Help with multiple LDAP servers
Hi, I know this has been discussed before on the list and there is documentation for this, but I have literally spent days on this and I cannot get the result that I am looking for. I am hoping someone can share a configuration with me that works. Basically, I am looking to have radius authenticate to two LDAP servers one after the other. It is not a true failover or load balance situation, as both servers need to be queried at the same time. Basically, I want the first LDAP server to be queried for a username/password, then if the user is not found, try the second one. I did not extend the schema on either LDAP server, and I do not really want to do that if at all possible, since I am just using freeradius for authentication. One a side note, if I just use one LDAP server in the configuration, it works fine. I can authenticate to both LDAP servers if I only list one. What seems to happen with this configuration is that it only trys the first LDAP server, and if the user does not exist, it quits right there and does not try the second (ad_ldap). Any help would be greatly appreciated. I am running the following version of freeradius: radiusd -v: radiusd: FreeRADIUS Version 1.1.3 rpm -qa | grep freeradius: freeradius-1.1.3-1.2.el5 Here are the relevant parts of my config: $sysconfdir/raddb/radiusd.conf: modules { ldap rhds_ldap { server = "xxx.xxx.com" identity = "cn=ciscoap,ou=System,dc=xx,dc=xx,dc=xx" password = "xxxx" basedn = "dc=xx,dc=xx,dc=xx" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=DUser)" start_tls = no access_attr = "uid" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 } ldap ad_ldap { server = "yyy.yyy.com" identity = "CN=CiscoAP,CN=Users,DC=yy,DC=yy" password = "yyyy" basedn = "dc=yy,dc=yy" filter = "(samAccountName=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=person)" start_tls = no access_attr = "samAccountName" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 } } authorize { redundant { rhds_ldap rhds_ldap notfound = reject } } authenticate { Auth-Type LDAP { rhds_ldap ad_ldap } } $sysconfdir/raddb/users: (added) DEFAULT Auth-Type := LDAP Fall-Through = Yes $sysconfdir/raddb/ldap.attrmap: (added) checkItem User-Password userPassword
I know this has been discussed before on the list and there is documentation for this, but I have literally spent days on this and I cannot get the result that I am looking for. I am hoping someone can share a configuration with me that works. Basically, I am looking to have radius authenticate to two LDAP servers one after the other. It is not a true failover or load balance situation, as both servers need to be queried at the same time. Basically, I want the first LDAP server to be queried for a username/password, then if the user is not found, try the second one.
radiusd -v: radiusd: FreeRADIUS Version 1.1.3
rpm -qa | grep freeradius: freeradius-1.1.3-1.2.el5
Upgrade. Then create redundant section for ldap servers in authorize. Ivan Kalik Kalik Informatika ISP
Upgrade. Then create redundant section for ldap servers in authorize.
Would I be able to go to latest 1.1.x release to get this working or do I need to go to 2.x?
Redundant should work in 1.1.7. But in 2.x you can use unlang for even more flexibility. Not to mention all the bug and security fixes and enhancements in years since 1.1.7. If you are upgrading go for the latest version. Ivan Kalik Kalik Informatika ISP
Quoting "Ivan Kalik" <tnt@kalik.net>:
Redundant should work in 1.1.7. But in 2.x you can use unlang for even more flexibility. Not to mention all the bug and security fixes and enhancements in years since 1.1.7. If you are upgrading go for the latest version.
I have upgraded to 1.1.7, and I still have the same behavior. Is my configuration right for what I want to do?
Redundant should work in 1.1.7. But in 2.x you can use unlang for even more flexibility. Not to mention all the bug and security fixes and enhancements in years since 1.1.7. If you are upgrading go for the latest version.
I have upgraded to 1.1.7, and I still have the same behavior. Is my configuration right for what I want to do?
So what does first ldap section return when user is missling - fail or reject (I see you have access attribute configured there)? If it's reject you need unlang (ie 2.x). Ivan Kalik Kalik Informatika ISP
Quoting "Ivan Kalik" <tnt@kalik.net>:
So what does first ldap section return when user is missling - fail or reject (I see you have access attribute configured there)? If it's reject you need unlang (ie 2.x).
