Force Auth-Type
Markus Moeller
huaraz at moeller.plus.com
Wed Jan 23 23:12:02 CET 2008
Hi,
I am new to FreeRADIUS and am trying to authenticate users with PAM and authorize
them with LDAP groups. I am trying to find a minimal configuration but have some
problems forcing the Auth-Type to be PAM.
I have radiusd.conf:
# radiusd.conf (FreeRADIUS, as posted): installation paths, listeners, logging
# and security limits. Lines marked NOTE(review) were added by a reviewer.
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
# NOTE(review): every other reference on this file uses ${name}; "$(raddbdir)"
# is most likely a typo for ${raddbdir} and would not be expanded -- confirm.
db_dir = $(raddbdir)
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
# Authentication listener bound to every local address (ipaddr = *). Requests
# are only accepted from the NAS clients defined in the included clients.conf,
# so that file controls exposure. port = 0 presumably selects the default
# RADIUS authentication port -- confirm for the installed version.
listen {
ipaddr = *
port = 0
type = auth
}
# Accounting listener; same address and port handling as above.
listen {
ipaddr = *
port = 0
type = acct
}
hostname_lookups = no
# A core file could contain the LDAP bind password and user passwords held in
# memory, so dumps stay disabled.
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
destination = files
syslog_facility = daemon
file = ${logdir}/radius.log
stripped_names = no
# Authentication results go to radius.log, but neither bad nor good passwords
# are written there. Note that "radiusd -X" debug output (further down in the
# post) still prints User-Password in clear.
auth = yes
auth_badpass = no
auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
# Each Access-Reject is held back for one second (seen as "Delaying reject"
# in the debug output), which throttles repeated password guesses.
reject_delay = 1
status_server = no
}
proxy_requests = no
# Trusted NAS clients and their shared secrets live in clients.conf.
$INCLUDE clients.conf
snmp = no
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
# Module instances. Only the modules referenced from sites-enabled/default
# are defined; there is no rlm_files ("users") instance, so nothing in
# authorize assigns an Auth-Type unless the ldap module does it.
modules {
# PAM service name used for the password check (the "pam" step in
# authenticate).
pam {
pam_auth = radiusd
}
ldap {
server = "192.168.2.1"
# Port 636 together with tls_mode = yes and start_tls = no means LDAP over
# TLS from the start (the debug output shows "starting SSL" before the bind).
port = 636
# NOTE(review): the bind credentials are stored in clear text here and are
# echoed by "radiusd -X" in the "bind as ..." line of the debug output. Keep
# this file readable only by the radiusd user and give the bind DN no more
# than read access to the search base.
identity = "uid=ldapadmin,ou=external,dc=example,dc=com"
password = controllme
basedn = "ou=external,dc=example,dc=com"
# The ":-" default expansion is deprecated (see the WARNING in the debug
# output); the nested form %{%{Stripped-User-Name}:-%{User-Name}} is the
# documented replacement -- confirm against "man unlang" for the running
# version.
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
tls_mode = yes
tls {
start_tls = no
# CA directory used for the LDAP server certificate. No require_cert setting
# is visible, so whether certificate validation is actually enforced cannot
# be told from this file -- confirm.
cacertdir = /etc/certs
}
# With set_auth_type = no the module never sets Auth-Type = LDAP; this is why
# the request in the debug output reaches authenticate without an Auth-Type
# and is rejected, and why the poster's workaround (= yes) succeeds.
set_auth_type = no
}
# Accounting detail log (used from the accounting section): one file per
# client per day, owner-readable only, with User-Password stripped from the
# record. The detailfile value is shown wrapped across two lines here.
detail {
detailfile =
${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
header = "%t"
suppress {
User-Password
}
}
# Pre-authentication request log (used from authorize); User-Password is
# suppressed so the clear-text password is not written to disk.
detail auth_log {
detailfile =
${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
detailperm = 0600
suppress {
User-Password
}
}
# Reply log; defined but not referenced from the sites-enabled/default shown
# in this post. It has no suppress block.
detail reply_log {
detailfile =
${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
detailperm = 0600
}
# Attributes combined into a unique key for each accounting session (used
# from preacct). The key value is shown wrapped across two lines here.
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
}
# Virtual servers; the "default" file is shown next in the post.
$INCLUDE sites-enabled/
sites-enabled/default:
# sites-enabled/default (as posted).
# NOTE(review): nothing in authorize sets Auth-Type -- the ldap module has
# set_auth_type = no and no users file / rlm_files instance is configured --
# so the request leaves authorize without one and the core rejects it ("No
# authenticate method (Auth-Type) configuration found" in the debug output).
# Assigning the check item Auth-Type := PAM during authorize (for example
# from a users file) would route every request into the pam step below;
# confirm the exact syntax for the installed version.
authorize {
# Records each Access-Request to the auth-detail file (User-Password
# suppressed) before the LDAP lookup.
auth_log
# Looks the user up in LDAP. The debug output shows no "known good" password
# is found there, so this step can only authorize, not authenticate.
ldap
}
authenticate {
# Password check against the PAM service "radiusd"; presumably selected only
# when the request carries Auth-Type = PAM -- confirm.
pam
}
preacct {
# Builds a unique accounting session key from the attributes configured in
# the acct_unique module.
acct_unique
}
accounting {
# Writes accounting packets to the per-client detail file.
detail
}
ldap.attrmap:
# ldap.attrmap (as posted): maps LDAP attributes to RADIUS check and reply
# items. "$GENERIC$" presumably means the named LDAP attribute holds free-form
# "Attribute op Value" items rather than one fixed RADIUS attribute -- confirm.
# The "looking for check items / reply items in directory" lines in the debug
# output come from this mapping.
checkItem $GENERIC$ radiusCheckItem
replyItem $GENERIC$ radiusReplyItem
If I run radiusd -X I get:
rad_recv: Access-Request packet from host 127.0.0.1 port 63402, id=76,
length=58
User-Name = "fred"
User-Password = "hamster"
NAS-IP-Address = 192.168.1.1
NAS-Port = 0
+- entering group authorize
expand:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20080123
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20080123
expand: %t -> Wed Jan 23 19:53:47 2008
++[auth_log] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for fred
WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=fred)
expand: ou=external,dc=example,dc=com ->
ou=external,dc=example,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: setting TLS CACert Directory to /etc/certs
rlm_ldap: starting SSL
rlm_ldap: (re)connect to 10.129.189.34:5636, authentication 0
rlm_ldap: bind as uid=ldapadmin,ou=external,dc=example,dc=com/controlme to
192.2.1.1:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=networks,ou=external,dc=example,dc=com,
with filter (uid=fred)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the
user is configured correctly?
rlm_ldap: user fred authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [fred/hamster] (from client localhost port 0)
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 189 to 127.0.0.1 port 63418
Waking up in 4.9 seconds.
Cleaning up request 0 ID 189 with timestamp +3
Ready to process requests.
Only if I set set_auth_type = yes for the ldap module in radiusd.conf and change
authorize in default to:
# Sub-section selected when the request carries Auth-Type = LDAP, which the
# ldap module assigns once set_auth_type = yes; it runs pam for the actual
# password check. NOTE(review): Auth-Type sub-sections normally belong in the
# authenticate section rather than authorize -- confirm where this was placed.
Auth-Type LDAP {
pam
}
I get a successful login.
Is there any other way to force Auth-Type to be PAM for all users?
Is there also a way to disable the use of the ldap.attrmap attribute mapping, as I
really don't need it?
Thank you
Markus