one RADIUS server per realm setup

Wm. Josiah Erikson wjerikson at hampshire.edu
Fri Jan 25 19:28:20 CET 2008


I see. I can, indeed, remove Auth-Type := LDAP from the users file and 
it still works. Cool!

However, the behavior described in the documentation is not what I'm 
seeing, and I'm still getting (contrary to what I said in my previous 
email) authorization requests not being proxied, even though I have, in 
my authorize section, the "suffix" directive previous to "files" and 
"ldap", which is where I check the LDAP group....

If my realm is @hampshire.edu, everything works as I want it to, because 
it doesn't proxy. But when I try to authenticate as a fake user in my 
test proxy realm (I just want to see it try to proxy), it looks in the 
local LDAP database! Huh? It says it's preparing to proxy 
<authentication>, as it should... how do I make it either proxy 
authorization as well, or skip authorization for non-local domains? How 
should I go about this?

I must be misunderstanding something. I don't want it to do anything 
locally if I've set it to proxy! I get the following relevant output 
from freeradius -X:

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 34022, id=118, length=66
        User-Name = "dude@testdomain.edu"
        User-Password = "passwowrd"
        NAS-IP-Address = 172.20.66.104
        NAS-Port = 1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: Looking up realm "testdomain.edu" for User-Name = "dude@testdomain.edu"
    rlm_realm: Found realm "testdomain.edu"
    rlm_realm: Adding Stripped-User-Name = "dude"
    rlm_realm: Proxying request from user dude to realm testdomain.edu
    rlm_realm: Adding Realm = "testdomain.edu"
    rlm_realm: Preparing to proxy authentication request to realm "testdomain.edu"
++[suffix] returns updated
++[unix] returns notfound
rlm_ldap: Entering ldap_groupcmp()
        expand: dc=hampshire, dc=edu -> dc=hampshire, dc=edu
        expand: (uid=%{Stripped-User-Name}) -> (uid=dude)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.hampshire.edu:389, authentication 0
rlm_ldap: bind as uid=tu, ou=account, dc=hampshire, dc=edu/tp to 
ldap.hampshire.edu:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=hampshire, dc=edu, with filter (uid=dude)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
        expand: dc=hampshire, dc=edu -> dc=hampshire, dc=edu
        expand: (uid=%{Stripped-User-Name}) -> (uid=dude)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=hampshire, dc=edu, with filter (uid=dude)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
        expand: dc=hampshire, dc=edu -> dc=hampshire, dc=edu
        expand: (uid=%{Stripped-User-Name}) -> (uid=dude)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=hampshire, dc=edu, with filter (uid=dude)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 219
++[files] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for dude
        expand: (uid=%{Stripped-User-Name}) -> (uid=dude)
        expand: dc=hampshire, dc=edu -> dc=hampshire, dc=edu
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=hampshire, dc=edu, with filter (uid=dude)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> dude@testdomain.edu
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 118 to 127.0.0.1 port 34022
        Reply-Message = "Only current faculty, staff or students are allowed to log in."
Waking up in 4.9 seconds.
Cleaning up request 0 ID 118 with timestamp +2
Ready to process requests.



Alan DeKok wrote:
> Wm. Josiah Erikson wrote:
>   
>>        #  Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG.  We
>>        #  really can't emphasize this enough.
>>
>> Uh. OK. That's exactly what I'm doing, and it's working :) 
>>     
>
>   Then it works.  It's fine.
>
>   That message is for the majority of people who force LDAP to be used
> for authentication, and the wonder why EAP doesn't work.
>
>   Remember: LDAP is a database.  It's not an authentication server.
>
>   
>> However, is there a better way to do this that I'm not understanding?
>> Why shouldn't I set Auth-Type := LDAP ?
>>     
>
>   You probably don't need to set it.  If you simply deleted that from
> the "users" file, your configuration would probably still work.
>
>   Alan DeKok.
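One way to keep local authorization out of requests that are about to be proxied, added here as an illustration and not taken from the post or from the FreeRADIUS distribution: wrap the local modules in an unlang condition on the Proxy-To-Realm control item that rlm_realm sets when it decides to proxy. This assumes FreeRADIUS 2.x unlang syntax (the `+- entering group authorize` debug format points to 2.x); the module instance names `suffix`, `files` and `ldap` come from the debug output above, while the `control:` list prefix is assumed for this version.

```conf
# Added example (not from the post or the FreeRADIUS distribution).
# authorize section that consults the local users file and LDAP only
# when rlm_realm has NOT marked the request for proxying.
# Assumes FreeRADIUS 2.x unlang and the module instance names seen in
# the debug output ("suffix" = rlm_realm, "files", "ldap").
authorize {
    preprocess
    chap
    mschap

    # Splits "dude@testdomain.edu" into Stripped-User-Name = "dude" and
    # Realm = "testdomain.edu".  For a realm that is served by a remote
    # home server it also sets the control item Proxy-To-Realm; for the
    # local realm (no home server / LOCAL) that item stays unset.
    suffix

    # Without this guard the group check items in "users" (the three
    # ldap_groupcmp() calls in the debug log) and rlm_ldap's own
    # authorize pass run against the local directory even for a request
    # that is about to be proxied, and a local DEFAULT entry rejects it
    # before the proxy ever happens.
    if (!control:Proxy-To-Realm) {
        files
        ldap
    }
}
```

With this in place a request for a foreign realm should show `++[suffix] returns updated` followed by the proxy, with no `rlm_ldap:` lines in between. Note also that rlm_ldap's `-X` output prints the bind DN together with its password on the `bind as ...` line, so scrub that line before sharing debug output.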
