Possible LDAP issue
John Ellin
john at 4ccompany.com
Thu May 31 17:52:28 CEST 2007
Installed and configured FreeRADIUS and fired it up:
(lines prefixed v are server messages, lines prefixed ^ are client messages)
[root at hagrid ~]# radiusd -x
v Starting - reading configuration files ...
v Module: Loaded exec
v rlm_exec: Wait=yes but no output defined. Did you mean output=none?
v Module: Instantiated exec (exec)
v Module: Loaded expr
v Module: Instantiated expr (expr)
v Module: Loaded PAP
v Module: Instantiated pap (pap)
v Module: Loaded CHAP
v Module: Instantiated chap (chap)
v Module: Loaded MS-CHAP
v Module: Instantiated mschap (mschap)
v Module: Loaded System
v Module: Instantiated unix (unix)
v Module: Loaded LDAP
v rlm_ldap: Registering ldap_groupcmp for Ldap-Group
v rlm_ldap: Registering ldap_xlat with xlat_name ldap
v rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
v [...]
v conns: 0x8125160
v Module: Instantiated ldap (ldap)
v Module: Loaded eap
v rlm_eap: Loaded and initialized type md5
v rlm_eap: Loaded and initialized type leap
v rlm_eap: Loaded and initialized type gtc
v rlm_eap: Loaded and initialized type mschapv2
v Module: Instantiated eap (eap)
v Module: Loaded preprocess
v Module: Instantiated preprocess (preprocess)
v Module: Loaded realm
v Module: Instantiated realm (suffix)
v Module: Loaded files
v Module: Instantiated files (files)
v Module: Loaded Acct-Unique-Session-Id
v Module: Instantiated acct_unique (acct_unique)
v Module: Loaded detail
v Module: Instantiated detail (detail)
v Module: Loaded radutmp
v Module: Instantiated radutmp (radutmp)
v Module: Instantiated detail (reply_log)
v Initializing the thread pool...
v Listening on authentication 192.168.0.16:1812
v Listening on authentication 127.0.0.1:1812
v Listening on accounting 192.168.0.16:1813
v Listening on accounting 127.0.0.1:1813
v Listening on proxy *:1814
v Ready to process requests.
This user is defined in the raddb/users file:
[root at hagrid ~]# radtest testuser secret 192.168.0.16 10 hashpass
^ Sending Access-Request of id 158 to 192.168.0.16:1812
^ User-Name = "testuser"
^ User-Password = "secret"
^ NAS-IP-Address = hagrid.4ccompany.com
^ NAS-Port = 10
v rad_recv: Access-Request packet from host 192.168.0.16:35308, id=158,
length=60
v User-Name = "testuser"
v User-Password = "secret"
v NAS-IP-Address = 255.255.255.255
v NAS-Port = 10
v rlm_ldap: - authorize
v rlm_ldap: performing user authorization for testuser
v rlm_ldap: ldap_get_conn: Checking Id: 0
v rlm_ldap: ldap_get_conn: Got Id: 0
v rlm_ldap: (re)connect to hagrid.4ccompany.com:389, authentication 0
v rlm_ldap: bind as / to hagrid.4ccompany.com:389
v rlm_ldap: waiting for bind result ...
v rlm_ldap: Bind was successful
v rlm_ldap: object not found or got ambiguous search result
v rlm_ldap: search failed
v rlm_ldap: ldap_release_conn: Release Id: 0
v Sending Access-Accept of id 158 to 192.168.0.16:35308
^ rad_recv: Access-Accept packet from host 192.168.0.16:1812, id=158,
length=20
This user is in LDAP (user id & passwords changed for obvious reasons):
[root at hagrid ~]# radtest hansolo imnottelling 192.168.0.16 10 hashpass
^ Sending Access-Request of id 172 to 192.168.0.16:1812
^ User-Name = "hansolo"
^ User-Password = "imnottelling"
^ NAS-IP-Address = hagrid.4ccompany.com
^ NAS-Port = 10
v rad_recv: Access-Request packet from host 192.168.0.16:35308, id=172,
length=56
v User-Name = "hansolo"
v User-Password = "imnottelling"
v NAS-IP-Address = 255.255.255.255
v NAS-Port = 10
v rlm_ldap: - authorize
v rlm_ldap: performing user authorization for hansolo
v rlm_ldap: ldap_get_conn: Checking Id: 0
v rlm_ldap: ldap_get_conn: Got Id: 0
v rlm_ldap: checking if remote access for hansolo is allowed by dialupAccess
v rlm_ldap: looking for check items in directory...
v rlm_ldap: looking for reply items in directory...
v rlm_ldap: user hansolo authorized to use remote access
v rlm_ldap: ldap_release_conn: Release Id: 0
for(i=0;i<9;++i)
{
^ Re-sending Access-Request of id 172 to 192.168.0.16:1812
^ User-Name = "hansolo"
^ User-Password = "some hash of imnottelling"
^ NAS-IP-Address = hagrid.4ccompany.com
^ NAS-Port = 10
v rad_recv: Access-Request packet from host 192.168.0.16:35308, id=172,
length=56
v Discarding duplicate request from client macnab:35308 - ID: 172 due to
unfinished request 1
}
^ radclient: no response from server for ID 172
v WARNING: Unresponsive child (id 3072723888) for request 1
As you can see, everything works fine for a RADIUS-specific user, but it
grinds to a halt for a user declared in LDAP.
Any pointers would be greatly appreciated.
--
Best regards,
jona.
Where a calculator on the ENIAC is equipped with 18,000 vacuum tubes and
weighs 30 tons, computers in the future may have only 1,000 vacuum tubes and
weigh only 1 1/2 tons.
--- Popular Mechanics, March 1949
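As an added illustration (not part of the original post), a small Python triage script that reads this kind of radiusd -x output and flags request IDs that reached rlm_ldap authorization but never got an Access-Accept or Access-Reject, using the "unfinished request N" number in the duplicate-discard line to tie the later "Unresponsive child" warning back to the RADIUS ID. The sample log is a constructed excerpt of the lines quoted above with the e-mail line wrapping undone; the User-Password lines are deliberately left out because -x debugging prints them in cleartext.

```python
import re

# Constructed excerpt of the radiusd -x output from the post (server lines only,
# 'v ' markers stripped, wrapped lines rejoined). Not a real capture.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.0.16:35308, id=158, length=60
rlm_ldap: performing user authorization for testuser
rlm_ldap: search failed
Sending Access-Accept of id 158 to 192.168.0.16:35308
rad_recv: Access-Request packet from host 192.168.0.16:35308, id=172, length=56
rlm_ldap: performing user authorization for hansolo
rlm_ldap: user hansolo authorized to use remote access
rad_recv: Access-Request packet from host 192.168.0.16:35308, id=172, length=56
Discarding duplicate request from client macnab:35308 - ID: 172 due to unfinished request 1
rad_recv: Access-Request packet from host 192.168.0.16:35308, id=172, length=56
Discarding duplicate request from client macnab:35308 - ID: 172 due to unfinished request 1
WARNING: Unresponsive child (id 3072723888) for request 1
"""

RECV = re.compile(r"rad_recv: Access-Request packet from host (\S+), id=(\d+)")
SENT = re.compile(r"Sending Access-(Accept|Reject|Challenge) of id (\d+) to (\S+)")
AUTHZ = re.compile(r"rlm_ldap: performing user authorization for (\S+)")
DUP = re.compile(r"Discarding duplicate request from client \S+ - ID: (\d+) due to unfinished request (\d+)")
HUNG = re.compile(r"WARNING: Unresponsive child \(id \d+\) for request (\d+)")


def _new_request():
    return {"user": None, "reply": None, "duplicates": 0, "hung": False}


def triage(log: str) -> dict:
    """Map each RADIUS packet ID to what the server did with it."""
    reqs, reqnum_to_id, current = {}, {}, None
    for line in log.splitlines():
        if m := RECV.search(line):
            current = m.group(2)                    # retransmits keep the same ID
            reqs.setdefault(current, _new_request())
        elif m := AUTHZ.search(line):
            if current:                             # module lines belong to the last rad_recv
                reqs[current]["user"] = m.group(1)
        elif m := SENT.search(line):
            reqs.setdefault(m.group(2), _new_request())["reply"] = m.group(1)
        elif m := DUP.search(line):
            rid, reqnum = m.groups()
            reqs.setdefault(rid, _new_request())["duplicates"] += 1
            reqnum_to_id[reqnum] = rid              # internal request number -> packet ID
        elif m := HUNG.search(line):
            rid = reqnum_to_id.get(m.group(1))      # the warning only names the internal number
            if rid:
                reqs[rid]["hung"] = True
    return reqs


def stuck_requests(log: str) -> list:
    """IDs the client kept retrying that never received any reply."""
    return sorted(rid for rid, r in triage(log).items()
                  if r["reply"] is None and (r["duplicates"] or r["hung"]))
```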