Freeradius with OpenLDAP (Suse Enterprise 10)
Markus Krause
krause at biochem.mpg.de
Tue Feb 12 22:33:54 CET 2008
Zitat von David W Bell <david at chaoscrypt.com>:
> Markus Krause wrote:
>> Zitat von David W Bell <david at chaoscrypt.com>:
>>> Markus Krause wrote:
>>>> Zitat von David W Bell <david at chaoscrypt.com>:
>>>>
>>>>> Markus Krause wrote:
>>>>>> Zitat von David W Bell <david at chaoscrypt.com>:
>>>>>>
>>>>>>> LDAP is installed and working out of the box, having been set to be
>>>>>>> used for authenication during the SUSE install.
>>>>>>>
>>>>>>> This is proven by the ability to log in to the box, both
>>>>>>> locally and via SSH
>>>>>>>
>>>>>>> I installed freeRADIUS from the latest source and it is working also.
>>>>>>>
>>>>>>> freeRADIUS seems unable to find a password for the user during
>>>>>>> Authenication.
>>>>>>>
>>>>>>> I issue the following on my workstation
>>>>>>>
>>>>>>> david at belld-ubuntu:~$ echo "User-Name = belld,Password=p455w0rd" |
>>>>>>> radclient 212.95.255.242:1812 auth testing
>>>>>>> Received response ID 99, code 3, length = 20
>>>>>>>
>>>>>>> And see the following from freeRADIUS Listening on authentication
>>>>>>> address * port 1812
>>>>>>> Listening on accounting address * port 1813
>>>>>>> Ready to process requests.
>>>>>>> rad_recv: Access-Request packet from host 212.95.252.25 port 20758,
>>>>>>> id=99, length=45
>>>>>>> User-Name = "belld"
>>>>>>> User-Password = "p455w0rd"
>>>>>>> +- entering group authorize
>>>>>>> ++[preprocess] returns ok
>>>>>>> ++[chap] returns noop
>>>>>>> ++[mschap] returns noop
>>>>>>> rlm_realm: No '@' in User-Name = "belld", looking up realm NULL
>>>>>>> rlm_realm: No such realm "NULL"
>>>>>>> ++[suffix] returns noop
>>>>>>> rlm_eap: No EAP-Message, not doing EAP
>>>>>>> ++[eap] returns noop
>>>>>>> ++[unix] returns notfound
>>>>>>> ++[files] returns noop
>>>>>>> rlm_ldap: - authorize
>>>>>>> rlm_ldap: performing user authorization for belld
>>>>>>> WARNING: Deprecated conditional expansion ":-". See "man
>>>>>>> unlang" for details
>>>>>>> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
>>>>>>> expand: dc=dxi,dc=net -> dc=dxi,dc=net
>>>>>>> rlm_ldap: ldap_get_conn: Checking Id: 0
>>>>>>> rlm_ldap: ldap_get_conn: Got Id: 0
>>>>>>> rlm_ldap: attempting LDAP reconnection
>>>>>>> rlm_ldap: (re)connect to localhost:389, authentication 0
>>>>>>> rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to
>>>>>>> localhost:389
>>>>>>> rlm_ldap: waiting for bind result ...
>>>>>>> rlm_ldap: Bind was successful
>>>>>>> rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
>>>>>>> rlm_ldap: looking for check items in directory...
>>>>>>> rlm_ldap: looking for reply items in directory...
>>>>>>> WARNING: No "known good" password was found in LDAP. Are you sure that
>>>>>>> the user is configured correctly?
>>>>>>> rlm_ldap: user belld authorized to use remote access
>>>>>>> rlm_ldap: ldap_release_conn: Release Id: 0
>>>>>>> ++[ldap] returns ok
>>>>>>> ++[expiration] returns noop
>>>>>>> ++[logintime] returns noop
>>>>>>> rlm_pap: WARNING! No "known good" password found for the user.
>>>>>>> Authentication may fail because of this.
>>>>>>> ++[pap] returns noop
>>>>>>> auth: No authenticate method (Auth-Type) configuration found for the
>>>>>>> request: Rejecting the user
>>>>>>> auth: Failed to validate the user.
