bind failed in LDAP authentication phase
Hy all, I am still doing tests with the rlm_ldap module and I have encountered with the following problem: In the authenticate phase the user replica try to bind to the LDAP server. But this attempts fails. However, in the access control section of the LDAP server, it has permission... I don´t know what I am doing wrong I have configured my LDAP server with the following control access. In the slapd.conf: access to * by self write by dn="cn=billing,ou=admins,ou=radius,dc=mydomain,dc=com" write by dn="cn=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com" read by anonymous auth by * none ---------------------------------------- My users file: DEFAULT NAS-Port == 58, User-Profile := "uid=isdn,ou=profiles,ou=radius,dc=mydomain,dc=com" DEFAULT Auth-Type := Reject Reply-Message = "Llamse a servicio tecnico" ---------------------------------------- My directory: dn: dc=mydomain,dc=com objectclass: dcObject objectclass: organizationalUnit ou: Mydomain.com Radius dc: mydomain dn: ou=radius,dc=mydomain,dc=com objectclass: organizationalUnit ou: radius dn: ou=profiles,ou=radius,dc=mydomain,dc=com objectclass: organizationalUnit ou: profiles dn: ou=users,ou=radius,dc=mydomain,dc=com objectclass: organizationalUnit ou: users dn: ou=admins,ou=radius,dc=mydomain,dc=com objectclass: organizationalUnit ou: admins dn: uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com objectclass: radiusprofile uid: dial radiusServiceType: Framed-User radiusFramedProtocol: PPP radiusFramedIPNetmask: 255.255.255.0 radiusFramedRouting: None dn: uid=isdn,ou=profiles,ou=radius,dc=mydomain,dc=com objectclass: radiusprofile uid: isdn radiusServiceType: Framed-User radiusFramedProtocol: PPP radiusFramedIPNetmask: 255.255.254.0 radiusFramedRouting: None dn: uid=example,ou=users,ou=radius,dc=mydomain,dc=com objectclass: radiusprofile uid: example userPassword: test radiusGroupName: dial radiusGroupName: isdn dn: cn=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com objectclass: person sn: freeradius cn: freeradius userPassword: freeradius dn: cn=billing,ou=admins,ou=radius,dc=mydomain,dc=com objectclass: person sn: billing cn: billing userPassword: billing dn: cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com objectclass: person sn: replica cn: replica userPassword: replica ------------------------------------------------ My radiusd.conf: ldap { server = "localhost" identity = "cn=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com" password = freeradius basedn = "ou=radius,dc=mydomain,dc=com" filter = "(&(sn=replica)(cn=%{Stripped-User-Name:-%{User-Name}}))" start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 10 password_attribute = userPassword groupname_attribute = radiusGroupName groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}}))(objectclass=radiusProfile)" groupmembership_attribute = radiusGroupName timeout = 3 timelimit = 5 net_timeout = 1 } --------------------------- Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:39089, id=92, length=59 User-Name = "replica" User-Password = "replica" NAS-IP-Address = 10.95.4.93 NAS-Port = 58 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "replica", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 1 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for replica radius_xlat: '(&(sn=replica)(cn=replica))' radius_xlat: 'ou=radius,dc=mydomain,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as cn=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com/freeradius to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=radius,dc=mydomain,dc=com, with filter (&(sn=replica)(cn=replica)) rlm_ldap: performing search in uid=isdn,ou=profiles,ou=radius,dc=mydomain,dc=com, with filter (objectclass=radiusprofile) rlm_ldap: Adding radiusFramedRouting as Framed-Routing, value None & op=11 rlm_ldap: Adding radiusFramedIPNetmask as Framed-IP-Netmask, value 255.255.254.0 & op=11 rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP & op=11 rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & op=11 rlm_ldap: Added password replica in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user replica authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 0 rlm_ldap: - authenticate rlm_ldap: login attempt by "replica" with password "replica" rlm_ldap: user DN: cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com rlm_ldap: (re)connect to localhost:389, authentication 1 rlm_ldap: bind as cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com/replica to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind failed with invalid credentials modcall[authenticate]: module "ldap" returns reject for request 0 modcall: group Auth-Type returns reject for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 92 to 127.0.0.1:39089 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 92 with timestamp 43e0b2db Nothing to do. Sleeping until we see a request. Any help is very appreciated Regards, Rafa
participants (1)
-
Rafael Roldán