freeradius with multiple ldap servers

Ivan Kalik tnt at kalik.net
Thu Jul 3 00:45:10 CEST 2008


http://wiki.freeradius.org/index.php/Rlm_ldap

See use of password_header and password_attribute.

Ivan Kalik
Kalik Informatika ISP


On 2/7/2008, "Sambuddho Chakravarty" <sc2516 at columbia.edu> writes:

>Hello
> I think I know what the problem is. The radius server is looking up
>using the cleartext password, while the LDAP database stores the hashed
>passwords. How can I force the radius server to search for the password
>as a hashed value (rather than searching for the clear-text value)?
>
>Thanks
>Sambuddho
>On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
>> Hello Alan
>>   I made sure this time that rlm_ldap was compiled. Now the following is
>> the configuration
>>
>> ------/etc/raddb/modules/ldap-----------
>>
>> ldap ldap1 {
>> 	server = "a.b.c.d"
>> 	...
>> 	}
>>
>> ldap ldap2 {
>> 	server = "w.x.y.z"
>> 	...
>> 	}
>>
>> -----/etc/raddb/radiusd.conf-----
>>
>>
>> authorize {
>> 	ldap1
>> 	ldap2
>> 	}
>>
>> authenticate {
>> 	ldap1
>> 	ldap2
>> 	}
>>
>> ------------------------------------
>>
>> When I execute /sbin/radiusd -X
>>
>> It shows instantiating module ldap1 and module ldap2
>>
>> ....
>>  Module: Instantiating ldap2
>>   ldap ldap1 {
>>         server = "a.b.c.d"
>>         port = 389
>> ....
>>  Module: Instantiating ldap2
>>   ldap ldap2 {
>>         server = "w.x.y.z"
>>         port = 389
>> ....
>>
>> When sending a radtest request using the following command (from the
>> same machine as one which is running the server)
>>
>> $ radtest user "secret" localhost 2 testing123
>>
>> I get an ACCESS-REJECT reply from the server.
>>
>> On the server the logs show something like this
>> ---------------------------------------------------
>> It shows binding to both LDAP servers one by one through something like
>> this :
>>
>> rlm_ldap: performing user authorization for catch
>> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
>> details
>>         expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
>>         expand: ou=People,dc=example,dc=example ->
>> ou=People,dc=example,dc=example
>> rlm_ldap: ldap_get_conn: Checking Id: 0
>> rlm_ldap: ldap_get_conn: Got Id: 0
>> rlm_ldap: attempting LDAP reconnection
>> rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0
>> rlm_ldap: bind as / to 30.0.0.2:389
>> rlm_ldap: waiting for bind result ...
>> rlm_ldap: Bind was successful
>> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
>> filter (uid=catch)
>> rlm_ldap: object not found or got ambiguous search result
>> rlm_ldap: search failed
>> rlm_ldap: ldap_release_conn: Release Id: 0
>> ++[ldap1] returns notfound
>> rlm_ldap: - authorize
>> rlm_ldap: performing user authorization for catch
>> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
>> details
>>         expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
>>         expand: ou=People,dc=example,dc=example ->
>> ou=People,dc=example,dc=example
>> rlm_ldap: ldap_get_conn: Checking Id: 0
>> rlm_ldap: ldap_get_conn: Got Id: 0
>> rlm_ldap: attempting LDAP reconnection
>> rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0
>> rlm_ldap: bind as / to 10.0.0.1:389
>> rlm_ldap: waiting for bind result ...
>> rlm_ldap: Bind was successful
>> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
>> filter (uid=catch)
>> rlm_ldap: object not found or got ambiguous search result
>> rlm_ldap: search failed
>> rlm_ldap: ldap_release_conn: Release Id: 0
>> ++[ldap2] returns notfound
>>
>> auth: No authenticate method (Auth-Type) configuration found for the
>> request: Rejecting the user
>> auth: Failed to validate the user.
>>
>> You can see it is attempting to search both databases but fails. If I
>> use a simple telnet or ssh to authenticate against the LDAP server it
>> logs in fine. LDAP client login against the LDAP server is otherwise
>> working fine. I know I have been bothering you with trivial questions. But
>> any help would be appreciated :-)
>>
>> Thanks in advance.
>> Sambuddho
>>
>>
>>
>> On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote:
>> > Sambuddho Chakravarty wrote:
>> > >  This is exactly what I did . I forgot to put the separate module names
>> >
>> >   The consistent problems you see make me think that the issue is more
>> > than "forgot".
>> >
>> > > And now when I try to start the server this is what the error I see :
>> > >
>> > >
>> > > server {
>> > >  modules {
>> > >  Module: Checking authenticate {...} for more modules to load
>> > > //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap':
>> >
>> >   So.... was that module built?  Apparently not...
>> >
>> > > When trying with a single server ,it matches the radius request against
>> > > rlm_pap and not rlm_ldap. I am confused.
>> >
>> >   Perhaps reading the debug output (and that of "configure" and "make")
>> > would help.
>> >
>> >   Alan DeKok.
>> > -
>> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
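As an added illustration of the password_header / password_attribute mechanism Ivan points at (example code, not FreeRADIUS's own): rlm_ldap hands the value of the attribute named by password_attribute (userPassword, assumed here) to the PAP step, which strips a {SCHEME} header and compares the cleartext User-Password against the stored hash. The script models that check for {SSHA}, {SHA}, {MD5} and cleartext values, plus the "notfound" outcome when the (uid=...) search under the basedn has no unique hit, as in the posted log; the directory entries are constructed.

```python
import base64
import hashlib
import hmac
import os

def make_ssha(password: str, salt=None) -> str:
    """Build an RFC 2307 style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def split_header(stored: str):
    """Split '{SCHEME}body' into (SCHEME, body); no braces means cleartext."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return "CLEAR", stored

def verify(stored: str, supplied: str) -> bool:
    """Check a cleartext User-Password against the stored, header-tagged value."""
    header, body = split_header(stored)
    pw = supplied.encode()
    if header in ("CLEAR", "CLEARTEXT"):
        return hmac.compare_digest(body.encode(), pw)
    raw = base64.b64decode(body)
    if header == "SHA":
        return hmac.compare_digest(raw, hashlib.sha1(pw).digest())
    if header == "MD5":
        return hmac.compare_digest(raw, hashlib.md5(pw).digest())
    if header == "SSHA":
        digest, salt = raw[:20], raw[20:]   # 20-byte SHA-1 digest, then the salt
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    raise ValueError(f"unsupported password header {{{header}}}")

# Constructed directory entries (what rlm_ldap would read under the basedn).
SAMPLE_ENTRIES = [
    {"uid": "alice", "userPassword": make_ssha("secret", b"\x01\x02\x03\x04")},
    {"uid": "bob", "userPassword": "{clear}hunter2"},
]

def authorize(entries, uid: str, supplied: str) -> str:
    """'notfound' if the (uid=...) search has no unique hit, else 'ok'/'reject'.

    A missing or ambiguous entry is what the posted log reports as
    'object not found or got ambiguous search result'."""
    matches = [e for e in entries if e.get("uid") == uid]
    if len(matches) != 1:
        return "notfound"
    return "ok" if verify(matches[0]["userPassword"], supplied) else "reject"
```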