I am running freeradius version 2.0.4 and using LDAP against Active Directory. When I have a single LDAP server setup my authentication works great. I am having trouble using the redundant ldap settings. Here is some config data ldap ad01 { server = ocdc01.overstock.com port = 389 identity = "CN=LDAP Bind,OU=Special,OU=OSTK_Accounts,DC=overstock,DC=com" password = xxxxxx basedn = OU=OSTK_Accounts,DC=overstock,DC=com filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) " ldap_connections_number = 5 timeout = 40 timelimit = 30 net_timeout = 10 tls { start_tls = no } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no groupname_attribute = cn groupmembership_filter ="(|(&(objectClass=group)(member=%{control:Ldap-UserDn}))(&(objec tClass=top)(uniquemember=%{control:Ldap-UserDn})))" groupmembership_attribute = memberOf #ldap_debug = 0xFFFF } ldap ad02 { server = ocdc01.overstock.com port = 389 identity = "CN=LDAP Bind,OU=Special,OU=OSTK_Accounts,DC=overstock,DC=com" password = xxxxxx basedn = OU=OSTK_Accounts,DC=overstock,DC=com filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) " ldap_connections_number = 5 timeout = 40 timelimit = 30 net_timeout = 10 tls { start_tls = no } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no groupname_attribute = cn groupmembership_filter ="(|(&(objectClass=group)(member=%{control:Ldap-UserDn}))(&(objec tClass=top)(uniquemember=%{control:Ldap-UserDn})))" groupmembership_attribute = memberOf #ldap_debug = 0xFFFF } instantiate { exec expr expiration logintime ldap ad01 ad02 } authorize { preprocess redundant { ad01 { fail = 1 ok = return } ad02 { fail = 1 ok = return } } files expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type LDAP { redundant { ad01 { fail = 1 ok = return } ad02 { fail = 1 ok = return } } } } DEFAULT Ldap-Group == "CN=g.acl.neteng,OU=Groups,OU=OSTK_Accounts,DC=overstock,DC=com" Auth-Type := Accept, Foundry-Privilege-Level = 0, Foundry-Command-String = *, Foundry-Command-Exception-Flag = 0, Foundry-INM-Privilege = 15, Fall-Through = No DEFAULT ad01-Ldap-Group == "CN=g.acl.neteng,OU=Groups,OU=OSTK_Accounts,DC=overstock,DC=com" Auth-Type := Accept, Foundry-Privilege-Level = 0, Foundry-Command-String = *, Foundry-Command-Exception-Flag = 0, Foundry-INM-Privilege = 15, Fall-Through = No DEFAULT ad02-Ldap-Group == "CN=g.acl.neteng,OU=Groups,OU=OSTK_Accounts,DC=overstock,DC=com" Auth-Type := Accept, Foundry-Privilege-Level = 0, Foundry-Command-String = *, Foundry-Command-Exception-Flag = 0, Foundry-INM-Privilege = 15, Fall-Through = No Here is some debug info rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Creating new attribute ad02-Ldap-Group rlm_ldap: Registering ldap_groupcmp for ad02-Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ad02 rlm_ldap: Over-riding set_auth_type, as there is no module ad02 listed in the "authenticate" section. rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Creating new attribute ad01-Ldap-Group rlm_ldap: Registering ldap_groupcmp for ad01-Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ad01 rlm_ldap: Over-riding set_auth_type, as there is no module ad01 listed in the "authenticate" section. auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Thanks Jason -- Jason Traeden Network Engineer Overstock.com 6350 South 3000 East Salt Lake City, UT 84121 jtraeden@overstock.com Desk 801-947-3889 Cell 801-699-1379
Jason Traeden wrote:
I am running freeradius version 2.0.4 and using LDAP against Active Directory. When I have a single LDAP server setup my authentication works great. I am having trouble using the redundant ldap settings. ... authenticate { ... Auth-Type LDAP {
If many people are setting redundant LDAP modules *inside* of Auth-Type LDAP, and *not* referencing the module elsewhere, that can be done. Try the attached patch. If it works, I'll commit it. Alan DeKok.
