Freeradius - LDAP Authenication

Simon Barnes simon.barnes at marymount.edu
Fri Aug 5 17:12:26 CEST 2005


Hi All,

 

I'm rather new to radius and especially freeradius. I have the following
need. Cisco VPN needs to authenticate users against a Radius server, which
in turn needs to proxy the user authentication to our Sun One Iplanet LDAP
server (running on another machine). I have the vpn talking successfully to
freeradius, but I cannot get the onward connection to the LDAP to work. I
have validated that the server running freeradius is able to talk to the
ldap by using ldapsearch.


The config I am using is based upon the ldap_howto.txt under /docs.

 

I have searched the mailing list but to no avail. 



 

Many Thanks in advance

 

Simon Barnes

 

What follows is the radiusd output and the radius.conf

 

Radiusd Output

 

bash-3.00# /usr/local/sbin/radiusd  -X -A 

Starting - reading configuration files ...

reread_config:  reading radiusd.conf

Config:   including file: /usr/local/etc/raddb/proxy.conf

Config:   including file: /usr/local/etc/raddb/clients.conf

 main: prefix = "/usr/local"

 main: localstatedir = "/usr/local/var"

 main: logdir = "/usr/local/var/log/radius"

 main: libdir = "/usr/local/lib"

 main: radacctdir = "/usr/local/var/log/radius/radacct"

 main: hostname_lookups = no

 main: max_request_time = 30

 main: cleanup_delay = 5

 main: max_requests = 512

 main: delete_blocked_requests = 0

 main: port = 0

 main: allow_core_dumps = no

 main: log_stripped_names = no

 main: log_file = "/usr/local/var/log/radius/radius.log"

 main: log_auth = no

 main: log_auth_badpass = no

 main: log_auth_goodpass = no

 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"

 main: user = "(null)"

 main: group = "(null)"

 main: usercollide = no

 main: lower_user = "no"

 main: lower_pass = "no"

 main: nospace_user = "no"

 main: nospace_pass = "no"

 main: checkrad = "/usr/local/sbin/checkrad"

 main: proxy_requests = yes

 proxy: retry_delay = 5

 proxy: retry_count = 3

 proxy: synchronous = no

 proxy: default_fallback = yes

 proxy: dead_time = 120

 proxy: post_proxy_authorize = yes

 proxy: wake_all_if_all_dead = no

 security: max_attributes = 200

 security: reject_delay = 1

 security: status_server = no

 main: debug_level = 0

read_config_files:  reading dictionary

read_config_files:  reading naslist

Using deprecated naslist file.  Support for this will go away soon.

read_config_files:  reading clients

read_config_files:  reading realms

radiusd:  entering modules setup

Module: Library search path is /usr/local/lib

Module: Loaded expr 

Module: Instantiated expr (expr) 

Module: Loaded LDAP 

 ldap: server = "198.100.0.18"

 ldap: port = 389

 ldap: net_timeout = 1

 ldap: timeout = 4

 ldap: timelimit = 3

 ldap: identity = "cn=directory manager"

 ldap: tls_mode = no

 ldap: start_tls = no

 ldap: tls_cacertfile = "(null)"

 ldap: tls_cacertdir = "(null)"

 ldap: tls_certfile = "(null)"

 ldap: tls_keyfile = "(null)"

 ldap: tls_randfile = "(null)"

 ldap: tls_require_cert = "allow"

 ldap: password = "c0ntr01m3"

 ldap: basedn = "o=marymount.edu,o=marymount.edu"

 ldap: filter = "(&(objectClass=aRadiusAccount)(uid=%u))"

 ldap: base_filter = "(objectclass=radiusprofile)"

 ldap: default_profile = "(null)"

 ldap: profile_attribute = "(null)"

 ldap: password_header = "{clear}"

 ldap: password_attribute = "userPassword"

 ldap: access_attr = "(null)"

 ldap: groupname_attribute = "cn"

 ldap: groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupO
fUniqueNames)(uniquemember=%{Ldap-UserDn})))"

 ldap: groupmembership_attribute = "(null)"

 ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap"

 ldap: ldap_debug = 0

 ldap: ldap_connections_number = 5

 ldap: compare_check_items = no

 ldap: access_attr_used_for_allow = yes

 ldap: do_xlat = yes

rlm_ldap: Registering ldap_groupcmp for Ldap-Group

rlm_ldap: Registering ldap_xlat with xlat_name ldap

rlm_ldap: reading ldap<->radius mappings from file
/usr/local/etc/raddb/ldap.attrmap

rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$

rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$

rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type

rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use

rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id

rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id

rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password

rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password

rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT

rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration

rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type

rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol

rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address

rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask

rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route

rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing

rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id

rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU

rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression

rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host

rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service

rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port

rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number

rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id

rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network

rlm_ldap: LDAP radiusClass mapped to RADIUS Class

rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout

rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout

rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action

rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service

rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node

rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group

rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
Framed-AppleTalk-Link

rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network

rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
Framed-AppleTalk-Zone

rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit

rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port

conns: 0x788780

Module: Instantiated ldap (ldap) 

Module: Loaded preprocess 

 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"

 preprocess: hints = "/usr/local/etc/raddb/hints"

 preprocess: with_ascend_hack = no

 preprocess: ascend_channels_per_line = 23

 preprocess: with_ntdomain_hack = no

 preprocess: with_specialix_jetstream_hack = no

 preprocess: with_cisco_vsa_hack = no

Module: Instantiated preprocess (preprocess) 

Module: Loaded realm 

 realm: format = "suffix"

 realm: delimiter = "@"

 realm: ignore_default = no

 realm: ignore_null = no

Module: Instantiated realm (suffix) 

Listening on authentication *:1812

Listening on accounting *:1813

Listening on proxy *:1814

Ready to process requests.

rad_recv: Access-Request packet from host 38.118.63.2:1158, id=44, length=71

        User-Name = "testuser"

        User-Password = "******"

        Vendor-3076-Attr-32 = 0x00000004

        NAS-IP-Address = 38.118.63.2

        NAS-Port-Type = Virtual

  Processing the authorize section of radiusd.conf

modcall: entering group authorize for request 0

  modcall[authorize]: module "preprocess" returns ok for request 0

    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL

    rlm_realm: Found realm "NULL"

    rlm_realm: Adding Stripped-User-Name = "testuser"

    rlm_realm: Proxying request from user testuser to realm NULL

    rlm_realm: Adding Realm = "NULL"

    rlm_realm: Authentication realm is LOCAL.

  modcall[authorize]: module "suffix" returns noop for request 0

rlm_ldap: - authorize

rlm_ldap: performing user authorization for testuser

radius_xlat:  '(&(objectClass=aRadiusAccount)(uid=testuser))'

radius_xlat:  'o=marymount.edu,o=marymount.edu'

rlm_ldap: ldap_get_conn: Checking Id: 0

rlm_ldap: ldap_get_conn: Got Id: 0

rlm_ldap: attempting LDAP reconnection

rlm_ldap: (re)connect to 198.100.0.18:389, authentication 0

rlm_ldap: bind as cn=account mgr/********* to 198.100.0.18:389

rlm_ldap: cn=directory manager bind to 198.100.0.18:389 failed: Can't
contact LDAP server

rlm_ldap: (re)connection attempt failed

rlm_ldap: search failed

rlm_ldap: ldap_release_conn: Release Id: 0

  modcall[authorize]: module "ldap" returns fail for request 0

modcall: group authorize returns fail for request 0

Finished request 0

Going to the next request

--- Walking the entire request list ---

Waking up in 6 seconds...

rad_recv: Access-Request packet from host 38.118.63.2:1158, id=44, length=71

Discarding duplicate request from client vpn:1158 - ID: 44

--- Walking the entire request list ---

Waking up in 2 seconds...

