Hi all, I am building a new radius server on Centos7 and configuring for LDAP auth. I have an older version running on a different server, and have brought over my configs and adjusted to the new version requirements (for instance, adding the ipaddr attribute to all the client stanzas). However, I seem to be having an issue with the rlm_ldap module, and the ldap config itself. BTW, ran all updates this morning, so everything should be at the latest versions (from the repositories, anyway). FreeRADIUS Version 3.0.4 is what is now installed. So, here's my ldap file from the old server (that works properly): --------------------------------------------- ldap rg600-1 { server = "10.255.255.40" identity = "cn=admin,o=ourorg" password = r!da2Lp basedn = "ou=administration,o=ourorg" filter = "(uid=%u)" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } access_attr = "uid" dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no groupname_attribute = gidnumber groupmembership_attribute = gidNumber } --------------------------------------------- I copied this file exactly to the new server. To test connectivity, I ran (on the new server): --------------------------------------------- ldapsearch -x -W -D "cn=admin,o=ourorg" -b "ou=administration,o=ourorg" objectclass=* --------------------------------------------- and, when asked, provided the r!da2Lp password, and successfully got the list of all objects... indicating that the connectivity, username, and password are perfectly correct. When I run radiusd -X -d /etc/raddb, I get the following end result of debug lines: --------------------------------------------- ... rlm_ldap (rg600-1): Opening additional connection (0) rlm_ldap (rg600-1): Connecting to 10.255.255.40:389 rlm_ldap (rg600-1): Waiting for bind result... rlm_ldap (rg600-1): Bind credentials incorrect: Invalid credentials rlm_ldap (rg600-1): Opening connection failed (0) rlm_ldap (rg600-1): Removing connection pool --------------------------------------------- indicating, I believe, a bad password or bad user ID. I have a feeling that the "!" in the password is causing issues. I have surrounded the password with single quotes, double quotes, ticks, and have escaped the ! with \, all to no avail. I cannot really change the password, as so many systems are using it that it is prohibitive. Anyone have any ideas? I'll supply any other required data... Thanks! Alex -- Alex Moen NSTII North Dakota Telephone Company 701-662-6481
On Mar 15, 2016, at 12:30 PM, Alex Moen <alexm@ndtel.com> wrote:
I am building a new radius server on Centos7 and configuring for LDAP auth. I have an older version running on a different server, and have brought over my configs and adjusted to the new version requirements (for instance, adding the ipaddr attribute to all the client stanzas). However, I seem to be having an issue with the rlm_ldap module, and the ldap config itself. BTW, ran all updates this morning, so everything should be at the latest versions (from the repositories, anyway). FreeRADIUS Version 3.0.4 is what is now installed.
So, here's my ldap file from the old server (that works properly):
--------------------------------------------- ldap rg600-1 { server = "10.255.255.40"
You don't need quotes around IP addresses.
identity = "cn=admin,o=ourorg" password = r!da2Lp
Put quotes around the password.
I have a feeling that the "!" in the password is causing issues. I have surrounded the password with single quotes, double quotes, ticks, and have escaped the ! with \, all to no avail.
I cannot really change the password, as so many systems are using it that it is prohibitive.
Anyone have any ideas? I'll supply any other required data...
What is the version of the server which works? Alan DeKok.
I did try quotes around the password, and I think I stated that in my first email... I tried single, double, and ticks, none of which worked. The old server is running FreeRADIUS Version 0.9.3. I will remove the quotes around the IP addresses. What is the "rule" about quotes? Why would we need quotes around some fields and not around others? Thanks! Alex On 03/15/2016 11:35 AM, Alan DeKok wrote:
On Mar 15, 2016, at 12:30 PM, Alex Moen <alexm@ndtel.com> wrote:
I am building a new radius server on Centos7 and configuring for LDAP auth. I have an older version running on a different server, and have brought over my configs and adjusted to the new version requirements (for instance, adding the ipaddr attribute to all the client stanzas). However, I seem to be having an issue with the rlm_ldap module, and the ldap config itself. BTW, ran all updates this morning, so everything should be at the latest versions (from the repositories, anyway). FreeRADIUS Version 3.0.4 is what is now installed.