>>>>>>> Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0)
>>>>>>> Found Post-Auth-Type Reject
>>>>>>> +- entering group REJECT
>>>>>>> expand: %{User-Name} -> belld
>>>>>>> attr_filter: Matched entry DEFAULT at line 11
>>>>>>> ++[attr_filter.access_reject] returns updated
>>>>>>> Delaying reject of request 0 for 1 seconds
>>>>>>> Going to the next request
>>>>>>> Waking up in 0.9 seconds.
>>>>>>> Sending delayed reject for request 0
>>>>>>> Sending Access-Reject of id 99 to 212.95.252.25 port 20758
>>>>>>> Waking up in 4.9 seconds.
>>>>>>>
>>>>>>> What I cant work out is whether this is due to an LDAP or a RADIUS
>>>>>>> config problem.
>>>>>>>
>>>>>>
>>>>>> what is the result of the following commands (using a terminal):
>>>>>> ldapsearch -x -h localhost -b "dc=dxi,dc=net" uid=belld
>>>>>> ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D
>>>>>> "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld
>>>>>>
>>>>>> if they (especially the latter) do not return a value for the
>>>>>> field "userPassword" the problem is on the LDAP side.
>>>>>>
>>>>>> markus
>>>>>>
>>>>>>
>>>>>> ----------------------------------------------------------------------
>>>>>> This message was sent using https://webmail.biochem.mpg.de
>>>>>> If you encounter any problems please report to rz-linux at biochem.mpg.de
>>>>>>
>>>>>> ------------------------------------------------------------------------
>>>>>> -
>>>>>> List info/subscribe/unsubscribe? See
>>>>>> http://www.freeradius.org/list/users.html
>>>>> Thanks Markus.
>>>>>
>>>>> I thought of that - and had done the 1st search and HAD noticed there
>>>>> was no LDAP password set
>>>>>
>>>>> # extended LDIF
>>>>> #
>>>>> # LDAPv3
>>>>> # base <dc=dxi,dc=net> with scope subtree
>>>>> # filter: uid=belld
>>>>> # requesting: ALL
>>>>> #
>>>>>
>>>>> # belld, people, dxi.net
>>>>> dn: uid=belld,ou=people,dc=dxi,dc=net
>>>>> cn: David Bell
>>>>> gidNumber: 100
>>>>> givenName: David
>>>>> homeDirectory: /home/belld
>>>>> loginShell: /bin/bash
>>>>> objectClass: top
>>>>> objectClass: posixAccount
>>>>> objectClass: shadowAccount
>>>>> objectClass: inetOrgPerson
>>>>> shadowInactive: -1
>>>>> shadowMax: 99999
>>>>> shadowMin: 0
>>>>> shadowWarning: 7
>>>>> sn: Bell
>>>>> uid: belld
>>>>> uidNumber: 1000
>>>>> shadowLastChange: 13920
>>>>>
>>>>> # search result
>>>>> search: 2
>>>>> result: 0 Success
>>>>>
>>>>> # numResponses: 2
>>>>> # numEntries: 1
>>>>> belld at trigger:~>
>>>>>
>>>>> I thought this was because LDAP was handing that aspect over to
>>>>> something else but your second command shows a password.
>>>>>
>>>>> belld at trigger:~> ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D
>>>>> "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld
>>>>> # extended LDIF
>>>>> #
>>>>> # LDAPv3
>>>>> # base <dc=dxi,dc=net> with scope subtree
>>>>> # filter: uid=belld
>>>>> # requesting: ALL
>>>>> #
>>>>>
>>>>> # belld, people, dxi.net
>>>>> dn: uid=belld,ou=people,dc=dxi,dc=net
>>>>> cn: David Bell
>>>>> gidNumber: 100
>>>>> givenName: David
>>>>> homeDirectory: /home/belld
>>>>> loginShell: /bin/bash
>>>>> objectClass: top
>>>>> objectClass: posixAccount
>>>>> objectClass: shadowAccount
>>>>> objectClass: inetOrgPerson
>>>>> shadowInactive: -1
>>>>> shadowMax: 99999
>>>>> shadowMin: 0
>>>>> shadowWarning: 7
>>>>> sn: Bell
>>>>> uid: belld
>>>>> uidNumber: 1000
>>>>> userPassword:: e2NyeXB0fWUvMmlHZW9tWXJHTG8=
>>>>> shadowLastChange: 13920
>>>>>
>>>>> # search result
>>>>> search: 2
>>>>> result: 0 Success
>>>>>
>>>>> # numResponses: 2
>>>>> # numEntries: 1
>>>>> belld at trigger:~>
>>>>>
>>>>> Any further thoughts?
