Hello! radiusd: FreeRADIUS Version 1.1.3, for host x86_64-redhat-linux-gnu, built on Apr 25 2007 at 09:04:23 I need to make an authorization of some RADIUS clients in LDAP by RADIUS. Clients need only to check passwords. I can check this in ONE LDAP server at a time without problems. It's work fine. But i need some different. I need to check user/password in TWO different LDAP server. If ANY of LDAPs tell "password is ok" RADIUS must accept this userid/passwd pair. Userlists in this two LDAP have some overlap. Most (but not all) of the users presents in BOTH of LDAP servers. Passwords between LDAP servers are different. With curent configuration i get this: if username aren't found in first LDAP lets proceed to the next if username aren't found in second LDAP lets DENY access if username is found in first LDAP and password is accepted by first LDAP lets ALLOW access. if username is found in first LDAP and password aren't accepted by first LDAP lets DENY access. RADIUS doesn't check password in the second LDAP server. I know why but i doesn't know how to change this behavior. this is how looks users: --- LDAP1: uid=userid,o=org1 LDAP2: uid=userid,o=org2 --- As you can see organization is different in this two LDAP servers. I check this with "radtest" utility. /etc/raddb/radiusd.conf ------------------ modules { ldap tam { server = "ldap1.ts" basedn = "o=org1" filter = "(uid=%{User-Name})" authtype = tam start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 compare_check_items = no do_xlat = no access_attr_used_for_allow = no set_auth_type = yes } ldap lotus { server = "ldap2.ts" basedn = "o=org2" filter = "(uid=%{User-Name})" authtype = lotus start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 compare_check_items = no do_xlat = no access_attr_used_for_allow = no set_auth_type = yes } radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 #suppress { # User-Password #} } } authorize { group ldap { tam { notfound = 1 noop= 2 fail = 3 reject = 4 ok = return } lotus { notfound = 1 noop= 2 fail = 3 reject = 4 ok = return } handled } } authenticate { Auth-Type tam { tam { notfound = 1 noop= 2 fail = 3 reject = 4 ok = return } handled } Auth-Type lotus { lotus { notfound = 1 noop= 2 fail = 3 reject = 4 ok = return } handled } } -------------------------- logfiles: user exist in LDAP1 and password is good in LDAP1 --- rad_recv: Access-Request packet from host 192.168.110.3:49867, id=21, length=64 User-Name = "vmendelevich" User-Password = "11111111" NAS-IP-Address = 192.168.110.3 NAS-Port = 10 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall: entering group ldap for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for vmendelevich radius_xlat: '(uid=vmendelevich)' radius_xlat: 'o=org1' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap1.ts:389, authentication 0 rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow rlm_ldap: bind as / to ldap1.kmz.ts:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in o=org1, with filter (uid=vmendelevich) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Setting Auth-Type = tam rlm_ldap: user vmendelevich authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "tam" returns ok for request 0 modcall: leaving group ldap (returns ok) for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type tam auth: type "tam" Processing the authenticate section of radiusd.conf modcall: entering group tam for request 0 rlm_ldap: - authenticate rlm_ldap: login attempt by "vmendelevich" with password "11111111" rlm_ldap: user DN: uid=vmendelevich,o=org1 rlm_ldap: (re)connect to ldap1.ts:389, authentication 1 rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow rlm_ldap: bind as uid=vmendelevich,o=org1/11111111 to ldap1.ts:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user vmendelevich authenticated succesfully modcall[authenticate]: module "tam" returns ok for request 0 modcall: leaving group tam (returns ok) for request 0 Login OK: [vmendelevich] (from client VMendelevich port 10) Sending Access-Accept of id 21 to 192.168.110.3 port 49867 Finished request 0 Going to the next request ---- user doesn't exist in LDAP1, but exist in LDAP2 and password is good in LDAP2 --- rad_recv: Access-Request packet from host 192.168.110.3:44439, id=108, length=57 User-Name = "aldap" User-Password = "22222222" NAS-IP-Address = 192.168.110.3 NAS-Port = 10 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall: entering group ldap for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for aldap radius_xlat: '(uid=aldap)' radius_xlat: 'o=tamknown' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=org1, with filter (uid=aldap) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "tam" returns notfound for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for aldap radius_xlat: '(uid=aldap)' radius_xlat: 'o=org2' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap2.ts:389, authentication 0 rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow rlm_ldap: bind as cn=admin ldap,o=org2/22222222 to ldap2.ts:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in o=org2, with filter (uid=aldap) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Setting Auth-Type = lotus rlm_ldap: user aldap authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "lotus" returns ok for request 1 modcall: leaving group ldap (returns ok) for request 1 modcall: leaving group authorize (returns ok) for request 1 rad_check_password: Found Auth-Type lotus auth: type "lotus" Processing the authenticate section of radiusd.conf modcall: entering group lotus for request 1 rlm_ldap: - authenticate rlm_ldap: login attempt by "aldap" with password "22222222" rlm_ldap: user DN: CN=Admin LDAP,O=org2 rlm_ldap: (re)connect to ldap2.ts:389, authentication 1 rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow rlm_ldap: bind as CN=Admin LDAP,O=org2/22222222 to ldap2.ts:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user aldap authenticated succesfully modcall[authenticate]: module "lotus" returns ok for request 1 modcall: leaving group lotus (returns ok) for request 1 Login OK: [aldap] (from client VMendelevich port 10) Sending Access-Accept of id 108 to 192.168.110.3 port 44439 Finished request 1 Going to the next request --- username exist in BOTH LDAP but password can be accepted only by LDAP2 --- rad_recv: Access-Request packet from host 192.168.110.3:55540, id=92, length=64 User-Name = "vmendelevich" User-Password = "33333333" NAS-IP-Address = 192.168.110.3 NAS-Port = 10 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall: entering group ldap for request 2 rlm_ldap: - authorize rlm_ldap: performing user authorization for vmendelevich radius_xlat: '(uid=vmendelevich)' radius_xlat: 'o=org1' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=org1, with filter (uid=vmendelevich) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Setting Auth-Type = tam rlm_ldap: user vmendelevich authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "tam" returns ok for request 2 modcall: leaving group ldap (returns ok) for request 2 modcall: leaving group authorize (returns ok) for request 2 rad_check_password: Found Auth-Type tam auth: type "tam" Processing the authenticate section of radiusd.conf modcall: entering group tam for request 2 rlm_ldap: - authenticate rlm_ldap: login attempt by "vmendelevich" with password "33333333" rlm_ldap: user DN: uid=vmendelevich,o=org1 rlm_ldap: (re)connect to ldap1.ts:389, authentication 1 rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow rlm_ldap: bind as uid=vmendelevich,o=org1/33333333 to ldap1.ts:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind failed with invalid credentials modcall[authenticate]: module "tam" returns reject for request 2 modcall[authenticate]: module "handled" returns handled for request 2 modcall: leaving group tam (returns handled) for request 2 There was no response configured: rejecting request 2 Server rejecting request 2. Finished request 2 Going to the next request --- As i see i need to make something like "group" in authentication section. But i don't see how. Please advice. Thank you. UIN:9244669 Phone:+7(495)727-0982 ext.4162
radiusd: FreeRADIUS Version 1.1.3, for host x86_64-redhat-linux-gnu, built on Apr 25 2007 at 09:04:23
Upgrade. http://wiki.freeradius.org/Red_Hat_FAQ#Current_Pre-built_RPM.27s_for_RHEL_5_...
I need to make an authorization of some RADIUS clients in LDAP by RADIUS. Clients need only to check passwords. I can check this in ONE LDAP server at a time without problems. It's work fine. But i need some different.
