ldap authentication failure
Hi all, I am facing problems with Ldap and freeradius on RedHat linux AS 4. I can sucessfully authenticate with windows xp machines with freeradius local "users" file and md5 using cisco 2950. Radtest is successful for the ldapusers, but the radius -X shows "rlm_ldap: Attribute "User-Password" is required for authentication. & modcall[authenticate]: module "ldap" returns invalid for request 0" Any help will be appreciated. Thanks I am using the configuration file from the source file. ------------------- [root@localhost ~]# cat /etc/raddb/radiusd.conf prefix = /usr exec_prefix = ${prefix} sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = /usr/lib/freeradius pidfile = ${run_dir}/radiusd.pid user = radiusd group = radiusd max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 0 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = no log_auth_badpass = no log_auth_goodpass = no # The program to execute to do concurrency checks. #checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 0 status_server = no } proxy_requests = yes $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { ldap { server = "10.10.29.251" #identity = "uid=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com" #identity = "cn=Manager,dc=example,dc=com" #password = password basedn = "ou=people,dc=example,dc=com" #filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile)" start_tls = no tls_mode = no #default_profile = "uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com" #profile_attribute = "radiusProfileDn" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_cache_timeout = 120 ldap_cache_size = 0 ldap_connections_number = 10 #password_header = "{crypt}" password_attribute = userPassword #groupname_attribute = radiusGroupName #groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}}))(objectclass=radiusProfile)" #groupmembership_attribute = radiusGroupName timeout = 3 timelimit = 5 net_timeout = 1 compare_check_items = no #access_attr_used_for_allow = yes } realm suffix { format = suffix delimiter = "@" } preprocess { huntgroups = ${confdir}/huntgroups #hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users #acctusersfile = ${confdir}/acct_users compat = no #use old style users } # regular detail files detail detail1 { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 dirperm = 0755 } # temp detail file to replicate to accountrad detail detail2 { detailfile= ${radacctdir}/detail-combined detailperm = 0600 dirperm = 0755 locking = yes } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address,Client-IP-Address, NAS-Port-Id" } #radutmp { # filename = ${logdir}/radutmp # perm = 0600 # callerid = "yes" #} #radutmp sradutmp { # filename = ${logdir}/sradutmp # perm = 0644 # callerid = "no" #} #attr_filter { # attrsfile = ${confdir}/attrs #} # The "always" module is here for debugging purposes. Each # instance simply returns the same result, always, without # doing anything. always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } # # The 'expression' module current has no configuration. expr { } } instantiate { expr } authorize { preprocess suffix files ldap } authenticate { authtype LDAP { ldap } } preacct { preprocess suffix files } accounting { acct_unique detail1 detail2 #radutmp #sradutmp } #session { #radutmp #} #post-auth { # Get an address from the IP Pool. #main_pool #} ---------------------------------------- The ldif file dn: uid=ldapuser5,ou=People,dc=example,dc=com uid: ldapuser5 cn: ldapuser5 userPassword: {crypt}$1$1jD47Q.o$o.Aqkoe/Z7au.phSO6ULW1 objectclass: radiusprofile objectClass: account #objectClass: posixAccount objectClass: top objectClass: shadowAccount radiusServiceType: Framed-User radiusFramedProtocol: Ethernet radiusFramedIPNetmask: 255.255.255.0 radiusFramedRouting: None --------------------------------------------------------------------------------------------------------- Ready to process requests. rad_recv: Access-Request packet from host 10.10.29.49:1812, id=61, length=133 NAS-IP-Address = 10.10.29.49 NAS-Port = 50035 NAS-Port-Type = Ethernet User-Name = "ldapuser5" Called-Station-Id = "00-14-69-B1-DE-63" Calling-Station-Id = "00-11-85-81-FE-9F" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x0200000e016c6461707573657235 Message-Authenticator = 0xa87b5810daf6ae5596070a302b227a3a Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_realm: No '@' in User-Name = "ldapuser5", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 users: Matched DEFAULT at 153 users: Matched DEFAULT at 157 users: Matched DEFAULT at 175 users: Matched DEFAULT at 204 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for ldapuser5 radius_xlat: '(uid=ldapuser5)' radius_xlat: 'ou=people,dc=example,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 10.10.29.251:389, authentication 0 rlm_ldap: bind as / to 10.10.29.251:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=people,dc=example,dc=com, with filter (uid=ldapuser5) rlm_ldap: Added password {crypt}$1$1jD47Q.o$o.Aqkoe/Z7au.phSO6ULW1 in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusFramedRouting as Framed-Routing, value None & op=11 rlm_ldap: Adding radiusFramedIPNetmask as Framed-IP-Netmask, value 255.255.255.0 & op=11 rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value Ethernet & op=11 rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & op=11 rlm_ldap: user ldapuser5 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group authtype for request 0 rlm_ldap: - authenticate rlm_ldap: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "ldap" returns invalid for request 0 modcall: group authtype returns invalid for request 0 auth: Failed to validate the user. Sending Access-Reject of id 61 to 10.10.29.49:1812 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 61 with timestamp 44458f3a Nothing to do. Sleeping until we see a request. Abey Babu Thomas
"Abey Thomas" <abeyth@gmail.com> wrote:
I am facing problems with Ldap and freeradius on RedHat linux AS 4. I can sucessfully authenticate with windows xp machines with freeradius local "users" file and md5 using cisco 2950. Radtest is successful for the ldapusers, but the radius -X shows "rlm_ldap: Attribute "User-Password" is required for authentication. & modcall[authenticate]: module "ldap" returns invalid for request 0"
See the list archives. You have told the server to use LDAP for authentication, and the server received an EAP request. LDAP servers don't do EAP.
I am using the configuration file from the source file.
No, you're not. You edited it to break it.
authorize { preprocess suffix files ldap }
Note: no EAP.
rad_recv: Access-Request packet from host 10.10.29.49:1812, id=61, length=133 ... EAP-Message = 0x0200000e016c6461707573657235
You sent the server an EAP message, but you previously told the server to NOT do EAP. What do you expect will happen? Use the default configuration files that come with 1.1.1. Change ONLY enough to configure the LDAP module. It WILL work. Alan DeKok.
participants (2)
-
Abey Thomas -
Alan DeKok