User-Name Authorization Problem in ldap module
Syed Anwarul Hasan
syedanwarulhasan2007 at gmail.com
Wed Sep 17 16:39:00 CEST 2008
Dear Alan,Ivan and all,
I am having the Problem in rlm_ldap module in FreeRadius.
I am doing a MD5 based Authentication with a Windows XP Supplicant and a
Alcatel Switch acting as Authenticator and FreeRadius2.0.5 build as Front
end and OpenLDAP 2.3.32 as backend.
When a Request is received the *FreeRadius rlm_ldap module is not able to
Authorize the User-Name in Authorize section.*
But when I tried with* radtest it was able to Authorize and bind the
identity with server. and authorized password.
I am unable to find the problem.
Please comment in this regard.
SYED
Debugged output with RADIUS Access Request received from Authenticator:*
rad_recv: Access-Request packet from host 192.168.1.2 port 1026, id=23,
length=118
User-Name = "hasan"
NAS-IP-Address = 192.168.1.2
State = 0xd2721542d2731113194d83152fbd73d0
NAS-Port = 1003
Calling-Station-Id = "000fb0ba868d"
EAP-Message =
0x0201001b0410aa93c55c3f5fb6f41369d77838fad2a2686173616e
Message-Authenticator = 0x6525206bdea6b09c81a5a3252e515782
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "hasan", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 1 length 27
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
*rlm_ldap: Attribute "User-Name" is required for authorization.*
*++[ldap] returns noop*
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/md5
rlm_eap: processing type md5
rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
rlm_eap: Handler failed in EAP/md5
rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> hasan
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 23 to 192.168.1.2 port 1026
EAP-Message = 0x04010004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 1.
Going to the next request
Debugged o/p with radtest:
radtest hasan password 192.168.1.131 10 testing123
*rlm_ldap: - authorize
rlm_ldap: performing user authorization for password
WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=hasan)
expand: dc=thales,dc=com -> dc=thales,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Administrator,dc=thales,dc=com/thales to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=thales,dc=com, with filter (uid=hasan)
rlm_ldap: checking if remote access for password is allowed by uid
rlm_ldap: Added User-Password = password in check items
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user password authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0*
++[ldap] returns ok
expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> hasan
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 27 to 192.168.1.131 port 1068
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080917/a03f5ff3/attachment.html>
More information about the Freeradius-Users
mailing list