FW: Problem when removing Auth-Type := Ldap in users file
cxu
cxu at unbsj.ca
Tue Feb 12 20:52:43 CET 2008
I made some progress on this issue. I added pap under Autz-Type Ldap1, as
below, and then Auth-Type was set to pap.
authorize {
    preprocess
    chap
    mschap
    suffix
    eap
    Autz-Type Ldap1 {
        redundant-load-balance {
            myldap
            myldap2
        }
        pap # <-- the change
    }
    Autz-Type Web {
        files
    }
    files
    pap
}
The purpose of doing this is to make sure pap is the last module being
called during the authorization process.
My questions are:
1. Is this configuration right? Or is it a correct way to construct
Autz-Type?
2. Under what condition will the ldap module set Auth-Type to ldap?
Thanks!
Andrew
P.S.
In the users file,
DEFAULT Called-Station-Id =~ ".*Guest at myu", Autz-Type := Ldap1
        Fall-Through = no
Debug output,
rad_recv: Access-Request packet from host 192.168.1.113 port 20000, id=8,
length=98
User-Name = "tester"
Called-Station-Id = "00-1B-BA-A5-45-40:Guest at myu"
NAS-Port = 152
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "nortel"
NAS-IP-Address = 192.168.1.113
User-Password = "testing"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "tester", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
expand: %{Called-Station-Id} -> 00-1B-BA-A5-45-40:Guest at myu
expand: %{Called-Station-Id} -> 00-1B-BA-A5-45-40:Guest at myu
users: Matched entry DEFAULT at line 71
++[files] returns ok
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Autz-Type Ldap1
+- entering group Ldap1
++- entering redundant-load-balance group redundant-load-balance
rlm_ldap: - authorize
rlm_ldap: performing user authorization for tester
WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=tester)
expand: ou=people,dc=myu,dc=ca -> ou=people,dc=myu,dc=ca
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap2.myu.ca:389, authentication 0
rlm_ldap: setting TLS CACert File to /usr/local/etc/raddb/certs/myuCA.crt
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: bind as uid=radius,dc=myu,dc=ca/PWD12345678 to ldap2.myu.ca:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=myu,dc=ca, with filter
(uid=tester)
rlm_ldap: Added User-Password =
{SSHA}jSTYFonbXmIE6pReKdYUvq0RhxuhLUAT6FYcG== in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user tester authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[myldap] returns ok
++- redundant-load-balance group redundant-load-balance returns ok
++[pap] returns updated
rad_check_password: Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "testing"
rlm_pap: Using SSHA encryption.
rlm_pap: Normalizing SSHA1-Password from base64 encoding
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [tester] (from client myusj113 port 152)
Sending Access-Accept of id 8 to 192.168.1.113 port 20000
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
Waking up in 4.0 seconds.
Cleaning up request 0 ID 8 with timestamp +54
Ready to process requests.
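An added example (not from the poster or the FreeRADIUS project) of what rlm_pap does with the {SSHA} User-Password check item that rlm_ldap added in the debug output above: the "Normalizing SSHA1-Password from base64 encoding" and "Using SSHA encryption" lines correspond to decoding the base64 value, splitting off the trailing salt and recomputing SHA-1. The salt and hash are constructed here, and the rcode mapping is a simplification of the real module.

```python
import base64
import hashlib
import hmac

DIGEST_LEN = 20  # SHA-1 output size; whatever follows it in the blob is the salt

def make_ssha(password: bytes, salt: bytes) -> str:
    """Build an OpenLDAP-style {SSHA} userPassword value: base64(sha1(pw+salt)+salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha(stored: str, candidate: bytes) -> bool:
    """The check rlm_pap performs after normalizing an {SSHA} value:
    decode, split digest from salt, recompute, compare in constant time."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("decoded value too short to contain digest and salt")
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)

def pap_authenticate(check_items: dict, user_password: bytes) -> str:
    """Simplified model of rlm_pap: returns "ok", "reject", or "noop" when no
    "known good" password is in the check items (the warning seen in the debug
    output above). Only the two forms on the page are handled: an {SSHA} value
    that rlm_ldap put into User-Password, and a plain Cleartext-Password."""
    known_good = check_items.get("User-Password") or check_items.get("Cleartext-Password")
    if known_good is None:
        return "noop"
    if known_good.startswith("{SSHA}"):
        ok = verify_ssha(known_good, user_password)
    else:
        ok = hmac.compare_digest(known_good.encode(), user_password)
    return "ok" if ok else "reject"

# Constructed sample data (the hash on the page is not reused as-is).
SAMPLE_SALT = b"\x01\x02\x03\x04\x05\x06\x07\x08"
SAMPLE_CHECK = {"User-Password": make_ssha(b"testing", SAMPLE_SALT)}

if __name__ == "__main__":
    print(pap_authenticate(SAMPLE_CHECK, b"testing"))  # ok
    print(pap_authenticate(SAMPLE_CHECK, b"wrong"))    # reject
    print(pap_authenticate({}, b"testing"))            # noop
```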
_____
From: cxu [mailto:cxu at unbsj.ca]
Sent: Thursday, February 07, 2008 2:27 PM
To: 'freeradius-users at lists.freeradius.org'
Subject: Problem when removing Auth-Type := Ldap in users file
Hi,
I am testing the freeradius server and trying to clarify the rules applied in
freeradius. In the following trials, I could not figure out how to make
Autz-Type Ldap1 in the authorize section correctly set the Auth-Type used in
authentication without the help of "Auth-Type := Ldap1".
With the following entry in users file,
**************
DEFAULT Called-Station-Id =~ ".*Guest at myu", Autz-Type := Ldap1, Auth-Type := Ldap1
**************
the user authentication worked fine.
Below is the debug output.
**************
rad_recv: Access-Request packet from host 192.168.1.113 port 20000, id=19,
length=98
User-Name = "tester"
Called-Station-Id = "00-1B-BA-A5-45-40:Guest at myu"
NAS-Port = 189
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "nortel"
NAS-IP-Address = 192.168.1.113
User-Password = "testing"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "tester", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
expand: %{Called-Station-Id} -> 00-1B-BA-A5-45-40:Guest at myu
expand: %{Called-Station-Id} -> 00-1B-BA-A5-45-40:Guest at myu
users: Matched entry DEFAULT at line 70
++[files] returns ok
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Autz-Type Ldap1
+- entering group Ldap1
++- entering redundant-load-balance group redundant-load-balance
rlm_ldap: - authorize
rlm_ldap: performing user authorization for tester
WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=tester)
expand: ou=people,dc=myu,dc=ca -> ou=people,dc=myu,dc=ca
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.myu.ca:389, authentication 0
rlm_ldap: setting TLS CACert File to /usr/local/etc/raddb/certs/unbCA.crt
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: bind as uid=radius,dc=myu,dc=ca/PWD12345678 to ldap.myu.ca:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=myu,dc=ca, with filter
(uid=tester)
rlm_ldap: Added User-Password =
{SSHA}jSTYFonbXmIE6pReKdYUvq0RhxuhLUAT6FYcG== in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user tester authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[myldap2] returns ok
++- redundant-load-balance group redundant-load-balance returns ok
rad_check_password: Found Auth-Type Ldap1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!
!!! Replacing User-Password in config items with Cleartext-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!
!!! Please update your configuration so that the "known good"
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!
auth: type "Ldap1"
+- entering group Ldap1
++- entering redundant-load-balance group redundant-load-balance
rlm_ldap: - authenticate
rlm_ldap: login attempt by "tester" with password "testing"
rlm_ldap: user DN: uid=tester,ou=people,dc=myu,dc=ca
rlm_ldap: (re)connect to ldap.myu.ca:389, authentication 1
rlm_ldap: setting TLS CACert File to /usr/local/etc/raddb/certs/myuCA.crt
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: bind as uid=tester,ou=people,dc=myu,dc=ca/testing to
ldap.myu.ca:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user tester authenticated succesfully
+++[myldap2] returns ok
++- redundant-load-balance group redundant-load-balance returns ok
Login OK: [tester] (from client unbsj113 port 189)
Sending Access-Accept of id 19 to 192.168.1.113 port 20000
Finished request 0.
Going to the next request
Waking up in 0.8 seconds.
Waking up in 4.1 seconds.
Cleaning up request 0 ID 19 with timestamp +99
Ready to process requests.
**************
However when I removed Auth-Type := Ldap1 in the entry,
**************
DEFAULT Called-Station-Id =~ ".*Guest at myu", Autz-Type := Ldap1
**************
the user authentication failed. The Auth-Type is set to Local instead of
Ldap.