I successfully configured freeradius (version 1.x Ubuntu) to use ldap on a localhost via WPA. I am trying to setup version 2.1 (Ubuntu) to use a remote ldap server now. The module loads fine and I made what I believed were the correct changes to connect to the remote server, but I have missed something. Is there a good doc for ldap authentication on a remote host? Raymond
Raymond Norton wrote:
I successfully configured freeradius (version 1.x Ubuntu) to use ldap on a localhost via WPA. I am trying to setup version 2.1 (Ubuntu) to use a remote ldap server now. The module loads fine and I made what I believed were the correct changes to connect to the remote server, but I have missed something. Is there a good doc for ldap authentication on a remote host?
Raymond
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html this is a good start point
Raymond Norton wrote:
I successfully configured freeradius (version 1.x Ubuntu) to use ldap on a localhost via WPA. I am trying to setup version 2.1 (Ubuntu) to use a remote ldap server now. The module loads fine and I made what I believed were the correct changes to connect to the remote server, but I have missed something.
So... what is going wrong?
Is there a good doc for ldap authentication on a remote host?
Type "ldap" into the search bar on wiki.freeradius.org. See doc/rlm_ldap, which comes with the server. Alan DeKok.
Hi, Maybe your problem be in your slapd.conf permissions (access to...). I had same problem, my ldap module loaded fine on freeradius server(debian lenny), but I got "accept-reject ..." error when I ran radtest command. I deleted my "access to ..." block for freeradius server directory in slapd.conf file on my remote openldap server, so I solved my problem. Raoufnezhad On Thu, Jun 24, 2010 at 12:22 PM, Alan DeKok <aland@deployingradius.com>wrote:
Raymond Norton wrote:
I successfully configured freeradius (version 1.x Ubuntu) to use ldap on a localhost via WPA. I am trying to setup version 2.1 (Ubuntu) to use a remote ldap server now. The module loads fine and I made what I believed were the correct changes to connect to the remote server, but I have missed something.
So... what is going wrong?
Is there a good doc for ldap authentication on a remote host?
Type "ldap" into the search bar on wiki.freeradius.org.
See doc/rlm_ldap, which comes with the server.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
ldapsearch -x -b uid=billy,ou=People,dc=lctn,dc=org (on remote ldap server) Command successfully displays information on user. radtest raymond "password" 127.0.0.1 1 testing123 (on freeradius server) Displays local user info radtest billy "password" 127.0.0.1 1 testing123 (on freeradius server) displays: rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=2, lengt My config changes are as follows: /modules/ldap: (on remote ldap server) ldap { server = "10.10.3.1" basedn = "dc=lctn,dc=org" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" /etc/ldap/slapd.conf (on remote ldap server) Commented out access statements. #access to attrs=userPassword # by dn="cn=admin,dc=lctn,dc=org" write # by anonymous auth # by self write # by * none /freeradius/radiusd.conf (added ldap module) instantiate { exec expr ldap
So... what is going wrong?
Whoops... /modules/ldap is on the local freeradius server, not the the remote ldap server.
/modules/ldap: (on remote ldap server)
ldap {
server = "10.10.3.1" basedn = "dc=lctn,dc=org" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
/etc/ldap/slapd.conf (on remote ldap server)
Commented out access statements.
#access to attrs=userPassword # by dn="cn=admin,dc=lctn,dc=org" write # by anonymous auth # by self write # by * none
/freeradius/radiusd.conf (added ldap module)
instantiate {
exec
expr ldap
So... what is going wrong?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 06/24/2010 10:18 AM, Raymond Norton wrote:
ldapsearch -x -b uid=billy,ou=People,dc=lctn,dc=org (on remote ldap server)
Command successfully displays information on user.
radtest raymond "password" 127.0.0.1 1 testing123 (on freeradius server)
Displays local user info
My config changes are as follows:
If you want people to help you then you have to include all the information, DO NOT provide snipets. Include the output of ldapsearch and the ENTIRE output of the freeradius debug output INCLUDING the section after it begins receiving requests. Do NOT include your freeradius config files, they are already in the debug output and the exact ones being used (sometimes folks think different config files are being used when they aren't). -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
The FAQ says to use radiusd -X> debug.txt for debug. I get the following: The program 'radiusd' can be found in the following packages: * radiusd-livingston * xtradius * yardradius Is there another way to launch debug mode in version 2.1?
