You say the LDAP server is on another server....but your config says its on localhost. One of these statements isn't correct . As per five, send radius -X to the list, not just little snippets of what you feel like sending... alan -- Message may be brief as it has been sent from my mobile
Alan, *Sorry for the confusion I made. I have put the name of LDAP server accordingly , not the localhost. Just for privacy I didn't put here.* Here is the output of radiusd -X command: # radiusd -X FreeRADIUS Version 2.1.10, for host i386-portbld-freebsd8.2, built on Oct 21 2011 at 11:26:0 7 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including files in directory /usr/local/etc/raddb/modules/ including configuration file /usr/local/etc/raddb/modules/wimax including configuration file /usr/local/etc/raddb/modules/always including configuration file /usr/local/etc/raddb/modules/attr_filter including configuration file /usr/local/etc/raddb/modules/attr_rewrite including configuration file /usr/local/etc/raddb/modules/chap including configuration file /usr/local/etc/raddb/modules/checkval including configuration file /usr/local/etc/raddb/modules/counter including configuration file /usr/local/etc/raddb/modules/cui including configuration file /usr/local/etc/raddb/modules/detail including configuration file /usr/local/etc/raddb/modules/detail.example.com including configuration file /usr/local/etc/raddb/modules/detail.log including configuration file /usr/local/etc/raddb/modules/digest including configuration file /usr/local/etc/raddb/modules/dynamic_clients including configuration file /usr/local/etc/raddb/modules/echo including configuration file /usr/local/etc/raddb/modules/etc_group including configuration file /usr/local/etc/raddb/modules/exec including configuration file /usr/local/etc/raddb/modules/expiration including configuration file /usr/local/etc/raddb/modules/expr including configuration file /usr/local/etc/raddb/modules/files including configuration file /usr/local/etc/raddb/modules/inner-eap including configuration file /usr/local/etc/raddb/modules/ippool including configuration file /usr/local/etc/raddb/modules/krb5 including configuration file /usr/local/etc/raddb/modules/ldap including configuration file /usr/local/etc/raddb/modules/linelog including configuration file /usr/local/etc/raddb/modules/logintime including configuration file /usr/local/etc/raddb/modules/otp including configuration file /usr/local/etc/raddb/modules/mac2ip including configuration file /usr/local/etc/raddb/modules/mschap including configuration file /usr/local/etc/raddb/modules/mac2vlan including configuration file /usr/local/etc/raddb/modules/ntlm_auth including configuration file /usr/local/etc/raddb/modules/opendirectory including configuration file /usr/local/etc/raddb/modules/pam including configuration file /usr/local/etc/raddb/modules/pap including configuration file /usr/local/etc/raddb/modules/passwd including configuration file /usr/local/etc/raddb/modules/perl including configuration file /usr/local/etc/raddb/modules/policy including configuration file /usr/local/etc/raddb/modules/preprocess including configuration file /usr/local/etc/raddb/modules/radutmp including configuration file /usr/local/etc/raddb/modules/realm including configuration file /usr/local/etc/raddb/modules/smbpasswd including configuration file /usr/local/etc/raddb/modules/smsotp including configuration file /usr/local/etc/raddb/modules/sql_log including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login including configuration file /usr/local/etc/raddb/modules/sradutmp including configuration file /usr/local/etc/raddb/modules/unix including configuration file /usr/local/etc/raddb/modules/acct_unique including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/policy.conf including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/default including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel including configuration file /usr/local/etc/raddb/sites-enabled/control-socket main { allow_core_dumps = no } including dictionary file /usr/local/etc/raddb/dictionary main { prefix = "/usr/local" localstatedir = "/var" logdir = "/var/log" libdir = "/usr/local/lib/freeradius-2.1.10" radacctdir = "/var/log/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /usr/local/etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /usr/local/etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /usr/local/etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /usr/local/etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /usr/local/etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Instantiating module "ntlm_auth" from file /usr/local/etc/raddb/modules/ntlm_auth exec ntlm_auth { wait = yes program = "/usr/local/bin/ntlm_auth --request-nt-key --domain=CAMPUS --username=%{ms chap:User-Name} --password=%{User-Password}" input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /usr/local/etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /usr/local/etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /usr/local/etc/raddb/modules/unix unix { radwtmp = "/var/log/radwtmp" } /usr/local/etc/raddb/modules/ldap[29]: Failed to link to module 'rlm_ldap': file not found /usr/local/etc/raddb/sites-enabled/inner-tunnel[237]: Failed to load module "ldap". /usr/local/etc/raddb/sites-enabled/inner-tunnel[237]: Failed to parse "ldap" entry. Thanks, -- View this message in context: http://freeradius.1045715.n5.nabble.com/ldap-freeradius-tp2781398p4978759.ht... Sent from the FreeRadius - User mailing list archive at Nabble.com.
