Freeradius with OpenLDAP (Suse Enterprise 10)

David W Bell david at chaoscrypt.com
Mon Feb 11 14:56:24 CET 2008


Markus Krause wrote:
> Zitat von David W Bell <david at chaoscrypt.com>:
>
>> LDAP is installed and working out of the box, having been set to be
>> used for authentication during the SUSE install.
>>
>> This is proven by the ability to log in to the box, both locally and 
>> via SSH
>>
>> I installed freeRADIUS from the latest source and it is working also.
>>
>> freeRADIUS seems unable to find a password for the user during 
>> Authentication.
>>
>> I issue the following on my workstation
>>
>> david at belld-ubuntu:~$ echo "User-Name = belld,Password=p455w0rd" |
>> radclient 212.95.255.242:1812 auth testing
>> Received response ID 99, code 3, length = 20
>>
>> And see the following from freeRADIUS Listening on authentication
>> address * port 1812
>> Listening on accounting address * port 1813
>> Ready to process requests.
>> rad_recv: Access-Request packet from host 212.95.252.25 port 20758,
>> id=99, length=45
>>        User-Name = "belld"
>>        User-Password = "p455w0rd"
>> +- entering group authorize
>> ++[preprocess] returns ok
>> ++[chap] returns noop
>> ++[mschap] returns noop
>>    rlm_realm: No '@' in User-Name = "belld", looking up realm NULL
>>    rlm_realm: No such realm "NULL"
>> ++[suffix] returns noop
>>  rlm_eap: No EAP-Message, not doing EAP
>> ++[eap] returns noop
>> ++[unix] returns notfound
>> ++[files] returns noop
>> rlm_ldap: - authorize
>> rlm_ldap: performing user authorization for belld
>> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for 
>> details
>>        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
>>        expand: dc=dxi,dc=net -> dc=dxi,dc=net
>> rlm_ldap: ldap_get_conn: Checking Id: 0
>> rlm_ldap: ldap_get_conn: Got Id: 0
>> rlm_ldap: attempting LDAP reconnection
>> rlm_ldap: (re)connect to localhost:389, authentication 0
>> rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to 
>> localhost:389
>> rlm_ldap: waiting for bind result ...
>> rlm_ldap: Bind was successful
>> rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
>> rlm_ldap: looking for check items in directory...
>> rlm_ldap: looking for reply items in directory...
>> WARNING: No "known good" password was found in LDAP.  Are you sure that
>> the user is configured correctly?
>> rlm_ldap: user belld authorized to use remote access
>> rlm_ldap: ldap_release_conn: Release Id: 0
>> ++[ldap] returns ok
>> ++[expiration] returns noop
>> ++[logintime] returns noop
>> rlm_pap: WARNING! No "known good" password found for the user.
>> Authentication may fail because of this.
>> ++[pap] returns noop
>> auth: No authenticate method (Auth-Type) configuration found for the
>> request: Rejecting the user
>> auth: Failed to validate the user.
>> Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0)
>>  Found Post-Auth-Type Reject
>> +- entering group REJECT
>>        expand: %{User-Name} -> belld
>> attr_filter: Matched entry DEFAULT at line 11
>> ++[attr_filter.access_reject] returns updated
>> Delaying reject of request 0 for 1 seconds
>> Going to the next request
>> Waking up in 0.9 seconds.
>> Sending delayed reject for request 0
>> Sending Access-Reject of id 99 to 212.95.252.25 port 20758
>> Waking up in 4.9 seconds.
>>
>> What I can't work out is whether this is due to an LDAP or a RADIUS
>> config problem.
>>
>
> what is the result of the following commands (using a terminal):
>   ldapsearch -x -h localhost -b "dc=dxi,dc=net" uid=belld
>   ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D 
> "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld
>
> if they (especially the latter) do not return a value for the field 
> "userPassword" the problem is on the LDAP side.
>
> markus
>
Thanks Markus.

I thought of that - and had done the 1st search and HAD noticed there 
was no LDAP password set

# extended LDIF
#
# LDAPv3
# base <dc=dxi,dc=net> with scope subtree
# filter: uid=belld
# requesting: ALL
#

# belld, people, dxi.net
dn: uid=belld,ou=people,dc=dxi,dc=net
cn: David Bell
gidNumber: 100
givenName: David
homeDirectory: /home/belld
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
shadowInactive: -1
shadowMax: 99999
shadowMin: 0
shadowWarning: 7
sn: Bell
uid: belld
uidNumber: 1000
shadowLastChange: 13920

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
belld at trigger:~>

I thought this was because LDAP was handing that aspect over to 
something else but your second command shows a password.

belld at trigger:~> ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D 
"cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld
# extended LDIF
#
# LDAPv3
# base <dc=dxi,dc=net> with scope subtree
# filter: uid=belld
# requesting: ALL
#

# belld, people, dxi.net
dn: uid=belld,ou=people,dc=dxi,dc=net
cn: David Bell
gidNumber: 100
givenName: David
homeDirectory: /home/belld
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
shadowInactive: -1
shadowMax: 99999
shadowMin: 0
shadowWarning: 7
sn: Bell
uid: belld
uidNumber: 1000
userPassword:: e2NyeXB0fWUvMmlHZW9tWXJHTG8=
shadowLastChange: 13920

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
belld at trigger:~>

Any further thoughts?

David
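The reply's test is "does ldapsearch return userPassword, anonymously and with a bind?" The following is an added example, not code from the thread or from the FreeRADIUS or OpenLDAP projects: it parses the LDIF that ldapsearch prints, decodes the base64 `::` form (which is why the hash above appears as `e2NyeXB0...`), reports the RFC 2307 scheme prefix, and classifies the anonymous-versus-bound comparison. The two embedded LDIF samples are constructed, trimmed copies of the thread's two searches; the three outcome labels in `diagnose` are the example's own names, not messages from any tool.

```python
"""Check ldapsearch LDIF output for a usable password attribute.

Added example (not code from the thread): given the LDIF text that
ldapsearch prints, report whether the entry carries a userPassword value,
decode LDIF's base64 ('::') form, and identify the RFC 2307 hash-scheme
prefix. The two embedded samples are constructed to mirror the anonymous
and the authenticated search in the thread.
"""
import base64
import re
import sys

# Constructed sample: trimmed version of what the anonymous search returned
LDIF_ANON = """\
# belld, people, dxi.net
dn: uid=belld,ou=people,dc=dxi,dc=net
cn: David Bell
objectClass: posixAccount
uid: belld
"""

# Constructed sample: same entry under an authenticated bind; '::' means
# the value is base64-encoded in LDIF
LDIF_ADMIN = """\
# belld, people, dxi.net
dn: uid=belld,ou=people,dc=dxi,dc=net
cn: David Bell
objectClass: posixAccount
uid: belld
userPassword:: e2NyeXB0fWUvMmlHZW9tWXJHTG8=
"""

LINE_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$")


def parse_ldif(text):
    """Parse one LDIF entry into {attribute(lowercased): [values]}.

    Skips comments, unfolds continuation lines (a leading space), and decodes
    '::' base64 values (latin-1 so arbitrary bytes survive as str).
    """
    entry = {}
    unfolded = re.sub(r"\n ", "", text)
    for line in unfolded.splitlines():
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        attr, sep, raw = m.groups()
        value = base64.b64decode(raw).decode("latin-1") if sep == "::" else raw
        entry.setdefault(attr.lower(), []).append(value)
    return entry


def password_status(entry):
    """Return (present, scheme, hash) for userPassword.

    scheme is the {..} prefix (e.g. 'crypt', 'SSHA'), or 'cleartext' when the
    value has none; (False, None, None) when the attribute is absent, which is
    what the "No known good password" warning in the thread is about.
    """
    values = entry.get("userpassword")
    if not values:
        return (False, None, None)
    m = SCHEME_RE.match(values[0])
    if m:
        return (True, m.group(1), m.group(2))
    return (True, "cleartext", values[0])


def diagnose(anon_ldif, bound_ldif):
    """Compare the two searches the reply suggests (labels are this example's own).

    'missing'    - neither search returns userPassword: fix the directory entry
    'acl-hidden' - only the authenticated search returns it: the server's ACL
                   hides it from unauthenticated readers, so the identity the
                   RADIUS server binds with must be allowed to read it
    'visible'    - both searches return it
    """
    anon_present = password_status(parse_ldif(anon_ldif))[0]
    bound_present = password_status(parse_ldif(bound_ldif))[0]
    if bound_present and not anon_present:
        return "acl-hidden"
    if bound_present:
        return "visible"
    return "missing"


if __name__ == "__main__":
    # Pipe real ldapsearch output in to inspect it; otherwise use the samples.
    if not sys.stdin.isatty():
        present, scheme, digest = password_status(parse_ldif(sys.stdin.read()))
        print("userPassword present:", present, "scheme:", scheme)
    else:
        print("diagnosis:", diagnose(LDIF_ANON, LDIF_ADMIN))
        print("scheme:", password_status(parse_ldif(LDIF_ADMIN))[1])
```

Run with `ldapsearch ... | python3 ldif_pw_check.py` to inspect a real search, or with no input to see the samples classified as `acl-hidden`. Decoding the thread's value gives `{crypt}e/2iGeomYrGLo`, a 13-character traditional DES crypt hash; that scheme only uses the first eight characters of the password and is the weakest of the common RFC 2307 prefixes, so a directory that is being put in front of RADIUS is better off storing {SSHA}. The anonymous search coming back without userPassword is the normal effect of the directory's ACL on that attribute, which is why the comparison has to be done with a bound search as well.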