FreeRadius and Redundant LDAP Problems
am trying to setup what I thought should be a fairly simple Freeradius configuration but I am having problems. Simply put I would like FreeRadius to authenticate against our LDAP servers and look into a couple groups to see if the user is authorized. I would also like to have redundant ldap servers so that if one went down for maintenance or other reasons users could still authenticate. I can get Freeradius to work with one LDAP server, but when I try to implement the redundant I have not had any success. According to the debug log, it is find the group the user belongs to correctly, but instead of setting the Auth-Type to LDAP it is setting it to PAP and rejecting. When I configure the system for one LDAP server to Auth-Type is LDAP and everything works. It is probably something simple that I am missing, and would appreciate any suggestions. I have included the debug log below and the configuration files, I have removed all the comments out of the configuration files to be under the 100k size restriction for the list. Thanks Output from request in debugging mode: rad_recv: Access-Request packet from host 127.0.0.1 port 47611, id=245, length=60 User-Name = "testuser" User-Password = "testpassword" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns updated [ldap-server1] Entering ldap_groupcmp() [files] expand: ou=people,o=test,o=isp -> ou=people,o=test,o=isp [files] expand: %{Stripped-User-Name} -> [files] ... expanding second conditional [files] expand: %{User-Name} -> testuser [files] expand: (uid=%{%{Stripped-User-Name}:- %{User-Name}}) -> (uid=testuser) [ldap-server1] ldap_get_conn: Checking Id: 0 [ldap-server1] ldap_get_conn: Got Id: 0 [ldap-server1] attempting LDAP reconnection [ldap-server1] (re)connect to ldapserver.somedomain.com:389, authentication 0 [ldap-server1] bind as uid=testuser, ou=people, o=test, o=isp/testpassword to ldapserver.somedomain.com:389 [ldap-server1] waiting for bind result ... [ldap-server1] Bind was successful [ldap-server1] performing search in ou=people,o=test,o=isp, with filter (uid=testuser) [ldap-server1] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquem ember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=uid\3dtestuser\2cou\3dpeople\2co\3dtest\2co\3disp))(&(o bjectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestuser\2cou\3dpeople\2co\3dtest\2co\3disp))) [ldap-server1] ldap_get_conn: Checking Id: 0 [ldap-server1] ldap_get_conn: Got Id: 0 [ldap-server1] performing search in cn=DialupFS,ou=Groups,o=test,o=isp, with filter (|(&(objectClass=GroupOfNames)(member=uid\ 3dtestuser\2cou\3dpeople\2co\3dtest\2co\3disp))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestuser\2cou\3dpeople\2co\ 3dtest\2co\3disp))) rlm_ldap::ldap_groupcmp: User found in group cn=DialupFS,ou=Groups,o=test,o=isp [ldap-server1] ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 166 ++[files] returns ok ++- entering policy redundant {...} [ldap-server1] performing user authorization for testuser [ldap-server1] expand: %{Stripped-User-Name} -> [ldap-server1] ... expanding second conditional [ldap-server1] expand: %{User-Name} -> testuser [ldap-server1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testuser) [ldap-server1] expand: ou=people,o=test,o=isp -> ou=people,o=test,o=isp [ldap-server1] ldap_get_conn: Checking Id: 0 [ldap-server1] ldap_get_conn: Got Id: 0 [ldap-server1] performing search in ou=people,o=test,o=isp, with filter (uid=testuser) [ldap-server1] looking for check items in directory... [ldap-server1] sambaNtPassword -> NT-Password == 0x4234354137334235383034463441323531343346353339333433413430363642 [ldap-server1] sambaLmPassword -> LM-Password == 0x3036323444434332394538433236434346463137333635464146314646453839 [ldap-server1] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap-server1] user testuser authorized to use remote access [ldap-server1] ldap_release_conn: Release Id: 0 +++[ldap-server1] returns ok ++- policy redundant returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "testpassword" [pap] Using