Freeradius with ldap authentication
Hello before i ask this question, i already read and try the freeradius + ldap authentication from https://wiki.freeradius.org/protocol/LDAP and http://confluence.diamond.ac.uk/display/PAAUTH/Using+LDAP+as+authentication+.... But now i'm kinda stuck with that both documentation, because everytime i test the user in ldap (using radtest) i get "no DN found". I already check that the dn has properly set up (i'm using phpldapadmin to create user in ldap to make it easier). Here is the debug log : Tue Jun 27 05:54:40 2017 : Debug: (1) Received Access-Request Id 251 from 127.0.0.1:53093 to 127.0.0.1:1812 length 74 Tue Jun 27 05:54:41 2017 : Debug: (1) User-Name = "teke" Tue Jun 27 05:54:41 2017 : Debug: (1) User-Password = "xxx" Tue Jun 27 05:54:41 2017 : Debug: (1) NAS-IP-Address = 127.0.1.1 Tue Jun 27 05:54:41 2017 : Debug: (1) NAS-Port = 1812 Tue Jun 27 05:54:41 2017 : Debug: (1) Message-Authenticator = 0xef22ab207657169978bd2b65ef0f42c6 Tue Jun 27 05:54:41 2017 : Debug: (1) session-state: No State attribute Tue Jun 27 05:54:41 2017 : Debug: (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default Tue Jun 27 05:54:41 2017 : Debug: (1) authorize { Tue Jun 27 05:54:41 2017 : Debug: (1) policy filter_username { Tue Jun 27 05:54:41 2017 : Debug: (1) if (&User-Name) { Tue Jun 27 05:54:41 2017 : Debug: (1) if (&User-Name) -> TRUE Tue Jun 27 05:54:41 2017 : Debug: (1) if (&User-Name) { Tue Jun 27 05:54:41 2017 : Debug: (1) if (&User-Name =~ /@[^@]*@/ ) { Tue Jun 27 05:54:41 2017 : Debug: No matches Tue Jun 27 05:54:41 2017 : Debug: (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE Tue Jun 27 05:54:41 2017 : Debug: (1) if (&User-Name =~ /\.\./ ) { Tue Jun 27 05:54:41 2017 : Debug: No matches Tue Jun 27 05:54:41 2017 : Debug: (1) if (&User-Name =~ /\.\./ ) -> FALSE Tue Jun 27 05:54:41 2017 : Debug: (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { Tue Jun 27 05:54:41 2017 : Debug: No matches Tue Jun 27 05:54:41 2017 : Debug: (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE Tue Jun 27 05:54:41 2017 : Debug: (1) if (&User-Name =~ /\.$/) { Tue Jun 27 05:54:41 2017 : Debug: No matches Tue Jun 27 05:54:41 2017 : Debug: (1) if (&User-Name =~ /\.$/) -> FALSE Tue Jun 27 05:54:41 2017 : Debug: (1) if (&User-Name =~ /@\./) { Tue Jun 27 05:54:41 2017 : Debug: No matches Tue Jun 27 05:54:41 2017 : Debug: (1) if (&User-Name =~ /@\./) -> FALSE Tue Jun 27 05:54:41 2017 : Debug: (1) } # if (&User-Name) = notfound Tue Jun 27 05:54:41 2017 : Debug: (1) } # policy filter_username = notfound Tue Jun 27 05:54:41 2017 : Debug: (1) modsingle[authorize]: calling preprocess (rlm_preprocess) Tue Jun 27 05:54:41 2017 : Debug: (1) modsingle[authorize]: returned from preprocess (rlm_preprocess) Tue Jun 27 05:54:41 2017 : Debug: (1) [preprocess] = ok Tue Jun 27 05:54:41 2017 : Debug: (1) modsingle[authorize]: calling chap (rlm_chap) Tue Jun 27 05:54:41 2017 : Debug: (1) modsingle[authorize]: returned from chap (rlm_chap) Tue Jun 27 05:54:41 2017 : Debug: (1) [chap] = noop Tue Jun 27 05:54:41 2017 : Debug: (1) modsingle[authorize]: calling mschap (rlm_mschap) Tue Jun 27 05:54:41 2017 : Debug: (1) modsingle[authorize]: returned from mschap (rlm_mschap) Tue Jun 27 