Freeradius - LDAP Authenication
Hi All, I'm rather new to radius and especially freeradius. I have the following need. Cisco VPN needs to authenticate users against a Radius server, which in turn needs to proxy the user authentication to our Sun One Iplanet LDAP server (running on another machine). I have the vpn talking successfully to freeradius, but I cannot get the onward connection to the LDAP to work. I have validated that the server running freeradius is able to talk to the ldap by using ldapsearch. The config I am using is based upon the ldap_howto.txt under /docs. I have searched the mailing list but to no avail. Many Thanks in advance Simon Barnes What follows is the radiusd output and the radius.conf Radiusd Output bash-3.00# /usr/local/sbin/radiusd -X -A Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 512 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded LDAP ldap: server = "198.100.0.18" ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "cn=directory manager" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "(null)" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "c0ntr01m3" ldap: basedn = "o=marymount.edu,o=marymount.edu" ldap: filter = "(&(objectClass=aRadiusAccount)(uid=%u))" ldap: base_filter = "(objectclass=radiusprofile)" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "{clear}" ldap: password_attribute = "userPassword" ldap: access_attr = "(null)" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupO fUniqueNames)(uniquemember=%{Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /usr/local/etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port conns: 0x788780 Module: Instantiated ldap (ldap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Listening on authentication *:1812 Listening on accounting *:1813 Listening on proxy *:1814 Ready to process requests. rad_recv: Access-Request packet from host 38.118.63.2:1158, id=44, length=71 User-Name = "testuser" User-Password = "******" Vendor-3076-Attr-32 = 0x00000004 NAS-IP-Address = 38.118.63.2 NAS-Port-Type = Virtual Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "testuser" rlm_realm: Proxying request from user testuser to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for testuser radius_xlat: '(&(objectClass=aRadiusAccount)(uid=testuser))' radius_xlat: 'o=marymount.edu,o=marymount.edu' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 198.100.0.18:389, authentication 0 rlm_ldap: bind as cn=account mgr/********* to 198.100.0.18:389 rlm_ldap: cn=directory manager bind to 198.100.0.18:389 failed: Can't contact LDAP server rlm_ldap: (re)connection attempt failed rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns fail for request 0 modcall: group authorize returns fail for request 0 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 38.118.63.2:1158, id=44, length=71 Discarding duplicate request from client vpn:1158 - ID: 44 --- Walking the entire request list --- Waking up in 2 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 44 with timestamp 42f37a00 Nothing to do. Sleeping until we see a request. Radius.conf prefix = /usr/local exec_prefix = ${prefix} sysconfdir = ${prefix}/etc localstatedir = ${prefix}/var sbindir = ${exec_prefix}/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct # Location of config and logfiles. confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = ${exec_prefix}/lib pidfile = ${run_dir}/radiusd.pid #user = nobody #group = nobody max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 512 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = no log_auth_badpass = no log_auth_goodpass = no usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no # The program to execute to do concurrency checks. checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = yes $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { ldap { server = "198.100.0.18" identity = "cn=account mgr" password = ********* basedn = "o=marymount.edu,o=marymount.edu" #filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" #filter = "(posixAccount)(uid=%u))" filter = "(&(objectClass=aRadiusAccount)(uid=%u))" # base_filter = "(objectclass=radiusprofile)" start_tls = no # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" #access_attr = "dialupAccess" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_header = "{clear}" password_attribute = userPassword # groupname_attribute = cn # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(obje ctClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" # groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 compare_check_items = no # access_attr_used_for_allow = yes } realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users preproxy_usersfile = ${confdir}/preproxy_users compat = no } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } } instantiate { expr } authorize { preprocess suffix ldap } authenticate { authtype LDAP { ldap } } preacct { preprocess suffix } accounting { #radutmp #sradutmp } Simon Barnes System Administrator Marymount University
