Integrating FreeRadius and Openldap: rlm_ldap not found error

Syed Anwarul Hasan syedanwarulhasan2007 at gmail.com
Wed Aug 27 11:23:11 CEST 2008


I have made the following changes in the files below to test the FreeRADIUS
server against an OpenLDAP backend.
1) /etc/raddb/modules/ldap


ldap {
    #
    #  Note that this needs to match the name in the LDAP
    #  server certificate, if you're using ldaps.
    #
    #  NOTE(review): the radiusd -X output further down loads this module
    #  from /usr/local/etc/raddb/modules/ldap (libdir /usr/local/lib), not
    #  from /etc/raddb as named above -- confirm which copy is being edited.
    #  The same output reports rlm_ldap.so missing from libdir, i.e. the
    #  module binary was not built or installed; that is independent of
    #  anything in this file.
    *server = "127.0.0.1"
    #  identity is the directory rootdn from slapd.conf below, so the RADIUS
    #  server binds with full directory rights (rootdn bypasses all ACLs).
    #  A dedicated bind DN limited to reading the user subtree would be the
    #  least-privilege choice.
    identity = "cn=Administrator,dc=thales,dc=com"
    #  Bind password stored in cleartext and, with no TLS configured (see
    #  "no TLS" below), sent unencrypted to the server; harmless only while
    #  both ends stay on 127.0.0.1, and this file must not be world readable.
    password =  thales
    basedn = "dc=thales,dc=com"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    #  NOTE(review): the uid=hasan entry in the ldapsearch output below has
    #  no radiusprofile objectClass; if base_filter is applied to the user
    #  lookup in this version, that lookup will find nothing -- confirm.
    base_filter = "(objectclass=radiusprofile)"*

  # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
    # profile_attribute = "radiusProfileDn"
    #  NOTE(review): the uid=hasan entry below carries no dialupAccess
    #  attribute; with access_attr set, the module will presumably reject
    #  that user once it loads -- confirm against the rlm_ldap docs.
     *access_attr = "dialupAccess"*

    # Mapping of RADIUS dictionary attributes to LDAP
    # directory attributes.
    *dictionary_mapping = ${confdir}/ldap.attrmap
    #  userPassword does not appear in the anonymous ldapsearch output below
    #  because the slapd ACL grants only "by * auth" on it; the rootdn bind
    #  used here is not subject to that ACL, so the module can read it.
*    *password_attribute = userPassword

And also with no TLS.




2) ldap.attrmap file, with no changes.


*#
# Mapping of RADIUS dictionary attributes to LDAP directory attributes
# to be used by LDAP authentication and authorization module (rlm_ldap)
#
# Format:
#   ItemType    RADIUS-Attribute-Name        ldapAttributeName  [operator]
#
# Where:
#   ItemType              = checkItem or replyItem
#   RADIUS-Attribute-Name = attribute name in RADIUS dictionary
#   ldapAttributeName     = attribute name in LDAP schema
#   operator              = optional, and may not be present.
#                If not present, defaults to "==" for checkItems,
#                and "=" for replyItems.
#                If present, the operator here should be one
#                of the same operators as defined in the "users"
#                file ("man users", or "man 5 users").
#                If an operator is present in the value of the
#                LDAP entry (i.e. ":=foo"), then it over-rides
#                both the default, and any operator given here.
#
# If $GENERIC$ is specified as RADIUS-Attribute-Name, the line specifies
# a LDAP attribute which can be used to store any RADIUS
# attribute/value-pair in LDAP directory.
#
# You should edit this file to suit it to your needs.
#

checkItem    $GENERIC$            radiusCheckItem
replyItem    $GENERIC$            radiusReplyItem

checkItem    Auth-Type            radiusAuthType
checkItem    Simultaneous-Use        radiusSimultaneousUse
checkItem    Called-Station-Id        radiusCalledStationId
checkItem    Calling-Station-Id        radiusCallingStationId
checkItem    LM-Password            lmPassword
checkItem    NT-Password            ntPassword
checkItem    LM-Password            sambaLmPassword
checkItem    NT-Password            sambaNtPassword
checkItem    SMB-Account-CTRL-TEXT        acctFlags
checkItem    Expiration            radiusExpiration
checkItem    NAS-IP-Address            radiusNASIpAddress

