Greetings I'm new to radius but have been reading. I have a freeradius server running on ubuntu 11, my users file is an ldap server which works great. My question is, how can i search and alternate LDAP server for user credentials ? If the first LDAP search fails try the next server in line. I found some documentation- * http://freeradius.org/radiusd/doc/ldap_howto.txt does not mention a second server. *http://freeradius.org/radiusd/doc/configurable_failover explains the redundant setup for sql accounting. so far I tried adding the second ldap server, it's info is read during module load -- no errors. The problem is,.. only one of the ldap systems contains the correct info. So one WILL fail and the other will pass. with that being said,.. How do i configure my server to Pass if either system returns " ok " ? currently it will fail even if one LDAP system returns good. authorize { preprocess chap mschap digest suffix eap { ok = return } files redundant { ldap1 ldap2 } expiration logintime pap # Autz-Type Status-Server { # # } } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } digest # # Pluggable Authentication Modules. # pam unix Auth-Type LDAP { ldap1 ldap2 } eap # Auth-Type eap { # eap { # handled = 1 # } # if (handled && (Response-Packet-Type == Access-Challenge)) { # attr_filter.access_challenge.post-auth # handled # override the "updated" code from attr_filter # } # } } Any Assistance would be helpful. -j
Hi Jeff, On 04.05.2012 14:30, jeff donovan wrote:
how can i search and alternate LDAP server for user credentials ? If the first LDAP search fails try the next server in line.
Just mention only this ldap server in authenticate section: authenticate { Auth-Type LDAP { ldap1 # the ldap server which has the credentials } } That's it. Only the ldap servers you have mentioned in authorize section will be queried for group memberships. Greetz, Tobias
jeff donovan wrote:
I'm new to radius but have been reading.
That's always positive.
how can i search and alternate LDAP server for user credentials ? If the first LDAP search fails try the next server in line.
Do you mean "fail" or "notfound"? They're different...
I found some documentation- * http://freeradius.org/radiusd/doc/ldap_howto.txt does not mention a second server. *http://freeradius.org/radiusd/doc/configurable_failover explains the redundant setup for sql accounting.
See also "man unlang". It explains this in more detail.
so far I tried adding the second ldap server, it's info is read during module load -- no errors. The problem is,.. only one of the ldap systems contains the correct info. So one WILL fail and the other will pass. with that being said,.. How do i configure my server to Pass if either system returns " ok " ? currently it will fail even if one LDAP system returns good.
That's because you're using a "redundant" block. It treats "notfound" as "LDAP server is still up", and it doesn't fail over to the next one. Because there was no failure!
authorize { ... redundant { ldap1 ldap2 }
Change that to: ldap1 if (notfound) { ldap2 } And it will work. Alan DeKok.
On May 4, 2012, at 10:14 AM, Alan DeKok wrote:
jeff donovan wrote:
I'm new to radius but have been reading.
That's always positive.
how can i search and alternate LDAP server for user credentials ? If the first LDAP search fails try the next server in line.
Do you mean "fail" or "notfound"? They're different...
true,. i will probably come across both.
I found some documentation- * http://freeradius.org/radiusd/doc/ldap_howto.txt does not mention a second server. *http://freeradius.org/radiusd/doc/configurable_failover explains the redundant setup for sql accounting.
See also "man unlang". It explains this in more detail.
k tnx-more reading :)
so far I tried adding the second ldap server, it's info is read during module load -- no errors. The problem is,.. only one of the ldap systems contains the correct info. So one WILL fail and the other will pass. with that being said,.. How do i configure my server to Pass if either system returns " ok " ? currently it will fail even if one LDAP system returns good.
That's because you're using a "redundant" block. It treats "notfound" as "LDAP server is still up", and it doesn't fail over to the next one. Because there was no failure!
authorize { ... redundant { ldap1 ldap2 }
Change that to:
ldap1 if (notfound) { ldap2 }
And it will work.
thanks for the reply. can i really use if then else ? with that said, i should be able to apply the same for fail ? --- ill post more when i adjust my settings and try with the not found. then I try with fail. -j
On May 4, 2012, at 10:14 AM, Alan DeKok wrote:
snip
authorize { ... redundant { ldap1 ldap2 }
Change that to:
ldap1 if (notfound) { ldap2 }
And it will work.
