LDAP auth in two sources

Vladimir Mendelevich menv at on-line.ru
Wed Nov 25 15:36:34 CET 2009


Hello!

radiusd: FreeRADIUS Version 1.1.3, for host
x86_64-redhat-linux-gnu, built on Apr 25 2007 at 09:04:23

I need to authorize some RADIUS clients against LDAP via
RADIUS. The clients only need to check passwords. I can
check this against ONE LDAP server at a time without problems.
It works fine. But I need something different.

I need to check the user/password in TWO different LDAP servers.
If ANY of the LDAPs says "password is ok", RADIUS must accept
this userid/passwd pair. The user lists in these two LDAPs have
some overlap. Most (but not all) of the users are present in
BOTH LDAP servers. Passwords differ between the LDAP
servers.

With the current configuration I get this:

if the username isn't found in the first LDAP, proceed to the
next
if the username isn't found in the second LDAP, DENY access
if the username is found in the first LDAP and the password is
accepted by the first LDAP, ALLOW access.
if the username is found in the first LDAP and the password isn't
accepted by the first LDAP, DENY access.

RADIUS doesn't check the password in the second LDAP server. I
know why, but I don't know how to change this behaviour.

This is how the users look:

---
LDAP1: uid=userid,o=org1
LDAP2: uid=userid,o=org2
---

As you can see, the organization is different in these two LDAP
servers.

I check this with the "radtest" utility.


/etc/raddb/radiusd.conf

------------------
modules {
        ldap tam {
                server = "ldap1.ts"
                basedn = "o=org1"
                filter = "(uid=%{User-Name})"
                authtype = tam
                start_tls = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                timeout = 4
                timelimit = 3
                net_timeout = 1
                compare_check_items = no
                do_xlat = no
                access_attr_used_for_allow = no
                set_auth_type = yes
        }
        ldap lotus {
                server = "ldap2.ts"
                basedn = "o=org2"
                filter = "(uid=%{User-Name})"
                authtype = lotus
                start_tls = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                timeout = 4
                timelimit = 3
                net_timeout = 1
                compare_check_items = no
                do_xlat = no
                access_attr_used_for_allow = no
                set_auth_type = yes
        }
        radutmp {
                filename = ${logdir}/radutmp
                username = %{User-Name}
                case_sensitive = yes
                check_with_nas = yes
                perm = 0600
                callerid = "yes"
        }
        detail {
                detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
                detailperm = 0600
                #suppress {
                        # User-Password
                #}
        }
}
authorize {
        group ldap {
                tam {
                        notfound = 1
                        noop= 2
                        fail = 3
                        reject = 4
                        ok = return
                }
                lotus {
                        notfound = 1
                        noop= 2
                        fail = 3
                        reject = 4
                        ok = return
                }
                handled
        }
}
authenticate {
        Auth-Type tam {
                tam {
                        notfound = 1
                        noop= 2
                        fail = 3
                        reject = 4
                        ok = return
                }
                handled
        }
        Auth-Type lotus {
                lotus {
                        notfound = 1
                        noop= 2
                        fail = 3
                        reject = 4
                        ok = return
                }
                handled

        }
}
--------------------------

logfiles:

user exist in LDAP1 and password is good in LDAP1
---
rad_recv: Access-Request packet from host
192.168.110.3:49867, id=21, length=64
User-Name = "vmendelevich"
User-Password = "11111111"
NAS-IP-Address = 192.168.110.3
NAS-Port = 10
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall: entering group ldap for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for vmendelevich
radius_xlat: '(uid=vmendelevich)'
radius_xlat: 'o=org1'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap1.ts:389, authentication 0
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option
to allow
rlm_ldap: bind as / to ldap1.kmz.ts:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=org1, with filter
(uid=vmendelevich)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Setting Auth-Type = tam
rlm_ldap: user vmendelevich authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "tam" returns ok for request 0
modcall: leaving group ldap (returns ok) for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password: Found Auth-Type tam
auth: type "tam"
  Processing the authenticate section of radiusd.conf
modcall: entering group tam for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "vmendelevich" with password
"11111111"
rlm_ldap: user DN: uid=vmendelevich,o=org1
rlm_ldap: (re)connect to ldap1.ts:389, authentication 1
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option
to allow
rlm_ldap: bind as uid=vmendelevich,o=org1/11111111 to
ldap1.ts:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user vmendelevich authenticated succesfully
  modcall[authenticate]: module "tam" returns ok for
request 0
modcall: leaving group tam (returns ok) for request 0
Login OK: [vmendelevich] (from client VMendelevich port 10)
Sending Access-Accept of id 21 to 192.168.110.3 port 49867
Finished request 0
Going to the next request
----

user doesn't exist in LDAP1, but exists in LDAP2 and the
password is good in LDAP2
---
rad_recv: Access-Request packet from host
192.168.110.3:44439, id=108, length=57
User-Name = "aldap"
User-Password = "22222222"
NAS-IP-Address = 192.168.110.3
NAS-Port = 10
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall: entering group ldap for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for aldap
radius_xlat: '(uid=aldap)'
radius_xlat: 'o=tamknown'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=org1, with filter
(uid=aldap)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "tam" returns notfound for
request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for aldap
radius_xlat: '(uid=aldap)'
radius_xlat: 'o=org2'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap2.ts:389, authentication 0
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option
to allow
rlm_ldap: bind as cn=admin ldap,o=org2/22222222 to
ldap2.ts:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=org2, with filter
(uid=aldap)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Setting Auth-Type = lotus
rlm_ldap: user aldap authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "lotus" returns ok for request
1
modcall: leaving group ldap (returns ok) for request 1
modcall: leaving group authorize (returns ok) for request 1
  rad_check_password: Found Auth-Type lotus
auth: type "lotus"
  Processing the authenticate section of radiusd.conf
modcall: entering group lotus for request 1
rlm_ldap: - authenticate
rlm_ldap: login attempt by "aldap" with password "22222222"
rlm_ldap: user DN: CN=Admin LDAP,O=org2
rlm_ldap: (re)connect to ldap2.ts:389, authentication 1
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option
to allow
rlm_ldap: bind as CN=Admin LDAP,O=org2/22222222 to
ldap2.ts:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user aldap authenticated succesfully
  modcall[authenticate]: module "lotus" returns ok for
request 1
modcall: leaving group lotus (returns ok) for request 1
Login OK: [aldap] (from client VMendelevich port 10)
Sending Access-Accept of id 108 to 192.168.110.3 port 44439
Finished request 1
Going to the next request
---

username exists in BOTH LDAPs but the password is accepted
only by LDAP2
---
rad_recv: Access-Request packet from host
192.168.110.3:55540, id=92, length=64
User-Name = "vmendelevich"
User-Password = "33333333"
NAS-IP-Address = 192.168.110.3
NAS-Port = 10
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall: entering group ldap for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for vmendelevich
radius_xlat: '(uid=vmendelevich)'
radius_xlat: 'o=org1'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=org1, with filter
(uid=vmendelevich)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Setting Auth-Type = tam
rlm_ldap: user vmendelevich authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "tam" returns ok for request 2
modcall: leaving group ldap (returns ok) for request 2
modcall: leaving group authorize (returns ok) for request 2
  rad_check_password: Found Auth-Type tam
auth: type "tam"
  Processing the authenticate section of radiusd.conf
modcall: entering group tam for request 2
rlm_ldap: - authenticate
rlm_ldap: login attempt by "vmendelevich" with password
"33333333"
rlm_ldap: user DN: uid=vmendelevich,o=org1
rlm_ldap: (re)connect to ldap1.ts:389, authentication 1
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option
to allow
rlm_ldap: bind as uid=vmendelevich,o=org1/33333333 to
ldap1.ts:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
  modcall[authenticate]: module "tam" returns reject for
request 2
  modcall[authenticate]: module "handled" returns handled
for request 2
modcall: leaving group tam (returns handled) for request 2
There was no response configured: rejecting request 2
Server rejecting request 2.
Finished request 2
Going to the next request
---

As I see it, I need to make something like a "group" in the
authenticate section. But I don't see how. Please advise.
Thank you.

UIN:9244669
Phone:+7(495)727-0982 ext.4162
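The post above asks how to let the second directory check the password once the first one has rejected it. The Python model below is added here as an illustration; it is neither the list author's configuration nor FreeRADIUS code. It simulates the 1.x group evaluation the posted config relies on (each module returns a code; the action table maps a code to a priority that keeps the group going, or to `return`, which stops it) with two in-memory dictionaries standing in for ldap1.ts and ldap2.ts. `decide_posted` mirrors the posted config, where `authorize` fixes `Auth-Type` on the first server that knows the user, so only that server is ever asked for the password. `decide_fallback` is the "group in the authenticate section" the author is after, assuming a single `Auth-Type` whose group asks both servers in turn. The action tables, the function names and the sample directories are constructed for the example.

```python
"""Added example: a small model of how FreeRADIUS 1.x walks a module group.
Not the list author's config and not FreeRADIUS code.  Assumptions: every
module returns one rlm return code; an action table maps a code either to an
integer priority (keep going, remember the highest-priority code seen) or to
"return" (stop and hand that code back); in-memory dicts stand in for the two
LDAP servers, so no network, search or bind semantics are modelled."""

# Constructed directories standing in for ldap1.ts (o=org1) and ldap2.ts
# (o=org2): the same uid with different passwords, as in the post.
LDAP1 = {"vmendelevich": "11111111"}
LDAP2 = {"vmendelevich": "33333333", "aldap": "22222222"}

# Action table taken from the posted Auth-Type blocks: every numbered code
# keeps the group going, ok returns at once.
POSTED_ACTIONS = {"notfound": 1, "noop": 2, "fail": 3, "reject": 4, "ok": "return"}

# Hypothetical table for a fallback group: reject is not terminal, so a
# later server's answer is still consulted; ok still returns at once.
FALLBACK_ACTIONS = {"notfound": 1, "reject": 2, "noop": 3, "fail": 4, "ok": "return"}


def ldap_auth(directory):
    """Build a module mimicking rlm_ldap authenticate for one directory."""
    def module(request):
        user = request["User-Name"]
        if user not in directory:
            return "notfound"          # search found no entry
        if directory[user] == request["User-Password"]:
            return "ok"                # bind as the user succeeded
        return "reject"                # bind failed: invalid credentials
    return module


def run_group(modules, actions, request):
    """Evaluate modules in order under one action table; return the group's code."""
    result, priority = "noop", -1
    for _name, module in modules:
        code = module(request)
        action = actions[code]
        if action == "return":
            return code
        if action > priority:          # higher number wins; ties keep the earlier code
            result, priority = code, action
    return result


def authorize_posted(request):
    """authorize { group ldap { tam {... ok = return} lotus {...} } }:
    with set_auth_type = yes the first server that finds the user sets
    Auth-Type and the group returns, so the server choice is made here."""
    for auth_type, directory in (("tam", LDAP1), ("lotus", LDAP2)):
        if request["User-Name"] in directory:
            return auth_type
    return None                        # notfound in both -> rejected


def decide_posted(request):
    """Posted config: authenticate runs only the Auth-Type group chosen above."""
    auth_type = authorize_posted(request)
    if auth_type is None:
        return "Access-Reject"
    server = {"tam": LDAP1, "lotus": LDAP2}[auth_type]
    code = run_group([(auth_type, ldap_auth(server))], POSTED_ACTIONS, request)
    return "Access-Accept" if code == "ok" else "Access-Reject"


def decide_fallback(request):
    """Hypothetical single Auth-Type whose group asks both servers in turn:
    the first ok returns, a reject from ldap1 falls through to ldap2."""
    modules = [("tam", ldap_auth(LDAP1)), ("lotus", ldap_auth(LDAP2))]
    code = run_group(modules, FALLBACK_ACTIONS, request)
    return "Access-Accept" if code == "ok" else "Access-Reject"


def compare(user, password):
    """Run one request through both policies; returns (posted, fallback)."""
    request = {"User-Name": user, "User-Password": password}
    return decide_posted(request), decide_fallback(request)


if __name__ == "__main__":
    # The three scenarios from the posted logs, plus a wrong password everywhere.
    for user, password in (("vmendelevich", "11111111"),
                           ("aldap", "22222222"),
                           ("vmendelevich", "33333333"),
                           ("vmendelevich", "99999999")):
        print(user, password, *compare(user, password))
```

The third scenario is the one that differs: under the posted policy `vmendelevich` with `33333333` is rejected because `Auth-Type` was fixed to `tam` before any password was checked, while the fallback group goes on to the second server and accepts. Two things the model deliberately leaves out: under the fallback policy a wrong password is presented to both directories on every attempt, so failed-bind counters on both servers move for one typo, whereas the posted policy only ever binds to one; and the posted logs show the authenticate step reusing the DN found during authorize (`user DN: uid=vmendelevich,o=org1`), so a second rlm_ldap instance in such a group would have to look the user up under its own basedn, which is an assumption about rlm_ldap 1.1.3 the model does not verify.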