replyItem    Service-Type            radiusServiceType
replyItem    Framed-Protocol            radiusFramedProtocol
replyItem    Framed-IP-Address        radiusFramedIPAddress
replyItem    Framed-IP-Netmask        radiusFramedIPNetmask
replyItem    Framed-Route            radiusFramedRoute
replyItem    Framed-Routing            radiusFramedRouting
replyItem    Filter-Id            radiusFilterId
replyItem    Framed-MTU            radiusFramedMTU
replyItem    Framed-Compression        radiusFramedCompression
replyItem    Login-IP-Host            radiusLoginIPHost
replyItem    Login-Service            radiusLoginService
replyItem    Login-TCP-Port            radiusLoginTCPPort
replyItem    Callback-Number            radiusCallbackNumber
replyItem    Callback-Id            radiusCallbackId
replyItem    Framed-IPX-Network        radiusFramedIPXNetwork
replyItem    Class                radiusClass
replyItem    Session-Timeout            radiusSessionTimeout
replyItem    Idle-Timeout            radiusIdleTimeout
replyItem    Termination-Action        radiusTerminationAction
replyItem    Login-LAT-Service        radiusLoginLATService
replyItem    Login-LAT-Node            radiusLoginLATNode
replyItem    Login-LAT-Group            radiusLoginLATGroup
replyItem    Framed-AppleTalk-Link        radiusFramedAppleTalkLink
replyItem    Framed-AppleTalk-Network    radiusFramedAppleTalkNetwork
replyItem    Framed-AppleTalk-Zone        radiusFramedAppleTalkZone
replyItem    Port-Limit            radiusPortLimit
replyItem    Login-LAT-Port            radiusLoginLATPort
replyItem    Reply-Message            radiusReplyMessage*


3) /etc/openldap/ldap.conf
#*
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE    dc=example, dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT    12
#TIMELIMIT    15
#DEREF        never
#TLS_REQCERT    allow*
host    localhost
base    dc=thales,dc=com


4) /etc/openldap/slapd.conf

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include        /etc/openldap/schema/core.schema
include        /etc/openldap/schema/cosine.schema
include        /etc/openldap/schema/inetorgperson.schema
include        /etc/openldap/schema/rfc2307bis.schema
include        /etc/openldap/schema/yast.schema
include        /etc/openldap/schema/RADIUS-LDAPv3.schema
# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral    ldap://root.openldap.org

*pidfile        /var/run/slapd/slapd.pid
argsfile    /var/run/slapd/slapd.args*

*# Load dynamic backend modules:
modulepath    /usr/lib/openldap/modules
# moduleload    back_ldap.la
# moduleload    back_meta.la
# moduleload    back_monitor.la
# moduleload    back_perl.la

# Sample security restrictions
#    Require integrity protection (prevent hijacking)
#    Require 112-bit (3DES or better) encryption for updates
#    Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
#
# NOTE(review): with the security directive left commented out and the
# rlm_ldap module configured without TLS, the Administrator simple bind
# from modules/ldap crosses the wire in cleartext; acceptable only while
# both server and client stay on 127.0.0.1 / localhost as configured here.

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access to user password
#               Allow anonymous users to authenticate
#               Allow read access to everything else
#       Directives needed to implement policy:
access to dn.base=""
        by * read

access to dn.base="cn=Subschema"
        by * read

# userPassword/userPKCS12 are only usable for binding by others, never
# readable; this is why the anonymous ldapsearch output below shows no
# userPassword on the user entries.
access to attrs=userPassword,userPKCS12
        by self write
        by * auth

access to attrs=shadowLastChange
        by self write
        by * read

# ACLs are evaluated in order, first match wins: this catch-all grants
# anonymous read on every entry and attribute not matched above (the
# unauthenticated "ldapsearch -x" below succeeds for that reason).
# Narrow it to the authenticated bind DN once integration works.
access to *
        by * read*

