Freeradius-Users Digest, Vol 39, Issue 18 topic 5: freeradius with multiple ldap servers
Sambuddho Chakravarty
sc2516 at columbia.edu
Thu Jul 3 22:49:50 CEST 2008
Hello
Some progress.
Added to ldap.attrmap
---------------------------
checkItem Crypt-Password userPassword
Added to modules/ldap
ldap ldap1{
....
identity = (root DN)
password = (password for the root DN)
password_header="{crypt}"
password_attribute=Crypt-Password
...
}
ldap ldap2{
....
identity = (root DN)
password = (password for the root DN)
password_header="{crypt}"
password_attribute=Crypt-Password
...
}
The radiusd attempts to connect to the correct LDAP server. However ,
the attempt fails with error in binding due to invalid credentials
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
The username and password supplied are nevertheless correct. Any hints
would be gratefully appreciated
Thanks
Sambuddho
On Thu, 2008-07-03 at 15:54 -0400, Sambuddho Chakravarty wrote:
> Hi Andy
> Thanks a lot. The problem is that I have a file named ldap
> inside /etc/raddb/modules directory and it has two ldap modules , ldap1
> and ldap2.
>
> ldap ldap1 {
> server = ....
> identity = .... (set the appropriate CN)
> password = password for the above CN
> basedn = "ou=People,dc=example,dc=com"
> ...
> }
>
>
> ldap ldap1 {
> server = ....
> identity = .... (set the appropriate CN)
> password = password for the above CN
> basedn = "ou=People,dc=example,dc=com"
> ...
> }
>
>
> The first server has a user named 'try' and the second one has one named
> 'catch'.
>
> When I try to perform authentication using radtest tool with the
> username and password (say for try ) , it searches it in the LDAP server
> which doesn't have it and doesn't search the one which actually has the
> username. When I try with username 'catch' , it finds the username and
> the password but then it goes into
>
> auth: type Local
>
> and fails.
> WARNING: Deprecated conditional expansion ":-". See "man unlang" for
> details
> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
> expand: ou=People,dc=example,dc=com ->
> ou=People,dc=example,dc=com
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter
> (uid=catch)
> rlm_ldap: Added User-Password = $1$FYblmPWy$fmgebhCOLpHvhdECNP4EG0 in
> check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user catch authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap2] returns ok
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!! Replacing User-Password in config items with
> Cleartext-Password. !!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!! Please update your configuration so that the "known
> good" !!!
> !!! clear text password is in Cleartext-Password, and not in
> User-Password. !!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> auth: type Local
> auth: user supplied User-Password does NOT match local User-Password
> auth: Failed to validate the user.
> Found Post-Auth-Type Reject
> +- entering group REJECT
> expand: %{User-Name} -> catch
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Sending Access-Reject of id 48 to 127.0.0.1 port 1025
> Finished request 2.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 2 ID 48 with timestamp +39
> Ready to process requests.
>
> I know its trivial but I am now struggling with this for a long time.
> (Freeradius version : 2.05)
>
> Thanks
> Sambuddho
>
>
>
>
> On Thu, 2008-07-03 at 12:35 -0700, Andy An wrote:
> > Hi Sambuddho:
> >
> > I met similar problem a few weeks ago.
> > You need to set the ldap identity/password for your freeRadius server at modules/ldap:
> > e.g. mine is like:
> >
> > server = "ldap.xxx.ca"
> > identity = "cn=radius,ou=Applications,dc=xxx,dc=ca"
> > password = "password"
> > basedn = "ou=People,dc=xxx,dc=ca"
> >
> > The default setting is "read-only" anonymous search(i.e. without
> > identity/password setting) and it will fail because ldap server does not
> > allow anonymous search for other user's password.
> > Hope this is helpful.
> >
> > Andy
> >
> >
> > freeradius-users-request at lists.freeradius.org wrote:
> > > Send Freeradius-Users mailing list submissions to
> > > freeradius-users at lists.freeradius.org
> > >
> > > To subscribe or unsubscribe via the World Wide Web, visit
> > > http://lists.freeradius.org/mailman/listinfo/freeradius-users
> > > or, via email, send a message with subject or body 'help' to
> > > freeradius-users-request at lists.freeradius.org
> > >
> > > You can reach the person managing the list at
> > > freeradius-users-owner at lists.freeradius.org
> > >
> > > When replying, please edit your Subject line so it is more specific
> > > than "Re: Contents of Freeradius-Users digest..."