suggestme wrote:
*Sorry for the confusion I made. I have put the name of LDAP server accordingly , not the localhost. Just for privacy I didn't put here.*
Here is the output of radiusd -X command:
Which is the same error. Your problem is simple. We are trying to help you, and you are refusing to read our messages. This isn't just you being lazy, it's you being rude. You were told *explicitly* how to solve the problem. If you didn't understand the answer, ask a question about the answer. But you need to posting the same question. If you do, you can be unsubscribed. Alan DeKok.
Alan DeKok wrote too quickly:
But you need to posting the same question. If you do, you can be unsubscribed.
You need to *stop* posting the same question. I think I might set up a bot to monitor the list. The same question 3 times from someone results in them being unsubscribed. Alan DeKok.
Alan, Sorry for any inconvenience caused by it. I just put the output 3rd time since Alan Buxey asked for the complete radiusd-X output, not the small 3 line output to get the complete picture. Yesterday only I joined this freeradius list. Yesterday I opened the thread thinking to get suggestion where you were the one to give suggestion, I couldn't figure out how to solve that; and today I found this 'LDAP+Freeradius' thread with the same issue and posted here thinking I Might get quick response from the individual who already faced and solved this issue. My intention is not to trouble by sending the same post. I just want suggestion from this group. Again, Sorry if my questions troubled you guys. Thanks Date: Wed, 9 Nov 2011 12:19:15 -0800 From: ml-node+s1045715n4978982h24@n5.nabble.com To: samanaupadhyay@hotmail.com Subject: Re: ldap+freeradius Alan DeKok wrote too quickly:
But you need to posting the same question. If you do, you can be unsubscribed.
You need to *stop* posting the same question. I think I might set up a bot to monitor the list. The same question 3 times from someone results in them being unsubscribed. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html If you reply to this email, your message will be added to the discussion below:http://freeradius.1045715.n5.nabble.com/ldap-freeradius-tp2781398p4978982.ht... To unsubscribe from ldap+freeradius, click here. See how NAML generates this email -- View this message in context: http://freeradius.1045715.n5.nabble.com/ldap-freeradius-tp2781398p4979011.ht... Sent from the FreeRadius - User mailing list archive at Nabble.com.
My intention is not to trouble by sending the same post. I just want suggestion from this group.
That's the problem. You have HAD suggestions. Why haven't you followed them?
Again, Sorry if my questions troubled you guys.
Thanks
------------------------------------------------------------------------ Date: Wed, 9 Nov 2011 12:19:15 -0800 From: [hidden email] </user/SendEmail.jtp?type=node&node=4979011&i=0> To: [hidden email] </user/SendEmail.jtp?type=node&node=4979011&i=1> Subject: Re: ldap+freeradius
Alan DeKok wrote too quickly:
But you need to posting the same question. If you do, you can be unsubscribed.
You need to *stop* posting the same question.
I think I might set up a bot to monitor the list. The same question 3 times from someone results in them being unsubscribed.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------------------------------------------------ If you reply to this email, your message will be added to the discussion below: http://freeradius.1045715.n5.nabble.com/ldap-freeradius-tp2781398p4978982.ht...
To unsubscribe from ldap+freeradius, click here. See how NAML generates this email <http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble:email.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.InstantMailNamespace&breadcrumbs=instant+emails%21nabble:email.naml-instant_emails%21nabble:email.naml-send_instant_email%21nabble:email.naml>
------------------------------------------------------------------------ View this message in context: RE: ldap+freeradius <http://freeradius.1045715.n5.nabble.com/ldap-freeradius-tp2781398p4979011.html> Sent from the FreeRadius - User mailing list archive <http://freeradius.1045715.n5.nabble.com/FreeRadius-User-f2740693.html> at Nabble.com.
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
*Sorry for the confusion I made. I have put the name of LDAP server accordingly , not the localhost. Just for privacy I didn't put here.*
okay....
