Pop3 and LDAP authentication...Multiple radius servers
Hi, We have radius server which is inhouse which does the LDAP authentication. We got a new request from third party to do authentication for "their" users using POP3. So the request comes to radiusA (our inhouse radius). If the user has realm as @xyz.net ..then we forward the request to third party to authenticate which might be radiusB which does the authentication using POP3. If there is no realm attached, radiusA does the LDAP auth and return the response. Not sure how to specify in our radiusd.conf. I could not find any thread in the list. Please let me know the link if this is already discuss. Really Appreciated your quick response. Thanks and Regards.
http://radiuswiki.suntel.com.tr/Proxy.conf Ivan Kalik Kalik Informatika ISP Dana 25/8/2008, "Eric Martell" <workoutexcite@yahoo.com> piše:
Hi, We have radius server which is inhouse which does the LDAP authentication We got a new request from third party to do authentication for "their" users using POP3.
So the request comes to radiusA (our inhouse radius).
If the user has realm as @xyz.net ..then we forward the request to third party to authenticate which might be radiusB which does the authentication using POP3.
If there is no realm attached, radiusA does the LDAP auth and return the response.
Not sure how to specify in our radiusd.conf.
I could not find any thread in the list. Please let me know the link if this is already discuss.
Really Appreciated your quick response.
Thanks and Regards.
Thanks Ivan. Now I have 2 radius servers running on same machine as radiusa (port 1812) and radiusb (port 1912). I configured radiusa to do ldap auth and radiusb to do POP3 auth which works fine "individually" thru radclient. I setup proxy.conf in radiusa as realm xyz.net { type = radius authhost = radiusb.test1.net:1912 accthost = radiusb.test1.net:1913 secret = testing } I am sending request thru radclient on radiusa. But for some reason the request does not get proxied to radiusb. This is the radius -X log. rad_recv: Access-Request packet from host 167.206.23.94:1054, id=14, length=59 User-Name = "testaccount@xyz.net" User-Password = "test" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: Looking up realm "xyz.net" for User-Name = "testaccount@xyz.net" rlm_realm: Found realm "xyz.net" rlm_realm: Adding Stripped-User-Name = "testaccount" rlm_realm: Proxying request from user testaccount to realm xyz.net rlm_realm: Adding Realm = "xyz.net" rlm_realm: Preparing to proxy authentication request to realm "xyz.net" modcall[authorize]: module "suffix" returns updated for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 75 users: Matched entry DEFAULT at line 180 users: Matched entry DEFAULT at line 184 modcall[authorize]: module "files" returns ok for request 0 modcall: entering group group for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for testaccount radius_xlat: '(uid=testaccount)' radius_xlat: 'dc=test1,dc=net,o=internet' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection Please let me know if I am missing something. Thanks and Regards. --- On Mon, 8/25/08, Ivan Kalik <tnt@kalik.net> wrote: From: Ivan Kalik <tnt@kalik.net> Subject: Re: Pop3 and LDAP authentication...Multiple radius servers To: freeradius-users@lists.freeradius.org Date: Monday, August 25, 2008, 1:39 PM http://radiuswiki.suntel.com.tr/Proxy.conf Ivan Kalik Kalik Informatika ISP Dana 25/8/2008, "Eric Martell" <workoutexcite@yahoo.com> piše:
Hi, We have radius server which is inhouse which does the LDAP authentication We got a new request from third party to do authentication for "their" users using POP3.
So the request comes to radiusA (our inhouse radius).
If the user has realm as @xyz.net ..then we forward the request to third party to authenticate which might be radiusB which does the authentication using POP3.
If there is no realm attached, radiusA does the LDAP auth and return the response.
Not sure how to specify in our radiusd.conf.
I could not find any thread in the list. Please let me know the link if this is already discuss.
Really Appreciated your quick response.
Thanks and Regards.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Eric Martell wrote:
I am sending request thru radclient on radiusa. But for some reason the request does not get proxied to radiusb.
This is the radius -X log.
You've edited it so that most of it is missing. i.e. the part where it either decides to proxy, or to authenticate locally. Alan DeKok.
Here is the entire log. rad_recv: Access-Request packet from host 167.206.23.94:1054, id=14, length=59 User-Name = "testaccount@xyz.net" User-Password = "test" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: Looking up realm "xyz.net" for User-Name = "testaccount@xyz.net" rlm_realm: Found realm "xyz.net" rlm_realm: Adding Stripped-User-Name = "testaccount" rlm_realm: Proxying request from user testaccount to realm xyz.net rlm_realm: Adding Realm = "xyz.net" rlm_realm: Preparing to proxy authentication request to realm "xyz.net" modcall[authorize]: module "suffix" returns updated for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 75 users: Matched entry DEFAULT at line 180 users: Matched entry DEFAULT at line 184 modcall[authorize]: module "files" returns ok for request 0 modcall: entering group group for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for testaccount radius_xlat: '(uid=testaccount)' radius_xlat: 'dc=test1,dc=net,o=internet' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to test1dir.net:389, authentication 0 rlm_ldap: bind as uid=mmpProxy,o=internet/MMPzzzz to test1dir.net:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=test1,dc=net,o=internet, with filter (uid=testaccount) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap1" returns notfound for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for testaccount radius_xlat: '(&(uid=testaccount)(entitlements=WIFILOC1))' radius_xlat: 'ou=roles,o=entitlement' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap://asdadasdt:389, authentication 0 rlm_ldap: bind as uid=appuser,ou=appadm,o=entitlement/Paadaad to ldap://adasdasdas:389 rlm_ldap: uid=appuser,ou=appadm,o=entitlement bind to ldap://vadsdsdsad:389 failed: Can't contact LDAP server rlm_ldap: (re)connection attempt failed rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap2" returns fail for request 0 modcall: group group returns reject for request 0 modcall: group authorize returns reject for request 0 Invalid user (rlm_ldap: User not found): [testaccount@xyz.net] (from client adasdas port 0) Cancelling proxy as request was already rejected Request 0 rejected in proxy_send. Server rejecting request 0. Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 14 to 167.206.23.94:1054 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 14 with timestamp 48b41aaf Nothing to do. Sleeping until we see a request. --- On Tue, 8/26/08, Alan DeKok <aland@deployingradius.com> wrote: From: Alan DeKok <aland@deployingradius.com> Subject: Re: Pop3 and LDAP authentication...Multiple radius servers To: workoutexcite@yahoo.com, "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Date: Tuesday, August 26, 2008, 11:13 AM Eric Martell wrote:
I am sending request thru radclient on radiusa. But for some reason the request does not get proxied to radiusb.
