eDirectory Issues
Sayantan Bhowmick
sbhowmick at novell.com
Wed Jul 13 08:31:25 CEST 2005
Hi,
Comments inlined.
On Tue, 2005-07-12 at 11:15 -0700, jp at joshmp.com wrote:
> I apologize in advance, but I am new to FreeRADIUS and RADIUS in
> general.
>
> Here is my setup:
> - Server with FreeRADIUS 1.0.4 --with-edir on FreeBSD 4.11
> - Server with NetWare 6.5.4
>
> Here is what I am trying to accomplish:
> - Get FreeRADIUS to authenticate VPN users (Cisco VPN Concentrator) to
> LDAP database in NetWare tree.
>
> Here is what I DON'T want to do:
> - Mess with eDirectory (profiles, extending the schema, etc.)
>
> Basically, when this configuration is moved into production,
> FreeRADIUS would authenticate users whose IDs already exist in a
> complex, mature NetWare eDir tree.
> I don't want to mess with Universal Passwords, extending the schema,
> etc. I have already successfully configured the Cisco VPN Concentrator
> to authenticate users using FreeRADIUS and the UNIX users list.
> However, I can't get FreeRADIUS to successfully query the LDAP
> database on the NetWare server.
>
> I have been through Novell's documentation, but their docs include
> building RADIUS profiles, extending the schema, etc. This is something
> that I am not going to be able to do. I have also been up and down the
> web, FreeRADIUS mail lists, docs, etc. I have found threads where it is
> mentioned that you can get FreeRADIUS to authenticate users to a
> NetWare LDAP directory using cleartext, but I have not been able to do
> this myself.
>
> I would like to take this in stages:
> 1. Successfully query LDAP without security (with the assumption that
> this would be the easiest first step).
The debug output shows that FreeRADIUS is already doing this.
> 2. Get FreeRADIUS to query LDAP securely.
This also can be configured.
>
> Below you will find the following:
> - Text from radiusd.conf file
> - Output from radiusd -X
> - Text from radius.log file
>
<- Snipped,....
> # Lightweight Directory Access Protocol (LDAP)
> #
> # This module definition allows you to use LDAP for
> # authorization and authentication (Auth-Type := LDAP)
> #
> # See doc/rlm_ldap for description of configuration options
> # and sample authorize{} and authenticate{} blocks
> ldap {
> server = "10.1.1.71"
> identity = "cn=admin,o=radius"
> password = pass
> basedn = "o=radius"
> filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> base_filter = "(objectclass=radiusprofile)"
>
> # set this to 'yes' to use TLS encrypted connections
> # to the LDAP database by using the StartTLS extended
> # operation.
> # The StartTLS operation is supposed to be used with normal
> # ldap connections instead of using ldaps (port 689) connections
> start_tls = no
Set start_tls = yes for making a secure connection to eDirectory.
>
> # tls_cacertfile = /path/to/cacert.pem
Set the path to eDirectory CA cert here.
> # tls_cacertdir = /path/to/ca/dir/
> # tls_certfile = /path/to/radius.crt
> # tls_keyfile = /path/to/radius.key
> # tls_randfile = /path/to/rnd
> # tls_require_cert = "demand"
>
> # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
> # profile_attribute = "radiusProfileDn"
> # access_attr = "dialupAccess"
>
> # Mapping of RADIUS dictionary attributes to LDAP
> # directory attributes.
> dictionary_mapping = ${raddbdir}/ldap.attrmap
>
> ldap_connections_number = 5
>
> #
> # NOTICE: The password_header directive is NOT case insensitive
> #
> # password_header = "{clear}"
> #
> # Set:
> password_attribute = nspmPassword
Set password_attribute to anything other than nspmPassword, or comment
out this attribute. This will make sure FreeRADIUS does not try to read
the Universal Password.
> #
> # to get the user's password from a Novell eDirectory
> # backend. This will work *only if* freeRADIUS is
> # configured to build with --with-edir option.
> #
> #
> # The server can usually figure this out on its own, and pull
> # the correct User-Password or NT-Password from the database.
> #
> # Note that NT-Passwords MUST be stored as a 32-digit hex
> # string, and MUST start off with "0x", such as:
> #
> # 0x000102030405060708090a0b0c0d0e0f
> #
> # Without the leading "0x", NT-Passwords will not work.
> # This goes for NT-Passwords stored in SQL, too.
> #
> # password_attribute = userPassword
> #
> # Un-comment the following to disable Novell eDirectory account
> # policy check and intruder detection. This will work *only if*
> # FreeRADIUS is configured to build with --with-edir option.
> #
> edir_account_policy_check=yes
> #
> # groupname_attribute = cn
> # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
> # groupmembership_attribute = radiusGroupName
> timeout = 4
> timelimit = 3
> net_timeout = 1
> # compare_check_items = yes
> # do_xlat = yes
> # access_attr_used_for_allow = yes
> }
>
<-Snipped....
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1:2302, id=75, length=57
> User-Name = "admin"
> User-Password = "pass"
> NAS-IP-Address = 255.255.255.255
> NAS-Port = 10
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> modcall[authorize]: module "chap" returns noop for request 0
> modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: No '@' in User-Name = "admin", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 0
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 0
> users: Matched entry DEFAULT at line 152
> modcall[authorize]: module "files" returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for admin
> radius_xlat: '(uid=admin)'
> radius_xlat: 'o=radius'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 10.1.1.71:389, authentication 0
> rlm_ldap: bind as cn=admin,o=radius/pass to 10.1.1.71:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in o=radius, with filter (uid=admin)
As you can see, FreeRADIUS is already querying eDirectory for user
information.
> rlm_ldap: Error reading Universal Password.Return Code = 80
See comments on password_attribute.
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user admin authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for request 0
> modcall: group authorize returns ok for request 0
> rad_check_password: Found Auth-Type System
The Auth-Type is set to System. I reckon this is done by one of the
default entries in the users file. What is the authentication mechanism
you want to use? If you want to use authentication methods like CHAP,
MS-CHAP, EAP etc., you will have to enable Universal Password. However,
if you just want to authenticate against eDirectory with a plain text
password, then you need not read Universal Password. You must enable the
ldap module in the authenticate section.
> auth: type "System"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> modcall[authenticate]: module "unix" returns notfound for request 0
> modcall: group authenticate returns notfound for request 0
> auth: Failed to validate the user.
> Processing the post-auth section of radiusd.conf
> modcall: entering group Post-Auth-Type for request 0
> modcall[post-auth]: module "ldap" returns noop for request 0
> modcall: group Post-Auth-Type returns noop for request 0
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 75 to 127.0.0.1:2302
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 75 with timestamp 42d39d5d
> Nothing to do. Sleeping until we see a request.
> -----END RADIUSD DEBUG-----
>
> The line that I find disturbing is the "error reading Universal
> Password" line.
> I assume that I must edit my config in some way so that FreeRADIUS is
> not attempting to read a Universal Password, or somehow tells NLDAP
> not to send a Universal Password.
Hope this helps.
Get back to me in case you have any further queries.
-Sayantan.
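Putting the three changes from the reply together (StartTLS with the eDirectory CA certificate, no Universal Password read, the ldap module enabled in authenticate), as an added example that is not from the original message or from the FreeRADIUS project. The server, identity, basedn and filter values are the ones quoted above; the CA certificate path and the users-file change in the note below are assumptions.

```conf
# radiusd.conf (FreeRADIUS 1.0.x), added example, not the poster's own file
modules {
    ldap {
        server = "10.1.1.71"
        identity = "cn=admin,o=radius"
        password = pass
        basedn = "o=radius"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

        # Stage 2 of the poster's plan: StartTLS on the plain port 389 and
        # verify the eDirectory server certificate against its CA.
        # The certificate path is a placeholder.
        start_tls = yes
        tls_cacertfile = /usr/local/etc/raddb/certs/edir-ca.pem
        tls_require_cert = "demand"

        # nspmPassword left commented out: rlm_ldap then does not try to read
        # the Universal Password (the "Return Code = 80" line goes away) and
        # authenticates with an LDAP bind as the user instead.
        # password_attribute = nspmPassword
        edir_account_policy_check = yes

        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
}

authorize {
    preprocess
    chap
    mschap
    suffix
    eap
    files
    ldap
}

authenticate {
    # Without this block the request falls through to "unix" and is
    # rejected, exactly as in the debug output above.
    Auth-Type LDAP {
        ldap
    }
}
```

This assumes, as the reply suggests, that the users-file DEFAULT entry matched at line 152 is what sets Auth-Type System; comment that entry out so rlm_ldap can set Auth-Type = LDAP for users it finds.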