FreeRarius with multiple LDAP
I'm upgrading FreeRadius form version 1.x to 2.x and transfered the configs. I have a problem with definig authrize and authenticate sections. I've defined 2 ldap modules (ldap and ldap1) connecting to same LDAP servers but to different OU's The old configs have this in users setup: DEFAULT Realm == mydomain.com, Freeradius-Proxied-To == 127.0.0.1, Auth-Type := PAP User-Name = `%{User-Name}`, Fall-Through = yes DEFAULT Realm == mydomain.com, Freeradius-Proxied-To == 127.0.0.1, Autz-Type := LDAP DEFAULT User-Name =~ "^[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss]|[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss]@mydomain.com", Auth-Type := EAP In radiusd.conf ### authorize Autz-Type LDAP { ldap } ### ###authenticate Auth-Type PAP { pap ldap1 } #### LDAP conf ldap ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "ldap.mydomain.com" identity = "cn=root,dc=my,dc=domain,dc=com" password = "test" basedn = "ou=workers,dc=my,dc=domain,dc=com" filter = "(eduPersonPrincipalName=%{User-Name})" #base_filter = "(objectclass=radiusprofile)" start_tls = no ldap ldap1 { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "ldap.mydomain.com" identity = "cn=root,dc=my,dc=domain,dc=com" password = "test" basedn = "ou=nonworkers,dc=my,dc=domain,dc=com" filter = "(&(eduPersonPrincipalName=%{User-Name})(schacUserStatus=eduroam:access:enabled))" #base_filter = "(objectclass=radiusprofile)" start_tls = no This setup works on old freeradius. This setup forwards request for anonymous user with EAP and goes to LDAP for local users with mydomain.com But this setup doesn't work with new version. I get this: rad_recv: Access-Request packet from host 127.0.0.1 port 59814, id=0, length=90 User-Name = "test@madomain.com" User-Password = "test" NAS-IP-Address = 88.200.21.64 NAS-Port = 1 Message-Authenticator = 0x035a720374f2f7d52319ed9431aed16e Wed Mar 28 15:17:25 2012 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default Wed Mar 28 15:17:25 2012 : Info: +- entering group authorize {...} Wed Mar 28 15:17:25 2012 : Info: ++[preprocess] returns ok Wed Mar 28 15:17:25 2012 : Info: [suffix] Looking up realm "mydomain.com" for User-Name = "test@mydomain.com" Wed Mar 28 15:17:25 2012 : Info: [suffix] Found realm "mydomain.com" Wed Mar 28 15:17:25 2012 : Info: [suffix] Adding Realm = "mydomain.comi" Wed Mar 28 15:17:25 2012 : Info: [suffix] Authentication realm is LOCAL. Wed Mar 28 15:17:25 2012 : Info: ++[suffix] returns ok Wed Mar 28 15:17:25 2012 : Info: [eap] No EAP-Message, not doing EAP Wed Mar 28 15:17:25 2012 : Info: ++[eap] returns noop Wed Mar 28 15:17:25 2012 : Info: [files] expand: %{User-Name} -> test@mydomain.com Wed Mar 28 15:17:25 2012 : Info: ++[files] returns noop Wed Mar 28 15:17:25 2012 : Info: ++[expiration] returns noop Wed Mar 28 15:17:25 2012 : Info: ++[logintime] returns noop Wed Mar 28 15:17:25 2012 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. Wed Mar 28 15:17:25 2012 : Info: ++[pap] returns noop Wed Mar 28 15:17:25 2012 : Info: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Wed Mar 28 15:17:25 2012 : Info: Failed to authenticate the user. Wed Mar 28 15:17:25 2012 : Auth: Login incorrect: [test@mydomain.com/test] (from client loopback port 1) Wed Mar 28 15:17:25 2012 : Info: Using Post-Auth-Type Reject Wed Mar 28 15:17:25 2012 : Info: # Executing group from file /etc/raddb/sites-enabled/default Wed Mar 28 15:17:25 2012 : Info: +- entering group REJECT {...} Wed Mar 28 15:17:25 2012 : Info: [attr_filter.access_reject] expand: %{User-Name} -> test@mydomain.com Wed Mar 28 15:17:25 2012 : Debug: attr_filter: Matched entry DEFAULT at line 11 Wed Mar 28 15:17:25 2012 : Info: ++[attr_filter.access_reject] returns updated Wed Mar 28 15:17:25 2012 : Info: Delaying reject of request 12 for 1 seconds Wed Mar 28 15:17:25 2012 : Debug: Going to the next request Wed Mar 28 15:17:25 2012 : Debug: Waking up in 0.9 seconds. Wed Mar 28 15:17:26 2012 : Info: Sending delayed reject for request 12 It looks it doesn't use LDAP at all. If I enable both ldap setups in authorize section in sites-available/default #authorize ldap ldap1 pap ### Then it doesn't use users file and always tryes to bind to first LDAP. For anonymous user too, which is wrong. Any pointers? Thanks S.
