Hello All Will creating multiple instances of the /etc/raddb/modules/ldap1 and /etc/raddb/modules/ldap2 each with different LDAP server addresses and database information work for having a user authenticate against either of the two LDAP servers. By that I mean that say our user 'try' tries to authenticate and sends the radius server an authentication request message, then, by having two files /etc/raddb/modules/ldap1 and /etc/raddb/modules/ldap2 cause the server to connect to both the servers and check for authentication ? If no then can anyone please suggest what is the way for doing this ? Thanks Sambuddho
http://www.freeradius.org/radiusd/man/unlang.html Ivan Kalik Kalik Informatika ISP Dana 15/6/2008, "Sambuddho Chakravarty" <sc2516@columbia.edu> piše:
Hello All Will creating multiple instances of the /etc/raddb/modules/ldap1 and /etc/raddb/modules/ldap2 each with different LDAP server addresses and database information work for having a user authenticate against either of the two LDAP servers. By that I mean that say our user 'try' tries to authenticate and sends the radius server an authentication request message, then, by having two files /etc/raddb/modules/ldap1 and /etc/raddb/modules/ldap2 cause the server to connect to both the servers and check for authentication ? If no then can anyone please suggest what is the way for doing this ?
Thanks Sambuddho
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
As in: redundant { ldap1 ldap2 } On Jun 15, 2008, at 1:08 AM, Ivan Kalik wrote:
http://www.freeradius.org/radiusd/man/unlang.html
Ivan Kalik Kalik Informatika ISP
Dana 15/6/2008, "Sambuddho Chakravarty" <sc2516@columbia.edu> piše:
Hello All Will creating multiple instances of the /etc/raddb/modules/ldap1 and /etc/raddb/modules/ldap2 each with different LDAP server addresses and database information work for having a user authenticate against either of the two LDAP servers. By that I mean that say our user 'try' tries to authenticate and sends the radius server an authentication request message, then, by having two files /etc/raddb/modules/ldap1 and /etc/raddb/modules/ldap2 cause the server to connect to both the servers and check for authentication ? If no then can anyone please suggest what is the way for doing this ?
Thanks Sambuddho
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Yes , but on a freeradius-2.05 , when I create a separate authenticate {} and authorize {} subsection and plug in the following : authorize { Autz-Type LDAP { redundant { ${confdir}/modules/ldap1 ${confdir}/modules/ldap2 } } } authenticate { Auth-Type LDAP{ redundant{ ${confdir}/modules/ldap1 ${confdir}/modules/ldap2 } } } It doesn't work. Here the ldap1 and ldap2 are two separate files in the /etc/raddb/modules directory and have separate ldap server IP addresses. Can anyone please point out to me where I am going wrong ? Thanks Sambuddho On Sun, 2008-06-15 at 01:55 -0700, Chris wrote:
As in:
redundant { ldap1 ldap2 }
On Jun 15, 2008, at 1:08 AM, Ivan Kalik wrote:
http://www.freeradius.org/radiusd/man/unlang.html
Ivan Kalik Kalik Informatika ISP
Dana 15/6/2008, "Sambuddho Chakravarty" <sc2516@columbia.edu> piše:
Hello All Will creating multiple instances of the /etc/raddb/modules/ldap1 and /etc/raddb/modules/ldap2 each with different LDAP server addresses and database information work for having a user authenticate against either of the two LDAP servers. By that I mean that say our user 'try' tries to authenticate and sends the radius server an authentication request message, then, by having two files /etc/raddb/modules/ldap1 and /etc/raddb/modules/ldap2 cause the server to connect to both the servers and check for authentication ? If no then can anyone please suggest what is the way for doing this ?
Thanks Sambuddho
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sambuddho Chakravarty wrote:
Yes , but on a freeradius-2.05 , when I create a separate authenticate {} and authorize {} subsection and plug in the following :
authorize { Autz-Type LDAP {
You don't need to use Autz-Type in 2.0.
authenticate { Auth-Type LDAP{ redundant{
Don't use redundant sections here. Just list the two LDAP modules independently. The LDAP server that was used in the authorize section will ensure that it is also used in the authenticate section.
${confdir}/modules/ldap1
And I hope that's not what I think it is.
It doesn't work.
See the FAQ for "it doesn't work".
Here the ldap1 and ldap2 are two separate files in the /etc/raddb/modules directory and have separate ldap server IP addresses. Can anyone please point out to me where I am going wrong ?
Lots. The major one is that you are putting the module *configuration* into the authorize and authenticate sections. I have no idea why you think that's a good idea. The examples included in the server DO NOT DO THIS. The files in the "modules" directory belong in the "modules" section of radiusd.conf. This is documented in the comments, and in many examples. The entries in the "authorize" and "authenticate" sections are simply a one-word reference to the name of a module. Again, this is documented in the comments and in many examples. Alan DeKok.
Do you mean something like this authorize { redundant { ldap1 ldap2 } } authenticate { ldap1 ldap2 } The reason I list them here is to use them for authentication against multiple LDAP servers whose configuration information is in the two files modules/ldap1 and modules/ldap2. Does this look valid ? Thanks Sambuddho On Thu, 2008-06-19 at 09:35 +0200, Alan DeKok wrote:
Sambuddho Chakravarty wrote:
Yes , but on a freeradius-2.05 , when I create a separate authenticate {} and authorize {} subsection and plug in the following :
authorize { Autz-Type LDAP {
You don't need to use Autz-Type in 2.0.
authenticate { Auth-Type LDAP{ redundant{
Don't use redundant sections here. Just list the two LDAP modules independently. The LDAP server that was used in the authorize section will ensure that it is also used in the authenticate section.
${confdir}/modules/ldap1
And I hope that's not what I think it is.
It doesn't work.
See the FAQ for "it doesn't work".
Here the ldap1 and ldap2 are two separate files in the /etc/raddb/modules directory and have separate ldap server IP addresses. Can anyone please point out to me where I am going wrong ?
Lots. The major one is that you are putting the module *configuration* into the authorize and authenticate sections. I have no idea why you think that's a good idea. The examples included in the server DO NOT DO THIS.
The files in the "modules" directory belong in the "modules" section of radiusd.conf. This is documented in the comments, and in many examples.
