Freeradius with OpenLDAP (Suse Enterprise 10)
David W Bell
david at chaoscrypt.com
Tue Feb 12 17:38:43 CET 2008
Markus Krause wrote:
> Zitat von David W Bell <david at chaoscrypt.com>:
>> Markus Krause wrote:
>>> Zitat von David W Bell <david at chaoscrypt.com>:
>>>
>>>> Markus Krause wrote:
>>>>> Zitat von David W Bell <david at chaoscrypt.com>:
>>>>>
>>>>>> LDAP is installed and working out of the box, having been set to be
>>>>>> used for authentication during the SUSE install.
>>>>>>
>>>>>> This is proven by the ability to log in to the box, both locally
>>>>>> and via SSH
>>>>>>
>>>>>> I installed freeRADIUS from the latest source and it is working
>>>>>> also.
>>>>>>
>>>>>> freeRADIUS seems unable to find a password for the user during
>>>>>> authentication.
>>>>>>
>>>>>> I issue the following on my workstation
>>>>>>
>>>>>> david at belld-ubuntu:~$ echo "User-Name = belld,Password=p455w0rd" |
>>>>>> radclient 212.95.255.242:1812 auth testing
>>>>>> Received response ID 99, code 3, length = 20
>>>>>>
>>>>>> And see the following from freeRADIUS:
>>>>>>
>>>>>> Listening on authentication address * port 1812
>>>>>> Listening on accounting address * port 1813
>>>>>> Ready to process requests.
>>>>>> rad_recv: Access-Request packet from host 212.95.252.25 port 20758,
>>>>>> id=99, length=45
>>>>>> User-Name = "belld"
>>>>>> User-Password = "p455w0rd"
>>>>>> +- entering group authorize
>>>>>> ++[preprocess] returns ok
>>>>>> ++[chap] returns noop
>>>>>> ++[mschap] returns noop
>>>>>> rlm_realm: No '@' in User-Name = "belld", looking up realm NULL
>>>>>> rlm_realm: No such realm "NULL"
>>>>>> ++[suffix] returns noop
>>>>>> rlm_eap: No EAP-Message, not doing EAP
>>>>>> ++[eap] returns noop
>>>>>> ++[unix] returns notfound
>>>>>> ++[files] returns noop
>>>>>> rlm_ldap: - authorize
>>>>>> rlm_ldap: performing user authorization for belld
>>>>>> WARNING: Deprecated conditional expansion ":-". See "man
>>>>>> unlang" for details
>>>>>> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) ->
>>>>>> (uid=belld)
>>>>>> expand: dc=dxi,dc=net -> dc=dxi,dc=net
>>>>>> rlm_ldap: ldap_get_conn: Checking Id: 0
>>>>>> rlm_ldap: ldap_get_conn: Got Id: 0
>>>>>> rlm_ldap: attempting LDAP reconnection
>>>>>> rlm_ldap: (re)connect to localhost:389, authentication 0
>>>>>> rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to
>>>>>> localhost:389
>>>>>> rlm_ldap: waiting for bind result ...
>>>>>> rlm_ldap: Bind was successful
>>>>>> rlm_ldap: performing search in dc=dxi,dc=net, with filter
>>>>>> (uid=belld)
>>>>>> rlm_ldap: looking for check items in directory...
>>>>>> rlm_ldap: looking for reply items in directory...
>>>>>> WARNING: No "known good" password was found in LDAP. Are you
>>>>>> sure that
>>>>>> the user is configured correctly?
>>>>>> rlm_ldap: user belld authorized to use remote access
>>>>>> rlm_ldap: ldap_release_conn: Release Id: 0
>>>>>> ++[ldap] returns ok
>>>>>> ++[expiration] returns noop
>>>>>> ++[logintime] returns noop
>>>>>> rlm_pap: WARNING! No "known good" password found for the user.
>>>>>> Authentication may fail because of this.
>>>>>> ++[pap] returns noop
>>>>>> auth: No authenticate method (Auth-Type) configuration found for the
>>>>>> request: Rejecting the user
>>>>>> auth: Failed to validate the user.
>>>>>> Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0)
>>>>>> Found Post-Auth-Type Reject
>>>>>> +- entering group REJECT
>>>>>> expand: %{User-Name} -> belld
>>>>>> attr_filter: Matched entry DEFAULT at line 11
>>>>>> ++[attr_filter.access_reject] returns updated
>>>>>> Delaying reject of request 0 for 1 seconds
>>>>>> Going to the next request
>>>>>> Waking up in 0.9 seconds.
>>>>>> Sending delayed reject for request 0
>>>>>> Sending Access-Reject of id 99 to 212.95.252.25 port 20758
>>>>>> Waking up in 4.9 seconds.
>>>>>>
>>>>>> What I can't work out is whether this is due to an LDAP or a RADIUS
>>>>>> config problem.
>>>>>>
>>>>>
>>>>> what is the result of the following commands (using a terminal):
>>>>> ldapsearch -x -h localhost -b "dc=dxi,dc=net" uid=belld
>>>>> ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D
>>>>> "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld
>>>>>
>>>>> if they (especially the latter) do not return a value for the
>>>>> field "userPassword" the problem is on the LDAP side.
>>>>>
>>>>> markus
>>>>>
>>>>>
>>>>> ----------------------------------------------------------------------
>>>>>
>>>>> This message was sent using https://webmail.biochem.mpg.de
>>>>> If you encounter any problems please report to
>>>>> rz-linux at biochem.mpg.de
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>> -
>>>>> List info/subscribe/unsubscribe? See
>>>>> http://www.freeradius.org/list/users.html
>>>> Thanks Markus.
>>>>
>>>> I thought of that - and had done the 1st search and HAD noticed there
>>>> was no LDAP password set
>>>>
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <dc=dxi,dc=net> with scope subtree
>>>> # filter: uid=belld
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # belld, people, dxi.net
>>>> dn: uid=belld,ou=people,dc=dxi,dc=net
>>>> cn: David Bell
>>>> gidNumber: 100
>>>> givenName: David
>>>> homeDirectory: /home/belld
>>>> loginShell: /bin/bash
>>>> objectClass: top
>>>> objectClass: posixAccount
>>>> objectClass: shadowAccount
>>>> objectClass: inetOrgPerson
>>>> shadowInactive: -1
>>>> shadowMax: 99999
>>>> shadowMin: 0
>>>> shadowWarning: 7
>>>> sn: Bell
>>>> uid: belld
>>>> uidNumber: 1000
>>>> shadowLastChange: 13920
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 0 Success
>>>>
>>>> # numResponses: 2
>>>> # numEntries: 1
>>>> belld at trigger:~>
>>>>
>>>> I thought this was because LDAP was handing that aspect over to
>>>> something else but your second command shows a password.
>>>>
>>>> belld at trigger:~> ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D
>>>> "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <dc=dxi,dc=net> with scope subtree
>>>> # filter: uid=belld
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # belld, people, dxi.net
>>>> dn: uid=belld,ou=people,dc=dxi,dc=net
>>>> cn: David Bell
>>>> gidNumber: 100
>>>> givenName: David
>>>> homeDirectory: /home/belld
>>>> loginShell: /bin/bash
>>>> objectClass: top
>>>> objectClass: posixAccount
>>>> objectClass: shadowAccount
>>>> objectClass: inetOrgPerson
>>>> shadowInactive: -1
>>>> shadowMax: 99999
>>>> shadowMin: 0
>>>> shadowWarning: 7
>>>> sn: Bell
>>>> uid: belld
>>>> uidNumber: 1000
>>>> userPassword:: e2NyeXB0fWUvMmlHZW9tWXJHTG8=
>>>> shadowLastChange: 13920
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 0 Success
>>>>
>>>> # numResponses: 2
>>>> # numEntries: 1
>>>> belld at trigger:~>
>>>>
>>>> Any further thoughts?
>>>>
>>>> David
>>>
>>> Not showing a userPassword field using an anonymous bind (the first
>>> command) is actually expected; as rootdn it should work. I assume
>>> the following command reveals the userPassword as well:
>>> ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D
>>> "uid=belld,ou=people,dc=dxi,dc=net" -w p455w0rd uid=belld
>>>
>>> I am wondering why the debug output of freeradius says you're
>>> binding as administrator; if the command above works this should
>>> not be necessary. Could you post the ldap section of your
>>> radiusd.conf?
>>>
>>> regards
>>> markus
>>>
>> Config as requested - I did uncomment and configure the identity
>> section - is this not required?
>>
>> ldap {
>> #
>> # Note that this needs to match the name in the LDAP
>> # server certificate, if you're using ldaps.
>> server = "localhost"
>> identity = "cn=Administrator,dc=dxi,dc=net"
>> password = trPic4n03
>> basedn = "dc=dxi,dc=net"
>> filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>> #base_filter = "(objectclass=radiusprofile)"
>>
>> # How many connections to keep open to the LDAP server.
>> # This saves time over opening a new LDAP socket for
>> # every authentication request.
>> ldap_connections_number = 5
>>
>> # seconds to wait for LDAP query to finish. default: 20
>> timeout = 4
>>
>> # seconds LDAP server has to process the query (server-side
>> # time limit). default: 20
>> #
>> # LDAP_OPT_TIMELIMIT is set to this value.
>> timelimit = 3
>>
>> #
>> # seconds to wait for response of the server. (network
>> # failures) default: 10
>> #
>> # LDAP_OPT_NETWORK_TIMEOUT is set to this value.
>> net_timeout = 1
>> tls {
>> # Set this to 'yes' to use TLS encrypted connections
>> # to the LDAP database by using the StartTLS extended
>> # operation.
>> #
>> # The StartTLS operation is supposed to be
>> # used with normal ldap connections instead of
>> # using ldaps (port 689) connections
>> start_tls = no
>>
>> # cacertfile = /path/to/cacert.pem
>> # cacertdir = /path/to/ca/dir/
>> # certfile = /path/to/radius.crt
>> # keyfile = /path/to/radius.key
>> # randfile = /path/to/rnd
>>
>> # Certificate Verification requirements. Can be:
>> # "never" (don't even bother trying)
>> # "allow" (try, but don't fail if the certificate
>> # can't be verified)
>> # "demand" (fail if the certificate doesn't verify.)
>> #
>> # The default is "allow"
>> # require_cert = "demand"
>> }
>>
>> # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
>> # profile_attribute = "radiusProfileDn"
>> # access_attr = "dialupAccess"
>>
>> # Mapping of RADIUS dictionary attributes to LDAP
>> # directory attributes.
>> dictionary_mapping = ${confdir}/ldap.attrmap
>>
>> # Set password_attribute = nspmPassword to get the
>> # user's password from a Novell eDirectory
>> # backend. This will work ONLY IF FreeRADIUS has been
>> # built with the --with-edir configure option.
>> #
>> # password_attribute = userPassword
>>
>> # Un-comment the following to disable Novell
>> # eDirectory account policy check and intruder
>> # detection. This will work *only if* FreeRADIUS is
>> # configured to build with --with-edir option.
>> #
>> edir_account_policy_check = no
>>
>> #
>> # Group membership checking. Disabled by default.
>> #
>> # groupname_attribute = cn
>> # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>>
>> # groupmembership_attribute = radiusGroupName
>>
>> # compare_check_items = yes
>> # do_xlat = yes
>> # access_attr_used_for_allow = yes
>> #
>> # By default, if the packet contains a User-Password,
>> # and no other module is configured to handle the
>> # authentication, the LDAP module sets itself to do
>> # LDAP bind for authentication.
>> #
>> # THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
>> #
>> # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
>> #
>> # You can disable this behavior by setting the following
>> # configuration entry to "no".
>> #
>> # allowed values: {no, yes}
>> # set_auth_type = yes
>>
>> # ldap_debug: debug flag for LDAP SDK
>> # (see OpenLDAP documentation). Set this to enable
>> # huge amounts of LDAP debugging on the screen.
>> # You should only use this if you are an LDAP expert.
>> #
>> # default: 0x0000 (no debugging messages)
>> # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
>> #ldap_debug = 0x0028
>> }
>>
>> #
>> # This subsection configures the tls related items
>> # that control how FreeRADIUS connects to an LDAP
>> # server. It contains all of the "tls_*" configuration
>> # entries used in older versions of FreeRADIUS. Those
>> # configuration entries can still be used, but we recommend
>> # using these.
>> #
>
> AFAIK the identity value has to be configured if you are using the
> ldap part for more than binding ("check if a password is correct"),
> e.g. for use with PEAP, as the radius server then needs access to
> possibly protected fields like sambaLMPassword.
>
> what happens/changes if you comment out identity and password?
> (regarding debug etc.)
>
> m.
>
>
>
With the identity/password section commented out it is still the same:
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 212.95.252.25 port 31542,
id=208, length=45
User-Name = "belld"
User-Password = "p455w0rd"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "belld", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for belld
WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
expand: dc=dxi,dc=net -> dc=dxi,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that
the user is configured correctly?
rlm_ldap: user belld authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> belld
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 208 to 212.95.252.25 port 31542
Waking up in 4.9 seconds.
Cleaning up request 0 ID 208 with timestamp +3
Ready to process requests.
Anything else you can suggest poking at?
Thanks again for your time.
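As an added illustration (not code from the thread or from FreeRADIUS), the following script parses the two ldapsearch outputs shown above, decodes the base64 `userPassword::` value and reports which attributes the directory ACL hides from an anonymous search; the sample LDIF is constructed from the entry in the thread.

```python
import base64
# Constructed sample LDIF: the attributes that matter from the thread's two
# ldapsearch runs, one anonymous and one bound as the rootdn.
ANON_LDIF = """# belld, people, dxi.net
dn: uid=belld,ou=people,dc=dxi,dc=net
objectClass: posixAccount
uid: belld
"""
BOUND_LDIF = """dn: uid=belld,ou=people,dc=dxi,dc=net
objectClass: posixAccount
uid: belld
userPassword:: e2NyeXB0fWUvMmlHZW9tWXJHTG8=
"""

def parse_ldif(text):
    """ldapsearch output -> list of {attr: [values]}; handles '#' comments,
    folded lines and '::' base64 values (how userPassword is printed)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:
        if not line:                           # blank line ends an entry
            if "dn" in entry:                  # skip the result trailer
                entries.append(entry)
            entry = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("latin-1")
        entry.setdefault(attr, []).append(value.strip())
    return entries

def password_scheme(value):
    """RFC 2307 '{scheme}' prefix of a userPassword value, or 'cleartext'."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].lower()
    return "cleartext"

def check_password_visibility(anon_ldif, bound_ldif):
    """Attributes the ACL hides from anonymous searches, plus the hash scheme."""
    anon, bound = parse_ldif(anon_ldif)[0], parse_ldif(bound_ldif)[0]
    pw = bound.get("userPassword", [None])[0]
    return {"hidden_from_anonymous": sorted(set(bound) - set(anon)),
            "scheme": password_scheme(pw) if pw else None, "hash": pw}
```

The decoded value is a `{crypt}` hash, so the server can only compare a PAP password against it when its bind identity is allowed to read the attribute; the config comment about `set_auth_type` describes the other route, an LDAP bind as the user.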