Problems using freeradius with ldap

Sergio Belkin sbelki at palermo.edu
Mon Sep 3 22:42:37 CEST 2007


I have a problem on Fedora 4 (sadly, at my job I cannot change this) when using 
radtest against LDAP.

Package versions: 
openldap-servers-2.2.29-1.FC4
openldap-clients-2.2.29-1.FC4
openldap-2.2.29-1.FC4
freeradius-1.0.4-1.FC4.1

This is part of /etc/raddb/radiusd.conf:

ldap {
                server = "localhost"
                basedn = "ou=people,dc=mydomain,dc=com"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                password_attribute = userPassword
(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)
(uniquemember=%{Ldap-UserDn})))"
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }

authorize {
        chap
        mschap
        suffix
        eap
        files
        ldap
        checkval
}

And this is a portion of /etc/raddb/users:
DEFAULT  Auth-Type = System
   Fall-Through = 1
DEFAULT  Auth-Type = LDAP
   Fall-Through = 1


I've appended the schemas in /etc/openldap/slapd.conf:
/usr/share/doc/freeradius-1.0.4/RADIUS-LDAPv3.schema
/usr/share/doc/freeradius-1.0.4/RADIUS-LDAP.schema

Well, when I issue radtest in debug mode I get:
radtest testuser sample  localhost  0  testing123
Sending Access-Request of id 88 to 127.0.0.1:1812
        User-Name = "testuser"
        User-Password = "sample"
        NAS-IP-Address = host.mydomain.com
        NAS-Port = 0
rad_recv: Access-Request packet from host 127.0.0.1:42077, id=88, length=58
        User-Name = "testuser"
        User-Password = "sample"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 2
    users: Matched entry DEFAULT at line 152
    users: Matched entry DEFAULT at line 155
  modcall[authorize]: module "files" returns ok for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat:  '(uid=testuser)'
radius_xlat:  'ou=people,dc=mydomain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=mydomain,dc=com, with filter 
(uid=testuser)
rlm_ldap: Added password sample in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 2
modcall: group authorize returns ok for request 2
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  modcall[authenticate]: module "unix" returns notfound for request 2
modcall: group authenticate returns notfound for request 2
auth: Failed to validate the user.
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 88 to 127.0.0.1:42077
Waking up in 4 seconds...
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=88, length=20
17:20:33 [root at spike] /etc/raddb
$ --- Walking the entire request list ---
Cleaning up request 2 ID 88 with timestamp 46dc6c8f
Nothing to do.  Sleeping until we see a request.


Could you please lend me a hand to resolve this issue?
Thanks in advance!
-- 
Sergio Belkin
Comunicación e Internet
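
An added example, not part of the original post: a small Python parser for radiusd debug output in the format quoted above. It records each module's return code per section and the Auth-Type reported by rad_check_password. The embedded trace is a subset of the lines from the post; the function and field names are assumptions.

```python
import re

# Constructed sample: a subset of the debug lines quoted in the post.
SAMPLE_TRACE = """\
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "files" returns ok for request 2
  modcall[authorize]: module "ldap" returns ok for request 2
modcall: group authorize returns ok for request 2
  rad_check_password:  Found Auth-Type System
auth: type "System"
modcall: entering group authenticate for request 2
  modcall[authenticate]: module "unix" returns notfound for request 2
modcall: group authenticate returns notfound for request 2
auth: Failed to validate the user.
"""

MODULE_RE = re.compile(
    r'modcall\[(?P<section>\w+)\]: module "(?P<module>[^"]+)" '
    r'returns (?P<rcode>\w+) for request (?P<req>\d+)')
GROUP_RE = re.compile(
    r'modcall: group (?P<section>\w+) returns (?P<rcode>\w+) for request (?P<req>\d+)')
AUTH_TYPE_RE = re.compile(r'rad_check_password:\s+Found Auth-Type (?P<type>\S+)')


def summarize_trace(text):
    """Map request id -> per-section module results, group results, Auth-Type."""
    requests, current = {}, None
    for line in text.splitlines():
        module = MODULE_RE.search(line)
        group = GROUP_RE.search(line)
        auth = AUTH_TYPE_RE.search(line)
        hit = module or group
        if hit:
            current = hit["req"]
            entry = requests.setdefault(
                current, {"modules": {}, "groups": {}, "auth_type": None})
        if module:
            entry["modules"].setdefault(module["section"], []).append(
                (module["module"], module["rcode"]))
        elif group:
            entry["groups"][group["section"]] = group["rcode"]
        elif auth and current is not None:
            # This line carries no request id; attribute it to the latest request.
            requests[current]["auth_type"] = auth["type"]
    return requests


if __name__ == "__main__":
    for req, info in summarize_trace(SAMPLE_TRACE).items():
        print(req, info["auth_type"], info["groups"], info["modules"])
```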