CRYPT encryption. [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> testuser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 245 to 127.0.0.1 port 47611 Reply-Message = "FS User Authorized" Waking up in 4.9 seconds. Cleaning up request 0 ID 245 with timestamp +48 Ready to process requests. Default File: authorize { preprocess chap mschap User File: DEFAULT ldap-server1-Ldap-Group == "cn=DialupFS,ou=Groups,o=test,o=isp" Reply-Message = "FS User Authorized" DEFAULT ldap-server1-Ldap-Group == "cn=DialupST,ou=Groups,o=test,o=isp" Reply-Message = "ST User Authorized" DEFAULT ldap-server2-Ldap-Group == "cn=DialupFS,ou=Groups,o=test,o=isp" Reply-Message = "FS User Authorized" DEFAULT ldap-server2-Ldap-Group == "cn=DialupST,ou=Groups,o=test,o=isp" Reply-Message = "ST User Authorized" DEFAULT Auth-Type := Reject Reply-Message = "User Not Authorized" DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "SLIP" Framed-Protocol = SLIP ldap module file: ldap ldap-server1 { server = "ldapserver.somedomain.com" identity = "uid=raduser, ou=people, o=test, o=isp" password = testpassword basedn = "ou=people,o=test,o=isp" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueName s)( uniquemember=%{control:Ldap-UserDn})))" } ldap ldap-server2 { server = "ldapserver2.somedomain.com" identity = "uid=raduser, ou=people, o=test, o=isp" password = testpassword basedn = "ou=people,o=test,o=isp" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueName s)( uniquemember=%{control:Ldap-UserDn})))" } The radiusd.conf file: prefix = /usr/local exec_prefix = ${prefix} sysconfdir = ${prefix}/etc localstatedir = ${prefix}/var sbindir = ${exec_prefix}/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct name = radiusd confdir = ${raddbdir} run_dir = ${localstatedir}/run/${name} db_dir = ${raddbdir} libdir = ${exec_prefix}/lib pidfile = ${run_dir}/${name}.pid max_request_time = 30 cleanup_delay = 5 max_requests = 1024 listen { type = auth ipaddr = * port = 0 } listen { ipaddr = * port = 0 type = acct } hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log { destination = files file = ${logdir}/radius.log syslog_facility = daemon stripped_names = no auth = no auth_badpass = no auth_goodpass = no } checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = yes } proxy_requests = yes $INCLUDE proxy.conf $INCLUDE clients.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { $INCLUDE ${confdir}/modules/ $INCLUDE eap.conf } instantiate { exec expr ldap-server1 ldap-server2 expiration logintime } $INCLUDE policy.conf $INCLUDE sites-enabled/ suffix eap { ok = return } unix files redundant { ldap-server1 ldap-server2 } expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix Auth-Type LDAP { redundant { ldap-server1 ldap-server2 } } eap } preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp attr_filter.accounting_response } session { radutmp } post-auth { exec Post-Auth-Type REJECT { attr_filter.access_reject } } pre-proxy { } post-proxy { eap }
Kory Wheatley wrote:
According to the debug log, it is find the group the user belongs to correctly, but instead of setting the Auth-Type to LDAP it is setting it to PAP and rejecting.
Because the "unix" module is finding the users password in /etc/passwd (or via getpwent() ). Un-comment the "unix" entry from the "authorize" section of raddb/sites-available/default And please don't post the configuration. It's not necessary. If it was necessary, the documentation would ask for it. Alan DeKok.
I apologize for the inconvenience of sending the configuration files. I thought sending more detail would help :-). The below steps you provided still didn't work and ended with the same problem. Again I apologize. On Wed, Aug 11, 2010 at 1:56 PM, Alan DeKok <aland@deployingradius.com>wrote:
Kory Wheatley wrote:
According to the debug log, it is find the group the user belongs to correctly, but instead of setting the Auth-Type to LDAP it is setting it to PAP and rejecting.
Because the "unix" module is finding the users password in /etc/passwd (or via getpwent() ).
