Re: Freeradius-Users Digest, Vol 39, Issue 18 topic 5: freeradius with multiple ldap servers
Hi Sambuddho: I met similar problem a few weeks ago. You need to set the ldap identity/password for your freeRadius server at modules/ldap: e.g. mine is like: server = "ldap.xxx.ca" identity = "cn=radius,ou=Applications,dc=xxx,dc=ca" password = "password" basedn = "ou=People,dc=xxx,dc=ca" The default setting is "read-only" anonymous search(i.e. without identity/password setting) and it will fail because ldap server does not allow anonymous search for other user's password. Hope this is helpful. Andy freeradius-users-request@lists.freeradius.org wrote:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: =?UTF-8?Q?freeradius-proxy_+_PAP_works, _PEAP_and_the_rest_doesn=C2=B4t?= (uni@christiankraus.de) 2. Re: freeradius-proxy + PAP works, PEAP and the rest doesn?t (Alan DeKok) 3. Re: freeradius-proxy + PAP works, PEAP and the rest doesn?t (Ivan Kalik) 4. Re: sqlippool (Ivan Kalik) 5. Re: freeradius with multiple ldap servers (Sambuddho Chakravarty) 6. Re:=?UTF-8?Q?freeradius-proxy_+_PAP_works,_PEAP_and_the_rest_doesn=C2=B4t?= (A.L.M.Buxey@lboro.ac.uk)
------------------------------
Message: 5 Date: Thu, 03 Jul 2008 12:50:25 -0400 From: Sambuddho Chakravarty <sc2516@columbia.edu> Subject: Re: freeradius with multiple ldap servers To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <1215103825.8819.81.camel@insomniac> Content-Type: text/plain; charset=utf-8
Hello Ivan But I don't have a field in the database by that name . The name of the field is "userPassword" . This is what the openLDAP migration scripts generated. Please let me know what mistake I am doing . Also , my question on failover. Is the failover used when the first LDAP server is down / unresponsive to connection attempts or when it is not able to authenticate (example bad username / password) ?
Thanks Sambuddho On Thu, 2008-07-03 at 10:24 +0100, Ivan Kalik wrote:
Password (radius) attribute should be Crypt-Password not User-Password.
Ivan Kalik Kalik Informatika ISP
Dana 3/7/2008, "Sambuddho Chakravarty" <sc2516@columbia.edu> pi?e:
Hello
I set the password_header to = {crypt} and password_attribute to "userPassword" (Thats the name of the field in the database). Now this is what the logs show,
rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=try) rlm_ldap: Added User-Password = $1$n48a7wCp$RfvlOx1pZgiVNfmMmA2xS. in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user try authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap1] returns ok ++- policy redundant returns ok !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type Local auth: user supplied User-Password does NOT match local User-Password auth: Failed to validate the user. Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> try attr_filter: Matched entry DEFAULT at line 11
My guess is authorize{} worked but not authenticate {}. Also , I see both modules ldap1 and ldap2 being loaded but whenever I try to authenticate with the username/password that is found in ldap2 , the radius server never attempts to connect to the other LDAP server. Instead it search for the entries in the "ldap1"'s server only.
Any suggestions ?
Thanks Sambuddho
On Wed, 2008-07-02 at 23:45 +0100, Ivan Kalik wrote:
http://wiki.freeradius.org/index.php/Rlm_ldap
See use of password_header and password_attribute.
Ivan Kalik Kalik Informatika ISP
Dana 2/7/2008, "Sambuddho Chakravarty" <sc2516@columbia.edu> pi??e:
Hello I think I know what the problem is. The radius server is looking up using cleartext password , while the LDAP data base stores the hashed passwords. How can I force the radiuse server to search for the password as a hashed value (rather than searching for the clear-text value) ?
