Hi folk, I have Freeradius 2.1.1 and openldap 2.3.27-8 installed in 2 diff servers. My radius server is used to authenticate users from differents relams (lets say 8) against one ldap server. My ldap server has 8 different basedn which holds users from the realms. I want to use unlang to configure radiusd to use a specific ldap module configuration based on the realm of the user connected to the wireless network. Can I use unlang with (switch %{Realm}statement) to do so ? Thanks for any clues and help. -- Mustapha BOUIKHIF Service Systèmes d'Information CNRS - DR4 tel: +33 1 69 82 33 97 fax: +33 1 69 82 33 39
My radius server is used to authenticate users from differents relams (lets say 8) against one ldap server. My ldap server has 8 different basedn which holds users from the realms. I want to use unlang to configure radiusd to use a specific ldap module configuration based on the realm of the user connected to the wireless network. Can I use unlang with (switch %{Realm}statement) to do so ?
Yes. If you can put %{Realm} into your basedn configuration line you might not need to. Ivan Kalik Kalik informatika ISP
tnt@kalik.net a écrit :
My radius server is used to authenticate users from differents relams (lets say 8) against one ldap server. My ldap server has 8 different basedn which holds users from the realms. I want to use unlang to configure radiusd to use a specific ldap module configuration based on the realm of the user connected to the wireless network. Can I use unlang with (switch %{Realm}statement) to do so ?
Yes. If you can put %{Realm} into your basedn configuration line you might not need to.
Ivan Kalik Kalik informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks Ivan. but i can not put Realm variable in my basedn configuration line. I use unlang, here is my configuration radiusd.conf: modules { .............. ldap switch "%{Realm}" { case dr4.cnrs.fr { server = "ldapauth.cnrs-gif.fr" identity = "uid=Manager,ou=people,dc=dr4,dc=cnrs,dc=fr" password = xxxxx basedn = "ou=people,dc=dr4,dc=cnrs,dc=fr" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" ..... } case lsce.ipsl.fr { server = "ldapauth.cnrs-gif.fr" identity = "uid=Manager,ou=people,dc=lsce,dc=ipsl,dc=fr" password = regif2 basedn = "ou=people,dc=lsce,dc=ipsl,dc=fr" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" ........ } case { server = "ldapauth.cnrs-gif.fr" identity = "uid=Manager,ou=people,dc=dr4,dc=cnrs,dc=fr" password = regif2 basedn = "ou=people,dc=dr4,dc=cnrs,dc=fr" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" ........... } authorize { ...... ldap ...... } But when I restarted radiusd, it shows errors initializing modules -ldap- What am I doing wrong ? thanks for any clues. -- Mustapha BOUIKHIF Service Systèmes d'Information CNRS - DR4 tel: +33 1 69 82 33 97 fax: +33 1 69 82 33 39
I use unlang, here is my configuration radiusd.conf:
modules {
...............
ldap switch "%{Realm}" { case dr4.cnrs.fr {
1. What version is this? Unlang works onl y in 2.x? ldap is not in radiusd.conf in that version any more. 2. unlang works in server not module configuration files. Create a temporary attribute to store basedn in raddb/dictionary file (lets say a string My-BaseDN). Than do this just before ldap in authorize: switch "%{Realm}" { case "dr4.cnrs.fr" { update control { My-BaseDN = "ou=people,dc=dr4,dc=cnrs,dc=fr" } } case ... } In ldap module configuration: ldap { server = "ldapauth.cnrs-gif.fr" identity = "uid=Manager,%{control:My-BaseDN}" password = whatever basedn = "%{control:My-BaseDN}" .. } If password also changes you will need another temp attribute (lets say My-Password) to update with My-BaseDN and to replace for "whatever". Ivan Kalik Kalik Informatika ISP
tnt@kalik.net a écrit :
I use unlang, here is my configuration radiusd.conf:
modules {
...............
ldap switch "%{Realm}" { case dr4.cnrs.fr {
1. What version is this? Unlang works onl y in 2.x? ldap is not in radiusd.conf in that version any more.
2. unlang works in server not module configuration files. Create a temporary attribute to store basedn in raddb/dictionary file (lets say a string My-BaseDN). Than do this just before ldap in authorize:
switch "%{Realm}" { case "dr4.cnrs.fr" { update control { My-BaseDN = "ou=people,dc=dr4,dc=cnrs,dc=fr" } } case ... }
In ldap module configuration:
ldap { server = "ldapauth.cnrs-gif.fr" identity = "uid=Manager,%{control:My-BaseDN}" password = whatever basedn = "%{control:My-BaseDN}" .. }
If password also changes you will need another temp attribute (lets say My-Password) to update with My-BaseDN and to replace for "whatever".