05:54:41 2017 : Debug: (1) [mschap] = noop Tue Jun 27 05:54:41 2017 : Debug: (1) modsingle[authorize]: calling digest (rlm_digest) Tue Jun 27 05:54:41 2017 : Debug: (1) modsingle[authorize]: returned from digest (rlm_digest) Tue Jun 27 05:54:41 2017 : Debug: (1) [digest] = noop Tue Jun 27 05:54:41 2017 : Debug: (1) modsingle[authorize]: calling suffix (rlm_realm) Tue Jun 27 05:54:41 2017 : Debug: (1) suffix: Checking for suffix after "@" Tue Jun 27 05:54:41 2017 : Debug: (1) suffix: No '@' in User-Name = "teke", looking up realm NULL Tue Jun 27 05:54:41 2017 : Debug: (1) suffix: No such realm "NULL" Tue Jun 27 05:54:41 2017 : Debug: (1) modsingle[authorize]: returned from suffix (rlm_realm) Tue Jun 27 05:54:41 2017 : Debug: (1) [suffix] = noop Tue Jun 27 05:54:41 2017 : Debug: (1) modsingle[authorize]: calling eap (rlm_eap) Tue Jun 27 05:54:41 2017 : Debug: (1) eap: No EAP-Message, not doing EAP Tue Jun 27 05:54:41 2017 : Debug: (1) modsingle[authorize]: returned from eap (rlm_eap) Tue Jun 27 05:54:41 2017 : Debug: (1) [eap] = noop Tue Jun 27 05:54:41 2017 : Debug: (1) modsingle[authorize]: calling files (rlm_files) Tue Jun 27 05:54:41 2017 : Debug: (1) modsingle[authorize]: returned from files (rlm_files) Tue Jun 27 05:54:41 2017 : Debug: (1) [files] = noop Tue Jun 27 05:54:41 2017 : Debug: (1) modsingle[authorize]: calling ldap (rlm_ldap) Tue Jun 27 05:54:41 2017 : Info: rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 118721 seconds Tue Jun 27 05:54:41 2017 : Debug: rlm_ldap: Closing libldap handle 0x558ba43988d0 Tue Jun 27 05:54:42 2017 : Info: rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 118721 seconds Tue Jun 27 05:54:42 2017 : Debug: rlm_ldap: Closing libldap handle 0x558ba439cf90 Tue Jun 27 05:54:42 2017 : Info: rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 118721 seconds Tue Jun 27 05:54:42 2017 : Debug: rlm_ldap: Closing libldap handle 0x558ba438f2e0 Tue Jun 27 05:54:42 2017 : Info: rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 118721 seconds Tue Jun 27 05:54:42 2017 : Debug: rlm_ldap (ldap): You probably need to lower "min" Tue Jun 27 05:54:42 2017 : Debug: rlm_ldap: Closing libldap handle 0x558ba4392d70 Tue Jun 27 05:54:42 2017 : Info: rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for 118711 seconds Tue Jun 27 05:54:42 2017 : Debug: rlm_ldap (ldap): You probably need to lower "min" Tue Jun 27 05:54:42 2017 : Debug: rlm_ldap: Closing libldap handle 0x558ba44fefb0 Tue Jun 27 05:54:42 2017 : Info: rlm_ldap (ldap): Closing connection (5): Hit idle_timeout, was idle for 118711 seconds Tue Jun 27 05:54:42 2017 : Debug: rlm_ldap (ldap): You probably need to lower "min" Tue Jun 27 05:54:42 2017 : Debug: rlm_ldap: Closing libldap handle 0x558ba439f860 Tue Jun 27 05:54:42 2017 : Debug: rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare" Tue Jun 27 05:54:42 2017 : Info: rlm_ldap (ldap): Opening additional connection (6), 1 of 32 pending slots used Tue Jun 27 05:54:42 2017 : Debug: rlm_ldap (ldap): Connecting to ldap://localhost:389 Tue Jun 27 05:54:42 2017 : Debug: rlm_ldap (ldap): New libldap handle 0x558ba438e620 Tue Jun 27 05:54:42 2017 : Debug: rlm_ldap (ldap): Waiting for bind result... Tue Jun 27 05:54:43 2017 : Debug: rlm_ldap (ldap): Bind successful Tue Jun 27 05:54:43 2017 : Debug: rlm_ldap (ldap): Reserved connection (6) Tue Jun 27 05:54:43 2017 : Debug: (1) ldap: EXPAND TMPL XLAT Tue Jun 27 05:54:43 2017 : Debug: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) Tue Jun 27 05:54:43 2017 : Debug: Parsed xlat tree: Tue Jun 27 05:54:43 2017 : Debug: literal --> (uid= Tue Jun 27 05:54:43 2017 : Debug: if { Tue Jun 27 05:54:43 2017 : Debug: attribute --> Stripped-User-Name Tue Jun 27 05:54:43 2017 : Debug: } Tue Jun 27 05:54:43 2017 : Debug: else { Tue Jun 27 05:54:43 2017 : Debug: attribute --> User-Name Tue Jun 27 05:54:43 2017 : Debug: } Tue Jun 27 05:54:43 2017 : Debug: literal --> ) Tue Jun 27 05:54:43 2017 : Debug: (1) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) Tue Jun 27 05:54:43 2017 : Debug: (1) ldap: --> (uid=teke) Tue Jun 27 05:54:43 2017 : Debug: (1) ldap: EXPAND TMPL LITERAL Tue Jun 27 05:54:43 2017 : Debug: (1) ldap: Performing search in "" with filter "(uid=teke)", scope "sub" Tue Jun 27 05:54:43 2017 : Debug: (1) ldap: Waiting for search result... Tue Jun 27 05:54:43 2017 : Debug: (1) ldap: The specified DN wasn't found Tue Jun 27 05:54:43 2017 : Debug: (1) ldap: Search returned no results Tue Jun 27 05:54:43 2017 : Debug: rlm_ldap (ldap): Released connection (6) Tue Jun 27 05:54:43 2017 : Info: rlm_ldap (ldap): Need 2 more connections to reach 10 spares Tue Jun 27 05:54:43 2017 : Info: rlm_ldap (ldap): Opening additional connection (7), 1 of 31 pending slots used Tue Jun 27 05:54:43 2017 : Debug: rlm_ldap (ldap): Connecting to ldap://localhost:389 Tue Jun 27 05:54:43 2017 : Debug: rlm_ldap (ldap): New libldap handle 0x558ba439b660 Tue Jun 27 05:54:43 2017 : Debug: rlm_ldap (ldap): Waiting for bind result... Tue Jun 27 05:54:43 2017 : Debug: rlm_ldap (ldap): Bind successful Tue Jun 27 05:54:43 2017 : Debug: (1) modsingle[authorize]: returned from ldap (rlm_ldap) Tue Jun 27 05:54:43 2017 : Debug: (1) [ldap] = notfound Tue Jun 27 05:54:43 2017 : Debug: (1) } # authorize = notfound Tue Jun 27 05:54:43 2017 : ERROR: (1) No Auth-Type found: rejecting the user via Post-Auth-Type = Reject Tue Jun 27 05:54:43 2017 : Debug: (1) Failed to authenticate the user Tue Jun 27 05:54:43 2017 : Debug: (1) Using Post-Auth-Type Reject Tue Jun 27 05:54:43 2017 : Debug: (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default Tue Jun 27 05:54:43 2017 : Debug: (1) Post-Auth-Type REJECT { Tue Jun 27 05:54:43 2017 : Debug: (1) modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter) Tue Jun 27 05:54:43 2017 : Debug: %{User-Name} Tue Jun 27 05:54:43 2017 : Debug: Parsed xlat tree: Tue Jun 27 05:54:43 2017 : Debug: attribute --> User-Name Tue Jun 27 05:54:43 2017 : Debug: (1) attr_filter.access_reject: EXPAND %{User-Name} Tue Jun 27 05:54:43 2017 : Debug: (1) attr_filter.access_reject: --> teke Tue Jun 27 05:54:43 2017 : Debug: (1) attr_filter.access_reject: Matched entry DEFAULT at line 11 Tue Jun 27 05:54:43 2017 : Debug: (1) modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter) Tue Jun 27 05:54:43 2017 : Debug: (1) [attr_filter.access_reject] = updated Tue Jun 27 05:54:43 2017 : Debug: (1) modsingle[post-auth]: calling eap (rlm_eap) Tue Jun 27 05:54:43 2017 : Debug: (1) eap: Request