This is the radius -X log.
You've edited it so that most of it is missing. i.e. the part where it either decides to proxy, or to authenticate locally. Alan DeKok.
Eric Martell wrote:
Here is the entire log. ... rlm_ldap: performing search in dc=test1,dc=net,o=internet, with filter (uid=testaccount)
If you're proxying the request, why have you configured the server to do lookups in LDAP?
ldap://vadsdsdsad:389 failed: Can't contact LDAP server rlm_ldap: (re)connection attempt failed rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap2" returns fail for request 0 modcall: group group returns reject for request 0
That would seem to show why it's being rejeect. The LDAP server is down. And I don't think "vadsdsdsad" is a real host name in your network. Perhaps you could explain why you think the server should work after you've configured it to use resources that don't exist. Alan DeKok.
Alan thanks for the reply. I already have radiusa which does the LDAP authentication ( which has ldap1 and ldap2 groups) . New business request came to add POP3 authentication for third party. so I added new radius server radiusb which does the POP3 auth. I am using radiusa to do proxy depends on the realm xyz.net to forward to radiusb and all other requests (no realm in the usernames) still go to radiusa. I am running radiusa on 1812 and radiusb on 1912. I did not see any log messages in radiusb server. I thought when using radiusa proxy, it forwards the request to radiusb. The user testaccount@xyz.net is configured in radiusb which does pop3 auth. No testaccount@xyz.net user exists in radiusa ( in ldap). Hope this helps. Let me know if I am doing it right. Here is the radius -X log, rad_recv: Access-Request packet from host 167.206.23.94:1357, id=15, length=59 User-Name = "testaccount@xyz.net" User-Password = "test" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: Looking up realm "xyz.net" for User-Name = "testaccount@xyz.net" rlm_realm: Found realm "xyz.net" rlm_realm: Adding Stripped-User-Name = "testaccount" rlm_realm: Proxying request from user testaccount to realm xyz.net rlm_realm: Adding Realm = "xyz.net" rlm_realm: Preparing to proxy authentication request to realm "xyz.net" modcall[authorize]: module "suffix" returns updated for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 75 users: Matched entry DEFAULT at line 180 users: Matched entry DEFAULT at line 184 modcall[authorize]: module "files" returns ok for request 0 modcall: entering group group for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for testaccount radius_xlat: '(uid=testaccount)' radius_xlat: 'dc=opt,dc=net,o=internet' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap1:389, authentication 0 rlm_ldap: bind as uid=mmpProxy,o=internet/MMPass to ldap1:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=opt,dc=net,o=internet, with filter (uid=testaccount) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap1" returns notfound for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for testaccount radius_xlat: '(&(uid=testaccount)(entitlements=WIFILOC1))' radius_xlat: 'ou=roles,o=entitlement' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap://ldap2:1389, authentication 0 rlm_ldap: bind as uid=appuser,ou=appadm,o=entitlement/PaBlAn0 to ldap://ldap2:1389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=roles,o=entitlement, with filter (&(uid=testaccount)(entitlements=WIFILOC1)) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap2" returns notfound for request 0 modcall: group group returns reject for request 0 modcall: group authorize returns reject for request 0 Invalid user (rlm_ldap: User not found): [testaccount@xyz.net] (from client test1 port 0) Cancelling proxy as request was already rejected Request 0 rejected in proxy_send. Server rejecting request 0. Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 15 to 167.206.23.94:1357 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 15 with timestamp 48b424b1 Nothing to do. Sleeping until we see a request. --- On Tue, 8/26/08, Alan DeKok <aland@deployingradius.com> wrote: From: Alan DeKok <aland@deployingradius.com> Subject: Re: Pop3 and LDAP authentication...Multiple radius servers To: workoutexcite@yahoo.com, "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Date: Tuesday, August 26, 2008, 12:00 PM Eric Martell wrote:
Here is the entire log. ... rlm_ldap: performing search in dc=test1,dc=net,o=internet, with filter (uid=testaccount)
If you're proxying the request, why have you configured the server to do lookups in LDAP?
ldap://vadsdsdsad:389 failed: Can't contact LDAP server rlm_ldap: (re)connection attempt failed rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap2" returns fail for request 0 modcall: group group returns reject for request 0
That would seem to show why it's being rejeect. The LDAP server is down. And I don't think "vadsdsdsad" is a real host name in your network. Perhaps you could explain why you think the server should work after you've configured it to use resources that don't exist. Alan DeKok.
Eric Martell wrote:
I am using radiusa to do proxy depends on the realm xyz.net to forward to radiusb and all other requests (no realm in the usernames) still go to radiusa.
Then you need to configure the server to *not* look up userd@xyz.net in LDAP. See "man unlang" in the latest version. Alan DeKok.
participants (3)
-
Alan DeKok -
Eric Martell -
Ivan Kalik