user test1 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user.
Did you add the "pap" module to the bottom of the "authorize" section as per my example?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
____________________________________________________________________________________ Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ
rlm_ldap: user test1 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
That's the problem. Your LDAP module should be copying the LDAP attribute containing the password to the relevant check item. Slightly confusing, there are two ways to do this: 1. ldap.attrmap 2. password_attribute & password_header config items of ldap module What are those setup to do? A full "-X" debug would help at this point.
Hi Alan, Can you please help me out with the LDAP query? I am still stuck with the issue. Your response will be greatly appreciated. Thanks and Regards, Eric. --- Alan DeKok <aland@deployingradius.com> wrote:
Phil Mayers wrote:
Slightly confusing, there are two ways to do this:
This should be fixed before 2.0. There should be only one way to do things.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
____________________________________________________________________________________ Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ
Eric Martell wrote:
Hi Alan, Can you please help me out with the LDAP query? I am still stuck with the issue.
What problem is left to solve? i.e. I read and answer a *lot* of email. I don't recall much past what's on my screen right now... Alan DeKok.
Hi Alan, I am trying to do ldap query lookup in the authorize section and after successful authorization ( if ldap entry exists on search query) ....reply with Access-Accept if not reject. I do not want to do authentication in LDAP as we are not storing "userPassword" attribute in ldap schema. So in a way trying to do.. if(ldap search success) { Access-Accept } else { Access-Reject } Please check the thread below what Phil told me to do... Hi Phil, Here is the detail configs and logs. Please let me know. Thanks and Regards. modules { ldap { server = "ldap://xxxxxxxxx:1389" identity = "uid=appuser,ou=appadm,o=entitlement" password = ****** basedn = "ou=roles,o=entitlement" dictionary_mapping = ${raddbdir}/ldap.attrmap filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(entitlements=WIFILOC1)(attribute1=%{User-Password}))" start_tls = no ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 set_auth_type = no } } authorize { .. ldap pap } authenticate { Auth-Type PAP { pap } ..... } In the users files #DEFAULT Auth-Type := Local #Session-Timeout = 7200, #Fall-Through = Yes #DEFAULT Auth-Type := System #Session-Timeout = 7200, #Fall-Through = Yes Here is the detail log. rad_recv: Access-Request packet from host 216.2.193.1:55729, id=2, length=48 User-Name = "test1" User-Password = "11111" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "test1", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for test1 radius_xlat: '(&(uid=test1)(entitlements=WIFILOC1)(attribute1=11111))' radius_xlat: 'ou=roles,o=entitlement' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap://xxxx:1389, authentication 0 rlm_ldap: bind as uid=appuser,ou=appadm,o=entitlement/xxxx to ldap://xxxxxxx:1389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=roles,o=entitlement, with filter (&(uid=test1)(entitlements=WIFILOC1)(attribute1=11111)) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user test1 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns ok) for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 2 to 216.2.193.1 port 55729 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 2 with timestamp 4761660e Nothing to do. Sleeping until we see a request. --- Phil Mayers <p.mayers at imperial.ac.uk> wrote:
rlm_ldap: user test1 authorized to use remote
access
rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
That's the problem.
Your LDAP module should be copying the LDAP attribute containing the password to the relevant check item.
Slightly confusing, there are two ways to do this:
1. ldap.attrmap 2. password_attribute & password_header config items of ldap module
What are those setup to do?
A full "-X" debug would help at this point. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Assuming you are using a recent version of FreeRadius, you can do one of the following:
modules { ldap { ... set_auth_type = no } } authorize { preprocess ldap pap } authenticate { Auth-Type PAP { pap } }
--- Alan DeKok <aland@deployingradius.com> wrote:
Eric Martell wrote:
Hi Alan, Can you please help me out with the LDAP query? I am still stuck with the issue.
What problem is left to solve?
i.e. I read and answer a *lot* of email. I don't recall much past what's on my screen right now...
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
____________________________________________________________________________________ Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ
OK, so password is not in LDAP. Where is it then? Are you trying to accept users without passwords? Consider using a perl script to implement that logic and forget about LDAP module in Freeradius. Ivan Kalik Kalik Informatika ISP Dana 4/1/2008, "Eric Martell" <workoutexcite@yahoo.com> piše:
Hi Alan, I am trying to do ldap query lookup in the authorize section and after successful authorization ( if ldap entry exists on search query) ....reply with Access-Accept if not reject.
I do not want to do authentication in LDAP as we are not storing "userPassword" attribute in ldap schema.
So in a way trying to do..
if(ldap search success) { Access-Accept } else { Access-Reject }
Please check the thread below what Phil told me to do...