Here is the output of radiusd -X command:
and there. bingo.
libdir = "/usr/local/lib/freeradius-2.1.10"
urgh. why? really...why? when you did the ./configure stage did you ask for it to go into this special non-standard directory? if its there....then you need to ensure that your system knows its there too - and a default server wont. you will need to edit the configuration file for your dynamic linker - usually /etc/ld.so.conf ..and then re-run /sbin/ldconfig ..you need to ensure your linker shows that it knows this.... /sbin/ldconfig -v if you need to check and double-check. if you dont see the freeradius libraries there at all then you need to check again. finally...if you dont see the rlm_ldap.so then go back one more step...and check that the LDAP module was actually built int he first place! ./configure --with-whatever-options | grep WARN you need to ensure you have LDAP support installed - the ldap development libraries usually something like openldap-devel in your package manager the fact that all the other bits work suggests that the other .so files are found..which points to the lack of ldap development libraries as the main culprit
/usr/local/etc/raddb/modules/ldap[29]: Failed to link to module 'rlm_ldap': file not found /usr/local/etc/raddb/sites-enabled/inner-tunnel[237]: Failed to load module "ldap". /usr/local/etc/raddb/sites-enabled/inner-tunnel[237]: Failed to parse "ldap" entry.
yep. the .so dynamic library file cannot be loaded alan
Guys, I configured FreeRadius for Authentication with Active Directory by following the steps as suggested by Alan's deployingradius.com. Everything is working successfully like Samba, Kerberos, ntlm_auth configuration, I can successfully join the domain as an administrator and also user can be authenticated by their credentials successfully. Now I need one suggestion here: Is there any way that administrator be able to read and write the information about user's access privileges by joining the domain. Such as users are allowed/denied for WIFi access, VPN access etc. I don't know whether it is possible or not by confguring anything with Samba/Kerberos/ntlm_auth/FreeRadius or should I need any other program to obtain this goal. I am configuring FreeRadius for the 1st time so, your idea will be greately appreciated. Thanks, Date: Wed, 9 Nov 2011 18:06:16 -0800 From: ml-node+s1045715n4979784h86@n5.nabble.com To: samanaupadhyay@hotmail.com Subject: Re: ldap+freeradius Hi,
*Sorry for the confusion I made. I have put the name of LDAP server accordingly , not the localhost. Just for privacy I didn't put here.*
okay....
Here is the output of radiusd -X command:
and there. bingo.
libdir = "/usr/local/lib/freeradius-2.1.10"
urgh. why? really...why? when you did the ./configure stage did you ask for it to go into this special non-standard directory? if its there....then you need to ensure that your system knows its there too - and a default server wont. you will need to edit the configuration file for your dynamic linker - usually /etc/ld.so.conf ..and then re-run /sbin/ldconfig ..you need to ensure your linker shows that it knows this.... /sbin/ldconfig -v if you need to check and double-check. if you dont see the freeradius libraries there at all then you need to check again. finally...if you dont see the rlm_ldap.so then go back one more step...and check that the LDAP module was actually built int he first place! ./configure --with-whatever-options | grep WARN you need to ensure you have LDAP support installed - the ldap development libraries usually something like openldap-devel in your package manager the fact that all the other bits work suggests that the other .so files are found..which points to the lack of ldap development libraries as the main culprit
/usr/local/etc/raddb/modules/ldap[29]: Failed to link to module 'rlm_ldap': file not found /usr/local/etc/raddb/sites-enabled/inner-tunnel[237]: Failed to load module "ldap". /usr/local/etc/raddb/sites-enabled/inner-tunnel[237]: Failed to parse "ldap" entry.
yep. the .so dynamic library file cannot be loaded alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html If you reply to this email, your message will be added to the discussion below:http://freeradius.1045715.n5.nabble.com/ldap-freeradius-tp2781398p4979784.ht... To unsubscribe from ldap+freeradius, click here. See how NAML generates this email -- View this message in context: http://freeradius.1045715.n5.nabble.com/ldap-freeradius-tp2781398p4984367.ht... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi,
I configured FreeRadius for Authentication with Active Directory by following the steps as suggested by Alan's deployingradius.com. Everything is working successfully like Samba, Kerberos, ntlm_auth configuration, I can successfully join the domain as an administrator and also user can be authenticated by their credentials successfully. Now I need one suggestion here: Is there any way that administrator be able to read and write the information about user's access privileges by joining the domain. Such as users are allowed/denied for WIFi access, VPN access etc. I don't know whether it is possible or not by confguring anything with Samba/Kerberos/ntlm_auth/FreeRadius or should I need any other program to obtain this goal.
currently, you are just doing authentication - you now need to think about authorization and policy - there are many ways of doing this - hints,huntgroups, SQL, external scripts using perl;python;ruby, unlang , LDAP attributes etc. you need to decided where you skills lie and what methods/facilities you have in place for checking... if you already have a DB for access info...then use that! :-) - you can then reject, set values, set return attributes etc via your chosen method. there are example, docs, wiki entries, config comments etc for this operation. alan
participants (3)
-
Alan Buxey -
Alan DeKok -
suggestme