Avoiding ldapsearch on LDAP authentication
MAEDA
maeda-freeradius at atusi.org
Tue Mar 21 06:29:22 CET 2006
Hello,
I'm running Freeradius 1.0.4 with OpenLDAP 2.2.29 on my Fedora Core 4
box and am trying to configure radiusd so that ldap_search is not performed
on authentication (i.e. just use ldap_bind for authentication). But
so far, I've had no success. Radiusd seems to perform the search anyway.
I've read the document doc/rlm_ldap and followed the instructions, but
I couldn't get it working (I must be missing something).
I configured radiusd as follows:
In users:
DEFAULT Ldap-UserDn := `uid=%{User-Name},ou=people,dc=atusi,dc=org`,
Auth-Type = LDAP
In radiusd.conf:
modules {
ldap {
server = "localhost"
ldap_debug = 0xFFFF
# identity = "cn=admin,o=My Org,c=UA"
# password = mypass
basedn = "ou=people,dc=atusi,dc=org"
# filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
# base_filter = "(objectclass=radiusprofile)"
start_tls = no
access_attr = "dialupAccess"
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
}
...
}
authorize {
preprocess
chap
mschap
suffix
eap
files
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
Auth-Type LDAP {
ldap
}
eap
}
# All other parts are left as default.
When I test my setup with:
(echo 'User-Name=mytestuser'; echo 'User-Password = mypassword') |
radclient -c 1 127.0.0.1 auth testing123
radiusd (run with -X option) says:
rad_recv: Access-Request packet from host 127.0.0.1:32791, id=183, length=43
User-Name = "mytestuser"
User-Password = "mypassword"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "mytestuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 214
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "mytestuser" with password "mypassword"
radius_xlat: '(uid=mytestuser)'
radius_xlat: 'ou=people,dc=atusi,dc=org'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 6
ldap_prepare_socket: 6
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_connect_timeout: fd: 6 tm: 1 async: 0
ldap_ndelay_on: 6
ldap_is_sock_ready: 6
ldap_ndelay_off: 6
ldap_open_defconn: successful
ldap_send_server_request
rlm_ldap: waiting for bind result ...
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (timeout 4 sec, 0 usec), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: localhost port: 389 (default)
refcnt: 2 status: Connected
last used: Tue Mar 21 13:31:12 2006
** Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ldap_read: message type bind msgid 1, original id 1
new result: res_errno: 0, res_error: <>, res_matched: <>
read1msg: 0 new referrals
read1msg: mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ldap_msgfree
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=atusi,dc=org, with filter
(uid=mytestuser)
ldap_search
put_filter: "(uid=mytestuser)"
put_filter: simple
put_simple_filter: "uid=mytestuser"
ldap_send_initial_request
ldap_send_server_request
ldap_result msgid 2
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
wait4msg (timeout 4 sec, 0 usec), msgid 2
wait4msg continue, msgid 2, all 1
** Connections:
* host: localhost port: 389 (default)
refcnt: 2 status: Connected
last used: Tue Mar 21 13:31:12 2006
** Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 2, all 1
ldap_read: message type search-result msgid 2, original id 2
new result: res_errno: 0, res_error: <>, res_matched: <>
read1msg: 0 new referrals
read1msg: mark request completed, id = 2
request 2 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
rlm_ldap: object not found or got ambiguous search result
ldap_msgfree
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authenticate]: module "ldap" returns notfound for request 0
modcall: group Auth-Type returns notfound for request 0
auth: Failed to validate the user.
According to the log lines:
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
I guessed (by reading rlm_ldap.c) that the Ldap-UserDn valuepair is not passed
to ldap_authenticate() for some reason.
I tried to write `Ldap-UserDn := ...' as a reply item of the DEFAULT entry
in the users file, but in that case radiusd says:
WARNING! Check item "Ldap-UserDn" found in reply item list for user
"DEFAULT". This attribute MUST go on the first line with the other
check items
and still got the same result.
I also tried in radiusd.conf:
modules {
ldap {
identity = "%{Ldap-UserDN}"
password = `%{User-Password}`
...
}
}
but these attributes are not xlated and passed to LDAP as they are.
Any clues would be greatly appreciated.
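A small log parser, added here as an example (it is not code from the post or from FreeRADIUS), that walks `radiusd -X` output of the kind quoted above and reports which LDAP operations rlm_ldap issued, in order, plus the module's return code, so a config change can be checked for whether the search after the bind actually disappeared. It also masks the cleartext password that rlm_ldap prints at debug level. It assumes the `bind as <dn>/<password> to host:port` line format seen in the log; the sample lines are a constructed excerpt.

```python
import re

# Constructed sample in the shape of the radiusd -X output quoted in the post
# (a trimmed excerpt, not a live capture).
SAMPLE_LOG = """\
rlm_ldap: - authenticate
rlm_ldap: login attempt by "mytestuser" with password "mypassword"
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=atusi,dc=org, with filter (uid=mytestuser)
rlm_ldap: object not found or got ambiguous search result
modcall[authenticate]: module "ldap" returns notfound for request 0
"""

# Assumed line formats, taken from the log lines in the post.
BIND_RE = re.compile(r'rlm_ldap: bind as (?P<dnpw>.*?) to (?P<host>\S+)$')
SEARCH_RE = re.compile(r'rlm_ldap: performing search in (?P<base>.*?), with filter (?P<filter>.*)$')
RESULT_RE = re.compile(r'module "ldap" returns (?P<rc>\w+) for request (?P<req>\d+)')
PASSWORD_RE = re.compile(r'(with password )"[^"]*"')


def summarize_rlm_ldap(log_text):
    """Return the LDAP operations rlm_ldap issued, in order, and the module result."""
    ops = []
    rc = None
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            # "bind as / to ..." means an empty DN and empty password: an anonymous bind.
            dn, _, _password = m.group('dnpw').partition('/')
            ops.append(('bind', dn or None))
            continue
        m = SEARCH_RE.search(line)
        if m:
            ops.append(('search', m.group('base'), m.group('filter')))
            continue
        m = RESULT_RE.search(line)
        if m:
            rc = m.group('rc')
    bind_only = bool(ops) and all(op[0] == 'bind' for op in ops)
    return {'ops': ops, 'result': rc, 'bind_only': bind_only}


def redact_passwords(log_text):
    """Mask the cleartext user password that rlm_ldap prints in debug mode."""
    return PASSWORD_RE.sub(r'\1"<redacted>"', log_text)


if __name__ == '__main__':
    print(summarize_rlm_ldap(SAMPLE_LOG))
    print(redact_passwords(SAMPLE_LOG))
```

Run against a debug log from a changed configuration, `bind_only` is True only when the parser saw a bind for the user's DN and no search; keep the redacted copy if the log has to be shared.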