I need to check user/password in TWO different LDAP server. If ANY of LDAPs tell "password is ok" RADIUS must accept this userid/passwd pair. Userlists in this two LDAP have some overlap. Most (but not all) of the users presents in BOTH of LDAP servers. Passwords between LDAP servers are different.
With curent configuration i get this:
if username aren't found in first LDAP lets proceed to the next if username aren't found in second LDAP lets DENY access
You probably don't need that after upgrade. Just force Auth-Type LDAP in users file.
if username is found in first LDAP and password is accepted by first LDAP lets ALLOW access. if username is found in first LDAP and password aren't accepted by first LDAP lets DENY access.
RADIUS doesn't check password in the second LDAP server. I know why but i doesn't know how to change this behavior.
Create failover inside Auth-Type LDAP: Auth-Type LDAP { tam { reject = 2 } if(reject) { lotus } } Ivan Kalik
On Wed, 25 Nov 2009 19:51:34 -0000 (UTC) tnt@kalik.net wrote: Thank you foк the reply.
radiusd: FreeRADIUS Version 1.1.3, for host x86_64-redhat-linux-gnu, built on Apr 25 2007 at 09:04:23
Upgrade.
http://wiki.freeradius.org/Red_Hat_FAQ#Current_Pre-built_RPM.27s_for_RHEL_5_...
Done. FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu, built on Sep 18 2009 at 11:00:13 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
With curent configuration i get this:
if username aren't found in first LDAP lets proceed to the next if username aren't found in second LDAP lets DENY access
You probably don't need that after upgrade. Just force Auth-Type LDAP in users file.
As i doesn't have any other auth rather LDAP it is done automatically. I hope so. ;-)
Create failover inside Auth-Type LDAP:
Auth-Type LDAP { tam { reject = 2 } if(reject) { lotus } }
I have realised something like this in my long road to success. Unfortunately there an issue. LDAP1: uid=username,o=org1 LDAP2: uid=username,o=org2 As you can see "o=org..." is different. -------- rad_recv: Access-Request packet from host 192.168.110.3 port 46057, id=141, length=64 User-Name = "vmendelevich" User-Password = "33333333" NAS-IP-Address = 192.168.110.3 NAS-Port = 10 +- entering group authorize {...} ++- entering group ldap {...} [tam] performing user authorization for vmendelevich [tam] expand: (uid=%{User-Name}) -> (uid=vmendelevich) [tam] expand: o=org1 -> o=org1 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to skoll-vm1.kmz.ts:389, authentication 0 rlm_ldap: bind as / to skoll-vm1.kmz.ts:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in o=org1, with filter (uid=vmendelevich) [tam] looking for check items in directory... [tam] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [tam] Setting Auth-Type = tam [tam] user vmendelevich authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[tam] returns ok ++- group ldap returns ok Found Auth-Type = tam +- entering group tam {...} [tam] login attempt by "vmendelevich" with password "33333333" [tam] user DN: uid=vmendelevich,o=org1 rlm_ldap: (re)connect to ldap1.ts:389, authentication 1 rlm_ldap: bind as uid=vmendelevich,o=org1/33333333 to ldap1.ts:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind failed with invalid credentials ++[tam] returns reject ++? if (reject) ? Evaluating (reject) -> TRUE ++? if (reject) -> TRUE ++- entering if (reject) {...} [lotus] login attempt by "vmendelevich" with password "33333333" [lotus] user DN: uid=vmendelevich,o=org1 rlm_ldap: (re)connect to ldap2.ts:389, authentication 1 rlm_ldap: bind as uid=vmendelevich,o=org1/33333333 to ldap2.ts:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind failed with invalid credentials +++[lotus] returns reject ++- if (reject) returns reject Failed to authenticate the user. Login incorrect (rlm_ldap: Bind as user failed): [vmendelevich] (from client VMendelevich port 10) Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 141 to 192.168.110.3 port 46057 Waking up in 4.9 seconds. Cleaning up request 0 ID 141 with timestamp +223 Ready to process requests. ------------- You can see when radius try to authenticate on the second LDAP (ldap2.ts) it hasn't changed o=org1 to o=org2. This is a problem. we cannot modify any scheme of those two LDAP servers. UIN:9244669 Phone:+7(495)727-0982 ext.4162
With curent configuration i get this:
if username aren't found in first LDAP lets proceed to the next if username aren't found in second LDAP lets DENY access
You probably don't need that after upgrade. Just force Auth-Type LDAP in users file.