Thanks Sambuddho On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
Hello Alan I made sure this time that rlm_ldap was compiled. Now the following is the configuration
------/etc/raddb/modules/ldap-----------
ldap ldap1 { server = "a.b.c.d" ... }
ldap ldap2 { server = "w.x.y.z" ... }
-----/etc/raddb/radiusd.conf-----
authorize { ldap1
ldap2
}
authenticate { ldap1 ldap2 }
------------------------------------
When I execute /sbin/radiusd -X
It shows instantiating module ldap1 and module ldap2
.... Module: Instantiating ldap2 ldap ldap1 { server = "a.b.c.d" port = 389 .... Module: Instantiating ldap2 ldap ldap2 { server = "w.x.y.z" port = 389 ....
When sending a radtest request using the following command (from the same machine as one which is running the server)
$ radtest user "secret" localhost 2 testing123
I get ACCESS-REJECT reply from the sever.
On the server the logs show something like this --------------------------------------------------- It shows binding to both LDAP servers one by one through something like this :
rlm_ldap: performing user authorization for catch WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch) expand: ou=People,dc=example,dc=example -> ou=People,dc=example,dc=example rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0 rlm_ldap: bind as / to 30.0.0.2:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,dc=example,dc=example, with filter (uid=catch) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap1] returns notfound rlm_ldap: - authorize rlm_ldap: performing user authorization for catch WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch) expand: ou=People,dc=example,dc=example -> ou=People,dc=example,dc=example rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0 rlm_ldap: bind as / to 10.0.0.1:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,dc=example,dc=example, with filter (uid=catch) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap2] returns notfound
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user.
You can see it is attempting to search both databases but fails. If I use a simple telnet or ssh to authenticate against the LDAP server it logs in fine. LDAP client login against the LDAP server is otherwise working fine. I know I have been bothering using trivial question. But any help would be appreciated :-)
Thanks in advance. Sambuddho
On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote:
> Sambuddho Chakravarty wrote: > >> This is exactly what I did . I forgot to put the separate module names >> > The consistent problems you see make me think that the issue is more > than "forgot". > > >> And now when I try to start the server this is what the error I see : >> >> >> server { >> modules { >> Module: Checking authenticate {...} for more modules to load >> //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap': >> > So.... was that module built? Apparently not... > > >> When trying with a single server ,it matches the radius request against >> rlm_pap and not rlm_ldap. I am confused. >> > Perhaps reading the debug output (and that of "configure" and "make") > would help. > > Alan DeKok. > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/usershtml
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
Message: 6 Date: Thu, 3 Jul 2008 18:00:35 +0100 From: A.L.M.Buxey@lboro.ac.uk Subject: Re:=?UTF-8?Q?freeradius-proxy_+_PAP_works,_PEAP_and_the_rest_doesn=C2=B4t?=
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <20080703170035.GA14834@lboro.ac.uk> Content-Type: text/plain; charset=us-ascii
hi,
if you really are using freeradius as a proxy, as you stated, then you dont need certificates...as the system will JUST proxy. if you mean you want to terminate EAP on your freeradius, then please dont call it a proxy. get the terminology correct.
what did you do wrong?
well, since 1.1.7 and 2.0.5 need completely different configs, i doubt you could make the same mistake twice...you CANT use a 1.1.7 config on a 2.0.5 box.
from what i can see, the daemon is clearly telling you something is wrong with your DH stuff. read eap.conf properly. get rid of that error. thats your primary task.