Sebastijan Šilec wrote
Sent: Wednesday, March 28, 2012 10:06 AM DEFAULT Realm == mydomain.com, Freeradius-Proxied-To == 127.0.0.1, Auth-Type := PAP User-Name = `%{User-Name}`, Fall-Through = yes
DEFAULT Realm == mydomain.com, Freeradius-Proxied-To == 127.0.0.1, Autz-Type := LDAP
DEFAULT User-Name =~ "^[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss]|[Aa][Nn][Oo][Nn][Yy][Mm ][Oo][Uu][Ss]@mydomain.com", Auth-Type := EAP
...
Wed Mar 28 15:17:25 2012 : Info: [suffix] Found realm "mydomain.com" Wed Mar 28 15:17:25 2012 : Info: [suffix] Adding Realm = "mydomain.comi"
Is that just a typo from anonymizing, or is there really an extra "i" there?
On 28.3.2012 16:15, Brian Julin wrote:
Sebastijan Šilec wrote
Sent: Wednesday, March 28, 2012 10:06 AM DEFAULT Realm == mydomain.com, Freeradius-Proxied-To == 127.0.0.1, Auth-Type := PAP User-Name = `%{User-Name}`, Fall-Through = yes
DEFAULT Realm == mydomain.com, Freeradius-Proxied-To == 127.0.0.1, Autz-Type := LDAP
DEFAULT User-Name =~ "^[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss]|[Aa][Nn][Oo][Nn][Yy][Mm ][Oo][Uu][Ss]@mydomain.com", Auth-Type := EAP ...
Wed Mar 28 15:17:25 2012 : Info: [suffix] Found realm "mydomain.com" Wed Mar 28 15:17:25 2012 : Info: [suffix] Adding Realm = "mydomain.comi" Is that just a typo from anonymizing, or is there really an extra "i" there?
Just a typo...i stripped out the real domains. S.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 28/03/12 15:05, Sebastijan Šilec wrote:
I'm upgrading FreeRadius form version 1.x to 2.x and transfered the configs.
I have a problem with definig authrize and authenticate sections.
I've defined 2 ldap modules (ldap and ldap1) connecting to same LDAP servers but to different OU's
The old configs have this in users setup:
DEFAULT Realm == mydomain.com, Freeradius-Proxied-To == 127.0.0.1, Auth-Type := PAP User-Name = `%{User-Name}`, Fall-Through = yes
DEFAULT Realm == mydomain.com, Freeradius-Proxied-To == 127.0.0.1, Autz-Type := LDAP
DEFAULT User-Name =~ "^[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss]|[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss]@mydomain.com", Auth-Type := EAP
In radiusd.conf ### authorize Autz-Type LDAP { ldap } ###
###authenticate Auth-Type PAP { pap ldap1 }
####
LDAP conf
ldap ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "ldap.mydomain.com" identity = "cn=root,dc=my,dc=domain,dc=com" password = "test" basedn = "ou=workers,dc=my,dc=domain,dc=com" filter = "(eduPersonPrincipalName=%{User-Name})" #base_filter = "(objectclass=radiusprofile)"
start_tls = no
ldap ldap1 { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "ldap.mydomain.com" identity = "cn=root,dc=my,dc=domain,dc=com" password = "test" basedn = "ou=nonworkers,dc=my,dc=domain,dc=com" filter = "(&(eduPersonPrincipalName=%{User-Name})(schacUserStatus=eduroam:access:enabled))"
#base_filter = "(objectclass=radiusprofile)"
start_tls = no
This setup works on old freeradius. This setup forwards request for anonymous user with EAP and goes to LDAP for local users with mydomain.com
But this setup doesn't work with new version.
