FreeRadius and Redundant LDAP Problems
Kory Wheatley
wheakory at gmail.com
Wed Aug 11 21:41:33 CEST 2010
I am trying to set up what I thought should be a fairly simple FreeRADIUS
configuration, but I am having problems.
Simply put, I would like FreeRADIUS to authenticate against our LDAP servers
and look into a couple of groups to see if the user is
authorized. I would also like to have redundant LDAP servers so that if
one went down for maintenance or other reasons users could still
authenticate. I can get FreeRADIUS to work with one LDAP server, but when I
try to implement the redundant setup I have not had any success.
According to the debug log, it is finding the group the user belongs to
correctly, but instead of setting the Auth-Type to LDAP it
is setting it to PAP and rejecting. When I configure the system for one
LDAP server the Auth-Type is LDAP and everything works.
It is probably something simple that I am missing, and I would appreciate any
suggestions.
I have included the debug log below and the configuration files; I have
removed all the comments from the configuration
files to be under the 100k size restriction for the list.
Thanks
Output from request in debugging mode:
rad_recv: Access-Request packet from host 127.0.0.1 port 47611, id=245, length=60
User-Name = "testuser"
User-Password = "testpassword"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
[ldap-server1] Entering ldap_groupcmp()
[files] expand: ou=people,o=test,o=isp -> ou=people,o=test,o=isp
[files] expand: %{Stripped-User-Name} ->
[files] ... expanding second conditional
[files] expand: %{User-Name} -> testuser
[files] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testuser)
[ldap-server1] ldap_get_conn: Checking Id: 0
[ldap-server1] ldap_get_conn: Got Id: 0
[ldap-server1] attempting LDAP reconnection
[ldap-server1] (re)connect to ldapserver.somedomain.com:389, authentication 0
[ldap-server1] bind as uid=testuser, ou=people, o=test, o=isp/testpassword to ldapserver.somedomain.com:389
[ldap-server1] waiting for bind result ...
[ldap-server1] Bind was successful
[ldap-server1] performing search in ou=people,o=test,o=isp, with filter (uid=testuser)
[ldap-server1] ldap_release_conn: Release Id: 0
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=uid\3dtestuser\2cou\3dpeople\2co\3dtest\2co\3disp))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestuser\2cou\3dpeople\2co\3dtest\2co\3disp)))
[ldap-server1] ldap_get_conn: Checking Id: 0
[ldap-server1] ldap_get_conn: Got Id: 0
[ldap-server1] performing search in cn=DialupFS,ou=Groups,o=test,o=isp, with filter (|(&(objectClass=GroupOfNames)(member=uid\3dtestuser\2cou\3dpeople\2co\3dtest\2co\3disp))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestuser\2cou\3dpeople\2co\3dtest\2co\3disp)))
rlm_ldap::ldap_groupcmp: User found in group cn=DialupFS,ou=Groups,o=test,o=isp
[ldap-server1] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 166
++[files] returns ok
++- entering policy redundant {...}
[ldap-server1] performing user authorization for testuser
[ldap-server1] expand: %{Stripped-User-Name} ->
[ldap-server1] ... expanding second conditional
[ldap-server1] expand: %{User-Name} -> testuser
[ldap-server1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testuser)
[ldap-server1] expand: ou=people,o=test,o=isp -> ou=people,o=test,o=isp
[ldap-server1] ldap_get_conn: Checking Id: 0
[ldap-server1] ldap_get_conn: Got Id: 0
[ldap-server1] performing search in ou=people,o=test,o=isp, with filter (uid=testuser)
[ldap-server1] looking for check items in directory...
[ldap-server1] sambaNtPassword -> NT-Password == 0x4234354137334235383034463441323531343346353339333433413430363642
[ldap-server1] sambaLmPassword -> LM-Password == 0x3036323444434332394538433236434346463137333635464146314646453839
[ldap-server1] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap-server1] user testuser authorized to use remote access
[ldap-server1] ldap_release_conn: Release Id: 0
+++[ldap-server1] returns ok
++- policy redundant returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "testpassword"
[pap] Using CRYPT encryption.
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> testuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 245 to 127.0.0.1 port 47611
Reply-Message = "FS User Authorized"
Waking up in 4.9 seconds.
Cleaning up request 0 ID 245 with timestamp +48
Ready to process requests.
Default File (sites-enabled/default):
authorize {
    preprocess
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    unix
    files
    redundant {
        ldap-server1
        ldap-server2
    }
    expiration
    logintime
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    unix
    Auth-Type LDAP {
        redundant {
            ldap-server1
            ldap-server2
        }
    }
    eap
}
preacct {
    preprocess
    acct_unique
    suffix
    files
}
accounting {
    detail
    unix
    radutmp
    attr_filter.accounting_response
}
session {
    radutmp
}
post-auth {
    exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
pre-proxy {
}
post-proxy {
    eap
}
User File:
DEFAULT ldap-server1-Ldap-Group == "cn=DialupFS,ou=Groups,o=test,o=isp"
    Reply-Message = "FS User Authorized"
DEFAULT ldap-server1-Ldap-Group == "cn=DialupST,ou=Groups,o=test,o=isp"
    Reply-Message = "ST User Authorized"
DEFAULT ldap-server2-Ldap-Group == "cn=DialupFS,ou=Groups,o=test,o=isp"
    Reply-Message = "FS User Authorized"
DEFAULT ldap-server2-Ldap-Group == "cn=DialupST,ou=Groups,o=test,o=isp"
    Reply-Message = "ST User Authorized"
DEFAULT Auth-Type := Reject
    Reply-Message = "User Not Authorized"
DEFAULT Framed-Protocol == PPP
    Framed-Protocol = PPP,
    Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
    Framed-Protocol = SLIP,
    Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
    Framed-Protocol = SLIP
ldap module file:
ldap ldap-server1 {
    server = "ldapserver.somedomain.com"
    identity = "uid=raduser, ou=people, o=test, o=isp"
    password = testpassword
    basedn = "ou=people,o=test,o=isp"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = no
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
    groupname_attribute = cn
    groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
}
ldap ldap-server2 {
    server = "ldapserver2.somedomain.com"
    identity = "uid=raduser, ou=people, o=test, o=isp"
    password = testpassword
    basedn = "ou=people,o=test,o=isp"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = no
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
    groupname_attribute = cn
    groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
}
The radiusd.conf file:
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/${name}.pid
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
    type = auth
    ipaddr = *
    port = 0
}
listen {
    ipaddr = *
    port = 0
    type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
    destination = files
    file = ${logdir}/radius.log
    syslog_facility = daemon
    stripped_names = no
    auth = no
    auth_badpass = no
    auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
}
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}
modules {
    $INCLUDE ${confdir}/modules/
    $INCLUDE eap.conf
}
instantiate {
    exec
    expr
    ldap-server1
    ldap-server2
    expiration
    logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/
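As an added example (not from the post and not part of FreeRADIUS), a small Python helper that reads a `radiusd -X` request trace like the one above, attributes every module return code to the unlang section it ran in, and reports which modules returned `updated` before `Found Auth-Type` was printed. Run over the trace in this post it shows that `pap` (after `unix`), not `ldap-server1` inside `redundant`, was the last module to update the request before Auth-Type became PAP; the embedded trace is a constructed excerpt of the post's output.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the radiusd -X trace quoted in the post; only the
# section and "returns" lines are kept, since those show who set Auth-Type.
SAMPLE_DEBUG = """\
+- entering group authorize {...}
++[unix] returns updated
++[files] returns ok
++- entering policy redundant {...}
+++[ldap-server1] returns ok
++- policy redundant returns ok
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
++[pap] returns reject
"""

SECTION_RE = re.compile(r"^(\++)- entering (?:group|policy) (\S+) ")
MODULE_RE = re.compile(r"^(\++)\[([^\]]+)\] returns (\w+)")
AUTH_TYPE_RE = re.compile(r"^Found Auth-Type = (\S+)")


def parse_module_returns(text: str) -> Tuple[List[Tuple[str, str, str]], Optional[str]]:
    """Map each module return code to its unlang section path. Depth is the
    count of leading '+': a module at depth n sits in the sections opened at
    depths below n. Returns ([(section_path, module, rc)], Auth-Type)."""
    open_sections: Dict[int, str] = {}
    records: List[Tuple[str, str, str]] = []
    auth_type: Optional[str] = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            depth = len(m.group(1))
            # opening a section at this depth closes anything nested deeper
            open_sections = {d: s for d, s in open_sections.items() if d < depth}
            open_sections[depth] = m.group(2)
            continue
        m = MODULE_RE.match(line)
        if m:
            depth = len(m.group(1))
            path = "/".join(open_sections[d] for d in sorted(open_sections) if d < depth)
            records.append((path, m.group(2), m.group(3)))
            continue
        m = AUTH_TYPE_RE.match(line)
        if m:
            auth_type = m.group(1)
    return records, auth_type


def modules_that_updated(records: List[Tuple[str, str, str]], section: str) -> List[str]:
    """Modules returning 'updated' (they changed the request/control lists,
    which is how Auth-Type gets set) anywhere under the named top section."""
    return [mod for path, mod, rc in records
            if path.split("/")[0] == section and rc == "updated"]
```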