FreeRadius and Redundant LDAP Problems

Kory Wheatley wheakory at gmail.com
Thu Aug 12 21:06:57 CEST 2010 

Per your suggestions from the last email I checked and the:


Un-comment the "unix" entry from the "authorize" section of
raddb/sites-available/default

Was un-commented and below is the output from trying to authenticate a user
that is a member of the DialupFS group and does not have an account in
/etc/passwd.  For some reason it is falling though to PAP and saying "No
authenticate method (Auth-Type) configuration found for the request:".

This behavior only started when I tried to implement redundant ldap servers
and in the users file having DEFAULT LDAP Groups for each LDAP module.

If I do not use the redundant LDAP servers and just place both LDAP servers
in the LDAP module like this it works correctly:

server ="server1.somedomain.com, server2.somedomain.com"

Thanks for your help



rad_recv: Access-Request packet from host 127.0.0.1 port 52514, id=166,
length=60
        User-Name = "testuser1"

        User-Password = "testpassword"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser1", looking up realm NULL

[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound

  [ldap-server1] Entering ldap_groupcmp()
[files]         expand: ou=people,o=test <http://isu.edu/>,o=isp ->
ou=people,o=test <http://isu.edu/>,o=isp
[files]         expand: %{Stripped-User-Name} ->
[files]         ... expanding second conditional
[files]         expand: %{User-Name} -> testuser1
[files]         expand: (uid=%{%{Stripped-User-Name}:-
%{User-Name}}) -> (uid=testuser1)

  [ldap-server1] ldap_get_conn: Checking Id: 0
  [ldap-server1] ldap_get_conn: Got Id: 0
  [ldap-server1] attempting LDAP reconnection
  [ldap-server1] (re)connect to
server1.somedomain.com:389<http://frank.isos.isu.edu:389/>,
authentication 0
  [ldap-server1] bind as uid=raduser, ou=people, o=test <http://isu.edu/>,
o=isp/testpassword to server1.somedomain.com:389<http://frank.isos.isu.edu:389/>

  [ldap-server1] waiting for bind result ...
  [ldap-server1] Bind was successful
  [ldap-server1] performing search in ou=people,o=test <http://isu.edu/>,o=isp,
with filter (uid=testuser1)

  [ldap-server1] ldap_release_conn: Release Id: 0
[files]         expand:
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
-> (|(&(objectClass=GroupOfNames)(member=uid\3dtestuser1\2cou\3dpeople\2co\
3dtest <http://3disu.edu/>
\2co\3disp))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestuser1\2cou\3dpeople\2co\
3dtest <http://3disu.edu/>\2co\3disp)))

  [ldap-server1] ldap_get_conn: Checking Id: 0
  [ldap-server1] ldap_get_conn: Got Id: 0
  [ldap-server1] performing search in
cn=DialupFS,ou=Groups,o=test<http://isu.edu/>,o=isp,
with filter
(|(&(objectClass=GroupOfNames)(member=uid\3dtestuser1\2cou\3dpeople\2co\
3dtest <http://3disu.edu/>
\2co\3disp))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestuser1\2cou\3dpeople\2co\
3dtest <http://3disu.edu/>\2co\3disp)))

[ldap-server1] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 166
++[files] returns ok
++- entering policy redundant {...}
[ldap-server1] performing user authorization for testuser1

[ldap-server1]  expand: %{Stripped-User-Name} ->
[ldap-server1]  ... expanding second conditional
[ldap-server1]  expand: %{User-Name} -> testuser1
[ldap-server1]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=testuser1)

[ldap-server1]  expand: ou=people,o=test <http://isu.edu/>,o=isp ->
ou=people,o=test <http://isu.edu/>,o=isp
  [ldap-server1] ldap_get_conn: Checking Id: 0
  [ldap-server1] ldap_get_conn: Got Id: 0
  [ldap-server1] performing search in ou=people,o=test <http://isu.edu/>,o=isp,
with filter (uid=testuser1)

[ldap-server1] looking for check items in directory...
[ldap-server1] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap-server1] user testuser1 authorized to use remote access
  [ldap rlm_ldap::ldap_groupcmp: User found in group
cn=DialupFS,ou=Groups,o=test <http://isu.edu/>,o=isp

 -server1] ldap_release_conn: Release Id: 0
+++[ldap-server1] returns ok
++- policy redundant returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the
request:Rejecting the user

Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> testuser1

 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 166 to 127.0.0.1 port 52514

        Reply-Message = "FS User Authorized"
Waking up in 4.9 seconds.
Cleaning up request 0 ID 166 with timestamp +74
Ready to process requests.


On Thu, Aug 12, 2010 at 1:59 AM, Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:

> Hi,
> > I apologize for the inconvenience of sending the configuration files.  I
> thought sending more detail would help :-).  The below steps you provided
> still didn't work and ended with the same problem.  Again I apologize.
>
> ....radiusd -X ?
>
>
> we cannot help without this information
>
>
> alan
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20100812/23c18ce5/attachment.html>

More information about the Freeradius-Users mailing list