Un-comment the "unix" entry from the "authorize" section of raddb/sites-available/default
And please don't post the configuration. It's not necessary. If it was necessary, the documentation would ask for it.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, Is there a way to add vendor specific attributes to the RADIUS response without adding the vendor to the dictionary. If the vendor is part of the dictionary, then I use pairmake with the attribute name as in the dictionary and this works. pairmake("Cisco-AVpair", "....", T_OP_SET); Thanks, Latha.
Thanks for the prompt reply. I can defly do that, not an issue. I have a module running in freeradius. Assuming my module already handles delivering vendor specific attribute in the RADIUS response (this is available to me through some shared memory) and tomorrow there is a new vendor, then can I do it without releasing a new code ? Thanks, Latha. --- On Thu, 8/12/10, Alan DeKok <aland@deployingradius.com> wrote: From: Alan DeKok <aland@deployingradius.com> Subject: Re: Vendor Specific Attributes To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Date: Thursday, August 12, 2010, 1:47 AM Latha Krishnamurthi wrote:
Is there a way to add vendor specific attributes to the RADIUS response without adding the vendor to the dictionary.
What's so hard about adding a dictionary entry for the attribute? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Latha Krishnamurthi wrote:
Thanks for the prompt reply. I can defly do that, not an issue. I have a module running in freeradius.
Assuming my module already handles delivering vendor specific attribute in the RADIUS response (this is available to me through some shared memory) and tomorrow there is a new vendor, then can I do it without releasing a new code ?
Update the dictionaries. That's what dictionaries are for. Alan DeKok.
Thanks Alan. Will do that. -Latha. --- On Thu, 8/12/10, Alan DeKok <aland@deployingradius.com> wrote: From: Alan DeKok <aland@deployingradius.com> Subject: Re: Vendor Specific Attributes To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Date: Thursday, August 12, 2010, 12:40 PM Latha Krishnamurthi wrote:
Thanks for the prompt reply. I can defly do that, not an issue. I have a module running in freeradius. Assuming my module already handles delivering vendor specific attribute in the RADIUS response (this is available to me through some shared memory) and tomorrow there is a new vendor, then can I do it without releasing a new code ?
Update the dictionaries. That's what dictionaries are for. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Per your suggestions from the last email I checked and the: Un-comment the "unix" entry from the "authorize" section of raddb/sites-available/default Was un-commented and below is the output from trying to authenticate a user that is a member of the DialupFS group and does not have an account in /etc/passwd. For some reason it is falling though to PAP and saying "No authenticate method (Auth-Type) configuration found for the request:". This behavior only started when I tried to implement redundant ldap servers and in the users file having DEFAULT LDAP Groups for each LDAP module. If I do not use the redundant LDAP servers and just place both LDAP servers in the LDAP module like this it works correctly: server ="server1.somedomain.com, server2.somedomain.com" Thanks for your help rad_recv: Access-Request packet from host 127.0.0.1 port 52514, id=166, length=60 User-Name = "testuser1" User-Password = "testpassword" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "testuser1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [ldap-server1] Entering ldap_groupcmp() [files] expand: ou=people,o=test <http://isu.edu/>,o=isp -> ou=people,o=test <http://isu.edu/>,o=isp [files] expand: %{Stripped-User-Name} -> [files] ... expanding second conditional [files] expand: %{User-Name} -> testuser1 [files] expand: (uid=%{%{Stripped-User-Name}:- %{User-Name}}) -> (uid=testuser1) [ldap-server1] ldap_get_conn: Checking Id: 0 [ldap-server1] ldap_get_conn: Got Id: 0 [ldap-server1] attempting LDAP reconnection [ldap-server1] (re)connect to server1.somedomain.com:389<http://frank.isos.isu.edu:389/>, authentication 