> > >
> > >
> > > Today's Topics:
> > >
> > > 1. Re: =?UTF-8?Q?freeradius-proxy_+_PAP_works,
> > > _PEAP_and_the_rest_doesn=C2=B4t?= (uni at christiankraus.de)
> > > 2. Re: freeradius-proxy + PAP works, PEAP and the rest doesn?t
> > > (Alan DeKok)
> > > 3. Re: freeradius-proxy + PAP works, PEAP and the rest doesn?t
> > > (Ivan Kalik)
> > > 4. Re: sqlippool (Ivan Kalik)
> > > 5. Re: freeradius with multiple ldap servers (Sambuddho Chakravarty)
> > > 6.
> > > Re:=?UTF-8?Q?freeradius-proxy_+_PAP_works,_PEAP_and_the_rest_doesn=C2=B4t?=
> > > (A.L.M.Buxey at lboro.ac.uk)
> > >
> > >
> > > ------------------------------
> > >
> > > Message: 5
> > > Date: Thu, 03 Jul 2008 12:50:25 -0400
> > > From: Sambuddho Chakravarty <sc2516 at columbia.edu>
> > > Subject: Re: freeradius with multiple ldap servers
> > > To: FreeRadius users mailing list
> > > <freeradius-users at lists.freeradius.org>
> > > Message-ID: <1215103825.8819.81.camel at insomniac>
> > > Content-Type: text/plain; charset=utf-8
> > >
> > > Hello Ivan
> > > But I don't have a field in the database by that name . The name of the
> > > field is "userPassword" . This is what the openLDAP migration scripts
> > > generated. Please let me know what mistake I am doing . Also , my
> > > question on failover. Is the failover used when the first LDAP server is
> > > down / unresponsive to connection attempts or when it is not able to
> > > authenticate (example bad username / password) ?
> > >
> > > Thanks
> > > Sambuddho
> > > On Thu, 2008-07-03 at 10:24 +0100, Ivan Kalik wrote:
> > >
> > >> Password (radius) attribute should be Crypt-Password not User-Password.
> > >>
> > >> Ivan Kalik
> > >> Kalik Informatika ISP
> > >>
> > >>
> > >> Dana 3/7/2008, "Sambuddho Chakravarty" <sc2516 at columbia.edu> pi?e:
> > >>
> > >>
> > >>> Hello
> > >>>
> > >>> I set the password_header to = {crypt} and password_attribute to
> > >>> "userPassword" (Thats the name of the field in the database). Now this
> > >>> is what the logs show,
> > >>>
> > >>> rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter
> > >>> (uid=try)
> > >>> rlm_ldap: Added User-Password = $1$n48a7wCp$RfvlOx1pZgiVNfmMmA2xS. in
> > >>> check items
> > >>> rlm_ldap: looking for check items in directory...
> > >>> rlm_ldap: looking for reply items in directory...
> > >>> rlm_ldap: user try authorized to use remote access
> > >>> rlm_ldap: ldap_release_conn: Release Id: 0
> > >>> +++[ldap1] returns ok
> > >>> ++- policy redundant returns ok
> > >>> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > >>> !!! Replacing User-Password in config items with
> > >>> Cleartext-Password. !!!
> > >>> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > >>> !!! Please update your configuration so that the "known
> > >>> good" !!!
> > >>> !!! clear text password is in Cleartext-Password, and not in
> > >>> User-Password. !!!
> > >>> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > >>> auth: type Local
> > >>> auth: user supplied User-Password does NOT match local User-Password
> > >>> auth: Failed to validate the user.
> > >>> Found Post-Auth-Type Reject
> > >>> +- entering group REJECT
> > >>> expand: %{User-Name} -> try
> > >>> attr_filter: Matched entry DEFAULT at line 11
> > >>>
> > >>>
> > >>>
> > >>> My guess is authorize{} worked but not authenticate {}. Also , I see
> > >>> both modules ldap1 and ldap2 being loaded but whenever I try to
> > >>> authenticate with the username/password that is found in ldap2 , the
> > >>> radius server never attempts to connect to the other LDAP server.
> > >>> Instead it search for the entries in the "ldap1"'s server only.
> > >>>
> > >>> Any suggestions ?
> > >>>
> > >>> Thanks
> > >>> Sambuddho
> > >>>
> > >>>
> > >>> On Wed, 2008-07-02 at 23:45 +0100, Ivan Kalik wrote:
> > >>>
> > >>>> http://wiki.freeradius.org/index.php/Rlm_ldap
> > >>>>
> > >>>> See use of password_header and password_attribute.