The entries in the "authorize" and "authenticate" sections are simply a one-word reference to the name of a module. Again, this is documented in the comments and in many examples.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello But this never really worked. I did exactly this . The ldap1 and ldap2 are files with the follwoing /etc/raddb/modules/ldap1---------------------------------------------------------------- ldap { server = "30.0.0.2" basedn = "ou=People,cu=example,c=com" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" port = 389 ldap_connections_number = 5 timeout = 40 timelimit = 30 net_timeout = 10 tls { start_tls = no require_cert = "demand" } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no } /etc/raddb/modules/ldap2--------------------------------------- ldap { server = "10.0.0.1" basedn = "ou=People,cu=example,c=com" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" port = 389 ldap_connections_number = 5 timeout = 40 timelimit = 30 net_timeout = 10 tls { start_tls = no require_cert = "demand" } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no } ---------------------------------------------------------------------------------- The only difference in both files is the LDAP server IP address . When I did as I mentioned in my previous email and executed /sbin/radiusd -X -C the execution ended with the following error Module: Checking authenticate {...} for more modules to load //etc/raddb/radiusd.conf[757]: Failed to find module "ldap1". //etc/raddb/radiusd.conf[756]: Errors parsing authenticate section. } Also , one more observation, when having a single LDAP server and when it actually worked fine, the debug messages showed found rlm_pap. While I think it should be showing rlm_ldap . Why is this so. But authentication worked fine and the client received a ACCESS-ACCEPT message as reply. Thanks Sambuddho On Thu, 2008-06-19 at 13:50 -0400, Sambuddho Chakravarty wrote:
Do you mean something like this
authorize { redundant { ldap1 ldap2 } }
authenticate { ldap1 ldap2 }
The reason I list them here is to use them for authentication against multiple LDAP servers whose configuration information is in the two files modules/ldap1 and modules/ldap2. Does this look valid ?
Thanks Sambuddho
On Thu, 2008-06-19 at 09:35 +0200, Alan DeKok wrote:
Sambuddho Chakravarty wrote:
Yes , but on a freeradius-2.05 , when I create a separate authenticate {} and authorize {} subsection and plug in the following :
authorize { Autz-Type LDAP {
You don't need to use Autz-Type in 2.0.
authenticate { Auth-Type LDAP{ redundant{
Don't use redundant sections here. Just list the two LDAP modules independently. The LDAP server that was used in the authorize section will ensure that it is also used in the authenticate section.
${confdir}/modules/ldap1
And I hope that's not what I think it is.
It doesn't work.
See the FAQ for "it doesn't work".
Here the ldap1 and ldap2 are two separate files in the /etc/raddb/modules directory and have separate ldap server IP addresses. Can anyone please point out to me where I am going wrong ?
Lots. The major one is that you are putting the module *configuration* into the authorize and authenticate sections. I have no idea why you think that's a good idea. The examples included in the server DO NOT DO THIS.
The files in the "modules" directory belong in the "modules" section of radiusd.conf. This is documented in the comments, and in many examples.
The entries in the "authorize" and "authenticate" sections are simply a one-word reference to the name of a module. Again, this is documented in the comments and in many examples.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sambuddho Chakravarty wrote:
Hello But this never really worked. I did exactly this . The ldap1 and ldap2 are files with the follwoing
/etc/raddb/modules/ldap1----------------------------------------------------------------
ldap { ... /etc/raddb/modules/ldap2---------------------------------------
ldap {
You have two modules named "ldap". Go read the comments at the top of the "modules" section in radiusd.conf. And before you go any further, PLEASE read the comments in the configuration files. You have been told to do this before, and it's clear that you either haven't done so, or you haven't understood them. Alan DeKok.
Hello This is exactly what I did . I forgot to put the separate module names here in the email it like this /etc/raddb/modules/ldap1---------------------------------------------------------------- ldap ldap1{ ... } /etc/raddb/modules/ldap2--------------------------------------- ldap ldap2{ .. } Or is it that it should be one file ? And now when I try to start the server this is what the error I see : server { modules { Module: Checking authenticate {...} for more modules to load //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap': rlm_ldap.so: cannot open shared object file: No such file or directory //etc/raddb/radiusd.conf[744]: Failed to find module "ldap1". //etc/raddb/radiusd.conf[743]: Errors parsing authenticate section. } } The radius.conf has this : authorize { redundant { ldap1 ldap2 } } authenticate { ldap1 ldap2 } Rest of radius.conf is untouched. When trying with a single server ,it matches the radius request against rlm_pap and not rlm_ldap. I am confused. Thanks Sambuddho On Tue, 2008-07-01 at 09:26 +0200, Alan DeKok wrote:
Sambuddho Chakravarty wrote:
Hello But this never really worked. I did exactly this . The ldap1 and ldap2 are files with the follwoing
/etc/raddb/modules/ldap1----------------------------------------------------------------
ldap { ... /etc/raddb/modules/ldap2---------------------------------------
ldap {
You have two modules named "ldap". Go read the comments at the top of the "modules" section in radiusd.conf.
And before you go any further, PLEASE read the comments in the configuration files. You have been told to do this before, and it's clear that you either haven't done so, or you haven't understood them.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sambuddho Chakravarty wrote:
This is exactly what I did . I forgot to put the separate module names
The consistent problems you see make me think that the issue is more than "forgot".
And now when I try to start the server this is what the error I see :
server { modules { Module: Checking authenticate {...} for more modules to load //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap':
So.... was that module built? Apparently not...
When trying with a single server ,it matches the radius request against rlm_pap and not rlm_ldap. I am confused.
Perhaps reading the debug output (and that of "configure" and "make") would help. Alan DeKok.
Hello Alan I made sure this time that rlm_ldap was compiled. Now the following is the configuration ------/etc/raddb/modules/ldap----------- ldap ldap1 { server = "a.b.c.d" ... } ldap ldap2 { server = "w.x.y.z" ... } -----/etc/raddb/radiusd.conf----- authorize { ldap1 ldap2 } authenticate { ldap1 ldap2 } ------------------------------------ When I execute /sbin/radiusd -X It shows instantiating module ldap1 and module ldap2 .... Module: Instantiating ldap2 ldap ldap1 { server = "a.b.c.d" port = 389 .... Module: Instantiating ldap2 ldap ldap2 { server = "w.x.y.z" port = 389 .... When sending a radtest request using the following command (from the same machine as one which is running the server) $ radtest user "secret" localhost 2 testing123 I get ACCESS-REJECT reply from the sever. On the server the logs show something like this --------------------------------------------------- It shows binding to both LDAP servers one by one through something like this : rlm_ldap: performing user authorization for catch WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch) expand: ou=People,dc=example,dc=example -> ou=People,dc=example,dc=example rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0 rlm_ldap: bind as / to 30.0.0.2:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,dc=example,dc=example, with filter (uid=catch) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap1] returns notfound rlm_ldap: - authorize rlm_ldap: performing user authorization for catch WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch) expand: ou=People,dc=example,dc=example -> ou=People,dc=example,dc=example rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0 rlm_ldap: bind as / to 10.0.0.1:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,dc=example,dc=example, with filter (uid=catch) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap2] returns notfound auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. You can see it is attempting to search both databases but fails. If I use a simple telnet or ssh to authenticate against the LDAP server it logs in fine. LDAP client login against the LDAP server is otherwise working fine. I know I have been bothering using trivial question. But any help would be appreciated :-) Thanks in advance. Sambuddho On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote:
Sambuddho Chakravarty wrote:
This is exactly what I did . I forgot to put the separate module names
The consistent problems you see make me think that the issue is more than "forgot".