Raymond Norton wrote:
The FAQ says to use radiusd -X> debug.txt for debug.
I get the following:
The program 'radiusd' can be found in the following packages: * radiusd-livingston * xtradius * yardradius
Is there another way to launch debug mode in version 2.1?
Your OS vendor likely installed it as "freeradius". Alan DeKok.
Yes, but when I try to use -X , it says: Usage: /etc/init.d/freeradius start|stop|restart|force-reload On 6/24/2010 10:18 AM, Alan DeKok wrote:
Raymond Norton wrote:
The FAQ says to use radiusd -X> debug.txt for debug.
I get the following:
The program 'radiusd' can be found in the following packages: * radiusd-livingston * xtradius * yardradius
Is there another way to launch debug mode in version 2.1?
Your OS vendor likely installed it as "freeradius".
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
That brings me back to my first post-no radiusd. On 6/24/2010 10:26 AM, Phil Mayers wrote:
On 24/06/10 16:23, Raymond Norton wrote:
Yes, but when I try to use -X , it says:
Usage: /etc/init.d/freeradius start|stop|restart|force-reload
That's the init script. Run the daemon directly:
/usr/sbin/radiusd -X - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Got debug working with /usr/sbin/freeradius -X On 6/24/2010 10:32 AM, Raymond Norton wrote:
That brings me back to my first post-no radiusd.
On 6/24/2010 10:26 AM, Phil Mayers wrote:
On 24/06/10 16:23, Raymond Norton wrote:
Yes, but when I try to use -X , it says:
Usage: /etc/init.d/freeradius start|stop|restart|force-reload
That's the init script. Run the daemon directly:
/usr/sbin/radiusd -X - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 24/06/10 16:32, Raymond Norton wrote:
That brings me back to my first post-no radiusd.
Well, maybe it's in a different location. What OS are you using? Have you queried the package manager for your OS to find the location of the binaries? If you didn't use a package manager, and installed from source, what locations did you ./configure with? /usr/local/sbin/radiusd is most likely. Have you tried "locate radiusd". Or "find / -name radiusd"? Or, run it from the init script, then do: pgrep radiusd ls -l /proc/$PID/exec These are all pretty basic Unix/Linux skills.
On 06/24/2010 11:32 AM, Raymond Norton wrote:
That brings me back to my first post-no radiusd.
What system are you working on? You said there was a /etc/init.d/freeradius init script. Look in it to see what it's invoking. /usr/sbin/freeradius by any chance? -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Debug: FreeRADIUS Version 2.1.0, for host i486-pc-linux-gnu, built on Sep 17 2009 at 17:22:02 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/ldap.bck including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_ldap Module: Instantiating ldap ldap { server = "10.10.3.1" port = 389 password = "" identity = "" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "dc=lctn,dc=org" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes edir_account_policy_check = no set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section. rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message conns: 0x8400c28 Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Ignoring EAP-Type/tls because we do not have OpenSSL support. Ignoring EAP-Type/ttls because we do not have OpenSSL support. Ignoring EAP-Type/peap because we do not have OpenSSL support. Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } } modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 48926, id=181, length=59 User-Name = "raymond" User-Password = "password" NAS-IP-Address = 127.0.1.1 NAS-Port = 1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "raymond", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "password" [pap] Using CRYPT encryption. [pap] User authenticated successfully ++[pap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 181 to 127.0.0.1 port 48926 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 181 with timestamp +13 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 50670, id=151, length=57 User-Name = "billy" User-Password = "password" NAS-IP-Address = 127.0.1.1 NAS-Port = 1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "billy", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} expand: %{User-Name} -> billy attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 151 to 127.0.0.1 port 50670 Waking up in 4.9 seconds. ldapsearch on remote ldap server: root@relay-1:/etc/ldap# ldapsearch -x -b uid=billy,ou=People,dc=lctn,dc=org # extended LDIF # # LDAPv3 # base <uid=billy,ou=People,dc=lctn,dc=org> with scope sub # filter: (objectclass=*) # requesting: ALL # # billy, People, lctn.org dn: uid=billy,ou=People,dc=lctn,dc=org uid: billy cn: billy objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount shadowLastChange: 14294 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 1001 gidNumber: 1001 homeDirectory: /home/billy gecos: ,,, userPassword:: e1NIQX13ak83dXhlS3FYR0NFVlhPTEVzVUo4OW9DWFE9 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1
rad_recv: Access-Request packet from host 127.0.0.1 port 50670, id=151, length=57 User-Name = "billy" User-Password = "password" NAS-IP-Address = 127.0.1.1 NAS-Port = 1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "billy", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request:
The "ldap" module wasn't run there at all. You need to add "ldap" to the authorize section i.e.: authorize { # whatever else, then ldap } The "unix" module (i.e. look in /etc/passwd) *was* run, which is probably what you don't want.