didn't contain an EAP-Message, not inserting EAP-Failure Tue Jun 27 05:54:43 2017 : Debug: (1) modsingle[post-auth]: returned from eap (rlm_eap) Tue Jun 27 05:54:43 2017 : Debug: (1) [eap] = noop Tue Jun 27 05:54:43 2017 : Debug: (1) policy remove_reply_message_if_eap { Tue Jun 27 05:54:43 2017 : Debug: (1) if (&reply:EAP-Message && &reply:Reply-Message) { Tue Jun 27 05:54:43 2017 : Debug: (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE Tue Jun 27 05:54:43 2017 : Debug: (1) else { Tue Jun 27 05:54:43 2017 : Debug: (1) modsingle[post-auth]: calling noop (rlm_always) Tue Jun 27 05:54:43 2017 : Debug: (1) modsingle[post-auth]: returned from noop (rlm_always) Tue Jun 27 05:54:43 2017 : Debug: (1) [noop] = noop Tue Jun 27 05:54:43 2017 : Debug: (1) } # else = noop Tue Jun 27 05:54:43 2017 : Debug: (1) } # policy remove_reply_message_if_eap = noop Tue Jun 27 05:54:43 2017 : Debug: (1) } # Post-Auth-Type REJECT = updated Tue Jun 27 05:54:43 2017 : Debug: (1) Delaying response for 1.000000 seconds Tue Jun 27 05:54:43 2017 : Debug: Waking up in 0.9 seconds. Tue Jun 27 05:54:44 2017 : Debug: (1) Sending delayed response Tue Jun 27 05:54:44 2017 : Debug: (1) Sent Access-Reject Id 251 from 127.0.0.1:1812 to 127.0.0.1:53093 length 20 Tue Jun 27 05:54:44 2017 : Debug: Waking up in 3.9 seconds. Tue Jun 27 05:54:48 2017 : Debug: (1) Cleaning up request packet ID 251 with timestamp +118720 Any kind of help, documentation recommendation would help. thankyou!
Hello before i ask this question, i already read and try the freeradius + ldap authentication from https://wiki.freeradius.org/protocol/LDAP and http://confluence.diamond.ac.uk/display/PAAUTH/Using+LDAP+as+authenticatio n+source. But now i'm kinda stuck with that both documentation, because everytime i test the user in ldap (using radtest) i get "no DN found". I already check that the dn has properly set up (i'm using phpldapadmin to create user in
If you get 'no DN found', then you need to tweak the LDAP search parameters to search for your user correctly. The documentation only covers FreeRADIUS and the LDAP module specifically, *not* how you set up your LDAP or where your user resides.
Tue Jun 27 05:54:43 2017 : Debug: rlm_ldap (ldap): Bind successful Tue Jun 27 05:54:43 2017 : Debug: rlm_ldap (ldap): Reserved connection (6) Tue Jun 27 05:54:43 2017 : Debug: (1) ldap: EXPAND TMPL XLAT Tue Jun 27 05:54:43 2017 : Debug: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) Tue Jun 27 05:54:43 2017 : Debug: (1) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) Tue Jun 27 05:54:43 2017 : Debug: (1) ldap: --> (uid=teke) Tue Jun 27 05:54:43 2017 : Debug: (1) ldap: EXPAND TMPL LITERAL Tue Jun 27 05:54:43 2017 : Debug: (1) ldap: Performing search in "" with
Use something like 'ldapsearch' to search the LDAP for your user. Right here it says it's searching in "" (i.e. In an empty organisation location)... Does your LDAP require something like an ou (organisational unit), or a dn (domain name), I.e. 'dn=myorg,dn=org'? Figure this out with ldapsearch, then fix your FreeRADIUS ldap configuration accordingly. Then try again with your authentication. Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
participants (2)
-
Fatih Naufal -
Stefan Paetow