FreeRadius users mailing list <freeradius-users@lists.freeradius.org> on August 5, 2005 at 08:12 -0800 wrote:
rlm_ldap: - authorize rlm_ldap: performing user authorization for testuser radius_xlat: '(&(objectClass=aRadiusAccount)(uid=testuser))' radius_xlat: 'o=marymount.edu,o=marymount.edu' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 198.100.0.18:389, authentication 0 rlm_ldap: bind as cn=account mgr/********* to 198.100.0.18:389 rlm_ldap: cn=directory manager bind to 198.100.0.18:389 failed: Can't contact LDAP server rlm_ldap: (re)connection attempt failed rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0
Here's the section of your debug where the problem lies. note this line:
rlm_ldap: cn=directory manager bind to 198.100.0.18:389 failed: Can't contact LDAP server
Have you double checked the IP address? I'm not sure on how descriptive the error messages are -- perhaps double check that the admin user/password also works -- start by making it the full dn of the admin user in the 'identity' field. If you this doesn't work, let me know and we can go from there... -kb -- Kris Benson, CCP, I.S.P. Technical Analyst, District Projects School District #57 (Prince George)
server (running on another machine). I have the vpn talking successfully to freeradius, but I cannot get the onward connection to the LDAP to work. I have validated that the server running freeradius is able to talk to the ldap by using ldapsearch.
rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 198.100.0.18:389, authentication 0 rlm_ldap: bind as cn=account mgr/********* to 198.100.0.18:389 rlm_ldap: cn=directory manager bind to 198.100.0.18:389 failed: Can't contact LDAP server rlm_ldap: (re)connection attempt failed
This is pretty clear that it cannot connect. What does your ldapsearch command look like? Perhaps, you have the wrong port or ip in your config? What does telnet 198.100.0.18 389 show you?
-----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of Dusty Doris Sent: Friday, August 05, 2005 11:57 AM To: FreeRadius users mailing list Subject: Re: Freeradius - LDAP Authenication
This is pretty clear that it cannot connect. What does your ldapsearch command look like? Perhaps, you have the wrong port or ip in your config? What does telnet 198.100.0.18 389 show you?
Hi Dusty and Kris, The ip address I am using for the ldap is correct, when using ldapsearch ldapsearch -h 198.100.0.18 -b ou=people,o=marymount.edu,o=marymount.edu -D "cn=directory manager" -W I can connect and get prompted for the password, after which I get a complete dump of the LDAP. I did a tcpdump on the freeradius machine and this is the output tcpdump: listening on dc0 11:32:59.115890 morris.marymount.edu.34613 > cooper.marymount.edu.ldap: S 3685972564:3685972564(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1366456907 0> (DF) 11:32:59.116137 cooper.marymount.edu.ldap > morris.marymount.edu.34613: S 3939941434:3939941434(0) ack 3685972565 win 49232 <nop,nop,timestamp 48298597 1366456907,mss 1460,nop,wscale 0,nop,nop,sackOK> (DF) 11:32:59.116222 morris.marymount.edu.34613 > cooper.marymount.edu.ldap: . ack 1 win 16384 <nop,nop,timestamp 1366456907 48298597> (DF) 11:32:59.116312 morris.marymount.edu.34613 > cooper.marymount.edu.ldap: F 1:1(0) ack 1 win 16384 <nop,nop,timestamp 1366456907 48298597> (DF) 11:32:59.116427 cooper.marymount.edu.ldap > morris.marymount.edu.34613: . ack 2 win 49232 <nop,nop,timestamp 48298597 1366456907> (DF) 11:32:59.117917 cooper.marymount.edu.ldap > morris.marymount.edu.34613: F 1:1(0) ack 2 win 49232 <nop,nop,timestamp 48298597 1366456907> (DF) 11:32:59.117987 morris.marymount.edu.34613 > cooper.marymount.edu.ldap: . ack 2 win 16383 <nop,nop,timestamp 1366456907 48298597> (DF) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FreeRadius users mailing list <freeradius-users@lists.freeradius.org> on August 5, 2005 at 09:58 -0800 wrote:
This is pretty clear that it cannot connect. What does your ldapsearch command look like? Perhaps, you have the wrong port or ip in your config? What does telnet 198.100.0.18 389 show you?
