LDAP and Freeradius Bind problem

thomas hahusseau thomas.hahusseau at gmail.com
Mon May 29 11:35:14 CEST 2006


Oops, forgot a sample of radiusd.conf:

    # Uncomment it if you want to use ldap for authentication
    #
    # Note that this means "check plain-text password against
    # the ldap database", which means that EAP won't work,
    # as it does not supply a plain-text password.
    Auth-Type LDAP {
        ldap
    }


As you can see, authentication with LDAP is activated.

2006/5/29, thomas hahusseau <thomas.hahusseau at gmail.com>:
>
> Hello,
>
> I try to use FreeRADIUS and OpenLDAP for authentication and I've got
> some problems with binding.
>
> First of all OpenLDAP works well I'm able to connect to the database with
> anonymous connection and perform search in the database (no write access of
> course).
>
> FreeRADIUS works well when the user and the password are directly included
> in the conf file "clients", but when I try radtest with a user which is in the
> LDAP database it doesn't work. Here is the command performed:
>
> radtest test 4886 localhost 1812 testing123
>
> A user with uid=test and password is already created in the LDAP database.
>
> Here is the FreeRADIUS output:
>
> modcall: leaving group authorize (returns ok) for request 0
>   rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group LDAP for request 0
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "test" with password "4886"
> radius_xlat:  '(uid=test)'
> radius_xlat:  'dc=dist,dc=demo,dc=net'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to localhost:389, authentication 0
> rlm_ldap: bind as / to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=dist,dc=demo,dc=net, with filter
> (uid=test)
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: user DN: uid=test,ou=utilisateurs,dc=dist,dc=demo,dc=net
> rlm_ldap: (re)connect to localhost:389, authentication 1
> rlm_ldap: bind as uid=test,ou=utilisateurs,dc=dist,dc=demo,dc=net/4886 to
> localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind failed with invalid credentials
> rlm_ldap:
>   modcall[authenticate]: module "ldap" returns reject for request 0
> modcall: leaving group LDAP (returns reject) for request 0
> auth: Failed to validate the user.
> Login incorrect (rlm_ldap: Bind as user failed): [test/4886] (from client
> localhost port 1812)
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 89 to 127.0.0.1 port 32768
>        Reply-Message = ""
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 89 with timestamp 447ad91a
> Nothing to do.  Sleeping until we see a request.
>
> As you can see, the binding in anonymous mode works well, the search is
> performed and 1 result is found: test.utilisateurs.dist.demo.net
>
> But I don't understand why radius tries to bind again with the LDAP server
> using the account test.utilisateurs.demo.net.
> Is there a mechanism in LDAP authentication that I don't understand?
> According to me, as soon as FreeRADIUS has found the user with the right
> password in LDAP it should authorize access.
>
> This is my radiusd.conf (samples):
>
>     # Lightweight Directory Access Protocol (LDAP)
>     #
>     #  This module definition allows you to use LDAP for
>     #  authorization and authentication (Auth-Type := LDAP)
>     #
>     #  See doc/rlm_ldap for description of configuration options
>     #  and sample authorize{} and authenticate{} blocks
>     ldap {
>         server = localhost
>         port = 389
>         # identity = "cn=admin,dc=dist,dc=demo,dc=net"
>         # password = *********
>         basedn = "dc=dist,dc=demo,dc=net"
>         # filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>         # base_filter = "(objectclass=radiusprofile)"
>
>         # set this to 'yes' to use TLS encrypted connections
>         # to the LDAP database by using the StartTLS extended
>         # operation.
>         # The StartTLS operation is supposed to be used with normal
>         # ldap connections instead of using ldaps (port 689) connections
>         start_tls = no
>
>         # tls_cacertfile    = /path/to/cacert.pem
>         # tls_cacertdir        = /path/to/ca/dir/
>         # tls_certfile        = /path/to/radius.crt
>         # tls_keyfile        = /path/to/radius.key
>         # tls_randfile        = /path/to/rnd
>         # tls_require_cert    = "demand"
>
>         # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
>         # profile_attribute = "radiusProfileDn"
>         access_attr = "uid"
>
>         # Mapping of RADIUS dictionary attributes to LDAP
>         # directory attributes.
>         dictionary_mapping = ${raddbdir}/ldap.attrmap
>
>         ldap_connections_number = 5
>
>         #
>         # NOTICE: The password_header directive is NOT case insensitive
>         #
>         # password_header = "{clear}"
>         #
>         # Set:
>         #    password_attribute = nspmPassword
>         #
>         # to get the user's password from a Novell eDirectory
>         # backend. This will work *only if* freeRADIUS is
>         # configured to build with --with-edir option.
>         #
>         #
>         #  The server can usually figure this out on its own, and pull
>         #  the correct User-Password or NT-Password from the database.
>         #
>         #  Note that NT-Passwords MUST be stored as a 32-digit hex
>         #  string, and MUST start off with "0x", such as:
>         #
>         #    0x000102030405060708090a0b0c0d0e0f
>         #
>         #  Without the leading "0x", NT-Passwords will not work.
>         #  This goes for NT-Passwords stored in SQL, too.
>         #
>         # password_attribute = userPassword
>         #
>         # Un-comment the following to disable Novell eDirectory account
>         # policy check and intruder detection. This will work *only if*
>         # FreeRADIUS is configured to build with --with-edir option.
>         #
>         # edir_account_policy_check=no
>         #
>         # groupname_attribute = cn
>         # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>         # groupmembership_attribute = radiusGroupName
>         timeout = 4
>         timelimit = 3
>         net_timeout = 1
>         # compare_check_items = yes
>         # do_xlat = yes
>         # access_attr_used_for_allow = yes
>
>         #
>         #  By default, if the packet contains a User-Password,
>         #  and no other module is configured to handle the
>         #  authentication, the LDAP module sets itself to do
>         #  LDAP bind for authentication.
>         #
>         #  You can disable this behavior by setting the following
>         #  configuration entry to "no".
>         #
>         #  allowed values: {no, yes}
>         set_auth_type = no
> #        authtype= LDAP
>     }
>
>
> Thank you for your help!
>
> With regards,
> Thomas
>
>
>
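The debug output quoted above shows the two-step flow rlm_ldap uses for `Auth-Type LDAP`: it first binds with the module's own identity (anonymous here, since `identity` and `password` are commented out) and searches `basedn` to find the user's DN, then reconnects and binds a second time as that DN with the User-Password from the request. The first bind and the search only locate the entry; nothing about the password is verified until the directory accepts or rejects the second bind, which is why "Bind was successful" followed by "Bind failed with invalid credentials" means the directory rejected the password for `uid=test`, not that FreeRADIUS bound "again" for no reason. The following Python helper, an added example rather than code from the thread or from the FreeRADIUS project, walks a `radiusd -X` excerpt and reports which of the two stages failed. It also redacts the cleartext passwords that FreeRADIUS 1.x debug output prints (as it did in the post), which matters before a log is pasted to a mailing list. The sample log is reconstructed from the quoted lines with the line-wrapping undone; the message patterns are those visible in the post, and any other wording is an assumption.

```python
"""Classify where an rlm_ldap bind authentication failed (added example).

rlm_ldap authenticates in two steps:
  1. bind with the module's identity (anonymous when `identity` is unset)
     and search basedn with the configured filter to obtain the user's DN;
  2. reconnect and bind as that DN with the User-Password from the request.
Debug lines carry "authentication 0" for step 1 and "authentication 1" for
step 2, so the outcome of each bind can be attributed to its stage.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the lines quoted in the original post, unwrapped.
SAMPLE_LOG = """\
rlm_ldap: login attempt by "test" with password "4886"
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dist,dc=demo,dc=net, with filter (uid=test)
rlm_ldap: user DN: uid=test,ou=utilisateurs,dc=dist,dc=demo,dc=net
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=test,ou=utilisateurs,dc=dist,dc=demo,dc=net/4886 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
"""

LOGIN = re.compile(r'rlm_ldap: login attempt by "([^"]*)"')
CONNECT = re.compile(r"rlm_ldap: \(re\)connect to \S+, authentication (\d)")
USER_DN = re.compile(r"rlm_ldap: user DN: (\S+)")
BIND_OK = re.compile(r"rlm_ldap: Bind was successful")
BIND_FAIL = re.compile(r"rlm_ldap: Bind failed with (.+)")
BIND_AS = re.compile(r"(rlm_ldap: bind as )(\S*)( to )")
PW_IN_LOGIN = re.compile(r'(login attempt by "[^"]*" with password )"[^"]*"')


@dataclass
class BindTrace:
    user: Optional[str] = None
    service_bind: Optional[str] = None  # "ok" or failure reason for step 1
    user_dn: Optional[str] = None       # DN returned by the search
    user_bind: Optional[str] = None     # "ok" or failure reason for step 2

    def failed_stage(self) -> str:
        """Name the first stage that did not complete, or "none"."""
        if self.service_bind is None:
            return "no-bind-attempted"
        if self.service_bind != "ok":
            return "service-bind"          # identity/password of the module
        if self.user_dn is None:
            return "search"                # filter matched nothing under basedn
        if self.user_bind is None:
            return "user-bind-not-attempted"
        if self.user_bind != "ok":
            return "user-bind"             # directory rejected the user's password
        return "none"


def _record(trace: BindTrace, phase: Optional[int], result: str) -> None:
    # Without a preceding (re)connect line we assume the module identity bind.
    if phase == 1:
        trace.user_bind = result
    else:
        trace.service_bind = result


def parse_rlm_ldap(log: str) -> BindTrace:
    trace = BindTrace()
    phase: Optional[int] = None
    for raw in log.splitlines():
        line = raw.strip()
        if m := LOGIN.match(line):
            trace.user = m.group(1)
        elif m := CONNECT.match(line):
            phase = int(m.group(1))
        elif m := USER_DN.match(line):
            trace.user_dn = m.group(1)
        elif BIND_OK.match(line):
            _record(trace, phase, "ok")
        elif m := BIND_FAIL.match(line):
            _record(trace, phase, m.group(1).strip())
    return trace


def redact_bind_identity(identity: str) -> str:
    """'DN/password' -> 'DN/<redacted>'; a bare '/' is an anonymous bind."""
    dn, sep, _pw = identity.partition("/")
    if dn == "":
        return "(anonymous)"
    return dn + ("/<redacted>" if sep else "")


def redact_log(log: str) -> str:
    """Strip the cleartext passwords that 1.x debug output prints."""
    out = []
    for line in log.splitlines():
        line = PW_IN_LOGIN.sub(r'\1"<redacted>"', line)
        line = BIND_AS.sub(lambda m: m.group(1) + redact_bind_identity(m.group(2)) + m.group(3), line)
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    t = parse_rlm_ldap(SAMPLE_LOG)
    print(f"user={t.user} dn={t.user_dn} failed_stage={t.failed_stage()}")
    print(redact_log(SAMPLE_LOG))
```

Run on the posted log, `failed_stage()` returns `user-bind`: the anonymous bind and the search both succeeded, so the thing to check is the entry itself (the `userPassword` value for `uid=test`, and whether the stored hash scheme is one the OpenLDAP server can verify on bind), not the module's `identity` settings. A result of `service-bind` would instead point at the module credentials, and `search` at `basedn` or the filter.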