using ldap, sql and pam for user authentication
Markus Krause
krause at biochem.mpg.de
Wed Nov 2 13:45:14 CET 2005
hi all!
i want to configure the freeradius server (1.0.5) to use ldap, sql and pam as
sources for user authentication. i only get the first two to work at the same
time (ldap and sql), but not together with pam.
if i use this in /etc/raddb/users:
##### users
wlan Auth-Type = EAP
testuser Auth-Type := Local, User-Password == "secret"
------
all users in ldap and sql (and of course the "testusers" in the "users" file) can
be authorized, but users in pam cannot; radiusd says:
##### radiusd debug output
auth: No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
auth: Failed to validate the user.
-----
with the following in /etc/raddb/users:
##### users
DEFAULT Auth-Type = Pam
	Fall-Through = Yes
wlan Auth-Type = EAP
testuser Auth-Type := Local, User-Password == "secret"
-----
users in pam get an access-accept message, but not those in ldap and sql (nor
the "testuser" in "users").
the debug output for a user in sql says:
##### radiusd debug output (only "important parts" as i assume)
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
users: Matched entry DEFAULT at line 1
modcall[authorize]: module "files" returns ok for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nig49594
radius_xlat: '(uid=nig49594)'
radius_xlat: 'dc=mogli,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=mogli,dc=de, with filter (uid=nig49594)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns notfound for request 6
radius_xlat: 'nig49594'
rlm_sql (sql): sql_set_user escaped user --> 'nig49594'
[snipp sql queries]
rlm_sql (sql): Released sql socket id: 2
modcall[authorize]: module "sql" returns ok for request 6
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: (Check item - counter) is greater than zero
rlm_sqlcounter: Authorized user nig49594, check_item=1, counter=0
rlm_sqlcounter: Sent Reply-Item for user nig49594, Type=Session-Timeout, value=1
modcall[authorize]: module "onedayaccounts" returns ok for request 6
modcall: group authorize returns ok for request 6
rad_check_password: Found Auth-Type Pam
auth: type "PAM"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
pam_pass: using pamauth string <radiusd> for pam.conf lookup
pam_pass: function pam_authenticate FAILED for <nig49594>. Reason: User not known to the underlying authentication module
modcall[authenticate]: module "pam" returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
-----
same for an ldap user:
##### radiusd debug output (snipped again)
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ldapuser
radius_xlat: '(uid=ldapuser)'
radius_xlat: 'dc=mogli,dc=de'
[snipp]
rlm_ldap: user ldapuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
radius_xlat: 'ldapuser'
rlm_sql (sql): sql_set_user escaped user --> 'ldapuser'
[snipp]
rlm_sql (sql): User ldapuser not found in radcheck
rlm_sql (sql): User ldapuser not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns notfound for request 0
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
modcall[authorize]: module "onedayaccounts" returns noop for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type Pam
auth: type "PAM"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
pam_pass: using pamauth string <radiusd> for pam.conf lookup
pam_pass: function pam_authenticate FAILED for <ldapuser>. Reason: User not known to the underlying authentication module
modcall[authenticate]: module "pam" returns reject for request 0
modcall: group authenticate returns reject for request 0
auth: Failed to validate the user.
Login incorrect: [ldapuser] (from client wlan port 0)
-----
it seems that pam returns "reject" if a user is not found by pam, while sql and
ldap return "notfound".
how can i set up the pam part to return "notfound" and not overwrite the "ok"
returned by the other modules?
thanx in advance for your help!
regards
markus
--
Markus Krause email: krause at biochem.mpg.de
Computing Center Tel.: 089 - 89 40 85 99
Group Lottspeich / Proteomics Fax.: 089 - 89 40 85 98