FreeRadius and Redundant LDAP Problems
Kory Wheatley
wheakory at gmail.com
Fri Aug 13 23:45:00 CEST 2010
Per your suggestions from the last email, I checked, and the step:
Un-comment the "unix" entry from the "authorize" section of
raddb/sites-available/default
was un-commented, and below is the output from trying to authenticate a user
that is a member of the DialupFS group and does not have an account in
/etc/passwd. For some reason it is falling through to PAP and saying "No
authenticate method (Auth-Type) configuration found for the request:".
This behavior only started when I tried to implement redundant LDAP servers
and having DEFAULT LDAP Group entries in the users file for each LDAP module.
If I do not use the redundant LDAP servers and just place both LDAP servers
in the LDAP module like this, it works correctly:
server = "server1.somedomain.com, server2.somedomain.com"
Thanks for your help
rad_recv: Access-Request packet from host 127.0.0.1 port 52514, id=166,
length=60
User-Name = "testuser1"
User-Password = "testpassword"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[ldap-server1] Entering ldap_groupcmp()
[files] expand: ou=people,o=test,o=isp -> ou=people,o=test,o=isp
[files] expand: %{Stripped-User-Name} ->
[files] ... expanding second conditional
[files] expand: %{User-Name} -> testuser1
[files] expand: (uid=%{%{Stripped-User-Name}:-
%{User-Name}}) -> (uid=testuser1)
[ldap-server1] ldap_get_conn: Checking Id: 0
[ldap-server1] ldap_get_conn: Got Id: 0
[ldap-server1] attempting LDAP reconnection
[ldap-server1] (re)connect to server1.somedomain.com:389, authentication 0
[ldap-server1] bind as uid=raduser, ou=people, o=test, o=isp/testpassword to server1.somedomain.com:389
[ldap-server1] waiting for bind result ...
[ldap-server1] Bind was successful
[ldap-server1] performing search in ou=people,o=test,o=isp, with filter (uid=testuser1)
[ldap-server1] ldap_release_conn: Release Id: 0
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=uid\3dtestuser1\2cou\3dpeople\2co\3dtest\2co\3disp))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestuser1\2cou\3dpeople\2co\3dtest\2co\3disp)))
[ldap-server1] ldap_get_conn: Checking Id: 0
[ldap-server1] ldap_get_conn: Got Id: 0
[ldap-server1] performing search in cn=DialupFS,ou=Groups,o=test,o=isp, with filter (|(&(objectClass=GroupOfNames)(member=uid\3dtestuser1\2cou\3dpeople\2co\3dtest\2co\3disp))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestuser1\2cou\3dpeople\2co\3dtest\2co\3disp)))
[ldap-server1] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 166
++[files] returns ok
++- entering policy redundant {...}
[ldap-server1] performing user authorization for testuser1
[ldap-server1] expand: %{Stripped-User-Name} ->
[ldap-server1] ... expanding second conditional
[ldap-server1] expand: %{User-Name} -> testuser1
[ldap-server1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=testuser1)
[ldap-server1] expand: ou=people,o=test,o=isp -> ou=people,o=test,o=isp
[ldap-server1] ldap_get_conn: Checking Id: 0
[ldap-server1] ldap_get_conn: Got Id: 0
[ldap-server1] performing search in ou=people,o=test,o=isp, with filter (uid=testuser1)
[ldap-server1] looking for check items in directory...
[ldap-server1] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the
user is configured correctly?
[ldap-server1] user testuser1 authorized to use remote access
rlm_ldap::ldap_groupcmp: User found in group cn=DialupFS,ou=Groups,o=test,o=isp
[ldap-server1] ldap_release_conn: Release Id: 0
+++[ldap-server1] returns ok
++- policy redundant returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> testuser1
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 166 to 127.0.0.1 port 52514
Reply-Message = "FS User Authorized"
Waking up in 4.9 seconds.
Cleaning up request 0 ID 166 with timestamp +74
Ready to process requests.
On Thu, Aug 12, 2010 at 1:59 AM, Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
> Hi,
> > I apologize for the inconvenience of sending the configuration files. I
> > thought sending more detail would help :-). The below steps you provided
> > still didn't work and ended with the same problem. Again I apologize.
>
> ....radiusd -X ?
>
>
> we cannot help without this information
>
>
> alan
>
>
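As an added example (written by the editor of this page, not configuration taken from this thread or from the FreeRADIUS project), here is how the setup described in the post fits together in a FreeRADIUS 2.x raddb: two named ldap instances, DEFAULT entries in users keyed on each instance's own <instance>-Ldap-Group check attribute, an inline redundant block in authorize, and an authenticate section with one Auth-Type sub-section per instance. The host names, the bind DN and the DialupFS group are modelled on the debug output above; the password placeholder, the timeouts and the closing Reject entry are assumptions. The point of the authenticate section, and the first thing to check when radiusd -X ends with "No authenticate method (Auth-Type) configuration found", is that rlm_ldap with set_auth_type = yes sets Auth-Type to its own instance name (ldap-server1, not LDAP), so a sub-section of that exact name has to exist for each instance.

```text
# raddb/modules/ldap  (FreeRADIUS 2.x; values marked CHANGE-ME are assumptions)
ldap ldap-server1 {
	server = "server1.somedomain.com"
	identity = "uid=raduser,ou=people,o=test,o=isp"
	password = "CHANGE-ME"
	basedn = "ou=people,o=test,o=isp"
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	groupname_attribute = cn
	# Short network timeout so a dead server1 fails over quickly instead of
	# stalling every request (assumed values).
	timeout = 4
	timelimit = 3
	net_timeout = 1
	# Auth-Type is set to the instance name "ldap-server1" when no known
	# good password comes back from the directory.
	set_auth_type = yes
}

ldap ldap-server2 {
	server = "server2.somedomain.com"
	identity = "uid=raduser,ou=people,o=test,o=isp"
	password = "CHANGE-ME"
	basedn = "ou=people,o=test,o=isp"
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	groupname_attribute = cn
	timeout = 4
	timelimit = 3
	net_timeout = 1
	set_auth_type = yes
}

# raddb/users
# Each named instance registers its own <instance>-Ldap-Group attribute.
# If server1 is unreachable the first check fails to match and the second
# DEFAULT is tried against server2; users in neither group are rejected.
DEFAULT	ldap-server1-Ldap-Group == "DialupFS"
	Reply-Message = "FS User Authorized"

DEFAULT	ldap-server2-Ldap-Group == "DialupFS"
	Reply-Message = "FS User Authorized"

DEFAULT	Auth-Type := Reject
	Reply-Message = "Not a DialupFS member"

# raddb/sites-available/default (relevant sections only)
authorize {
	preprocess
	chap
	mschap
	suffix
	eap
	unix
	files
	redundant {
		ldap-server1
		ldap-server2
	}
	expiration
	logintime
	pap
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	unix
	# One section per instance: the Auth-Type value each instance sets is
	# its own name, so a lone "Auth-Type LDAP { ldap }" is never selected.
	Auth-Type ldap-server1 {
		ldap-server1
	}
	Auth-Type ldap-server2 {
		ldap-server2
	}
	eap
}
```

To exercise both paths, start the server with radiusd -X, send a request with radtest testuser1 testpassword 127.0.0.1 0 testing123 (testing123 being the stock localhost secret in clients.conf), then make server1 unreachable and send it again: the ldap-server1 group check should fail quickly because of net_timeout, the second DEFAULT entry should match against ldap-server2, and the authenticate section should be entered under Auth-Type ldap-server2.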