redundant LDAP server with free-radius

sumi thra sumi.techno at gmail.com
Thu Apr 27 08:51:31 CEST 2006


Hi All,

Please help me in fixing this issue.
Still I'm not able to fix it...

My Access-Request does not succeed when I configure multiple ldap
instances. I read the rlm_ldap document, and according to that I have
the following configuration in radiusd.conf:

authorize {
        ...
        files
        # try ldap_primary first; ldap_secondary only if it fails
        redundant {
                ldap_primary
                ldap_secondary
        }
        eap
}

..
authenticate {
        .....
        Auth-Type LDAP {
                redundant {
                        ldap_primary
                        ldap_secondary
                }
        }
}

...
# primary ldap configuration
ldap ldap_primary {
        server = 1.1.1.1
        ....
}

In my users file I have the following policy (regex values quoted):

# Primary ldap server's group policy - accept
DEFAULT ldap_primary-Ldap-Group == "ads-group1", Symbol-Wlan-Index =~ "wlan1", Login-Time := "Any0000-2359"

# Primary ldap server's group policy - reject
DEFAULT ldap_primary-Ldap-Group == "ads-group1", Symbol-Wlan-Index =~ "wlan2|wlan3|wlan4", Auth-Type := Reject

DEFAULT Auth-Type := Reject

Please find the logs below..
rad_recv: Access-Request packet from host 127.0.0.1:41256, id=85, length=277
        User-Name = "sumithra"
        Called-Station-Id = "00-A0-F8-BF-E9-BC:wlan1"
        Calling-Station-Id = "00-0F-3D-E9-A6-54"
        NAS-Port = 1
        NAS-Port-Type = Wireless-802.11
        Framed-MTU = 1400
        NAS-IP-Address = 127.0.0.1
        NAS-Identifier = "WS5100"
        Symbol-Wlan-Index = "wlan1"
        NAS-Port-Id = "WLAN1"
        Connect-Info = "CONNECT 54Mbps 802.11a"
        State = 0x3477b37e06e1959a106065fa6b552b46
        EAP-Message = 0x0205004715800000003d170301003865d55f3cd46e8f5b7036c78d38a3a9fc51dbdff5f8f256cedd0b1e3da150ed5a4f7f605fdced3725189e4836dc817af1cea9c7047ff1073e
        Message-Authenticator = 0x16f08ab431d475e4a824d796da35d410
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  modcall[authorize]: module "chap" returns noop for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
    rlm_realm: No '/' in User-Name = "sumithra", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix_oblic" returns noop for request 5
    rlm_realm: No '/' in User-Name = "sumithra", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "prefix_oblic" returns noop for request 5
    rlm_realm: No '@' in User-Name = "sumithra", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix_at" returns noop for request 5
    rlm_realm: No '@' in User-Name = "sumithra", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "prefix_at" returns noop for request 5
    rlm_realm: No '%' in User-Name = "sumithra", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix_percent" returns noop for request 5
    rlm_realm: No '%' in User-Name = "sumithra", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "prefix_percent" returns noop for request 5
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=123,dc=123,dc=123,dc=com'
radius_xlat:  '(sAMAccountName=sumithra)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=123,dc=123,dc=123,dc=com, with filter (sAMAccountName=sumithra)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat:  '(|(&(objectClass=GroupOfNames)(member=CN=sumithra,OU=123,DC=123,DC=123,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=sumithra,OU=123,DC=123,DC=123,DC=com)))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=123,dc=123,dc=123,dc=com, with filter (&(cn=ads-group1)(|(&(objectClass=GroupOfNames)(member=CN=sumithra,OU=123,DC=123,DC=123,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=sumithra,OU=123,DC=123,DC=123,DC=com))))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=sumithra,OU=123,DC=123,DC=123,DC=com, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=123,dc=123,dc=123,dc=com'
radius_xlat:  '(|(&(objectClass=GroupOfNames)(member=CN=sumithra,OU=123,DC=123,DC=123,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=sumithra,OU=WIOS,DC=wios,DC=symbol,DC=com)))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=123,dc=123,dc=123,dc=com, with filter (&(cn=ads-group1)(|(&(objectClass=GroupOfNames)(member=CN=sumithra,OU=123,DC=123,DC=123,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=sumithra,OU=123,DC=123,DC=123,DC=com))))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=sumithra,OU=123,DC=123,DC=123,DC=com, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "files" returns notfound for request 5
modcall: entering group redundant  for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for sumithra
radius_xlat:  '(sAMAccountName=sumithra)'
radius_xlat:  'ou=123,dc=123,dc=123,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=123,dc=123,dc=123,dc=com, with filter (sAMAccountName=sumithra)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user sumithra authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap_primary" returns ok for request 5
modcall: leaving group redundant  (returns ok) for request 5
  rlm_eap: EAP packet type response id 5 length 71
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 5
modcall: leaving group authorize (returns updated) for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
  rlm_eap: Request not found in the list
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
  rlm_eap: Failed in handler
  modcall[authenticate]: module "eap" returns invalid for request 5
modcall: leaving group authenticate (returns invalid) for request 5
auth: Failed to validate the user.
Delaying request 5 for 1 seconds
Finished request 5
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 81 with timestamp 4450b417
Cleaning up request 1 ID 82 with timestamp 4450b417
Cleaning up request 2 ID 83 with timestamp 4450b417
Cleaning up request 3 ID 84 with timestamp 4450b417
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 85 to 127.0.0.1 port 41256
Waking up in 4 seconds...


Please reply if you have any idea where the configuration is wrong.

Thanks in advance.

Regards
Sumithra




On 4/25/06, sumi thra <sumi.techno at gmail.com> wrote:
>
> Yes. I got it now.
>
> Thank you so much for your information. :-)
>
> Regards
> Sumi
>
>
> On 4/25/06, Alan DeKok < aland at nitros9.org> wrote:
> >
> > "sumi thra" < sumi.techno at gmail.com> wrote:
> > > 1. When I configure the free-radius to use redundant ldap, the radius server
> > > contacts the secondary ldap server first.
> >
> >   It works for me.
> >
> >   And since you haven't posted the debugging output as suggested in
> > the README, FAQ, INSTALL, etc., my guess is you're doing something
> > else wrong that causes the problem.
> >
> > > 2. My users file has : DEFAULT LDAP-Group := "groupname1" some vendor
> > > specific attributes follows..
> > >                             DEFAULT LDAP-Group := "groupname2"  .....
> > >
> > >   Do i need to specify it as ldap_primary-LDAP-Group := "groupname1"
> >
> >   Did you read doc/rlm_ldap?
> >
> >   Alan DeKok.
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
>
>
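One way to read a trace like the one in this post, as an added example that is neither part of the post nor FreeRADIUS code: a short Python script that walks a `radiusd -X` dump, attributes each rlm_* line to the module whose `modcall[...]: module "x" returns ...` line follows it, lists what every module returned in each section, and names the first return code that rejects the request. The sample trace embedded in it is a constructed abridgement of the trace above. Run on that sample it reports `files` returning notfound and `ldap_primary` returning ok in authorize (so `ldap_secondary` is never consulted), and the Access-Reject coming from `eap` in authenticate, whose own output is "Request not found in the list". The HARD_FAIL set and the treatment of notfound follow the FreeRADIUS 1.x default section actions (notfound only terminates authenticate).

```python
"""Summarise a FreeRADIUS 1.x `radiusd -X` trace: what each module returned in
each section, and which return code produced the Access-Reject.
Added example for reading the trace quoted in this post; not FreeRADIUS code."""
import re

# Constructed sample: an abridged copy of the trace in the post above.
SAMPLE_TRACE = """\
rad_recv: Access-Request packet from host 127.0.0.1:41256, id=85, length=277
  Processing the authorize section of radiusd.conf
  modcall[authorize]: module "preprocess" returns ok for request 5
rlm_ldap: Entering ldap_groupcmp()
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
  modcall[authorize]: module "files" returns notfound for request 5
modcall: entering group redundant  for request 5
rlm_ldap: user sumithra authorized to use remote access
  modcall[authorize]: module "ldap_primary" returns ok for request 5
modcall: leaving group redundant  (returns ok) for request 5
  modcall[authorize]: module "eap" returns updated for request 5
  rad_check_password:  Found Auth-Type EAP
  Processing the authenticate section of radiusd.conf
  rlm_eap: Request not found in the list
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
  rlm_eap: Failed in handler
  modcall[authenticate]: module "eap" returns invalid for request 5
auth: Failed to validate the user.
Sending Access-Reject of id 85 to 127.0.0.1 port 41256
"""

MODCALL_RE = re.compile(r'modcall\[(?P<section>\w+)\]: module "(?P<module>[^"]+)"'
                        r' returns (?P<rcode>\w+) for request (?P<req>\d+)')
AUTHTYPE_RE = re.compile(r'rad_check_password:\s+Found Auth-Type (?P<type>\S+)')
REJECT_RE = re.compile(r'Sending Access-Reject of id (?P<id>\d+)')

# Return codes that terminate a section and reject in any section. "notfound"
# only does so in authenticate; in authorize it is the ordinary result of
# `files` when no users-file entry matched.
HARD_FAIL = {"fail", "reject", "invalid", "userlock"}


def parse_trace(text):
    """Return {"results": [(section, module, rcode), ...] in call order,
    "auth_type": str or None, "rejected": bool,
    "diag": {(section, module): [lines that module printed before returning]}}.
    A module's rlm_* output precedes its own `modcall[...] returns` line, so
    each non-modcall line is attributed to the next return line seen."""
    results, diag, pending = [], {}, []
    auth_type, rejected = None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = MODCALL_RE.search(line)
        if m:
            key = (m["section"], m["module"])
            results.append(key + (m["rcode"],))
            diag[key] = pending
            pending = []
            continue
        m = AUTHTYPE_RE.search(line)
        if m:
            auth_type = m["type"]
            continue
        if REJECT_RE.search(line):
            rejected = True
            continue
        if line.startswith("Processing the"):
            pending = []          # new section: drop packet dump / auth: chatter
            continue
        if not line or line.startswith("modcall"):
            continue              # group enter/leave lines are not module output
        pending.append(line)
    return {"results": results, "auth_type": auth_type,
            "rejected": rejected, "diag": diag}


def rcode_of(parsed, section, module):
    """Return code of `module` in `section`, or None if it was never called."""
    for s, m, r in parsed["results"]:
        if (s, m) == (section, module):
            return r
    return None


def first_failure(parsed):
    """(section, module, rcode, diag_lines) for the first module whose return
    code rejects the request, or None if nothing rejected."""
    for section, module, rcode in parsed["results"]:
        if rcode in HARD_FAIL or (section == "authenticate" and rcode == "notfound"):
            return section, module, rcode, parsed["diag"].get((section, module), [])
    return None


if __name__ == "__main__":
    parsed = parse_trace(SAMPLE_TRACE)
    print("Auth-Type selected:", parsed["auth_type"])
    for s, m, r in parsed["results"]:
        print(f"  {s:<12} {m:<14} -> {r}")
    fail = first_failure(parsed)
    if fail:
        s, m, r, lines = fail
        print(f"Access-Reject caused by {m} in {s} (returned {r}); it printed:")
        for line in lines:
            print("   ", line)
```

To use it on a real capture, call `parse_trace(open(path).read())` on the saved `radiusd -X` output and look at `first_failure()` before reading anything else; the per-module `diag` lines then show why that module returned what it did, which is quicker than scanning the whole dump for rlm_ldap output.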