how to enable ldap during authentication
Hi, I am using version 2.0.2-pre I would like to use ldap for freeradius authentication. I couldn't find anything on web about this topic. I have ldap module in the authorize section in my default virtual server. I see in the debug that ldap module returns ok during authorization please point me what do I have to do to use ldap olso for authentication is it enough to put ldap invocation in authentication section? below debug from authorization thanks a lot for any help! regards -tomasz rlm_ldap: waiting for bind result ... request 1 done rlm_ldap: Bind was successful rlm_ldap: performing search in ou=Touki,ou=People,dc=touk,dc=pl, with filter (mail=tzl@touk.pl) request 2 done rlm_ldap: Added User-Password = {MD5}SNNMxdM+Zfvr//0yEp0DuA== in check items rlm_ldap: looking for check items in directory... rlm_ldap: LDAP attribute userPassword as RADIUS attribute Cleartext-Password == "{MD5}SNNMxdM+Zfvr//0yEp0DuA==" rlm_ldap: looking for reply items in directory... rlm_ldap: user tzl authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok
Hi,
I am using version 2.0.2-pre I would like to use ldap for freeradius authentication. I couldn't find anything on web about this topic. I have ldap module in the authorize section in my default virtual server. I see in the debug that ldap module returns ok during authorization please point me what do I have to do to use ldap olso for authentication
is it enough to put ldap invocation in authentication section? below debug from authorization
you cant use LDAP to authenticate if its not in the authenticate section. alan
Uncomment ldap in authenticate section. Ivan Kalik Kalik Informatika ISP Dana 23/1/2008, "Tomasz Zieleniewski" <tzieleniewski@gmail.com> piše:
Hi,
I am using version 2.0.2-pre I would like to use ldap for freeradius authentication. I couldn't find anything on web about this topic. I have ldap module in the authorize section in my default virtual server. I see in the debug that ldap module returns ok during authorization please point me what do I have to do to use ldap olso for authentication
is it enough to put ldap invocation in authentication section? below debug from authorization
thanks a lot for any help! regards -tomasz
rlm_ldap: waiting for bind result ... request 1 done rlm_ldap: Bind was successful rlm_ldap: performing search in ou=Touki,ou=People,dc=touk,dc=pl, with filter (mail=tzl@touk.pl) request 2 done rlm_ldap: Added User-Password = {MD5}SNNMxdM+Zfvr//0yEp0DuA== in check items rlm_ldap: looking for check items in directory... rlm_ldap: LDAP attribute userPassword as RADIUS attribute Cleartext-Password == "{MD5}SNNMxdM+Zfvr//0yEp0DuA==" rlm_ldap: looking for reply items in directory... rlm_ldap: user tzl authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok
Hi Still something is wrong. I have the following authorize section: authorize { preprocess auth_req_log suffix sql ldap } I tried such authenticate sections: authenticate { Auth-Type LDAP { ldap } Auth-Type Digest { digest } Auth-Type PAP { pap } } authenticate { ldap } all the time I receive failed authentication, what do I miss here? hu Jan 24 09:40:35 2008 : Debug: rlm_ldap: - authorize Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: performing user authorization for tzl Thu Jan 24 09:40:35 2008 : Debug: expand: (mail=%u@touk.pl) -> (mail= tzl@touk.pl) Thu Jan 24 09:40:35 2008 : Debug: expand: ou=Touki,ou=People,dc=touk,dc=pl -> ou=Touki,ou=People,dc=touk,dc=pl Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0 Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0 Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: performing search in ou=Touki,ou=People,dc=touk,dc=pl, with filter (mail=tzl@touk.pl) request 5 done Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: Added User-Password = {MD5}SNNMxdM+Zfvr//0yEp0DuA== in check items Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: looking for check items in directory... Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: LDAP attribute userPassword as RADIUS attribute Cleartext-Password == "{MD5}SNNMxdM+Zfvr//0yEp0DuA==" Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: looking for reply items in directory... Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: user tzl authorized to use remote access Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Thu Jan 24 09:40:35 2008 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 3 Thu Jan 24 09:40:35 2008 : Debug: ++[ldap] returns ok Thu Jan 24 09:40:35 2008 : Debug: auth: type Local Thu Jan 24 09:40:35 2008 : Debug: auth: user supplied User-Password does NOT match local User-Password Thu Jan 24 09:40:35 2008 : Debug: auth: Failed to validate the user. Thu Jan 24 09:40:35 2008 : Auth: Login incorrect: [tzl/somepass] (from client localhost port 0) Thu Jan 24 09:40:35 2008 : Debug: Found Post-Auth-Type Reject Thu Jan 24 09:40:35 2008 : Debug: +- entering group REJECT Thu Jan 24 09:40:35 2008 : Debug: modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter) for request 3 Thu Jan 24 09:40:35 2008 : Debug: expand: %{User-Name} -> tzl Thu Jan 24 09:40:35 2008 : Debug: attr_filter: Matched entry DEFAULT at line 11 Thu Jan 24 09:40:35 2008 : Debug: modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter) for request 3 Thu Jan 24 09:40:35 2008 : Debug: ++[attr_filter.access_reject] returns updated regards tomasz 2008/1/23 <tnt@kalik.co.yu>:
Uncomment ldap in authenticate section.
