freeradius with multiple ldap servers

Ivan Kalik tnt at kalik.net
Thu Jul 3 11:24:45 CEST 2008


Password (radius) attribute should be Crypt-Password not User-Password.

Ivan Kalik
Kalik Informatika ISP


On 3/7/2008, "Sambuddho Chakravarty" <sc2516 at columbia.edu> writes:

>Hello
>
>I set the password_header to = {crypt} and password_attribute to
>"userPassword" (That's the name of the field in the database). Now this
>is what the logs show,
>
>rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter
>(uid=try)
>rlm_ldap: Added User-Password = $1$n48a7wCp$RfvlOx1pZgiVNfmMmA2xS. in
>check items
>rlm_ldap: looking for check items in directory...
>rlm_ldap: looking for reply items in directory...
>rlm_ldap: user try authorized to use remote access
>rlm_ldap: ldap_release_conn: Release Id: 0
>+++[ldap1] returns ok
>++- policy redundant returns ok
>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>!!!    Replacing User-Password in config items with
>Cleartext-Password.     !!!
>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>!!! Please update your configuration so that the "known
>good"               !!!
>!!! clear text password is in Cleartext-Password, and not in
>User-Password. !!!
>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>auth: type Local
>auth: user supplied User-Password does NOT match local User-Password
>auth: Failed to validate the user.
>  Found Post-Auth-Type Reject
>+- entering group REJECT
>        expand: %{User-Name} -> try
> attr_filter: Matched entry DEFAULT at line 11
>
>
>
>My guess is authorize{} worked but not authenticate {}. Also, I see
>both modules ldap1 and ldap2 being loaded but whenever I try to
>authenticate with the username/password that is found in ldap2, the
>radius server never attempts to connect to the other LDAP server.
>Instead it searches for the entries in "ldap1"'s server only.
>
>Any suggestions?
>
>Thanks
>Sambuddho
> 
>
>On Wed, 2008-07-02 at 23:45 +0100, Ivan Kalik wrote:
>> http://wiki.freeradius.org/index.php/Rlm_ldap
>> 
>> See use of password_header and password_attribute.
>> 
>> Ivan Kalik
>> Kalik Informatika ISP
>> 
>> 
>> On 2/7/2008, "Sambuddho Chakravarty" <sc2516 at columbia.edu> writes:
>> 
>> >Hello
>> > I think I know what the problem is. The radius server is looking up
>> >using the cleartext password, while the LDAP database stores the hashed
>> >passwords. How can I force the radius server to search for the password
>> >as a hashed value (rather than searching for the clear-text value)?
>> >
>> >Thanks
>> >Sambuddho
>> >On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
>> >> Hello Alan
>> >>   I made sure this time that rlm_ldap was compiled. Now the following is
>> >> the configuration
>> >>
>> >> ------/etc/raddb/modules/ldap-----------
>> >>
>> >> ldap ldap1 {
>> >> 	server = "a.b.c.d"
>> >> 	...
>> >> 	}
>> >>
>> >> ldap ldap2 {
>> >> 	server = "w.x.y.z"
>> >> 	...
>> >> 	}
>> >>
>> >> -----/etc/raddb/radiusd.conf-----
>> >>
>> >>
>> >> authorize {
>> >>        ldap1
>> >>
>> >>          ldap2
>> >>
>> >>         }
>> >>
>> >>    authenticate {
>> >>         ldap1
>> >>         ldap2
>> >>         }
>> >>
>> >> ------------------------------------
>> >>
>> >> When I execute /sbin/radiusd -X
>> >>
>> >> It shows instantiating module ldap1 and module ldap2
>> >>
>> >> ....
>> >>  Module: Instantiating ldap2
>> >>   ldap ldap1 {
>> >>         server = "a.b.c.d"
>> >>         port = 389
>> >> ....
>> >>  Module: Instantiating ldap2
>> >>   ldap ldap2 {
>> >>         server = "w.x.y.z"
>> >>         port = 389
>> >> ....
>> >>
>> >> When sending a radtest request using the following command (from the
>> >> same machine as one which is running the server)
>> >>
>> >> $ radtest user "secret" localhost 2 testing123
>> >>
>> >> I get an ACCESS-REJECT reply from the server.
>> >>
>> >> On the server the logs show something like this
>> >> ---------------------------------------------------
>> >> It shows binding to both LDAP servers one by one through something like
>> >> this :
>> >>
>> >> rlm_ldap: performing user authorization for catch
>> >> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
>> >> details
>> >>         expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
>> >>         expand: ou=People,dc=example,dc=example ->
>> >> ou=People,dc=example,dc=example
>> >> rlm_ldap: ldap_get_conn: Checking Id: 0
>> >> rlm_ldap: ldap_get_conn: Got Id: 0
>> >> rlm_ldap: attempting LDAP reconnection
>> >> rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0
>> >> rlm_ldap: bind as / to 30.0.0.2:389
>> >> rlm_ldap: waiting for bind result ...
>> >> rlm_ldap: Bind was successful
>> >> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
>> >> filter (uid=catch)
>> >> rlm_ldap: object not found or got ambiguous search result
>> >> rlm_ldap: search failed
>> >> rlm_ldap: ldap_release_conn: Release Id: 0
>> >> ++[ldap1] returns notfound
>> >> rlm_ldap: - authorize
>> >> rlm_ldap: performing user authorization for catch
>> >> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
>> >> details
>> >>         expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
>> >>         expand: ou=People,dc=example,dc=example ->
>> >> ou=People,dc=example,dc=example
>> >> rlm_ldap: ldap_get_conn: Checking Id: 0
>> >> rlm_ldap: ldap_get_conn: Got Id: 0
>> >> rlm_ldap: attempting LDAP reconnection
>> >> rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0
>> >> rlm_ldap: bind as / to 10.0.0.1:389
>> >> rlm_ldap: waiting for bind result ...
>> >> rlm_ldap: Bind was successful
>> >> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
>> >> filter (uid=catch)
>> >> rlm_ldap: object not found or got ambiguous search result
>> >> rlm_ldap: search failed
>> >> rlm_ldap: ldap_release_conn: Release Id: 0
>> >> ++[ldap2] returns notfound
>> >>
>> >> auth: No authenticate method (Auth-Type) configuration found for the
>> >> request: Rejecting the user
>> >> auth: Failed to validate the user.
>> >>
>> >> You can see it is attempting to search both databases but fails. If I
>> >> use a simple telnet or ssh to authenticate against the LDAP server it
>> >> logs in fine. LDAP client login against the LDAP server is otherwise
>> >> working fine. I know I have been bothering you with trivial questions. But
>> >> any help would be appreciated :-)
>> >>
>> >> Thanks in advance.
>> >> Sambuddho
>> >>
>> >>
>> >>
>> >> On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote:
>> >> > Sambuddho Chakravarty wrote:
>> >> > >  This is exactly what I did. I forgot to put the separate module names
>> >> >
>> >> >   The consistent problems you see make me think that the issue is more
>> >> > than "forgot".
>> >> >
>> >> > > And now when I try to start the server this is what the error I see :
>> >> > >
>> >> > >
>> >> > > server {
>> >> > >  modules {
>> >> > >  Module: Checking authenticate {...} for more modules to load
>> >> > > //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap':
>> >> >
>> >> >   So.... was that module built?  Apparently not...
>> >> >
>> >> > > When trying with a single server, it matches the radius request against
>> >> > > rlm_pap and not rlm_ldap. I am confused.
>> >> >
>> >> >   Perhaps reading the debug output (and that of "configure" and "make")
>> >> > would help.
>> >> >
>> >> >   Alan DeKok.
>> >> > -
>> >> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>> >>
>> >
>> >
>> >
>> 
>
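An added illustration (not code from the thread or from FreeRADIUS) of the point Ivan makes: the hashed value pulled out of userPassword must land in the matching control attribute (Crypt-Password for a {crypt} value) so the PAP check compares hashes, not a hash against clear text. The scheme table, `map_user_password`, `pap_check` and `make_ssha` are hypothetical stand-ins for the ldap.attrmap / rlm_pap logic, and the example goes beyond the thread's {crypt} case to the other common userPassword headers; the SSHA sample value is constructed inline.

```python
import base64
import hashlib

# LDAP userPassword scheme headers and the FreeRADIUS "known good" control
# attribute that carries that kind of value (hypothetical table standing in
# for the ldap.attrmap / rlm_pap logic; the attribute names are real).
SCHEME_TO_ATTR = {
    "{clear}": "Cleartext-Password",
    "{crypt}": "Crypt-Password",   # crypt(3) string such as $1$salt$hash
    "{md5}": "MD5-Password",
    "{sha}": "SHA-Password",
    "{ssha}": "SSHA-Password",
}


def map_user_password(value: str) -> tuple[str, str]:
    """Split a directory value into (control attribute, payload).

    A value without a recognised {scheme} header is treated as clear text.
    That is what happened in the thread: a {crypt} hash stored under
    User-Password was turned into Cleartext-Password and compared literally.
    """
    if value.startswith("{"):
        header, _, payload = value.partition("}")
        attr = SCHEME_TO_ATTR.get((header + "}").lower())
        if attr:
            return attr, payload
    return "Cleartext-Password", value


def pap_check(attr: str, known_good: str, supplied: str) -> bool:
    """Compare the user-supplied PAP password with the known-good value."""
    data = supplied.encode()
    if attr == "Cleartext-Password":
        return known_good == supplied
    if attr == "MD5-Password":
        return base64.b64decode(known_good) == hashlib.md5(data).digest()
    if attr == "SHA-Password":
        return base64.b64decode(known_good) == hashlib.sha1(data).digest()
    if attr == "SSHA-Password":
        raw = base64.b64decode(known_good)   # 20-byte SHA-1 digest, then salt
        return hashlib.sha1(data + raw[20:]).digest() == raw[:20]
    # Crypt-Password needs the system crypt(3); not implemented in this sample.
    raise NotImplementedError(f"no checker for {attr}")


def make_ssha(password: str, salt: bytes = b"\x01\x02\x03\x04") -> str:
    """Constructed sample value in LDAP {SSHA} form for a test account."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()
```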