Hi Dusty and Kris,
The ip address I am using for the ldap is correct, when using ldapsearch
ldapsearch -h 198.100.0.18 -b ou=people,o=marymount.edu,o=marymount.edu -D "cn=directory manager" -W
I can connect and get prompted for the password, after which I get a complete dump of the LDAP.
What if you change the "identity" portion of the radiusd.conf to be the full DN of the admin user? I have a sneaking suspicion that the "can't connect" may also include "can't authenticate"... So, assuming that the "directory manager" user is in the people ou, try this for the identity: "cn=directory manager,ou=people,o-marymount.edu,o=marymount.edu" -kb -- Kris Benson, CCP, I.S.P. Technical Analyst, District Projects School District #57 (Prince George)
What if you change the "identity" portion of the radiusd.conf to be the full DN of the admin user? I have a sneaking suspicion that the "can't connect" may also include "can't authenticate"...
So, assuming that the "directory manager" user is in the people ou, try this for the identity: "cn=directory manager,ou=people,o-marymount.edu,o=marymount.edu"
Kris, I have tried various accounts my own and test accounts along with variations of the DN and I get the same errors. I'm at a loss as ldapsearch and telneting to the port all seem to work. Simon
FreeRadius users mailing list <freeradius-users@lists.freeradius.org> on August 5, 2005 at 12:27 -0800 wrote:
I have tried various accounts my own and test accounts along with variations of the DN and I get the same errors. I'm at a loss as ldapsearch and telneting to the port all seem to work.
Well, having just looked at your config again, I'm wondering if it isn't this filter: ldap: filter = "(&(objectClass=aRadiusAccount)(uid=%u))" is that 'a' supposed to be there? Also, have you custom defined the LDAP schmea for this objectclass? If not, I don't believe the 'aRadiusAccount' is valid, at least not in the standard OpenLDAP w/FreeRadius extensions schema that I have. What if you start by removing that part of the filter and just searching for the uid? -kb -- Kris Benson, CCP, I.S.P. Technical Analyst, District Projects School District #57 (Prince George)
Well, having just looked at your config again, I'm wondering if it isn't this filter: ldap: filter = "(&(objectClass=aRadiusAccount)(uid=%u))"
is that 'a' supposed to be there?
Also, have you custom defined the LDAP schmea for this objectclass? If not, I don't believe the 'aRadiusAccount' is valid, at least not in the standard OpenLDAP w/FreeRadius extensions schema that I have.
What if you start by removing that part of the filter and just searching for the uid?
Hi Kris, I have tried changing the LDAP filter by removing the "a" and also tried a plain filter just for uid, still getting the same error. In addition I also tried a different ldap account which tests successfully using LDAP search. I am now at a loss, if anyone has a working config that they wouldn't mind sharing that would be much appreciated. Thanks Simon
FreeRadius users mailing list <freeradius-users@lists.freeradius.org> on August 8, 2005 at 07:32 -0800 wrote:
I am now at a loss, if anyone has a working config that they wouldn't mind sharing that would be much appreciated.