Ivan Kalik Kalik Informatika ISP
Dana 23/1/2008, "Tomasz Zieleniewski" <tzieleniewski@gmail.com> piše:
Hi,
I am using version 2.0.2-pre I would like to use ldap for freeradius authentication. I couldn't find anything on web about this topic. I have ldap module in the authorize section in my default virtual server. I see in the debug that ldap module returns ok during authorization please point me what do I have to do to use ldap olso for authentication
is it enough to put ldap invocation in authentication section? below debug from authorization
thanks a lot for any help! regards -tomasz
rlm_ldap: waiting for bind result ... request 1 done rlm_ldap: Bind was successful rlm_ldap: performing search in ou=Touki,ou=People,dc=touk,dc=pl, with filter (mail=tzl@touk.pl) request 2 done rlm_ldap: Added User-Password = {MD5}SNNMxdM+Zfvr//0yEp0DuA== in check items rlm_ldap: looking for check items in directory... rlm_ldap: LDAP attribute userPassword as RADIUS attribute Cleartext-Password == "{MD5}SNNMxdM+Zfvr//0yEp0DuA==" rlm_ldap: looking for reply items in directory... rlm_ldap: user tzl authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Tomasz Zieleniewski wrote:
Still something is wrong.
I have the following authorize section: ...
In which the default configuration has been massively changed. I'm not sure where else to document this: If you are not clear on how the server works, then DO NOT CHANGE THE DEFAULT CONFIGURATION. If the configuration you've created doesn't work, then it's clear that there's something missing. In that case, follow the instructions in the "man" page for how to create a working configuration. ...
Thu Jan 24 09:40:35 2008 : Debug: ++[ldap] returns ok Thu Jan 24 09:40:35 2008 : Debug: auth: type Local
Something in your local changes has set "Auth-Type := Local". Can you please explain WHY you're doing that, WHERE you found documentation saying that it was a good idea, and WHAT you think it's doing? The documentation that comes with 2.0 tries very hard to explain that setting "Auth-Type" is almost always wrong. Is there somewhere else we need to document this? In addition, you're mapping a hashed password to a clear-text password:
Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: LDAP attribute userPassword as RADIUS attribute Cleartext-Password == "{MD5}SNNMxdM+Zfvr//0yEp0DuA=="
Again, this is NOT in the default configuration, and WILL NOT WORK. Start off with the default configuration. Configure the "ldap" module, and un-comment it from the "authorize" section. Your tests SHOULD work. Alan DeKok.
On Jan 24, 2008 9:59 AM, Alan DeKok <aland@deployingradius.com> wrote:
Tomasz Zieleniewski wrote:
Still something is wrong.
I have the following authorize section: ...
In which the default configuration has been massively changed.
I'm not sure where else to document this: If you are not clear on how the server works, then DO NOT CHANGE THE DEFAULT CONFIGURATION.
If the configuration you've created doesn't work, then it's clear that there's something missing. In that case, follow the instructions in the "man" page for how to create a working configuration. ...
Thu Jan 24 09:40:35 2008 : Debug: ++[ldap] returns ok Thu Jan 24 09:40:35 2008 : Debug: auth: type Local
Something in your local changes has set "Auth-Type := Local".
I didn't set it explicit. I don't know what caused setting Auth-Type to Local!!!!!! But I found my error. The problem was in ldap I didn't have Auth-Type Set in radius and I used old config from docs directory which didn't have set_auth_type parameter.
Can you please explain WHY you're doing that, WHERE you found documentation saying that it was a good idea, and WHAT you think it's doing?
The documentation that comes with 2.0 tries very hard to explain that setting "Auth-Type" is almost always wrong. Is there somewhere else we need to document this?
In addition, you're mapping a hashed password to a clear-text password:
Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: LDAP attribute userPassword as RADIUS attribute Cleartext-Password == "{MD5}SNNMxdM+Zfvr//0yEp0DuA=="
Again, this is NOT in the default configuration, and WILL NOT WORK.
Similar problem my LDAP server return hashed passwords instead of plain-text i added additional parameter in LDAP which solved the issue.
Start off with the default configuration. Configure the "ldap" module, and un-comment it from the "authorize" section. Your tests SHOULD work.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Tomasz Zieleniewski wrote:
I didn't set it explicit. I don't know what caused setting Auth-Type to Local!!!!!! But I found my error. The problem was in ldap I didn't have Auth-Type Set in radius and I used old config from docs directory which didn't have set_auth_type parameter.
OK.
Similar problem my LDAP server return hashed passwords instead of plain-text i added additional parameter in LDAP which solved the issue.
If you map the hashed password to "Password-With-Header", and add the "pap" module to the "authorize" section, it should work, too. Alan DeKok.
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
tnt@kalik.co.yu -
Tomasz Zieleniewski