Freeradius with OpenLDAP (Suse Enterprise 10)

Markus Krause krause at biochem.mpg.de
Mon Feb 11 16:14:03 CET 2008


Zitat von David W Bell <david at chaoscrypt.com>:

> Markus Krause wrote:
>> Zitat von David W Bell <david at chaoscrypt.com>:
>>
>>> LDAP is installed and working out of the box, having been set to be
>>> used for authentication during the SUSE install.
>>>
>>> This is proven by the ability to log in to the box, both locally   
>>> and via SSH
>>>
>>> I installed freeRADIUS from the latest source and it is working also.
>>>
>>> freeRADIUS seems unable to find a password for the user during
>>> Authentication.
>>>
>>> I issue the following on my workstation
>>>
>>> david at belld-ubuntu:~$ echo "User-Name = belld,Password=p455w0rd" |
>>> radclient 212.95.255.242:1812 auth testing
>>> Received response ID 99, code 3, length = 20
>>>
>>> And see the following from freeRADIUS Listening on authentication
>>> address * port 1812
>>> Listening on accounting address * port 1813
>>> Ready to process requests.
>>> rad_recv: Access-Request packet from host 212.95.252.25 port 20758,
>>> id=99, length=45
>>>       User-Name = "belld"
>>>       User-Password = "p455w0rd"
>>> +- entering group authorize
>>> ++[preprocess] returns ok
>>> ++[chap] returns noop
>>> ++[mschap] returns noop
>>>   rlm_realm: No '@' in User-Name = "belld", looking up realm NULL
>>>   rlm_realm: No such realm "NULL"
>>> ++[suffix] returns noop
>>> rlm_eap: No EAP-Message, not doing EAP
>>> ++[eap] returns noop
>>> ++[unix] returns notfound
>>> ++[files] returns noop
>>> rlm_ldap: - authorize
>>> rlm_ldap: performing user authorization for belld
>>> WARNING: Deprecated conditional expansion ":-".  See "man unlang"   
>>> for details
>>>       expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
>>>       expand: dc=dxi,dc=net -> dc=dxi,dc=net
>>> rlm_ldap: ldap_get_conn: Checking Id: 0
>>> rlm_ldap: ldap_get_conn: Got Id: 0
>>> rlm_ldap: attempting LDAP reconnection
>>> rlm_ldap: (re)connect to localhost:389, authentication 0
>>> rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389
>>> rlm_ldap: waiting for bind result ...
>>> rlm_ldap: Bind was successful
>>> rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
>>> rlm_ldap: looking for check items in directory...
>>> rlm_ldap: looking for reply items in directory...
>>> WARNING: No "known good" password was found in LDAP.  Are you sure that
>>> the user is configured correctly?
>>> rlm_ldap: user belld authorized to use remote access
>>> rlm_ldap: ldap_release_conn: Release Id: 0
>>> ++[ldap] returns ok
>>> ++[expiration] returns noop
>>> ++[logintime] returns noop
>>> rlm_pap: WARNING! No "known good" password found for the user.
>>> Authentication may fail because of this.
>>> ++[pap] returns noop
>>> auth: No authenticate method (Auth-Type) configuration found for the
>>> request: Rejecting the user
>>> auth: Failed to validate the user.
>>> Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0)
>>> Found Post-Auth-Type Reject
>>> +- entering group REJECT
>>>       expand: %{User-Name} -> belld
>>> attr_filter: Matched entry DEFAULT at line 11
>>> ++[attr_filter.access_reject] returns updated
>>> Delaying reject of request 0 for 1 seconds
>>> Going to the next request
>>> Waking up in 0.9 seconds.
>>> Sending delayed reject for request 0
>>> Sending Access-Reject of id 99 to 212.95.252.25 port 20758
>>> Waking up in 4.9 seconds.
>>>
>>> What I can't work out is whether this is due to an LDAP or a RADIUS
>>> config problem.
>>>
>>
>> what is the result of the following commands (using a terminal):
>>  ldapsearch -x -h localhost -b "dc=dxi,dc=net" uid=belld
>>  ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D   
>> "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld
>>
>> if they (especially the latter) do not return a value for the field  
>>  "userPassword" the problem is on the LDAP side.
>>
>> markus
>>
>>
> Thanks Markus.
>
> I thought of that - and had done the 1st search and HAD noticed there
> was no LDAP password set
>
> # extended LDIF
> #
> # LDAPv3
> # base <dc=dxi,dc=net> with scope subtree
> # filter: uid=belld
> # requesting: ALL
> #
>
> # belld, people, dxi.net
> dn: uid=belld,ou=people,dc=dxi,dc=net
> cn: David Bell
> gidNumber: 100
> givenName: David
> homeDirectory: /home/belld
> loginShell: /bin/bash
> objectClass: top
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: inetOrgPerson
> shadowInactive: -1
> shadowMax: 99999
> shadowMin: 0
> shadowWarning: 7
> sn: Bell
> uid: belld
> uidNumber: 1000
> shadowLastChange: 13920
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> belld at trigger:~>
>
> I thought this was because LDAP was handing that aspect over to
> something else but your second command shows a password.
>
> belld at trigger:~> ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D
> "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld
> # extended LDIF
> #
> # LDAPv3
> # base <dc=dxi,dc=net> with scope subtree
> # filter: uid=belld
> # requesting: ALL
> #
>
> # belld, people, dxi.net
> dn: uid=belld,ou=people,dc=dxi,dc=net
> cn: David Bell
> gidNumber: 100
> givenName: David
> homeDirectory: /home/belld
> loginShell: /bin/bash
> objectClass: top
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: inetOrgPerson
> shadowInactive: -1
> shadowMax: 99999
> shadowMin: 0
> shadowWarning: 7
> sn: Bell
> uid: belld
> uidNumber: 1000
> userPassword:: e2NyeXB0fWUvMmlHZW9tWXJHTG8=
> shadowLastChange: 13920
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> belld at trigger:~>
>
> Any further thoughts?
>
> David

Not showing a userPassword field using an anonymous bind (the first
command) is actually expected; as rootdn it should work. I assume the
following command does reveal the userPassword as well:
   ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D
"uid=belld,ou=people,dc=dxi,dc=net" -w p455w0rd uid=belld

I am wondering why the debug output of freeradius says you're
binding as administrator; if the command above works this should not
be necessary. Could you post the ldap section of your radiusd.conf?

regards
   markus
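A small check for the rule Markus gives above (no userPassword in the authenticated ldapsearch means the problem is on the LDAP side), added here as an example that is not part of the thread: it parses ldapsearch's LDIF output, decodes the base64 ("::") userPassword value to identify its {scheme} prefix, and compares the anonymous and authenticated results. The function names and the sample LDIF (trimmed from the outputs posted above) are constructed for this example.

```python
import base64
import re

# Constructed samples modelled on the two ldapsearch outputs posted in the thread.
ANON_LDIF = "dn: uid=belld,ou=people,dc=dxi,dc=net\nuid: belld\n\nresult: 0 Success\n"
BOUND_LDIF = """# belld, people, dxi.net
dn: uid=belld,ou=people,
 dc=dxi,dc=net
uid: belld
userPassword:: e2NyeXB0fWUvMmlHZW9tWXJHTG8=

result: 0 Success
"""

def parse_ldif(text):
    """{attr: [values]} per entry; handles '#' comments, '::' base64 and folded lines."""
    entries, cur = [], {}
    # LDIF folds long values as newline + one space; joining them first is enough.
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:  # "" flushes last
        if not line.strip():
            if "dn" in cur:  # the 'search:/result:' trailer has no dn; drop it
                entries.append(cur)
            cur = {}
            continue
        m = re.match(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$", line)
        if line.startswith("#") or not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        cur.setdefault(attr, []).append(value)
    return entries

def password_scheme(entry):
    """{scheme} prefix ('crypt', 'SSHA', ...), 'cleartext' if none, None if absent."""
    values = entry.get("userPassword")
    if not values:
        return None
    m = re.match(r"^\{([A-Za-z0-9-]+)\}", values[0])
    return m.group(1) if m else "cleartext"

def diagnose(anon_ldif, bound_ldif):
    """Markus's rule: userPassword missing from the authenticated search => LDAP side."""
    anon, bound = parse_ldif(anon_ldif), parse_ldif(bound_ldif)
    if not bound:
        return "ldap: no entry for the user"
    scheme = password_scheme(bound[0])
    if scheme is None:
        return "ldap: userPassword not readable by this bind DN (check ACLs)"
    anon_sees = bool(anon) and password_scheme(anon[0]) is not None
    return f"radius: userPassword readable ({scheme}); anonymous sees it: {anon_sees}"
```

Anonymous not seeing the attribute is what a typical slapd ACL such as `access to attrs=userPassword by self write by anonymous auth by * none` produces, so the bind identity FreeRADIUS uses must be one that ACL allows to read.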

----------------------------------------------------------------------
      This message was sent using https://webmail.biochem.mpg.de
If you encounter any problems please report to rz-linux at biochem.mpg.de
