freeradius-users@lists.freeradius.org
Hi listers [root@myhost ~]# uname -a OpenBSD myhost.mydomain.com 4.2 GENERIC#375 i386 [root@myhost ~]# [root@myhost ~]# pkg_info -A .... freeradius-1.1.6 RADIUS server implementation freeradius-ldap-1.1.6 freeradius ldap rlm addon .... [root@myhost ~]# [root@myhost ~]# radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf main: prefix = "/usr/local" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/local/lib/freeradius" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "_freeradius" main: group = "_freeradius" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib/freeradius Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" pap: auto_header = yes Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded LDAP ldap: server = "localhost" ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "cn=pam-ldap-checker,ou=pam-ldap,dc=mydomain,dc=com" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "(null)" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "vaxico" ldap: basedn = "ou=pam-ldap,dc=mydomain,dc=com" ldap: filter = "(&(objectclass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))" ldap: base_filter = "(objectclass=posixAccount)" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "userPassword" ldap: access_attr = "(null)" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(&(memberUid=%{Stripped-User-Name:-%{User-Name}})(objectClass=posixGroup))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = yes ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes ldap: set_auth_type = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message conns: 0x7f11f800 Module: Instantiated ldap (ldap) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. ----------------------------------- we use radius authentication on this openBSD server as workaround, because for openBSD no pam-(ldap) is available. here, all users, mail, ftp, yni are authenticated against openldap using various authentication methods (pam-ldap, pure ldap, courier-authlib with ldap, pure-ftpd with ldap, ...). the ldap-accounting-schemas we use are posixAccount and qmailControl/qmailUser. No radius schema so far. the radius authentication works fine, as far as password checking is concerned. The following radius-daemon output shows the login of a user cvs into the system. rad_recv: Access-Request packet from host 127.0.0.1:33886, id=44, length=39 User-Name = "cvs" User-Password = "xxxx" NAS-IP-Address = 200.200.200.200 NAS-Port = 3965 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for cvs radius_xlat: '(&(objectclass=posixAccount)(uid=cvs))' radius_xlat: 'ou=pam-ldap,dc=mydomain,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as cn=pam-ldap-checker,ou=pam-ldap,dc=mydomain,dc=com/yyyy to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=pam-ldap,dc=mydomain,dc=com, with filter (&(objectclass=posixAccount)(uid=cvs)) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Setting Auth-Type = ldap rlm_ldap: user cvs authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type ldap auth: type "ldap" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_ldap: - authenticate modcall[authenticate]: module "ldap" returns invalid for request 0 modcall: leaving group authenticate (returns invalid) for request 0 auth: Failed to validate the user. Login incorrect (rlm_ldap: empty password supplied): [cvs] (from client localhost port 3965) Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... rad_recv: Access-Request packet from host 127.0.0.1:33886, id=44, length=39 Sending Access-Reject of id 44 to 127.0.0.1 port 33886 --- Walking the entire request list --- Waking up in 5 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 44 with timestamp 4756743a Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 127.0.0.1:27572, id=154, length=55 User-Name = "cvs" User-Password = "xxxx" NAS-IP-Address = 200.200.200.200 NAS-Port = 3965 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for cvs radius_xlat: '(&(objectclass=posixAccount)(uid=cvs))' radius_xlat: 'ou=pam-ldap,dc=mydomain,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=pam-ldap,dc=mydomain,dc=com, with filter (&(objectclass=posixAccount)(uid=cvs)) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Setting Auth-Type = ldap rlm_ldap: user cvs authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 1 modcall: leaving group authorize (returns ok) for request 1 rad_check_password: Found Auth-Type ldap auth: type "ldap" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_ldap: - authenticate rlm_ldap: login attempt by "cvs" with password "xxxx" rlm_ldap: user DN: uid=cvs,ou=People,ou=pam-ldap,dc=mydomain,dc=com rlm_ldap: (re)connect to localhost:389, authentication 1 rlm_ldap: bind as uid=cvs,ou=People,ou=pam-ldap,dc=mydomain,dc=com/xxxx to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user cvs authenticated succesfully modcall[authenticate]: module "ldap" returns ok for request 1 modcall: leaving group authenticate (returns ok) for request 1 Login OK: [cvs] (from client localhost port 3965) Sending Access-Accept of id 154 to 127.0.0.1 port 27572 Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 154 with timestamp 47567442 Nothing to do. Sleeping until we see a request. ---------------------- BUT when this user is logged in, it has the following parameters: cvs@myhost -> id uid=10001(cvs) gid=102(users) groups=102(users) cvs@myhost -> all these id-parameters are from the local /etc/master.passwd file and not from the ldap directory. instead of (when logging in to the user cvs on a different server) i get the following (correct) id-parameters cvs@yourhost ~> id uid=1067(cvs) gid=100(users) groups=100(users),503(release2) cvs@yourhost ~> when i check the ldap-host log, i see, that not even an attempt is made to request session parameters from the ldap server. what do i where need to change? thanks for any advice suomi
radius wrote:
we use radius authentication on this openBSD server as workaround, because for openBSD no pam-(ldap) is available. here, all users, mail, ftp, yni are authenticated against openldap using various authentication methods (pam-ldap, pure ldap, courier-authlib with ldap, pure-ftpd with ldap, ...).
I presume you're using the OpenBSD PAM RADIUS module?
the radius authentication works fine, as far as password checking is concerned. The following radius-daemon output shows the login of a user cvs into the system. ... Sending Access-Accept of id 154 to 127.0.0.1 port 27572 Finished request 1
The reply is empty. So the user is allowed in, but with no configuration.