alan
------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
End of Freeradius-Users Digest, Vol 39, Issue 18 ************************************************
Hi Andy Thanks a lot. The problem is that I have a file named ldap inside /etc/raddb/modules directory and it has two ldap modules , ldap1 and ldap2. ldap ldap1 { server = .... identity = .... (set the appropriate CN) password = password for the above CN basedn = "ou=People,dc=example,dc=com" ... } ldap ldap1 { server = .... identity = .... (set the appropriate CN) password = password for the above CN basedn = "ou=People,dc=example,dc=com" ... } The first server has a user named 'try' and the second one has one named 'catch'. When I try to perform authentication using radtest tool with the username and password (say for try ) , it searches it in the LDAP server which doesn't have it and doesn't search the one which actually has the username. When I try with username 'catch' , it finds the username and the password but then it goes into auth: type Local and fails. WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch) expand: ou=People,dc=example,dc=com -> ou=People,dc=example,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=catch) rlm_ldap: Added User-Password = $1$FYblmPWy$fmgebhCOLpHvhdECNP4EG0 in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user catch authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap2] returns ok !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type Local auth: user supplied User-Password does NOT match local User-Password auth: Failed to validate the user. Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> catch attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 48 to 127.0.0.1 port 1025 Finished request 2. Going to the next request Waking up in 4.9 seconds. Cleaning up request 2 ID 48 with timestamp +39 Ready to process requests. I know its trivial but I am now struggling with this for a long time. (Freeradius version : 2.05) Thanks Sambuddho On Thu, 2008-07-03 at 12:35 -0700, Andy An wrote:
Hi Sambuddho:
I met similar problem a few weeks ago. You need to set the ldap identity/password for your freeRadius server at modules/ldap: e.g. mine is like:
server = "ldap.xxx.ca" identity = "cn=radius,ou=Applications,dc=xxx,dc=ca" password = "password" basedn = "ou=People,dc=xxx,dc=ca"
The default setting is "read-only" anonymous search(i.e. without identity/password setting) and it will fail because ldap server does not allow anonymous search for other user's password. Hope this is helpful.
Andy
freeradius-users-request@lists.freeradius.org wrote:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: =?UTF-8?Q?freeradius-proxy_+_PAP_works, _PEAP_and_the_rest_doesn=C2=B4t?= (uni@christiankraus.de) 2. Re: freeradius-proxy + PAP works, PEAP and the rest doesn?t (Alan DeKok) 3. Re: freeradius-proxy + PAP works, PEAP and the rest doesn?t (Ivan Kalik) 4. Re: sqlippool (Ivan Kalik) 5. Re: freeradius with multiple ldap servers (Sambuddho Chakravarty) 6. Re:=?UTF-8?Q?freeradius-proxy_+_PAP_works,_PEAP_and_the_rest_doesn=C2=B4t?= (A.L.M.Buxey@lboro.ac.uk)
------------------------------
Message: 5 Date: Thu, 03 Jul 2008 12:50:25 -0400 From: Sambuddho Chakravarty <sc2516@columbia.edu> Subject: Re: freeradius with multiple ldap servers To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <1215103825.8819.81.camel@insomniac> Content-Type: text/plain; charset=utf-8
Hello Ivan But I don't have a field in the database by that name . The name of the field is "userPassword" . This is what the openLDAP migration scripts generated. Please let me know what mistake I am doing . Also , my question on failover. Is the failover used when the first LDAP server is down / unresponsive to connection attempts or when it is not able to authenticate (example bad username / password) ?
Thanks Sambuddho On Thu, 2008-07-03 at 10:24 +0100, Ivan Kalik wrote:
Password (radius) attribute should be Crypt-Password not User-Password.
Ivan Kalik Kalik Informatika ISP
Dana 3/7/2008, "Sambuddho Chakravarty" <sc2516@columbia.edu> pi?e:
Hello
I set the password_header to = {crypt} and password_attribute to "userPassword" (Thats the name of the field in the database). Now this is what the logs show,
rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=try) rlm_ldap: Added User-Password = $1$n48a7wCp$RfvlOx1pZgiVNfmMmA2xS. in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user try authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap1] returns ok ++- policy redundant returns ok !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type Local auth: user supplied User-Password does NOT match local User-Password auth: Failed to validate the user. Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> try attr_filter: Matched entry DEFAULT at line 11
My guess is authorize{} worked but not authenticate {}. Also , I see both modules ldap1 and ldap2 being loaded but whenever I try to authenticate with the username/password that is found in ldap2 , the radius server never attempts to connect to the other LDAP server. Instead it search for the entries in the "ldap1"'s server only.
Any suggestions ?
Thanks Sambuddho
On Wed, 2008-07-02 at 23:45 +0100, Ivan Kalik wrote:
http://wiki.freeradius.org/index.php/Rlm_ldap
See use of password_header and password_attribute.