Hi Phil, Here is the detail configs and logs. Please let me know. Thanks and Regards.
modules { ldap {
server = "ldap://xxxxxxxxx:1389" identity = "uid=appuser,ou=appadm,o=entitlement" password = ****** basedn = "ou=roles,o=entitlement"
dictionary_mapping = ${raddbdir}/ldap.attrmap filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(entitlements=WIFILOC1)(attribute1=%{User-Password}))"
start_tls = no ldap_connections_number = 5
timeout = 4 timelimit = 3 net_timeout = 1
set_auth_type = no } }
authorize { ... ldap pap }
authenticate { Auth-Type PAP { pap }
...... }
In the users files #DEFAULT Auth-Type := Local #Session-Timeout = 7200, #Fall-Through = Yes
#DEFAULT Auth-Type := System #Session-Timeout = 7200, #Fall-Through = Yes
Here is the detail log.
rad_recv: Access-Request packet from host 216.2.193.1:55729, id=2, length=48 User-Name = "test1" User-Password = "11111" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "test1", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for test1 radius_xlat: '(&(uid=test1)(entitlements=WIFILOC1)(attribute1=11111))' radius_xlat: 'ou=roles,o=entitlement' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap://xxxx:1389, authentication 0 rlm_ldap: bind as uid=appuser,ou=appadm,o=entitlement/xxxx to ldap://xxxxxxx:1389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=roles,o=entitlement, with filter (&(uid=test1)(entitlements=WIFILOC1)(attribute1=11111)) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user test1 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns ok) for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 2 to 216.2.193.1 port 55729 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 2 with timestamp 4761660e Nothing to do. Sleeping until we see a request.
--- Phil Mayers <p.mayers at imperial.ac.uk> wrote:
rlm_ldap: user test1 authorized to use remote
access
rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
That's the problem.
Your LDAP module should be copying the LDAP attribute containing the password to the relevant check item.
Slightly confusing, there are two ways to do this:
1. ldap.attrmap 2. password_attribute & password_header config items of ldap module
What are those setup to do?
A full "-X" debug would help at this point. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Assuming you are using a recent version of FreeRadius, you can do one of the following:
modules { ldap { ... set_auth_type = no } }
authorize { preprocess ldap pap }
authenticate { Auth-Type PAP { pap } }
--- Alan DeKok <aland@deployingradius.com> wrote:
Eric Martell wrote:
Hi Alan, Can you please help me out with the LDAP query? I am still stuck with the issue.
What problem is left to solve?
i.e. I read and answer a *lot* of email. I don't recall much past what's on my screen right now...
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
____________________________________________________________________________________ Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Ivan, Actually in the implementation we are going to treat on the website zipcode as a password field. we are asking people to enter username and zipcode which is store in the LDAP Schema. In the radius, I am going to receive username (User-Name) and zipcode ( User-Password). In the ldap module do query filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(entitlements=WIFILOC1)(zipcode=%{User-Password}))" and depends on the resultset, give access or reject. Please let me know if this clear and any other better way to handle this in radius. Thanks and Regards. Eric. --- tnt@kalik.co.yu wrote:
OK, so password is not in LDAP. Where is it then? Are you trying to accept users without passwords? Consider using a perl script to implement that logic and forget about LDAP module in Freeradius.
Ivan Kalik Kalik Informatika ISP
Dana 4/1/2008, "Eric Martell" <workoutexcite@yahoo.com> pi¹e:
Hi Alan, I am trying to do ldap query lookup in the authorize section and after successful authorization ( if ldap entry exists on search query) ....reply with Access-Accept if not reject.
I do not want to do authentication in LDAP as we are not storing "userPassword" attribute in ldap schema.
So in a way trying to do..
if(ldap search success) { Access-Accept } else { Access-Reject }
Please check the thread below what Phil told me to do...
Hi Phil, Here is the detail configs and logs. Please let me know. Thanks and Regards.
modules { ldap {
server = "ldap://xxxxxxxxx:1389" identity = "uid=appuser,ou=appadm,o=entitlement" password = ****** basedn = "ou=roles,o=entitlement"
dictionary_mapping = ${raddbdir}/ldap.attrmap filter =
"(&(uid=%{Stripped-User-Name:-%{User-Name}})(entitlements=WIFILOC1)(attribute1=%{User-Password}))"
start_tls = no ldap_connections_number = 5
timeout = 4 timelimit = 3 net_timeout = 1
set_auth_type = no } }
authorize { ... ldap pap }
authenticate { Auth-Type PAP { pap }
...... }
In the users files #DEFAULT Auth-Type := Local #Session-Timeout = 7200, #Fall-Through = Yes
#DEFAULT Auth-Type := System #Session-Timeout = 7200, #Fall-Through = Yes
Here is the detail log.
rad_recv: Access-Request packet from host 216.2.193.1:55729, id=2, length=48 User-Name = "test1" User-Password = "11111" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns
ok
for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "test1", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for test1 radius_xlat:
'(&(uid=test1)(entitlements=WIFILOC1)(attribute1=11111))'
radius_xlat: 'ou=roles,o=entitlement' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap://xxxx:1389, authentication 0 rlm_ldap: bind as uid=appuser,ou=appadm,o=entitlement/xxxx to ldap://xxxxxxx:1389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=roles,o=entitlement, with filter
(&(uid=test1)(entitlements=WIFILOC1)(attribute1=11111))
rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user test1 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns ok) for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 2 to 216.2.193.1 port 55729 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 2 with timestamp 4761660e Nothing to do. Sleeping until we see a request.