On 5/2/08 9:45 AM, "Alan DeKok" <aland@deployingradius.com> wrote:
Jason Traeden wrote:
I am running freeradius version 2.0.4 and using LDAP against Active Directory. When I have a single LDAP server setup my authentication works great. I am having trouble using the redundant ldap settings. ... authenticate { ... Auth-Type LDAP {
If many people are setting redundant LDAP modules *inside* of Auth-Type LDAP, and *not* referencing the module elsewhere, that can be done.
Try the attached patch. If it works, I'll commit it.
Alan DeKok. Index: src/modules/rlm_ldap/rlm_ldap.c =================================================================== RCS file: /source/radiusd/src/modules/rlm_ldap/rlm_ldap.c,v retrieving revision 1.194 diff -u -r1.194 rlm_ldap.c --- src/modules/rlm_ldap/rlm_ldap.c 17 Apr 2008 07:59:21 -0000 1.194 +++ src/modules/rlm_ldap/rlm_ldap.c 2 May 2008 15:49:06 -0000 @@ -456,6 +456,12 @@ */ if (inst->set_auth_type) { DICT_VALUE *dv = dict_valbyname(PW_AUTH_TYPE, xlat_name); + + /* + * No section of *my* name, but maybe there's an + * LDAP section... + */ + if (!dv) dv = dict_valbyname(PW_AUTH_TYPE, "LDAP"); if (!dv) { DEBUG2("rlm_ldap: Over-riding set_auth_type, as there is no module %s listed in the \"authenticate\" section.", xlat_name); inst->set_auth_type = 0; - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ok I patched my box with this ldap.c.diff and I still have the same results. Thanks Jason
That did not work ether. Is there a better way to achieve ldap redundancy? I have attached the log output from when I started radiusd -X and the login failure. Thanks Jason On 5/2/08 11:45 AM, "Alan DeKok" <aland@deployingradius.com> wrote:
Jason Traeden wrote: ..
Ok I patched my box with this ldap.c.diff and I still have the same results.
Hmm... the same error messages?
Try this. I think this one should work...
Alan DeKok. Index: src/modules/rlm_ldap/rlm_ldap.c =================================================================== RCS file: /source/radiusd/src/modules/rlm_ldap/rlm_ldap.c,v retrieving revision 1.194 diff -u -r1.194 rlm_ldap.c --- src/modules/rlm_ldap/rlm_ldap.c 17 Apr 2008 07:59:21 -0000 1.194 +++ src/modules/rlm_ldap/rlm_ldap.c 2 May 2008 17:49:49 -0000 @@ -160,6 +160,7 @@ #endif int ldap_debug; /* Debug flag for LDAP SDK */ char *xlat_name; /* name used to xlat */ + char *auth_type; char *tls_cacertfile; char *tls_cacertdir; char *tls_certfile; @@ -456,9 +457,17 @@ */ if (inst->set_auth_type) { DICT_VALUE *dv = dict_valbyname(PW_AUTH_TYPE, xlat_name); + + /* + * No section of *my* name, but maybe there's an + * LDAP section... + */ + if (!dv) dv = dict_valbyname(PW_AUTH_TYPE, "LDAP"); if (!dv) { DEBUG2("rlm_ldap: Over-riding set_auth_type, as there is no module %s listed in the \"authenticate\" section.", xlat_name); inst->set_auth_type = 0; + } else { + inst->auth_type = dv->name; /* doesn't change on HUP */ } } /* else no need to look up the value */
@@ -1696,8 +1705,8 @@ request->password && (request->password->attribute == PW_USER_PASSWORD) && !added_known_password) { - pairadd(check_pairs, pairmake("Auth-Type", inst->xlat_name, T_OP_EQ)); - DEBUG("rlm_ldap: Setting Auth-Type = %s", inst->xlat_name); + pairadd(check_pairs, pairmake("Auth-Type", inst->auth_type, T_OP_EQ)); + DEBUG("rlm_ldap: Setting Auth-Type = %s", inst->auth_type); }
DEBUG("rlm_ldap: user %s authorized to use remote access", - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jason Traeden wrote:
That did not work ether. Is there a better way to achieve ldap redundancy?
