Integrate freeradius v1.1.6 and openLADP v2.3.32 for authorization and authentication
xuebin gong
robin_gong at yahoo.com
Thu May 24 19:48:04 CEST 2007
Thanks Pshem for your quick answer.
I expect answer like folowing
"rlm_ldap: user jjeep authorized succesfully
modcall[authorize]: module "ldap" returns ok"
... Request Access-Accept.
But I got
"rlm_ldap: object not found or got ambiguous search
result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns notfound
for request 0"
....... Request Access-Rejected.
What is wrong ? need help.
Thanks
Robin
Pshem Kowalczyk wrote:Freeradius expects exactly one
answer:
rlm_ldap: object not found or got ambiguous search
result
kind regards
Pshem
On 22/05/07, xuebin gong <robin_gong at yahoo.com> wrote:
> Hi, All,
>
> I am user and want to integrate freeradius v1.1.6
and
> openLADP v2.3.32 for authorization and
> authentication. Our operating system is Fedora 5
> Linux.
>
> (1)Install freeRadius-1.1.6
> After following the instruction of installation in
> http://wwww.freeradius.org,
> install freeRadius-1.1.6 on Fedora Linux 5, run
radius
> server in debug mode
>
> radiusd -X
> ......
> Module: Instantiated radutmp (radutmp)
> Listening on authentication *:1812
> Listening on accounting *:1813
> Ready to process requests.
>
> FreeRadius was installed succeefully.
>
> (2)Configure freeRadius-1.1.6
> (2.1) Configure radiusd.conf
> (2.1.1) LDAP module
> ldap{
> server = "10.0.0.118"
> identity = "cn=Manager,dc=mtcable,dc=net"
> password = mtncnl1970
> basedn = "dc=mtcable,dc=net"
> filter =
> "uid=%{Stripped-User-Name:-%{User-Name}}"
> start_tls = no
> dictionary_mapping =
> ${raddbdir}/ldap.attrmap
> ldap_connections_number = 5
> edir_account_policy_check=no
> timeout = 4
> timelimit = 3
> net_timeout = 1
> }
> (2.1.2) authorize module
> uncomment ldap line
>
> authorize{
> ......
> ldap
> ......
> }
>
> (2.1.3) authenticate module
> uncomment block ldap block:
>
> authenticate{
> ......
> Auth-Type LDAP {
> ldap
> }
> ......
> }
>
>
> (2.2) edit /usr/local/etc/raddb/users
> Uncomment the following lines:
>
> DEFAULT Auth-Type = LDAP
> Fall-Through = 1
>
> (3)Install openLDAP
> (4)Configure openLDAP
> (5)Add one LDAP entry for testing
>
> dn: uid=jjeep, ou=radius, rccd=AAA3140018f,
> dc=mtcable,dc=net
> userPassword:: aabbccdd
> cn: jeep
> uid: jjeep
> radiusAuthType: local
> radiusSimultaneousUse: 1
> homeDirectory: //
> objectClass: top
> objectClass: posixAccount
> objectClass: radiusprofile
> uidNumber: 7012
> gidNumber: 100
>
> After add this entry to LDAP, we reset the password
to
> "888888"
>
> (5)Test
> After run test command line
>
> radtest jjeep "888888" localhost 1 testing123
>
> The following is information from running Radiusd
-X:
>
> ......
> rad_recv: Access-Request packet from host
> 127.0.0.1:32771,
> id=192, length=57
> User-Name = "jjeep"
> User-Password = "888888"
> NAS-IP-Address = 255.255.255.255
> NAS-Port = 1
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok
> for request 0
> modcall[authorize]: module "chap" returns noop for
> request 0
> modcall[authorize]: module "mschap" returns noop
for
> request 0
> rlm_realm: No '@' in User-Name = "jjeep", looking
up
> realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop
for
> request 0
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for
> request 0
> users: Matched entry DEFAULT at line 153
> modcall[authorize]: module "files" returns ok for
> request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for jjeep
> radius_xlat: 'uid=jjeep'
> radius_xlat: 'dc=mtcable,dc=net'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 10.0.0.118:389,
> authentication 0
> rlm_ldap: bind as
cn=Manager,dc=mtcable,dc=net/mtncnl1
>
> 970 to 10.0.0.118:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=mtcable,dc=net,
with
>
> filter uid=jjeep
> rlm_ldap: object not found or got ambiguous search
> result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns notfound
> for req
> uest 0
> rlm_pap: WARNING! No "known good" password found for
> the use
> r. Authentication may fail because of this.