--- Phil Mayers <p.mayers at imperial.ac.uk> wrote:
rlm_ldap: user test1 authorized to use remote
access
rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
That's the problem.
Your LDAP module should be copying the LDAP attribute containing the password to the relevant check item.
Slightly confusing, there are two ways to do this:
=== message truncated === ____________________________________________________________________________________ Never miss a thing. Make Yahoo your home page. http://www.yahoo.com/r/hs
On Jan 4, 2008 9:54 AM, Eric Martell <workoutexcite@yahoo.com> wrote:
Hi Ivan, Actually in the implementation we are going to treat on the website zipcode as a password field. we are asking people to enter username and zipcode which is store in the LDAP Schema.
In the radius, I am going to receive username (User-Name) and zipcode ( User-Password). In the ldap module do query filter =
"(&(uid=%{Stripped-User-Name:-%{User-Name}})(entitlements=WIFILOC1)(zipcode=%{User-Password}))"
and depends on the resultset, give access or reject.
Please let me know if this clear and any other better way to handle this in radius.
Couldn't you just map zipcode to the password attribute in ldap.attrmap: checkItem Cleartext-Password zipcode you could then exclude the zipcode condition from your ldap filter as FreeRADIUS should do the work. -- Nicholas Hall ngharo@gmail.com 262.208.6271
Please let me know if this clear and any other better way to handle this in radius.
Yes. Why don't you strore zip code as userPassword? Since you are going to use it as password I really don't see why not. That would make things quite simple. Ivan Kalik Kalik Informatika ISP
Eric Martell wrote:
I am trying to do ldap query lookup in the authorize section and after successful authorization ( if ldap entry exists on search query) ....reply with Access-Accept if not reject.
So... you're not authenticating anyone?
I do not want to do authentication in LDAP as we are not storing "userPassword" attribute in ldap schema.
How will users be authenticated?
So in a way trying to do..
if(ldap search success) { Access-Accept } else { Access-Reject }
Try this: authorize { ... ldap { notfound = reject } files } And have the "users" file: DEFAULT Auth-Type := Accept. Of course, in 2.0, you can use "unlang" to write a rule that looks pretty much like your pseudo-code above. Alan DeKok.
Hi Phil, Here is the detail configs and logs. Please let me know. Thanks and Regards. modules { ldap { server = "ldap://xxxxxxxxx:1389" identity = "uid=appuser,ou=appadm,o=entitlement" password = ****** basedn = "ou=roles,o=entitlement" dictionary_mapping = ${raddbdir}/ldap.attrmap filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(entitlements=WIFILOC1)(attribute1=%{User-Password}))" start_tls = no ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 set_auth_type = no } } authorize { .. ldap pap } authenticate { Auth-Type PAP { pap } ..... } In the users files #DEFAULT Auth-Type := Local #Session-Timeout = 7200, #Fall-Through = Yes #DEFAULT Auth-Type := System #Session-Timeout = 7200, #Fall-Through = Yes Here is the detail log. rad_recv: Access-Request packet from host 216.2.193.1:55729, id=2, length=48 User-Name = "test1" User-Password = "11111" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "test1", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for test1 radius_xlat: '(&(uid=test1)(entitlements=WIFILOC1)(attribute1=11111))' radius_xlat: 'ou=roles,o=entitlement' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap://xxxx:1389, authentication 0 rlm_ldap: bind as uid=appuser,ou=appadm,o=entitlement/xxxx to ldap://xxxxxxx:1389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=roles,o=entitlement, with filter (&(uid=test1)(entitlements=WIFILOC1)(attribute1=11111)) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user test1 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns ok) for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 2 to 216.2.193.1 port 55729 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 2 with timestamp 4761660e Nothing to do. Sleeping until we see a request. --- Phil Mayers <p.mayers@imperial.ac.uk> wrote:
rlm_ldap: user test1 authorized to use remote
access
rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
That's the problem.
Your LDAP module should be copying the LDAP attribute containing the password to the relevant check item.
Slightly confusing, there are two ways to do this:
1. ldap.attrmap 2. password_attribute & password_header config items of ldap module
What are those setup to do?
A full "-X" debug would help at this point. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
____________________________________________________________________________________ Never miss a thing. Make Yahoo your home page. http://www.yahoo.com/r/hs ____________________________________________________________________________________ Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ
Hi Phil, Please let me know if you need more info. I am still stuck with the problem. Thanks and Regards, Eric. --- Phil Mayers <p.mayers@imperial.ac.uk> wrote:
rlm_ldap: user test1 authorized to use remote
access
rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
That's the problem.
Your LDAP module should be copying the LDAP attribute containing the password to the relevant check item.
Slightly confusing, there are two ways to do this:
1. ldap.attrmap 2. password_attribute & password_header config items of ldap module
What are those setup to do?
A full "-X" debug would help at this point. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
____________________________________________________________________________________ Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ
participants (5)
-
Alan DeKok -
Eric Martell -
Nicholas Hall -
Phil Mayers -
tnt@kalik.co.yu