Realms issues

EMP emp618 at internode.on.net
Thu May 21 07:33:17 CEST 2009


Hi all

I have an issue where I'm trying to use realms to determine which LDAP 
server to authenticate a user against. What seems to happen is that the 
Realm entries in my users file are never matched, and hence the authentication 
fails. Any help would be greatly appreciated.

My users file is:
# NOTE(review): the Realm == "..." checks below can only match if a realm
# module (the "suffix" instance in radiusd.conf) has already run in authorize
# and set the Realm attribute; the authorize section posted below calls files
# without any realm module ahead of it — confirm.
DEFAULT Realm == "NULL", Auth-Type := ldap-default, Autz-Type := 
ldap-default
DEFAULT Realm == "test.com", Auth-Type :=test.com, Autz-Type := test.com
# Fail-closed catch-all: anything not matched above is rejected (this is the
# entry the debug output below ends up on).
DEFAULT Auth-Type := Reject

My proxy.conf has the following:
# All three realms are handled locally (authhost/accthost = LOCAL); "NULL"
# is the realm name the Realm == "NULL" users entry expects.
realm test.com {
       type = radius
       authhost        = LOCAL
       accthost        = LOCAL
       # NOTE(review): nostrip keeps the "@test.com" suffix in User-Name, so
       # Stripped-User-Name is presumably not populated for this realm — confirm.
       nostrip
}
realm NULL {
       type            = radius
       authhost        = LOCAL
       accthost        = LOCAL
}
realm LOCAL {
       type            = radius
       authhost        = LOCAL
       accthost        = LOCAL
}

The radiusd.conf is:
# Path, daemon and request-handling settings, as posted.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = /etc/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run
log_file = ${logdir}/radiusd.log
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
libdir = /usr/lib/freeradius
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 256
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
log_stripped_names = yes
log_auth = yes
# NOTE(review): log_auth_badpass = yes presumably writes the password of
# rejected attempts to ${log_file}; mistyped passwords are usually one
# character off the real one, so keep that log's permissions tight — confirm.
log_auth_badpass = yes
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
security {
       max_attributes = 200
       # reject_delay = 1 matches "Delaying request 2 for 1 seconds" in the
       # debug output below.
       reject_delay = 1
       status_server = no
}
# proxy.conf (the realm definitions posted above) and clients.conf are
# pulled in here.
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
snmp    = no
# Thread pool sizing, as posted.
thread pool {
       start_servers = 1
       max_servers = 4
       min_spare_servers = 1
       max_spare_servers = 3
       max_requests_per_server = 0
}
modules {
       pap {
               #auto_header = yes
encryption_scheme = crypt
       }
       chap {
               authtype = CHAP
       }
$INCLUDE ${confdir}/eap.conf
       mschap {
               authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
authtype = MS-CHAP
#               with_ntdomain_hack = yes
       }
       files {
               usersfile = ${confdir}/users
               compat = no
       }
### Added
# Two rlm_ldap instances, "test.com" and "ldap-default", both bound to
# ldap1.test.com:636 with tls_mode = yes but with different bind identities
# (cn=xxxx vs cn=xxxl); bind passwords are redacted ("xxx") in this post.
ldap test.com {
               server = "ldap1.test.com"
               #port = 389
               port = 636
               identity = "cn=xxxx"
               password = "xxx"
               basedn = "o=xxx"
               # NOTE(review): %{Stripped-User-Name:-%{User-Name}} presumably
               # falls back to the full User-Name (with the @realm suffix) when
               # no realm module has stripped it — confirm which form the uid
               # attribute in the directory holds.
               filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
               tls_mode        = yes
               tls_cacertfile         = /etc/raddb/certs/cert.b64
               tls_cacertdir          = /etc/raddb/certs/
               dictionary_mapping = ${raddbdir}/ldap.attrmap
               ldap_connections_number = 5
               edir_account_policy_check=no
               timeout = 4
               timelimit = 3
               net_timeout = 1
               # NOTE(review): set_auth_type = yes in both instances — confirm it
               # does not interfere with the Auth-Type := values forced in users.
               set_auth_type = yes
               password_attribute = nspmPassword
       }
ldap ldap-default {
               server = "ldap1.test.com"
               #port = 389
               port = 636
               identity = "cn=xxxl"
               password = "xxx"
               basedn = "o=xxx"
               filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
               tls_mode        = yes
               tls_cacertfile         = /etc/raddb/certs/cert.b64
               tls_cacertdir          = /etc/raddb/certs/
               dictionary_mapping = ${raddbdir}/ldap.attrmap
               ldap_connections_number = 5
               edir_account_policy_check=no
               timeout = 4
               timelimit = 3
               net_timeout = 1
               set_auth_type = yes
password_attribute = nspmPassword
       }
### //

# NOTE(review): "suffix" (format = suffix, delimiter = "@") is the only realm
# module instance defined, but it is not called in the authorize section
# below, so nothing splits User-Name on "@" or sets Realm — confirm.
realm suffix {
               format = suffix
               delimiter = "@"
               ignore_default = no
               ignore_null = no
       }

}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
       Auth-Type MS-CHAP {
               mschap
       }
### Added
# The two Auth-Type names below must match the Auth-Type := values set in
# the users file ("test.com" and "ldap-default"); each one simply calls the
# rlm_ldap instance of the same name.
Auth-Type test.com {
test.com
}
       Auth-Type ldap-default {
              ldap-default
       }
### //
       eap

}

authorize {
       chap
       mschap
       eap
       # NOTE(review): no realm module runs before files, so the Realm
       # attribute that the Realm == "..." entries in users test is never set;
       # the debug output below shows files matching only the final DEFAULT
       # (Auth-Type := Reject). Calling the "suffix" instance here, ahead of
       # files, is the usual fix — confirm.
       files
### Added
       # These sub-sections are entered for the Autz-Type value that the
       # matching users entry sets ("test.com" or "ldap-default").
       Autz-Type test.com {
        test.com
       }
       Autz-Type ldap-default {
        ldap-default
       }
### //
}

post-auth {
# NOTE(review): ldap-default is called for every post-auth and again in the
# REJECT group; in the debug output below it returns noop for the rejected
# request — confirm it is meant to run here at all.
ldap-default
Post-Auth-Type REJECT {
ldap-default
}
}

I then see the following:

rad_recv: Access-Request packet from host xxx:40485, id=38, length=63
       User-Name = "auto at test.com"
       User-Password = "xx"
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
 modcall[authorize]: module "chap" returns noop for request 2
 modcall[authorize]: module "mschap" returns noop for request 2
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module "eap" returns noop for request 2
   users: Matched entry DEFAULT at line 9
 modcall[authorize]: module "files" returns ok for request 2
modcall: leaving group authorize (returns ok) for request 2
 rad_check_password:  Found Auth-Type Reject
 rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Login incorrect: [auto at test.com/xxx] (from client xxx port 0)
 Found Post-Auth-Type
 Processing the post-auth section of radiusd.conf
modcall: entering group REJECT for request 2
 modcall[post-auth]: module "ldap-default" returns noop for request 2
modcall: leaving group REJECT (returns noop) for request 2
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---