And now when I try to start the server this is what the error I see :
server { modules { Module: Checking authenticate {...} for more modules to load //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap':
So.... was that module built? Apparently not...
When trying with a single server ,it matches the radius request against rlm_pap and not rlm_ldap. I am confused.
Perhaps reading the debug output (and that of "configure" and "make") would help.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello I think I know what the problem is. The radius server is looking up using cleartext password , while the LDAP data base stores the hashed passwords. How can I force the radiuse server to search for the password as a hashed value (rather than searching for the clear-text value) ? Thanks Sambuddho On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
Hello Alan I made sure this time that rlm_ldap was compiled. Now the following is the configuration
------/etc/raddb/modules/ldap-----------
ldap ldap1 { server = "a.b.c.d" ... }
ldap ldap2 { server = "w.x.y.z" ... }
-----/etc/raddb/radiusd.conf-----
authorize { ldap1
ldap2
}
authenticate { ldap1 ldap2 }
------------------------------------
When I execute /sbin/radiusd -X
It shows instantiating module ldap1 and module ldap2
.... Module: Instantiating ldap2 ldap ldap1 { server = "a.b.c.d" port = 389 .... Module: Instantiating ldap2 ldap ldap2 { server = "w.x.y.z" port = 389 ....
When sending a radtest request using the following command (from the same machine as one which is running the server)
$ radtest user "secret" localhost 2 testing123
I get ACCESS-REJECT reply from the sever.
On the server the logs show something like this --------------------------------------------------- It shows binding to both LDAP servers one by one through something like this :
rlm_ldap: performing user authorization for catch WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch) expand: ou=People,dc=example,dc=example -> ou=People,dc=example,dc=example rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0 rlm_ldap: bind as / to 30.0.0.2:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,dc=example,dc=example, with filter (uid=catch) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap1] returns notfound rlm_ldap: - authorize rlm_ldap: performing user authorization for catch WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch) expand: ou=People,dc=example,dc=example -> ou=People,dc=example,dc=example rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0 rlm_ldap: bind as / to 10.0.0.1:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,dc=example,dc=example, with filter (uid=catch) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap2] returns notfound
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user.
You can see it is attempting to search both databases but fails. If I use a simple telnet or ssh to authenticate against the LDAP server it logs in fine. LDAP client login against the LDAP server is otherwise working fine. I know I have been bothering using trivial question. But any help would be appreciated :-)
Thanks in advance. Sambuddho
On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote:
Sambuddho Chakravarty wrote:
This is exactly what I did . I forgot to put the separate module names
The consistent problems you see make me think that the issue is more than "forgot".
And now when I try to start the server this is what the error I see :
server { modules { Module: Checking authenticate {...} for more modules to load //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap':
So.... was that module built? Apparently not...
When trying with a single server ,it matches the radius request against rlm_pap and not rlm_ldap. I am confused.
Perhaps reading the debug output (and that of "configure" and "make") would help.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
http://wiki.freeradius.org/index.php/Rlm_ldap See use of password_header and password_attribute. Ivan Kalik Kalik Informatika ISP Dana 2/7/2008, "Sambuddho Chakravarty" <sc2516@columbia.edu> piše:
Hello I think I know what the problem is. The radius server is looking up using cleartext password , while the LDAP data base stores the hashed passwords. How can I force the radiuse server to search for the password as a hashed value (rather than searching for the clear-text value) ?
Thanks Sambuddho On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
Hello Alan I made sure this time that rlm_ldap was compiled. Now the following is the configuration
------/etc/raddb/modules/ldap-----------
ldap ldap1 { server = "a.b.c.d" ... }
ldap ldap2 { server = "w.x.y.z" ... }
-----/etc/raddb/radiusd.conf-----
authorize { ldap1
ldap2
}
authenticate { ldap1 ldap2 }
------------------------------------
When I execute /sbin/radiusd -X
It shows instantiating module ldap1 and module ldap2
.... Module: Instantiating ldap2 ldap ldap1 { server = "a.b.c.d" port = 389 .... Module: Instantiating ldap2 ldap ldap2 { server = "w.x.y.z" port = 389 ....
When sending a radtest request using the following command (from the same machine as one which is running the server)
$ radtest user "secret" localhost 2 testing123
I get ACCESS-REJECT reply from the sever.
On the server the logs show something like this --------------------------------------------------- It shows binding to both LDAP servers one by one through something like this :
rlm_ldap: performing user authorization for catch WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch) expand: ou=People,dc=example,dc=example -> ou=People,dc=example,dc=example rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0 rlm_ldap: bind as / to 30.0.0.2:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,dc=example,dc=example, with filter (uid=catch) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap1] returns notfound rlm_ldap: - authorize rlm_ldap: performing user authorization for catch WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch) expand: ou=People,dc=example,dc=example -> ou=People,dc=example,dc=example rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0 rlm_ldap: bind as / to 10.0.0.1:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,dc=example,dc=example, with filter (uid=catch) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap2] returns notfound
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user.
You can see it is attempting to search both databases but fails. If I use a simple telnet or ssh to authenticate against the LDAP server it logs in fine. LDAP client login against the LDAP server is otherwise working fine. I know I have been bothering using trivial question. But any help would be appreciated :-)
Thanks in advance. Sambuddho
On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote:
Sambuddho Chakravarty wrote:
This is exactly what I did . I forgot to put the separate module names
The consistent problems you see make me think that the issue is more than "forgot".
And now when I try to start the server this is what the error I see :
server { modules { Module: Checking authenticate {...} for more modules to load //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap':
So.... was that module built? Apparently not...
When trying with a single server ,it matches the radius request against rlm_pap and not rlm_ldap. I am confused.
