ldap authentication failure
Abey Thomas
abeyth at gmail.com
Wed Apr 19 16:12:13 CEST 2006
Hi all,
I am facing problems with LDAP and FreeRADIUS on Red Hat Linux AS 4. I can
successfully authenticate Windows XP machines through a Cisco 2950 when FreeRADIUS uses the local
"users" file with MD5. Radtest is successful for the
LDAP users, but `radiusd -X` shows:
  rlm_ldap: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "ldap" returns invalid for request 0
Any help will be appreciated. Thanks.
I am using the configuration file shipped with the source distribution (it is reproduced below).
Note for readers: the debug trace below shows the switch sends an Access-Request carrying an EAP-Message and no User-Password attribute, while the "ldap" module in the authenticate section can only verify a user by binding to the directory with a cleartext User-Password; that is exactly why it returns "invalid". The configuration shown contains no "eap" module at all, so the 802.1X request is never handed to an EAP method. Because the directory stores a {crypt} hash (see the LDIF), only an EAP method that carries a plaintext password inside the tunnel (e.g. EAP-TTLS with PAP) can be checked against it; EAP-MD5 cannot be verified from a crypt hash.
-------------------
[root at localhost ~]# cat /etc/raddb/radiusd.conf
prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 0
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
# The program to execute to do concurrency checks.
#checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
# 0 sends Access-Reject immediately; the shipped default of 1 second slows
# down online password guessing through the NAS. Consider leaving it at 1.
reject_delay = 0
status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
ldap {
server = "10.10.29.251"
# NOTE: identity/password are commented out, so rlm_ldap binds anonymously
# (the trace below shows 'bind as / to 10.10.29.251:389') and still reads
# userPassword. The directory ACLs therefore let anonymous clients read
# password hashes; restrict userPassword to a dedicated bind DN.
#identity = "uid=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com"
#identity = "cn=Manager,dc=example,dc=com"
#password = password
basedn = "ou=people,dc=example,dc=com"
#filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
# Plain LDAP on port 389: bind credentials and any user password checked by
# bind travel in the clear between the RADIUS server and 10.10.29.251.
# Enable start_tls (or ldaps) before moving this to production.
start_tls = no
tls_mode = no
#default_profile = "uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com"
#profile_attribute = "radiusProfileDn"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_cache_timeout = 120
ldap_cache_size = 0
ldap_connections_number = 10
#password_header = "{crypt}"
password_attribute = userPassword
#groupname_attribute = radiusGroupName
#groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusProfile))"
#groupmembership_attribute = radiusGroupName
timeout = 3
timelimit = 5
net_timeout = 1
compare_check_items = no
#access_attr_used_for_allow = yes
}
realm suffix {
format = suffix
delimiter = "@"
}
preprocess {
huntgroups = ${confdir}/huntgroups
#hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
#acctusersfile = ${confdir}/acct_users
compat = no
#use old style users
}
# regular detail files
detail detail1 {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
dirperm = 0755
}
# temp detail file to replicate to accountrad
detail detail2 {
detailfile= ${radacctdir}/detail-combined
detailperm = 0600
dirperm = 0755
locking = yes
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
}
#radutmp {
# filename = ${logdir}/radutmp
# perm = 0600
# callerid = "yes"
#}
#radutmp sradutmp {
# filename = ${logdir}/sradutmp
# perm = 0644
# callerid = "no"
#}
#attr_filter {
# attrsfile = ${confdir}/attrs
#}
# The "always" module is here for debugging purposes. Each
# instance simply returns the same result, always, without
# doing anything.
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
#
# The 'expression' module current has no configuration.
expr {
}
}
instantiate {
expr
}
authorize {
preprocess
suffix
files
ldap
}
authenticate {
authtype LDAP {
ldap
}
}
preacct {
preprocess
suffix
files
}
accounting {
acct_unique
detail1
detail2
#radutmp
#sradutmp
}
#session {
#radutmp
#}
#post-auth {
# Get an address from the IP Pool.
#main_pool
#}
----------------------------------------
The LDIF entry for the test user:
dn: uid=ldapuser5,ou=People,dc=example,dc=com
uid: ldapuser5
cn: ldapuser5
# NOTE: this password hash has been posted to a public list (and is echoed
# again in the debug trace below); treat the account password as compromised
# and change it.
userPassword: {crypt}$1$1jD47Q.o$o.Aqkoe/Z7au.phSO6ULW1
objectclass: radiusprofile
objectClass: account
#objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
radiusServiceType: Framed-User
radiusFramedProtocol: Ethernet
radiusFramedIPNetmask: 255.255.255.0
radiusFramedRouting: None
---------------------------------------------------------------------------------------------------------
Ready to process requests.
rad_recv: Access-Request packet from host 10.10.29.49:1812, id=61,
length=133
NAS-IP-Address = 10.10.29.49
NAS-Port = 50035
NAS-Port-Type = Ethernet
User-Name = "ldapuser5"
Called-Station-Id = "00-14-69-B1-DE-63"
Calling-Station-Id = "00-11-85-81-FE-9F"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x0200000e016c6461707573657235
Message-Authenticator = 0xa87b5810daf6ae5596070a302b227a3a
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_realm: No '@' in User-Name = "ldapuser5", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
users: Matched DEFAULT at 153
users: Matched DEFAULT at 157
users: Matched DEFAULT at 175
users: Matched DEFAULT at 204
modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ldapuser5
radius_xlat: '(uid=ldapuser5)'
radius_xlat: 'ou=people,dc=example,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.10.29.251:389, authentication 0
rlm_ldap: bind as / to 10.10.29.251:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=example,dc=com, with filter
(uid=ldapuser5)
rlm_ldap: Added password {crypt}$1$1jD47Q.o$o.Aqkoe/Z7au.phSO6ULW1 in check
items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFramedRouting as Framed-Routing, value None & op=11
rlm_ldap: Adding radiusFramedIPNetmask as Framed-IP-Netmask, value
255.255.255.0 & op=11
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value Ethernet &
op=11
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User &
op=11
rlm_ldap: user ldapuser5 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authtype for request 0
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "ldap" returns invalid for request 0
modcall: group authtype returns invalid for request 0
auth: Failed to validate the user.
Sending Access-Reject of id 61 to 10.10.29.49:1812
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 61 with timestamp 44458f3a
Nothing to do. Sleeping until we see a request.
Abey Babu Thomas