Ivan Kalik Kalik Informatika ISP
Dana 2/7/2008, "Sambuddho Chakravarty" <sc2516@columbia.edu> pi??e:
Hello I think I know what the problem is. The radius server is looking up using cleartext password , while the LDAP data base stores the hashed passwords. How can I force the radiuse server to search for the password as a hashed value (rather than searching for the clear-text value) ?
Thanks Sambuddho On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
> Hello Alan > I made sure this time that rlm_ldap was compiled. Now the following is > the configuration > > ------/etc/raddb/modules/ldap----------- > > ldap ldap1 { > server = "a.b.c.d" > ... > } > > ldap ldap2 { > server = "w.x.y.z" > ... > } > > -----/etc/raddb/radiusd.conf----- > > > authorize { > ldap1 > > ldap2 > > } > > authenticate { > ldap1 > ldap2 > } > > ------------------------------------ > > When I execute /sbin/radiusd -X > > It shows instantiating module ldap1 and module ldap2 > > .... > Module: Instantiating ldap2 > ldap ldap1 { > server = "a.b.c.d" > port = 389 > .... > Module: Instantiating ldap2 > ldap ldap2 { > server = "w.x.y.z" > port = 389 > .... > > When sending a radtest request using the following command (from the > same machine as one which is running the server) > > $ radtest user "secret" localhost 2 testing123 > > I get ACCESS-REJECT reply from the sever. > > On the server the logs show something like this > --------------------------------------------------- > It shows binding to both LDAP servers one by one through something like > this : > > rlm_ldap: performing user authorization for catch > WARNING: Deprecated conditional expansion ":-". See "man unlang" for > details > expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch) > expand: ou=People,dc=example,dc=example -> > ou=People,dc=example,dc=example > rlm_ldap: ldap_get_conn: Checking Id: 0 > rlm_ldap: ldap_get_conn: Got Id: 0 > rlm_ldap: attempting LDAP reconnection > rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0 > rlm_ldap: bind as / to 30.0.0.2:389 > rlm_ldap: waiting for bind result ... > rlm_ldap: Bind was successful > rlm_ldap: performing search in ou=People,dc=example,dc=example, with > filter (uid=catch) > rlm_ldap: object not found or got ambiguous search result > rlm_ldap: search failed > rlm_ldap: ldap_release_conn: Release Id: 0 > ++[ldap1] returns notfound > rlm_ldap: - authorize > rlm_ldap: performing user authorization for catch > WARNING: Deprecated conditional expansion ":-". See "man unlang" for > details > expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch) > expand: ou=People,dc=example,dc=example -> > ou=People,dc=example,dc=example > rlm_ldap: ldap_get_conn: Checking Id: 0 > rlm_ldap: ldap_get_conn: Got Id: 0 > rlm_ldap: attempting LDAP reconnection > rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0 > rlm_ldap: bind as / to 10.0.0.1:389 > rlm_ldap: waiting for bind result ... > rlm_ldap: Bind was successful > rlm_ldap: performing search in ou=People,dc=example,dc=example, with > filter (uid=catch) > rlm_ldap: object not found or got ambiguous search result > rlm_ldap: search failed > rlm_ldap: ldap_release_conn: Release Id: 0 > ++[ldap2] returns notfound > > auth: No authenticate method (Auth-Type) configuration found for the > request: Rejecting the user > auth: Failed to validate the user. > > You can see it is attempting to search both databases but fails. If I > use a simple telnet or ssh to authenticate against the LDAP server it > logs in fine. LDAP client login against the LDAP server is otherwise > working fine. I know I have been bothering using trivial question. But > any help would be appreciated :-) > > Thanks in advance. > Sambuddho > > > > On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote: > >> Sambuddho Chakravarty wrote: >> >>> This is exactly what I did . I forgot to put the separate module names >>> >> The consistent problems you see make me think that the issue is more >> than "forgot". >> >> >>> And now when I try to start the server this is what the error I see : >>> >>> >>> server { >>> modules { >>> Module: Checking authenticate {...} for more modules to load >>> //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap': >>> >> So.... was that module built? Apparently not... >> >> >>> When trying with a single server ,it matches the radius request against >>> rlm_pap and not rlm_ldap. I am confused. >>> >> Perhaps reading the debug output (and that of "configure" and "make") >> would help. >> >> Alan DeKok. >> - >> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html >> > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/usershtml
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
Message: 6 Date: Thu, 3 Jul 2008 18:00:35 +0100 From: A.L.M.Buxey@lboro.ac.uk Subject: Re:=?UTF-8?Q?freeradius-proxy_+_PAP_works,_PEAP_and_the_rest_doesn=C2=B4t?=
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <20080703170035.GA14834@lboro.ac.uk> Content-Type: text/plain; charset=us-ascii
hi,
if you really are using freeradius as a proxy, as you stated, then you dont need certificates...as the system will JUST proxy. if you mean you want to terminate EAP on your freeradius, then please dont call it a proxy. get the terminology correct.
