Avoiding ldapsearch on LDAP authentication
Hello, I'm running Freeradius 1.0.4 with OpenLDAP 2.2.29 on my Fedora Core 4 box and try to configure radiusd so that ldap_search is not performed on authentication (i.e. just use ldap_bind for authentication). But so far, I've got no success. Radiusd seems to perform search anyway. I've read the document doc/rlm_ldap and followed the instruction, but I couldn't get it working (I must be missing something). I configured radiusd as follows: In users: DEFAULT Ldap-UserDn := `uid=%{User-Name},ou=people,dc=atusi,dc=org`, Auth-Type = LDAP In radiusd.conf: modules { ldap { server = "localhost" ldap_debug = 0xFFFF # identity = "cn=admin,o=My Org,c=UA" # password = mypass basedn = "ou=people,dc=atusi,dc=org" # filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" # base_filter = "(objectclass=radiusprofile)" start_tls = no access_attr = "dialupAccess" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 } ... } authorize { preprocess chap mschap suffix eap files } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } Auth-Type LDAP { ldap } eap } # All other parts are left as default. When I test my setup with: (echo 'User-Name=mytestuser'; echo 'User-Password = mypassword') | radclient -c 1 127.0.0.1 auth testing123 radiusd (run with -X option) says: rad_recv: Access-Request packet from host 127.0.0.1:32791, id=183, length=43 User-Name = "mytestuser" User-Password = "mypassword" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "mytestuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 214 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 0 rlm_ldap: - authenticate rlm_ldap: login attempt by "mytestuser" with password "mypassword" radius_xlat: '(uid=mytestuser)' radius_xlat: 'ou=people,dc=atusi,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as / to localhost:389 ldap_bind ldap_simple_bind ldap_sasl_bind ldap_send_initial_request ldap_new_connection ldap_int_open_connection ldap_connect_to_host: TCP localhost:389 ldap_new_socket: 6 ldap_prepare_socket: 6 ldap_connect_to_host: Trying 127.0.0.1:389 ldap_connect_timeout: fd: 6 tm: 1 async: 0 ldap_ndelay_on: 6 ldap_is_sock_ready: 6 ldap_ndelay_off: 6 ldap_open_defconn: successful ldap_send_server_request rlm_ldap: waiting for bind result ... ldap_result msgid 1 ldap_chkResponseList for msgid=1, all=1 ldap_chkResponseList returns NULL wait4msg (timeout 4 sec, 0 usec), msgid 1 wait4msg continue, msgid 1, all 1 ** Connections: * host: localhost port: 389 (default) refcnt: 2 status: Connected last used: Tue Mar 21 13:31:12 2006 ** Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ** Response Queue: Empty ldap_chkResponseList for msgid=1, all=1 ldap_chkResponseList returns NULL ldap_int_select read1msg: msgid 1, all 1 ldap_read: message type bind msgid 1, original id 1 new result: res_errno: 0, res_error: <>, res_matched: <> read1msg: 0 new referrals read1msg: mark request completed, id = 1 request 1 done res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_free_connection ldap_free_connection: refcnt 1 ldap_parse_result ldap_msgfree rlm_ldap: Bind was successful rlm_ldap: performing search in ou=people,dc=atusi,dc=org, with filter (uid=mytestuser) ldap_search put_filter: "(uid=mytestuser)" put_filter: simple put_simple_filter: "uid=mytestuser" ldap_send_initial_request ldap_send_server_request ldap_result msgid 2 ldap_chkResponseList for msgid=2, all=1 ldap_chkResponseList returns NULL wait4msg (timeout 4 sec, 0 usec), msgid 2 wait4msg continue, msgid 2, all 1 ** Connections: * host: localhost port: 389 (default) refcnt: 2 status: Connected last used: Tue Mar 21 13:31:12 2006 ** Outstanding Requests: * msgid 2, origid 2, status InProgress outstanding referrals 0, parent count 0 ** Response Queue: Empty ldap_chkResponseList for msgid=2, all=1 ldap_chkResponseList returns NULL ldap_int_select read1msg: msgid 2, all 1 ldap_read: message type search-result msgid 2, original id 2 new result: res_errno: 0, res_error: <>, res_matched: <> read1msg: 0 new referrals read1msg: mark request completed, id = 2 request 2 done res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 2, msgid 2) ldap_free_connection ldap_free_connection: refcnt 1 ldap_parse_result rlm_ldap: object not found or got ambiguous search result ldap_msgfree rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authenticate]: module "ldap" returns notfound for request 0 modcall: group Auth-Type returns notfound for request 0 auth: Failed to validate the user. According to the log lines: rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as / to localhost:389 I guessed (by reading rlm_ldap.c) Ldap-UserDn valuepair is not passed to ldap_authenticate() for some reason. I tried to write `Ldap-UserDn := ...' as reply item of the DEFAULT entry in users file but in that case radiusd says: WARNING! Check item "Ldap-UserDn" ?found in reply item list for user "DEFAULT". ?This attribute MUST go on the first line with the other check items and still got the same result. I also tried in radiusd.conf: modules { ldap { identity = "%{Ldap-UserDN}" password = `%{User-Password}` ... } } but these attributes are not xlated and passed to LDAP as they are. Any clues would be greately appreciated.