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

# loglevel 0 disables slapd logging entirely; a stats level (e.g. 256)
# makes bind attempts and ACL decisions visible while integrating rlm_ldap.
loglevel 0
# Accepts LDAPv2 binds in addition to v3; only legacy clients need this,
# and rlm_ldap presumably speaks LDAPv3 (cf. RADIUS-LDAPv3.schema above).
allow bind_v2
database bdb
suffix "dc=thales,dc=com"
# rootdn is the directory superuser and is exempt from every ACL above;
# it is also the identity rlm_ldap binds with in modules/ldap.
rootdn "cn=Administrator,dc=thales,dc=com"
# Superuser password in cleartext, shared with the RADIUS module config.
# rootpw also accepts a hashed value (e.g. an {SSHA} hash from slappasswd),
# which avoids keeping the plaintext in this file.
rootpw "thales"
directory /var/lib/ldap
checkpoint 1024 5
cachesize 10000
index objectClass eq



And in the /etc/raddb/sites-enabled/default file,

I have enabled ldap in the authorize and authenticate sections.


5) And this is my ldapsearch output, which lists my directory contents in LDIF.

# ldapsearch -x -h localhost objectclass=*
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: objectclass=*
# requesting: ALL
#

# thales.com
dn: dc=thales,dc=com
description: thales.Com, your trusted non-existent corporation.
dc: thales
o: thales.com
objectClass: top
objectClass: dcObject
objectClass: organization

# Users, thales.com
dn: ou=Users,dc=thales,dc=com
ou: Users
description: thales.com Users
objectClass: organizationalUnit

# Groups, thales.com
dn: ou=Groups,dc=thales,dc=com
ou: Groups
description: thales.Com Groups
objectClass: organizationalUnit

# System, thales.com
dn: ou=System,dc=thales,dc=com
ou: System
description: Special accounts used by software applications.
objectClass: organizationalUnit

# hasan, Users, thales.com
dn: uid=hasan,ou=Users,dc=thales,dc=com
ou: Users
uid: hasan
cn: hasan syed
sn: hasan
givenName: syed
displayName: Syed Hasan
title: Systems Integrator
description: Systems Integration and IT for thales.com
employeeType: Employee
departmentNumber: 001
employeeNumber: 001-08-98
mail: hasansyed at thales.com
mail: hasan at thales.com
roomNumber: 301
telephoneNumber: +1 555 555 4321
mobile: +1 555 555 6789
st: Alpes Maritimes
l: Cannes
street: 1234 Cicero Ave.
preferredLanguage: en-us,en-gb
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson

# barbara, Users, thales.com
dn: uid=barbara,ou=Users,dc=thales,dc=com
ou: Users
uid: barbara
sn: Jensen
cn: Barbara Jensen
givenName: Barbara
displayName: Barbara Jensen
mail: barbara at thales.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson

# LDAP Admins, Groups, thales.com
dn: cn=LDAP Admins,ou=Groups,dc=thales,dc=com
cn: LDAP Admins
ou: Groups
description: Users who are LDAP administrators
uniqueMember: uid=barbara,dc=thales,dc=com
uniqueMember: uid=hasan,dc=thales,dc=com
objectClass: groupOfUniqueNames

# people, thales.com
dn: ou=people,dc=thales,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

# group, thales.com
dn: ou=group,dc=thales,dc=com
objectClass: top
objectClass: organizationalUnit
ou: group

# grouptemplate, Users, thales.com
dn: cn=grouptemplate,ou=Users,dc=thales,dc=com
cn: grouptemplate
objectClass: top
objectClass: suseObjectTemplate
objectClass: suseGroupTemplate
suseNamingAttribute: cn
susePlugin: UsersPluginLDAPAll

# usertemplate, Users, thales.com
dn: cn=usertemplate,ou=Users,dc=thales,dc=com
cn: usertemplate
objectClass: top
objectClass: suseObjectTemplate
objectClass: suseUserTemplate
suseDefaultValue: homedirectory=/home/%uid
suseDefaultValue: loginshell=/bin/bash
suseNamingAttribute: uid
susePlugin: UsersPluginLDAPAll

# anwar, users, thales.com
dn: cn=anwar,ou=users,dc=thales,dc=com
cn: anwar
objectClass: top
objectClass: suseModuleConfiguration
objectClass: suseUserConfiguration
suseDefaultBase: ou=people,dc=thales,dc=com
suseDefaultTemplate: cn=usertemplate,ou=Users,dc=thales,dc=com
suseMaxPasswordLength: 8
suseMaxUniqueId: 60000
suseMinPasswordLength: 5
suseMinUniqueId: 1000
suseNextUniqueId: 1000
susePasswordHash: CRYPT
suseSearchFilter: objectclass=posixaccount
suseSkelDir: /etc/skel