Perhaps reading the debug output (and that of "configure" and "make") would help.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello I set the password_header to = {crypt} and password_attribute to "userPassword" (Thats the name of the field in the database). Now this is what the logs show, rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=try) rlm_ldap: Added User-Password = $1$n48a7wCp$RfvlOx1pZgiVNfmMmA2xS. in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user try authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap1] returns ok ++- policy redundant returns ok !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type Local auth: user supplied User-Password does NOT match local User-Password auth: Failed to validate the user. Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> try attr_filter: Matched entry DEFAULT at line 11 My guess is authorize{} worked but not authenticate {}. Also , I see both modules ldap1 and ldap2 being loaded but whenever I try to authenticate with the username/password that is found in ldap2 , the radius server never attempts to connect to the other LDAP server. Instead it search for the entries in the "ldap1"'s server only. Any suggestions ? Thanks Sambuddho On Wed, 2008-07-02 at 23:45 +0100, Ivan Kalik wrote:
http://wiki.freeradius.org/index.php/Rlm_ldap
See use of password_header and password_attribute.
Ivan Kalik Kalik Informatika ISP
Dana 2/7/2008, "Sambuddho Chakravarty" <sc2516@columbia.edu> piše:
Hello I think I know what the problem is. The radius server is looking up using cleartext password , while the LDAP data base stores the hashed passwords. How can I force the radiuse server to search for the password as a hashed value (rather than searching for the clear-text value) ?
Thanks Sambuddho On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
Hello Alan I made sure this time that rlm_ldap was compiled. Now the following is the configuration
------/etc/raddb/modules/ldap-----------
ldap ldap1 { server = "a.b.c.d" ... }
ldap ldap2 { server = "w.x.y.z" ... }
-----/etc/raddb/radiusd.conf-----
authorize { ldap1
ldap2
}
authenticate { ldap1 ldap2 }
------------------------------------
When I execute /sbin/radiusd -X
It shows instantiating module ldap1 and module ldap2
.... Module: Instantiating ldap2 ldap ldap1 { server = "a.b.c.d" port = 389 .... Module: Instantiating ldap2 ldap ldap2 { server = "w.x.y.z" port = 389 ....
When sending a radtest request using the following command (from the same machine as one which is running the server)
$ radtest user "secret" localhost 2 testing123
I get ACCESS-REJECT reply from the sever.
On the server the logs show something like this --------------------------------------------------- It shows binding to both LDAP servers one by one through something like this :
rlm_ldap: performing user authorization for catch WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch) expand: ou=People,dc=example,dc=example -> ou=People,dc=example,dc=example rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0 rlm_ldap: bind as / to 30.0.0.2:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,dc=example,dc=example, with filter (uid=catch) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap1] returns notfound rlm_ldap: - authorize rlm_ldap: performing user authorization for catch WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch) expand: ou=People,dc=example,dc=example -> ou=People,dc=example,dc=example rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0 rlm_ldap: bind as / to 10.0.0.1:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,dc=example,dc=example, with filter (uid=catch) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap2] returns notfound
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user.
You can see it is attempting to search both databases but fails. If I use a simple telnet or ssh to authenticate against the LDAP server it logs in fine. LDAP client login against the LDAP server is otherwise working fine. I know I have been bothering using trivial question. But any help would be appreciated :-)
Thanks in advance. Sambuddho
On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote:
Sambuddho Chakravarty wrote:
This is exactly what I did . I forgot to put the separate module names
The consistent problems you see make me think that the issue is more than "forgot".
And now when I try to start the server this is what the error I see :
server { modules { Module: Checking authenticate {...} for more modules to load //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap':
So.... was that module built? Apparently not...
When trying with a single server ,it matches the radius request against rlm_pap and not rlm_ldap. I am confused.
Perhaps reading the debug output (and that of "configure" and "make") would help.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Password (radius) attribute should be Crypt-Password not User-Password. Ivan Kalik Kalik Informatika ISP Dana 3/7/2008, "Sambuddho Chakravarty" <sc2516@columbia.edu> piše:
Hello
I set the password_header to = {crypt} and password_attribute to "userPassword" (Thats the name of the field in the database). Now this is what the logs show,
rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=try) rlm_ldap: Added User-Password = $1$n48a7wCp$RfvlOx1pZgiVNfmMmA2xS. in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user try authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap1] returns ok ++- policy redundant returns ok !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type Local auth: user supplied User-Password does NOT match local User-Password auth: Failed to validate the user. Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> try attr_filter: Matched entry DEFAULT at line 11
My guess is authorize{} worked but not authenticate {}. Also , I see both modules ldap1 and ldap2 being loaded but whenever I try to authenticate with the username/password that is found in ldap2 , the radius server never attempts to connect to the other LDAP server. Instead it search for the entries in the "ldap1"'s server only.
Any suggestions ?
Thanks Sambuddho
On Wed, 2008-07-02 at 23:45 +0100, Ivan Kalik wrote:
http://wiki.freeradius.org/index.php/Rlm_ldap
See use of password_header and password_attribute.
Ivan Kalik Kalik Informatika ISP
Dana 2/7/2008, "Sambuddho Chakravarty" <sc2516@columbia.edu> piĹĄe:
Hello I think I know what the problem is. The radius server is looking up using cleartext password , while the LDAP data base stores the hashed passwords. How can I force the radiuse server to search for the password as a hashed value (rather than searching for the clear-text value) ?
Thanks Sambuddho On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
Hello Alan I made sure this time that rlm_ldap was compiled. Now the following is the configuration
------/etc/raddb/modules/ldap-----------
ldap ldap1 { server = "a.b.c.d" ... }
ldap ldap2 { server = "w.x.y.z" ... }
-----/etc/raddb/radiusd.conf-----
authorize { ldap1
ldap2
}
authenticate { ldap1 ldap2 }
------------------------------------
When I execute /sbin/radiusd -X
It shows instantiating module ldap1 and module ldap2
.... Module: Instantiating ldap2 ldap ldap1 { server = "a.b.c.d" port = 389 .... Module: Instantiating ldap2 ldap ldap2 { server = "w.x.y.z" port = 389 ....
When sending a radtest request using the following command (from the same machine as one which is running the server)
$ radtest user "secret" localhost 2 testing123
I get ACCESS-REJECT reply from the sever.
On the server the logs show something like this --------------------------------------------------- It shows binding to both LDAP servers one by one through something like this :
rlm_ldap: performing user authorization for catch WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch) expand: ou=People,dc=example,dc=example -> ou=People,dc=example,dc=example rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0 rlm_ldap: bind as / to 30.0.0.2:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,dc=example,dc=example, with filter (uid=catch) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap1] returns notfound rlm_ldap: - authorize rlm_ldap: performing user authorization for catch WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch) expand: ou=People,dc=example,dc=example -> ou=People,dc=example,dc=example rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0 rlm_ldap: bind as / to 10.0.0.1:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,dc=example,dc=example, with filter (uid=catch) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap2] returns notfound
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user.
