freeradius with multiple ldap servers

Sambuddho Chakravarty sc2516 at columbia.edu
Thu Jul 3 18:50:25 CEST 2008


Hello Ivan
 But I don't have a field in the database by that name. The name of the
field is "userPassword". This is what the openLDAP migration scripts
generated. Please let me know what mistake I am making. Also, my
question on failover: is the failover used when the first LDAP server is
down / unresponsive to connection attempts, or when it is not able to
authenticate (for example, a bad username / password)?

Thanks
Sambuddho
On Thu, 2008-07-03 at 10:24 +0100, Ivan Kalik wrote:
> Password (radius) attribute should be Crypt-Password not User-Password.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> 
> On 3/7/2008, "Sambuddho Chakravarty" <sc2516 at columbia.edu> writes:
> 
> >Hello
> >
> >I set the password_header to = {crypt} and password_attribute to
> >"userPassword" (that's the name of the field in the database). Now this
> >is what the logs show:
> >
> >rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter
> >(uid=try)
> >rlm_ldap: Added User-Password = $1$n48a7wCp$RfvlOx1pZgiVNfmMmA2xS. in
> >check items
> >rlm_ldap: looking for check items in directory...
> >rlm_ldap: looking for reply items in directory...
> >rlm_ldap: user try authorized to use remote access
> >rlm_ldap: ldap_release_conn: Release Id: 0
> >+++[ldap1] returns ok
> >++- policy redundant returns ok
> >!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >!!!    Replacing User-Password in config items with
> >Cleartext-Password.     !!!
> >!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >!!! Please update your configuration so that the "known
> >good"               !!!
> >!!! clear text password is in Cleartext-Password, and not in
> >User-Password. !!!
> >!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >auth: type Local
> >auth: user supplied User-Password does NOT match local User-Password
> >auth: Failed to validate the user.
> >  Found Post-Auth-Type Reject
> >+- entering group REJECT
> >        expand: %{User-Name} -> try
> > attr_filter: Matched entry DEFAULT at line 11
> >
> >
> >
> >My guess is authorize{} worked but not authenticate{}. Also, I see
> >both modules ldap1 and ldap2 being loaded, but whenever I try to
> >authenticate with the username/password that is found in ldap2, the
> >radius server never attempts to connect to the other LDAP server.
> >Instead it searches for the entries in ldap1's server only.
> >
> >Any suggestions?
> >
> >Thanks
> >Sambuddho
> > 
> >
> >On Wed, 2008-07-02 at 23:45 +0100, Ivan Kalik wrote:
> >> http://wiki.freeradius.org/index.php/Rlm_ldap
> >> 
> >> See use of password_header and password_attribute.
> >> 
> >> Ivan Kalik
> >> Kalik Informatika ISP
> >> 
> >> 
> >> On 2/7/2008, "Sambuddho Chakravarty" <sc2516 at columbia.edu> writes:
> >> 
> >> >Hello
> >> > I think I know what the problem is. The radius server is looking up
> >> >using the cleartext password, while the LDAP database stores the hashed
> >> >passwords. How can I force the radius server to search for the password
> >> >as a hashed value (rather than searching for the clear-text value)?
> >> >
> >> >Thanks
> >> >Sambuddho
> >> >On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
> >> >> Hello Alan
> >> >>   I made sure this time that rlm_ldap was compiled. Now the following is
> >> >> the configuration
> >> >>
> >> >> ------/etc/raddb/modules/ldap-----------
> >> >>
> >> >> ldap ldap1 {
> >> >> 	server = "a.b.c.d"
> >> >> 	...
> >> >> 	}
> >> >>
> >> >> ldap ldap2 {
> >> >> 	server = "w.x.y.z"
> >> >> 	...
> >> >> 	}
> >> >>
> >> >> -----/etc/raddb/radiusd.conf-----
> >> >>
> >> >>
> >> >> authorize {
> >> >> 	ldap1
> >> >> 	ldap2
> >> >> }
> >> >>
> >> >> authenticate {
> >> >> 	ldap1
> >> >> 	ldap2
> >> >> }
> >> >>
> >> >> ------------------------------------
> >> >>
> >> >> When I execute /sbin/radiusd -X
> >> >>
> >> >> It shows instantiating module ldap1 and module ldap2
> >> >>
> >> >> ....
> >> >>  Module: Instantiating ldap2
> >> >>   ldap ldap1 {
> >> >>         server = "a.b.c.d"
> >> >>         port = 389
> >> >> ....
> >> >>  Module: Instantiating ldap2
> >> >>   ldap ldap2 {
> >> >>         server = "w.x.y.z"
> >> >>         port = 389
> >> >> ....
> >> >>
> >> >> When sending a radtest request using the following command (from the
> >> >> same machine as one which is running the server)
> >> >>
> >> >> $ radtest user "secret" localhost 2 testing123
> >> >>
> >> >> I get an ACCESS-REJECT reply from the server.
> >> >>
> >> >> On the server the logs show something like this
> >> >> ---------------------------------------------------
> >> >> It shows binding to both LDAP servers one by one through something like
> >> >> this:
> >> >>
> >> >> rlm_ldap: performing user authorization for catch
> >> >> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
> >> >> details
> >> >>         expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
> >> >>         expand: ou=People,dc=example,dc=example ->
> >> >> ou=People,dc=example,dc=example
> >> >> rlm_ldap: ldap_get_conn: Checking Id: 0
> >> >> rlm_ldap: ldap_get_conn: Got Id: 0
> >> >> rlm_ldap: attempting LDAP reconnection
> >> >> rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0
> >> >> rlm_ldap: bind as / to 30.0.0.2:389
> >> >> rlm_ldap: waiting for bind result ...
> >> >> rlm_ldap: Bind was successful
> >> >> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
> >> >> filter (uid=catch)
> >> >> rlm_ldap: object not found or got ambiguous search result
> >> >> rlm_ldap: search failed
> >> >> rlm_ldap: ldap_release_conn: Release Id: 0
> >> >> ++[ldap1] returns notfound
> >> >> rlm_ldap: - authorize
> >> >> rlm_ldap: performing user authorization for catch
> >> >> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
> >> >> details
> >> >>         expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
> >> >>         expand: ou=People,dc=example,dc=example ->
> >> >> ou=People,dc=example,dc=example
> >> >> rlm_ldap: ldap_get_conn: Checking Id: 0
> >> >> rlm_ldap: ldap_get_conn: Got Id: 0
> >> >> rlm_ldap: attempting LDAP reconnection
> >> >> rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0
> >> >> rlm_ldap: bind as / to 10.0.0.1:389
> >> >> rlm_ldap: waiting for bind result ...
> >> >> rlm_ldap: Bind was successful
> >> >> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
> >> >> filter (uid=catch)
> >> >> rlm_ldap: object not found or got ambiguous search result
> >> >> rlm_ldap: search failed
> >> >> rlm_ldap: ldap_release_conn: Release Id: 0
> >> >> ++[ldap2] returns notfound
> >> >>
> >> >> auth: No authenticate method (Auth-Type) configuration found for the
> >> >> request: Rejecting the user
> >> >> auth: Failed to validate the user.
> >> >>
> >> >> You can see it is attempting to search both databases but fails. If I
> >> >> use a simple telnet or ssh to authenticate against the LDAP server it
> >> >> logs in fine. LDAP client login against the LDAP server is otherwise
> >> >> working fine. I know I have been bothering you with trivial questions. But
> >> >> any help would be appreciated :-)
> >> >>
> >> >> Thanks in advance.
> >> >> Sambuddho
> >> >>
> >> >>
> >> >>
> >> >> On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote:
> >> >> > Sambuddho Chakravarty wrote:
> >> >> > >  This is exactly what I did. I forgot to put the separate module names
> >> >> >
> >> >> >   The consistent problems you see make me think that the issue is more
> >> >> > than "forgot".
> >> >> >
> >> >> > > And now when I try to start the server this is the error I see:
> >> >> > >
> >> >> > >
> >> >> > > server {
> >> >> > >  modules {
> >> >> > >  Module: Checking authenticate {...} for more modules to load
> >> >> > > //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap':
> >> >> >
> >> >> >   So.... was that module built?  Apparently not...
> >> >> >
> >> >> > > When trying with a single server, it matches the radius request against
> >> >> > > rlm_pap and not rlm_ldap. I am confused.
> >> >> >
> >> >> >   Perhaps reading the debug output (and that of "configure" and "make")
> >> >> > would help.
> >> >> >
> >> >> >   Alan DeKok.
> >> >> > -
> >> >> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >> >>
> >> >
> >> >
> >> >
> >> 
> >
> 
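Why Ivan's Crypt-Password advice matters, as an added example that is not part of this thread: the two check functions below contrast what the log above shows (the {crypt} hash sitting in User-Password and being compared literally against the typed password, which can never match) with what a Crypt-Password check item does (re-hash the supplied password with the stored salt and compare). The MD5-crypt routine stands in for the system crypt(3) that rlm_pap would call; the password "s3cret" and the salt are constructed here, not taken from the thread.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5_crypt(password: bytes, salt: str) -> str:
    """MD5-crypt ($1$): the crypt(3) scheme behind a {crypt}$1$... userPassword."""
    salt = salt[:8].encode()                      # crypt(3) uses at most 8 salt chars
    ctx = hashlib.md5(password + b"$1$" + salt)
    alt = hashlib.md5(password + salt + password).digest()
    for n in range(len(password), 0, -16):       # one byte of alt per password byte
        ctx.update(alt[:min(16, n)])
    n = len(password)
    while n:                                      # the scheme's odd length-bits step
        ctx.update(b"\0" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                         # fixed-cost stretching rounds
        ctx1 = hashlib.md5(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()

    def to64(v, n):                               # crypt's own base64 alphabet/order
        return "".join(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(n))
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in groups) + to64(final[11], 2)
    return f"$1${salt.decode()}${out}"

def check_crypt_password(stored: str, supplied: str) -> bool:
    """Crypt-Password semantics: drop the {crypt} header, re-hash with the stored salt."""
    if stored.lower().startswith("{crypt}"):      # what password_header strips
        stored = stored[len("{crypt}"):]
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "1":       # only the $1$ scheme is implemented here
        return False
    return hmac.compare_digest(md5_crypt(supplied.encode(), parts[2]), stored)

def check_as_user_password(stored: str, supplied: str) -> bool:
    """User-Password semantics: the hash is compared literally, so it never matches."""
    return hmac.compare_digest(stored.encode(), supplied.encode())

# Constructed sample: the value OpenLDAP would hold for password "s3cret".
STORED = "{crypt}" + md5_crypt(b"s3cret", "ab12CD34")
```

check_crypt_password(STORED, "s3cret") is True while check_as_user_password(STORED, "s3cret") is False, which is exactly the "does NOT match local User-Password" rejection in the debug output.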