Hello, It is my understanding that Freeradius uses Ldap search in order to authenticate users and that the Ldap bind is used to point to the location where the search will be done at the Ldap server. I am using FR 1.1.0 but I think it is similar configuration in your FR version. #users file DEFAULT Auth-Type := LDAP Fall-Through = 1
rlm_ldap: object not found or got ambiguous search result Check your basedn in raddiusd.conf
For debugging I recommend you to use Ethereal. It is very useful. Natalia. On 21 Mar 2006 14:29:22 +0900, MAEDA <maeda-freeradius@atusi.org> wrote:
Hello,
I'm running Freeradius 1.0.4 with OpenLDAP 2.2.29 on my Fedora Core 4 box and try to configure radiusd so that ldap_search is not performed on authentication (i.e. just use ldap_bind for authentication). But so far, I've got no success. Radiusd seems to perform search anyway.
I've read the document doc/rlm_ldap and followed the instruction, but I couldn't get it working (I must be missing something).
I configured radiusd as follows:
In users:
DEFAULT Ldap-UserDn := `uid=%{User-Name},ou=people,dc=atusi,dc=org`, Auth-Type = LDAP
In radiusd.conf: modules {
ldap { server = "localhost" ldap_debug = 0xFFFF # identity = "cn=admin,o=My Org,c=UA" # password = mypass basedn = "ou=people,dc=atusi,dc=org" # filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" # base_filter = "(objectclass=radiusprofile)"
start_tls = no
access_attr = "dialupAccess"
ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 } ... }
authorize { preprocess chap mschap suffix eap files }
authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } Auth-Type LDAP { ldap } eap }
# All other parts are left as default.
When I test my setup with: (echo 'User-Name=mytestuser'; echo 'User-Password = mypassword') | radclient -c 1 127.0.0.1 auth testing123 radiusd (run with -X option) says:
rad_recv: Access-Request packet from host 127.0.0.1:32791, id=183, length=43 User-Name = "mytestuser" User-Password = "mypassword" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "mytestuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 214 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 0 rlm_ldap: - authenticate rlm_ldap: login attempt by "mytestuser" with password "mypassword" radius_xlat: '(uid=mytestuser)' radius_xlat: 'ou=people,dc=atusi,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as / to localhost:389 ldap_bind ldap_simple_bind ldap_sasl_bind ldap_send_initial_request ldap_new_connection ldap_int_open_connection ldap_connect_to_host: TCP localhost:389 ldap_new_socket: 6 ldap_prepare_socket: 6 ldap_connect_to_host: Trying 127.0.0.1:389 ldap_connect_timeout: fd: 6 tm: 1 async: 0 ldap_ndelay_on: 6 ldap_is_sock_ready: 6 ldap_ndelay_off: 6 ldap_open_defconn: successful ldap_send_server_request rlm_ldap: waiting for bind result ... ldap_result msgid 1 ldap_chkResponseList for msgid=1, all=1 ldap_chkResponseList returns NULL wait4msg (timeout 4 sec, 0 usec), msgid 1 wait4msg continue, msgid 1, all 1 ** Connections: * host: localhost port: 389 (default) refcnt: 2 status: Connected last used: Tue Mar 21 13:31:12 2006
** Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ** Response Queue: Empty ldap_chkResponseList for msgid=1, all=1 ldap_chkResponseList returns NULL ldap_int_select read1msg: msgid 1, all 1 ldap_read: message type bind msgid 1, original id 1 new result: res_errno: 0, res_error: <>, res_matched: <> read1msg: 0 new referrals read1msg: mark request completed, id = 1 request 1 done res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_free_connection ldap_free_connection: refcnt 1 ldap_parse_result ldap_msgfree rlm_ldap: Bind was successful rlm_ldap: performing search in ou=people,dc=atusi,dc=org, with filter (uid=mytestuser) ldap_search put_filter: "(uid=mytestuser)" put_filter: simple put_simple_filter: "uid=mytestuser" ldap_send_initial_request ldap_send_server_request ldap_result msgid 2 ldap_chkResponseList for msgid=2, all=1 ldap_chkResponseList returns NULL wait4msg (timeout 4 sec, 0 usec), msgid 2 wait4msg continue, msgid 2, all 1 ** Connections: * host: localhost port: 389 (default) refcnt: 2 status: Connected last used: Tue Mar 21 13:31:12 2006
** Outstanding Requests: * msgid 2, origid 2, status InProgress outstanding referrals 0, parent count 0 ** Response Queue: Empty ldap_chkResponseList for msgid=2, all=1 ldap_chkResponseList returns NULL ldap_int_select read1msg: msgid 2, all 1 ldap_read: message type search-result msgid 2, original id 2 new result: res_errno: 0, res_error: <>, res_matched: <> read1msg: 0 new referrals read1msg: mark request completed, id = 2 request 2 done res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 2, msgid 2) ldap_free_connection ldap_free_connection: refcnt 1 ldap_parse_result rlm_ldap: object not found or got ambiguous search result ldap_msgfree rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authenticate]: module "ldap" returns notfound for request 0 modcall: group Auth-Type returns notfound for request 0 auth: Failed to validate the user.