I get this:
rad_recv: Access-Request packet from host 127.0.0.1 port 59814, id=0, length=90 User-Name = "test@madomain.com" User-Password = "test" NAS-IP-Address = 88.200.21.64 NAS-Port = 1 Message-Authenticator = 0x035a720374f2f7d52319ed9431aed16e Wed Mar 28 15:17:25 2012 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default Wed Mar 28 15:17:25 2012 : Info: +- entering group authorize {...} Wed Mar 28 15:17:25 2012 : Info: ++[preprocess] returns ok Wed Mar 28 15:17:25 2012 : Info: [suffix] Looking up realm "mydomain.com" for User-Name = "test@mydomain.com" Wed Mar 28 15:17:25 2012 : Info: [suffix] Found realm "mydomain.com" Wed Mar 28 15:17:25 2012 : Info: [suffix] Adding Realm = "mydomain.comi" Wed Mar 28 15:17:25 2012 : Info: [suffix] Authentication realm is LOCAL. Wed Mar 28 15:17:25 2012 : Info: ++[suffix] returns ok Wed Mar 28 15:17:25 2012 : Info: [eap] No EAP-Message, not doing EAP Wed Mar 28 15:17:25 2012 : Info: ++[eap] returns noop Wed Mar 28 15:17:25 2012 : Info: [files] expand: %{User-Name} -> test@mydomain.com Wed Mar 28 15:17:25 2012 : Info: ++[files] returns noop Wed Mar 28 15:17:25 2012 : Info: ++[expiration] returns noop Wed Mar 28 15:17:25 2012 : Info: ++[logintime] returns noop Wed Mar 28 15:17:25 2012 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. Wed Mar 28 15:17:25 2012 : Info: ++[pap] returns noop Wed Mar 28 15:17:25 2012 : Info: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Wed Mar 28 15:17:25 2012 : Info: Failed to authenticate the user. Wed Mar 28 15:17:25 2012 : Auth: Login incorrect: [test@mydomain.com/test] (from client loopback port 1) Wed Mar 28 15:17:25 2012 : Info: Using Post-Auth-Type Reject Wed Mar 28 15:17:25 2012 : Info: # Executing group from file /etc/raddb/sites-enabled/default Wed Mar 28 15:17:25 2012 : Info: +- entering group REJECT {...} Wed Mar 28 15:17:25 2012 : Info: [attr_filter.access_reject] expand: %{User-Name} -> test@mydomain.com Wed Mar 28 15:17:25 2012 : Debug: attr_filter: Matched entry DEFAULT at line 11 Wed Mar 28 15:17:25 2012 : Info: ++[attr_filter.access_reject] returns updated Wed Mar 28 15:17:25 2012 : Info: Delaying reject of request 12 for 1 seconds Wed Mar 28 15:17:25 2012 : Debug: Going to the next request Wed Mar 28 15:17:25 2012 : Debug: Waking up in 0.9 seconds. Wed Mar 28 15:17:26 2012 : Info: Sending delayed reject for request 12
It looks it doesn't use LDAP at all.
If I enable both ldap setups in authorize section in sites-available/default
#authorize
ldap ldap1 pap
###
Then it doesn't use users file and always tryes to bind to first LDAP. For anonymous user too, which is wrong.
Any pointers?
1. Don't set Auth-Type. It's almost always wrong, and confusing 2. Don't use Autz-Type any more. Use an "unlang" block (see below) 3. Please spell out in a bit more detail what process you want; it's unclear from your email. When do you want ldap, ldap1 to be called? How does "pap" work unless you're setting a cleartext password? why How about something like this: authorize { ... suffix ... if (Realm == mydomain.com) { # only call ldap module for these users ldap # only permit pap for these users pap } else { # permit EAP for other users eap } } authenticate { ... } Unless you specify the rules you want to choose ldap1 instead of ldap, it's not obvious where "ldap1" fits in here.
participants (3)
-
Brian Julin -
Phil Mayers -
Sebastijan Šilec