Hi all I have an issue where i'm trying to use realms to determine what LDAP server to authenticate a user against. What seems to happen is that the realm in my users file is never matched and hence the authentication fails. Any help would be greatly appreciated. My users file is - DEFAULT Realm == "NULL", Auth-Type := ldap-default, Autz-Type := ldap-default DEFAULT Realm == "test.com", Auth-Type :=test.com, Autz-Type := test.com DEFAULT Auth-Type := Reject my proxy.conf has the following - realm test.com { type = radius authhost = LOCAL accthost = LOCAL nostrip } realm NULL { type = radius authhost = LOCAL accthost = LOCAL } realm LOCAL { type = radius authhost = LOCAL accthost = LOCAL } The radius.conf is - prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = /usr/sbin logdir = ${localstatedir}/log/radius raddbdir = /etc/raddb radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run log_file = ${logdir}/radiusd.log pidfile = ${run_dir}/radiusd.pid user = radiusd group = radiusd libdir = /usr/lib/freeradius max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 256 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = yes log_auth = yes log_auth_badpass = yes log_auth_goodpass = no usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = yes $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf snmp = no thread pool { start_servers = 1 max_servers = 4 min_spare_servers = 1 max_spare_servers = 3 max_requests_per_server = 0 } modules { pap { #auto_header = yes encryption_scheme = crypt } chap { authtype = CHAP } $INCLUDE ${confdir}/eap.conf mschap { authtype = MS-CHAP use_mppe = yes require_encryption = yes require_strong = yes authtype = MS-CHAP # with_ntdomain_hack = yes } files { usersfile = ${confdir}/users compat = no } ### Added ldap test.com { server = "ldap1.test.com" #port = 389 port = 636 identity = "cn=xxxx" password = "xxx" basedn = "o=xxx" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" tls_mode = yes tls_cacertfile = /etc/raddb/certs/cert.b64 tls_cacertdir = /etc/raddb/certs/ dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 edir_account_policy_check=no timeout = 4 timelimit = 3 net_timeout = 1 set_auth_type = yes password_attribute = nspmPassword } ldap ldap-default { server = "ldap1.test.com" #port = 389 port = 636 identity = "cn=xxxl" password = "xxx" basedn = "o=xxx" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" tls_mode = yes tls_cacertfile = /etc/raddb/certs/cert.b64 tls_cacertdir = /etc/raddb/certs/ dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 edir_account_policy_check=no timeout = 4 timelimit = 3 net_timeout = 1 set_auth_type = yes password_attribute = nspmPassword } ### // realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } ### Added Auth-Type test.com { test.com } Auth-Type ldap-default { ldap-default } ### // eap } authorize { chap mschap eap files ### Added Autz-Type test.com { test.com } Autz-Type ldap-default { ldap-default } ### // } post-auth { ldap-default Post-Auth-Type REJECT { ldap-default } } I then see the following - rad_recv: Access-Request packet from host xxx:40485, id=38, length=63 User-Name = "auto@test.com" User-Password = "xx" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 2 users: Matched entry DEFAULT at line 9 modcall[authorize]: module "files" returns ok for request 2 modcall: leaving group authorize (returns ok) for request 2 rad_check_password: Found Auth-Type Reject rad_check_password: Auth-Type = Reject, rejecting user auth: Failed to validate the user. Login incorrect: [auto@test.com/xxx] (from client xxx port 0) Found Post-Auth-Type Processing the post-auth section of radiusd.conf modcall: entering group REJECT for request 2 modcall[post-auth]: module "ldap-default" returns noop for request 2 modcall: leaving group REJECT (returns noop) for request 2 Delaying request 2 for 1 seconds Finished request 2 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list ---
I have an issue where i'm trying to use realms to determine what LDAP server to authenticate a user against. What seems to happen is that the realm in my users file is never matched and hence the authentication fails. Any help would be greatly appreciated.
...
authorize { chap mschap eap files ### Added Autz-Type test.com { test.com } Autz-Type ldap-default { ldap-default } ### // } ...
You removed suffix. If you added things to default configuration - it would of worked. Butchering the configuration like this is an easy way to get in trouble. Start with the default configuration; add things you need to add; when it works, remove things you think you don't need one by one cheking that everything still works - if you remove something vital you will know straight away. Ivan Kalik Kalik Informatika ISP
participants (2)
-
EMP -
Ivan Kalik