BUT when this user is logged in, it has the following parameters:
cvs@myhost -> id uid=10001(cvs) gid=102(users) groups=102(users) cvs@myhost ->
all these id-parameters are from the local /etc/master.passwd file and not from the ldap directory.
Did you tell OpenBSD to look in the LDAP directory for that configuration? If not, did you tell FreeRADIUS to look in LDAP for that configuration *and* return it in the Access-Accept? And even if FreeRADIUS returns that configuration in the Access-Accept, you have to check that the OpenBSD PAM RADIUS module supports those attributes. See the OpenBSD PAM RADIUS documentation for how to configure it.
instead of (when logging in to the user cvs on a different server) i get the following (correct) id-parameters
cvs@yourhost ~> id uid=1067(cvs) gid=100(users) groups=100(users),503(release2) cvs@yourhost ~>
So... look at the configuration for that system to see what it's doing.
when i check the ldap-host log, i see, that not even an attempt is made to request session parameters from the ldap server.
Yes... the FreeRADIUS debug log shows this, too.
what do i where need to change?
Look at the configuration for the working machine, and copy it to the machine that doesn't work. Alan DeKok.
Hi Alan thanks for immediate reply.
I presume you're using the OpenBSD PAM RADIUS module?
no, i installed freeradius-ldap, no openBSD PAM radius module that i knew. suomi Alan DeKok wrote:
radius wrote:
we use radius authentication on this openBSD server as workaround, because for openBSD no pam-(ldap) is available. here, all users, mail, ftp, yni are authenticated against openldap using various authentication methods (pam-ldap, pure ldap, courier-authlib with ldap, pure-ftpd with ldap, ...).
I presume you're using the OpenBSD PAM RADIUS module?
the radius authentication works fine, as far as password checking is concerned. The following radius-daemon output shows the login of a user cvs into the system. ... Sending Access-Accept of id 154 to 127.0.0.1 port 27572 Finished request 1
The reply is empty. So the user is allowed in, but with no configuration.
BUT when this user is logged in, it has the following parameters:
cvs@myhost -> id uid=10001(cvs) gid=102(users) groups=102(users) cvs@myhost ->
all these id-parameters are from the local /etc/master.passwd file and not from the ldap directory.
Did you tell OpenBSD to look in the LDAP directory for that configuration? If not, did you tell FreeRADIUS to look in LDAP for that configuration *and* return it in the Access-Accept? And even if FreeRADIUS returns that configuration in the Access-Accept, you have to check that the OpenBSD PAM RADIUS module supports those attributes.
See the OpenBSD PAM RADIUS documentation for how to configure it.
instead of (when logging in to the user cvs on a different server) i get the following (correct) id-parameters
cvs@yourhost ~> id uid=1067(cvs) gid=100(users) groups=100(users),503(release2) cvs@yourhost ~>
So... look at the configuration for that system to see what it's doing.
when i check the ldap-host log, i see, that not even an attempt is made to request session parameters from the ldap server.
Yes... the FreeRADIUS debug log shows this, too.
what do i where need to change?
Look at the configuration for the working machine, and copy it to the machine that doesn't work.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radius wrote:
I presume you're using the OpenBSD PAM RADIUS module?
no, i installed freeradius-ldap, no openBSD PAM radius module that i knew.
Then how are you doing OpenBSD RADIUS login? Can you say? Please also follow my advice to compare the configurations on the two systems. The solution to the problem likely lies there. Alan DeKok.
Hi Alan these are the radius-packages installed on that machine: [root@myhost ~]# pkg_info -A |grep -i radius freeradius-1.1.6 RADIUS server implementation freeradius-ldap-1.1.6 freeradius ldap rlm addon [root@myhost ~]# and these are the ldap-packages installed on it: [root@myhost ~]# pkg_info -A |grep -i ldap freeradius-ldap-1.1.6 freeradius ldap rlm addon openldap-client-2.3.33 Open source LDAP software (client) openldap-server-2.3.33p1-bdb Open source LDAP software (server) [root@myhost ~]# I will follow your advice thanks again suomi Alan DeKok wrote:
radius wrote:
I presume you're using the OpenBSD PAM RADIUS module? no, i installed freeradius-ldap, no openBSD PAM radius module that i knew.
Then how are you doing OpenBSD RADIUS login? Can you say?
Please also follow my advice to compare the configurations on the two systems. The solution to the problem likely lies there.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, I am running free radius and with radauth , radauth sending a packet for authanetication reqest, But freeradius discarding the packet due to size is more tha 4096.. I am unable to understand what to do.. Any body can help me...? Thank you in advance .. Thank you, Satyanarayna reddy mendaddula, Tata Elxsi Ltd,White field ,Hoody-1, Emp no--6185, Mb no - 9341311577 Email:- satyanarayanam@tataelxsi.co.in Help ever ,,,, Hurt never.... The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments contained in it. Contact your Administrator for further information.
satyanarayanam wrote:
I am running free radius and with radauth , radauth sending a packet for authanetication reqest, But freeradius discarding the packet due to size is more tha 4096..
The client is broken, and is not following the RADIUS specification. There are very few reasons to send 4K of data in any RADIUS packet. Alan DeKok.
Hi, I am running sucessfully freeraduis with raduth-freeradius know it is working fine but only taking USERNAME-root PASSWD-root123 why not others i am changing this in clients.conf file also but working with only this ... Please tell me what to do.. Thank you inadvance Thank you, Satyanarayna reddy mendaddula, Tata Elxsi Ltd,White field ,Hoody-1, Emp no--6185, Mb no - 9341311577 Email:- satyanarayanam@tataelxsi.co.in Help ever ,,,, Hurt never.... The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments contained in it. Contact your Administrator for further information.
participants (3)
-
Alan DeKok -
radius -
satyanarayanam