what did you do wrong?
well, since 1.1.7 and 2.0.5 need completely different configs, i doubt you could make the same mistake twice...you CANT use a 1.1.7 config on a 2.0.5 box.
from what i can see, the daemon is clearly telling you something is wrong with your DH stuff. read eap.conf properly. get rid of that error. thats your primary task.
alan
------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
End of Freeradius-Users Digest, Vol 39, Issue 18 ************************************************
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello Some progress. Added to ldap.attrmap --------------------------- checkItem Crypt-Password userPassword Added to modules/ldap ldap ldap1{ .... identity = (root DN) password = (password for the root DN) password_header="{crypt}" password_attribute=Crypt-Password ... } ldap ldap2{ .... identity = (root DN) password = (password for the root DN) password_header="{crypt}" password_attribute=Crypt-Password ... } The radiusd attempts to connect to the correct LDAP server. However , the attempt fails with error in binding due to invalid credentials rlm_ldap: waiting for bind result ... rlm_ldap: Bind failed with invalid credentials The username and password supplied are nevertheless correct. Any hints would be gratefully appreciated Thanks Sambuddho On Thu, 2008-07-03 at 15:54 -0400, Sambuddho Chakravarty wrote:
Hi Andy Thanks a lot. The problem is that I have a file named ldap inside /etc/raddb/modules directory and it has two ldap modules , ldap1 and ldap2.
ldap ldap1 { server = .... identity = .... (set the appropriate CN) password = password for the above CN basedn = "ou=People,dc=example,dc=com" ... }
ldap ldap1 { server = .... identity = .... (set the appropriate CN) password = password for the above CN basedn = "ou=People,dc=example,dc=com" ... }
The first server has a user named 'try' and the second one has one named 'catch'.
When I try to perform authentication using radtest tool with the username and password (say for try ) , it searches it in the LDAP server which doesn't have it and doesn't search the one which actually has the username. When I try with username 'catch' , it finds the username and the password but then it goes into
auth: type Local
and fails. WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch) expand: ou=People,dc=example,dc=com -> ou=People,dc=example,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=catch) rlm_ldap: Added User-Password = $1$FYblmPWy$fmgebhCOLpHvhdECNP4EG0 in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user catch authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap2] returns ok !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type Local auth: user supplied User-Password does NOT match local User-Password auth: Failed to validate the user. Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> catch attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 48 to 127.0.0.1 port 1025 Finished request 2. Going to the next request Waking up in 4.9 seconds. Cleaning up request 2 ID 48 with timestamp +39 Ready to process requests.
I know its trivial but I am now struggling with this for a long time. (Freeradius version : 2.05)
Thanks Sambuddho
On Thu, 2008-07-03 at 12:35 -0700, Andy An wrote:
Hi Sambuddho:
I met similar problem a few weeks ago. You need to set the ldap identity/password for your freeRadius server at modules/ldap: e.g. mine is like:
server = "ldap.xxx.ca" identity = "cn=radius,ou=Applications,dc=xxx,dc=ca" password = "password" basedn = "ou=People,dc=xxx,dc=ca"
The default setting is "read-only" anonymous search(i.e. without identity/password setting) and it will fail because ldap server does not allow anonymous search for other user's password. Hope this is helpful.