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks Ivan, but still doesn't work... In my /etc/raddb/dictionary file: ATTRIBUTE My-BaseDN 10 string radiusd.conf configured like you said (module ldap, authorize section) radiusd starts and logs says: Nov 17 15:13:31 localradius radiusd[8420]: Ready to process requests. Nov 17 15:13:39 localradius radiusd[8420]: rlm_ldap: uid=Manager,%{control:My-BaseDN} bind to ldapauth.cnrs-gif.fr:389 failed Invalid DN syntax Nov 17 15:13:39 localradius radiusd[8420]: rlm_ldap: (re)connection attempt failed radiusd can not replace the temporary attribute (My-BaseDN) with the correct value ... May be cause the ldap module is called before authorize section where My-BaseDN is defined ?? -- Mustapha BOUIKHIF Service Systèmes d'Information CNRS - DR4 tel: +33 1 69 82 33 97 fax: +33 1 69 82 33 39
In my /etc/raddb/dictionary file: ATTRIBUTE My-BaseDN 10 string
radiusd.conf configured like you said (module ldap, authorize section) radiusd starts and logs says:
freeradius version?
May be cause the ldap module is called before authorize section where My-BaseDN is defined ??
Why? In what section? Ivan Kalik Kalik Informatika ISP
tnt@kalik.net wrote:
In my /etc/raddb/dictionary file: ATTRIBUTE My-BaseDN 10 string
radiusd.conf configured like you said (module ldap, authorize section) radiusd starts and logs says:
freeradius version?
radiusd: FreeRADIUS Version 2.1.1, for host i686-pc-linux-gnu
May be cause the ldap module is called before authorize section where My-BaseDN is defined ??
Why? In what section?
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Mustapha BOUIKHIF Service Systèmes d'Information CNRS - DR4 tel: +33 1 69 82 33 97 fax: +33 1 69 82 33 39
radiusd: FreeRADIUS Version 2.1.1, for host i686-pc-linux-gnu
Then ldap is not in radiusd.conf. ldap is now in raddb/modules/ldap. authorize in not in radiusd.conf either. It's in raddb/sites-enabled/default. Are you trying to use new version with a copy of old radiusd.conf? Post the whole debug from server startup. Ivan Kalik Kalik Informatika ISP
tnt@kalik.net wrote:
radiusd: FreeRADIUS Version 2.1.1, for host i686-pc-linux-gnu
Then ldap is not in radiusd.conf. ldap is now in raddb/modules/ldap. authorize in not in radiusd.conf either. It's in raddb/sites-enabled/default. Are you trying to use new version with a copy of old radiusd.conf?
Post the whole debug from server startup.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Here is the debug of radiusd (attached file) -- Mustapha BOUIKHIF Service Systèmes d'Information CNRS - DR4 tel: +33 1 69 82 33 97 fax: +33 1 69 82 33 39 FreeRADIUS Version 2.1.1, for host i686-pc-linux-gnu, built on Oct 10 2008 at 15:47:23 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/acctlog.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/inner-tunnel including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/localradius-cnrs-gif.fr group = radiusd user = radiusd including dictionary file /etc/raddb/dictionary main { prefix = "/usr/local" localstatedir = "/usr/local/var" logdir = "/usr/local/var/log/radius" libdir = "/usr/local/lib" radacctdir = "/usr/local/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/usr/local/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } client 127.0.0.1 { require_message_authenticator = no secret = "testing123" shortname = "localhost" } client 157.136.121.63 { require_message_authenticator = no secret = "sharedsecret" shortname = "wolf" virtual_server = "localradius.cnrs-gif.fr" } client 157.136.124.22 { require_message_authenticator = no secret = "together" shortname = "radius" virtual_server = "localradius.cnrs-gif.fr" } client 157.136.121.70 { require_message_authenticator = no secret = "testing123" shortname = "bouikxp" virtual_server = "localradius.cnrs-gif.fr" } client 157.136.122.19 { require_message_authenticator = no secret = "wifisecret" shortname = "mx8" virtual_server = "localradius.cnrs-gif.fr" } client 157.136.122.46 { require_message_authenticator = no secret = "wifisecret" shortname = "MX200" virtual_server = "localradius.cnrs-gif.fr" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = yes dead_time = 0 wake_all_if_all_dead = no } realm cnrs-gif.fr { authhost = LOCAL accthost = LOCAL } realm dr4.cnrs.fr { authhost = LOCAL accthost = LOCAL } realm LOCAL { authhost = LOCAL accthost = LOCAL } realm DEFAULT { nostrip authhost = radius.cnrs-gif.fr:1812 accthost = radius.cnrs-gif.fr:1813 secret = together } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_expr Module: Instantiating expr } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = yes } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = yes with_ntdomain_hack = yes } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "ttls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/localradius.cnrs-gif.fr.key" certificate_file = "/etc/raddb/certs/localradius.cnrs-gif.fr.pem" CA_file = "/etc/raddb/certs/ca-cnrs/cacnrs-root.pem" private_key_password = "openssl" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no check_cert_cn = "%{User-Name}" cipher_list = "DEFAULT" check_cert_issuer = "/C=FR/O=CNRS/CN=CNRS-Standard" } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = yes use_tunneled_reply = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Instantiating ntdomain realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" key = "%{Stripped-User-Name:-%{User-Name}}" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/usr/local/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating post_proxy_log detail post_proxy_log { detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Checking post-auth {...