You can see it is attempting to search both databases but fails. If I use a simple telnet or ssh to authenticate against the LDAP server it logs in fine. LDAP client login against the LDAP server is otherwise working fine. I know I have been bothering using trivial question. But any help would be appreciated :-)
Thanks in advance. Sambuddho
On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote:
Sambuddho Chakravarty wrote:
This is exactly what I did . I forgot to put the separate module names
The consistent problems you see make me think that the issue is more than "forgot".
And now when I try to start the server this is what the error I see :
server { modules { Module: Checking authenticate {...} for more modules to load //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap':
So.... was that module built? Apparently not...
When trying with a single server ,it matches the radius request against rlm_pap and not rlm_ldap. I am confused.
Perhaps reading the debug output (and that of "configure" and "make") would help.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/usershtml
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello Ivan But I don't have a field in the database by that name . The name of the field is "userPassword" . This is what the openLDAP migration scripts generated. Please let me know what mistake I am doing . Also , my question on failover. Is the failover used when the first LDAP server is down / unresponsive to connection attempts or when it is not able to authenticate (example bad username / password) ? Thanks Sambuddho On Thu, 2008-07-03 at 10:24 +0100, Ivan Kalik wrote:
Password (radius) attribute should be Crypt-Password not User-Password.
Ivan Kalik Kalik Informatika ISP
Dana 3/7/2008, "Sambuddho Chakravarty" <sc2516@columbia.edu> piše:
Hello
I set the password_header to = {crypt} and password_attribute to "userPassword" (Thats the name of the field in the database). Now this is what the logs show,
rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=try) rlm_ldap: Added User-Password = $1$n48a7wCp$RfvlOx1pZgiVNfmMmA2xS. in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user try authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap1] returns ok ++- policy redundant returns ok !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type Local auth: user supplied User-Password does NOT match local User-Password auth: Failed to validate the user. Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> try attr_filter: Matched entry DEFAULT at line 11
My guess is authorize{} worked but not authenticate {}. Also , I see both modules ldap1 and ldap2 being loaded but whenever I try to authenticate with the username/password that is found in ldap2 , the radius server never attempts to connect to the other LDAP server. Instead it search for the entries in the "ldap1"'s server only.
Any suggestions ?
Thanks Sambuddho
On Wed, 2008-07-02 at 23:45 +0100, Ivan Kalik wrote:
http://wiki.freeradius.org/index.php/Rlm_ldap
See use of password_header and password_attribute.
Ivan Kalik Kalik Informatika ISP
Dana 2/7/2008, "Sambuddho Chakravarty" <sc2516@columbia.edu> piĹĄe:
Hello I think I know what the problem is. The radius server is looking up using cleartext password , while the LDAP data base stores the hashed passwords. How can I force the radiuse server to search for the password as a hashed value (rather than searching for the clear-text value) ?
Thanks Sambuddho On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
Hello Alan I made sure this time that rlm_ldap was compiled. Now the following is the configuration
------/etc/raddb/modules/ldap-----------
ldap ldap1 { server = "a.b.c.d" ... }
ldap ldap2 { server = "w.x.y.z" ... }
-----/etc/raddb/radiusd.conf-----
authorize { ldap1
ldap2
}
authenticate { ldap1 ldap2 }
------------------------------------
When I execute /sbin/radiusd -X
It shows instantiating module ldap1 and module ldap2
.... Module: Instantiating ldap2 ldap ldap1 { server = "a.b.c.d" port = 389 .... Module: Instantiating ldap2 ldap ldap2 { server = "w.x.y.z" port = 389 ....
When sending a radtest request using the following command (from the same machine as one which is running the server)
$ radtest user "secret" localhost 2 testing123
I get ACCESS-REJECT reply from the sever.
On the server the logs show something like this --------------------------------------------------- It shows binding to both LDAP servers one by one through something like this :
rlm_ldap: performing user authorization for catch WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch) expand: ou=People,dc=example,dc=example -> ou=People,dc=example,dc=example rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0 rlm_ldap: bind as / to 30.0.0.2:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,dc=example,dc=example, with filter (uid=catch) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap1] returns notfound rlm_ldap: - authorize rlm_ldap: performing user authorization for catch WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch) expand: ou=People,dc=example,dc=example -> ou=People,dc=example,dc=example rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0 rlm_ldap: bind as / to 10.0.0.1:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,dc=example,dc=example, with filter (uid=catch) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap2] returns notfound
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user.
You can see it is attempting to search both databases but fails. If I use a simple telnet or ssh to authenticate against the LDAP server it logs in fine. LDAP client login against the LDAP server is otherwise working fine. I know I have been bothering using trivial question. But any help would be appreciated :-)
Thanks in advance. Sambuddho
On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote:
Sambuddho Chakravarty wrote: > This is exactly what I did . I forgot to put the separate module names
The consistent problems you see make me think that the issue is more than "forgot".
> And now when I try to start the server this is what the error I see : > > > server { > modules { > Module: Checking authenticate {...} for more modules to load > //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap':
So.... was that module built? Apparently not...
> When trying with a single server ,it matches the radius request against > rlm_pap and not rlm_ldap. I am confused.
Perhaps reading the debug output (and that of "configure" and "make") would help.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/usershtml
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
But I don't have a field in the database by that name .
No, you don't. I am talking about ldap section of radiusd.conf. You need to set the appropriate radius password attribute. http://wiki.freeradius.org/index.php/Rlm_ldap
Also , my question on failover. Is the failover used when the first LDAP server is down / unresponsive to connection attempts or when it is not able to authenticate (example bad username / password) ?
No response or no user in that ldap database. If the user is present but password is wrong user will be rejected. Ivan Kalik Kalik Informatika ISP
Hello , Maybe I didn't as the correct question previously. Is it that failover works only when the first LDAP server is not reachable ? In my case both servers are reachable. I want to configure a case where if the login fails in one of the servers , the other one is tried. Thanks Sambuddho On Wed, 2008-07-02 at 23:45 +0100, Ivan Kalik wrote:
http://wiki.freeradius.org/index.php/Rlm_ldap
See use of password_header and password_attribute.
Ivan Kalik Kalik Informatika ISP
Dana 2/7/2008, "Sambuddho Chakravarty" <sc2516@columbia.edu> piše:
Hello I think I know what the problem is. The radius server is looking up using cleartext password , while the LDAP data base stores the hashed passwords. How can I force the radiuse server to search for the password as a hashed value (rather than searching for the clear-text value) ?
