Freeradius with OpenLDAP (Suse Enterprise 10)

Markus Krause krause at biochem.mpg.de
Tue Feb 12 22:33:54 CET 2008


Quoting David W Bell <david at chaoscrypt.com>:
> Markus Krause wrote:
>> Quoting David W Bell <david at chaoscrypt.com>:
>>> Markus Krause wrote:
>>>> Quoting David W Bell <david at chaoscrypt.com>:
>>>>
>>>>> Markus Krause wrote:
>>>>>> Quoting David W Bell <david at chaoscrypt.com>:
>>>>>>
>>>>>>> LDAP is installed and working out of the box, having been set to be
>>>>>>> used for authentication during the SUSE install.
>>>>>>>
>>>>>>> This is proven by the ability to log in to the box, both
>>>>>>> locally and via SSH
>>>>>>>
>>>>>>> I installed freeRADIUS from the latest source and it is working also.
>>>>>>>
>>>>>>> freeRADIUS seems unable to find a password for the user during
>>>>>>> authentication.
>>>>>>>
>>>>>>> I issue the following on my workstation
>>>>>>>
>>>>>>> david at belld-ubuntu:~$ echo "User-Name = belld,Password=p455w0rd" |
>>>>>>> radclient 212.95.255.242:1812 auth testing
>>>>>>> Received response ID 99, code 3, length = 20
>>>>>>>
>>>>>>> And see the following from freeRADIUS Listening on authentication
>>>>>>> address * port 1812
>>>>>>> Listening on accounting address * port 1813
>>>>>>> Ready to process requests.
>>>>>>> rad_recv: Access-Request packet from host 212.95.252.25 port 20758,
>>>>>>> id=99, length=45
>>>>>>>     User-Name = "belld"
>>>>>>>     User-Password = "p455w0rd"
>>>>>>> +- entering group authorize
>>>>>>> ++[preprocess] returns ok
>>>>>>> ++[chap] returns noop
>>>>>>> ++[mschap] returns noop
>>>>>>> rlm_realm: No '@' in User-Name = "belld", looking up realm NULL
>>>>>>> rlm_realm: No such realm "NULL"
>>>>>>> ++[suffix] returns noop
>>>>>>> rlm_eap: No EAP-Message, not doing EAP
>>>>>>> ++[eap] returns noop
>>>>>>> ++[unix] returns notfound
>>>>>>> ++[files] returns noop
>>>>>>> rlm_ldap: - authorize
>>>>>>> rlm_ldap: performing user authorization for belld
>>>>>>> WARNING: Deprecated conditional expansion ":-".  See "man    
>>>>>>> unlang"  for details
>>>>>>>     expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
>>>>>>>     expand: dc=dxi,dc=net -> dc=dxi,dc=net
>>>>>>> rlm_ldap: ldap_get_conn: Checking Id: 0
>>>>>>> rlm_ldap: ldap_get_conn: Got Id: 0
>>>>>>> rlm_ldap: attempting LDAP reconnection
>>>>>>> rlm_ldap: (re)connect to localhost:389, authentication 0
>>>>>>> rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to   
>>>>>>>  localhost:389
>>>>>>> rlm_ldap: waiting for bind result ...
>>>>>>> rlm_ldap: Bind was successful
>>>>>>> rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
>>>>>>> rlm_ldap: looking for check items in directory...
>>>>>>> rlm_ldap: looking for reply items in directory...
>>>>>>> WARNING: No "known good" password was found in LDAP.  Are you sure that
>>>>>>> the user is configured correctly?
>>>>>>> rlm_ldap: user belld authorized to use remote access
>>>>>>> rlm_ldap: ldap_release_conn: Release Id: 0
>>>>>>> ++[ldap] returns ok
>>>>>>> ++[expiration] returns noop
>>>>>>> ++[logintime] returns noop
>>>>>>> rlm_pap: WARNING! No "known good" password found for the user.
>>>>>>> Authentication may fail because of this.
>>>>>>> ++[pap] returns noop
>>>>>>> auth: No authenticate method (Auth-Type) configuration found for the
>>>>>>> request: Rejecting the user
>>>>>>> auth: Failed to validate the user.
>>>>>>> Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0)
>>>>>>> Found Post-Auth-Type Reject
>>>>>>> +- entering group REJECT
>>>>>>>     expand: %{User-Name} -> belld
>>>>>>> attr_filter: Matched entry DEFAULT at line 11
>>>>>>> ++[attr_filter.access_reject] returns updated
>>>>>>> Delaying reject of request 0 for 1 seconds
>>>>>>> Going to the next request
>>>>>>> Waking up in 0.9 seconds.
>>>>>>> Sending delayed reject for request 0
>>>>>>> Sending Access-Reject of id 99 to 212.95.252.25 port 20758
>>>>>>> Waking up in 4.9 seconds.
>>>>>>>
>>>>>>> What I can't work out is whether this is due to an LDAP or a RADIUS
>>>>>>> config problem.
>>>>>>>
>>>>>>
>>>>>> What is the result of the following commands (using a terminal)?
>>>>>> ldapsearch -x -h localhost -b "dc=dxi,dc=net" uid=belld
>>>>>> ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D
>>>>>> "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld
>>>>>>
>>>>>> If they (especially the latter) do not return a value for the
>>>>>> field "userPassword", the problem is on the LDAP side.
>>>>>>
>>>>>> markus
>>>>>>
>>>>>>
>>>>>> ----------------------------------------------------------------------   
>>>>>>    This message was sent using https://webmail.biochem.mpg.de
>>>>>> If you encounter any problems please report to rz-linux at biochem.mpg.de
>>>>>>
>>>>>> ------------------------------------------------------------------------   
>>>>>> -
>>>>>> List info/subscribe/unsubscribe? See     
>>>>>> http://www.freeradius.org/list/users.html
>>>>> Thanks Markus.
>>>>>
>>>>> I thought of that - and had done the 1st search and HAD noticed there
>>>>> was no LDAP password set
>>>>>
>>>>> # extended LDIF
>>>>> #
>>>>> # LDAPv3
>>>>> # base <dc=dxi,dc=net> with scope subtree
>>>>> # filter: uid=belld
>>>>> # requesting: ALL
>>>>> #
>>>>>
>>>>> # belld, people, dxi.net
>>>>> dn: uid=belld,ou=people,dc=dxi,dc=net
>>>>> cn: David Bell
>>>>> gidNumber: 100
>>>>> givenName: David
>>>>> homeDirectory: /home/belld
>>>>> loginShell: /bin/bash
>>>>> objectClass: top
>>>>> objectClass: posixAccount
>>>>> objectClass: shadowAccount
>>>>> objectClass: inetOrgPerson
>>>>> shadowInactive: -1
>>>>> shadowMax: 99999
>>>>> shadowMin: 0
>>>>> shadowWarning: 7
>>>>> sn: Bell
>>>>> uid: belld
>>>>> uidNumber: 1000
>>>>> shadowLastChange: 13920
>>>>>
>>>>> # search result
>>>>> search: 2
>>>>> result: 0 Success
>>>>>
>>>>> # numResponses: 2
>>>>> # numEntries: 1
>>>>> belld at trigger:~>
>>>>>
>>>>> I thought this was because LDAP was handing that aspect over to
>>>>> something else but your second command shows a password.
>>>>>
>>>>> belld at trigger:~> ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D
>>>>> "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld
>>>>> # extended LDIF
>>>>> #
>>>>> # LDAPv3
>>>>> # base <dc=dxi,dc=net> with scope subtree
>>>>> # filter: uid=belld
>>>>> # requesting: ALL
>>>>> #
>>>>>
>>>>> # belld, people, dxi.net
>>>>> dn: uid=belld,ou=people,dc=dxi,dc=net
>>>>> cn: David Bell
>>>>> gidNumber: 100
>>>>> givenName: David
>>>>> homeDirectory: /home/belld
>>>>> loginShell: /bin/bash
>>>>> objectClass: top
>>>>> objectClass: posixAccount
>>>>> objectClass: shadowAccount
>>>>> objectClass: inetOrgPerson
>>>>> shadowInactive: -1
>>>>> shadowMax: 99999
>>>>> shadowMin: 0
>>>>> shadowWarning: 7
>>>>> sn: Bell
>>>>> uid: belld
>>>>> uidNumber: 1000
>>>>> userPassword:: e2NyeXB0fWUvMmlHZW9tWXJHTG8=
>>>>> shadowLastChange: 13920
>>>>>
>>>>> # search result
>>>>> search: 2
>>>>> result: 0 Success
>>>>>
>>>>> # numResponses: 2
>>>>> # numEntries: 1
>>>>> belld at trigger:~>
>>>>>
>>>>> Any further thoughts?
>>>>>
>>>>> David
>>>>
>>>> Not showing a userPassword field using an anonymous bind (the
>>>> first command) is actually expected; as rootdn it should work. I
>>>> assume the following command does reveal the userPassword as
>>>> well:
>>>> ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D
>>>> "uid=belld,ou=people,dc=dxi,dc=net" -w p455w0rd uid=belld
>>>>
>>>> I am wondering why the debug output of freeradius says you're
>>>> binding as administrator; if the command above works this should
>>>> not be necessary. Could you post the ldap section of your
>>>> radiusd.conf?
>>>>
>>>> regards
>>>> markus
>>>>
>>> Config as requested - I did uncomment and configure the identity
>>> section - is this not required?
>>>
>>>       ldap {
>>>               #
>>>               #  Note that this needs to match the name in the LDAP
>>>               #  server certificate, if you're using ldaps.
>>>               server = "localhost"
>>>               identity = "cn=Administrator,dc=dxi,dc=net"
>>>               password = trPic4n03
>>>               basedn = "dc=dxi,dc=net"
>>>               filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>>>               #base_filter = "(objectclass=radiusprofile)"
>>>
>>>               #  How many connections to keep open to the LDAP server.
>>>               #  This saves time over opening a new LDAP socket for
>>>               #  every authentication request.
>>>               ldap_connections_number = 5
>>>
>>>               # seconds to wait for LDAP query to finish. default: 20
>>>               timeout = 4
>>>
>>>               #  seconds LDAP server has to process the query (server-side
>>>               #  time limit). default: 20
>>>               #
>>>               #  LDAP_OPT_TIMELIMIT is set to this value.
>>>               timelimit = 3
>>>
>>>               #
>>>               #  seconds to wait for response of the server. (network
>>>               #   failures) default: 10
>>>               #
>>>               #  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
>>>               net_timeout = 1
>>>               tls {
>>>                       # Set this to 'yes' to use TLS encrypted connections
>>>                       # to the LDAP database by using the StartTLS extended
>>>                       # operation.
>>>                       #
>>>                       # The StartTLS operation is supposed to be
>>>                       # used with normal ldap connections instead of
>>>                       # using ldaps (port 689) connections
>>>                       start_tls = no
>>>
>>>                       # cacertfile    = /path/to/cacert.pem
>>>                       # cacertdir             = /path/to/ca/dir/
>>>                       # certfile              = /path/to/radius.crt
>>>                       # keyfile               = /path/to/radius.key
>>>                       # randfile              = /path/to/rnd
>>>
>>>                       #  Certificate Verification requirements.  Can be:
>>>                       #    "never" (don't even bother trying)
>>>                       #    "allow" (try, but don't fail if the cerificate
>>>                       #               can't be verified)
>>>                       #    "demand" (fail if the certificate    
>>> doesn't verify.)
>>>                       #
>>>                       #       The default is "allow"
>>>                       # require_cert  = "demand"
>>>               }
>>>
>>>               # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
>>>               # profile_attribute = "radiusProfileDn"
>>>               # access_attr = "dialupAccess"
>>>
>>>               # Mapping of RADIUS dictionary attributes to LDAP
>>>               # directory attributes.
>>>               dictionary_mapping = ${confdir}/ldap.attrmap
>>>
>>>               #  Set password_attribute = nspmPassword to get the
>>>               #  user's password from a Novell eDirectory
>>>               #  backend. This will work ONLY IF FreeRADIUS has been
>>>               #  built with the --with-edir configure option.
>>>               #
>>>               # password_attribute = userPassword
>>>
>>>               #  Un-comment the following to disable Novell
>>>               #  eDirectory account policy check and intruder
>>>               #  detection. This will work *only if* FreeRADIUS is
>>>               #  configured to build with --with-edir option.
>>>               #
>>>               edir_account_policy_check = no
>>>
>>>               #
>>>               #  Group membership checking.  Disabled by default.
>>>               #
>>>               # groupname_attribute = cn
>>>               # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>>>               # groupmembership_attribute = radiusGroupName
>>>
>>>               # compare_check_items = yes
>>>               # do_xlat = yes
>>>               # access_attr_used_for_allow = yes
>>>
>>>               #
>>>               #  By default, if the packet contains a User-Password,
>>>               #  and no other module is configured to handle the
>>>               #  authentication, the LDAP module sets itself to do
>>>               #  LDAP bind for authentication.
>>>               #
>>>               #  THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
>>>               #
>>>               #  THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
>>>               #
>>>               #  You can disable this behavior by setting the following
>>>               #  configuration entry to "no".
>>>               #
>>>               #  allowed values: {no, yes}
>>>               # set_auth_type = yes
>>>
>>>               #  ldap_debug: debug flag for LDAP SDK
>>>               #  (see OpenLDAP documentation).  Set this to enable
>>>               #  huge amounts of LDAP debugging on the screen.
>>>               #  You should only use this if you are an LDAP expert.
>>>               #
>>>               #       default: 0x0000 (no debugging messages)
>>>               #       Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
>>>               #ldap_debug = 0x0028
>>>       }
>>>
>>>
>>>
>>>
>>>               #
>>>               #  This subsection configures the tls related items
>>>               #  that control how FreeRADIUS connects to an LDAP
>>>               #  server.  It contains all of the "tls_*" configuration
>>>               #  entries used in older versions of FreeRADIUS.  Those
>>>               #  configuration entries can still be used, but we recommend
>>>               #  using these.
>>>               #
>>>
>>>
>>>
>>
>> AFAIK the identity value has to be configured if you are using
>> the ldap part for more than binding ("check if a password is
>> correct"), e.g. for use with PEAP, as the radius server then needs
>> access to possibly protected fields like sambaLmPassword.
>>
>> What happens/changes if you comment out identity and password
>> (regarding debug output etc.)?
>>
>> m.
>>
>>
>>
> With the identity/password section commented out it is still the same
> Listening on authentication address * port 1812
> Listening on accounting address * port 1813
> Ready to process requests.
> rad_recv: Access-Request packet from host 212.95.252.25 port 31542,
> id=208, length=45
>        User-Name = "belld"
>        User-Password = "p455w0rd"
> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
>    rlm_realm: No '@' in User-Name = "belld", looking up realm NULL
>    rlm_realm: No such realm "NULL"
> ++[suffix] returns noop
>  rlm_eap: No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> ++[files] returns noop
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for belld
> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
>        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
>        expand: dc=dxi,dc=net -> dc=dxi,dc=net
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to localhost:389, authentication 0
> rlm_ldap: bind as / to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP.  Are you sure that
> the user is configured correctly?
> rlm_ldap: user belld authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> rlm_pap: WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user
> auth: Failed to validate the user.
> Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0)
>  Found Post-Auth-Type Reject
> +- entering group REJECT
>        expand: %{User-Name} -> belld
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 208 to 212.95.252.25 port 31542
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 208 with timestamp +3
> Ready to process requests.
>
> Anything else you can suggest poking at?
>
> Thanks again for your time
>

Hmm, I'll test this tomorrow on my (virtual) testing machine (it is
running sles10sp1) and post my config and log output; maybe this
reveals something...

regards
   markus
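Added example, not from the thread: a small Python triage script for the radiusd -X excerpts quoted above. It reads which DN rlm_ldap bound as (the second run shows "bind as / to", i.e. an anonymous bind), whether the user entry was found, whether a "known good" password check item was produced, and whether an Auth-Type was selected, then lists the checks the thread walks through. The sample input is constructed from the lines quoted above; the bind password in the second sample is a placeholder.

```python
import re

# Constructed sample: the relevant lines of the second radiusd -X run quoted
# above (identity/password commented out, so rlm_ldap binds anonymously).
ANON_BIND_RUN = """\
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
WARNING: No "known good" password was found in LDAP.  Are you sure that
the user is configured correctly?
rlm_ldap: user belld authorized to use remote access
++[ldap] returns ok
rlm_pap: WARNING! No "known good" password found for the user.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
Sending Access-Reject of id 208 to 212.95.252.25 port 31542
"""

# Constructed bind line in the shape of the first run (bind DN/password).
ADMIN_BIND_LINE = "rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/SECRET to localhost:389\n"

# The debug output prints the bind as "bind as <dn>/<password> to <host:port>";
# an anonymous bind shows up as "bind as / to".
BIND_RE = re.compile(r"^rlm_ldap: bind as (?P<dn>[^/]*)/(?P<pw>.*?) to ", re.M)


def diagnose(debug_text):
    """Extract the facts that decide why ldap/pap rejected the request."""
    m = BIND_RE.search(debug_text)
    bind_dn = m.group("dn").strip() if m else ""
    return {
        "bind_dn": bind_dn or None,  # None means anonymous bind
        "bind_ok": "Bind was successful" in debug_text,
        "user_found": "authorized to use remote access" in debug_text,
        "known_good_pw": 'No "known good" password' not in debug_text,
        "auth_type_set": "No authenticate method (Auth-Type)" not in debug_text,
        "accepted": "Sending Access-Accept" in debug_text,
    }


def findings(facts):
    """Turn the facts into the checks the thread walks through, in order."""
    out = []
    if not facts["bind_ok"]:
        out.append("LDAP bind failed: check server/identity/password in the ldap section")
    if facts["bind_dn"] is None and not facts["known_good_pw"]:
        out.append("anonymous bind: OpenLDAP does not return userPassword to anonymous clients")
    if facts["user_found"] and not facts["known_good_pw"]:
        out.append("user found but no password check item: test with ldapsearch -D <bind dn>")
    if not facts["auth_type_set"]:
        out.append("no Auth-Type selected: pap had nothing to compare, nothing else claimed it")
    return out
```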