} for more modules to load Module: Instantiating reply_log detail reply_log { detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } } } server localradius.cnrs-gif.fr { modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Instantiating auth_log detail auth_log { detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_ldap Module: Instantiating ldap ldap { server = "ldapauth.cnrs-gif.fr" port = 389 password = "sirc2" identity = "uid=Manager,%{control:My-BaseDN}" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "%{control:My-BaseDN}" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" password_attribute = "userPassword" auto_header = yes access_attr_used_for_allow = no groupname_attribute = "radiusGroupName" groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})" groupmembership_attribute = "radiusGroupName" dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 10 compare_check_items = no do_xlat = yes set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section. rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-ID rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Trapeze-VLAN-Name rlm_ldap: LDAP radiusGroupName mapped to RADIUS Group-Name conns: 0x95a1828 Module: Checking preacct {...} for more modules to load Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Instantiating detail1 detail detail1 { detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating detail2 detail detail2 { detailfile = "/usr/local/var/log/radius/radacct/detail-combined" header = "%t" detailperm = 384 dirperm = 493 locking = yes log_packet_header = no } Module: Instantiating pre_proxy_log detail pre_proxy_log { detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_acctlog Module: Instantiating acctlog acctlog { acctlog_update = "" acctlog_start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})" acctlog_stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) Session-Time %{Acct-Session-Time} seconds" acctlog_on = "NAS %C (%{NAS-IP-Address}) just came online" acctlog_off = "NAS %C (%{NAS-IP-Address}) just went offline" } Module: Checking pre-proxy {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } } modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking preacct {...} for more modules to load Module: Checking accounting {...} for more modules to load Module: Checking pre-proxy {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 157.136.124.22 port 1814, id=97, length=139 User-Name = "anonymous@dr4.cnrs.fr" NAS-IP-Address = 157.136.124.22 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "cnrs-gif" EAP-Message = 0x0200001a01616e6f6e796d6f7573406472342e636e72732e6672 Message-Authenticator = 0xb271d1a69250a71b3e19d4f61b7f9f2e Proxy-State = 0x30 server localradius.cnrs-gif.fr { +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/157.136.124.22/auth-detail-20081117 [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/157.136.124.22/auth-detail-20081117 [auth_log] expand: %t -> Mon Nov 17 17:42:02 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "dr4.cnrs.fr" for User-Name = "anonymous@dr4.cnrs.fr" [suffix] Found realm "dr4.cnrs.fr" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "dr4.cnrs.fr" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [files] expand: %{Stripped-User-Name:-%{User-Name}} -> anonymous ++[files] returns noop [eap] EAP packet type response id 0 length 26 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated expand: %{Realm} -> dr4.cnrs.fr ++- entering switch %{Realm} {...} +++- entering case dr4.cnrs.fr {...} ++++[control] returns updated +++- case dr4.cnrs.fr returns updated ++- switch %{Realm} returns updated [ldap] performing user authorization for anonymous [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=anonymous) [ldap] expand: %{control:My-BaseDN} -> ou\3dpeople\2cdc\3ddr4\2cdc\3dcnrs\2cdc\3dfr rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldapauth.cnrs-gif.fr:389, authentication 0 rlm_ldap: bind as uid=Manager,%{control:My-BaseDN}/sirc2 to ldapauth.cnrs-gif.fr:389 rlm_ldap: waiting for bind result ... rlm_ldap: uid=Manager,%{control:My-BaseDN} bind to ldapauth.cnrs-gif.fr:389 failed Invalid DN syntax rlm_ldap: (re)connection attempt failed [ldap] search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns fail Invalid user: [anonymous@dr4.cnrs.fr] (from client radius port 0 cli 02-00-00-00-00-01) } # server localradius.cnrs-gif.fr Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 97 to 157.136.124.22 port 1814 Proxy-State = 0x30 Waking up in 4.9 seconds.