greetings i read the unlang pages. I modified my Authorize section, and you are correct, the user is found on ldap1 or checks the next server. Now it seems to be sticking on the first reject in the Authenticate section. here is what I have; authenticate { Auth-Type LDAP { ldap1 if (reject) { ldap2 } } I have also tried Auth-Type LDAP { ldap1 ldap2 } in this case if the credentials do not exist on ldap1 everything stops. here is my debug; [ldap1] performing user authorization for drfoo [ldap1] expand: %{Stripped-User-Name} -> [ldap1] ... expanding second conditional [ldap1] expand: %{User-Name} -> drfoo [ldap1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=drfoo) [ldap1] expand: cn=users,dc=ldap1,dc=example.com -> cn=users,dc=ldap1,dc=example.com [ldap1] ldap_get_conn: Checking Id: 0 [ldap1] ldap_get_conn: Got Id: 0 [ldap1] performing search in cn=users,dc=ldap1,dc=example.com, with filter (uid=drfoo) [ldap1] object not found [ldap1] search failed [ldap1] ldap_release_conn: Release Id: 0 ++[ldap1] returns notfound ++? if (notfound) ? Evaluating (notfound) -> TRUE ++? if (notfound) -> TRUE ++- entering if (notfound) {...} [ldap2] performing user authorization for drfoo [ldap2] expand: %{Stripped-User-Name} -> [ldap2] ... expanding second conditional [ldap2] expand: %{User-Name} -> drfoo [ldap2] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=drfoo) [ldap2] expand: cn=users,dc=ldap2,dc=example.com -> cn=users,dc=ldap2,dc=example.com [ldap2] ldap_get_conn: Checking Id: 0 [ldap2] ldap_get_conn: Got Id: 0 [ldap2] performing search in cn=users,dc=ldap2,dc=example.com, with filter (uid=drfoo) [ldap2] No default NMAS login sequence [ldap2] looking for check items in directory... [ldap2] userPassword -> Password-With-Header == "********" [ldap2] looking for reply items in directory... [ldap2] Setting Auth-Type = LDAP [ldap2] user drfoo authorized to use remote access [ldap2] ldap_release_conn: Release Id: 0 +++[ldap2] returns ok ++- if (notfound) returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Failed to decode Password-With-Header = "********" [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = LDAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group LDAP {...} [ldap1] login attempt by "drfoo" with password "XxXxXxX" [ldap1] user DN: uid=drfoo,cn=users,dc=ldap2,dc=example.com [ldap1] (re)connect to ldap1.example.com:389, authentication 1 [ldap1] bind as uid=drfoo,cn=users,dc=ldap2,dc=example.com/XxXxXxX to ldap1.example.com:389 [ldap1] waiting for bind result ... [ldap1] Bind failed with invalid credentials ++[ldap1] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...}
On 04.05.2012 21:05, jeff donovan wrote:
Found Auth-Type = LDAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group LDAP {...} [ldap1] login attempt by "drfoo" with password "XxXxXxX" [ldap1] user DN: uid=drfoo,cn=users,dc=ldap2,dc=example.com [ldap1] (re)connect to ldap1.example.com:389, authentication 1 [ldap1] bind as uid=drfoo,cn=users,dc=ldap2,dc=example.com/XxXxXxX to ldap1.example.com:389 [ldap1] waiting for bind result ... [ldap1] Bind failed with invalid credentials ++[ldap1] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...}
OK, so what happened here? The ldap bind has failed! That's not the failure message that the user you want to authenticate has wrong credentials. Be sure you configured the ldap modules correctly or send the whole radiusd -X debug output. Best regards, Tobias Hachmer
On May 4, 2012, at 3:58 PM, Tobias Hachmer wrote:
On 04.05.2012 21:05, jeff donovan wrote:
Found Auth-Type = LDAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group LDAP {...} [ldap1] login attempt by "drfoo" with password "XxXxXxX" [ldap1] user DN: uid=drfoo,cn=users,dc=ldap2,dc=example.com [ldap1] (re)connect to ldap1.example.com:389, authentication 1 [ldap1] bind as uid=drfoo,cn=users,dc=ldap2,dc=example.com/XxXxXxX to ldap1.example.com:389 [ldap1] waiting for bind result ... [ldap1] Bind failed with invalid credentials ++[ldap1] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...}
OK, so what happened here? The ldap bind has failed! That's not the failure message that the user you want to authenticate has wrong credentials. Be sure you configured the ldap modules correctly or send the whole radiusd -X debug output.
greetings sorry i snipped the bottom off , I didn't think it relevant since nothing happened after it tried to auth on ldap1. Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> drfoo attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 2 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 2 Sending Access-Reject of id 158 to 10.135.1.15 port 65478 Waking up in 4.9 seconds. Cleaning up request 2 ID 158 with timestamp +22 Ready to process requests. and that is correct. The user does not exist on LDAP1, his records are on LDAP2, which it finds, but it trys to auth against ldap1 ( which will fail ). I need it to step to ldap2 I thought the result code was " reject " so under authentication if result of ldap1 = reject try ldap2. Auth-Type LDAP { ldap1 if (reject) { ldap2 } }
On May 4, 2012, at 7:40 PM, jeff donovan wrote:
<snip>
and that is correct. The user does not exist on LDAP1, his records are on LDAP2, which it finds, but it trys to auth against ldap1 ( which will fail ). I need it to step to ldap2
greetings I made two changes. and it worked.,.. not sure if it the best syntax, but it's the first time I got both systems to call back. authorize { ldap1 if (notfound) { ldap2 } if (reject) { ldap2 } authenticate { Auth-Type LDAP { ldap1{ reject = 1 ok = return } ldap2 { reject = 1 ok = return } } works very well. thanks for your assistance -j
jeff donovan wrote:
I made two changes. and it worked.,.. not sure if it the best syntax, but it's the first time I got both systems to call back.
