Hi, I use freeradius with EAP-TTLS y EAP-PEAP, below there is ldap log, I wonder why radius "bothers" to query for anonymous uid and not only for uid into the tunnel Dec 3 08:54:26 sinclair slapd[11285]: conn=1264 fd=15 ACCEPT from IP=123.45.67.89:56075 (IP=0.0.0.0:636) Dec 3 08:54:26 sinclair slapd[11285]: conn=1264 fd=15 TLS established tls_ssf=256 ssf=256 Dec 3 08:54:26 sinclair slapd[11285]: conn=1264 op=0 BIND dn="cn=freeradius,ou=applications,dc=cadorna,dc=edu" method=128 Dec 3 08:54:26 sinclair slapd[11285]: conn=1264 op=0 BIND dn="cn=freeradius,ou=applications,dc=cadorna,dc=edu" mech=SIMPLE ssf=0 Dec 3 08:54:26 sinclair slapd[11285]: conn=1264 op=0 RESULT tag=97 err=0 text= Dec 3 08:54:26 sinclair slapd[11285]: conn=1264 op=1 SRCH base="ou=people,dc=cadorna,dc=edu" scope=2 deref=0 filter="(uid=anonymous)" Dec 3 08:54:26 sinclair slapd[11285]: conn=1264 op=1 SRCH attr=radiusPassword radiusAllowed Dec 3 08:54:26 sinclair slapd[11285]: conn=1264 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text= Dec 3 08:54:26 sinclair slapd[11285]: conn=1264 op=2 SRCH base="ou=people,dc=cadorna,dc=edu" scope=2 deref=0 filter="(uid=anonymous)" Dec 3 08:54:26 sinclair slapd[11285]: conn=1264 op=2 SRCH attr=radiusPassword radiusAllowed Dec 3 08:54:26 sinclair slapd[11285]: conn=1264 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text= Dec 3 08:54:27 sinclair slapd[11285]: conn=1264 op=3 SRCH base="ou=people,dc=cadorna,dc=edu" scope=2 deref=0 filter="(uid=glinde)" Dec 3 08:54:27 sinclair slapd[11285]: conn=1264 op=3 SRCH attr=radiusPassword radiusAllowed Dec 3 08:54:27 sinclair slapd[11285]: conn=1264 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text= Dec 3 08:54:28 sinclair slapd[11285]: conn=1264 op=4 SRCH base="ou=people,dc=cadorna,dc=edu" scope=2 deref=0 filter="(uid=jinfan)" Dec 3 08:54:28 sinclair slapd[11285]: conn=1264 op=4 SRCH attr=radiusPassword radiusAllowed Dec 3 08:54:28 sinclair slapd[11285]: conn=1264 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text= Dec 3 08:55:05 sinclair slapd[11285]: conn=1264 fd=15 closed (idletimeout) Does make sense to query for anonymous? Thanks in advance Thanks in advance! -- -- Open Kairos http://www.openkairos.com Watch More TV http://sebelk.blogspot.com Sergio Belkin -
Sergio Belkin wrote:
Hi, I use freeradius with EAP-TTLS y EAP-PEAP, below there is ldap log, I wonder why radius "bothers" to query for anonymous uid and not only for uid into the tunnel
Because you configured the ldap module *outside* of the tunnel, too. If you don't list it in sites-enabled/default, it will only do queries for inside of the TLS tunnel. Alan DeKok.
2008/12/3 Alan DeKok <aland@deployingradius.com>:
Sergio Belkin wrote:
Hi, I use freeradius with EAP-TTLS y EAP-PEAP, below there is ldap log, I wonder why radius "bothers" to query for anonymous uid and not only for uid into the tunnel
Because you configured the ldap module *outside* of the tunnel, too. If you don't list it in sites-enabled/default, it will only do queries for inside of the TLS tunnel.
Thanks Alan! That solved it. Now it remains a little problem on radiusd.log: Thu Dec 4 09:07:51 2008 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost. Thu Dec 4 09:07:51 2008 : Info: rlm_ldap: Attempting reconnect Thu Dec 4 09:10:41 2008 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost. Thu Dec 4 09:10:41 2008 : Info: rlm_ldap: Attempting reconnect Thu Dec 4 09:12:14 2008 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost. Thu Dec 4 09:12:14 2008 : Info: rlm_ldap: Attempting reconnect Thu Dec 4 09:14:30 2008 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost. Thu Dec 4 09:14:30 2008 : Info: rlm_ldap: Attempting reconnect Thu Dec 4 09:18:09 2008 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost. Thu Dec 4 09:18:09 2008 : Info: rlm_ldap: Attempting reconnect What are these problem from? radius or ldap? ldap module config is as follows: ldap { server = "ldap.palermo.edu" identity = "cn=freeradius,ou=applications,dc=palermo,dc=edu" password = somepass basedn = "ou=people,dc=palermo,dc=edu" filter = "(uid=%u)" ldap_connections_number = 1 timeout = 60 timelimit = 120 net_timeout = 10 tls { cacertfile = /etc/raddb/cacert.pem randfile = /dev/urandom } access_attr = "radiusAllowed" dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no EOF Thanks in advance! -- -- Open Kairos http://www.openkairos.com Watch More TV http://sebelk.blogspot.com Sergio Belkin -
2008/12/5 Alan DeKok <aland@deployingradius.com>:
Sergio Belkin wrote:
That solved it. Now it remains a little problem on radiusd.log:
Thu Dec 4 09:07:51 2008 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost.
Your LDAP server is likely timeout out the connections.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
My LDAP server has: idletimeout 30 timelimit 300 is not 30 enough? -- -- Open Kairos http://www.openkairos.com Watch More TV http://sebelk.blogspot.com Sergio Belkin -
participants (2)
-
Alan DeKok -
Sergio Belkin