Avoiding ldapsearch on LDAP authentication

Natalia Escalera nescalera at gmail.com
Tue Mar 21 07:59:47 CET 2006


Hello,

It is my understanding that Freeradius uses an LDAP search in order to
authenticate users, and that the LDAP bind is used to point to the
location on the LDAP server where the search will be done.

I am using FR 1.1.0, but I think the configuration is similar in your FR version.

#users file
       DEFAULT Auth-Type := LDAP
       Fall-Through = 1


>  rlm_ldap: object not found or got ambiguous search result
Check your basedn in radiusd.conf.

For debugging I recommend that you use Ethereal. It is very useful.

Natalia.
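The flow in the debug log quoted below (bind, search basedn for (uid=User-Name), then bind as the single DN found) is what produces "object not found or got ambiguous search result" when basedn is wrong, and it is also the search that the original poster wanted to skip by supplying Ldap-UserDn. The script below is an added example, not FreeRADIUS or rlm_ldap code: it simulates that decision flow against a constructed in-memory directory (the MiniDirectory class, the function names and the sample entries are assumptions of this example; the DNs reuse the ou=people,dc=atusi,dc=org tree from the thread) and shows the three outcomes, the effect of not escaping User-Name before it goes into the filter, and a bind-only path that performs no search at all.

```python
"""Simulation of the rlm_ldap authenticate flow seen in the quoted debug log.

Added example, not FreeRADIUS or rlm_ldap code. The in-memory directory,
the MiniDirectory class and the function names are assumptions of this
example; the DNs reuse the ou=people,dc=atusi,dc=org tree from the thread.
"""
import re

# Constructed directory: DN -> attributes. Two entries share uid "dupe" so the
# ambiguous-result branch can be exercised.
DIRECTORY = {
    "uid=mytestuser,ou=people,dc=atusi,dc=org":
        {"uid": "mytestuser", "userPassword": "mypassword"},
    "uid=dupe,ou=people,dc=atusi,dc=org":
        {"uid": "dupe", "userPassword": "a"},
    "uid=dupe,ou=contractors,dc=atusi,dc=org":
        {"uid": "dupe", "userPassword": "b"},
}


def ldap_escape(value):
    """Escape a filter assertion value per RFC 4515 (the job rlm_ldap does with
    ldap_escape_func when it expands %{User-Name} into the filter). Without it a
    User-Name of "*" is a wildcard that matches every entry under basedn."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def filter_value_to_regex(value):
    """Interpret an assertion value the way a server would: a raw '*' is a
    wildcard, a '\\xx' escape is the literal character with hex code xx."""
    parts, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 3 <= len(value):
            parts.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        elif value[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(value[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


class MiniDirectory:
    """Stand-in for the LDAP server: subtree search for (uid=<value>) under a
    base DN, and simple bind by DN. Counts searches so the bind-only path can
    show that it performs none."""

    def __init__(self, entries):
        self.entries = entries
        self.searches = 0

    def search(self, basedn, filter_value):
        self.searches += 1
        rx = filter_value_to_regex(filter_value)
        suffix = "," + basedn.lower()
        return [dn for dn, attrs in self.entries.items()
                if dn.lower().endswith(suffix) and rx.match(attrs.get("uid", ""))]

    def bind(self, dn, password):
        entry = self.entries.get(dn)
        return entry is not None and entry["userPassword"] == password


def rlm_ldap_authenticate(directory, user_name, password, basedn, ldap_userdn=None):
    """Decision flow matching the debug log: without an Ldap-UserDn the module
    searches basedn for (uid=<escaped User-Name>) and needs exactly one hit
    before binding as that DN; with one it binds directly and never searches.
    Returns (result, number_of_searches) where result is ok/reject/notfound."""
    before = directory.searches
    if ldap_userdn is None:
        hits = directory.search(basedn, ldap_escape(user_name))
        if len(hits) != 1:   # "object not found or got ambiguous search result"
            return "notfound", directory.searches - before
        ldap_userdn = hits[0]
    if directory.bind(ldap_userdn, password):
        return "ok", directory.searches - before
    return "reject", directory.searches - before


if __name__ == "__main__":
    d = MiniDirectory(DIRECTORY)
    base = "ou=people,dc=atusi,dc=org"
    print(rlm_ldap_authenticate(d, "mytestuser", "mypassword", base))
    print(rlm_ldap_authenticate(d, "mytestuser", "mypassword", "ou=users,dc=atusi,dc=org"))
    print(rlm_ldap_authenticate(d, "dupe", "a", "dc=atusi,dc=org"))
    print(rlm_ldap_authenticate(d, "mytestuser", "mypassword", base,
                                ldap_userdn="uid=mytestuser," + base))
```

Running it with the wrong basedn or with a basedn broad enough to contain two entries with the same uid yields "notfound", which is the same notfound the quoted log shows; the last call binds as the supplied DN with zero searches, which is the behaviour the original poster was trying to obtain. The escaping helper matters for the same reason in the real module: the filter is built from the User-Name the client sent.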

On 21 Mar 2006 14:29:22 +0900, MAEDA <maeda-freeradius at atusi.org> wrote:
> Hello,
>
> I'm running Freeradius 1.0.4 with OpenLDAP 2.2.29 on my Fedora Core 4
> box and try to configure radiusd so that ldap_search is not performed
> on authentication (i.e.  just use ldap_bind for authentication).  But
> so far, I've got no success.  Radiusd seems to perform search anyway.
>
> I've read the document doc/rlm_ldap and followed the instruction, but
> I couldn't get it working (I must be missing something).
>
> I configured radiusd as follows:
>
> In users:
>
>  DEFAULT Ldap-UserDn := `uid=%{User-Name},ou=people,dc=atusi,dc=org`, Auth-Type = LDAP
>
> In radiusd.conf:
>  modules {
>
>         ldap {
>                 server = "localhost"
>                 ldap_debug = 0xFFFF
>                 # identity = "cn=admin,o=My Org,c=UA"
>                 # password = mypass
>                 basedn = "ou=people,dc=atusi,dc=org"
>                 # filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>                 # base_filter = "(objectclass=radiusprofile)"
>
>                 start_tls = no
>
>                 access_attr = "dialupAccess"
>
>                 ldap_connections_number = 5
>                 timeout = 4
>                 timelimit = 3
>                 net_timeout = 1
>         }
>         ...
>  }
>
>  authorize {
>         preprocess
>         chap
>         mschap
>         suffix
>         eap
>         files
>  }
>
>  authenticate {
>         Auth-Type PAP {
>                 pap
>         }
>         Auth-Type CHAP {
>                 chap
>         }
>         Auth-Type MS-CHAP {
>                 mschap
>         }
>         Auth-Type LDAP {
>                 ldap
>         }
>         eap
>  }
>
>  # All other parts are left as default.
>
> When I test my setup with:
>  (echo 'User-Name=mytestuser'; echo 'User-Password = mypassword') |
>  radclient -c 1 127.0.0.1 auth  testing123
> radiusd (run with -X option) says:
>
>  rad_recv: Access-Request packet from host 127.0.0.1:32791, id=183, length=43
>         User-Name = "mytestuser"
>         User-Password = "mypassword"
>   Processing the authorize section of radiusd.conf
>  modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
>     rlm_realm: No '@' in User-Name = "mytestuser", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for request 0
>     users: Matched entry DEFAULT at line 214
>   modcall[authorize]: module "files" returns ok for request 0
>  modcall: group authorize returns ok for request 0
>   rad_check_password:  Found Auth-Type LDAP
>  auth: type "LDAP"
>   Processing the authenticate section of radiusd.conf
>  modcall: entering group Auth-Type for request 0
>  rlm_ldap: - authenticate
>  rlm_ldap: login attempt by "mytestuser" with password "mypassword"
>  radius_xlat:  '(uid=mytestuser)'
>  radius_xlat:  'ou=people,dc=atusi,dc=org'
>  rlm_ldap: ldap_get_conn: Checking Id: 0
>  rlm_ldap: ldap_get_conn: Got Id: 0
>  rlm_ldap: attempting LDAP reconnection
>  rlm_ldap: (re)connect to localhost:389, authentication 0
>  rlm_ldap: bind as / to localhost:389
>  ldap_bind
>  ldap_simple_bind
>  ldap_sasl_bind
>  ldap_send_initial_request
>  ldap_new_connection
>  ldap_int_open_connection
>  ldap_connect_to_host: TCP localhost:389
>  ldap_new_socket: 6
>  ldap_prepare_socket: 6
>  ldap_connect_to_host: Trying 127.0.0.1:389
>  ldap_connect_timeout: fd: 6 tm: 1 async: 0
>  ldap_ndelay_on: 6
>  ldap_is_sock_ready: 6
>  ldap_ndelay_off: 6
>  ldap_open_defconn: successful
>  ldap_send_server_request
>  rlm_ldap: waiting for bind result ...
>  ldap_result msgid 1
>  ldap_chkResponseList for msgid=1, all=1
>  ldap_chkResponseList returns NULL
>  wait4msg (timeout 4 sec, 0 usec), msgid 1
>  wait4msg continue, msgid 1, all 1
>  ** Connections:
>  * host: localhost  port: 389  (default)
>   refcnt: 2  status: Connected
>   last used: Tue Mar 21 13:31:12 2006
>
>  ** Outstanding Requests:
>  * msgid 1,  origid 1, status InProgress
>    outstanding referrals 0, parent count 0
>  ** Response Queue:
>    Empty
>  ldap_chkResponseList for msgid=1, all=1
>  ldap_chkResponseList returns NULL
>  ldap_int_select
>  read1msg: msgid 1, all 1
>  ldap_read: message type bind msgid 1, original id 1
>  new result:  res_errno: 0, res_error: <>, res_matched: <>
>  read1msg:  0 new referrals
>  read1msg:  mark request completed, id = 1
>  request 1 done
>  res_errno: 0, res_error: <>, res_matched: <>
>  ldap_free_request (origid 1, msgid 1)
>  ldap_free_connection
>  ldap_free_connection: refcnt 1
>  ldap_parse_result
>  ldap_msgfree
>  rlm_ldap: Bind was successful
>  rlm_ldap: performing search in ou=people,dc=atusi,dc=org, with filter (uid=mytestuser)
>  ldap_search
>  put_filter: "(uid=mytestuser)"
>  put_filter: simple
>  put_simple_filter: "uid=mytestuser"
>  ldap_send_initial_request
>  ldap_send_server_request
>  ldap_result msgid 2
>  ldap_chkResponseList for msgid=2, all=1
>  ldap_chkResponseList returns NULL
>  wait4msg (timeout 4 sec, 0 usec), msgid 2
>  wait4msg continue, msgid 2, all 1
>  ** Connections:
>  * host: localhost  port: 389  (default)
>   refcnt: 2  status: Connected
>   last used: Tue Mar 21 13:31:12 2006
>
>  ** Outstanding Requests:
>  * msgid 2,  origid 2, status InProgress
>    outstanding referrals 0, parent count 0
>  ** Response Queue:
>    Empty
>  ldap_chkResponseList for msgid=2, all=1
>  ldap_chkResponseList returns NULL
>  ldap_int_select
>  read1msg: msgid 2, all 1
>  ldap_read: message type search-result msgid 2, original id 2
>  new result:  res_errno: 0, res_error: <>, res_matched: <>
>  read1msg:  0 new referrals
>  read1msg:  mark request completed, id = 2
>  request 2 done
>  res_errno: 0, res_error: <>, res_matched: <>
>  ldap_free_request (origid 2, msgid 2)
>  ldap_free_connection
>  ldap_free_connection: refcnt 1
>  ldap_parse_result
>  rlm_ldap: object not found or got ambiguous search result
>  ldap_msgfree
>  rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authenticate]: module "ldap" returns notfound for request 0
>  modcall: group Auth-Type returns notfound for request 0
>  auth: Failed to validate the user.
>
> According to the log lines:
>  rlm_ldap: (re)connect to localhost:389, authentication 0
>  rlm_ldap: bind as / to localhost:389
> I guessed (by reading rlm_ldap.c) that the Ldap-UserDn valuepair is not passed
> to ldap_authenticate() for some reason.
>
> I tried to write `Ldap-UserDn := ...' as a reply item of the DEFAULT entry
> in the users file, but in that case radiusd says:
>  WARNING! Check item "Ldap-UserDn" found in reply item list for user
>  "DEFAULT". This attribute MUST go on the first line with the other
>  check items
> and I still got the same result.
>
> I also tried in radiusd.conf:
>   modules {
>      ldap {
>           identity = "%{Ldap-UserDN}"
>           password = `%{User-Password}`
>           ...
>      }
>   }
> but these attributes are not xlated and are passed to LDAP as they are.
>
> Any clues would be greatly appreciated.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>