Need help for configuration - LDAP with custom files Failover

Dajka Tamás tdajka at geomant.com
Tue Oct 28 11:48:23 CET 2008


Now, the users file is empty, and still the same (%Authorization failed on the switch). The log:

++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++- entering policy redundant
rlm_ldap: - authorize
rlm_ldap: performing user authorization for myusername
        expand: (uid=%{User-Name}) -> (uid=myusername)
        expand: dc=mydomain,dc=hu -> dc=mydomain,dc=hu
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.mydomain.hu:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /etc/ssl/mydomain.hu/ca/cacert.pem
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: bind as / to ldap.mydomain.hu:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=mydomain,dc=hu, with filter (uid=myusername)
rlm_ldap: checking if remote access for viper is allowed by uid
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user viper authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap] returns ok
++- policy redundant returns ok
rlm_passwd: Added Cisco-AVPair: 'shell:priv-lvl=1' to reply_items
++[ciscoextra] returns ok
++[ciscogroup] returns notfound
  rad_check_password:  Found Auth-Type ldap
auth: type "LDAP"
+- entering group LDAP
rlm_ldap: - authenticate
rlm_ldap: login attempt by "myusername" with password "myldappasswd"
rlm_ldap: user DN: cn=myusername,ou=users,dc=mydomain,dc=hu
rlm_ldap: (re)connect to ldap.mydomain.hu:636, authentication 1
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /etc/ssl/mydomain.hu/ca/cacert.pem
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: bind as cn=myusername,ou=users,dc=mydomain,dc=hu/mypassword to ldap.mydomain.hu:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user myusername authenticated succesfully
++[ldap] returns ok
Login OK: [myusername/mypassword] (from client shortname port 1 cli myclientip)
Sending Access-Accept of id 142 to myswitchip port 1645
        Cisco-AVPair = "shell:priv-lvl=1"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 142 with timestamp +9


Access-Accept, but still error on the switch (% Authorization failed.). As to my previous testing, not all the switches work, if the mentioned users file section (DEFAULT ...) is not present (I mean, authing against files,ciscopwd ). This is some Cisco error, but coudn't find any workaround.

Is it not possible to use somehow the users file, with DEAFULT entires and Fall-Through flags?

>>
>>The myusername is same in the ciscopwd file and in LDAP, but the passwords are different.

>Why??? That file should be for users that are not in ldap or as ldap
>backup (same user, same password, so when ldap server fails they can
>still connect).

The passwords are different just for testing. The ciscopws should act as backup, if ldap server failes.

Thanks,

           Tamas

________________________________________
Feladó: freeradius-users-bounces+tdajka=geomant.com at lists.freeradius.org [freeradius-users-bounces+tdajka=geomant.com at lists.freeradius.org], meghatalmazó: tnt at kalik.net [tnt at kalik.net]
Küldve: 2008. október 28. 11:25
Címzett: FreeRadius users mailing list
Tárgy: RE: Need help for configuration - LDAP with custom files Failover

>rad_recv: Access-Request packet from host myswitchip port 1645, id=139, length=80
>        NAS-IP-Address = myswitchip
>        NAS-Port = 1
>        NAS-Port-Type = Virtual
>        User-Name = "myusernamer"
>        Calling-Station-Id = "myclientip"
>        User-Password = "myvalid_ldap_password"
>+- entering group authorize
..
>++- entering policy redundant
>    users: Matched entry DEFAULT at line 11
>+++[files] returns ok
>++- policy redundant returns ok

OK. Your redundant section is not going to make much sense if you are
going to have matches on DEFAULT entries in files. files will always be
used while ldap and ciscopwd - never. On top of that you are setting
auth type ldap - remove files from redundant section and delete that
auth type entry from it.

>
>The myusername is same in the ciscopwd file and in LDAP, but the passwords are different.

Why??? That file should be for users that are not in ldap or as ldap
backup (same user, same password, so when ldap server fails they can
still connect).

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




More information about the Freeradius-Users mailing list