Thanks Sambuddho On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
Hello Alan I made sure this time that rlm_ldap was compiled. Now the following is the configuration
------/etc/raddb/modules/ldap-----------
ldap ldap1 { server = "a.b.c.d" ... }
ldap ldap2 { server = "w.x.y.z" ... }
-----/etc/raddb/radiusd.conf-----
authorize { ldap1
ldap2
}
authenticate { ldap1 ldap2 }
------------------------------------
When I execute /sbin/radiusd -X
It shows instantiating module ldap1 and module ldap2
.... Module: Instantiating ldap2 ldap ldap1 { server = "a.b.c.d" port = 389 .... Module: Instantiating ldap2 ldap ldap2 { server = "w.x.y.z" port = 389 ....
When sending a radtest request using the following command (from the same machine as one which is running the server)
$ radtest user "secret" localhost 2 testing123
I get ACCESS-REJECT reply from the sever.
On the server the logs show something like this --------------------------------------------------- It shows binding to both LDAP servers one by one through something like this :
rlm_ldap: performing user authorization for catch WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch) expand: ou=People,dc=example,dc=example -> ou=People,dc=example,dc=example rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0 rlm_ldap: bind as / to 30.0.0.2:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,dc=example,dc=example, with filter (uid=catch) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap1] returns notfound rlm_ldap: - authorize rlm_ldap: performing user authorization for catch WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch) expand: ou=People,dc=example,dc=example -> ou=People,dc=example,dc=example rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0 rlm_ldap: bind as / to 10.0.0.1:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,dc=example,dc=example, with filter (uid=catch) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap2] returns notfound
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user.
You can see it is attempting to search both databases but fails. If I use a simple telnet or ssh to authenticate against the LDAP server it logs in fine. LDAP client login against the LDAP server is otherwise working fine. I know I have been bothering using trivial question. But any help would be appreciated :-)
Thanks in advance. Sambuddho
On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote:
Sambuddho Chakravarty wrote:
This is exactly what I did . I forgot to put the separate module names
The consistent problems you see make me think that the issue is more than "forgot".
And now when I try to start the server this is what the error I see :
server { modules { Module: Checking authenticate {...} for more modules to load //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap':
So.... was that module built? Apparently not...
When trying with a single server ,it matches the radius request against rlm_pap and not rlm_ldap. I am confused.
Perhaps reading the debug output (and that of "configure" and "make") would help.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello Ivan Problem still persists. What do you mean by the {crypt} header. These are simple /etc/passwd file converted into a ldif database using LDAP Migration Scripts from padl.com This is what the logs look like (supplied clear text passwd - from radtest) rlm_ldap: bind as uid=try,ou=People,dc=example,dc=com/trialanderror to 30.0.0.2:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind failed with invalid credentials ++[ldap1] returns reject auth: Failed to validate the user. Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> try attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Thanks Sambuddho On Wed, 2008-07-02 at 23:45 +0100, Ivan Kalik wrote:
http://wiki.freeradius.org/index.php/Rlm_ldap
See use of password_header and password_attribute.
Ivan Kalik Kalik Informatika ISP
Dana 2/7/2008, "Sambuddho Chakravarty" <sc2516@columbia.edu> piše:
Hello I think I know what the problem is. The radius server is looking up using cleartext password , while the LDAP data base stores the hashed passwords. How can I force the radiuse server to search for the password as a hashed value (rather than searching for the clear-text value) ?
Thanks Sambuddho On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
Hello Alan I made sure this time that rlm_ldap was compiled. Now the following is the configuration
------/etc/raddb/modules/ldap-----------
ldap ldap1 { server = "a.b.c.d" ... }
ldap ldap2 { server = "w.x.y.z" ... }
-----/etc/raddb/radiusd.conf-----
authorize { ldap1
ldap2
}
authenticate { ldap1 ldap2 }
------------------------------------
When I execute /sbin/radiusd -X
It shows instantiating module ldap1 and module ldap2
.... Module: Instantiating ldap2 ldap ldap1 { server = "a.b.c.d" port = 389 .... Module: Instantiating ldap2 ldap ldap2 { server = "w.x.y.z" port = 389 ....
When sending a radtest request using the following command (from the same machine as one which is running the server)
$ radtest user "secret" localhost 2 testing123
I get ACCESS-REJECT reply from the sever.
On the server the logs show something like this --------------------------------------------------- It shows binding to both LDAP servers one by one through something like this :
rlm_ldap: performing user authorization for catch WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch) expand: ou=People,dc=example,dc=example -> ou=People,dc=example,dc=example rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0 rlm_ldap: bind as / to 30.0.0.2:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,dc=example,dc=example, with filter (uid=catch) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap1] returns notfound rlm_ldap: - authorize rlm_ldap: performing user authorization for catch WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch) expand: ou=People,dc=example,dc=example -> ou=People,dc=example,dc=example rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0 rlm_ldap: bind as / to 10.0.0.1:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,dc=example,dc=example, with filter (uid=catch) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap2] returns notfound
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user.
You can see it is attempting to search both databases but fails. If I use a simple telnet or ssh to authenticate against the LDAP server it logs in fine. LDAP client login against the LDAP server is otherwise working fine. I know I have been bothering using trivial question. But any help would be appreciated :-)
Thanks in advance. Sambuddho
On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote:
Sambuddho Chakravarty wrote:
This is exactly what I did . I forgot to put the separate module names
The consistent problems you see make me think that the issue is more than "forgot".
And now when I try to start the server this is what the error I see :
server { modules { Module: Checking authenticate {...} for more modules to load //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap':
So.... was that module built? Apparently not...
When trying with a single server ,it matches the radius request against rlm_pap and not rlm_ldap. I am confused.
Perhaps reading the debug output (and that of "configure" and "make") would help.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Problem still persists. What do you mean by the {crypt} header.
From RFC2256:
5.36. userPassword ( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} ) Passwords are stored using an Octet String syntax and are not encrypted. Since you are intent on violating RFC you need to add a password header to indicate what type of encryption is used.
rlm_ldap: waiting for bind result ... rlm_ldap: Bind failed with invalid credentials ++[ldap1] returns reject auth: Failed to validate the user.
Without the header userPassword is treated as clear text (not crypted value) and that does't match. Ivan Kalik Kalik Informatika ISP
Hello Ivan Does that mean that I cannot authenticate against a LDAP server from a freeradius server using cleartext passwords. So the freeradius client needs to send the password in encrypted format. But other programs which using LDAP server to authenticate (eg. the pam_ldap ) takes as input the cleartext password. Is there a solution to this ? Maybe I am mistaken somewhere . Please let me know. Thanks Sambuddho On Fri, 2008-07-04 at 09:56 +0100, Ivan Kalik wrote:
Problem still persists. What do you mean by the {crypt} header.
