LDAP and Freeradius Bind problem

thomas hahusseau thomas.hahusseau at gmail.com
Mon May 29 11:31:38 CEST 2006


I try to use Freeradius and OpenLDAP for authentification and I'be got some
problems about binding.

First of all OpenLDAP works well I'm able to connect to the database with
anonymous connection and perform search in the database (no write access of

freeRadius works well when the user and the password is directly inclued on
the conf file "clients" but when i try radtest with a user wich is the LDAP
database it doiesn't work here the command performed :

radtest test 4886 localhost 1812 testing123

an user with uid=test and password is already created in LDAP database.

here is the freeradius output :

modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "test" with password "4886"
radius_xlat:  '(uid=test)'
radius_xlat:  'dc=dist,dc=demo,dc=net'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dist,dc=demo,dc=net, with filter
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: user DN: uid=test,ou=utilisateurs,dc=dist,dc=demo,dc=net
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=test,ou=utilisateurs,dc=dist,dc=demo,dc=net/4886 to
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
  modcall[authenticate]: module "ldap" returns reject for request 0
modcall: leaving group LDAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect (rlm_ldap: Bind as user failed): [test/4886] (from client
localhost port 1812)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 89 to port 32768
       Reply-Message = ""
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 89 with timestamp 447ad91a
Nothing to do.  Sleeping until we see a request.

As you can the binding in anonymous mode works well and the search is
performed and 1 result is found : test.utilisateurs.dist.demo.net

But I don't understand why radius try to bind again with the LDAP server
using account test.utilisateurs.demo.net
Is there a mechanisme with LDAP authentification that I don't Understand ?
According to me as soon as freeradius found in LDAP the user with the right
password it should authorize acess.

this is my radiusd.conf (samples)

# Lightweight Directory Access Protocol (LDAP)
    #  This module definition allows you to use LDAP for
    #  authorization and authentication (Auth-Type := LDAP)
    #  See doc/rlm_ldap for description of configuration options
    #  and sample authorize{} and authenticate{} blocks
    ldap {
        server = localhost
        port = 389
        # identity = "cn=admin,dc=dist,dc=demo,dc=net"
        # password = *********
        basedn = "dc=dist,dc=demo,dc=net"
        # filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # base_filter = "(objectclass=radiusprofile)"

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 689) connections
        start_tls = no

        # tls_cacertfile    = /path/to/cacert.pem
        # tls_cacertdir        = /path/to/ca/dir/
        # tls_certfile        = /path/to/radius.crt
        # tls_keyfile        = /path/to/radius.key
        # tls_randfile        = /path/to/rnd
        # tls_require_cert    = "demand"

        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        access_attr = "uid"

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        ldap_connections_number = 5

        # NOTICE: The password_header directive is NOT case insensitive
        # password_header = "{clear}"
        # Set:
        #    password_attribute = nspmPassword
        # to get the user's password from a Novell eDirectory
        # backend. This will work *only if* freeRADIUS is
        # configured to build with --with-edir option.
        #  The server can usually figure this out on its own, and pull
        #  the correct User-Password or NT-Password from the database.
        #  Note that NT-Passwords MUST be stored as a 32-digit hex
        #  string, and MUST start off with "0x", such as:
        #    0x000102030405060708090a0b0c0d0e0f
        #  Without the leading "0x", NT-Passwords will not work.
        #  This goes for NT-Passwords stored in SQL, too.
        # password_attribute = userPassword
        # Un-comment the following to disable Novell eDirectory account
        # policy check and intruder detection. This will work *only if*
        # FreeRADIUS is configured to build with --with-edir option.
        # edir_account_policy_check=no
        # groupname_attribute = cn
        # groupmembership_filter =
        # groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # do_xlat = yes
        # access_attr_used_for_allow = yes

        #  By default, if the packet contains a User-Password,
        #  and no other module is configured to handle the
        #  authentication, the LDAP module sets itself to do
        #  LDAP bind for authentication.
        #  You can disable this behavior by setting the following
        #  configuration entry to "no".
        #  allowed values: {no, yes}
        set_auth_type = no
#        authtype= LDAP

thank you for your help !!!!

with regards
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20060529/d1441edc/attachment.html>

More information about the Freeradius-Users mailing list