I've tried to authenticate to an LDAP server through RADIUS using the rlm_ldap module.... I'm using freeradius 1.1.0 with OpenLdap 2.1.8 with a bdb backend. The problem is that rlm_ldap module binds successfully to an authentication request in the authorization section, but fails to bind when its tryin to authenticate.... log for RADIUS server is given below along with the LDAP configuration... plz help me out /** In the client terminal ,now i've tried to authenticate with user : ldapuser* [root@localhost ~]# radtest ldapuser ldapuser localhost 2 testing123 Sending Access-Request of id 119 to 127.0.0.1 port 1812 User-Name = "ldapuser" User-Password = "ldapuser" NAS-IP-Address = 255.255.255.255 NAS-Port = 2 rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=119, length=20 * ** ** /*/ On the server side, response to ldapuser user authentication request...* rad_recv: Access-Request packet from host 127.0.0.1:32769, id=119, length=60 User-Name = "ldapuser" User-Password = "ldapuser" NAS-IP-Address = 255.255.255.255 NAS-Port = 2 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 radius_xlat: '/usr/local//var/log/radius/radacct/127.0.0.1/auth-detail-20060403' rlm_detail: /usr/local//var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local//var/log/radius/radacct/127.0.0.1/auth-detail-20060403 modcall[authorize]: module "auth_log" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "ldapuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 158 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for ldapuser radius_xlat: '(uid=ldapuser)' radius_xlat: 'ou=People,dc=example,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as / to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=ldapuser) rlm_ldap: Added password {crypt}$1$nwby/I64$ORzJuBh4/Ec3c.FAt2oqV0 in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user ldapuser authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group LDAP for request 0 rlm_ldap: - authenticate rlm_ldap: login attempt by "ldapuser" with password "ldapuser" rlm_ldap: user DN: uid=ldapuser,ou=People,dc=example,dc=com rlm_ldap: (re)connect to localhost:389, authentication 1 rlm_ldap: bind as uid=ldapuser,ou=People,dc=example,dc=com/ldapuser to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind failed with invalid credentials modcall[authenticate]: module "ldap" returns reject for request 0 modcall: leaving group LDAP (returns reject) for request 0 auth: Failed to validate the user. Login incorrect (rlm_ldap: Bind as user failed): [ldapuser] (from client localhost port 2) Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 119 to 127.0.0.1 port 32769 Waking up in 4 seconds... *// THE CONFIGURATION DETAILS REQUIRED FOR RLM_LDAP AUTHENTICATION ARE BELOW * * * */* **example.com.ldif (base entries added to LDAP database)* * * Dn: dc=example,dc=com Objectclass: dcObject Objectclass : organization o: Example company dc: example * * dn: cn=manager,dc=example,dc=com objectclass: organizationalRole cn: manager dn: ou=people,dc=example,dc=com ou: people description: All people in the organization objectClass: dcObject objectClass: organizationalUnit dc: example * * * * */*** ldapuser.ldif (details of user account for authentication added to the LDAP database */* * * dn: uid=ldapuser,ou=People,dc=example,dc=com uid: ldapuser cn: ldapuser objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount userPassword: {crypt}$1$nwby/I64$ORzJuBh4/Ec3c.FAt2oqV0 shadowLastChange: 13238 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 503 gidNumber: 100 homeDirectory: /home/ldapuser /* *radiusd.conf (LDAP MODULE)* * * ldap { server = "localhost" # identity = "cn=admin,o=My Org,c=UA" # password = mypass basedn = "ou=People,dc=example,dc=com" password_attribute = "userPassword" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" # base_filter = "(objectclass=radiusprofile)" start_tls = no # tls_cacertfile = /path/to/cacert.pem # tls_cacertdir = /path/to/ca/dir/ # tls_certfile = /path/to/radius.crt # tls_keyfile = /path/to/radius.key # tls_randfile = /path/to/rnd # tls_require_cert = "demand" # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" # access_attr = "dialupAccess" # Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 # compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes } authorize { chap mschap eap files ldap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } Unix Auth-Type LDAP { ldap } *Slapd.conf (ldap configuration)* * * include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/nis.schema pidfile /usr/local/var/slapd.pid argsfile /usr/local/var/slapd.args ####################################################################### # ldbm database definitions ####################################################################### database bdb suffix "dc=example,dc=com" rootdn "cn=manager,dc=example,dc=com" rootpw {SSHA}Rt9x/xGxM5e8+RpKbvTCWYT8POUEaKwA # Indices to maintain index cn,sn,uid pres,eq,approx,sub index objectClass eq