I misunderstood the instructions. Made the change, and I see now that I am at least connecting to the ldap server, but still getting rejected. I changed the basedn to ou=People,dc=lctn,dc=org for this test. (ldapsearch is below) FreeRADIUS Version 2.1.0, for host i486-pc-linux-gnu, built on Sep 17 2009 at 17:22:02 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/ldap.bck including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_ldap Module: Instantiating ldap ldap { server = "10.10.3.1" port = 389 password = "" identity = "" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "ou=People,dc=lctn,dc=org" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes edir_account_policy_check = no set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section. rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message conns: 0x98d9d00 Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Ignoring EAP-Type/tls because we do not have OpenSSL support. Ignoring EAP-Type/ttls because we do not have OpenSSL support. Ignoring EAP-Type/peap because we do not have OpenSSL support. Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } } modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 43614, id=16, length=57 User-Name = "billy" User-Password = "password" NAS-IP-Address = 127.0.1.1 NAS-Port = 1 +- entering group authorize {...} [ldap] performing user authorization for billy WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=billy) expand: ou=People,dc=lctn,dc=org -> ou=People,dc=lctn,dc=org rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 10.10.3.1:389, authentication 0 rlm_ldap: bind as / to 10.10.3.1:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,dc=lctn,dc=org, with filter (uid=billy) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user billy authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} expand: %{User-Name} -> billy attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 16 to 127.0.0.1 port 43614 Waking up in 4.9 seconds. Cleaning up request 0 ID 16 with timestamp +9 Ready to process requests. ldpasearch on remote ldap server: root@relay-1:/etc/ldap# ldapsearch -x -b uid=billy,ou=People,dc=lctn,dc=org # extended LDIF # # LDAPv3 # base <uid=billy,ou=People,dc=lctn,dc=org> with scope sub # filter: (objectclass=*) # requesting: ALL # # billy, People, lctn.org dn: uid=billy,ou=People,dc=lctn,dc=org uid: billy cn: billy objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount shadowLastChange: 14294 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 1001 gidNumber: 1001 homeDirectory: /home/billy gecos: ,,, userPassword:: e1NIQX13ak83dXhlS3FYR0NFVlhPTEVzVUo4OW9DWFE9 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1
On 06/24/2010 12:21 PM, Raymond Norton wrote:
[ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
You don't have the userPassword mapped in /etc/raddb/ldap.attrmap But even if you did, ldap has this: userPassword:: e1NIQX13ak83dXhlS3FYR0NFVlhPTEVzVUo4OW9DWFE9 and the request has this: User-Password = "password" They aren't the same are they? The LDAP entry looks like a hash, you'll have to figure out which kind. Note it does not contain a {hash} prefix so FreeRADIUS can't figure what kind of hash it is. You'll have to force that with the right radius attribute for userPassword in ldap.attrmap. But you better look at this: http://deployingradius.com/documents/protocols/compatibility.html and understand the consequences. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Thanks for the info. I'm not sure how to determine what to use in ldap.attrmap, but will see what I can figure out. One question though; before attempting this current setup, I installed freeradius_1.1.0-1ubuntu2.1_i386.deb and ldap on the same localhost.. radtest and authenticating via WPA worked perfectly using the same user credentials I am using today from my new radius server. The difference is the version and the fact the radius server is on a different box. What might need to be configured differently now that freeradius is on a seperate box? On 6/24/2010 11:33 AM, John Dennis wrote:
On 06/24/2010 12:21 PM, Raymond Norton wrote:
[ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
You don't have the userPassword mapped in /etc/raddb/ldap.attrmap
But even if you did, ldap has this:
userPassword:: e1NIQX13ak83dXhlS3FYR0NFVlhPTEVzVUo4OW9DWFE9
and the request has this:
User-Password = "password"
They aren't the same are they? The LDAP entry looks like a hash, you'll have to figure out which kind. Note it does not contain a {hash} prefix so FreeRADIUS can't figure what kind of hash it is. You'll have to force that with the right radius attribute for userPassword in ldap.attrmap.