0 [ldap-server1] bind as uid=raduser, ou=people, o=test <http://isu.edu/>, o=isp/testpassword to server1.somedomain.com:389<http://frank.isos.isu.edu:389/> [ldap-server1] waiting for bind result ... [ldap-server1] Bind was successful [ldap-server1] performing search in ou=people,o=test <http://isu.edu/>,o=isp, with filter (uid=testuser1) [ldap-server1] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=uid\3dtestuser1\2cou\3dpeople\2co\ 3dtest <http://3disu.edu/> \2co\3disp))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestuser1\2cou\3dpeople\2co\ 3dtest <http://3disu.edu/>\2co\3disp))) [ldap-server1] ldap_get_conn: Checking Id: 0 [ldap-server1] ldap_get_conn: Got Id: 0 [ldap-server1] performing search in cn=DialupFS,ou=Groups,o=test<http://isu.edu/>,o=isp, with filter (|(&(objectClass=GroupOfNames)(member=uid\3dtestuser1\2cou\3dpeople\2co\ 3dtest <http://3disu.edu/> \2co\3disp))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestuser1\2cou\3dpeople\2co\ 3dtest <http://3disu.edu/>\2co\3disp))) [ldap-server1] ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 166 ++[files] returns ok ++- entering policy redundant {...} [ldap-server1] performing user authorization for testuser1 [ldap-server1] expand: %{Stripped-User-Name} -> [ldap-server1] ... expanding second conditional [ldap-server1] expand: %{User-Name} -> testuser1 [ldap-server1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testuser1) [ldap-server1] expand: ou=people,o=test <http://isu.edu/>,o=isp -> ou=people,o=test <http://isu.edu/>,o=isp [ldap-server1] ldap_get_conn: Checking Id: 0 [ldap-server1] ldap_get_conn: Got Id: 0 [ldap-server1] performing search in ou=people,o=test <http://isu.edu/>,o=isp, with filter (uid=testuser1) [ldap-server1] looking for check items in directory... [ldap-server1] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap-server1] user testuser1 authorized to use remote access [ldap rlm_ldap::ldap_groupcmp: User found in group cn=DialupFS,ou=Groups,o=test <http://isu.edu/>,o=isp -server1] ldap_release_conn: Release Id: 0 +++[ldap-server1] returns ok ++- policy redundant returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request:Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> testuser1 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 166 to 127.0.0.1 port 52514 Reply-Message = "FS User Authorized" Waking up in 4.9 seconds. Cleaning up request 0 ID 166 with timestamp +74 Ready to process requests. On Thu, Aug 12, 2010 at 1:59 AM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
I apologize for the inconvenience of sending the configuration files. I thought sending more detail would help :-). The below steps you provided still didn't work and ended with the same problem. Again I apologize.
....radiusd -X ?
we cannot help without this information
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Per your suggestions from the last email I checked and the: Un-comment the "unix" entry from the "authorize" section of raddb/sites-available/default Was un-commented and below is the output from trying to authenticate a user that is a member of the DialupFS group and does not have an account in /etc/passwd. For some reason it is falling though to PAP and saying "No authenticate method (Auth-Type) configuration found for the request:". This behavior only started when I tried to implement redundant ldap servers and in the users file having DEFAULT LDAP Groups for each LDAP module. If I do not use the redundant LDAP servers and just place both LDAP servers in the LDAP module like this it works correctly: server ="server1.somedomain.com, server2.somedomain.com" Thanks for your help rad_recv: Access-Request packet from host 127.0.0.1 port 52514, id=166, length=60 User-Name = "testuser1" User-Password = "testpassword" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "testuser1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [ldap-server1] Entering ldap_groupcmp() [files] expand: ou=people,o=test <http://isu.edu/>,o=isp -> ou=people,o=test <http://isu.edu/>,o=isp [files] expand: %{Stripped-User-Name} -> [files] ... expanding second conditional [files] expand: %{User-Name} -> testuser1 [files] expand: (uid=%{%{Stripped-User-Name}:- %{User-Name}}) -> (uid=testuser1) [ldap-server1] ldap_get_conn: Checking Id: 0 [ldap-server1] ldap_get_conn: Got Id: 0 [ldap-server1] attempting LDAP reconnection [ldap-server1] (re)connect to server1.somedomain.com:389<http://frank.isos.isu.edu:389/>, authentication 0 [ldap-server1] bind as uid=raduser, ou=people, o=test <http://isu.edu/>, o=isp/testpassword to server1.somedomain.com:389<http://frank.isos.isu.edu:389/> [ldap-server1] waiting for bind result ... [ldap-server1] Bind was successful [ldap-server1] performing search in ou=people,o=test <http://isu.edu/>,o=isp, with filter (uid=testuser1) [ldap-server1] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=uid\3dtestuser1\2cou\3dpeople\2co\ 3dtest <http://3disu.edu/> \2co\3disp))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestuser1\2cou\3dpeople\2co\ 3dtest <http://3disu.edu/>\2co\3disp))) [ldap-server1] ldap_get_conn: Checking Id: 0 [ldap-server1] ldap_get_conn: Got Id: 0 [ldap-server1] performing search in cn=DialupFS,ou=Groups,o=test<http://isu.edu/>,o=isp, with filter (|(&(objectClass=GroupOfNames)(member=uid\3dtestuser1\2cou\3dpeople\2co\ 3dtest <http://3disu.edu/> \2co\3disp))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestuser1\2cou\3dpeople\2co\ 3dtest <http://3disu.edu/>\2co\3disp))) [ldap-server1] ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 166 ++[files] returns ok ++- entering policy redundant {...} [ldap-server1] performing user authorization for testuser1 [ldap-server1] expand: %{Stripped-User-Name} -> [ldap-server1] ... expanding second conditional [ldap-server1] expand: %{User-Name} -> testuser1 [ldap-server1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testuser1) [ldap-server1] expand: ou=people,o=test <http://isu.edu/>,o=isp -> ou=people,o=test <http://isu.edu/>,o=isp [ldap-server1] ldap_get_conn: Checking Id: 0 [ldap-server1] ldap_get_conn: Got Id: 0 [ldap-server1] performing search in ou=people,o=test <http://isu.edu/>,o=isp, with filter (uid=testuser1) [ldap-server1] looking for check items in directory... [ldap-server1] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap-server1] user testuser1 authorized to use remote access [ldap rlm_ldap::ldap_groupcmp: User found in group cn=DialupFS,ou=Groups,o=test <http://isu.edu/>,o=isp -server1] ldap_release_conn: Release Id: 0 +++[ldap-server1] returns ok ++- policy redundant returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request:Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> testuser1 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 166 to 127.0.0.1 port 52514 Reply-Message = "FS User Authorized" Waking up in 4.9 seconds. Cleaning up request 0 ID 166 with timestamp +74 Ready to process requests. On Thu, Aug 12, 2010 at 1:59 AM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
I apologize for the inconvenience of sending the configuration files. I thought sending more detail would help :-). The below steps you provided still didn't work and ended with the same problem. Again I apologize.
....radiusd -X ?
we cannot help without this information
alan
Kory Wheatley wrote:
Was un-commented and below is the output from trying to authenticate a user that is a member of the DialupFS group and does not have an account in /etc/passwd. For some reason it is falling though to PAP and saying "No authenticate method (Auth-Type) configuration found for the request:".
Because of an earlier error, which you ignored:
[ldap-server1] looking for check items in directory... [ldap-server1] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
The LDAP query did not return a "known good" password. So the user cannot be authenticated.
This behavior only started when I tried to implement redundant ldap servers and in the users file having DEFAULT LDAP Groups for each LDAP module.
I have no idea what that means.
If I do not use the redundant LDAP servers and just place both LDAP servers in the LDAP module like this it works correctly:
server ="server1.somedomain.com, server2.somedomain.com "
Since you haven't explained what you put in the "users" file entry, it is difficult to know what was misconfigured. Alan DeKok.
participants (4)
-
Alan Buxey -
Alan DeKok -
Kory Wheatley -
Latha Krishnamurthi