LDAP and Freeradius Bind problem

thomas hahusseau thomas.hahusseau at gmail.com
Mon May 29 11:31:38 CEST 2006


Hello,

I am trying to use FreeRADIUS and OpenLDAP for authentication and I've got some
problems with binding.

First of all, OpenLDAP works well: I'm able to connect to the database with an
anonymous connection and perform searches in the database (no write access, of
course).

FreeRADIUS works well when the user and the password are directly included in
the conf file "clients", but when I try radtest with a user which is in the LDAP
database it doesn't work. Here is the command performed:

radtest test 4886 localhost 1812 testing123

A user with uid=test and password is already created in the LDAP database.

Here is the FreeRADIUS output:

modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "test" with password "4886"
radius_xlat:  '(uid=test)'
radius_xlat:  'dc=dist,dc=demo,dc=net'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dist,dc=demo,dc=net, with filter
(uid=test)
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: user DN: uid=test,ou=utilisateurs,dc=dist,dc=demo,dc=net
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=test,ou=utilisateurs,dc=dist,dc=demo,dc=net/4886 to
localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
rlm_ldap:
  modcall[authenticate]: module "ldap" returns reject for request 0
modcall: leaving group LDAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect (rlm_ldap: Bind as user failed): [test/4886] (from client
localhost port 1812)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 89 to 127.0.0.1 port 32768
       Reply-Message = ""
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 89 with timestamp 447ad91a
Nothing to do.  Sleeping until we see a request.

As you can see, the binding in anonymous mode works well, the search is
performed and 1 result is found: test.utilisateurs.dist.demo.net

But I don't understand why radius tries to bind again with the LDAP server
using the account test.utilisateurs.demo.net.
Is there a mechanism in LDAP authentication that I don't understand?
According to me, as soon as FreeRADIUS finds in LDAP the user with the right
password it should authorize access.

This is my radiusd.conf (sample):

    # Lightweight Directory Access Protocol (LDAP)
    #
    #  This module definition allows you to use LDAP for
    #  authorization and authentication (Auth-Type := LDAP)
    #
    #  See doc/rlm_ldap for description of configuration options
    #  and sample authorize{} and authenticate{} blocks
    ldap {
        server = localhost
        port = 389
        # identity = "cn=admin,dc=dist,dc=demo,dc=net"
        # password = *********
        basedn = "dc=dist,dc=demo,dc=net"
        # filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # base_filter = "(objectclass=radiusprofile)"

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 689) connections
        start_tls = no

        # tls_cacertfile    = /path/to/cacert.pem
        # tls_cacertdir        = /path/to/ca/dir/
        # tls_certfile        = /path/to/radius.crt
        # tls_keyfile        = /path/to/radius.key
        # tls_randfile        = /path/to/rnd
        # tls_require_cert    = "demand"

        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        access_attr = "uid"

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        ldap_connections_number = 5

        #
        # NOTICE: The password_header directive is NOT case insensitive
        #
        # password_header = "{clear}"
        #
        # Set:
        #    password_attribute = nspmPassword
        #
        # to get the user's password from a Novell eDirectory
        # backend. This will work *only if* freeRADIUS is
        # configured to build with --with-edir option.
        #
        #
        #  The server can usually figure this out on its own, and pull
        #  the correct User-Password or NT-Password from the database.
        #
        #  Note that NT-Passwords MUST be stored as a 32-digit hex
        #  string, and MUST start off with "0x", such as:
        #
        #    0x000102030405060708090a0b0c0d0e0f
        #
        #  Without the leading "0x", NT-Passwords will not work.
        #  This goes for NT-Passwords stored in SQL, too.
        #
        # password_attribute = userPassword
        #
        # Un-comment the following to disable Novell eDirectory account
        # policy check and intruder detection. This will work *only if*
        # FreeRADIUS is configured to build with --with-edir option.
        #
        # edir_account_policy_check=no
        #
        # groupname_attribute = cn
        # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        # groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # do_xlat = yes
        # access_attr_used_for_allow = yes

        #
        #  By default, if the packet contains a User-Password,
        #  and no other module is configured to handle the
        #  authentication, the LDAP module sets itself to do
        #  LDAP bind for authentication.
        #
        #  You can disable this behavior by setting the following
        #  configuration entry to "no".
        #
        #  allowed values: {no, yes}
        set_auth_type = no
#        authtype= LDAP
    }


Thank you for your help!!!!

With regards,
Thomas
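The debug output above is the two-step scheme rlm_ldap follows when it has no password attribute to read: it first binds with its own identity (anonymous here, since `identity` and `password` are commented out) and searches under `basedn` with the filter `(uid=<User-Name>)` to turn the user name into a DN, and then binds a second time as that DN with the password from the Access-Request. The search only locates the entry; the second bind is the only step that checks the password, which is why "user DN: ..." can be followed by "Bind failed with invalid credentials". The Python below is an added illustration of that flow, not code from the post or from FreeRADIUS: the in-memory directory, its `{SSHA}` password storage and all passwords are constructed sample data.

```python
"""Toy model of the rlm_ldap authentication flow seen in the debug log.

Step 1: bind with the module's own identity (anonymous here, because
        `identity`/`password` are commented out) and search under basedn
        with the filter (uid=<User-Name>) to obtain the user's DN.
Step 2: bind a second time, now as that DN, with the password carried in
        the Access-Request.  Only this second bind checks the password.

The in-memory directory, its entries and all passwords are constructed
sample data; nothing here talks to a real LDAP server.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

BASEDN = "dc=dist,dc=demo,dc=net"                               # from radiusd.conf in the post
USER_DN = "uid=test,ou=utilisateurs,dc=dist,dc=demo,dc=net"     # from the debug log


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP-style salted SHA-1 userPassword value: {SSHA}b64(sha1(pw+salt)+salt)."""
    salt = secrets.token_bytes(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


class ToyDirectory:
    """Minimal stand-in for an LDAP DIT: dn -> attribute dict."""

    def __init__(self, entries: Dict[str, Dict[str, str]]):
        self.entries = entries

    def search(self, basedn: str, uid: str) -> List[str]:
        """Subtree search for (uid=...) under basedn; returns matching DNs.
        The search never looks at the password."""
        return [dn for dn, attrs in self.entries.items()
                if dn.endswith(basedn) and attrs.get("uid") == uid]

    def bind(self, dn: str, password: str) -> str:
        """LDAP simple bind result: 'success' or 'invalidCredentials'.
        An empty password is refused rather than silently becoming anonymous."""
        entry = self.entries.get(dn)
        if entry is None or not password:
            return "invalidCredentials"
        stored = entry.get("userPassword", "")
        if stored.startswith("{SSHA}"):
            ok = ssha_verify(stored, password)
        else:  # cleartext userPassword, still compared in constant time
            ok = hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))
        return "success" if ok else "invalidCredentials"


def build_directory() -> ToyDirectory:
    """Constructed sample DIT with one user whose password is 'correct-horse'."""
    return ToyDirectory({
        USER_DN: {"uid": "test", "userPassword": ssha_hash("correct-horse")},
    })


def rlm_ldap_authenticate(directory: ToyDirectory, username: str,
                          password: str) -> Tuple[str, List[str]]:
    """Model of rlm_ldap's authenticate section: returns (rcode, log lines)."""
    log: List[str] = []
    dns = directory.search(BASEDN, username)          # step 1: anonymous bind + search
    if len(dns) != 1:
        log.append(f"rlm_ldap: search for (uid={username}) returned {len(dns)} objects")
        return "notfound", log
    user_dn = dns[0]
    log.append(f"rlm_ldap: user DN: {user_dn}")
    log.append(f"rlm_ldap: bind as {user_dn} to localhost:389")
    result = directory.bind(user_dn, password)        # step 2: bind as the user
    if result != "success":
        log.append("rlm_ldap: Bind failed with invalid credentials")
        return "reject", log
    log.append("rlm_ldap: Bind was successful")
    return "ok", log


if __name__ == "__main__":
    d = build_directory()
    for pw in ("correct-horse", "4886"):
        rcode, lines = rlm_ldap_authenticate(d, "test", pw)
        print(f"[test/{pw}] -> {rcode}")
        print("\n".join("  " + line for line in lines))
```

Run as a script, the second attempt reproduces the shape of the log in the post: the DN is found, the bind as that DN fails, and the module returns reject. The alternative the config comments describe (`password_attribute`, where the server pulls the password from the directory and compares it itself) only works if the identity the module binds with is allowed to read that attribute, which an anonymous bind normally is not.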