So, here's my ldap file from the old server (that works properly):
--------------------------------------------- ldap rg600-1 { server = "10.255.255.40"
You don't need quotes around IP addresses.
identity = "cn=admin,o=ourorg" password = r!da2Lp
Put quotes around the password.
I have a feeling that the "!" in the password is causing issues. I have surrounded the password with single quotes, double quotes, ticks, and have escaped the ! with \, all to no avail.
I cannot really change the password, as so many systems are using it that it is prohibitive.
Anyone have any ideas? I'll supply any other required data...
What is the version of the server which works?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Alex Moen NSTII North Dakota Telephone Company 701-662-6481
On Mar 15, 2016, at 1:55 PM, Alex Moen <alexm@ndtel.com> wrote:
I did try quotes around the password, and I think I stated that in my first email... I tried single, double, and ticks, none of which worked.
Yes. But in general, quotes are a good idea.
The old server is running FreeRADIUS Version 0.9.3.
Wow... it's good to know it lasted a while.
I will remove the quotes around the IP addresses. What is the "rule" about quotes? Why would we need quotes around some fields and not around others?
IP addresses don't need quotes. Strings do. Mainly if you want to put spaces or "special" characters into a string, you need quotes. Alan DeKok.
On 03/15/2016 01:02 PM, Alan DeKok wrote:
On Mar 15, 2016, at 1:55 PM, Alex Moen <alexm@ndtel.com> wrote:
I did try quotes around the password, and I think I stated that in my first email... I tried single, double, and ticks, none of which worked.
Yes. But in general, quotes are a good idea.
The old server is running FreeRADIUS Version 0.9.3.
Wow... it's good to know it lasted a while.
Actually, it's performing flawlessly. No issues at all. However, the hardware is aging and is running an unpatched (in ages) version of Solaris 9. Currently, the uptime is 532 days. If it ain't broke, don't fix it... but it's gonna break any day. And now that I have said that, I have ensured the time is coming.
I will remove the quotes around the IP addresses. What is the "rule" about quotes? Why would we need quotes around some fields and not around others?
IP addresses don't need quotes. Strings do.
Mainly if you want to put spaces or "special" characters into a string, you need quotes.
Ah. OK, that makes complete sense.
Alan DeKok.
Thanks!! -- Alex Moen NSTII North Dakota Telephone Company 701-662-6481
On 15 Mar 2016, at 16:30, Alex Moen <alexm@ndtel.com> wrote:
Hi all,
I am building a new radius server on Centos7 and configuring for LDAP auth. I have an older version running on a different server, and have brought over my configs and adjusted to the new version requirements (for instance, adding the ipaddr attribute to all the client stanzas). However, I seem to be having an issue with the rlm_ldap module, and the ldap config itself. BTW, ran all updates this morning, so everything should be at the latest versions (from the repositories, anyway). FreeRADIUS Version 3.0.4 is what is now installed.
Do a network capture and see what's actually being sent. '!' has no special meaning in FreeRADIUS. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 03/15/2016 11:37 AM, Arran Cudbard-Bell wrote:
Do a network capture and see what's actually being sent.
'!' has no special meaning in FreeRADIUS.
OK, good call... I have done this. And have the error of my ways. Really, really dumb mistake. Wrong IP address for the LDAP server in the radius config. DUH. Sorry for the waste of time, guys. It always goes back to packet captures. -- Alex Moen NSTII North Dakota Telephone Company 701-662-6481
Don't 'bring over' your configs. Just take the initial 3.x config and edit as required as the server is not compatible with old config files and there are many new options and methods alan
On 03/15/2016 01:15 PM, Alan Buxey wrote:
Don't 'bring over' your configs. Just take the initial 3.x config and edit as required as the server is not compatible with old config files and there are many new options and methods
alan
Oh, yes, I have done that. I just used clippings from the original configs to fill in the 3.x files (clients, in particular). -- Alex Moen NSTII North Dakota Telephone Company 701-662-6481
participants (4)
-
Alan Buxey -
Alan DeKok -
Alex Moen -
Arran Cudbard-Bell