--- Walking the entire request list ---

Cleaning up request 0 ID 44 with timestamp 42f37a00

Nothing to do.  Sleeping until we see a request.

 

 

 

Radius.conf

 

prefix = /usr/local

exec_prefix = ${prefix}

sysconfdir = ${prefix}/etc

localstatedir = ${prefix}/var

sbindir = ${exec_prefix}/sbin

logdir = ${localstatedir}/log/radius

raddbdir = ${sysconfdir}/raddb

radacctdir = ${logdir}/radacct

 

#  Location of config and logfiles.

confdir = ${raddbdir}

run_dir = ${localstatedir}/run/radiusd

log_file = ${logdir}/radius.log

libdir = ${exec_prefix}/lib

pidfile = ${run_dir}/radiusd.pid

 

#user = nobody

#group = nobody

 

max_request_time = 30

delete_blocked_requests = no

cleanup_delay = 5

max_requests = 512 

bind_address = *

port = 0

hostname_lookups = no

allow_core_dumps = no

regular_expressions     = yes

extended_expressions    = yes

log_stripped_names = no

log_auth = no

log_auth_badpass = no

log_auth_goodpass = no

usercollide = no

lower_user = no

lower_pass = no

nospace_user = no

nospace_pass = no

 

#  The program to execute to do concurrency checks.

checkrad = ${sbindir}/checkrad

 

security {

        max_attributes = 200

        reject_delay = 1

        status_server = no

}

 

proxy_requests  = yes

$INCLUDE  ${confdir}/proxy.conf

 

$INCLUDE  ${confdir}/clients.conf

 

thread pool {

        start_servers = 5

        max_servers = 32

        min_spare_servers = 3

        max_spare_servers = 10

        max_requests_per_server = 0

}

 

modules {

        

        ldap {

                server = "198.100.0.18"

                identity = "cn=account mgr"

                password = ********* 

                basedn = "o=marymount.edu,o=marymount.edu"

                #filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

                #filter   = "(posixAccount)(uid=%u))"

                filter = "(&(objectClass=aRadiusAccount)(uid=%u))"

                # base_filter = "(objectclass=radiusprofile)"

 

                start_tls = no

                # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"

                # profile_attribute = "radiusProfileDn"

                #access_attr = "dialupAccess"

                dictionary_mapping = ${raddbdir}/ldap.attrmap

                ldap_connections_number = 5

                password_header = "{clear}"

                 password_attribute = userPassword

                # groupname_attribute = cn

                # groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(obje

ctClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"

                # groupmembership_attribute = radiusGroupName

                timeout = 4

                timelimit = 3

                net_timeout = 1

                compare_check_items = no

                # access_attr_used_for_allow = yes

        }

 

 

        realm suffix {

                format = suffix

                delimiter = "@"

                ignore_default = no

                ignore_null = no

        }

 

        preprocess {

                huntgroups = ${confdir}/huntgroups

                hints = ${confdir}/hints

                with_ascend_hack = no

                ascend_channels_per_line = 23

                with_ntdomain_hack = no

                with_specialix_jetstream_hack = no

                with_cisco_vsa_hack = no

        }

        

        files {

                usersfile = ${confdir}/users

                acctusersfile = ${confdir}/acct_users

                preproxy_usersfile = ${confdir}/preproxy_users

                compat = no

        }

 

        always fail {

                rcode = fail

        }

        always reject {

                rcode = reject

        }

        always ok {

                rcode = ok

                simulcount = 0

                mpp = no

        }

 

        expr {

        }

}

instantiate {

        expr

}

        

authorize {

        preprocess

        suffix

        ldap

}

 

authenticate {

        authtype LDAP {

                        ldap

        }

}

preacct {

        preprocess

        suffix

}

 

accounting {

        #radutmp

        #sradutmp

 

}

 

 

 

Simon Barnes

System Administrator

Marymount University

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20050805/e696c04f/attachment.html>


More information about the Freeradius-Users mailing list