Here's mine: #### radiusd.conf section ldap { server = "localhost" identity = "cn=radiusadmin,ou=roleaccounts,dc=sd57,dc=bc,dc=ca" password = neveryoumind basedn = "dc=sd57,dc=bc,dc=ca" filter = "(mail=%{User-Name})" start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" #groupmembership_attribute = WirelessUsers timeout = 4 timelimit = 3 net_timeout = 1 # compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes } #### users file DEFAULT Ldap-Group == "NetworkAccessWireless", Auth-Type = LDAP Class = %l, Reply-Message = "%u", Fall-Through = 1 #### ldap LDIF (passwords removed to protect the innocent) dn: dc=sd57,dc=bc,dc=ca dc: sd57 objectClass: dcObject objectClass: organizationalUnit ou: Ess Dee Five Seven dn: ou=roleaccounts,dc=sd57,dc=bc,dc=ca ou: roleaccounts objectClass: organizationalUnit dn: cn=ldapadmin,ou=roleaccounts,dc=sd57,dc=bc,dc=ca objectClass: person cn: ldapadmin sn: AdminAcct userPassword: {CRYPT}* dn: cn=radiusadmin,ou=roleaccounts,dc=sd57,dc=bc,dc=ca objectClass: person cn: radiusadmin sn: AdminAcct userPassword: {CRYPT}* dn: ou=techstaff,dc=sd57,dc=bc,dc=ca ou: techstaff objectClass: organizationalUnit dn: cn=NetworkAccessWireless,dc=sd57,dc=bc,dc=ca objectClass: top objectClass: groupOfNames member: uid=kbenson,ou=techstaff,dc=sd57,dc=bc,dc=ca cn: NetworkAccessWireless dn: uid=kbenson,ou=techstaff,dc=sd57,dc=bc,dc=ca sn: Benson mail: kbenson@sd57.bc.ca cn: Kris Benson gidNumber: 100 homeDirectory: /home/staff/kbenson objectClass: inetOrgPerson objectClass: posixAccount uidNumber: 3 userPassword: {CRYPT}* uid: kbenson #### Let me know if there's anything else you would like to see... -kb -- Kris Benson, CCP, I.S.P. Technical Analyst, District Projects School District #57 (Prince George)
Kris, Thanks for the configs, however I still cannot get this to work, I'm still seeing:- Aug 10 07:06:21 2005 : Debug: rlm_ldap: bind as uid=sbarnes,ou=people,o=marymount.edu.o=marymount.edu/cortina to info.marymount.edu:389 Wed Aug 10 07:06:21 2005 : Error: rlm_ldap: uid=sbarnes,ou=people,o=marymount.edu.o=marymount.edu bind to info.marymount.edu:389 failed: Can't contact LDAP server Even tried authentication to the backup LDAP server. Is there anyway to test the ldap module by hand as it were? Also I was wondering if this was an attribute mapping problem, anyone with SUN One IPlanet Directory server got this to work? Thanks Simon
FreeRadius users mailing list <freeradius-users@lists.freeradius.org> on August 10, 2005 at 05:34 -0800 wrote:
Kris,
Aug 10 07:06:21 2005 : Debug: rlm_ldap: bind as uid=sbarnes,ou=people,o=marymount.edu.o=marymount.edu/cortina to info.marymount.edu:389 Wed Aug 10 07:06:21 2005 : Error: rlm_ldap: uid=sbarnes,ou=people,o=marymount.edu.o=marymount.edu bind to info.marymount.edu:389 failed: Can't contact LDAP server
Even tried authentication to the backup LDAP server. Is there anyway to test the ldap module by hand as it were?
I think I'm at the end of my abilities here, but will make a couple more comments. First off, I'm nowhere near being an LDAP pro, but what's up with the "o=mayrmount.edu.o=marymount.edu" ? There are two things that stick out to me here -- first off, the '.' between the elements... I'm used to seeing a comma. Second, the duplication of the o=. Do you *really* have a child element named the same as its parent? I'm sorry I can't be of more assistance... but if ldapsearch works with the same binding credentials as FreeRadius (n.b. bind as the *user* "sbarnes" *not* as admin), then the issue looks to be something with the way FreeRadius & the Sun software interact. Is there, by chance, a policy restricting number of connections per minute on the Sun server? FreeRadius likes to connect at least twice in the authentication process -- once to search the directory, again to bind as the user it found. -kb -- Kris Benson, CCP, I.S.P. Technical Analyst, District Projects School District #57 (Prince George)
Hi Kris, Thanks for your input.
I think I'm at the end of my abilities here, but will make a couple more comments.