Hello, In your radiusd.conf: server = "localhost" identity = "cn=admin,o=My Org,c=UA" password = mypass basedn = "ou=People,dc=example,dc=com" password_attribute = "userPassword" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" make sure that you have the correct configuration for the variables listed above. If you do, and you still cannot authenticate a user, it may be that your ldap server is returning referrals to other servers. To avoid referrals, go to your ldap.conf in the freeradius server and add the line: *referrals no* Hope it helps, Natalia. On 4/3/06, monish ar <monish.ar@gmail.com> wrote:
I've tried to authenticate to an LDAP server through RADIUS using the rlm_ldap module.... I'm using freeradius 1.1.0 with OpenLdap 2.1.8 with a bdb backend. The problem is that rlm_ldap module binds successfully to an authentication request in the authorization section, but fails to bind when its tryin to authenticate.... log for RADIUS server is given below along with the LDAP configuration... plz help me out
/** In the client terminal ,now i've tried to authenticate with user : ldapuser*
[root@localhost ~]# radtest ldapuser ldapuser localhost 2 testing123
Sending Access-Request of id 119 to 127.0.0.1 port 1812
User-Name = "ldapuser"
User-Password = "ldapuser"
NAS-IP-Address = 255.255.255.255
NAS-Port = 2 rad_recv: Access-Reject packet from host 127.0.0.1:1812 , id=119, length=20 *** **
/*/ On the server side, response to ldapuser user authentication request...*
rad_recv: Access-Request packet from host 127.0.0.1:32769 , id=119, length=60
User-Name = "ldapuser"
User-Password = "ldapuser"
NAS-IP-Address = 255.255.255.255
NAS-Port = 2
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/usr/local//var/log/radius/radacct/127.0.0.1/auth-detail-20060403'
rlm_detail: /usr/local//var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local//var/log/radius/radacct/127.0.0.1/auth-detail-20060403
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "ldapuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 158
modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ldapuser
radius_xlat: '(uid=ldapuser)'
radius_xlat: 'ou=People,dc=example,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=ldapuser)
rlm_ldap: Added password {crypt}$1$nwby/I64$ORzJuBh4/Ec3c.FAt2oqV0 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user ldapuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "ldapuser" with password "ldapuser"
rlm_ldap: user DN: uid=ldapuser,ou=People,dc=example,dc=com
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=ldapuser,ou=People,dc=example,dc=com/ldapuser to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
modcall[authenticate]: module "ldap" returns reject for request 0
modcall: leaving group LDAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect (rlm_ldap: Bind as user failed): [ldapuser] (from client localhost port 2)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 119 to 127.0.0.1 port 32769
Waking up in 4 seconds...
*// THE CONFIGURATION DETAILS REQUIRED FOR RLM_LDAP AUTHENTICATION ARE BELOW*
* *
*/* **example.com.ldif (base entries added to LDAP database)*
* *
Dn: dc=example,dc=com
Objectclass: dcObject
Objectclass : organization
o: Example company
dc: example
* *
dn: cn=manager,dc=example,dc=com
objectclass: organizationalRole
cn: manager
dn: ou=people,dc=example,dc=com
ou: people
description: All people in the organization
objectClass: dcObject
objectClass: organizationalUnit
dc: example
* *
* *
*/*** ldapuser.ldif (details of user account for authentication added to the LDAP database */*
* *
dn: uid=ldapuser,ou=People,dc=example,dc=com
uid: ldapuser
cn: ldapuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$nwby/I64$ORzJuBh4/Ec3c.FAt2oqV0
shadowLastChange: 13238
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 503
gidNumber: 100
homeDirectory: /home/ldapuser
/* *radiusd.conf (LDAP MODULE)*
* *
ldap {
server = "localhost"
# identity = "cn=admin,o=My Org,c=UA"
# password = mypass
basedn = "ou=People,dc=example,dc=com"
password_attribute = "userPassword"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
# base_filter = "(objectclass=radiusprofile)"
start_tls = no
# tls_cacertfile = /path/to/cacert.pem
# tls_cacertdir = /path/to/ca/dir/
# tls_certfile = /path/to/radius.crt
# tls_keyfile = /path/to/radius.key
# tls_randfile = /path/to/rnd
# tls_require_cert = "demand"
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
# access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
}
authorize {
chap
mschap
eap
files
ldap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
Unix
Auth-Type LDAP {
ldap
}
*Slapd.conf (ldap configuration)*
* *
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args
#######################################################################
# ldbm database definitions
#######################################################################
database bdb
suffix "dc=example,dc=com"
rootdn "cn=manager,dc=example,dc=com"
rootpw {SSHA}Rt9x/xGxM5e8+RpKbvTCWYT8POUEaKwA
# Indices to maintain
index cn,sn,uid pres,eq,approx,sub
index objectClass eq
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks Natalia, I've doubled checked the settings. It seems alright. And i'm just usin it on a single system,so no question about referrals. I really do appreciate ur help, thz a lot :)
participants (2)
-
monish ar -
Natalia Escalera