From RFC2256:
5.36. userPassword
( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
Passwords are stored using an Octet String syntax and are not encrypted.
Since you are intent on violating RFC you need to add a password header to indicate what type of encryption is used.
rlm_ldap: waiting for bind result ... rlm_ldap: Bind failed with invalid credentials ++[ldap1] returns reject auth: Failed to validate the user.
Without the header userPassword is treated as clear text (not crypted value) and that does't match.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Interestingly the bind as the root DN works with password supplied in clear-text through the ldap {} module... Thanks Sambuddho On Sat, 2008-07-05 at 18:03 -0400, Sambuddho Chakravarty wrote:
Hello Ivan Does that mean that I cannot authenticate against a LDAP server from a freeradius server using cleartext passwords. So the freeradius client needs to send the password in encrypted format. But other programs which using LDAP server to authenticate (eg. the pam_ldap ) takes as input the cleartext password. Is there a solution to this ? Maybe I am mistaken somewhere . Please let me know. Thanks Sambuddho On Fri, 2008-07-04 at 09:56 +0100, Ivan Kalik wrote:
Problem still persists. What do you mean by the {crypt} header.
From RFC2256:
5.36. userPassword
( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
Passwords are stored using an Octet String syntax and are not encrypted.
Since you are intent on violating RFC you need to add a password header to indicate what type of encryption is used.
rlm_ldap: waiting for bind result ... rlm_ldap: Bind failed with invalid credentials ++[ldap1] returns reject auth: Failed to validate the user.
Without the header userPassword is treated as clear text (not crypted value) and that does't match.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sambuddho Chakravarty wrote:
Does that mean that I cannot authenticate against a LDAP server from a freeradius server using cleartext passwords.
No. That is not what he said.
So the freeradius client needs to send the password in encrypted format.
No. That is not what he said.
But other programs which using LDAP server to authenticate (eg. the pam_ldap ) takes as input the cleartext password.
We know. We've been doing this for years.
Is there a solution to this ?
Do what Ivan said.
Maybe I am mistaken somewhere.
Lots.
Please let me know.
We're trying to help you. It's not working. Alan DeKok.
Hello Alan and Ivan My intent is not to pester you with my queries but the problem is still what it was initially. Ill once again tell you the configuration that I am using. ------------------------radiusd.conf----------------------------------- /* Most of the stuff is untouched. */ /* Added authenticate{} and authorize{} section */ authenticate { ldap1 ldap2 } authorize{ ldap1 ldap2 } -----------------module/ldap------------------------------ ldap ldap1{ # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "...." identity = "....." password = ..... basedn = "ou=People,dc=example,dc=com" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" ldap_connections_number = 5 password_header="{crypt}" password_attribute=userPassword password_radius_attribute=Crypt-Password ..... } ldap ldap1{ # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "...." identity = "....." password = ..... basedn = "ou=People,dc=example,dc=com" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" ldap_connections_number = 5 password_header="{crypt}" password_attribute=userPassword password_radius_attribute=Crypt-Password ..... } 'users' and 'client' file is unchanged. I run the server with the following command line options. 'radiusd -X' To test I run the radtest tool with the following option. radtest catch "catchall" localhost 2 testing123 Here catch and catchall are user and password in the LDAP database created from a unix account on the host hosting the LDAP database. The migration from the regular unix /etc/passwd to the LDIF file was done using the migration tools. The reply received was rad_recv: Access-Reject. The following was the debug output from the server. rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=catch) rlm_ldap: Added User-Password = $1$FYblmPWy$fmgebhCOLpHvhdECNP4EG0 in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user catch authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap2] returns ok !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type Local auth: user supplied User-Password does NOT match local User-Password auth: Failed to validate the user. Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> catch attr_filter: Matched entry DEFAULT at line 11 Please point me out what may have possibly gone wrong. Another observation : 1. When I try to test using the username 'try' stored in the other ldap database, it doesn't search in the other LDAP server but only searches in the one which doesn't have it and fails. 2. The problem in (1) doesn't occur when I comment out the 'password_attribute' line in the modules/ldap file. It then searches the appropriate LDAP database , however fails with the following output. rlm_ldap: waiting for bind result ... rlm_ldap: Bind failed with invalid credentials Please advice. Thanks Sambuddho On Sun, 2008-07-06 at 08:06 +0200, Alan DeKok wrote:
Sambuddho Chakravarty wrote:
Does that mean that I cannot authenticate against a LDAP server from a freeradius server using cleartext passwords.
No. That is not what he said.
So the freeradius client needs to send the password in encrypted format.
No. That is not what he said.
But other programs which using LDAP server to authenticate (eg. the pam_ldap ) takes as input the cleartext password.
We know. We've been doing this for years.
Is there a solution to this ?
Do what Ivan said.
Maybe I am mistaken somewhere.
Lots.
Please let me know.
We're trying to help you. It's not working.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sambuddho Chakravarty wrote:
My intent is not to pester you with my queries but the problem is still what it was initially. Ill once again tell you the configuration that I am using.
The difficulty I'm having is being *able* to help you. At this point it's clear that the documentation isn't helping you, and neither are the answers on this list.
------------------------radiusd.conf-----------------------------------
/* Most of the stuff is untouched. */
/* Added authenticate{} and authorize{} section */
Why? Have you even bothered trying to understand how the server works? Are you completely un-aware of the existing documentation and sample configuration files? You seem insistent on ignoring the examples, ignoring the documentation, and ignoring the responses on this list.
Please point me out what may have possibly gone wrong.
We did. You were given clear directions on what to do. You failed to follow the directions. At this point, I have to say that there's no point in you continuing to post questions until you've managed to follow the instructions to your previous questions. Alan DeKok.
Hello Alan I went through the documentation on the website and in the doc/ directory in the source distribution. I read through the ldap_howto.txt. Is that the example you refer to ? (Thats the only one I found with the source distribution). It had many components that I dont require. I scrolled down the find the freeradius configuration. But I am still now clear how to exactly tailor it for my needs. Is there an example / url I can use as reference ? Am I looking at the wrong place ? Thanks Sambuddho On Sun, 2008-07-06 at 19:15 +0200, Alan DeKok wrote:
Sambuddho Chakravarty wrote:
My intent is not to pester you with my queries but the problem is still what it was initially. Ill once again tell you the configuration that I am using.