Force Auth-Type = LDAP. But it would be best to have this required in as few situations as possible.
I have attached the log output from when I started radiusd -X and the login failure.
rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section. So... you don't have: authenticate { ... Auth-Type LDAP { redundant { ad01 ad02 } } ... } Alan DeKok.
On 5/2/08 12:45 PM, "Alan DeKok" <aland@deployingradius.com> wrote:
Jason Traeden wrote:
That did not work ether. Is there a better way to achieve ldap redundancy?
Force Auth-Type = LDAP. But it would be best to have this required in as few situations as possible.
I have attached the log output from when I started radiusd -X and the login failure.
rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section.
So... you don't have:
authenticate { ... Auth-Type LDAP { redundant { ad01 ad02 } } ... } So I do have the authenticate section authenticate { Auth-Type LDAP { redundant { ad01 ad02 } }
And I still get the following errors rlm_ldap: Over-riding set_auth_type, as there is no module ad02 listed in the "authenticate" section. rlm_ldap: Over-riding set_auth_type, as there is no module ad01 listed in the "authenticate" section. It is acting like the modules ad01 and ad02 are not loading right. Thanks Jason
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jason Traeden wrote: ...
So I do have the authenticate section authenticate { ... And I still get the following errors rlm_ldap: Over-riding set_auth_type, as there is no module ad02 listed in the "authenticate" section.
That I can almost understand. But it *also* giving the same complaint about "no module ldap...", which *is* listed.
rlm_ldap: Over-riding set_auth_type, as there is no module ad01 listed in the "authenticate" section.
It is acting like the modules ad01 and ad02 are not loading right.
Yes. Give me some time to set up a local LDAP system, and I'll test it myself... Alan DeKok.
Ok, I got it working using the second patch you sent out rlm_ldap.c.diff and the following config it works. authorize { redundant { ad01 { fail = 1 ok = return } ad02 { fail = 1 ok = return } } files } authenticate { Auth-Type LDAP { redundant { ad01 { fail = 1 ok = return } ad02 { fail = 1 ok = return } } } } DEFAULT Ldap-Group == "CN=g.acl.neteng,OU=Groups,OU=OSTK_Accounts,DC=overstock,DC=com" Auth-Type := Accept, What I found that was causing the errors rlm_ldap: Over-riding set_auth_type, as there is no module ad02 listed in the "authenticate" section. Was in my users files I was using DEFAULT ad02-Ldap-Group == ..... And I was instantiate the module ad02 Once I stopped instantiate module ad02 and only uses Ldap-Group == .... Along with the second patch it worked. Will this patch get incorporated in future releases? Thanks for all your help. Jason -- Jason Traeden Network Engineer Overstock.com 6350 South 3000 East Salt Lake City, UT 84121 jtraeden@overstock.com Desk 801-947-3889 Cell 801-699-1379 On 5/3/08 2:13 AM, "Alan DeKok" <aland@deployingradius.com> wrote:
Jason Traeden wrote: ...
So I do have the authenticate section authenticate { ... And I still get the following errors rlm_ldap: Over-riding set_auth_type, as there is no module ad02 listed in the "authenticate" section.
That I can almost understand. But it *also* giving the same complaint about "no module ldap...", which *is* listed.
rlm_ldap: Over-riding set_auth_type, as there is no module ad01 listed in the "authenticate" section.
It is acting like the modules ad01 and ad02 are not loading right.
Yes. Give me some time to set up a local LDAP system, and I'll test it myself...
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Jason Traeden