freeradius with multiple ldap servers

Sambuddho Chakravarty sc2516 at columbia.edu
Wed Jul 2 23:09:21 CEST 2008


Hello Alan
  I made sure this time that rlm_ldap was compiled. Now the configuration
is the following:

------/etc/raddb/modules/ldap-----------

ldap ldap1 {
	server = "a.b.c.d"
	...
}

ldap ldap2 {
	server = "w.x.y.z"
	...
}

-----/etc/raddb/radiusd.conf-----


authorize {
	ldap1
	ldap2
}

authenticate {
	ldap1
	ldap2
}

------------------------------------

When I execute /sbin/radiusd -X, it shows module ldap1 and module ldap2
being instantiated:

....
 Module: Instantiating ldap2
  ldap ldap1 {
        server = "a.b.c.d"
        port = 389
....
 Module: Instantiating ldap2
  ldap ldap2 {
        server = "w.x.y.z"
        port = 389
....

When sending a radtest request using the following command (from the
same machine as the one running the server)

$ radtest user "secret" localhost 2 testing123

I get an ACCESS-REJECT reply from the server.

On the server the logs show something like this:
---------------------------------------------------
It shows binding to both LDAP servers one by one, through something like
this:

rlm_ldap: performing user authorization for catch
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
        expand: ou=People,dc=example,dc=example ->
ou=People,dc=example,dc=example
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0
rlm_ldap: bind as / to 30.0.0.2:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,dc=example,dc=example, with
filter (uid=catch)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap1] returns notfound
rlm_ldap: - authorize
rlm_ldap: performing user authorization for catch
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
        expand: ou=People,dc=example,dc=example ->
ou=People,dc=example,dc=example
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0
rlm_ldap: bind as / to 10.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,dc=example,dc=example, with
filter (uid=catch)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap2] returns notfound

auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.

You can see it is attempting to search both databases but fails. If I
use a simple telnet or ssh to authenticate against the LDAP server it
logs in fine. LDAP client login against the LDAP server is otherwise
working fine. I know I have been bothering you with trivial questions, but
any help would be appreciated :-)

Thanks in advance.
Sambuddho



On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote:
> Sambuddho Chakravarty wrote:
> >  This is exactly what I did . I forgot to put the separate module names
> 
>   The consistent problems you see make me think that the issue is more
> than "forgot".
> 
> > And now when I try to start the server this is what the error I see :
> > 
> > 
> > server {
> >  modules {
> >  Module: Checking authenticate {...} for more modules to load
> > //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap':
> 
>   So.... was that module built?  Apparently not...
> 
> > When trying with a single server ,it matches the radius request against
> > rlm_pap and not rlm_ldap. I am confused. 
> 
>   Perhaps reading the debug output (and that of "configure" and "make")
> would help.
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
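Added diagnostic, not part of the thread and not a FreeRADIUS tool: a small Python script that parses the rlm_ldap debug lines quoted above into one record per module call and turns them into the findings a defender would check first (binds succeeded, the searches matched nothing, the binds were anonymous, and with no Auth-Type set the request is rejected before any password check). The sample is the post's own output re-joined onto single lines; the record field names are my own.

```python
import re

# Constructed sample: the rlm_ldap lines quoted above, e-mail line wrapping undone.
SAMPLE_DEBUG = """\
rlm_ldap: bind as / to 30.0.0.2:389
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,dc=example,dc=example, with filter (uid=catch)
++[ldap1] returns notfound
rlm_ldap: bind as / to 10.0.0.1:389
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,dc=example,dc=example, with filter (uid=catch)
++[ldap2] returns notfound
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
"""

BIND = re.compile(r"bind as (.*?)/.* to (\S+:\d+)")   # group 1 empty => anonymous bind
SEARCH = re.compile(r"performing search in (.+), with filter (\(.+\))")
RETURN = re.compile(r"^\+\+\[(\w+)\] returns (\w+)")   # "++[ldap1] returns notfound"


def parse_debug(text):
    """One record per module call; the '++[name] returns rc' line closes a record."""
    calls, cur = [], {}
    for line in text.splitlines():
        if m := BIND.search(line):
            cur["bind_identity"], cur["server"] = m.groups()
        elif "Bind was successful" in line:
            cur["bind_ok"] = True
        elif m := SEARCH.search(line):
            cur["base_dn"], cur["filter"] = m.groups()
        elif m := RETURN.match(line):
            cur["module"], cur["rc"] = m.groups()
            calls.append(cur)
            cur = {}
    rejected = "No authenticate method (Auth-Type)" in text
    return calls, rejected


def diagnose(calls, rejected):
    """Findings in the order a defender should check them: the lookup, not connectivity, is failing."""
    findings = []
    for c in calls:
        if c.get("bind_ok") and c.get("rc") == "notfound":
            findings.append(f"{c['module']}: bind to {c['server']} worked but {c['filter']} under "
                            f"{c['base_dn']} matched nothing; verify basedn, filter and the entry")
        if c.get("bind_identity") == "":
            findings.append(f"{c['module']}: anonymous bind; the directory may hide entries from it")
    if rejected and calls and all(c.get("rc") == "notfound" for c in calls):
        findings.append("no instance found the user, so nothing set Auth-Type and the "
                        "request was rejected before any password was checked")
    return findings
```

Run it over a full `radiusd -X` capture to get the same per-instance summary for every LDAP call in the request.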
