Freeradius with OpenLDAP (Suse Enterprise 10)

David W Bell david at chaoscrypt.com
Mon Feb 11 16:49:25 CET 2008


Markus Krause wrote:
> Zitat von David W Bell <david at chaoscrypt.com>:
>
>> Markus Krause wrote:
>>> Zitat von David W Bell <david at chaoscrypt.com>:
>>>
>>>> LDAP is installed and working out of the box, having been set to be
>>>> used for authentication during the SUSE install.
>>>>
>>>> This is proven by the ability to log in to the box, both locally and via SSH
>>>>
>>>> I installed freeRADIUS from the latest source and it is working also.
>>>>
>>>> freeRADIUS seems unable to find a password for the user during authentication.
>>>>
>>>> I issue the following on my workstation
>>>>
>>>> david at belld-ubuntu:~$ echo "User-Name = belld,Password=p455w0rd" |
>>>> radclient 212.95.255.242:1812 auth testing
>>>> Received response ID 99, code 3, length = 20
>>>>
>>>> And see the following from freeRADIUS Listening on authentication
>>>> address * port 1812
>>>> Listening on accounting address * port 1813
>>>> Ready to process requests.
>>>> rad_recv: Access-Request packet from host 212.95.252.25 port 20758,
>>>> id=99, length=45
>>>>       User-Name = "belld"
>>>>       User-Password = "p455w0rd"
>>>> +- entering group authorize
>>>> ++[preprocess] returns ok
>>>> ++[chap] returns noop
>>>> ++[mschap] returns noop
>>>>   rlm_realm: No '@' in User-Name = "belld", looking up realm NULL
>>>>   rlm_realm: No such realm "NULL"
>>>> ++[suffix] returns noop
>>>> rlm_eap: No EAP-Message, not doing EAP
>>>> ++[eap] returns noop
>>>> ++[unix] returns notfound
>>>> ++[files] returns noop
>>>> rlm_ldap: - authorize
>>>> rlm_ldap: performing user authorization for belld
>>>> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
>>>>       expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
>>>>       expand: dc=dxi,dc=net -> dc=dxi,dc=net
>>>> rlm_ldap: ldap_get_conn: Checking Id: 0
>>>> rlm_ldap: ldap_get_conn: Got Id: 0
>>>> rlm_ldap: attempting LDAP reconnection
>>>> rlm_ldap: (re)connect to localhost:389, authentication 0
>>>> rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389
>>>> rlm_ldap: waiting for bind result ...
>>>> rlm_ldap: Bind was successful
>>>> rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
>>>> rlm_ldap: looking for check items in directory...
>>>> rlm_ldap: looking for reply items in directory...
>>>> WARNING: No "known good" password was found in LDAP.  Are you sure that
>>>> the user is configured correctly?
>>>> rlm_ldap: user belld authorized to use remote access
>>>> rlm_ldap: ldap_release_conn: Release Id: 0
>>>> ++[ldap] returns ok
>>>> ++[expiration] returns noop
>>>> ++[logintime] returns noop
>>>> rlm_pap: WARNING! No "known good" password found for the user.
>>>> Authentication may fail because of this.
>>>> ++[pap] returns noop
>>>> auth: No authenticate method (Auth-Type) configuration found for the
>>>> request: Rejecting the user
>>>> auth: Failed to validate the user.
>>>> Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0)
>>>> Found Post-Auth-Type Reject
>>>> +- entering group REJECT
>>>>       expand: %{User-Name} -> belld
>>>> attr_filter: Matched entry DEFAULT at line 11
>>>> ++[attr_filter.access_reject] returns updated
>>>> Delaying reject of request 0 for 1 seconds
>>>> Going to the next request
>>>> Waking up in 0.9 seconds.
>>>> Sending delayed reject for request 0
>>>> Sending Access-Reject of id 99 to 212.95.252.25 port 20758
>>>> Waking up in 4.9 seconds.
>>>>
>>>> What I can't work out is whether this is due to an LDAP or a RADIUS
>>>> config problem.
>>>>
>>>
>>> what is the result of the following commands (using a terminal):
>>>  ldapsearch -x -h localhost -b "dc=dxi,dc=net" uid=belld
>>>  ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld
>>>
>>> if they (especially the latter) do not return a value for the field 
>>>  "userPassword" the problem is on the LDAP side.
>>>
>>> markus
>>>
>>>
>>> ----------------------------------------------------------------------
>>>     This message was sent using https://webmail.biochem.mpg.de
>>> If you encounter any problems please report to rz-linux at biochem.mpg.de
>>>
>>> ------------------------------------------------------------------------ 
>>>
>>>
>>> -
>>> List info/subscribe/unsubscribe? See  
>>> http://www.freeradius.org/list/users.html
>> Thanks Markus.
>>
>> I thought of that - and had done the 1st search and HAD noticed there
>> was no LDAP password set
>>
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=dxi,dc=net> with scope subtree
>> # filter: uid=belld
>> # requesting: ALL
>> #
>>
>> # belld, people, dxi.net
>> dn: uid=belld,ou=people,dc=dxi,dc=net
>> cn: David Bell
>> gidNumber: 100
>> givenName: David
>> homeDirectory: /home/belld
>> loginShell: /bin/bash
>> objectClass: top
>> objectClass: posixAccount
>> objectClass: shadowAccount
>> objectClass: inetOrgPerson
>> shadowInactive: -1
>> shadowMax: 99999
>> shadowMin: 0
>> shadowWarning: 7
>> sn: Bell
>> uid: belld
>> uidNumber: 1000
>> shadowLastChange: 13920
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>> belld at trigger:~>
>>
>> I thought this was because LDAP was handing that aspect over to
>> something else but your second command shows a password.
>>
>> belld at trigger:~> ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D
>> "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=dxi,dc=net> with scope subtree
>> # filter: uid=belld
>> # requesting: ALL
>> #
>>
>> # belld, people, dxi.net
>> dn: uid=belld,ou=people,dc=dxi,dc=net
>> cn: David Bell
>> gidNumber: 100
>> givenName: David
>> homeDirectory: /home/belld
>> loginShell: /bin/bash
>> objectClass: top
>> objectClass: posixAccount
>> objectClass: shadowAccount
>> objectClass: inetOrgPerson
>> shadowInactive: -1
>> shadowMax: 99999
>> shadowMin: 0
>> shadowWarning: 7
>> sn: Bell
>> uid: belld
>> uidNumber: 1000
>> userPassword:: e2NyeXB0fWUvMmlHZW9tWXJHTG8=
>> shadowLastChange: 13920
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>> belld at trigger:~>
>>
>> Any further thoughts?
>>
>> David
>
> not showing a userPassword field using an anonymous bind (the first 
> command) is actually expected; as rootdn it should work. I assume the 
> following command does reveal the userPassword as well:
>   ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D "uid=belld,ou=people,dc=dxi,dc=net" -w p455w0rd uid=belld
>
> I am wondering why the debug output of the freeradius says you're 
> binding as administrator; if the command above works this should not 
> be necessary .. could you post your ldap section of your radiusd.conf?
>
> regards
>   markus
>
Config as requested - I did uncomment and configure the identity section 
- is this not required?

        ldap {
                #
                #  Note that this needs to match the name in the LDAP
                #  server certificate, if you're using ldaps.
                server = "localhost"
                identity = "cn=Administrator,dc=dxi,dc=net"
                password = trPic4n03
                basedn = "dc=dxi,dc=net"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                #base_filter = "(objectclass=radiusprofile)"

                #  How many connections to keep open to the LDAP server.
                #  This saves time over opening a new LDAP socket for
                #  every authentication request.
                ldap_connections_number = 5

                # seconds to wait for LDAP query to finish. default: 20
                timeout = 4

                #  seconds LDAP server has to process the query (server-side
                #  time limit). default: 20
                #
                #  LDAP_OPT_TIMELIMIT is set to this value.
                timelimit = 3

                #
                #  seconds to wait for response of the server. (network
                #   failures) default: 10
                #
                #  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
                net_timeout = 1
                tls {
                        # Set this to 'yes' to use TLS encrypted connections
                        # to the LDAP database by using the StartTLS extended
                        # operation.
                        #
                        # The StartTLS operation is supposed to be
                        # used with normal ldap connections instead of
                        # using ldaps (port 689) connections
                        start_tls = no

                        # cacertfile    = /path/to/cacert.pem
                        # cacertdir             = /path/to/ca/dir/
                        # certfile              = /path/to/radius.crt
                        # keyfile               = /path/to/radius.key
                        # randfile              = /path/to/rnd

                        #  Certificate Verification requirements.  Can be:
                        #    "never" (don't even bother trying)
                        #    "allow" (try, but don't fail if the certificate
                        #               can't be verified)
                        #    "demand" (fail if the certificate doesn't verify.)
                        #
                        #       The default is "allow"
                        # require_cert  = "demand"
                }

                # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
                # profile_attribute = "radiusProfileDn"
                # access_attr = "dialupAccess"

                # Mapping of RADIUS dictionary attributes to LDAP
                # directory attributes.
                dictionary_mapping = ${confdir}/ldap.attrmap

                #  Set password_attribute = nspmPassword to get the
                #  user's password from a Novell eDirectory
                #  backend. This will work ONLY IF FreeRADIUS has been
                #  built with the --with-edir configure option.
                #
                # password_attribute = userPassword

                #  Un-comment the following to disable Novell
                #  eDirectory account policy check and intruder
                #  detection. This will work *only if* FreeRADIUS is
                #  configured to build with --with-edir option.
                #
                edir_account_policy_check = no

                #
                #  Group membership checking.  Disabled by default.
                #
                # groupname_attribute = cn
                # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
                # groupmembership_attribute = radiusGroupName

                # compare_check_items = yes
                # do_xlat = yes
                # access_attr_used_for_allow = yes

                #
                #  By default, if the packet contains a User-Password,
                #  and no other module is configured to handle the
                #  authentication, the LDAP module sets itself to do
                #  LDAP bind for authentication.
                #
                #  THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
                #
                #  THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
                #
                #  You can disable this behavior by setting the following
                #  configuration entry to "no".
                #
                #  allowed values: {no, yes}
                # set_auth_type = yes

                #  ldap_debug: debug flag for LDAP SDK
                #  (see OpenLDAP documentation).  Set this to enable
                #  huge amounts of LDAP debugging on the screen.
                #  You should only use this if you are an LDAP expert.
                #
                #       default: 0x0000 (no debugging messages)
                #       Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
                #ldap_debug = 0x0028
        }

                #
                #  This subsection configures the tls related items
                #  that control how FreeRADIUS connects to an LDAP
                #  server.  It contains all of the "tls_*" configuration
                #  entries used in older versions of FreeRADIUS.  Those
                #  configuration entries can still be used, but we recommend
                #  using these.
                #

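The LDIF output quoted earlier in this thread shows the password with a double colon (userPassword::), which in LDIF means the value is base64-encoded; decoded, it is a scheme-prefixed hash ({crypt}...), which is the form a "known good" password handed from rlm_ldap to rlm_pap usually takes. The following Python script is an added example, not code from this thread or from FreeRADIUS/OpenLDAP: it parses LDIF text (handling the base64 form), reports the password scheme stored for each uid, and verifies a candidate password for the cleartext, {SHA} and {SSHA} schemes. The uid=belld entry reuses only the userPassword value quoted above; the uid=sample entry, its password "Correct-Horse" and its salt are constructed for the example.

```python
import base64
import hashlib
import re


def make_ssha(password: str, salt: bytes) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


# Constructed LDIF sample. The first entry carries the userPassword value
# quoted in the thread; the second entry (uid=sample) is invented here.
SAMPLE_LDIF = (
    "dn: uid=belld,ou=people,dc=dxi,dc=net\n"
    "uid: belld\n"
    "userPassword:: e2NyeXB0fWUvMmlHZW9tWXJHTG8=\n"
    "\n"
    "dn: uid=sample,ou=people,dc=dxi,dc=net\n"
    "uid: sample\n"
    "userPassword: " + make_ssha("Correct-Horse", b"saltsalt") + "\n"
)

ATTR_RE = re.compile(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$")
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9]+)\}(.*)$", re.S)


def parse_ldif(text: str):
    """Return a list of {attr: [values]} dicts, one per LDIF entry.

    'attr:: value' is the LDIF rule for base64-encoded data; such values
    are decoded here so the caller sees the real stored string.
    """
    entries, current = [], {}
    for line in text.splitlines():
        if line.startswith("#"):          # ldapsearch comment lines
            continue
        if not line.strip():              # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def password_scheme(stored: str):
    """Split a userPassword value into (scheme, payload); no {prefix} means cleartext."""
    m = SCHEME_RE.match(stored)
    if not m:
        return "cleartext", stored
    return m.group(1).lower(), m.group(2)


def check_password(stored: str, candidate: str):
    """Verify candidate against a stored userPassword value.

    Supports cleartext, {SHA} and {SSHA}. {CRYPT} is recognised but returns
    None (undecided) because crypt(3) output is platform-specific; a RADIUS
    server would defer that case to the system crypt() implementation.
    """
    scheme, payload = password_scheme(stored)
    if scheme == "cleartext":
        return payload == candidate
    if scheme == "sha":
        return base64.b64decode(payload) == hashlib.sha1(candidate.encode()).digest()
    if scheme == "ssha":
        raw = base64.b64decode(payload)
        digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes, salt follows
        return hashlib.sha1(candidate.encode() + salt).digest() == digest
    return None


def known_good_passwords(text: str):
    """Map uid -> (scheme, stored value) for every entry that exposes userPassword."""
    out = {}
    for entry in parse_ldif(text):
        if "userPassword" in entry and "uid" in entry:
            stored = entry["userPassword"][0]
            out[entry["uid"][0]] = (password_scheme(stored)[0], stored)
    return out


if __name__ == "__main__":
    for uid, (scheme, stored) in known_good_passwords(SAMPLE_LDIF).items():
        print(f"{uid}: scheme={scheme} stored={stored}")
```

Run against the anonymous-bind output from the thread, the script finds no userPassword at all for belld, which is the same condition rlm_ldap reports as "No known good password"; run against the Administrator-bind output, it reports scheme crypt. That is the quickest way to see whether the attribute is being withheld by the directory or mis-mapped on the RADIUS side.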
More information about the Freeradius-Users mailing list