ldap authentication failure

Abey Thomas abeyth at gmail.com
Wed Apr 19 16:12:13 CEST 2006


Hi all,

I am facing problems with LDAP and FreeRADIUS on Red Hat Linux AS 4. I can
successfully authenticate Windows XP machines through a Cisco 2950 using the
FreeRADIUS local "users" file and MD5. radtest is successful for the LDAP
users, but "radiusd -X" shows: rlm_ldap: Attribute "User-Password" is
required for authentication. / modcall[authenticate]: module "ldap" returns
invalid for request 0

Any help will be appreciated. Thanks.

I am using the configuration file that came with the source distribution.
-------------------
[root at localhost ~]# cat /etc/raddb/radiusd.conf
# radiusd.conf as posted (FreeRADIUS 1.x layout: a modules {} block followed
# by the authorize/authenticate/preacct/accounting sections).  Lines marked
# "review:" were added while reading the "radiusd -X" output further down the
# message and point at the settings that explain the observed behaviour.
prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

log_file = ${logdir}/radius.log

libdir = /usr/lib/freeradius

pidfile = ${run_dir}/radiusd.pid


# review: the daemon runs as an unprivileged account, which is what we want;
# ${confdir}/clients.conf (presumably holding the NAS shared secrets) should
# be readable by this account only.
user = radiusd
group = radiusd

max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 0
# review: "*" listens on every interface; bind to the address facing the
# switch if the host has more than one.
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
log_stripped_names = no
# review: with all three at "no", accepted and rejected logins presumably do
# not reach ${log_file} at all; log_auth = yes and log_auth_badpass = yes are
# cheap and are what lets you spot guessing attempts later — confirm.
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no

#  The program to execute to do concurrency checks.
#checkrad = ${sbindir}/checkrad

security {
        max_attributes = 200
        # review: 0 sends the Access-Reject immediately; a delay of about a
        # second slows online password guessing without affecting legitimate
        # users — consider raising it.
        reject_delay = 0
        status_server = no
}

proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf

$INCLUDE  ${confdir}/clients.conf

thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}

modules {

        ldap {
        server = "10.10.29.251"
        # review: every identity/password line is commented out, so the
        # server binds anonymously (debug: "bind as / to 10.10.29.251:389")
        # and the directory is evidently handing userPassword to an
        # anonymous reader.  A dedicated bind DN for the RADIUS server plus a
        # directory ACL that hides userPassword from everyone else is the
        # usual shape.
        #identity = "uid=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com"
        #identity = "cn=Manager,dc=example,dc=com"
        #password = password
        basedn = "ou=people,dc=example,dc=com"
        # review: the quoted line under "#filter =" is a mail-client wrap of
        # the same commented-out setting, not a live directive (the debug
        # output shows the default "(uid=ldapuser5)" filter being used).
        #filter =
"(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile)"
        # review: both TLS settings are off and the debug output confirms a
        # plain connection to 10.10.29.251:389; the userPassword hash that
        # the search returns therefore crosses the network unencrypted.
        start_tls = no
        tls_mode = no
        # review: the quoted line below is another mail wrap of the
        # commented-out default_profile value.
        #default_profile =
"uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com"
        #profile_attribute = "radiusProfileDn"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_cache_timeout = 120
        ldap_cache_size = 0
        ldap_connections_number = 10
        #password_header = "{crypt}"
        # review: the attribute named here is copied into the request's check
        # items and printed verbatim at debug level (debug: "Added password
        # {crypt}$1$... in check items"); scrub -X output before sharing it.
        password_attribute = userPassword
        #groupname_attribute = radiusGroupName
        # review: the quoted line below is a mail wrap of the commented-out
        # groupmembership_filter value.
        #groupmembership_filter =
"(&(uid=%{Stripped-User-Name:-%{User-Name}}))(objectclass=radiusProfile)"
        #groupmembership_attribute = radiusGroupName
        timeout = 3
        timelimit = 5
        net_timeout = 1
        compare_check_items = no
        #access_attr_used_for_allow = yes
        }

        realm suffix {
                format = suffix
                delimiter = "@"
        }

        preprocess {
                huntgroups = ${confdir}/huntgroups
                #hints = ${confdir}/hints
                with_ascend_hack = no
                ascend_channels_per_line = 23
                with_ntdomain_hack = no
                with_specialix_jetstream_hack = no
                with_cisco_vsa_hack = no
        }

        files {
                usersfile = ${confdir}/users
                #acctusersfile = ${confdir}/acct_users
                compat = no
                #use old style users
        }
        # regular detail files
        detail detail1 {
                # review: the value on the next line belongs to "detailfile ="
                # (mail wrap); the file itself is created 0600, which is right
                # for accounting data that names users and MACs.
                detailfile =
${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
                detailperm = 0600
                dirperm = 0755
        }
        # temp detail file to replicate to accountrad
        detail detail2 {
                detailfile= ${radacctdir}/detail-combined
                detailperm = 0600
                dirperm = 0755
                locking = yes
        }

        acct_unique {
                # review: the key string continues on the next line (mail wrap).
                key = "User-Name, Acct-Session-Id,
NAS-IP-Address,Client-IP-Address, NAS-Port-Id"
        }