Andy
freeradius-users-request@lists.freeradius.org wrote:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: =?UTF-8?Q?freeradius-proxy_+_PAP_works, _PEAP_and_the_rest_doesn=C2=B4t?= (uni@christiankraus.de) 2. Re: freeradius-proxy + PAP works, PEAP and the rest doesn?t (Alan DeKok) 3. Re: freeradius-proxy + PAP works, PEAP and the rest doesn?t (Ivan Kalik) 4. Re: sqlippool (Ivan Kalik) 5. Re: freeradius with multiple ldap servers (Sambuddho Chakravarty) 6. Re:=?UTF-8?Q?freeradius-proxy_+_PAP_works,_PEAP_and_the_rest_doesn=C2=B4t?= (A.L.M.Buxey@lboro.ac.uk)
------------------------------
Message: 5 Date: Thu, 03 Jul 2008 12:50:25 -0400 From: Sambuddho Chakravarty <sc2516@columbia.edu> Subject: Re: freeradius with multiple ldap servers To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <1215103825.8819.81.camel@insomniac> Content-Type: text/plain; charset=utf-8
Hello Ivan But I don't have a field in the database by that name . The name of the field is "userPassword" . This is what the openLDAP migration scripts generated. Please let me know what mistake I am doing . Also , my question on failover. Is the failover used when the first LDAP server is down / unresponsive to connection attempts or when it is not able to authenticate (example bad username / password) ?
Thanks Sambuddho On Thu, 2008-07-03 at 10:24 +0100, Ivan Kalik wrote:
Password (radius) attribute should be Crypt-Password not User-Password.
Ivan Kalik Kalik Informatika ISP
Dana 3/7/2008, "Sambuddho Chakravarty" <sc2516@columbia.edu> pi?e:
Hello
I set the password_header to = {crypt} and password_attribute to "userPassword" (Thats the name of the field in the database). Now this is what the logs show,
rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=try) rlm_ldap: Added User-Password = $1$n48a7wCp$RfvlOx1pZgiVNfmMmA2xS. in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user try authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap1] returns ok ++- policy redundant returns ok !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type Local auth: user supplied User-Password does NOT match local User-Password auth: Failed to validate the user. Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> try attr_filter: Matched entry DEFAULT at line 11
My guess is authorize{} worked but not authenticate {}. Also , I see both modules ldap1 and ldap2 being loaded but whenever I try to authenticate with the username/password that is found in ldap2 , the radius server never attempts to connect to the other LDAP server. Instead it search for the entries in the "ldap1"'s server only.
Any suggestions ?
Thanks Sambuddho
On Wed, 2008-07-02 at 23:45 +0100, Ivan Kalik wrote:
http://wiki.freeradius.org/index.php/Rlm_ldap
See use of password_header and password_attribute.