> modcall[authorize]: module "pap" returns noop for
> request0
> modcall: leaving group authorize (returns ok) for
> request 0
> rad_check_password: Found Auth-Type LDAP
> auth: type "LDAP"
> Processing the authenticate section of
radiusd.conf
> modcall: entering group LDAP for request 0
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "jjeep" with password
> "888888"
> radius_xlat: 'uid=jjeep'
> radius_xlat: 'dc=mtcable,dc=net'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=mtcable,dc=net,
with
>
> filter uid=jjeep
> rlm_ldap: object not found or got ambiguous search
> result
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authenticate]: module "ldap" returns
> notfound for
> request 0
> modcall: leaving group LDAP (returns notfound) for
> request 0
> auth: Failed to validate the user.
> Login incorrect (rlm_ldap: User not found): [jjeep]
> (from cl
> ient localhost port 1)
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
>
> The following is logfile:
>
> ......
> May 17 12:09:13 dolphin slapd[2205]: conn=7 fd=17
> ACCEPT from IP=10.0.0.118:35564 (IP=0.0.0.0:389)
> May 17 12:09:13 dolphin slapd[2205]: conn=7 op=0
BIND
> dn="cn=Manager,dc=mtcable,dc=net" method=128
> May 17 12:09:13 dolphin slapd[2205]: conn=7 op=0
BIND
> dn="cn=Manager,dc=mtcable,dc=net" mech=SIMPLE ssf=0
> May 17 12:09:13 dolphin slapd[2205]: conn=7 op=0
> RESULT tag=97 err=0 text=
> May 17 12:09:13 dolphin slapd[2205]: conn=7 op=1
SRCH
> base="dc=mtcable,dc=net" scope=2 deref=0
> filter="(uid=jjeep)"
> May 17 12:09:13 dolphin slapd[2205]: conn=7 op=1
SRCH
> attr=radiusNASIpAddress radiusExpiration acctFlags
> ntPassword lmPassword radiusCallingStationId
> radiusCalledStationId radiusSimultaneousUse
> radiusAuthType radiusCheckItem radiusReplyMessage
> radiusLoginLATPort radiusPortLimit
> radiusFramedAppleTalkZone
radiusFramedAppleTalkNetwork
> radiusFramedAppleTalkLink radiusLoginLATGroup
> radiusLoginLATNode radiusLoginLATService
> radiusTerminationAction radiusIdleTimeout
> radiusSessionTimeout radiusClass
> radiusFramedIPXNetwork radiusCallbackId
> radiusCallbackNumber radiusLoginTCPPort
> radiusLoginService radiusLoginIPHost
> radiusFramedCompression radiusFramedMTU
radiusFilterId
> radiusFramedRouting radiusFramedRoute
> radiusFramedIPNetmask radiusFramedIPAddress
> radiusFramedProtocol radiusServiceType
radiusReplyItem
>
> May 17 12:09:13 dolphin slapd[2205]: conn=7 op=1
> SEARCH RESULT tag=101 err=0 nentries=3 text=
> May 17 12:09:13 dolphin slapd[2205]: conn=7 op=2
SRCH
> base="dc=mtcable,dc=net" scope=2 deref=0
> filter="(uid=jjeep)"
> May 17 12:09:13 dolphin slapd[2205]: conn=7 op=2
SRCH
> attr=uid
> May 17 12:09:13 dolphin slapd[2205]: conn=7 op=2
> SEARCH RESULT tag=101 err=0 nentries=3 text=
>
> It looks like LDAP search successfully and found 3
> entries, but redius server could not find any
objects.
>
> What is wrong with my integration?
>
> Thanks In Advanced
>
> Robin
____________________________________________________________________________________Take the Internet to Go: Yahoo!Go puts the Internet in your pocket: mail, news, photos & more.
http://mobile.yahoo.com/go?refer=1GNXIC
More information about the Freeradius-Users
mailing list