First off, I'm nowhere near being an LDAP pro, but what's up with the "o=mayrmount.edu.o=marymount.edu" ? There are two things that stick out to me here -- first off, the '.' between the elements... I'm used to seeing a comma. Second, the duplication of the o=. Do you *really* have a child element named the same as its parent?
We do indeed have a child with the same name as the parent and they both have "." in them. Fun Hey
I'm sorry I can't be of more assistance... but if ldapsearch works with the same binding credentials as FreeRadius (n.b. bind as the *user* "sbarnes" *not* as admin), then the issue looks to be something with the way FreeRadius & the Sun software interact.
I'll try and investigate to see if there are differences between the Sun and openldap and how they interact with freeradius.. Any one else out there with SUN directory server / iplanet?
Is there, by chance, a policy restricting number of connections per minute on the Sun server? FreeRadius likes to connect at least twice in the authentication process -- once to search the directory, again to bind as the user it found.
As far as I know no policy restricting access request per minute, but I will check. Simon Barnes
FreeRadius users mailing list <freeradius-users@lists.freeradius.org> on August 10, 2005 at 11:17 -0800 wrote:
I think I'm at the end of my abilities here, but will make a couple more comments.
First off, I'm nowhere near being an LDAP pro, but what's up with the "o=mayrmount.edu.o=marymount.edu" ? There are two things that stick out to me here -- first off, the '.' between the elements... I'm used to seeing a comma. Second, the duplication of the o=. Do you *really* have a child element named the same as its parent?
We do indeed have a child with the same name as the parent and they both have "." in them. Fun Hey
For sure.... one other idea, then... If your structure is this: o=marymount.edu. | -> o=marymount.edu. should this maybe be "o=marymount.edu.,o=marymount.edu." ? (note trailing periods, making an FQDN) Or perhaps if your structure is this: o=marymount.edu | -> o=marymount.edu should this maybe be "o=marymount.edu,o=marymount.edu" ? Just a thought... your original looks like a typo, based on the fact that the two fields are not being joined by a comma. HTH, -kb -- Kris Benson, CCP, I.S.P. Technical Analyst, District Projects School District #57 (Prince George)
Kris and List Still having no luck getting rlm_ldap to work. I used a packet sniffer to check traffic and all I see is a SYN packet to the ldap and the a SYN back to the radius followed by a RST packet from the radius server to the ldap. Cannot decipher any user details in the first packet so I assume none are being sent. I searched the archives for this and came across a patch for ver 0.6, can I assume that this was rolled into subsequent versions? Not sure on how to proceed any other pointers any one? Thanks Simon -----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of Kris Benson Sent: Wednesday, August 10, 2005 2:20 PM To: FreeRadius users mailing list Cc: 'FreeRadius users mailing list' Subject: Re: Freeradius - LDAP Authenication FreeRadius users mailing list <freeradius-users@lists.freeradius.org> on August 10, 2005 at 11:17 -0800 wrote:
I think I'm at the end of my abilities here, but will make a couple more comments.
First off, I'm nowhere near being an LDAP pro, but what's up with the "o=mayrmount.edu.o=marymount.edu" ? There are two things that stick out to me here -- first off, the '.' between the elements... I'm used to seeing a comma. Second, the duplication of the o=. Do you *really* have a child element named the same as its parent?
We do indeed have a child with the same name as the parent and they both have "." in them. Fun Hey
For sure.... one other idea, then... If your structure is this: o=marymount.edu. | -> o=marymount.edu. should this maybe be "o=marymount.edu.,o=marymount.edu." ? (note trailing periods, making an FQDN) Or perhaps if your structure is this: o=marymount.edu | -> o=marymount.edu should this maybe be "o=marymount.edu,o=marymount.edu" ? Just a thought... your original looks like a typo, based on the fact that the two fields are not being joined by a comma. HTH, -kb -- Kris Benson, CCP, I.S.P. Technical Analyst, District Projects School District #57 (Prince George) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Dusty Doris -
Kris Benson -
Simon Barnes