Ivan Kalik Kalik Informatika ISP
Dana 2/7/2008, "Sambuddho Chakravarty" <sc2516@columbia.edu> pi??e:
> Hello > I think I know what the problem is. The radius server is looking up > using cleartext password , while the LDAP data base stores the hashed > passwords. How can I force the radiuse server to search for the password > as a hashed value (rather than searching for the clear-text value) ? > > Thanks > Sambuddho > On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote: > >> Hello Alan >> I made sure this time that rlm_ldap was compiled. Now the following is >> the configuration >> >> ------/etc/raddb/modules/ldap----------- >> >> ldap ldap1 { >> server = "a.b.c.d" >> ... >> } >> >> ldap ldap2 { >> server = "w.x.y.z" >> ... >> } >> >> -----/etc/raddb/radiusd.conf----- >> >> >> authorize { >> ldap1 >> >> ldap2 >> >> } >> >> authenticate { >> ldap1 >> ldap2 >> } >> >> ------------------------------------ >> >> When I execute /sbin/radiusd -X >> >> It shows instantiating module ldap1 and module ldap2 >> >> .... >> Module: Instantiating ldap2 >> ldap ldap1 { >> server = "a.b.c.d" >> port = 389 >> .... >> Module: Instantiating ldap2 >> ldap ldap2 { >> server = "w.x.y.z" >> port = 389 >> .... >> >> When sending a radtest request using the following command (from the >> same machine as one which is running the server) >> >> $ radtest user "secret" localhost 2 testing123 >> >> I get ACCESS-REJECT reply from the sever. >> >> On the server the logs show something like this >> --------------------------------------------------- >> It shows binding to both LDAP servers one by one through something like >> this : >> >> rlm_ldap: performing user authorization for catch >> WARNING: Deprecated conditional expansion ":-". See "man unlang" for >> details >> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch) >> expand: ou=People,dc=example,dc=example -> >> ou=People,dc=example,dc=example >> rlm_ldap: ldap_get_conn: Checking Id: 0 >> rlm_ldap: ldap_get_conn: Got Id: 0 >> rlm_ldap: attempting LDAP reconnection >> rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0 >> rlm_ldap: bind as / to 30.0.0.2:389 >> rlm_ldap: waiting for bind result ... >> rlm_ldap: Bind was successful >> rlm_ldap: performing search in ou=People,dc=example,dc=example, with >> filter (uid=catch) >> rlm_ldap: object not found or got ambiguous search result >> rlm_ldap: search failed >> rlm_ldap: ldap_release_conn: Release Id: 0 >> ++[ldap1] returns notfound >> rlm_ldap: - authorize >> rlm_ldap: performing user authorization for catch >> WARNING: Deprecated conditional expansion ":-". See "man unlang" for >> details >> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch) >> expand: ou=People,dc=example,dc=example -> >> ou=People,dc=example,dc=example >> rlm_ldap: ldap_get_conn: Checking Id: 0 >> rlm_ldap: ldap_get_conn: Got Id: 0 >> rlm_ldap: attempting LDAP reconnection >> rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0 >> rlm_ldap: bind as / to 10.0.0.1:389 >> rlm_ldap: waiting for bind result ... >> rlm_ldap: Bind was successful >> rlm_ldap: performing search in ou=People,dc=example,dc=example, with >> filter (uid=catch) >> rlm_ldap: object not found or got ambiguous search result >> rlm_ldap: search failed >> rlm_ldap: ldap_release_conn: Release Id: 0 >> ++[ldap2] returns notfound >> >> auth: No authenticate method (Auth-Type) configuration found for the >> request: Rejecting the user >> auth: Failed to validate the user. >> >> You can see it is attempting to search both databases but fails. If I >> use a simple telnet or ssh to authenticate against the LDAP server it >> logs in fine. LDAP client login against the LDAP server is otherwise >> working fine. I know I have been bothering using trivial question. But >> any help would be appreciated :-) >> >> Thanks in advance. >> Sambuddho >> >> >> >> On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote: >> >>> Sambuddho Chakravarty wrote: >>> >>>> This is exactly what I did . I forgot to put the separate module names >>>> >>> The consistent problems you see make me think that the issue is more >>> than "forgot". >>> >>> >>>> And now when I try to start the server this is what the error I see : >>>> >>>> >>>> server { >>>> modules { >>>> Module: Checking authenticate {...} for more modules to load >>>> //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap': >>>> >>> So.... was that module built? Apparently not... >>> >>> >>>> When trying with a single server ,it matches the radius request against >>>> rlm_pap and not rlm_ldap. I am confused. >>>> >>> Perhaps reading the debug output (and that of "configure" and "make") >>> would help. >>> >>> Alan DeKok. >>> - >>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html >>> >> - >> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html >> > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/usershtml > > > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
Message: 6 Date: Thu, 3 Jul 2008 18:00:35 +0100 From: A.L.M.Buxey@lboro.ac.uk Subject: Re:=?UTF-8?Q?freeradius-proxy_+_PAP_works,_PEAP_and_the_rest_doesn=C2=B4t?=
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <20080703170035.GA14834@lboro.ac.uk> Content-Type: text/plain; charset=us-ascii
hi,
if you really are using freeradius as a proxy, as you stated, then you dont need certificates...as the system will JUST proxy. if you mean you want to terminate EAP on your freeradius, then please dont call it a proxy. get the terminology correct.
