redundant LDAP server with free-radius
Hi All, 1. When i configure the free-radius to use redundant ldap, the radius server contacts the secondary ldap server first. My config file options are: authorize { ... .... redundant{ ldap_primary ldap_secondary } .. } authenticate { .. .. Auth-Type LDAP { redundant { ldap_primary ldap_secondary } } } #unix eap } ldap ldap_primary { ;; .. } ldap ldap_secondary { .... ... } 2. My users file has : DEFAULT LDAP-Group := "groupname1" some vendor specific attributes follows.. DEFAULT LDAP-Group := "groupname2" ..... Do i need to specify it as ldap_primary-LDAP-Group := "groupname1" ldap_secondary-LDAP-Group := "groupname1" ?? or the previous define itself will work ?? Its very urgent. Please reply me if you have any idea. Thanks in advance. Regards, Sumi.
"sumi thra" <sumi.techno@gmail.com> wrote:
1. When i configure the free-radius to use redundant ldap, the radius server contacts the secondary ldap server first.
It works for me. And since you haven't posted the debugging output as suggested in the README, FAQ, INSTALL, etc., my guess is you're doing something else wrong that causes the problem.
2. My users file has : DEFAULT LDAP-Group := "groupname1" some vendor specific attributes follows.. DEFAULT LDAP-Group := "groupname2" .....
Do i need to specify it as ldap_primary-LDAP-Group := "groupname1"
Did you read doc/rlm_ldap? Alan DeKok.
Yes. i got it now. Thank you so much for your information. :-) Regards Sumi On 4/25/06, Alan DeKok <aland@nitros9.org> wrote:
"sumi thra" <sumi.techno@gmail.com> wrote:
1. When i configure the free-radius to use redundant ldap, the radius server contacts the secondary ldap server first.
It works for me.
And since you haven't posted the debugging output as suggested in the README, FAQ, INSTALL, etc., my guess is you're doing something else wrong that causes the problem.
2. My users file has : DEFAULT LDAP-Group := "groupname1" some vendor specific attributes follows.. DEFAULT LDAP-Group := "groupname2" .....
Do i need to specify it as ldap_primary-LDAP-Group := "groupname1"
Did you read doc/rlm_ldap?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi All, Please help me in fixing this issus. Still im not able to fix it... My access-request is not successed when i configure multiple ldap instances. I read the rlm_ldap document, according to that, I have the following configuration in radiusd.conf authorize { ... files redundant { ldap_primary ldap_secondary } eap } .. authenticate { ..... Auth-Type LDAP { redundant { ldap_primary ldap_secondary } } ...# primary ldap configuration ldap ldap_primary { server = 1.1.1.1 .... } In my users file i have the following policy: # Primary ldap server's group policy - accept DEFAULT ldap_primary-Ldap-Group == "ads-group1", Symbol-Wlan-Index =~ wlan1,Login-Time := "Any0000-2359" #Primary ldap server's group policy- reject DEFAULT ldap_primary-Ldap-Group == "ads-group1", Symbol-Wlan-Index =~ wlan2|wlan3|wlan4, Auth-Type := Reject DEFAULT Auth-Type := Reject Please find the logs below.. rad_recv: Access-Request packet from host 127.0.0.1:41256, id=85, length=277 User-Name = "sumithra" Called-Station-Id = "00-A0-F8-BF-E9-BC:wlan1" Calling-Station-Id = "00-0F-3D-E9-A6-54" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 NAS-IP-Address = 127.0.0.1 NAS-Identifier = "WS5100" Symbol-Wlan-Index = "wlan1" NAS-Port-Id = "WLAN1" Connect-Info = "CONNECT 54Mbps 802.11a" State = 0x3477b37e06e1959a106065fa6b552b46 EAP-Message = 0x0205004715800000003d170301003865d55f3cd46e8f5b7036c78d38a3a9fc51dbdff5f8f256cedd0b1e3da150ed5a4f7f605fdced3725189e4836dc817af1cea9c7047ff1073e Message-Authenticator = 0x16f08ab431d475e4a824d796da35d410 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '/' in User-Name = "sumithra", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix_oblic" returns noop for request 5 rlm_realm: No '/' in User-Name = "sumithra", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "prefix_oblic" returns noop for request 5 rlm_realm: No '@' in User-Name = "sumithra", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix_at" returns noop for request 5 rlm_realm: No '@' in User-Name = "sumithra", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "prefix_at" returns noop for request 5 rlm_realm: No '%' in User-Name = "sumithra", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix_percent" returns noop for request 5 rlm_realm: No '%' in User-Name = "sumithra", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "prefix_percent" returns noop for request 5 rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'ou=123,dc=123,dc=123,dc=com' radius_xlat: '(sAMAccountName=sumithra)' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=123,dc=123,dc=123,dc=com, with filter (sAMAccountName=sumithra) rlm_ldap: ldap_release_conn: Release Id: 0 radius_xlat: '(|(&(objectClass=GroupOfNames)(member=CN=sumithra,OU=123,DC=123,DC=123,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=sumithra,OU=123,DC=123,DC=123,DC=com)))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=123,dc=123,dc=123,dc=com, with filter (&(cn=ads-group1)(|(&(objectClass=GroupOfNames)(member=CN=sumithra,OU=123,DC=123,DC=123,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=sumithra,OU=123,DC=123,DC=123,DC=com)))) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in CN=sumithra,OU=123,DC=123,DC=123,DC=com, with filter (objectclass=*) rlm_ldap::ldap_groupcmp: ldap_get_values() failed rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'ou=123,dc=123,dc=123,dc=com' radius_xlat: '(|(&(objectClass=GroupOfNames)(member=CN=sumithra,OU=123,DC=123,DC=123,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=sumithra,OU=WIOS,DC=wios,DC=symbol,DC=com)))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=123,dc=123,dc=123,dc=com, with filter (&(cn=ads-group1)(|(&(objectClass=GroupOfNames)(member=CN=sumithra,OU=123,DC=123,DC=123,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=sumithra,OU=123,DC=123,DC=123,DC=com)))) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in CN=sumithra,OU=123,DC=123,DC=123,DC=com, with filter (objectclass=*) rlm_ldap::ldap_groupcmp: ldap_get_values() failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "files" returns notfound for request 5 modcall: entering group redundant for request 5 rlm_ldap: - authorize rlm_ldap: performing user authorization for sumithra radius_xlat: '(sAMAccountName=sumithra)' radius_xlat: 'ou=123,dc=123,dc=123,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=123,dc=123,dc=123,dc=com, with filter (sAMAccountName=sumithra) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user sumithra authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap_primary" returns ok for request 5 modcall: leaving group redundant (returns ok) for request 5 rlm_eap: EAP packet type response id 5 length 71 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request not found in the list rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request rlm_eap: Failed in handler modcall[authenticate]: module "eap" returns invalid for request 5 modcall: leaving group authenticate (returns invalid) for request 5 auth: Failed to validate the user. Delaying request 5 for 1 seconds Finished request 5 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 81 with timestamp 4450b417 Cleaning up request 1 ID 82 with timestamp 4450b417 Cleaning up request 2 ID 83 with timestamp 4450b417 Cleaning up request 3 ID 84 with timestamp 4450b417 Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 85 to 127.0.0.1 port 41256 Waking up in 4 seconds... Please reply me if you have any idea where the configuration is wrong. Thanks in advance. Regards Sumithra On 4/25/06, sumi thra <sumi.techno@gmail.com> wrote:
Yes. i got it now.
Thank you so much for your information. :-)
Regards Sumi
On 4/25/06, Alan DeKok < aland@nitros9.org> wrote:
"sumi thra" < sumi.techno@gmail.com> wrote:
1. When i configure the free-radius to use redundant ldap, the radius server contacts the secondary ldap server first.
It works for me.
And since you haven't posted the debugging output as suggested in the README, FAQ, INSTALL, etc., my guess is you're doing something else wrong that causes the problem.
2. My users file has : DEFAULT LDAP-Group := "groupname1" some vendor specific attributes follows.. DEFAULT LDAP-Group := "groupname2" .....
Do i need to specify it as ldap_primary-LDAP-Group := "groupname1"
Did you read doc/rlm_ldap?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"sumi thra" <sumi.techno@gmail.com> wrote:
My access-request is not successed when i configure multiple ldap instances. I read the rlm_ldap document, according to that,
I don't think this has anything to do with LDAP.
rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request not found in the list rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
That's the problem. Alan DeKok.
On 4/27/06, Alan DeKok <aland@nitros9.org> wrote:
"sumi thra" <sumi.techno@gmail.com> wrote:
My access-request is not successed when i configure multiple ldap instances. I read the rlm_ldap document, according to that,
I don't think this has anything to do with LDAP.
rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request not found in the list rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
That's the problem.
You mean to say that, this is an issue in free-radius ?? or my configuration is mismatching? Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Folks, sorry for bringing this up again. I am running FreeRADIUS 1.1.4 and OpenLDAP 2.3.32 on two Solaris10/x86 hosts. Non-redundant config works fine with FreeRADIUS and OpenLDAP on a single host. modules { ldap { .... } } authorize { ... ldap } authenticate { ... Auth-Type LDAP { ldap } } When I use a redundant config as per instruction in docs, I have the "auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user" in debugs and user is rejected. Please see config and debug output below. I guess I am mussing some fine detail here. Your help would be highly appreciated. modules { ldap ds-01 { .... } ldap ds-02 { .... } } authorize { ... redundant { ds-02 ds-01 } } authenticate { ... Auth-Type LDAP { redundant { ds-02 ds-01 } } } Debug output rad_recv: Access-Request packet from host 1.1.1.1:3283, id=29, length=47 User-Name = "qwer" User-Password = "qwer" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "qwer", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 modcall: entering group redundant for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for qwer radius_xlat: '(&(objectClass=posixAccount)(l=*)(uid=qwer))' radius_xlat: 'dc=my,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as / to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=my,dc=com, with filter (&(objectClass=posixAccount)(l=*)(uid=qwer)) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user alexeim authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ds-02" returns ok for request 0 modcall: leaving group redundant (returns ok) for request 0 modcall: leaving group authorize (returns ok) for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 TIA A.