As i doesn't have any other auth rather LDAP it is done automatically. I hope so. ;-)
Enable files (and comment out ldap entries) and put: DEFAULT Auth-Type := tam at the top of the users file. That's much cheaper way.
Create failover inside Auth-Type LDAP:
Auth-Type LDAP { tam { reject = 2 } if(reject) { lotus } }
I have realised something like this in my long road to success. Unfortunately there an issue.
LDAP1: uid=username,o=org1 LDAP2: uid=username,o=org2
As you can see "o=org..." is different.
You can see when radius try to authenticate on the second LDAP (ldap2.ts) it hasn't changed o=org1 to o=org2. This is a problem. we cannot modify any scheme of those two LDAP servers.
Check base_dn. You say it is different but server debug would disagree. Ivan Kalik
On Thu, 26 Nov 2009 18:21:29 -0000 (UTC) tnt@kalik.net wrote:
As i doesn't have any other auth rather LDAP it is done automatically. I hope so. ;-)
Enable files (and comment out ldap entries) and put:
DEFAULT Auth-Type := tam
at the top of the users file. That's much cheaper way.
Hm... I think i don't understand you. What to disable in what section? authorize or authentificate?
Check base_dn. You say it is different but server debug would disagree.
But they are. ldap tam { server = "skoll-vm1.kmz.ts" basedn = "o=tamknown" filter = "(uid=%{User-Name})" authtype = tam start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 compare_check_items = no do_xlat = no access_attr_used_for_allow = no set_auth_type = yes } ldap lotus { server = "ldap.kmz.ts" basedn = "o=tsas" filter = "(uid=%{User-Name})" authtype = lotus start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 compare_check_items = no do_xlat = no access_attr_used_for_allow = no set_auth_type = yes } Previous version have written different base dn on the screen on every debug. You can see it in my first message. Now i cannot see it on the screen. Below is unmodified output. rad_recv: Access-Request packet from host 192.168.110.3 port 52866, id=87, length=64 User-Name = "vmendelevich" User-Password = "33333333" NAS-IP-Address = 192.168.110.3 NAS-Port = 10 +- entering group authorize {...} ++- entering group ldap {...} [tam] performing user authorization for vmendelevich [tam] expand: (uid=%{User-Name}) -> (uid=vmendelevich) [tam] expand: o=tamknown -> o=tamknown rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to skoll-vm1.kmz.ts:389, authentication 0 rlm_ldap: bind as / to skoll-vm1.kmz.ts:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in o=tamknown, with filter (uid=vmendelevich) [tam] looking for check items in directory... [tam] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [tam] Setting Auth-Type = tam [tam] user vmendelevich authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[tam] returns ok ++- group ldap returns ok Found Auth-Type = tam +- entering group tam {...} [tam] login attempt by "vmendelevich" with password "33333333" [tam] user DN: uid=vmendelevich,o=tamknown rlm_ldap: (re)connect to skoll-vm1.kmz.ts:389, authentication 1 rlm_ldap: bind as uid=vmendelevich,o=tamknown/33333333 to skoll-vm1.kmz.ts:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind failed with invalid credentials ++[tam] returns reject ++? if (reject) ? Evaluating (reject) -> TRUE ++? if (reject) -> TRUE ++- entering if (reject) {...} [lotus] login attempt by "vmendelevich" with password "33333333" [lotus] user DN: uid=vmendelevich,o=tamknown rlm_ldap: (re)connect to ldap.kmz.ts:389, authentication 1 rlm_ldap: bind as uid=vmendelevich,o=tamknown/33333333 to ldap.kmz.ts:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind failed with invalid credentials +++[lotus] returns reject ++- if (reject) returns reject Failed to authenticate the user. Login incorrect (rlm_ldap: Bind as user failed): [vmendelevich] (from client VMendelevich port 10) Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 87 to 192.168.110.3 port 52866 Waking up in 4.9 seconds. Cleaning up request 0 ID 87 with timestamp +14 Ready to process requests. My problem has begun exactly at this point. When authentification is passed on the second server base_dn is used from the first request to first server. UIN:9244669 Phone:+7(495)727-0982 ext.4162
On Thu, 26 Nov 2009 18:21:29 -0000 (UTC) tnt@kalik.net wrote:
As i doesn't have any other auth rather LDAP it is done automatically. I hope so. ;-)
Enable files (and comment out ldap entries) and put:
DEFAULT Auth-Type := tam
at the top of the users file. That's much cheaper way.
