When to ldap?

Dean, Barry B.Dean at liverpool.ac.uk
Thu May 13 12:31:13 CEST 2010


On 13 May 2010, at 10:15, Alan DeKok wrote:

> Dean, Barry wrote:
> ...
>>  [ldap] performing search in OU=UOL,DC=adserer,DC=liv,DC=ac,DC=uk, with filter (sAMAccountName=user)
>> [ldap] looking for check items in directory...
>> [ldap] looking for reply items in directory...
>> WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
> 
>  I mean, really... what's the issue?

The issue is that the self same configuration in FreeRADIUS 2.0.2 works! But with 2.1.8 it fails.

The difference in the debug output is:

++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type ldap
auth: type "LDAP"
+- entering group LDAP
rlm_ldap: - authenticate

In FR 2.0.2 this "rad_check_password" is causing LDAP authentication, whereas in FR 2.1.8 the same section of debug output says:

++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.

> ...
>> [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
> 
>  That should be a hint.

True. My problem was why LDAP was not being attempted for this basic request. No EAP, just a username and a password, which works just fine with FR 2.0.2.

In fact with 2.0.2 either:

	if (!EAP-Message) {
		ldap
	}

or

	ldap

works in the authorize section, as the non-EAP request calls ldap either way.

With FR 2.1.8, both fail. They follow the same path and produce the "No authentication method ..." error.

All the complex EAP/TTLS/PEAP/MSCHAP etc stuff is working with FR 2.1.8 with my config, just the simple stuff is broken.

Maybe my question should have been:

"FR 2.0.2 reports 'rad_check_password: Found Auth-Type ldap' then goes on to authenticate a user against LDAP, whereas FR 2.1.8 reports that there is no Auth-Type set and does not attempt LDAP authentication."


Complete output for working one:

rad_recv: Access-Request packet from host 192.168.0.10 port 33158, id=66, length=49
        User-Name = "user"
        User-Password = "password"
        NAS-IP-Address = 192.168.0.10
server radius {
+- entering group authorize
++[preprocess] returns ok
        expand: /log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /log/radacct/192.168.0.10/auth-detail-20100513
rlm_detail: /log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /log/radacct/192.168.0.10/auth-detail-20100513
        expand: %t -> Thu May 13 10:46:02 2010
++[auth_log] returns ok
++? if ("%{User-Name}" =~ /forbidden/i)
        expand: %{User-Name} -> user
? Evaluating ("%{User-Name}" =~ /forbidden/i) -> FALSE
++? if ("%{User-Name}" =~ /forbidden/i) -> FALSE
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "user", looking up realm NULL
    rlm_realm: Found realm "NULL"
    rlm_realm: Adding Stripped-User-Name = "user"
    rlm_realm: Proxying request from user user to realm NULL
    rlm_realm: Adding Realm = "NULL"
    rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap-eduroam] returns noop
    users: Matched entry user at line 203
++[files] returns ok
++? if (!EAP-Message)
? Evaluating !(EAP-Message) -> FALSE
++? if (!EAP-Message) -> TRUE
++- entering if (!EAP-Message)
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user
        expand: %{Stripped-User-Name} -> user
        expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=user)
        expand: OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk -> OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to adserver.liv.ac.uk:389, authentication 0
rlm_ldap: bind as CN=radius-account,OU=Service Accounts,OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk/special-password to adserver.liv.ac.uk:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk, with filter (sAMAccountName=user)
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type ldap
auth: type "LDAP"
+- entering group LDAP
rlm_ldap: - authenticate
rlm_ldap: login attempt by "user" with password "password"
rlm_ldap: user DN: CN=User\, Test,OU=users,OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk
rlm_ldap: (re)connect to adserver.liv.ac.uk:389, authentication 1
rlm_ldap: bind as CN=User\, Test,OU=users,OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk/password to adserveradserver.liv.ac.uk:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user user authenticated succesfully
++[ldap] returns ok
Login OK: [user/password] (from client EZProxy port 0)
+- entering group post-auth
        expand: /log/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /log/radacct/192.168.0.10/reply-detail-20100513
rlm_detail: /log/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /log/radacct/192.168.0.10/reply-detail-20100513
        expand: %t -> Thu May 13 10:46:02 2010
++[reply_log] returns ok
} # server radius
Finished request 0.
Going to the next request
Waking up in 0.9 seconds. 
Waking up in 4.0 seconds. 
Cleaning up request 0 ID 66 with timestamp +34
Ready to process requests.

----------------------
Barry Dean
Principal Programmer/Analyst
Networks Group
Computing Services Department
Tel: 0151 795 9540
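The explicit form of what the 2.0.2 debug output above shows rlm_ldap doing implicitly ("rlm_ldap: Setting Auth-Type = ldap"), as an added example that is not part of the original post or of the FreeRADIUS distribution: a 2.x unlang authorize section that sets Auth-Type to LDAP itself for a plain User-Password request after a successful ldap lookup, together with the authenticate sub-section that Auth-Type selects. The module order is taken from the debug output (the forbidden-name regex check is left out because its body is not shown); it assumes the ldap module instance is named `ldap` and that an `Auth-Type LDAP` group exists, as the "+- entering group LDAP" line suggests it does on the poster's server. The condition syntax is the 2.x existence-check style the post's own `if (!EAP-Message)` uses. Whether this is the right fix for the 2.0.2 to 2.1.8 difference is not something the post establishes.

```unlang
authorize {
	preprocess
	auth_log
	chap
	mschap
	suffix
	eap-eduroam
	files

	#  Non-EAP request: do the directory lookup, then make the
	#  authentication method explicit instead of relying on
	#  rlm_ldap to set it when no "known good" password exists.
	#  (Assumed instance name: ldap.)
	if (!EAP-Message) {
		ldap
		if (ok && User-Password && !control:Auth-Type) {
			update control {
				Auth-Type := LDAP
			}
		}
	}

	expiration
	logintime
	pap
}

authenticate {
	#  Selected by Auth-Type := LDAP; rlm_ldap binds to the
	#  directory as the user's DN with the supplied User-Password.
	Auth-Type LDAP {
		ldap
	}
}
```

With this, nothing after the lookup is left to module defaults: if ldap returned ok, the request carried a User-Password and no check item had already chosen an Auth-Type, the control list gets Auth-Type := LDAP and the authenticate section runs the rlm_ldap user bind. One caveat visible in the log above: a debug run prints the service-account bind credentials and the user's password in cleartext (the "bind as ... /special-password" and "Login OK: [user/password]" lines), so such output should be redacted before it is pasted into a ticket or a mailing list.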