> > >>>>
> > >>>> Ivan Kalik
> > >>>> Kalik Informatika ISP
> > >>>>
> > >>>>
> > >>>> Dana 2/7/2008, "Sambuddho Chakravarty" <sc2516 at columbia.edu> pi??e:
> > >>>>
> > >>>>
> > >>>>> Hello
> > >>>>> I think I know what the problem is. The radius server is looking up
> > >>>>> using cleartext password , while the LDAP data base stores the hashed
> > >>>>> passwords. How can I force the radiuse server to search for the password
> > >>>>> as a hashed value (rather than searching for the clear-text value) ?
> > >>>>>
> > >>>>> Thanks
> > >>>>> Sambuddho
> > >>>>> On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
> > >>>>>
> > >>>>>> Hello Alan
> > >>>>>> I made sure this time that rlm_ldap was compiled. Now the following is
> > >>>>>> the configuration
> > >>>>>>
> > >>>>>> ------/etc/raddb/modules/ldap-----------
> > >>>>>>
> > >>>>>> ldap ldap1 {
> > >>>>>> server = "a.b.c.d"
> > >>>>>> ...
> > >>>>>> }
> > >>>>>>
> > >>>>>> ldap ldap2 {
> > >>>>>> server = "w.x.y.z"
> > >>>>>> ...
> > >>>>>> }
> > >>>>>>
> > >>>>>> -----/etc/raddb/radiusd.conf-----
> > >>>>>>
> > >>>>>>
> > >>>>>> authorize {
> > >>>>>> ldap1
> > >>>>>>
> > >>>>>> ldap2
> > >>>>>>
> > >>>>>> }
> > >>>>>>
> > >>>>>> authenticate {
> > >>>>>> ldap1
> > >>>>>> ldap2
> > >>>>>> }
> > >>>>>>
> > >>>>>> ------------------------------------
> > >>>>>>
> > >>>>>> When I execute /sbin/radiusd -X
> > >>>>>>
> > >>>>>> It shows instantiating module ldap1 and module ldap2
> > >>>>>>
> > >>>>>> ....
> > >>>>>> Module: Instantiating ldap2
> > >>>>>> ldap ldap1 {
> > >>>>>> server = "a.b.c.d"
> > >>>>>> port = 389
> > >>>>>> ....
> > >>>>>> Module: Instantiating ldap2
> > >>>>>> ldap ldap2 {
> > >>>>>> server = "w.x.y.z"
> > >>>>>> port = 389
> > >>>>>> ....
> > >>>>>>
> > >>>>>> When sending a radtest request using the following command (from the
> > >>>>>> same machine as one which is running the server)
> > >>>>>>
> > >>>>>> $ radtest user "secret" localhost 2 testing123
> > >>>>>>
> > >>>>>> I get ACCESS-REJECT reply from the sever.
> > >>>>>>
> > >>>>>> On the server the logs show something like this
> > >>>>>> ---------------------------------------------------
> > >>>>>> It shows binding to both LDAP servers one by one through something like
> > >>>>>> this :
> > >>>>>>
> > >>>>>> rlm_ldap: performing user authorization for catch
> > >>>>>> WARNING: Deprecated conditional expansion ":-". See "man unlang" for
> > >>>>>> details
> > >>>>>> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
> > >>>>>> expand: ou=People,dc=example,dc=example ->
> > >>>>>> ou=People,dc=example,dc=example
> > >>>>>> rlm_ldap: ldap_get_conn: Checking Id: 0
> > >>>>>> rlm_ldap: ldap_get_conn: Got Id: 0
> > >>>>>> rlm_ldap: attempting LDAP reconnection
> > >>>>>> rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0
> > >>>>>> rlm_ldap: bind as / to 30.0.0.2:389
> > >>>>>> rlm_ldap: waiting for bind result ...
> > >>>>>> rlm_ldap: Bind was successful
> > >>>>>> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
> > >>>>>> filter (uid=catch)
> > >>>>>> rlm_ldap: object not found or got ambiguous search result
> > >>>>>> rlm_ldap: search failed
> > >>>>>> rlm_ldap: ldap_release_conn: Release Id: 0
> > >>>>>> ++[ldap1] returns notfound
> > >>>>>> rlm_ldap: - authorize
> > >>>>>> rlm_ldap: performing user authorization for catch
> > >>>>>> WARNING: Deprecated conditional expansion ":-". See "man unlang" for
> > >>>>>> details
> > >>>>>> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
> > >>>>>> expand: ou=People,dc=example,dc=example ->
> > >>>>>> ou=People,dc=example,dc=example
> > >>>>>> rlm_ldap: ldap_get_conn: Checking Id: 0
> > >>>>>> rlm_ldap: ldap_get_conn: Got Id: 0
> > >>>>>> rlm_ldap: attempting LDAP reconnection
> > >>>>>> rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0
> > >>>>>> rlm_ldap: bind as / to 10.0.0.1:389
> > >>>>>> rlm_ldap: waiting for bind result ...