what did you do wrong?
well, since 1.1.7 and 2.0.5 need completely different configs, i doubt you could make the same mistake twice...you CANT use a 1.1.7 config on a 2.0.5 box.
from what i can see, the daemon is clearly telling you something is wrong with your DH stuff. read eap.conf properly. get rid of that error. thats your primary task.
alan
------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
End of Freeradius-Users Digest, Vol 39, Issue 18 ************************************************
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Added to ldap.attrmap --------------------------- checkItem Crypt-Password userPassword
Don't do that. userPassword is already mapped in ldap module: # password_attribute: Define the attribute which contains the user # password. # While integrating FreeRADIUS with Novell eDirectory, set # 'password_attribute = nspmpassword' in order to use the universal # password of the eDirectory users for RADIUS authentication. This will # work only if FreeRADIUS is configured to build with --with-edir option. # # default: NULL - don't add password # # password_attribute = "userPassword" # password_radius_attribute: Defined the RADIUS attribute where the extracted # user password will be stored to. Can be used to set it to NT-Password or any # other similar attribute instead of the default # # default: User-Password # # password_radius_attribute = "NT-Password"
Added to modules/ldap
ldap ldap1{ ....
identity = (root DN) password = (password for the root DN)
password_header="{crypt}" password_attribute=Crypt-Password
No, not password_attribute but password_radius_attribute. password_attribute should remain userPassword (as it is by default). Ivan Kalik Kalik Informatika ISP
Hello Ivan Problem still the same I changed :- On Thu, 2008-07-03 at 22:20 +0100, Ivan Kalik wrote:
Added to ldap.attrmap --------------------------- checkItem Crypt-Password userPassword
Removed this from ldap.attrmap
Don't do that. userPassword is already mapped in ldap module:
# password_attribute: Define the attribute which contains the user # password. # While integrating FreeRADIUS with Novell eDirectory, set # 'password_attribute = nspmpassword' in order to use the universal # password of the eDirectory users for RADIUS authentication. This will # work only if FreeRADIUS is configured to build with --with-edir option. # # default: NULL - don't add password # # password_attribute = "userPassword"
# password_radius_attribute: Defined the RADIUS attribute where the extracted # user password will be stored to. Can be used to set it to NT-Password or any # other similar attribute instead of the default # # default: User-Password # # password_radius_attribute = "NT-Password"
Added to modules/ldap
ldap ldap1{ ....
identity = (root DN) password = (password for the root DN)
password_header="{crypt}" password_attribute=Crypt-Password
Yes changed this to password_radius_attribute=Crypt-Password However , if I change the password_attribute=userPassword, the auth type is detected wrongly as Local auth: type Local auth: user supplied User-Password does NOT match local User-Password Thanks Sambuddho
No, not password_attribute but password_radius_attribute. password_attribute should remain userPassword (as it is by default).
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
ldap ldap1{ ....
identity = (root DN) password = (password for the root DN)
password_header="{crypt}" password_attribute=Crypt-Password
Yes changed this to password_radius_attribute=Crypt-Password
However , if I change the password_attribute=userPassword, the auth type is detected wrongly as Local
OK. I had a quick look at the code. It looks like you dont need to use any of those settings at all. You should have a (crypt) header in userPassword field and ldap module will put the value into appropriate attribute on it's own (it has auto-header discovery now). Ivan Kalik Kalik Informatika ISP
participants (3)
-
Andy An -
Ivan Kalik -
Sambuddho Chakravarty