[freeradius] fail-over ldap + reply-item missing
Hi all I try to do a fail-over with two ldap on my freeradius. I read this article http://wiki.freeradius.org/Fail-over, I instantiated two openldap modules and i use the keyword redundant in my /raddb/site-available/default in authorize and authenticate section. redundant { Primary-ldap Secondary-ldap } I also enabled reply_log When the two ldap are launched, it works. reply log : Tue Jun 9 11:45:53 2009 Packet-Type = Access-Accept Reply-Message = "Utilisateur: fmehault, group: Administrateur" Cisco-AVPair = "shell:priv-lvl=15" Service-Type = NAS-Prompt-User But if i stop the Secondary-ldap, I have just : reply log : Tue Jun 9 11:49:19 2009 Packet-Type = Access-Accept I can see in my log that radiusd try to contact Secondary-ldap at first. Why ? Then it test 3 times, rather than test Primary-ldap, why ? I will be please to give you more information about my problem to help me to fix it, ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop rlm_ldap: Entering ldap_groupcmp() [files] expand: dc=netplus,dc=fr -> dc=netplus,dc=fr [files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [files] expand: (&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusHuntgroupName=%{Huntgroup-name})) -> (&(uid=fmehault)(radiusHuntgroupName=swLabo)) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 10.96.18.4:389, authentication 0 rlm_ldap: bind as cn=root,dc=netplus,dc=fr/secret to 10.96.18.4:389 rlm_ldap: cn=root,dc=netplus,dc=fr bind to 10.96.18.4:389 failed: Can't contact LDAP server rlm_ldap: (re)connection attempt failed rlm_ldap::ldap_groupcmp: search failed rlm_ldap: ldap_release_conn: Release Id: 0 [...] rlm_ldap: cn=root,dc=netplus,dc=fr bind to 10.96.18.4:389 failed: Can't contact LDAP server [...] rlm_ldap: cn=root,dc=netplus,dc=fr bind to 10.96.18.4:389 failed: Can't contact LDAP server resume : Primary-ldap started Secondary-ldap started It works Primary-ldap stoped Secondary-ldap started It works Primary-ldap started Secondary-ldap stoped Access-Accept without reply-item ... If someone can explain me what is my problem Regards, François
I try to do a fail-over with two ldap on my freeradius. I read this article http://wiki.freeradius.org/Fail-over, I instantiated two openldap modules and i use the keyword redundant in my /raddb/site-available/default in authorize and authenticate section.
redundant { Primary-ldap Secondary-ldap }
I also enabled reply_log When the two ldap are launched, it works.
reply log :
Tue Jun 9 11:45:53 2009 Packet-Type = Access-Accept Reply-Message = "Utilisateur: fmehault, group: Administrateur" Cisco-AVPair = "shell:priv-lvl=15" Service-Type = NAS-Prompt-User
But if i stop the Secondary-ldap, I have just :
reply log :
Tue Jun 9 11:49:19 2009 Packet-Type = Access-Accept
I can see in my log that radiusd try to contact Secondary-ldap at first. Why ? Then it test 3 times, rather than test Primary-ldap, why ?
Read rlm_ldap documentation about group support. You are not using instances in groups. Ivan Kalik Kalik Informatika ISP
Thanks for your responce, I read http://freeradius.org/radiusd/doc/rlm_ldap , I am focus on section GROUP SUPPORT. So I have two ldap module instances in raddb/modules/ldap : ldap ldaplabobe2 { [...] } ldap ldaplabobe1 { [...] } I added the ldap module in the instantiate{} block in radiusd.conf. instantiate { exec expr expiration logintime ldaplabobe2 ldaplabobe1 } I use this form in my raddb/users : DEFAULT ldaplabobe2-Ldap-Group == administrateur, User-Profile := "cn=administrateur,ou=Profiles,dc=netplus,dc=fr" Reply-Message = "Utilisateur: %{User-name}, group: Administrateur", Fall-Through = yes DEFAULT ldaplabobe2-Ldap-Group == stagiaire, User-Profile := "cn=stagiaire,ou=Profiles,dc=netplus,dc=fr" Reply-Message = "Utilisateur: %{User-name}, group: Stagiaire", Fall-Through = yes DEFAULT ldaplabobe1-Ldap-Group == administrateur, User-Profile := "cn=administrateur,ou=Profiles,dc=netplus,dc=fr" Reply-Message = "Utilisateur: %{User-name}, group: Administrateur", Fall-Through = yes DEFAULT ldaplabobe1-Ldap-Group == stagiaire, User-Profile := "cn=stagiaire,ou=Profiles,dc=netplus,dc=fr" Reply-Message = "Utilisateur: %{User-name}, group: Stagiaire", Fall-Through = yes Instead of DEFAULT Ldap-Group == administrateur, User-Profile := "cn=administrateur,ou=Profiles,dc=netplus,dc=fr" Reply-Message = "Utilisateur: %{User-name}, group: Administrateur", Fall-Through = yes DEFAULT Ldap-Group == stagiaire, User-Profile := "cn=stagiaire,ou=Profiles,dc=netplus,dc=fr" Reply-Message = "Utilisateur: %{User-name}, group: Stagiaire", Fall-Through = yes Then I still use redundant in authorize and authenticate section in raddb/site-available/default (I test whithout also) And now I have Access-Reject for all, some reply-item are in the users file, others are in my openldap (I use radiusgroupname with ou=profiles,dc=netplus,dc=fr + radiusprofile attribute ...) So I progress I think but it doesn't work for now. Sorry if I need some help, I begin with openldap, I read lot of documentation freeradius, openldap, PAM (my head will explose) and all is new for me , so maybe I read the solution at my problem but don't remember :s Thansk for your help. Regards, François rad_recv: Access-Request packet from host 192.168.0.50 port 1812, id=253, length=80 NAS-IP-Address = 192.168.0.50 NAS-Port = 1 NAS-Port-Type = Virtual User-Name = "fmehault" Calling-Station-Id = "192.168.0.80" User-Password = "toto" +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radacct/192.168.0.50/auth-detail-20090609 [auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/192.168.0.50/auth-detail-20090609 [auth_log] expand: %t -> Tue Jun 9 16:27:02 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "fmehault", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop rlm_ldap: Entering ldap_groupcmp() [files] expand: dc=netplus,dc=fr -> dc=netplus,dc=fr [files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [files] expand: (&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusHuntgroupName=%{Huntgroup-name})) -> (&(uid=fmehault)(radiusHuntgroupName=swLabo)) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 10.96.18.10:389, authentication 0 rlm_ldap: bind as cn=root,dc=netplus,dc=fr/secret to 10.96.18.10:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=netplus,dc=fr, with filter (&(uid=fmehault)(radiusHuntgroupName=swLabo)) rlm_ldap: ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=netplus,dc=fr, with filter (&(cn=administrateur)(|(&(objectClass=GroupOfNames)(member=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr)))) rlm_ldap: object not found rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr, with filter (objectclass=*) rlm_ldap::groupcmp: Group administrateur not found or user not a member rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() [files] expand: dc=netplus,dc=fr -> dc=netplus,dc=fr [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=netplus,dc=fr, with filter (&(cn=stagiaire)(|(&(objectClass=GroupOfNames)(member=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr)))) rlm_ldap: object not found rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr, with filter (objectclass=*) rlm_ldap::ldap_groupcmp: User found in group stagiaire rlm_ldap: ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 252 [files] expand: Utilisateur: %{User-name}, group: Stagiaire -> Utilisateur: fmehault, group: Stagiaire rlm_ldap: Entering ldap_groupcmp() [files] expand: dc=netplus,dc=fr -> dc=netplus,dc=fr [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 10.96.18.4:389, authentication 0 rlm_ldap: bind as cn=root,dc=netplus,dc=fr/secret to 10.96.18.4:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=netplus,dc=fr, with filter (&(cn=administrateur)(|(&(objectClass=GroupOfNames)(member=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr)))) rlm_ldap: object not found rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr, with filter (objectclass=*) rlm_ldap::groupcmp: Group administrateur not found or user not a member rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() [files] expand: dc=netplus,dc=fr -> dc=netplus,dc=fr [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=netplus,dc=fr, with filter (&(cn=stagiaire)(|(&(objectClass=GroupOfNames)(member=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr)))) rlm_ldap: object not found rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr, with filter (objectclass=*) rlm_ldap::ldap_groupcmp: User found in group stagiaire rlm_ldap: ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 260 [files] expand: Utilisateur: %{User-name}, group: Stagiaire -> Utilisateur: fmehault, group: Stagiaire ++[files] returns ok ++- entering policy redundant {...} [ldaplabobe2] performing user authorization for fmehault [ldaplabobe2] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldaplabobe2] expand: (&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusHuntgroupName=%{Huntgroup-name})) -> (&(uid=fmehault)(radiusHuntgroupName=swLabo)) [ldaplabobe2] expand: dc=netplus,dc=fr -> dc=netplus,dc=fr rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=netplus,dc=fr, with filter (&(uid=fmehault)(radiusHuntgroupName=swLabo)) rlm_ldap: performing search in cn=stagiaire,ou=Profiles,dc=netplus,dc=fr, with filter (objectclass=radiusprofile) rlm_ldap: radiusServiceType -> Service-Type = NAS-Prompt-User [ldaplabobe2] looking for check items in directory... [ldaplabobe2] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldaplabobe2] user fmehault authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldaplabobe2] returns ok ++- policy redundant returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> fmehault attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 253 to 192.168.0.50 port 1812 Reply-Message = "Utilisateur: fmehault, group: Stagiaire" Waking up in 4.5 seconds.
(following my last mail) I read in my log: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user So in the user file I replace DEFAULT ldaplabobe2-Ldap-Group == administrateur, User-Profile := "cn=administrateur,ou=Profiles,dc=netplus,dc=fr Reply-Message = "Utilisateur: %{User-name}, group: Administrateur", Fall-Through = yes By DEFAULT ldaplabobe2-Ldap-Group == administrateur, User-Profile := "cn=administrateur,ou=Profiles,dc=netplus,dc=fr", Auth-Type := LDAP Reply-Message = "Utilisateur: %{User-name}, group: Administrateur", Fall-Through = yes And I start radiud -X and I have : /usr/local/etc/raddb/users[247]: Parse error (check) for entry DEFAULT: Unknown value LDAP for attribute Auth-Type Errors reading /usr/local/etc/raddb/users /usr/local/etc/raddb/modules/files[7]: Instantiation failed for module "files" /usr/local/etc/raddb/sites-enabled/inner-tunnel[111]: Failed to find module "files". /usr/local/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize section. } } Errors initializing modules But in raddb/site-available/default, in section authenticate i have Auth-Type LDAP : authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix Auth-Type LDAP { redundant { ldaplabobe2 ldaplabobe1 } } eap }
participants (2)
-
François Mehault -
Ivan Kalik