> > >>>>>> rlm_ldap: Bind was successful
> > >>>>>> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
> > >>>>>> filter (uid=catch)
> > >>>>>> rlm_ldap: object not found or got ambiguous search result
> > >>>>>> rlm_ldap: search failed
> > >>>>>> rlm_ldap: ldap_release_conn: Release Id: 0
> > >>>>>> ++[ldap2] returns notfound
> > >>>>>>
> > >>>>>> auth: No authenticate method (Auth-Type) configuration found for the
> > >>>>>> request: Rejecting the user
> > >>>>>> auth: Failed to validate the user.
> > >>>>>>
> > >>>>>> You can see it is attempting to search both databases but fails. If I
> > >>>>>> use a simple telnet or ssh to authenticate against the LDAP server it
> > >>>>>> logs in fine. LDAP client login against the LDAP server is otherwise
> > >>>>>> working fine. I know I have been bothering using trivial question. But
> > >>>>>> any help would be appreciated :-)
> > >>>>>>
> > >>>>>> Thanks in advance.
> > >>>>>> Sambuddho
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>> On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote:
> > >>>>>>
> > >>>>>>> Sambuddho Chakravarty wrote:
> > >>>>>>>
> > >>>>>>>> This is exactly what I did . I forgot to put the separate module names
> > >>>>>>>>
> > >>>>>>> The consistent problems you see make me think that the issue is more
> > >>>>>>> than "forgot".
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>> And now when I try to start the server this is what the error I see :
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>> server {
> > >>>>>>>> modules {
> > >>>>>>>> Module: Checking authenticate {...} for more modules to load
> > >>>>>>>> //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap':
> > >>>>>>>>
> > >>>>>>> So.... was that module built? Apparently not...
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>> When trying with a single server ,it matches the radius request against
> > >>>>>>>> rlm_pap and not rlm_ldap. I am confused.
> > >>>>>>>>
> > >>>>>>> Perhaps reading the debug output (and that of "configure" and "make")
> > >>>>>>> would help.
> > >>>>>>>
> > >>>>>>> Alan DeKok.
> > >>>>>>> -
> > >>>>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> > >>>>>>>
> > >>>>>> -
> > >>>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> > >>>>>>
> > >>>>> -
> > >>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/usershtml
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>> -
> > >>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> > >>>>
> > >>> -
> > >>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> > >>>
> > >> -
> > >> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> > >>
> > >
> > >
> > >
> > > ------------------------------
> > >
> > > Message: 6
> > > Date: Thu, 3 Jul 2008 18:00:35 +0100
> > > From: A.L.M.Buxey at lboro.ac.uk
> > > Subject:
> > > Re:=?UTF-8?Q?freeradius-proxy_+_PAP_works,_PEAP_and_the_rest_doesn=C2=B4t?=
> > >
> > > To: FreeRadius users mailing list
> > > <freeradius-users at lists.freeradius.org>
> > > Message-ID: <20080703170035.GA14834 at lboro.ac.uk>
> > > Content-Type: text/plain; charset=us-ascii
> > >
> > > hi,
> > >
> > > if you really are using freeradius as a proxy, as you stated,
> > > then you dont need certificates...as the system will JUST
> > > proxy. if you mean you want to terminate EAP on your
> > > freeradius, then please dont call it a proxy. get the
> > > terminology correct.
> > >
> > > what did you do wrong?
> > >
> > > well, since 1.1.7 and 2.0.5 need completely different configs,
> > > i doubt you could make the same mistake twice...you CANT use a 1.1.7
> > > config on a 2.0.5 box.
> > >
> > > from what i can see, the daemon is clearly telling you something
> > > is wrong with your DH stuff. read eap.conf properly. get rid
> > > of that error. thats your primary task.
> > >
> > > alan
> > >
> > >
> > > ------------------------------
> > >
> > > -
> > > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> > >
> > >
> > > End of Freeradius-Users Digest, Vol 39, Issue 18
> > > ************************************************
> > >
> > >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list