Freeradius-Users Digest, Vol 39, Issue 18 topic 5: freeradius with multiple ldap servers
Andy An
andyan at eciad.ca
Thu Jul 3 21:35:54 CEST 2008
Hi Sambuddho:
I met a similar problem a few weeks ago.
You need to set the LDAP identity/password for your FreeRADIUS server in modules/ldap:
e.g. mine is like:
server = "ldap.xxx.ca"
identity = "cn=radius,ou=Applications,dc=xxx,dc=ca"
password = "password"
basedn = "ou=People,dc=xxx,dc=ca"
The default setting is a "read-only" anonymous search (i.e. without an
identity/password setting), and it will fail because the LDAP server does not
allow anonymous searches to read other users' passwords.
Hope this is helpful.
Andy
freeradius-users-request at lists.freeradius.org wrote:
>
> Today's Topics:
>
> 1. Re: freeradius-proxy + PAP works, PEAP and the rest doesn't
> (uni at christiankraus.de)
> 2. Re: freeradius-proxy + PAP works, PEAP and the rest doesn't
> (Alan DeKok)
> 3. Re: freeradius-proxy + PAP works, PEAP and the rest doesn't
> (Ivan Kalik)
> 4. Re: sqlippool (Ivan Kalik)
> 5. Re: freeradius with multiple ldap servers (Sambuddho Chakravarty)
> 6. Re: freeradius-proxy + PAP works, PEAP and the rest doesn't
> (A.L.M.Buxey at lboro.ac.uk)
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 03 Jul 2008 12:50:25 -0400
> From: Sambuddho Chakravarty <sc2516 at columbia.edu>
> Subject: Re: freeradius with multiple ldap servers
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <1215103825.8819.81.camel at insomniac>
> Content-Type: text/plain; charset=utf-8
>
> Hello Ivan
> But I don't have a field in the database by that name. The name of the
> field is "userPassword". This is what the OpenLDAP migration scripts
> generated. Please let me know what mistake I am making. Also, my
> question on failover: is the failover used when the first LDAP server is
> down / unresponsive to connection attempts, or when it is not able to
> authenticate (for example, bad username / password)?
>
> Thanks
> Sambuddho
> On Thu, 2008-07-03 at 10:24 +0100, Ivan Kalik wrote:
>
>> Password (radius) attribute should be Crypt-Password not User-Password.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>>
>> On 3/7/2008, "Sambuddho Chakravarty" <sc2516 at columbia.edu> wrote:
>>
>>
>>> Hello
>>>
>>> I set password_header to "{crypt}" and password_attribute to
>>> "userPassword" (that's the name of the field in the database). Now this
>>> is what the logs show:
>>>
>>> rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter
>>> (uid=try)
>>> rlm_ldap: Added User-Password = $1$n48a7wCp$RfvlOx1pZgiVNfmMmA2xS. in
>>> check items
>>> rlm_ldap: looking for check items in directory...
>>> rlm_ldap: looking for reply items in directory...
>>> rlm_ldap: user try authorized to use remote access
>>> rlm_ldap: ldap_release_conn: Release Id: 0
>>> +++[ldap1] returns ok
>>> ++- policy redundant returns ok
>>> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>>> !!! Replacing User-Password in config items with
>>> Cleartext-Password. !!!
>>> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>>> !!! Please update your configuration so that the "known
>>> good" !!!
>>> !!! clear text password is in Cleartext-Password, and not in
>>> User-Password. !!!
>>> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>>> auth: type Local
>>> auth: user supplied User-Password does NOT match local User-Password
>>> auth: Failed to validate the user.
>>> Found Post-Auth-Type Reject
>>> +- entering group REJECT
>>> expand: %{User-Name} -> try
>>> attr_filter: Matched entry DEFAULT at line 11
>>>
>>>
>>>
>>> My guess is authorize {} worked but not authenticate {}. Also, I see
>>> both modules ldap1 and ldap2 being loaded, but whenever I try to
>>> authenticate with a username/password that is found in ldap2, the
>>> RADIUS server never attempts to connect to the other LDAP server.
>>> Instead it searches for the entries on ldap1's server only.
>>>
>>> Any suggestions ?
>>>
>>> Thanks
>>> Sambuddho
>>>
>>>
>>> On Wed, 2008-07-02 at 23:45 +0100, Ivan Kalik wrote:
>>>
>>>> http://wiki.freeradius.org/index.php/Rlm_ldap
>>>>
>>>> See use of password_header and password_attribute.
>>>>
>>>> Ivan Kalik
>>>> Kalik Informatika ISP
>>>>
>>>>
>>>> On 2/7/2008, "Sambuddho Chakravarty" <sc2516 at columbia.edu> wrote:
>>>>
>>>>
>>>>> Hello
>>>>> I think I know what the problem is. The RADIUS server is looking up
>>>>> using the cleartext password, while the LDAP database stores the hashed
>>>>> passwords. How can I force the RADIUS server to search for the password
>>>>> as a hashed value (rather than searching for the clear-text value)?
>>>>>
>>>>> Thanks
>>>>> Sambuddho
>>>>> On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
>>>>>
>>>>>> Hello Alan
>>>>>> I made sure this time that rlm_ldap was compiled. Now the following is
>>>>>> the configuration
>>>>>>
>>>>>> ------/etc/raddb/modules/ldap-----------
>>>>>>
>>>>>> ldap ldap1 {
>>>>>> server = "a.b.c.d"
>>>>>> ...
>>>>>> }
>>>>>>
>>>>>> ldap ldap2 {
>>>>>> server = "w.x.y.z"
>>>>>> ...
>>>>>> }
>>>>>>
>>>>>> -----/etc/raddb/radiusd.conf-----
>>>>>>
>>>>>>
>>>>>> authorize {
>>>>>> ldap1
>>>>>>
>>>>>> ldap2
>>>>>>
>>>>>> }
>>>>>>
>>>>>> authenticate {
>>>>>> ldap1
>>>>>> ldap2
>>>>>> }
>>>>>>
>>>>>> ------------------------------------
>>>>>>
>>>>>> When I execute /sbin/radiusd -X
>>>>>>
>>>>>> It shows instantiating module ldap1 and module ldap2
>>>>>>
>>>>>> ....
>>>>>> Module: Instantiating ldap2
>>>>>> ldap ldap1 {
>>>>>> server = "a.b.c.d"
>>>>>> port = 389
>>>>>> ....
>>>>>> Module: Instantiating ldap2
>>>>>> ldap ldap2 {
>>>>>> server = "w.x.y.z"
>>>>>> port = 389
>>>>>> ....
>>>>>>
>>>>>> When sending a radtest request using the following command (from the
>>>>>> same machine as the one running the server):
>>>>>>
>>>>>> $ radtest user "secret" localhost 2 testing123
>>>>>>
>>>>>> I get an Access-Reject reply from the server.
>>>>>>
>>>>>> On the server the logs show something like this
>>>>>> ---------------------------------------------------
>>>>>> It shows binding to both LDAP servers one by one through something like
>>>>>> this:
>>>>>>
>>>>>> rlm_ldap: performing user authorization for catch
>>>>>> WARNING: Deprecated conditional expansion ":-". See "man unlang" for
>>>>>> details
>>>>>> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
>>>>>> expand: ou=People,dc=example,dc=example ->
>>>>>> ou=People,dc=example,dc=example
>>>>>> rlm_ldap: ldap_get_conn: Checking Id: 0
>>>>>> rlm_ldap: ldap_get_conn: Got Id: 0
>>>>>> rlm_ldap: attempting LDAP reconnection
>>>>>> rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0
>>>>>> rlm_ldap: bind as / to 30.0.0.2:389
>>>>>> rlm_ldap: waiting for bind result ...
>>>>>> rlm_ldap: Bind was successful
>>>>>> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
>>>>>> filter (uid=catch)
>>>>>> rlm_ldap: object not found or got ambiguous search result
>>>>>> rlm_ldap: search failed
>>>>>> rlm_ldap: ldap_release_conn: Release Id: 0
>>>>>> ++[ldap1] returns notfound
>>>>>> rlm_ldap: - authorize
>>>>>> rlm_ldap: performing user authorization for catch
>>>>>> WARNING: Deprecated conditional expansion ":-". See "man unlang" for
>>>>>> details
>>>>>> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
>>>>>> expand: ou=People,dc=example,dc=example ->
>>>>>> ou=People,dc=example,dc=example
>>>>>> rlm_ldap: ldap_get_conn: Checking Id: 0
>>>>>> rlm_ldap: ldap_get_conn: Got Id: 0
>>>>>> rlm_ldap: attempting LDAP reconnection
>>>>>> rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0
>>>>>> rlm_ldap: bind as / to 10.0.0.1:389
>>>>>> rlm_ldap: waiting for bind result ...
>>>>>> rlm_ldap: Bind was successful
>>>>>> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
>>>>>> filter (uid=catch)
>>>>>> rlm_ldap: object not found or got ambiguous search result
>>>>>> rlm_ldap: search failed
>>>>>> rlm_ldap: ldap_release_conn: Release Id: 0
>>>>>> ++[ldap2] returns notfound
>>>>>>
>>>>>> auth: No authenticate method (Auth-Type) configuration found for the
>>>>>> request: Rejecting the user
>>>>>> auth: Failed to validate the user.
>>>>>>
>>>>>> You can see it is attempting to search both databases but fails. If I
>>>>>> use a simple telnet or ssh to authenticate against the LDAP server it
>>>>>> logs in fine. LDAP client login against the LDAP server is otherwise
>>>>>> working fine. I know I have been bothering you with trivial questions, but
>>>>>> any help would be appreciated :-)
>>>>>>
>>>>>> Thanks in advance.
>>>>>> Sambuddho
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote:
>>>>>>
>>>>>>> Sambuddho Chakravarty wrote:
>>>>>>>
>>>>>>>> This is exactly what I did. I forgot to put the separate module names
>>>>>>>>
>>>>>>> The consistent problems you see make me think that the issue is more
>>>>>>> than "forgot".
>>>>>>>
>>>>>>>
>>>>>>>> And now when I try to start the server, this is the error I see:
>>>>>>>>
>>>>>>>>
>>>>>>>> server {
>>>>>>>> modules {
>>>>>>>> Module: Checking authenticate {...} for more modules to load
>>>>>>>> //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap':
>>>>>>>>
>>>>>>> So.... was that module built? Apparently not...
>>>>>>>
>>>>>>>
>>>>>>>> When trying with a single server, it matches the RADIUS request against
>>>>>>>> rlm_pap and not rlm_ldap. I am confused.
>>>>>>>>
>>>>>>> Perhaps reading the debug output (and that of "configure" and "make")
>>>>>>> would help.
>>>>>>>
>>>>>>> Alan DeKok.
>>>>>>> -
>>>>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> ------------------------------
>
> Message: 6
> Date: Thu, 3 Jul 2008 18:00:35 +0100
> From: A.L.M.Buxey at lboro.ac.uk
> Subject: Re: freeradius-proxy + PAP works, PEAP and the rest doesn't
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <20080703170035.GA14834 at lboro.ac.uk>
> Content-Type: text/plain; charset=us-ascii
>
> hi,
>
> if you really are using freeradius as a proxy, as you stated,
> then you don't need certificates...as the system will JUST
> proxy. if you mean you want to terminate EAP on your
> freeradius, then please don't call it a proxy. get the
> terminology correct.
>
> what did you do wrong?
>
> well, since 1.1.7 and 2.0.5 need completely different configs,
> i doubt you could make the same mistake twice...you CAN'T use a 1.1.7
> config on a 2.0.5 box.
>
> from what i can see, the daemon is clearly telling you something
> is wrong with your DH stuff. read eap.conf properly. get rid
> of that error. that's your primary task.
>
> alan
>
>
> ------------------------------
>
>
> End of Freeradius-Users Digest, Vol 39, Issue 18
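An added example to go with the password-hash part of this thread; it is not code from the thread or from FreeRADIUS (whose rlm_pap is written in C). The debug output above shows rlm_ldap adding the directory's {crypt} value "$1$n48a7wCp$..." as User-Password, after which the server compared the cleartext PAP password against that hash string and rejected the user; Ivan's point is that a hash belongs in Crypt-Password, where the PAP module verifies it by recomputing the hash. The script below re-implements MD5-crypt ($1$, the scheme behind the "$1$" value in the log) in pure Python from the FreeBSD crypt(3) algorithm, splits an OpenLDAP userPassword value on its {scheme} header, names the FreeRADIUS check attribute that scheme maps to, and verifies a PAP password against {crypt} $1$, {SSHA} and cleartext values. The password "secret" (taken from the radtest line in the thread), the reuse of the salt "n48a7wCp" and the SSHA salt are constructed for the demo; the real password behind the hash in the log is unknown.

```python
# Added example, not code from this thread or from FreeRADIUS: verify OpenLDAP
# userPassword values by recomputing the hash, the way a PAP module must.
import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# FreeRADIUS check attribute each userPassword scheme belongs in (rlm_pap names).
CHECK_ITEM = {"crypt": "Crypt-Password", "ssha": "SSHA-Password",
              "sha": "SHA-Password", "md5": "MD5-Password",
              "cleartext": "Cleartext-Password"}

def _to64(value, count):
    """crypt(3)-style base64: least significant 6 bits come out first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))

def md5_crypt(password, salt):
    """MD5-crypt ($1$) as in FreeBSD's crypt(3). 'salt' may be a bare salt or a
    full "$1$salt$hash" string; at most 8 salt characters are used."""
    pw = password.encode()
    if salt.startswith("$1$"):
        salt = salt[3:]
    salt = salt.split("$", 1)[0][:8]
    sb = salt.encode()
    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:            # as many bytes of alt as the password is long
        ctx.update(alt[:min(remaining, 16)])
        remaining -= 16
    bit = len(pw)
    while bit:                      # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):           # fixed 1000-round stretching
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final                       # crypt(3)'s byte-shuffled output encoding
    out = _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
    out += _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
    out += _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
    out += _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
    out += _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
    out += _to64(f[11], 2)
    return "$1$" + salt + "$" + out

def ssha_hash(password, salt):
    """OpenLDAP {SSHA}: base64(sha1(password + salt) + salt); salt is bytes."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def split_header(value):
    """Split a userPassword value into (scheme, payload); no header means cleartext."""
    if value.startswith("{") and "}" in value:
        end = value.index("}")
        return value[1:end].lower(), value[end + 1:]
    return "cleartext", value

def radius_check_item(value):
    """(attribute name, payload) that the LDAP lookup should hand to PAP."""
    scheme, payload = split_header(value)
    return CHECK_ITEM[scheme], payload   # KeyError for schemes not listed above

def verify(user_password, stored):
    """Check a PAP cleartext password against one userPassword value."""
    scheme, payload = split_header(stored)
    if scheme == "crypt":
        if not payload.startswith("$1$"):
            raise ValueError("only $1$ MD5-crypt is implemented in this example")
        return hmac.compare_digest(md5_crypt(user_password, payload), payload)
    if scheme == "ssha":
        raw = base64.b64decode(payload)
        digest, salt = raw[:20], raw[20:]
        calc = hashlib.sha1(user_password.encode() + salt).digest()
        return hmac.compare_digest(calc, digest)
    if scheme == "cleartext":
        return hmac.compare_digest(user_password.encode(), payload.encode())
    raise ValueError("unsupported userPassword scheme: " + scheme)

def naive_compare(user_password, stored):
    """What the failing setup in the thread effectively did: the hash string sat in
    User-Password, so the cleartext password was compared with it verbatim."""
    return user_password == stored

if __name__ == "__main__":
    # Constructed sample: password "secret" with the salt seen in the thread's log.
    stored = "{crypt}" + md5_crypt("secret", "n48a7wCp")
    print(stored, radius_check_item(stored)[0])
    print("pap verify:", verify("secret", stored), "string compare:", naive_compare("secret", stored))
```

naive_compare is false for every password, which is what "user supplied User-Password does NOT match local User-Password" reports when a hash has been loaded as the "known good" password. Only $1$ is implemented here; {crypt} values produced with DES, $5$ or $6$ need the platform's crypt(3), which is what rlm_pap calls for Crypt-Password.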