FreeRadius - LDAP
Massimiliano Tommasi
m.tommasi at purplesrl.com
Wed Jul 20 18:23:11 CEST 2011
As you can see, there is a try with PAP after LDAP.
Is there something I have to modify, in your opinion?
Thanks,
Max
Wed Jul 20 13:35:25 2011 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Wed Jul 20 13:35:25 2011 : Info: ++[ldap] returns ok
Wed Jul 20 13:35:25 2011 : Info: ++[expiration] returns noop
Wed Jul 20 13:35:25 2011 : Info: ++[logintime] returns noop
Wed Jul 20 13:35:25 2011 : Info: ++[pap] returns updated
Wed Jul 20 13:35:25 2011 : Info: Found Auth-Type = PAP
Wed Jul 20 13:35:25 2011 : Info: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Wed Jul 20 13:35:25 2011 : Info: !!! Replacing User-Password in config items with Cleartext-Password. !!!
Wed Jul 20 13:35:25 2011 : Info: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Wed Jul 20 13:35:25 2011 : Info: !!! Please update your configuration so that the "known good" !!!
Wed Jul 20 13:35:25 2011 : Info: !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
Wed Jul 20 13:35:25 2011 : Info: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Wed Jul 20 13:35:25 2011 : Info: +- entering group PAP {...}
Wed Jul 20 13:35:25 2011 : Info: [pap] login attempt with password "121212"
Wed Jul 20 13:35:25 2011 : Info: [pap] Using clear text password "121212 "
Wed Jul 20 13:35:25 2011 : Info: [pap] Passwords don't match
Wed Jul 20 13:35:25 2011 : Info: ++[pap] returns reject
Wed Jul 20 13:35:25 2011 : Info: Failed to authenticate the user.
Wed Jul 20 13:35:25 2011 : Info: Using Post-Auth-Type Reject
Wed Jul 20 13:35:25 2011 : Info: +- entering group REJECT {...}
Wed Jul 20 13:35:25 2011 : Info: [attr_filter.access_reject] expand: %{User-Name} -> ldapuser
Wed Jul 20 13:35:25 2011 : Debug: attr_filter: Matched entry DEFAULT at line 11
Wed Jul 20 13:35:25 2011 : Info: ++[attr_filter.access_reject] returns updated
Wed Jul 20 13:35:25 2011 : Info: Delaying reject of request 0 for 1 seconds
Wed Jul 20 13:35:25 2011 : Debug: Going to the next request
Wed Jul 20 13:35:25 2011 : Debug: Waking up in 0.7 seconds.
Wed Jul 20 13:35:26 2011 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 64 to 127.0.0.1 port 44404
On 20/07/11 18.07, up at 3.am wrote:
>
> You're using LDAP with POSIX type users, including shadow passwords. I'm pretty
> sure this means you cannot use CHAP on the client end, but must use PAP. Somebody
> can correct me if I'm wrong about this.
>
> While they are at it, maybe they can let me know how to get FreeRADIUS to respect
> the shadow password aging attributes. :-/
>
>> On 20/07/11 10.19, Fajar A. Nugraha-2 [via FreeRadius] wrote:
>>> On Wed, Jul 20, 2011 at 3:07 PM, m4xmr <[hidden email]> wrote:
>>>> Hello,
>>>> I'm trying to get LDAP working as an authentication backend for RADIUS.
>>>> I verified that the data are right and the query to LDAP is properly
>>>> working if I use ldapsearch.
>>>
>>> does LDAP BIND work correctly using ldapsearch (i.e. ldapsearch -D)
>>
>> I tried: ldapsearch -x -b "dc=example,dc=com" "uid=ldapuser"
>> and it works fine:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=example,dc=com> with scope subtree
>> # filter: uid=ldapuser
>> # requesting: ALL
>> #
>>
>> # ldapuser, People, example.com
>> dn: uid=ldapuser,ou=People,dc=example,dc=com
>> uid: ldapuser
>> cn: ldapuser
>> objectClass: account
>> objectClass: posixAccount
>> objectClass: top
>> objectClass: shadowAccount
>> userPassword:: MTIxMjEyIA==
>> shadowLastChange: 15174
>> shadowMin: 0
>> shadowMax: 99999
>> shadowWarning: 7
>> loginShell: /bin/bash
>> uidNumber: 500
>> gidNumber: 100
>> homeDirectory: /home/ldapuser
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>>>
>>>> rad_recv: Access-Request packet from host 127.0.0.1:59221, id=78, length=60
>>>> User-Name = "ldapuser"
>>>> User-Password = "121212"
>>>
>>>> rlm_ldap: Setting Auth-Type = ldap
>>>
>>> Hmmm ... that's odd. I thought rlm_ldap was supposed to just grab
>>> attributes (e.g. Cleartext-Password) and not set the Auth-Type? Are
>>> you doing anything special like forcing Auth-Type := LDAP?
>>
>> I was following a tutorial, this one:
>>
>> http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS
>>>
>>>> rlm_ldap: user ldapuser authorized to use remote access
>>>
>>> this line says there's a user called ldapuser
>>>
>>>> rlm_ldap: - authenticate
>>>> rlm_ldap: login attempt by "ldapuser" with password "121212"
>>>> rlm_ldap: user DN: uid=ldapuser,ou=People,dc=example,dc=com
>>>> rlm_ldap: (re)connect to localhost:389, authentication 1
>>>> rlm_ldap: bind as uid=ldapuser,ou=People,dc=example,dc=com/121212 to
>>>> localhost:389
>>>> rlm_ldap: waiting for bind result ...