But you better look at this:
http://deployingradius.com/documents/protocols/compatibility.html
and understand the consequences.
On 06/24/2010 02:04 PM, Raymond Norton wrote:
Thanks for the info. I'm not sure how to determine what to use in ldap.attrmap, but will see what I can figure out.
This issue has been covered a lot on this list, search the archives.
One question though; before attempting this current setup, I installed freeradius_1.1.0-1ubuntu2.1_i386.deb and ldap on the same localhost.. radtest and authenticating via WPA worked perfectly using the same user credentials I am using today from my new radius server. The difference is the version and the fact the radius server is on a different box. What might need to be configured differently now that freeradius is on a seperate box?
I hope you didn't just copy 1.x configuration over to 2.x, they aren't compatible. I see from your debug output you're running 2.1.0 but the current version is 2.1.9. To the best of my knowledge 2.1.9 is available as pre-built binaries for all the major distributions. The behavior you're seeing has nothing to do with whether the ldap server is on the same host as the radius server.
No. This is a new install. Nothing has been copied over. Thanks for the pointers. I will keep working at it.
I hope you didn't just copy 1.x configuration over to 2.x, they aren't compatible.
I see from your debug output you're running 2.1.0 but the current version is 2.1.9. To the best of my knowledge 2.1.9 is available as pre-built binaries for all the major distributions.
The behavior you're seeing has nothing to do with whether the ldap server is on the same host as the radius server.
On Thu, Jun 24, 2010 at 12:33:10PM -0400, John Dennis wrote:
But even if you did, ldap has this:
userPassword:: e1NIQX13ak83dXhlS3FYR0NFVlhPTEVzVUo4OW9DWFE9
They aren't the same are they? The LDAP entry looks like a hash, you'll have to figure out which kind. Note it does not contain a {hash} prefix so FreeRADIUS can't figure what kind of hash it is.
No, the two colons in ldapsearch output just indicate that the attribute value is MIME-encoded. It can be decoded for example with: % echo e1NIQX13ak83dXhlS3FYR0NFVlhPTEVzVUo4OW9DWFE9 | mimencode -u {SHA}wjO7uxeKqXGCEVXOLEsUJ89oCXQ= % echo e1NIQX13ak83dXhlS3FYR0NFVlhPTEVzVUo4OW9DWFE9 | perl -e 'use MIME::Base64; print decode_base64(<>);' {SHA}wjO7uxeKqXGCEVXOLEsUJ89oCXQ= -- 2. That which causes joy or happiness.
I have been reading and looking at similar post non-stop and have an idea what is wrong, but am not sure how to fix it. I understand there may be a need to map ldap and radius attributes and I have found a couple examples, but I am not entirely sure what the changes should be. It seems the other problem may be the authentication being used., maybe a combination of both. I would guess I'm about one or two config changes from getting this to work. The ldap user I am trying to authenticate was created via: ./migrate_group.pl and # ldapadd on the ldap server Not sure if that helps identify the changes I need to make??? On 6/24/2010 3:21 PM, Josip Rodin wrote:
On Thu, Jun 24, 2010 at 12:33:10PM -0400, John Dennis wrote:
But even if you did, ldap has this:
userPassword:: e1NIQX13ak83dXhlS3FYR0NFVlhPTEVzVUo4OW9DWFE9
They aren't the same are they? The LDAP entry looks like a hash, you'll have to figure out which kind. Note it does not contain a {hash} prefix so FreeRADIUS can't figure what kind of hash it is.
No, the two colons in ldapsearch output just indicate that the attribute value is MIME-encoded. It can be decoded for example with:
% echo e1NIQX13ak83dXhlS3FYR0NFVlhPTEVzVUo4OW9DWFE9 | mimencode -u {SHA}wjO7uxeKqXGCEVXOLEsUJ89oCXQ= % echo e1NIQX13ak83dXhlS3FYR0NFVlhPTEVzVUo4OW9DWFE9 | perl -e 'use MIME::Base64; print decode_base64(<>);' {SHA}wjO7uxeKqXGCEVXOLEsUJ89oCXQ=
Raymond Norton wrote:
I have been reading and looking at similar post non-stop and have an idea what is wrong, but am not sure how to fix it.
Sorry... but the symptoms here are clear. Many, many, posts, full of confused "what do I do now" questions. It's not that hard. Stop fighting it, and simplify it instead.