According to the log lines: rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as / to localhost:389 I guessed (by reading rlm_ldap.c) Ldap-UserDn valuepair is not passed to ldap_authenticate() for some reason.
I tried to write `Ldap-UserDn := ...' as reply item of the DEFAULT entry in users file but in that case radiusd says: WARNING! Check item "Ldap-UserDn" ?found in reply item list for user "DEFAULT". ?This attribute MUST go on the first line with the other check items and still got the same result.
I also tried in radiusd.conf: modules { ldap { identity = "%{Ldap-UserDN}" password = `%{User-Password}` ... } } but these attributes are not xlated and passed to LDAP as they are.
Any clues would be greately appreciated. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks for the reply. On 3/21/06, Natalia Escalera <nescalera@gmail.com> wrote:
It is my understanding that Freeradius uses Ldap search in order to authenticate users and that the Ldap bind is used to point to the location where the search will be done at the Ldap server.
Well, I'll quote from doc/rlm_ldap: : When rlm_ldap has found the DN corresponding to the username provided in the : access-request (all this happens in the authorize section) it will add an : Ldap-UserDN attribute in the check items list containing that DN. The attribute : will be searched for in the authenticate section and if present will be used for : authentication (ldap bind with the user DN/password). Otherwise a search will : be performed to find the user dn. If the administrator wishes to use rlm_ldap : only for authentication or does not wish to populate the identity,password : configuration attributes he can set this attribute by other means and avoid the : ldap search completely. For instance it can be set through the users file in the : authorize section: : : DEFAULT Ldap-UserDN := `uid=%{User-Name},ou=people,dc=company,dc=com` So, my understanding is that: 1. For authentication, Ldap-UserDn must be filled. If bind with that DN succeeds, authentication succeeds. 2. Ldap-UserDn can be filled in authorization phase, either via ldap search, or in users file (like in the document above). In the source file rlm_ldap.c, in the function ldap_authenticate(), if pairfind(request->packet->vps, PW_LDAP_USERDN) returns non-NULL, FR does no search and try ldap_connect with the DN found. If ldap_connect succeeeds, ldap_authenticate returns ok. (vps means `value pairs' that represents list of variable-value pairs, I guess.) If pairfind() returns NULL, FR invokes perform_search() using DN, password, and filter given in radiusd.conf, and search for user DN. So far, so good. What I don't understand is that why Ldap-UserDn I wrote in users file is not passed to ldap_authenticate() (i.e. why pairfind() returns NULL).
rlm_ldap: object not found or got ambiguous search result Check your basedn in raddiusd.conf
Thanks, but I think the error is because FR binds anonymously. (And I don't want to allow anonymous search for LDAP directory). --maeda
Hello all, I had inserted some debugging trace in FR-1.1.0 source and I think I finally figured out the probelm. But I'm not sure how to fix it. The problem is ldap_authenticate() does not look at check items (nor reply items) set in users file. So seting Ldap-UserDn in users file causes no effect at all. I have made a patch (against 1.1.0 source). But since I'm very new (~1week) to Freeradius, I'm not sure this is the correct way to fix the problem. Anyway, I'll enclose the patch. (Is this more appropriate in freeradius-dev list?) --maeda
participants (3)
-
MAEDA -
MAEDA Atusi -
Natalia Escalera