The difficulty I'm having is being *able* to help you. At this point it's clear that the documentation isn't helping you, and neither are the answers on this list.
------------------------radiusd.conf-----------------------------------
/* Most of the stuff is untouched. */
/* Added authenticate{} and authorize{} section */
Why? Have you even bothered trying to understand how the server works? Are you completely un-aware of the existing documentation and sample configuration files?
You seem insistent on ignoring the examples, ignoring the documentation, and ignoring the responses on this list.
Please point me out what may have possibly gone wrong.
We did. You were given clear directions on what to do. You failed to follow the directions.
At this point, I have to say that there's no point in you continuing to post questions until you've managed to follow the instructions to your previous questions.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
I went through the documentation on the website and in the doc/ directory in the source distribution. I read through the ldap_howto.txt. Is that the example you refer to ? (Thats the only one I found with the source distribution). It had many components that I dont require. I scrolled down the find the freeradius configuration. But I am still now clear how to exactly tailor it for my needs. Is there an example / url I can use as reference ? Am I looking at the wrong place ?
first basic question. why did you add an authenticate and authorise section to radiusd.conf? that stuff is already in the sites-enabled/default file - which gets read and used on server startup. if you have to edit such entries, edit them in the right place. radiusd.conf now is a very basic file which sets up logging, imports other conf files and a few other mundane things. what you COULD do, and what is 'reasonable' is to rename the sites-enabled/default file to something like sites-enabled/my-service and then edit it for your required service. alan
Does that mean that I cannot authenticate against a LDAP server from a freeradius server using cleartext passwords.
But you are not using cleartext passwords. Passwords in ldap are encrypted.
So the freeradius client needs to send the password in encrypted format. But other programs which using LDAP server to authenticate (eg. the pam_ldap ) takes as input the cleartext password. Is there a solution to this ?
You need to add a header to the userPassword field. If you don't know what password header is and how to do that, ask on the ldap list. Ivan Kalik Kalik Informatika ISP
Hello Ivan The ldap database has passwords have the '{crypt}' header. What I meant by cleartext passwords is that I am typing in the password in clear text in the radtest program. Thanks Sambuddho On Mon, 2008-07-07 at 10:08 +0100, Ivan Kalik wrote:
Does that mean that I cannot authenticate against a LDAP server from a freeradius server using cleartext passwords.
But you are not using cleartext passwords. Passwords in ldap are encrypted.
So the freeradius client needs to send the password in encrypted format. But other programs which using LDAP server to authenticate (eg. the pam_ldap ) takes as input the cleartext password. Is there a solution to this ?
You need to add a header to the userPassword field. If you don't know what password header is and how to do that, ask on the ldap list.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello Ivan and Alan Thanks a lot for tolerating my pestering. It has worked. The problem was with the PAP module. The auto header detection was turned off. It works perfectly now. Thanks Sambuddho On Mon, 2008-07-07 at 10:08 +0100, Ivan Kalik wrote:
Does that mean that I cannot authenticate against a LDAP server from a freeradius server using cleartext passwords.
But you are not using cleartext passwords. Passwords in ldap are encrypted.
So the freeradius client needs to send the password in encrypted format. But other programs which using LDAP server to authenticate (eg. the pam_ldap ) takes as input the cleartext password. Is there a solution to this ?
You need to add a header to the userPassword field. If you don't know what password header is and how to do that, ask on the ldap list.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
ldap ldap1 { .. } ldap ldap2 { .. } Ivan Kalik Kalik Informatika ISP Dana 1/7/2008, "Sambuddho Chakravarty" <sc2516@columbia.edu> piše:
Hello But this never really worked. I did exactly this . The ldap1 and ldap2 are files with the follwoing
/etc/raddb/modules/ldap1----------------------------------------------------------------
ldap { server = "30.0.0.2" basedn = "ou=People,cu=example,c=com" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" port = 389 ldap_connections_number = 5
timeout = 40
timelimit = 30 net_timeout = 10 tls { start_tls = no
require_cert = "demand" }
dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no }
/etc/raddb/modules/ldap2---------------------------------------
ldap { server = "10.0.0.1" basedn = "ou=People,cu=example,c=com" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" port = 389 ldap_connections_number = 5
timeout = 40
timelimit = 30 net_timeout = 10 tls { start_tls = no
require_cert = "demand" }
dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no }
----------------------------------------------------------------------------------
The only difference in both files is the LDAP server IP address . When I did as I mentioned in my previous email and executed /sbin/radiusd -X -C the execution ended with the following error
Module: Checking authenticate {...} for more modules to load //etc/raddb/radiusd.conf[757]: Failed to find module "ldap1". //etc/raddb/radiusd.conf[756]: Errors parsing authenticate section. }
Also , one more observation, when having a single LDAP server and when it actually worked fine, the debug messages showed
found rlm_pap. While I think it should be showing rlm_ldap . Why is this so. But authentication worked fine and the client received a ACCESS-ACCEPT message as reply.
Thanks Sambuddho
On Thu, 2008-06-19 at 13:50 -0400, Sambuddho Chakravarty wrote:
Do you mean something like this
authorize { redundant { ldap1 ldap2 } }
authenticate { ldap1 ldap2 }
The reason I list them here is to use them for authentication against multiple LDAP servers whose configuration information is in the two files modules/ldap1 and modules/ldap2. Does this look valid ?
Thanks Sambuddho
On Thu, 2008-06-19 at 09:35 +0200, Alan DeKok wrote:
Sambuddho Chakravarty wrote:
Yes , but on a freeradius-2.05 , when I create a separate authenticate {} and authorize {} subsection and plug in the following :
authorize { Autz-Type LDAP {
You don't need to use Autz-Type in 2.0.
authenticate { Auth-Type LDAP{ redundant{
Don't use redundant sections here. Just list the two LDAP modules independently. The LDAP server that was used in the authorize section will ensure that it is also used in the authenticate section.
${confdir}/modules/ldap1
And I hope that's not what I think it is.
It doesn't work.
See the FAQ for "it doesn't work".
Here the ldap1 and ldap2 are two separate files in the /etc/raddb/modules directory and have separate ldap server IP addresses. Can anyone please point out to me where I am going wrong ?
Lots. The major one is that you are putting the module *configuration* into the authorize and authenticate sections. I have no idea why you think that's a good idea. The examples included in the server DO NOT DO THIS.
The files in the "modules" directory belong in the "modules" section of radiusd.conf. This is documented in the comments, and in many examples.
The entries in the "authorize" and "authenticate" sections are simply a one-word reference to the name of a module. Again, this is documented in the comments and in many examples.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Chris -
Ivan Kalik -
Sambuddho Chakravarty