authorize {
ldap1 if (notfound) { ldap2 }
This is OK.
if (reject) { ldap2 }
This doesn't do anything. If ldap1 rejects the user (which it won't in the "authorize" section), then it will *immediately* return reject. i.e. the "if reject" line won't be reached.
authenticate {
Auth-Type LDAP { ldap1{ reject = 1 ok = return } ldap2 { reject = 1 ok = return } }
This is wrong, too. You've forced "Auth-Type := LDAP" somewhere in your config. You could instead use "set_auth_type" in the modules/ldap configuration. It's recommended to *not* use it, but it's fine here. Then, just do: authenticate { ... ldap1 ldap2 ... } If the "ldap1" module finds the user, it sets Auth-Type = "ldap1". And the same for ldap2. This means that there are fewer queries to ldap1 in the "authenticate" phase. That's nice. Alan DeKok.
On May 5, 2012, at 5:09 AM, Alan DeKok wrote:
jeff donovan wrote:
I made two changes. and it worked.,.. not sure if it the best syntax, but it's the first time I got both systems to call back.
authorize {
ldap1 if (notfound) { ldap2 }
This is OK.
if (reject) { ldap2 }
This doesn't do anything. If ldap1 rejects the user (which it won't in the "authorize" section), then it will *immediately* return reject. i.e. the "if reject" line won't be reached.
you are correct. An authorize section would not return reject. i removed it and things work fine.
authenticate {
Auth-Type LDAP { ldap1{ reject = 1 ok = return } ldap2 { reject = 1 ok = return } }
This is wrong, too. You've forced "Auth-Type := LDAP" somewhere in your config.
the config Im using is stock ubuntu,..which has a few default includes. radiusd.conf specifies; $INCLUDE ${confdir}/modules/ i have a file in modules called ldap. Located in this file are two ldap servers entries. # ldap ldap1 { server = "ldap1.example.com" basedn = "cn=users,dc=ldap1,dc=example.com" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${confdir}/ldap.attrmap # edir_account_policy_check = no #ldap_debug = 0x0028 } ldap ldap2 { server = "ldap2.example.com" basedn = "cn=users,dc=ldap2,dc=example.com" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${confdir}/ldap.attrmap # edir_account_policy_check = no #ldap_debug = 0x0028 } }
You could instead use "set_auth_type" in the modules/ldap configuration. It's recommended to *not* use it, but it's fine here.
Then, just do:
authenticate { ... ldap1 ldap2 ... }
--- oof okay. authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } digest # pam unix ldap1 ldap2 eap } Yes Totally works.! my bad i thought I had to set the AUTH type. similar to some of the other configs.
If the "ldap1" module finds the user, it sets Auth-Type = "ldap1". And the same for ldap2.
This means that there are fewer queries to ldap1 in the "authenticate" phase. That's nice.
im into that. thanks for the help. hopefully my stumbles will aid someone in the future. -j
On 05/05/2012 01:40 AM, jeff donovan wrote:
greetings sorry i snipped the bottom off , I didn't think it relevant since nothing happened after it tried to auth on ldap1.
Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> drfoo attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 2 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 2 Sending Access-Reject of id 158 to 10.135.1.15 port 65478 Waking up in 4.9 seconds. Cleaning up request 2 ID 158 with timestamp +22 Ready to process requests.
Hi Jeff, are you sure you configured your ldap modules right? For me it seems you don't because your ldap bind fails. configure your ldap1 module for the ldap1 server with a bind user which exists on ldap server 1. In debug output your ldap1 module references with a user dn in "cn=users,dc=ldap2,dc=example.com". Is this correct or have it to be "cn=users,dc=ldap1,dc=example.com" ? As I tried to explain before it's not the authentication of the user in radius request which fails but the bind user so the ldap module wasn't able to check the user credentials! Please reread the ldap documentation if this is unclear... Regards, Tobias Hachmer
On 05.05.2012 10:36, Tobias Hachmer wrote:
As I tried to explain before it's not the authentication of the user in radius request which fails but the bind user so the ldap module wasn't able to check the user credentials! Please reread the ldap documentation if this is unclear...
Sorry, I have to correct myself. The authentication will be done as a simple user bind with username and cleartext-password from radius-request. only in authorize section the binddn user from ldap module will be taken to do the ldap search. Please correct me again if I'm false. Sorry for confusing... Best regards, Tobias Hachmer
participants (3)
-
Alan DeKok -
jeff donovan -
Tobias Hachmer