Here is my output of radtest with a user on the second LDAP server. This server never gets quieried unless the first one is offline. I also made these changes to radiusd.conf after re-reading the configurable_failover document. I would appreciate some pointers because I am just not getting it. redundant { rhds_ldap notfound = 1 ok = return ad_ldap notfound = 1 ok = return } modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 modcall: entering group redundant for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for testuser radius_xlat: '(uid=testuser)' radius_xlat: 'dc=xx,dc=xx,dc=xx' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to xx.xx.com:389, authentication 0 rlm_ldap: bind as cn=ciscoap,ou=System,dc=xx,dc=xx,dc=xx/xxxx to xx.xx.com:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=xx,dc=xx,dc=xx, with filter (uid=testuser) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "rhds_ldap" returns notfound for request 0 modcall: leaving group redundant (returns notfound) for request 0 users: Matched entry DEFAULT at line 153 users: Matched entry DEFAULT at line 216 modcall[authorize]: module "files" returns ok for request 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group LDAP for request 0 rlm_ldap: - authenticate rlm_ldap: login attempt by "testuser" with password "password" radius_xlat: '(uid=testuser)' radius_xlat: 'dc=xx,dc=xx,dc=xx' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=xx,dc=xx,dc=xx, with filter (uid=testuser) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authenticate]: module "rhds_ldap" returns notfound for request 0 modcall: leaving group LDAP (returns notfound) for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 236 to 127.0.0.1 port 41511 Waking up in 4 seconds...
Quoting "Ivan Kalik" <tnt@kalik.net>:
So what does first ldap section return when user is missling - fail or reject (I see you have access attribute configured there)? If it's reject you need unlang (ie 2.x).
Here is my output of radtest with a user on the second LDAP server. This server never gets quieried unless the first one is offline. I also made these changes to radiusd.conf after re-reading the configurable_failover document. I would appreciate some pointers because I am just not getting it.
redundant {
rhds_ldap notfound = 1 ok = return ad_ldap notfound = 1 ok = return }
modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 modcall: entering group redundant for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for testuser radius_xlat: '(uid=testuser)' radius_xlat: 'dc=xx,dc=xx,dc=xx' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to xx.xx.com:389, authentication 0 rlm_ldap: bind as cn=ciscoap,ou=System,dc=xx,dc=xx,dc=xx/xxxx to xx.xx.com:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=xx,dc=xx,dc=xx, with filter (uid=testuser) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "rhds_ldap" returns notfound for request 0
Ok. You can remove redundant (module is not failing, so no failover needed). Just list the two modules one below the other. ...
users: Matched entry DEFAULT at line 216
...
rad_check_password: Found Auth-Type LDAP auth: type "LDAP"
Remove that from users file. Let pap module do the authentication. Ldap should return the password to radius via ldap.attrmap.
Quoting "Ivan Kalik" <tnt@kalik.net>:
Ok. You can remove redundant (module is not failing, so no failover needed). Just list the two modules one below the other.
Removing the redundant lines, seems to make this work!
...
rad_check_password: Found Auth-Type LDAP auth: type "LDAP"
Remove that from users file. Let pap module do the authentication. Ldap should return the password to radius via ldap.attrmap.
I still need this in the users file though. Without it, I get rejections. It seems like this is all working well right now. Thanks a lot!
...
rad_check_password: Found Auth-Type LDAP auth: type "LDAP"
Remove that from users file. Let pap module do the authentication. Ldap should return the password to radius via ldap.attrmap.
I still need this in the users file though. Without it, I get rejections. It seems like this is all working well right now. Thanks a lot!
Then your ldap isn't passing the user password to radius (or is encrypted and has a header and auto-headers aren't enabled). Ivan Kalik Kalik Informatika ISP
AJ wrote:
I know this has been discussed before on the list and there is documentation for this, but I have literally spent days on this and I cannot get the result that I am looking for. I am hoping someone can share a configuration with me that works. Basically, I am looking to have radius authenticate to two LDAP servers one after the other. It is not a true failover or load balance situation, as both servers need to be queried at the same time. Basically, I want the first LDAP server to be queried for a username/password, then if the user is not found, try the second one.
In 1.1.x, read doc/configurable_failover It explains how to configure what you want, including the module return codes. Alan DeKok.
participants (3)
-
AJ -
Alan DeKok -
Ivan Kalik