Alexei Monastyrnyi wrote:
When I use a redundant config as per instruction in docs, I have the "auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user" in debugs and user is rejected. Please see config and debug output below. I guess I am mussing some fine detail here. Your help would be highly appreciated.
The modules are named "ds-01" and "ds-02", not "LDAP". In this case, you will have to set Auth-Type to LDAP by hand. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Thanks Alan. But I do define it when switching from singe server to redundant group, don't I? Auth-Type LDAP { ldap } to Auth-Type LDAP { redundant { ds-02 ds-01 } } Isn't that enough? A. Alexei Monastyrnyi wrote:
/ When I use a redundant config as per instruction in docs, I have the />/ "auth: No authenticate method (Auth-Type) configuration found for the />/ request: Rejecting the user" in debugs and user is rejected. Please see />/ config and debug output below. I guess I am mussing some fine detail />/ here. Your help would be highly appreciated. / The modules are named "ds-01" and "ds-02", not "LDAP". In this case, you will have to set Auth-Type to LDAP by hand.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alexei Monastyrnyi wrote:
But I do define it when switching from singe server to redundant group, don't I?
Yes.
Isn't that enough?
What did my previous response say? You can argue with me, or you can try what I suggested, and verify for yourself that it works. As a hint: when the LDAP module sets Auth-Type, it sets the value to the name of the module... which in your case is "ds-01", not "LDAP". Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
no arguing here, just clearing up things... :-) stay cool this works as expected, though it is not that obvious that Auth-Type name refers to module name, and not just names the method... Or I might have missed that from the documentation. Anyway, "fail-over" section does not reflect this IMO. Not a note of "authenticate" sub-section at all... should it be updated? http://wiki.freeradius.org/Fail-over authorize { ... redundant { ds-02 ds-01 } } authenticate { ... Auth-Type ds-01 { ds-01 } Auth-Type ds-02 { ds-02 } } on 2/1/2007 4:04 PM Alan DeKok wrote:
Alexei Monastyrnyi wrote:
But I do define it when switching from singe server to redundant group, don't I?
Yes.
Isn't that enough?
What did my previous response say?
You can argue with me, or you can try what I suggested, and verify for yourself that it works.
As a hint: when the LDAP module sets Auth-Type, it sets the value to the name of the module... which in your case is "ds-01", not "LDAP".
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alexei Monastyrnyi wrote:
this works as expected, though it is not that obvious that Auth-Type name refers to module name, and not just names the method...
It defines the method, but doesn't make the module set Auth-Type to that method.
Or I might have missed that from the documentation. Anyway, "fail-over" section does not reflect this IMO. Not a note of "authenticate" sub-section at all... should it be updated?
Modules having "authenticate" sections automatically have Auth-Type definitions created based on their name. This is normally the module name (i.e. LDAP), unless the module has an *instance* name, in which case it's the instance name. The LDAP module sets "Auth-Type" to it's *instance* name, not to "LDAP". That appears to be the piece you're missing. This has nothing to do with failover. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
got you, mate I was a kind of confused by authenticate { Auth-Type MS-CHAP { mschap } Looking at this makes things more clear. modules { mschap { authtype = MS-CHAP Still, "Failover" is a kind of inconsistent/incomplete without pointing this out (thought it is an indirect detail). Other parts of doc might well have a reference to that, but IMO it is worth referring to this on failover page, doc is supposed to help people getting answers ... People might never come to renaming module instances but for redundancy. Since it is Wiki, I can probably update it by adding ~200-300 bytes of text and in case you won't like it, you can always roll back. A. on 2/1/2007 4:55 PM Alan DeKok wrote:
Alexei Monastyrnyi wrote:
this works as expected, though it is not that obvious that Auth-Type name refers to module name, and not just names the method...
It defines the method, but doesn't make the module set Auth-Type to that method.
Or I might have missed that from the documentation. Anyway, "fail-over" section does not reflect this IMO. Not a note of "authenticate" sub-section at all... should it be updated?
Modules having "authenticate" sections automatically have Auth-Type definitions created based on their name. This is normally the module name (i.e. LDAP), unless the module has an *instance* name, in which case it's the instance name.
The LDAP module sets "Auth-Type" to it's *instance* name, not to "LDAP". That appears to be the piece you're missing.
This has nothing to do with failover.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (4)
-
Alan DeKok -
Alan DeKok -
Alexei Monastyrnyi -
sumi thra