Hm... I think i don't understand you. What to disable in what section? authorize or authentificate?
Remove tam and lotus from authorize section of default virtual server - you are not authorizing anything just doing authentication. Instead just put that line at the top of the users file and enable files in authorize.
Check base_dn. You say it is different but server debug would disagree.
But they are.
ldap tam { server = "skoll-vm1.kmz.ts" basedn = "o=tamknown" filter = "(uid=%{User-Name})" authtype = tam start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 compare_check_items = no do_xlat = no access_attr_used_for_allow = no set_auth_type = yes } ldap lotus { server = "ldap.kmz.ts" basedn = "o=tsas" filter = "(uid=%{User-Name})" authtype = lotus start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 compare_check_items = no do_xlat = no access_attr_used_for_allow = no set_auth_type = yes }
Post the debug of server startup (part before requests can be processed. Ivan Kalik
On Fri, 27 Nov 2009 14:57:44 -0000 (UTC) tnt@kalik.net wrote:
Remove tam and lotus from authorize section of default virtual server - you are not authorizing anything just doing authentication. Instead just put that line at the top of the users file and enable files in authorize.
OK. Thanks you. Now i understand. Done this.
Post the debug of server startup (part before requests can be processed.
This REALY big. I think you are interested in LDAP part? --------------------- FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu, built on Sep 18 2009 at 11:00:13 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/pam group = radiusd user = radiusd including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib64" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log_auth = yes log_auth_badpass = no log_auth_goodpass = no log_stripped_names = no security { max_attributes = 200 reject_delay = 1 status_server = no } } radiusd: #### Loading Realms and Home Servers #### radiusd: #### Loading Clients #### client client1 { require_message_authenticator = no secret = "123" shortname = "client1" } client client2 { require_message_authenticator = no secret = "123" shortname = "client2" } client client3 { require_message_authenticator = no secret = "123" shortname = "client3" } radiusd: #### Instantiating modules #### radiusd: #### Loading Virtual Servers #### server { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_ldap Module: Instantiating tam ldap tam { server = "skoll-vm1.kmz.ts" port = 389 password = "" identity = "" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" basedn = "o=tamknown" filter = "(uid=%{User-Name})" base_filter = "(objectclass=radiusprofile)" auto_header = no access_attr_used_for_allow = no groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = no set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Creating new attribute tam-Ldap-Group rlm_ldap: Registering ldap_groupcmp for tam-Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name tam rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0xf72da70 Module: Instantiating lotus ldap lotus { server = "ldap.kmz.ts" port = 389 password = "1234567890" identity = "cn=user,o=tsas" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" basedn = "o=tsas" filter = "(uid=%{User-Name})" base_filter = "(objectclass=radiusprofile)" auto_header = no access_attr_used_for_allow = no groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = no set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Creating new attribute lotus-Ldap-Group rlm_ldap: Registering ldap_groupcmp for lotus-Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name lotus rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0xf72f840 Module: Linked to module