Problems using freeradius with ldap
I have problem when in Fedora 4 (sadly in my job I cannot change this) using radtest against LDAP Packages version: openldap-servers-2.2.29-1.FC4 openldap-clients-2.2.29-1.FC4 openldap-2.2.29-1.FC4 freeradius-1.0.4-1.FC4.1 This is part of /etc/raddb/radiusd.conf: ldap { server = "localhost" basedn = "ou=people,dc=mydomain,dc=com" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_attribute = userPassword (member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames) (uniquemember=%{Ldap-UserDn})))" timeout = 4 timelimit = 3 net_timeout = 1 } authorize { chap mschap suffix eap files ldap checkval } And this a portion of /etc/raddb/users: DEFAULT Auth-Type = System Fall-Through = 1 DEFAULT Auth-Type = LDAP Fall-Through = 1 I've appended the schemas in /etc/openldap/slapd.conf: /usr/share/doc/freeradius-1.0.4/RADIUS-LDAPv3.schema /usr/share/doc/freeradius-1.0.4/RADIUS-LDAP.schema Well, when I issue radtest in debug mode I get: radtest testuser sample localhost 0 testing123 Sending Access-Request of id 88 to 127.0.0.1:1812 User-Name = "testuser" User-Password = "sample" NAS-IP-Address = host.mydomain.com NAS-Port = 0 rad_recv: Access-Request packet from host 127.0.0.1:42077, id=88, length=58 User-Name = "testuser" User-Password = "sample" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 2 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 155 modcall[authorize]: module "files" returns ok for request 2 rlm_ldap: - authorize rlm_ldap: performing user authorization for testuser radius_xlat: '(uid=testuser)' radius_xlat: 'ou=people,dc=mydomain,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=mydomain,dc=com, with filter (uid=testuser) rlm_ldap: Added password sample in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user testuser authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 2 modcall: group authorize returns ok for request 2 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 modcall[authenticate]: module "unix" returns notfound for request 2 modcall: group authenticate returns notfound for request 2 auth: Failed to validate the user. Delaying request 2 for 1 seconds Finished request 2 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 88 to 127.0.0.1:42077 Waking up in 4 seconds... rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=88, length=20 17:20:33 [root@spike] /etc/raddb $ --- Walking the entire request list --- Cleaning up request 2 ID 88 with timestamp 46dc6c8f Nothing to do. Sleeping until we see a request. Please could you lend me a hand to resolv this issue? Thanks in advance! -- Sergio Belkin Comunicación e Internet
You are picking up Auth-Type System from the users file. Comment it out. Ivan Kalik Kalik Informatika ISP Dana 3/9/2007, "Sergio Belkin" <sbelki@palermo.edu> piše:
I have problem when in Fedora 4 (sadly in my job I cannot change this) using radtest against LDAP
Packages version: openldap-servers-2.2.29-1.FC4 openldap-clients-2.2.29-1.FC4 openldap-2.2.29-1.FC4 freeradius-1.0.4-1.FC4.1
This is part of /etc/raddb/radiusd.conf:
ldap { server = "localhost" basedn = "ou=people,dc=mydomain,dc=com" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_attribute = userPassword (member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames) (uniquemember=%{Ldap-UserDn})))" timeout = 4 timelimit = 3 net_timeout = 1 }
authorize { chap mschap suffix eap files ldap checkval }
And this a portion of /etc/raddb/users: DEFAULT Auth-Type = System Fall-Through = 1 DEFAULT Auth-Type = LDAP Fall-Through = 1
I've appended the schemas in /etc/openldap/slapd.conf: /usr/share/doc/freeradius-1.0.4/RADIUS-LDAPv3.schema /usr/share/doc/freeradius-1.0.4/RADIUS-LDAP.schema
Well, when I issue radtest in debug mode I get: radtest testuser sample localhost 0 testing123 Sending Access-Request of id 88 to 127.0.0.1:1812 User-Name = "testuser" User-Password = "sample" NAS-IP-Address = host.mydomain.com NAS-Port = 0 rad_recv: Access-Request packet from host 127.0.0.1:42077, id=88, length=58 User-Name = "testuser" User-Password = "sample" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 2 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 155 modcall[authorize]: module "files" returns ok for request 2 rlm_ldap: - authorize rlm_ldap: performing user authorization for testuser radius_xlat: '(uid=testuser)' radius_xlat: 'ou=people,dc=mydomain,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=mydomain,dc=com, with filter (uid=testuser) rlm_ldap: Added password sample in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user testuser authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 2 modcall: group authorize returns ok for request 2 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 modcall[authenticate]: module "unix" returns notfound for request 2 modcall: group authenticate returns notfound for request 2 auth: Failed to validate the user. Delaying request 2 for 1 seconds Finished request 2 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 88 to 127.0.0.1:42077 Waking up in 4 seconds... rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=88, length=20 17:20:33 [root@spike] /etc/raddb $ --- Walking the entire request list --- Cleaning up request 2 ID 88 with timestamp 46dc6c8f Nothing to do. Sleeping until we see a request.
Please could you lend me a hand to resolv this issue? Thanks in advance! -- Sergio Belkin Comunicación e Internet
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
El Monday 03 September 2007 18:12:40 tnt@kalik.co.yu escribió:
You are picking up Auth-Type System from the users file. Comment it out.