>>>>>
>>>>> David
>>>>
>>>> not showing a userPassword field using an anonymous bind (the
>>>> first command) as actually expected, as rootdn it should work. i
>>>> assume the following command does reveal the userPassword as
>>>> well:
>>>> ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D
>>>> "uid=belld,ou=people,dc=dxi,dc=net" -w p455w0rd uid=belld
>>>>
>>>> i am wondering why the debug output of the freeradius says your
>>>> binding as administrator, if the command above works this should
>>>> not be necessary .. could you post your ldap section of your
>>>> radiusd.conf?
>>>>
>>>> regards
>>>> markus
>>>>
>>>> ----------------------------------------------------------------------
>>>> This message was sent using https://webmail.biochem.mpg.de
>>>> If you encounter any problems please report to rz-linux at biochem.mpg.de
>>>>
>>>> ------------------------------------------------------------------------ -
>>>> List info/subscribe/unsubscribe? See
>>>> http://www.freeradius.org/list/users.html
>>> Config as requested - I did uncomment and configure the identity
>>> section - is this not required?
>>>
>>> ldap {
>>> #
>>> # Note that this needs to match the name in the LDAP
>>> # server certificate, if you're using ldaps.
>>> server = "localhost"
>>> identity = "cn=Administrator,dc=dxi,dc=net"
>>> password = trPic4n03
>>> basedn = "dc=dxi,dc=net"
>>> filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>>> #base_filter = "(objectclass=radiusprofile)"
>>>
>>> # How many connections to keep open to the LDAP server.
>>> # This saves time over opening a new LDAP socket for
>>> # every authentication request.
>>> ldap_connections_number = 5
>>>
>>> # seconds to wait for LDAP query to finish. default: 20
>>> timeout = 4
>>>
>>> # seconds LDAP server has to process the query (server-side
>>> # time limit). default: 20
>>> #
>>> # LDAP_OPT_TIMELIMIT is set to this value.
>>> timelimit = 3
>>>
>>> #
>>> # seconds to wait for response of the server. (network
>>> # failures) default: 10
>>> #
>>> # LDAP_OPT_NETWORK_TIMEOUT is set to this value.
>>> net_timeout = 1
>>> tls {
>>> # Set this to 'yes' to use TLS encrypted connections
>>> # to the LDAP database by using the StartTLS extended
>>> # operation.
>>> #
>>> # The StartTLS operation is supposed to be
>>> # used with normal ldap connections instead of
>>> # using ldaps (port 689) connections
>>> start_tls = no
>>>
>>> # cacertfile = /path/to/cacert.pem
>>> # cacertdir = /path/to/ca/dir/
>>> # certfile = /path/to/radius.crt
>>> # keyfile = /path/to/radius.key
>>> # randfile = /path/to/rnd
>>>
>>> # Certificate Verification requirements. Can be:
>>> # "never" (don't even bother trying)
>>> # "allow" (try, but don't fail if the cerificate
>>> # can't be verified)
>>> # "demand" (fail if the certificate
>>> doesn't verify.)
>>> #
>>> # The default is "allow"
>>> # require_cert = "demand"
>>> }
>>>
>>> # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
>>> # profile_attribute = "radiusProfileDn"
>>> # access_attr = "dialupAccess"
>>>
>>> # Mapping of RADIUS dictionary attributes to LDAP
>>> # directory attributes.
>>> dictionary_mapping = ${confdir}/ldap.attrmap
>>>
>>> # Set password_attribute = nspmPassword to get the
>>> # user's password from a Novell eDirectory
>>> # backend. This will work ONLY IF FreeRADIUS has been
>>> # built with the --with-edir configure option.