Not sure if that helps identify the changes I need to make???
Configure a user in LDAP. Ensure that the LDAP database has their *plain text* password. Check that "ldapsearch" returns the *plain text* password. Install FreeRADIUS, using the *default configuration*. Configure FreeRADIUS to point to the LDAP server. Try PAP authentication. It *will* work. Alan DeKok.
It happens that way when you're new sometimes :) The last couple posts helped. I am now able to get an "Accept" message when connecting with the rootdn user. Working on getting other users to authenticate now. Thanks for your patience and help. Raymond On 6/24/2010 3:57 PM, Alan DeKok wrote:
Raymond Norton wrote:
I have been reading and looking at similar post non-stop and have an idea what is wrong, but am not sure how to fix it.
Sorry... but the symptoms here are clear. Many, many, posts, full of confused "what do I do now" questions.
It's not that hard. Stop fighting it, and simplify it instead.
Not sure if that helps identify the changes I need to make???
Configure a user in LDAP.
Ensure that the LDAP database has their *plain text* password.
Check that "ldapsearch" returns the *plain text* password.
Install FreeRADIUS, using the *default configuration*.
Configure FreeRADIUS to point to the LDAP server.
Try PAP authentication.
It *will* work.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Got things working (yeah!) Had to reset the users password with ldappassword. For some reason freeradius couldn't read what was exported to the ldif file. Once I changed passwords with ldappassword, radtest and WPA worked perfectly. Also had to comment out this line in /etc/ldap/slapd.conf: #access to attrs=userPassword Thanks for the help
On Fri, Jun 25, 2010 at 05:54:38PM -0500, Raymond Norton wrote:
Got things working (yeah!)
Had to reset the users password with ldappassword. For some reason freeradius couldn't read what was exported to the ldif file. Once I changed passwords with ldappassword, radtest and WPA worked perfectly.
Also had to comment out this line in /etc/ldap/slapd.conf:
#access to attrs=userPassword
This is what happens when people mess with passwords... now who knows who else can read them. -- 2. That which causes joy or happiness.
On 06/25/2010 06:54 PM, Raymond Norton wrote:
Got things working (yeah!)
Had to reset the users password with ldappassword. For some reason freeradius couldn't read what was exported to the ldif file. Once I changed passwords with ldappassword, radtest and WPA worked perfectly.
Also had to comment out this line in /etc/ldap/slapd.conf:
#access to attrs=userPassword
That's very scary. You really want passwords protected by an ACL, otherwise they're available to the world. This link gives some examples on ACL protection of the userPassword attribute, I'm sure there is other documentation. http://www.zytrax.com/books/ldap/ch6/ -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
On 24/06/10 17:33, John Dennis wrote:
On 06/24/2010 12:21 PM, Raymond Norton wrote:
[ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
You don't have the userPassword mapped in /etc/raddb/ldap.attrmap
But even if you did, ldap has this:
userPassword:: e1NIQX13ak83dXhlS3FYR0NFVlhPTEVzVUo4OW9DWFE9
:: => base64-encoded i.e. above is equivalent to: userPassword: {SHA}wjO7uxeKqXGCEVXOLEsUJ89oCXQ= ...and is merely an LDIF convention.
On Thu, Jun 24, 2010 at 11:21:47AM -0500, Raymond Norton wrote:
I misunderstood the instructions. Made the change, and I see now that I am at least connecting to the ldap server, but still getting rejected.
[ldap] performing user authorization for billy ++[ldap] returns ok No authenticate method (Auth-Type) configuration found for the request:
You use PAP, and have ldap in authorize, but not in authenticate. You likely want the latter, too. authenticate { [...] Auth-Type LDAP { ldap } [...] } This will perform an authenticated bind on the LDAP server using the supplied password, which is probably what you want.
ldpasearch on remote ldap server: root@relay-1:/etc/ldap# ldapsearch -x -b uid=billy,ou=People,dc=lctn,dc=org
On that note, the above would be the equivalent of this: ldapsearch -x -b ou=People,dc=lctn,dc=org -D uid=billy,ou=People,dc=lctn,dc=org -W ...and passing in the User-Password attribute value as the password. -- 2. That which causes joy or happiness.
participants (7)
-
Alan DeKok -
John Dennis -
Josip Rodin -
Marzieh Raoufnezhad -
Phil Mayers -
Raymond Norton -
Riccardo Veraldi