ldap - edirectory authentication

Robert Koskey rkoskey at rockyview.ab.ca
Fri Dec 10 15:54:18 CET 2010


Not too sure. We've looked through all the confs. Where would I look?

robert

Robert Koskey,
Systems and Network Manager

Rocky View Schools
Telephone: 403-945-4080
Cell: 403-988-4640


>>> Gary Gatten <Ggatten at waddell.com> 12/10/2010 7:37 AM >>>

It's a configure flag, no?


From: freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org
[mailto:freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org]
On Behalf Of Robert Koskey
Sent: Friday, December 10, 2010 8:30 AM
To: FreeRadius users mailing list
Subject: Re: ldap - edirectory authentication

 

We really aren't too sure about that. We just installed it from the
media that OpenSuse 11.3 came with. We have noticed the bit about the
--with-edir but even when we downloaded and compiled the FR 2.1.10
(latest) we didn't see how we could install with that option. If you
know, please shed some light.


thanks,

Robert Koskey,
Systems and Network Manager

Rocky View Schools
Telephone: 403-945-4080
Cell: 403-988-4640



>>> Peter Lambrechtsen <plambrechtsen at gmail.com> 12/9/2010 3:48 PM >>>
You may need to comment out the logintime and pap sections, since this
isn't a pap authentication.

It seems like the password is being correctly extracted out of
eDirectory using Universal Password, but are you sure that's properly
configured in the build version of FreeRadius?

On Fri, Dec 10, 2010 at 11:40 AM, Robert Koskey
<rkoskey at rockyview.ab.ca> wrote:

Can anyone help? We are trying to do an LDAP authentication from
Novell's eDirectory to an Aruba controller for wireless access. These
are the errors we are getting.

It used to work perfectly but the original radius server blew up. We
installed a new one with the same configuration and it doesn't work. The
problem areas are bolded.

The problem seems to occur after the ldap authentication. I don't think
we are entirely clear about the order in which the whole process
happens. 

Any help or suggestions would be greatly appreciated.

The setup is:

OpenSuse 11.0
FreeRadius 2.0.5

We have tried:

OpenSuse 11.3
FreeRadius 2.1.9 (same result)

rad_recv: Access-Request packet from host 10.215.10.100 port 34806,
id=218, length=199
User-Name = "jordanhkaltenbruner"
NAS-IP-Address = 10.200.8.30
NAS-Port = 2
NAS-Identifier = "10.215.10.99"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "78CA39B5D3E5"
Called-Station-Id = "000B8661AC58"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x02010018016a6f7264616e686b616c74656e6272756e6572
Aruba-Essid-Name = "SCHS-Student"
Aruba-Location-Id = "SpringbankW2-9"
Message-Authenticator = 0x4542e9b98b5978ca1ca52b7617910620
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "jordanhkaltenbruner", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jordanhkaltenbruner
WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) ->
(uid=jordanhkaltenbruner)
expand: ou=springhigh_lab,o=springhigh ->
ou=springhigh_lab,o=springhigh
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.215.0.3:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as cn=admin,o=springhigh/???? to 10.215.0.3:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=springhigh_lab,o=springhigh, with
filter (uid=jordanhkaltenbruner)
rlm_ldap: Added the eDirectory password 51601222 in check items as
Cleartext-Password
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user jordanhkaltenbruner authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: No clear-text password in the request. Not performing PAP.
++[pap] returns noop
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> jordanhkaltenbruner
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 218 to 10.215.10.100 port 34806
Finished request 0.

Robert Koskey,

Systems and Network Manager

Rocky View Schools

Telephone: 403-945-4080
Cell: 403-988-4640

_____________________________________________________________________________________

This communication is intended for the use of the recipient to which it
is addressed, and may contain confidential, personal, and or privileged
information. Please contact us immediately if you are not the intended
recipient of this communication, and do not copy, distribute, or take
action relying on it. Any communication received in error, or subsequent
reply, should be deleted or destroyed. 


-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html 
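The trace above shows the request carrying an EAP-Message and no User-Password, rlm_ldap pulling the eDirectory Universal Password into the check items as Cleartext-Password, and the server then falling through to "auth: type Local" and rejecting. The script below is an added example, not code from the thread or from the FreeRADIUS project: it parses that 2.x debug output and reports those conditions. It assumes only the line shapes visible in the thread (the attribute dump, "++[module] returns rc", "auth: type X" / "Found Auth-Type = X", "Sending Access-... of id N"). Its first sample is a trimmed copy of the posted trace with the printed password replaced by REDACTED; the second is a constructed trace in which the eap module is listed in authorize, a check that goes beyond the thread's own replies.

```python
"""Triage a FreeRADIUS 2.x 'radiusd -X' trace: why did this request fall
through to 'auth: type Local'?  Added example for this thread, not FreeRADIUS code."""
import re
from dataclasses import dataclass, field

# Line shapes as they appear in the thread's debug output.
ATTR_RE = re.compile(r'^([A-Z][\w-]*)\s*=\s*(.+?)$')            # User-Name = "..."
GROUP_RE = re.compile(r'^\+-\s+entering group\s+(\S+)')         # +- entering group authorize
MODULE_RE = re.compile(r'^\+\+\[([\w.]+)\]\s+returns\s+(\w+)')  # ++[ldap] returns ok
AUTH_TYPE_RE = re.compile(r'^(?:auth:\s+type|Found Auth-Type =)\s+(\S+)')
RESULT_RE = re.compile(r'^Sending (Access-\w+) of id \d+')


@dataclass
class RequestTrace:
    attrs: dict = field(default_factory=dict)     # attributes in the incoming packet
    modules: dict = field(default_factory=dict)   # group name -> [(module, return code)]
    auth_type: str = ''
    result: str = ''
    ldap_cleartext: bool = False                  # rlm_ldap put a directory password in check items


def parse_trace(lines):
    """Walk one request's debug lines and collect what decided its fate."""
    t, group = RequestTrace(), None
    for raw in lines:
        line = raw.strip()
        if m := GROUP_RE.match(line):
            group = m.group(1)
        elif m := MODULE_RE.match(line):
            t.modules.setdefault(group, []).append((m.group(1), m.group(2)))
        elif group is None:                        # still inside the rad_recv attribute dump
            if m := ATTR_RE.match(line):
                t.attrs[m.group(1)] = m.group(2).strip('"')
        elif m := AUTH_TYPE_RE.match(line):
            t.auth_type = m.group(1)
        elif m := RESULT_RE.match(line):
            t.result = m.group(1)
        elif 'in check items as Cleartext-Password' in line:
            t.ldap_cleartext = True
    return t


def diagnose(t):
    """Findings as short strings; an empty list means the trace looked healthy."""
    authz = [name for name, _ in t.modules.get('authorize', [])]
    has_password = any(a in t.attrs for a in ('User-Password', 'CHAP-Password'))
    findings = []
    if 'EAP-Message' in t.attrs and 'eap' not in authz:
        findings.append('EAP-Message present but eap never ran in authorize (ran: %s), so '
                        'Auth-Type is not set to EAP and the server falls back to a password '
                        'check this request cannot pass' % ', '.join(authz))
    if t.result == 'Access-Reject' and t.auth_type in ('', 'Local') and not has_password:
        findings.append('rejected by the built-in Local check: no User-Password or '
                        'CHAP-Password in the request and no module chose an Auth-Type')
    if t.ldap_cleartext:
        findings.append('rlm_ldap placed the directory password in check items as '
                        'Cleartext-Password; radiusd -X prints it, so treat this output as secret')
    return findings


# Sample input: the thread's failing request, trimmed; the password value that the
# original debug output printed in clear is replaced by REDACTED here.
FAILING_TRACE = """\
rad_recv: Access-Request packet from host 10.215.10.100 port 34806, id=218, length=199
User-Name = "jordanhkaltenbruner"
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x02010018016a6f7264616e686b616c74656e6272756e6572
Message-Authenticator = 0x4542e9b98b5978ca1ca52b7617910620
+- entering group authorize
++[preprocess] returns ok
++[suffix] returns noop
rlm_ldap: Added the eDirectory password REDACTED in check items as Cleartext-Password
++[ldap] returns ok
++[logintime] returns noop
++[pap] returns noop
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
+- entering group REJECT
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 218 to 10.215.10.100 port 34806
"""

# Constructed comparison (not from the thread): the same request with eap listed
# in authorize, so the first EAP leg is answered with a challenge instead.
HEALTHY_TRACE = """\
rad_recv: Access-Request packet from host 10.215.10.100 port 34806, id=219, length=199
User-Name = "jordanhkaltenbruner"
EAP-Message = 0x02010018016a6f7264616e686b616c74656e6272756e6572
Message-Authenticator = 0x4542e9b98b5978ca1ca52b7617910620
+- entering group authorize
++[preprocess] returns ok
++[eap] returns updated
++[ldap] returns ok
Found Auth-Type = EAP
+- entering group authenticate
++[eap] returns handled
Sending Access-Challenge of id 219 to 10.215.10.100 port 34806
"""

if __name__ == '__main__':
    for label, trace in (('thread trace', FAILING_TRACE), ('constructed trace', HEALTHY_TRACE)):
        print(label, '->', diagnose(parse_trace(trace.splitlines())) or 'no findings')
```

Run as a script it reports three findings for the posted trace and none for the constructed one. The eap-in-authorize check is the one worth keeping on hand: an Access-Request that carries EAP-Message but no password attribute can only succeed if a module in authorize sets Auth-Type to EAP, and the "++[module] returns" lines show at a glance whether that module ran. The Cleartext-Password finding is a reminder that a debug trace from this configuration contains the user's directory password verbatim, which is why redacting it before pasting to a list or ticket matters.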

"This email is intended to be reviewed by only the intended recipient
and may contain information that is privileged and/or confidential. If
you are not the intended recipient, you are hereby notified that any
review, use, dissemination, disclosure or copying of this email and its
attachments, if any, is strictly prohibited. If you have received this
email in error, please immediately notify the sender by return email and
delete this email from your system." 