LDAP and attributes from user file.
Cliff Becker
cbecker at nteg.net
Sun Jul 26 05:07:51 CEST 2009
OK. I'm stuck. I don't understand what I am doing wrong.
I have installed freeradius with version 2.1.1-6.1 for SLE 10 SP2.
I fumbled my way through LDAP authentication to edirectory (probably in all the wrong ways I'm sure).
The issue I have now is that the attributes I set in the user file:
DEFAULT Huntgroup-Name == WirelessGear, Ldap-Group == "cn=WirelessAllowed,o=integrity"
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = 10
The attributes are not included in the Access-Accept when using radtest or a XP workstation using the Novell 802.1x client.
Below is the debug:
rad_recv: Access-Request packet from host 10.1.0.24 port 32888, id=30, length=59
User-Name = "testuser"
User-Password = "password"
NAS-IP-Address = 10.1.0.24
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.1.0.24/auth-detail-20090725
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.1.0.24/auth-detail-20090725
[auth_log] expand: %t -> Sat Jul 25 08:20:43 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for testuser
[ldap] expand: %{Stripped-User-Name} ->
[ldap] expand: %{User-Name} -> testuser
[ldap] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=testuser)
[ldap] expand: o=integrity -> o=integrity
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to oes1.nteg.net:389, authentication 0
rlm_ldap: setting TLS CACert File to /etc/raddb/certs/rootder.b64
rlm_ldap: starting TLS
rlm_ldap: bind as cn=ldapuser,o=integrity/ldappass to oes1.nteg.net:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=integrity, with filter (cn=testuser)
[ldap] Added the eDirectory password password in check items as Cleartext-Password
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request is correct.
+- entering group post-auth {...}
[reply_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/radius/radacct/10.1.0.24/reply-detail-20090725
[reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/10.1.0.24/reply-detail-20090725
[reply_log] expand: %t -> Sat Jul 25 08:20:43 2009
++[reply_log] returns ok
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to oes1.nteg.net:389, authentication 0
rlm_ldap: setting TLS CACert File to /etc/raddb/certs/rootder.b64
rlm_ldap: starting TLS
rlm_ldap: bind as cn=testuser,o=integrity/password to oes1.nteg.net:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[exec] returns noop
Sending Access-Accept of id 30 to 10.1.0.24 port 32888
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 30 with timestamp +27
Ready to process requests.
However when I use an XP client and no Novell client or ntradping I see the attributes and I am assigned the correct VLAN
Here is the debug below:
rad_recv: Access-Request packet from host 10.1.0.5 port 1541, id=6, length=48
User-Name = "testuser"
CHAP-Password = 0xa734db980a0367669cce38acbf8badf1bc
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.1.0.5/auth-detail-20090725
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.1.0.5/auth-detail-20090725
[auth_log] expand: %t -> Sat Jul 25 08:18:16 2009
++[auth_log] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
rlm_ldap: Entering ldap_groupcmp()
[files] expand: o=integrity -> o=integrity
[files] expand: %{Stripped-User-Name} ->
[files] expand: %{User-Name} -> testuser
[files] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=testuser)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to oes1.nteg.net:389, authentication 0
rlm_ldap: setting TLS CACert File to /etc/raddb/certs/rootder.b64
rlm_ldap: starting TLS
rlm_ldap: bind as cn=ldapuser,o=integrity/ldappass to oes1.nteg.net:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=integrity, with filter (cn=testuser)
rlm_ldap: ldap_release_conn: Release Id: 0
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{check:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{check:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dtestuser\2co\3dintegrity))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dtestuser\2co\3dintegrity)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=WirelessDisabled,o=integrity, with filter (|(&(objectClass=GroupOfNames)(member=cn\3dtestuser\2co\3dintegrity))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dtestuser\2co\3dintegrity)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group cn=WirelessDisabled,o=integrity not found or user is not a member.
rlm_ldap: Entering ldap_groupcmp()
[files] expand: o=integrity -> o=integrity
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{check:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{check:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dtestuser\2co\3dintegrity))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dtestuser\2co\3dintegrity)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=WirelessAllowed,o=integrity, with filter (|(&(objectClass=GroupOfNames)(member=cn\3dtestuser\2co\3dintegrity))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dtestuser\2co\3dintegrity)))
rlm_ldap::ldap_groupcmp: User found in group cn=WirelessAllowed,o=integrity
rlm_ldap: ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 4
++[files] returns ok
[ldap] performing user authorization for testuser
[ldap] expand: %{Stripped-User-Name} ->
[ldap] expand: %{User-Name} -> testuser
[ldap] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=testuser)
[ldap] expand: o=integrity -> o=integrity
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=integrity, with filter (cn=testuser)
[ldap] Added the eDirectory password password in check items as Cleartext-Password
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by "testuser" with CHAP password
[chap] Using clear text password "password" for user testuser authentication.
[chap] chap user testuser authenticated succesfully
++[chap] returns ok
+- entering group post-auth {...}
[reply_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/radius/radacct/10.1.0.5/reply-detail-20090725
[reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/10.1.0.5/reply-detail-20090725
[reply_log] expand: %t -> Sat Jul 25 08:18:16 2009
++[reply_log] returns ok
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to oes1.nteg.net:389, authentication 0
rlm_ldap: setting TLS CACert File to /etc/raddb/certs/rootder.b64
rlm_ldap: starting TLS
rlm_ldap: bind as cn=testuser,o=integrity/password to oes1.nteg.net:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[exec] returns noop
Sending Access-Accept of id 6 to 10.1.0.5 port 1541
Service-Type = Login-User
Tunnel-Type:0 == VLAN
Tunnel-Medium-Type:0 == IEEE-802
Tunnel-Private-Group-Id:0 == "10"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 6 with timestamp +9
Ready to process requests.
I will not even pretend to know what I am doing wrong.
I don't understand why I receive the following errors as well:
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
This is all that is in the users file and I cannot find Auth-Type = Local in any other file:
DEFAULT Huntgroup-Name == WirelessGear, Ldap-Group == "cn=WirelessAllowed,o=integrity"
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = 10
Thank you in advance for your time and patience.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20090725/fcce815c/attachment.html>
More information about the Freeradius-Users
mailing list