        #radutmp {
        #       filename = ${logdir}/radutmp
        #       perm = 0600
        #       callerid = "yes"
        #}

        #radutmp sradutmp {
        #       filename = ${logdir}/sradutmp
        #       perm = 0644
        #       callerid = "no"
        #}

        #attr_filter {
        #       attrsfile = ${confdir}/attrs
        #}


        # The "always" module is here for debugging purposes. Each
        # instance simply returns the same result, always, without
        # doing anything.
        always fail {
                rcode = fail
        }
        always reject {
                rcode = reject
        }
        always ok {
                rcode = ok
                simulcount = 0
                mpp = no
        }

        #
        #  The 'expression' module current has no configuration.
        expr {
        }

}

instantiate {
        expr
}

# review: in the debug output this section runs fine — ldap finds the user,
# adds the {crypt} hash to the check items and the radius* reply attributes —
# and the request leaves here with Auth-Type LDAP.
authorize {
        preprocess
        suffix
        files
        ldap
}

# review: this is where the posted request fails.  Auth-Type LDAP hands the
# request to rlm_ldap's authenticate method, which needs a cleartext
# User-Password attribute (debug: 'Attribute "User-Password" is required for
# authentication' followed by "returns invalid").  The captured
# Access-Request from the switch carries an EAP-Message and no User-Password
# at all, i.e. the client is doing EAP (presumably 802.1X), which rlm_ldap
# cannot complete on its own, and no eap module is configured in this file.
# That also explains why radtest works: it presumably supplies User-Password.
authenticate {
        authtype LDAP {
                ldap
        }
}

preacct {
        preprocess
        suffix
        files
}

accounting {
        acct_unique
        detail1
        detail2
        #radutmp
        #sradutmp
}


#session {
        #radutmp
#}

#post-auth {
          #  Get an address from the IP Pool.
          #main_pool
#}
----------------------------------------
The LDIF file:
dn: uid=ldapuser5,ou=People,dc=example,dc=com
uid: ldapuser5
cn: ldapuser5
# review: the {crypt} scheme prefix is stored inside the value.  This exact
# string is also printed by "radiusd -X" (rlm_ldap copies it into the check
# items) and is now public with this post, so the password should be
# changed.  $1$ is md5crypt; prefer a stronger scheme if the directory
# offers one.
userPassword: {crypt}$1$1jD47Q.o$o.Aqkoe/Z7au.phSO6ULW1
objectclass: radiusprofile
objectClass: account
#objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
radiusServiceType: Framed-User
radiusFramedProtocol: Ethernet
radiusFramedIPNetmask: 255.255.255.0
radiusFramedRouting: None
---------------------------------------------------------------------------------------------------------



Ready to process requests.
rad_recv: Access-Request packet from host 10.10.29.49:1812, id=61,
length=133
        NAS-IP-Address = 10.10.29.49
        NAS-Port = 50035
        NAS-Port-Type = Ethernet
        User-Name = "ldapuser5"
        Called-Station-Id = "00-14-69-B1-DE-63"
        Calling-Station-Id = "00-11-85-81-FE-9F"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x0200000e016c6461707573657235
        Message-Authenticator = 0xa87b5810daf6ae5596070a302b227a3a
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
    rlm_realm: No '@' in User-Name = "ldapuser5", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
    users: Matched DEFAULT at 153
    users: Matched DEFAULT at 157
    users: Matched DEFAULT at 175
    users: Matched DEFAULT at 204
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ldapuser5
radius_xlat:  '(uid=ldapuser5)'
radius_xlat:  'ou=people,dc=example,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.10.29.251:389, authentication 0
rlm_ldap: bind as / to 10.10.29.251:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=example,dc=com, with filter
(uid=ldapuser5)
rlm_ldap: Added password {crypt}$1$1jD47Q.o$o.Aqkoe/Z7au.phSO6ULW1 in check
items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFramedRouting as Framed-Routing, value None & op=11
rlm_ldap: Adding radiusFramedIPNetmask as Framed-IP-Netmask, value
255.255.255.0 & op=11
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value Ethernet &
op=11
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User &
op=11
rlm_ldap: user ldapuser5 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authtype for request 0
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "ldap" returns invalid for request 0
modcall: group authtype returns invalid for request 0
auth: Failed to validate the user.
Sending Access-Reject of id 61 to 10.10.29.49:1812
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 61 with timestamp 44458f3a
Nothing to do.  Sleeping until we see a request.


Abey Babu Thomas

