rlm_ldap won't authenticate

monish ar monish.ar at gmail.com
Mon Apr 3 21:21:26 CEST 2006


I've tried to authenticate to an LDAP server through RADIUS using the
rlm_ldap module. I'm using FreeRADIUS 1.1.0 with OpenLDAP 2.1.8 with a
bdb backend. The problem is that the rlm_ldap module binds successfully
for an authentication request in the authorization section, but fails to
bind when it's trying to authenticate. The log for the RADIUS server is
given below along with the LDAP configuration. Please help me out.


In the client terminal, now I've tried to authenticate with user ldapuser:

[root@localhost ~]# radtest ldapuser ldapuser localhost 2 testing123
Sending Access-Request of id 119 to 127.0.0.1 port 1812
        User-Name = "ldapuser"
        User-Password = "ldapuser"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 2
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=119, length=20

On the server side, the response to the ldapuser authentication request:

rad_recv: Access-Request packet from host 127.0.0.1:32769, id=119, length=60
        User-Name = "ldapuser"
        User-Password = "ldapuser"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 2
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '/usr/local//var/log/radius/radacct/127.0.0.1/auth-detail-20060403'
rlm_detail: /usr/local//var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local//var/log/radius/radacct/127.0.0.1/auth-detail-20060403
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "ldapuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 152
    users: Matched entry DEFAULT at line 158
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ldapuser
radius_xlat:  '(uid=ldapuser)'
radius_xlat:  'ou=People,dc=example,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=ldapuser)
rlm_ldap: Added password {crypt}$1$nwby/I64$ORzJuBh4/Ec3c.FAt2oqV0 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user ldapuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "ldapuser" with password "ldapuser"
rlm_ldap: user DN: uid=ldapuser,ou=People,dc=example,dc=com
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=ldapuser,ou=People,dc=example,dc=com/ldapuser to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
  modcall[authenticate]: module "ldap" returns reject for request 0
modcall: leaving group LDAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect (rlm_ldap: Bind as user failed): [ldapuser] (from client localhost port 2)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 119 to 127.0.0.1 port 32769
Waking up in 4 seconds...



THE CONFIGURATION DETAILS REQUIRED FOR RLM_LDAP AUTHENTICATION ARE BELOW

example.com.ldif (base entries added to the LDAP database)

Dn: dc=example,dc=com
Objectclass: dcObject
Objectclass: organization
o: Example company
dc: example

dn: cn=manager,dc=example,dc=com
objectclass: organizationalRole
cn: manager

dn: ou=people,dc=example,dc=com
ou: people
description: All people in the organization
objectClass: dcObject
objectClass: organizationalUnit
dc: example

ldapuser.ldif (details of the user account for authentication added to the
LDAP database)

dn: uid=ldapuser,ou=People,dc=example,dc=com
uid: ldapuser
cn: ldapuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$nwby/I64$ORzJuBh4/Ec3c.FAt2oqV0
shadowLastChange: 13238
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 503
gidNumber: 100
homeDirectory: /home/ldapuser



radiusd.conf (LDAP MODULE)

ldap {
        server = "localhost"
        # identity = "cn=admin,o=My Org,c=UA"
        # password = mypass
        basedn = "ou=People,dc=example,dc=com"

        password_attribute = "userPassword"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # base_filter = "(objectclass=radiusprofile)"

        start_tls = no

        # tls_cacertfile  = /path/to/cacert.pem
        # tls_cacertdir         = /path/to/ca/dir/
        # tls_certfile          = /path/to/radius.crt
        # tls_keyfile           = /path/to/radius.key
        # tls_randfile          = /path/to/rnd
        # tls_require_cert      = "demand"

        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        #  access_attr = "dialupAccess"

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        ldap_connections_number = 5
        timeout = 4
        timelimit = 3

        net_timeout = 1
        # compare_check_items = yes
        # do_xlat = yes
        # access_attr_used_for_allow = yes
}

authorize {
        chap
        mschap
        eap
        files
        ldap
}

authenticate {
        Auth-Type PAP {
                pap
        }

        Auth-Type CHAP {
                chap
        }

        Auth-Type MS-CHAP {
                mschap
        }

        Unix

        Auth-Type LDAP {
                ldap
        }
}



slapd.conf (LDAP configuration)

include           /usr/local/etc/openldap/schema/core.schema
include           /usr/local/etc/openldap/schema/cosine.schema
include           /usr/local/etc/openldap/schema/nis.schema

pidfile           /usr/local/var/slapd.pid
argsfile          /usr/local/var/slapd.args

#######################################################################
# ldbm database definitions
#######################################################################

database          bdb
suffix            "dc=example,dc=com"
rootdn            "cn=manager,dc=example,dc=com"
rootpw            {SSHA}Rt9x/xGxM5e8+RpKbvTCWYT8POUEaKwA

# Indices to maintain
index cn,sn,uid pres,eq,approx,sub
index objectClass eq
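Added example (editor's code, not part of the original post or of FreeRADIUS or OpenLDAP). The debug output above shows what Auth-Type LDAP actually does: FreeRADIUS never compares the password itself. In authorize, rlm_ldap binds anonymously ("bind as / to localhost:389"), searches for the user and reads the userPassword hash (which also means this slapd lets an anonymous client read password hashes; an access directive granting only auth access to userPassword would close that). In authenticate, it binds to slapd as uid=ldapuser,ou=People,dc=example,dc=com with the supplied cleartext and lets slapd verify the stored {crypt} md5crypt value. When that bind fails with "invalid credentials", the first thing to separate is "the stored hash does not match the password typed" from "slapd cannot evaluate this hash scheme" (OpenLDAP needs to be built with crypt support for {CRYPT}). The checker below verifies a userPassword value offline for the two schemes on this page, {crypt} with a $1$ value and {SSHA}; the md5crypt function is a pure-Python port of the classic crypt(3) $1$ algorithm so no platform crypt module is needed. The stored value in the __main__ block is copied from the ldapuser.ldif above; the function names and the {SSHA} sample salt are mine.

```python
"""Offline check of an OpenLDAP userPassword value (added example, not from
the original post). Supports {crypt} with a $1$ (md5crypt) value and {SSHA}."""
import base64
import hashlib
import hmac

# crypt(3)'s own base-64 alphabet (not the RFC 4648 one).
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Encode `count` characters of `value`, least significant 6 bits first."""
    out = []
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: bytes, salt: bytes) -> str:
    """Pure-Python port of the $1$ crypt(3) algorithm; returns '$1$<salt>$<22 chars>'."""
    magic = b"$1$"
    salt = salt[:8]  # crypt(3) uses at most eight salt characters
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    for i in range(len(password)):  # one byte of `alt` per password byte
        ctx.update(alt[i % 16:i % 16 + 1])
    i = len(password)  # bits of the length select a NUL or the first byte
    while i:
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):  # stretching rounds with a data-dependent layout
        h = hashlib.md5()
        h.update(password if r & 1 else final)
        if r % 3:
            h.update(salt)
        if r % 7:
            h.update(password)
        h.update(final if r & 1 else password)
        final = h.digest()
    enc = ""  # output bytes are interleaved in crypt(3)'s fixed order
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        enc += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    enc += _to64(final[11], 2)
    return (magic + salt + b"$").decode() + enc


def ssha_hash(password: bytes, salt: bytes) -> str:
    """Build a {SSHA} value as slappasswd does: base64(SHA1(pw + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_userpassword(stored: str, password: str) -> bool:
    """Return True if `password` matches the userPassword value `stored`."""
    pw = password.encode()
    scheme, _, value = stored.partition("}")
    scheme = scheme.lstrip("{").upper()
    if scheme == "CRYPT" and value.startswith("$1$"):
        _, _, salt, _ = value.split("$", 3)  # "$1$<salt>$<hash>"
        return hmac.compare_digest(md5crypt(pw, salt.encode()), value)
    if scheme == "SSHA":
        raw = base64.b64decode(value)
        digest, salt = raw[:20], raw[20:]  # 20-byte SHA-1, then the salt
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    raise ValueError(f"unsupported userPassword scheme: {scheme!r}")


if __name__ == "__main__":
    # Stored value copied from the ldapuser.ldif on this page, checked against
    # the cleartext that the radtest run above supplied.
    stored = "{crypt}$1$nwby/I64$ORzJuBh4/Ec3c.FAt2oqV0"
    print("stored hash matches 'ldapuser':", verify_userpassword(stored, "ldapuser"))
```

If the stored value verifies here but the bind as the user's DN still fails, the fault is on the slapd side: a build without {CRYPT} support, or an ACL that does not give the user auth access to its own userPassword. If it does not verify, the hash in the LDIF simply is not the hash of the password being tested and should be regenerated. One further point the log makes for anyone running radiusd -X: the debug output prints the cleartext password ("login attempt by "ldapuser" with password "ldapuser""), so such traces need the same handling as the credentials themselves before they are shared.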