On Nov 17, 2008, at 8:50 AM, Mustapha Bouikhif wrote:
tnt@kalik.net wrote:
radiusd: FreeRADIUS Version 2.1.1, for host i686-pc-linux-gnu
Then ldap is not in radiusd.conf. ldap is now in raddb/modules/ldap. authorize in not in radiusd.conf either. It's in raddb/sites-enabled/default. Are you trying to use new version with a copy of old radiusd.conf?
Post the whole debug from server startup.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Here is the debug of radiusd (attached file) rlm_ldap: bind as uid=Manager,%{control:My-BaseDN}/sirc2 to ldapauth.cnrs-gif.fr:389 rlm_ldap: waiting for bind result ... rlm_ldap: uid=Manager,%{control:My-BaseDN} bind to ldapauth.cnrs- gif.fr:389 failed Invalid DN syntax rlm_ldap: (re)connection attempt failed
It is my understanding that few of the ldap configuration parameters are variable-expanded at bind and search time. I had no luck getting basedn to expand, but filter expands okay. I ended up defining different LDAP modules with the different basedn settings I needed and used unlang to call the proper one: ldap ldap-basedn1 { basedn = ou=org1 ... } ldap ldap-basedn2 { basedn = ou=org2 ... } authorize { switch "%{Realm}" { case realm1 { ... ldap-basedn1 } case realm2 { ... ldap-basedn2 } } No, it is not as elegant as I'd like, but basedn doesn't expand so I felt I had no choice. It works.
Here is the debug of radiusd (attached file)
You are playing a dangerous game by reusing an old radiusd.conf.
[ldap] expand: %{control:My-BaseDN} -> ou\3dpeople\2cdc\3ddr4\2cdc\3dcnrs\2cdc\3dfr
basedn expansion went well.
rlm_ldap: bind as uid=Manager,%{control:My-BaseDN}/sirc2 to ldapauth.cnrs-gif.fr:389
But identity didn't. It looks like you will have to create 8 ldap instances and switch between them: switch "%{Realm}" { case "domain1" { ldap1} case ... } This should go instead of ldap in authorize. Ivan Kalik Kalik Informatika ISP
tnt@kalik.net wrote:
Here is the debug of radiusd (attached file)
You are playing a dangerous game by reusing an old radiusd.conf.
[ldap] expand: %{control:My-BaseDN} -> ou\3dpeople\2cdc\3ddr4\2cdc\3dcnrs\2cdc\3dfr
basedn expansion went well.
rlm_ldap: bind as uid=Manager,%{control:My-BaseDN}/sirc2 to ldapauth.cnrs-gif.fr:389
But identity didn't.
It looks like you will have to create 8 ldap instances and switch between them:
switch "%{Realm}" { case "domain1" { ldap1} case ... }
This should go instead of ldap in authorize.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks Ivan & Alan. It works by defining multiple ldap in my config. -- Mustapha BOUIKHIF Service Systèmes d'Information CNRS - DR4 tel: +33 1 69 82 33 97 fax: +33 1 69 82 33 39
man unlang Ken On Tue, Nov 18, 2008 at 01:51:11PM +0100, Edgar Fu? wrote:
switch "%{Realm}" { case "domain1" { I'm admittedly feeling totally stupid, but is this syntax documented anywhere?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Would be nice if this was documented somewhere on the Website. Or am I simply too stupid to find the documentation?
http://freeradius.org/radiusd/man/unlang.html Ivan Kalik Kalik Informatika ISP
Edgar Fuß wrote:
man unlang Oh, this seems to be new in 2.x.
Would be nice if this was documented somewhere on the Website. Or am I simply too stupid to find the documentation?
See the comments at the top of "radiusd.conf". It *is* documented, if you read the configuration files. Alan DeKok.
Mustapha Bouikhif wrote:
Thanks Ivan, but still doesn't work... In my /etc/raddb/dictionary file: ATTRIBUTE My-BaseDN 10 string
Don't do that. READ the comments in the raddb/dictionary file. They tell you how to create a local attribute that DOESN'T break the server. Alan DeKok.
Alan DeKok a écrit :
Mustapha Bouikhif wrote:
Thanks Ivan, but still doesn't work... In my /etc/raddb/dictionary file: ATTRIBUTE My-BaseDN 10 string
Don't do that.
Do you mean "10" . the number picked should be between 3000 and 4000 ?
READ the comments in the raddb/dictionary file. They tell you how to create a local attribute that DOESN'T break the server.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Mustapha BOUIKHIF Service Systèmes d'Information CNRS - DR4 tel: +33 1 69 82 33 97 fax: +33 1 69 82 33 39
participants (6)
-
Alan DeKok -
Chris -
Edgar Fuß -
Kenneth Marshall -
Mustapha Bouikhif -
tnt@kalik.net