Hi, Comments inlined. On Tue, 2005-07-12 at 11:15 -0700, jp@joshmp.com wrote:
I appologize in advance, but I am new to FreeRADIUS and RADIUS in general.
Here is my setup: - Server with FreeRADIUS 1.0.4 --with-edir on FreeBSD 4.11 - Server with NetWare 6.5.4
Here is what I am trying to accomplish: - Get FreeRADIUS to authenticate VPN users (Cisco VPN Contentrator) to LDAP database in NetWare tree.
Here is what I DON'T want to do: - Mess with eDirectory (profiles, extending the schema, etc.)
Basically, when this configuration is moved into production, FreeRADIUS would authenticate users who IDs already exist in a complex, mature NetWare eDir tree. I don't want to mess with Universal Passwords, extending the schema, etc. I have already sucessfully configured the Cisco VPN Concentrator to authenticate users using FreeRADIUS and the UNIX users list. However, I can't get FreeRADIUS to successfully query the LDAP database on the NetWare server.
I have been through Novell's documentation, but their docs include building RADIUS profiles, extending the schema, etc. This is something that I am not going to be able to do. I have also been up and down the web, FreeRADIUS mail lists, docs, etc. I have found threads where it is mentioned that you can get FreeRADIUS to authenticate users to a NetWare LDAP directory using cleartext, but I have not been able to do this myself.
I would like to take this in stages: 1. Succesfully query LDAP without security (with the assumption that this would be the easiest first step). The debug output shows that FreeRADIUS is already doing this, 2. Get FreeRADIUS to query LDAP securely. This also can be configured.
Below you will find the following: - Text from radiusd.conf file - Output from radiusd -X - Text from radius.log file
<- Snipped,....
# Lightweight Directory Access Protocol (LDAP) # # This module definition allows you to use LDAP for # authorization and authentication (Auth-Type := LDAP) # # See doc/rlm_ldap for description of configuration options # and sample authorize{} and authenticate{} blocks ldap { server = "10.1.1.71" identity = "cn=admin,o=radius" password = pass basedn = "o=radius" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)"
# set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS
extended
# operation. # The StartTLS operation is supposed to be used with
normal
# ldap connections instead of using ldaps (port 689)
connections
start_tls = no
Set start_tls = yes for making a secure connection to eDirectory.
# tls_cacertfile = /path/to/cacert.pem
Set the path to eDirectory CA cert here.
# tls_cacertdir = /path/to/ca/dir/ # tls_certfile = /path/to/radius.crt # tls_keyfile = /path/to/radius.key # tls_randfile = /path/to/rnd # tls_require_cert = "demand"
# default_profile = "cn=radprofile,ou=dialup,o=My
Org,c=UA"
# profile_attribute = "radiusProfileDn" # access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
# # NOTICE: The password_header directive is NOT case
insensitive
# # password_header = "{clear}" # # Set: password_attribute = nspmPassword
Set password_attribute to anything other than nspmPassword or comment out this attribute. This will make sure FreeRADIUS does not try to read Universal Password.
# # to get the user's password from a Novell
eDirectory
# backend. This will work *only if* freeRADIUS is # configured to build with --with-edir option. # # # The server can usually figure this out on its
own, and pull
# the correct User-Password or NT-Password from the
database.
# # Note that NT-Passwords MUST be stored as a
32-digit hex
# string, and MUST start off with "0x", such as: # # 0x000102030405060708090a0b0c0d0e0f # # Without the leading "0x", NT-Passwords will not
work.
# This goes for NT-Passwords stored in SQL, too. # # password_attribute = userPassword # # Un-comment the following to disable Novell
eDirectory account
# policy check and intruder detection. This will
work *only if*
# FreeRADIUS is configured to build with --with-edir
option.
# edir_account_policy_check=yes # # groupname_attribute = cn # groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 # compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes }
<-Snipped....
Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:2302, id=75, length=57 User-Name = "admin" User-Password = "pass" NAS-IP-Address = 255.255.255.255 NAS-Port = 10 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "admin", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for admin radius_xlat: '(uid=admin)' radius_xlat: 'o=radius' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 10.1.1.71:389, authentication 0 rlm_ldap: bind as cn=admin,o=radius/pass to 10.1.1.71:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in o=radius, with filter (uid=admin) As you can see FreeRADIUS is already querying eDirectory for user information. rlm_ldap: Error reading Universal Password.Return Code = 80 See comments on password_attribute. rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user admin authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type System The Auth-Type is set to System. I reckon this is done by one of the default entries in users file. What is the authentication mechanism you want to use? If you want to use authentication methods like CHAP, MS-CHAP, EAP etc you will have to enable Universal Password. However if you just want to authenticate against eDirectory with plain text password then you need not read Universal Password. You must enable the ldap module in the authenticate section. auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 modcall[authenticate]: module "unix" returns notfound for request 0 modcall: group authenticate returns notfound for request 0 auth: Failed to validate the user. Processing the post-auth section of radiusd.conf modcall: entering group Post-Auth-Type for request 0 modcall[post-auth]: module "ldap" returns noop for request 0 modcall: group Post-Auth-Type returns noop for request 0 Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 75 to 127.0.0.1:2302 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 75 with timestamp 42d39d5d Nothing to do. Sleeping until we see a request. -----END RADIUSD DEBUG-----
The line that I find disturbing is the "error reading Universal Password" line. I assume that I must edit my config in some way so that FreeRADIUS is not attempting to read a Universal Password, or somehow tells NLDAP not to send a Universal Password.
Hope this helps. Get back to me in case you have any further queries. -Sayantan.
participants (1)
-
Sayantan Bhowmick