>>> #
>>> # password_attribute = userPassword
>>>
>>> # Un-comment the following to disable Novell
>>> # eDirectory account policy check and intruder
>>> # detection. This will work *only if* FreeRADIUS is
>>> # configured to build with --with-edir option.
>>> #
>>> edir_account_policy_check = no
>>>
>>> #
>>> # Group membership checking. Disabled by default.
>>> #
>>> # groupname_attribute = cn
>>> # groupmembership_filter =
>>> "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" # groupmembership_attribute =
>>> radiusGroupName
>>>
>>> # compare_check_items = yes
>>> # do_xlat = yes
>>> # access_attr_used_for_allow = yes #
>>> # By default, if the packet contains a User-Password,
>>> # and no other module is configured to handle the
>>> # authentication, the LDAP module sets itself to do
>>> # LDAP bind for authentication.
>>> #
>>> # THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
>>> #
>>> # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
>>> #
>>> # You can disable this behavior by setting the following
>>> # configuration entry to "no".
>>> #
>>> # allowed values: {no, yes}
>>> # set_auth_type = yes
>>>
>>> # ldap_debug: debug flag for LDAP SDK
>>> # (see OpenLDAP documentation). Set this to enable
>>> # huge amounts of LDAP debugging on the screen.
>>> # You should only use this if you are an LDAP expert.
>>> #
>>> # default: 0x0000 (no debugging messages)
>>> # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
>>> #ldap_debug = 0x0028
>>> }
>>>
>>>
>>>
>>>
>>> #
>>> # This subsection configures the tls related items
>>> # that control how FreeRADIUS connects to an LDAP
>>> # server. It contains all of the "tls_*" configuration
>>> # entries used in older versions of FreeRADIUS. Those
>>> # configuration entries can still be used, but we recommend
>>> # using these.
>>> #
>>>
>>>
>>>
>>
>> afaik the identity values has to be configured, if you are using
>> the ldap part for more than binding ("check if a password is
>> correct") e.g. for use with PEAP as the radius server then needs
>> access to possibly protected fields like sambalmpassword.
>>
>> what happens/changes if you comment out identity and password?
>> (regarding debug etc.)
>>
>> m.
>>
>>
>>
>> ----------------------------------------------------------------------
>> This message was sent using https://webmail.biochem.mpg.de
>> If you encounter any problems please report to rz-linux at biochem.mpg.de
>>
>> ------------------------------------------------------------------------
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
> With the identity/password section commented out it is still the same
> Listening on authentication address * port 1812
> Listening on accounting address * port 1813
> Ready to process requests.
> rad_recv: Access-Request packet from host 212.95.252.25 port 31542,
> id=208, length=45
> User-Name = "belld"
> User-Password = "p455w0rd"
> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> rlm_realm: No '@' in User-Name = "belld", looking up realm NULL
> rlm_realm: No such realm "NULL"
> ++[suffix] returns noop
> rlm_eap: No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> ++[files] returns noop
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for belld
> WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
> expand: dc=dxi,dc=net -> dc=dxi,dc=net
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to localhost:389, authentication 0
> rlm_ldap: bind as / to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP. Are you sure that
> the user is configured correctly?
> rlm_ldap: user belld authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> rlm_pap: WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user
> auth: Failed to validate the user.
> Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0)
> Found Post-Auth-Type Reject
> +- entering group REJECT
> expand: %{User-Name} -> belld
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 208 to 212.95.252.25 port 31542
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 208 with timestamp +3
> Ready to process requests.
>
> Anything else you can suggest poking at ?
>
> Thanks again for your time
>
hmm, i'll test this tomorrow on my (virtual) testing machine (it is
running sles10sp1) and post my config and log output, maybe this
reveals something...
regards
markus
----------------------------------------------------------------------
This message was sent using https://webmail.biochem.mpg.de
If you encounter any problems please report to rz-linux at biochem.mpg.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3966 bytes
Desc: S/MIME krytographische Unterschrift
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080212/4d3288d3/attachment.bin>
More information about the Freeradius-Users
mailing list