Freeradius and LDAP : to be continued

christophe.gravier at univ-st-etienne.fr christophe.gravier at univ-st-etienne.fr
Wed Dec 14 22:17:55 CET 2005


> Christophe Gravier <christophe.gravier at univ-st-etienne.fr>wrote:
>> Removing the ldap entry, radtest no longer works of course.
>
>  Did you put "ldap" in the "authorize" section?  That would allow
> radtest to work, as I said.

Yes, I did as we said:
- put ldap (it was already there, indeed) in the authorize section.
- removed ldap from authenticate (since ldap will only be a "password
storage").
>
>> rlm_ldap: looking for check items in directory...
>
>  Can you say which LDAP server you're using?

ist-guizay:/root# /usr/sbin/slapd -V
@(#) $OpenLDAP: slapd 2.2.26 (Oct 31 2005 09:10:53) $

This is slapd package on current debian testing tree. This is a v3
openldap server, if I am right.
If I make slapd log things and then observe, this is what I get on a freeradius request:
Dec 14 21:48:03 ist-guizay slapd[31741]: conn=2 fd=10 ACCEPT from IP=161.3.50.125:1490 (IP=0.0.0.0:389)
Dec 14 21:48:03 ist-guizay slapd[31741]: conn=2 op=0 BIND dn="" method=128
Dec 14 21:48:03 ist-guizay slapd[31741]: conn=2 op=0 RESULT tag=97 err=0 text=
Dec 14 21:48:03 ist-guizay slapd[31741]: conn=2 op=1 SRCH base="ou=person,o=istase,c=fr" scope=2 deref=0 filter="(uid=gravier.christophe)"
Dec 14 21:48:03 ist-guizay slapd[31741]: conn=2 op=1 SRCH attr=radiusExpiration acctFlags ntPassword lmPassword
radiusCallingStationId radiusCalledStationId radiusSimultaneousUse eap
userPassword radiusCheckItem radiusLoginLATPort radiusPortLimit
radiusFramedAppleTalkZone radiusFramedAppleTalkNetwork
radiusFramedAppleTalkLink radiusLoginLATGroup radiusLoginLATNode
radiusLoginLATService radiusTerminationAction radiusIdleTimeout
radiusSessionTimeout radiusClass radiusFramedIPXNetwork radiusCallbackId
radiusCallbackNumber radiusLoginTCPPort radiusLoginService
radiusLoginIPHost radiusFramedCompression radiusFramedMTU radiusFilterId
radiusFramedRouting radiusFramedRoute radiusFramedIPNetmask
radiusFramedIPAddress radiusFramedProtocol radiusServiceType
radiusReplyItem userPassword
Dec 14 21:50:47 ist-guizay slapd[31741]: <= bdb_equality_candidates: (uid) index_param failed (18)
Dec 14 21:50:47 ist-guizay slapd[31741]: conn=2 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=

Whaou... person doesn't have all those attributes in my schema.
(note that this search got a result: nentries = 1!)

I edited /etc/freeradius/ldap.attr, so that now the trace is a little more
correct:
Dec 14 21:55:27 ist-guizay slapd[31741]: conn=76 op=2 SRCH base="ou=person,o=istase,c=fr" scope=2 deref=0 filter="(uid=gravier.christophe)"
Dec 14 21:55:27 ist-guizay slapd[31741]: conn=76 op=2 SRCH attr=userPassword
Dec 14 21:55:27 ist-guizay slapd[31741]: <= bdb_equality_candidates: (uid) index_param failed (18)
Dec 14 21:55:27 ist-guizay slapd[31741]: conn=76 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
(please ignore the bdb_equality_candidates).

I thought this had to do with the policy regarding access to the userPassword
field, so I gave full rights for a test via slapd.access.con: still not
good. (That sounds OK, since if it were a read/write/search/auth problem, I
would have seen it in the slapd logging.)
I think it is OK with ldap because "nentries = 1" for the search (it
finds me). The problem should be for freeradius to use that password to
match it against the one given by the user.

For authorize and authenticate I have:

authorize {
preprocess
chap
mschap
suffix
files
ldap
}


authenticate {
Auth-Type PAP {
   pap
}
unix
eap
}

As I said, I think this is freeradius related, since openldap logs that it
finds the userPassword for the given user and scope.
But I can't set freeradius to a more verbose mode to understand the problem.

I still receive:
(...)
rlm_ldap: - authorize
rlm_ldap: performing user authorization for gravier.christophe
radius_xlat:  '(uid=gravier.christophe)'
radius_xlat:  'ou=person,o=istase,c=fr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ist-guizay.univ-st-etienne.fr:389, authentication 0
rlm_ldap: bind as / to ist-guizay.univ-st-etienne.fr:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=person,o=istase,c=fr, with filter (uid=gravier.christophe)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding userPassword as User-Password, value { & op=11
rlm_ldap: user gravier.christophe authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  ERROR: Unknown value specified for Auth-Type.  Cannot perform requested action.
auth: Failed to validate the user.

When running /usr/sbin/freeradius -X -f

>
>  It is NOT returning the User-Password attribute.  My previous
> message said that the goal was for the ldap module to return the
> password in the "authorize" section.
>
>  Make that work.  radtest will work, and then everything else will
> work.
>
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
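The rlm_ldap trace above copies userPassword into User-Password with a value beginning with "{", which in OpenLDAP is normally a hash-scheme prefix such as {SSHA} rather than a cleartext password. The Python below is an added illustration, not code from this thread or from FreeRADIUS: it verifies a candidate password against RFC 2307 style userPassword values the way any authenticator holding only the stored value must, and it rejects unrecognised schemes instead of comparing them as cleartext. The directory entry and its password values are constructed for the example.

```python
import base64
import hashlib
import hmac


def make_ssha(password: str, salt: bytes) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Check candidate against an RFC 2307 userPassword value.

    Handles the forms OpenLDAP commonly stores: bare cleartext,
    {CLEAR}/{CLEARTEXT}, {SHA} and {SSHA}. Any other scheme (e.g. {CRYPT})
    returns False: an authenticator that cannot interpret the scheme must not
    fall through to a cleartext comparison, it has to use another method
    such as an LDAP bind as the user.
    """
    cand = candidate.encode()
    if not stored.startswith("{"):
        return hmac.compare_digest(stored.encode(), cand)
    scheme, _, payload = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme in ("CLEAR", "CLEARTEXT"):
        return hmac.compare_digest(payload.encode(), cand)
    if scheme == "SHA":
        return hmac.compare_digest(base64.b64decode(payload),
                                   hashlib.sha1(cand).digest())
    if scheme == "SSHA":
        raw = base64.b64decode(payload)
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
        return hmac.compare_digest(digest, hashlib.sha1(cand + salt).digest())
    return False


# Constructed entry modelled on the search in the post (uid under
# ou=person,o=istase,c=fr); the password values are made up for this example.
SAMPLE_ENTRY = {
    "dn": "uid=gravier.christophe,ou=person,o=istase,c=fr",
    "ssha": make_ssha("example-pw", b"\x01\x02\x03\x04"),
    "sha": "{SHA}" + base64.b64encode(hashlib.sha1(b"example-pw").digest()).decode(),
    "crypt": "{CRYPT}$1$notreally$hashvalue",  # unsupported here on purpose
}


def check_sample_entry(candidate: str) -> dict:
    """Return, per stored form, whether candidate verifies against it."""
    return {name: verify_userpassword(val, candidate)
            for name, val in SAMPLE_ENTRY.items() if name != "dn"}
```

Note that a value the authenticator cannot interpret verifies as False even for the correct password, which is exactly the situation in which a cleartext compare of the stored value can never succeed.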