Ivan Kalik Kalik Informatika ISP
Dana 3/9/2007, "Sergio Belkin" <sbelki@palermo.edu> piše:
I have problem when in Fedora 4 (sadly in my job I cannot change this) using radtest against LDAP
Packages version: openldap-servers-2.2.29-1.FC4 openldap-clients-2.2.29-1.FC4 openldap-2.2.29-1.FC4 freeradius-1.0.4-1.FC4.1
This is part of /etc/raddb/radiusd.conf:
ldap { server = "localhost" basedn = "ou=people,dc=mydomain,dc=com" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_attribute = userPassword (member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames) (uniquemember=%{Ldap-UserDn})))" timeout = 4 timelimit = 3 net_timeout = 1 }
authorize { chap mschap suffix eap files ldap checkval }
And this a portion of /etc/raddb/users: DEFAULT Auth-Type = System Fall-Through = 1 DEFAULT Auth-Type = LDAP Fall-Through = 1
Thanks, finally I've did so and it worked out (using original version of FC4)! -- Sergio Belkin Comunicación e Internet
Sergio Belkin wrote:
I have problem when in Fedora 4 (sadly in my job I cannot change this) using radtest against LDAP ... freeradius-1.0.4-1.FC4.1
I am STRONGLY inclined to tell people using 3-year old versions of the server that they can get support from the FC project, not from us. And that version has a number of problems. See http://freeradius.org/security.html Despite using FC4, you *can* upgrade FreeRADIUS to a sane version by installing the "tar" file by hand. Alan DeKok.
El Tuesday 04 September 2007 02:24:16 Alan DeKok escribió:
Sergio Belkin wrote:
I have problem when in Fedora 4 (sadly in my job I cannot change this) using radtest against LDAP
...
freeradius-1.0.4-1.FC4.1
I am STRONGLY inclined to tell people using 3-year old versions of the server that they can get support from the FC project, not from us.
And that version has a number of problems. See http://freeradius.org/security.html
Despite using FC4, you *can* upgrade FreeRADIUS to a sane version by installing the "tar" file by hand.
OK, I am trying to compile the fresh version, but when I run make, it outputs at the end: In file included from rlm_sqlippool.c:37: /root/freeradius-1.1.7/src/include/modpriv.h:7:18: error: ltdl.h: No such file or directory In file included from rlm_sqlippool.c:37: /root/freeradius-1.1.7/src/include/modpriv.h:16: error: syntax error before 'lt_dlhandle' /root/freeradius-1.1.7/src/include/modpriv.h:16: warning: no semicolon at end of struct or union /root/freeradius-1.1.7/src/include/modpriv.h:17: warning: type defaults to 'int' in declaration of 'module_list_t' /root/freeradius-1.1.7/src/include/modpriv.h:17: warning: data definition has no type or storage class /root/freeradius-1.1.7/src/include/modpriv.h:27: error: syntax error before 'module_list_t' And a lot of others erros about "rlm_sqlippool.c", how can I fix it? Thanks in advance
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Sergio Belkin Comunicación e Internet
Hi,
OK, I am trying to compile the fresh version, but when I run make, it outputs at the end:
In file included from rlm_sqlippool.c:37: /root/freeradius-1.1.7/src/include/modpriv.h:7:18: error: ltdl.h: No such file> or directory
ta-dah! thats your answer printed on the screen right there. you dont have the required libtool development headers installed. depending on the distro this will be something like: libtool-ltdl-devel libtool-ltdl alan
El Tuesday 04 September 2007 11:09:33 A.L.M.Buxey@lboro.ac.uk escribió:
Hi,
OK, I am trying to compile the fresh version, but when I run make, it outputs at the end:
In file included from rlm_sqlippool.c:37: /root/freeradius-1.1.7/src/include/modpriv.h:7:18: error: ltdl.h: No such file> or directory
ta-dah! thats your answer printed on the screen right there. you dont have the required libtool development headers installed. depending on the distro this will be something like:
libtool-ltdl-devel libtool-ltdl
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Well, I did a workaround running: ./configure --prefix=/usr --without-rlm_sql --without-rlm_sqlippool --without-rlm_sqlcounter --without-rlm_sql_log --without-rlm_sqlhpwippool But now, after configuring for using ldap and running radiusd -X it complains as follows: Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" pap: auto_header = yes Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/usr/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) radiusd.conf[744] Failed to link to module 'rlm_ldap': rlm_ldap.so: cannot open shared object file: No such file or directory radiusd.conf[1960] Unknown module "ldap". radiusd.conf[1960] Failed to parse "ldap" entry. Any ideas? Thanks again! -- Sergio Belkin Comunicación e Internet
Hi,
Well, I did a workaround running: ./configure --prefix=/usr --without-rlm_sql --without-rlm_sqlippool --without-rlm_sqlcounter --without-rlm_sql_log --without-rlm_sqlhpwippool
working around means not fixing the issue - do you also have the required LDAP development libraries etc installed? if you dont check the output of ./configure then you dont know what it is deciding to drop by itself. alan
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Sergio Belkin -
tnt@kalik.co.yu