rlm_always Module: Instantiating handled always handled { rcode = "handled" simulcount = 0 mpp = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/raddb/users" compat = "no" } } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on proxy address * port 1814 Ready to process requests. --------------- testing this conf. password is a fake? so authentication failed. but you can see than used basedn is from the first server not from the second. --------------- rad_recv: Access-Request packet from host 192.168.110.3 port 45965, id=14, length=64 User-Name = "vmendelevich" User-Password = "33333333" NAS-IP-Address = 192.168.110.3 NAS-Port = 10 +- entering group authorize {...} [files] users: Matched entry DEFAULT at line 52 ++[files] returns ok Found Auth-Type = tam +- entering group tam {...} [tam] login attempt by "vmendelevich" with password "33333333" [tam] expand: (uid=%{User-Name}) -> (uid=vmendelevich) [tam] expand: o=tamknown -> o=tamknown rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to skoll-vm1.kmz.ts:389, authentication 0 rlm_ldap: bind as / to skoll-vm1.kmz.ts:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in o=tamknown, with filter (uid=vmendelevich) rlm_ldap: ldap_release_conn: Release Id: 0 [tam] user DN: uid=vmendelevich,o=tamknown rlm_ldap: (re)connect to skoll-vm1.kmz.ts:389, authentication 1 rlm_ldap: bind as uid=vmendelevich,o=tamknown/33333333 to skoll-vm1.kmz.ts:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind failed with invalid credentials ++[tam] returns reject ++? if (reject) ? Evaluating (reject) -> TRUE ++? if (reject) -> TRUE ++- entering if (reject) {...} [lotus] login attempt by "vmendelevich" with password "33333333" [lotus] user DN: uid=vmendelevich,o=tamknown rlm_ldap: (re)connect to ldap.kmz.ts:389, authentication 1 rlm_ldap: bind as uid=vmendelevich,o=tamknown/33333333 to ldap.kmz.ts:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind failed with invalid credentials +++[lotus] returns reject ++- if (reject) returns reject Failed to authenticate the user. Login incorrect (rlm_ldap: Bind as user failed): [vmendelevich] (from client VMendelevich port 10) Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 14 to 192.168.110.3 port 45965 Waking up in 4.9 seconds. Cleaning up request 0 ID 14 with timestamp +457 Ready to process requests. ------------- IMHO i must see when connecting to first server: [tam] user DN: uid=vmendelevich,o=tamknown and this when to second: [lotus] user DN: uid=vmendelevich,o=tsas i think this happend because expanding is made only once: +- entering group tam {...} [tam] login attempt by "vmendelevich" with password "33333333" [tam] expand: (uid=%{User-Name}) -> (uid=vmendelevich) [tam] expand: o=tamknown -> o=tamknown Thanks you once more for you answers. UIN:9244669 Phone:+7(495)727-0982 ext.4162
IMHO i must see when connecting to first server:
[tam] user DN: uid=vmendelevich,o=tamknown
and this when to second:
[lotus] user DN: uid=vmendelevich,o=tsas
i think this happend because expanding is made only once:
+- entering group tam {...} [tam] login attempt by "vmendelevich" with password "33333333" [tam] expand: (uid=%{User-Name}) -> (uid=vmendelevich) [tam] expand: o=tamknown -> o=tamknown
Correct. I don't know why second instance didn't expand. Perhaps you should file the bug report and see if Alan will fix this. I know that you should try to avoid ldap authentication but if you can have different passwords for the same user (which is very bad design) in redundant ldap servers, doing redundant authentication is the only way. Can you list tam and lotus in authorize section and just make sure that expansion works as expected there. Ivan Kalik
participants (2)
-
tnt@kalik.net -
Vladimir Mendelevich