# groupconfiguration, Users, thales.com
dn: cn=groupconfiguration,ou=Users,dc=thales,dc=com
cn: groupconfiguration
objectClass: top
objectClass: suseModuleConfiguration
objectClass: suseGroupConfiguration
suseDefaultBase: ou=group,dc=thales,dc=com
suseDefaultTemplate: cn=grouptemplate,ou=Users,dc=thales,dc=com
suseMaxUniqueId: 60000
suseMinUniqueId: 1000
suseNextUniqueId: 1000
suseSearchFilter: objectclass=posixgroup

# search result
search: 2
result: 0 Success

# numResponses: 14
# numEntries: 13


Given this tree structure, I want to authenticate the uid hasan in the Users
entry with the user password 'thales' using radtest, to check whether
FreeRADIUS can authenticate against the OpenLDAP backend,
using the command: radtest hasan thales 192.168.1.131 1 testing123

After making the above changes for OpenLDAP and FreeRADIUS
integration, I started the FreeRADIUS server using the radiusd -X command.

Please help me in this regard.

SYED
Stagiare,Thales

6) I got this output, in which the error is that the rlm_ldap module failed to link.


*FreeRADIUS Version 2.0.5, for host i686-pc-linux-gnu, built on Jul 21 2008
at 15:35:42
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including configuration file /usr/local/etc/raddb/snmp.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including dictionary file /usr/local/etc/raddb/dictionary
main {
        prefix = "/usr/local"
        localstatedir = "/usr/local/var"
        logdir = "/usr/local/var/log/radius"
        libdir = "/usr/local/lib"
        radacctdir = "/usr/local/var/log/radius/radacct"
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        allow_core_dumps = no
        pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
        checkrad = "/usr/local/sbin/checkrad"
        debug_level = 0
        proxy_requests = yes
 log {
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
 }
}
 client localhost {
        ipaddr = 127.0.0.1
        require_message_authenticator = no
        secret = "testing123"
        nastype = "other"
 }
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
 }
 home_server localhost {
        ipaddr = 127.0.0.1
        port = 1812
        type = "auth"
        secret = "testing123"
        response_window = 20
        max_outstanding = 65536
        zombie_period = 40
        status_check = "status-server"
        ping_check = "none"
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 120
        status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
        type = fail-over
        home_server = localhost
 }
 realm example.com {
        auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
        wait = no
        input_pairs = "request"
        shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
        reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
        reply-message = "You are calling outside your allowed timespan  "
        minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
        encryption_scheme = "auto"
        auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
        use_mppe = yes
        require_encryption = no
        require_strong = no
        with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
        radwtmp = "/usr/local/var/log/radius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
        default_eap_type = "md5"
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
        challenge = "Password: "
        auth_type = "PAP"
   }
rlm_eap: Ignoring EAP-Type/tls because we do not have OpenSSL support.
rlm_eap: Ignoring EAP-Type/ttls because we do not have OpenSSL support.
rlm_eap: Ignoring EAP-Type/peap because we do not have OpenSSL support.
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
        with_ntdomain_hack = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
        format = "suffix"
        delimiter = "@"
        ignore_default = no
        ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
        usersfile = "/usr/local/etc/raddb/users"
        acctusersfile = "/usr/local/etc/raddb/acct_users"
        preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
        compat = "no"
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
        filename = "/usr/local/var/log/radius/radutmp"
        username = "%{User-Name}"
        case_sensitive = yes
        check_with_nas = yes
        perm = 384
        callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
        attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
        key = "%{User-Name}"
  }
 }
}
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
/*usr/local/etc/raddb/modules/ldap[29]: Failed to link to module 'rlm_ldap':
rlm_ldap.so: cannot open shared object file: No such file or directory
/usr/local/etc/raddb/sites-enabled/default[275]: Failed to find module
"ldap".
/usr/local/etc/raddb/sites-enabled/default[275]: Failed to parse "ldap"
entry.
 }
}*
* Errors initializing modules*

*



*