>>>> rlm_ldap: Bind failed with invalid credentials
>>>
>>> ... while this one says the bind failed. Is the password correct?
>>
>> I configured that password... it could be some hashing problem, maybe.
>>
>> Anyway, I have upgraded to FreeRADIUS Version 2.1.7;
>> this is the output of radiusd -X:
>>
>> radiusd -X
>> FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on Mar 31 2010 at 00:25:31
>> Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
>> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
>> PARTICULAR PURPOSE.
>> You may redistribute copies of FreeRADIUS under the terms of the
>> GNU General Public License v2.
>> Starting - reading configuration files ...
>> including configuration file /etc/raddb/radiusd.conf
>> including configuration file /etc/raddb/proxy.conf
>> including configuration file /etc/raddb/clients.conf
>> including files in directory /etc/raddb/modules/
>> including configuration file /etc/raddb/modules/digest
>> including configuration file /etc/raddb/modules/exec
>> including configuration file /etc/raddb/modules/cui
>> including configuration file /etc/raddb/modules/realm
>> including configuration file /etc/raddb/modules/attr_rewrite
>> including configuration file /etc/raddb/modules/radutmp
>> including configuration file /etc/raddb/modules/sradutmp
>> including configuration file /etc/raddb/modules/detail.example.com
>> including configuration file /etc/raddb/modules/linelog
>> including configuration file /etc/raddb/modules/smsotp
>> including configuration file /etc/raddb/modules/ippool
>> including configuration file /etc/raddb/modules/wimax
>> including configuration file /etc/raddb/modules/detail
>> including configuration file /etc/raddb/modules/inner-eap
>> including configuration file /etc/raddb/modules/passwd
>> including configuration file /etc/raddb/modules/mschap
>> including configuration file /etc/raddb/modules/files
>> including configuration file /etc/raddb/modules/smbpasswd
>> including configuration file /etc/raddb/modules/ldap
>> including configuration file /etc/raddb/modules/etc_group
>> including configuration file /etc/raddb/modules/always
>> including configuration file /etc/raddb/modules/counter
>> including configuration file /etc/raddb/modules/echo
>> including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
>> including configuration file /etc/raddb/modules/checkval
>> including configuration file /etc/raddb/modules/sql_log
>> including configuration file /etc/raddb/modules/pam
>> including configuration file /etc/raddb/modules/mac2vlan
>> including configuration file /etc/raddb/modules/chap
>> including configuration file /etc/raddb/modules/pap
>> including configuration file /etc/raddb/modules/mac2ip
>> including configuration file /etc/raddb/modules/otp
>> including configuration file /etc/raddb/modules/unix
>> including configuration file /etc/raddb/modules/policy
>> including configuration file /etc/raddb/modules/detail.log
>> including configuration file /etc/raddb/modules/attr_filter
>> including configuration file /etc/raddb/modules/acct_unique
>> including configuration file /etc/raddb/modules/expr
>> including configuration file /etc/raddb/modules/expiration
>> including configuration file /etc/raddb/modules/logintime
>> including configuration file /etc/raddb/modules/perl
>> including configuration file /etc/raddb/modules/preprocess
>> including configuration file /etc/raddb/eap.conf
>> including configuration file /etc/raddb/policy.conf
>> including files in directory /etc/raddb/sites-enabled/
>> including configuration file /etc/raddb/sites-enabled/default
>> including configuration file /etc/raddb/sites-enabled/inner-tunnel
>> including configuration file /etc/raddb/sites-enabled/control-socket
>> group = radiusd
>> user = radiusd
>> including dictionary file /etc/raddb/dictionary
>> main {
>> prefix = "/usr"
>> localstatedir = "/var"
>> logdir = "/var/log/radius"
>> libdir = "/usr/lib/freeradius"
>> radacctdir = "/var/log/radius/radacct"
>> hostname_lookups = no
>> max_request_time = 30
>> cleanup_delay = 5
>> max_requests = 1024
>> allow_core_dumps = no
>> pidfile = "/var/run/radiusd/radiusd.pid"
>> checkrad = "/usr/sbin/checkrad"
>> debug_level = 0
>> proxy_requests = yes
>> log {
>> stripped_names = no
>> auth = no
>> auth_badpass = no
>> auth_goodpass = no
>> }
>> security {
>> max_attributes = 200
>> reject_delay = 1
>> status_server = yes
>> }
>> }
>> radiusd: #### Loading Realms and Home Servers ####
>> proxy server {
>> retry_delay = 5
>> retry_count = 3
>> default_fallback = no
>> dead_time = 120
>> wake_all_if_all_dead = no
>> }
>> home_server localhost {
>> ipaddr = 127.0.0.1
>> port = 1812
>> type = "auth"
>> secret = "testing123"
>> response_window = 20
>> max_outstanding = 65536
>> require_message_authenticator = no
>> zombie_period = 40
>> status_check = "status-server"
>> ping_interval = 30
>> check_interval = 30
>> num_answers_to_alive = 3
>> num_pings_to_alive = 3
>> revive_interval = 120
>> status_check_timeout = 4
>> irt = 2
>> mrt = 16
>> mrc = 5
>> mrd = 30
>> }
>> home_server_pool my_auth_failover {
>> type = fail-over
>> home_server = localhost
>> }
>> realm example.com {
>> auth_pool = my_auth_failover
>> }
>> realm LOCAL {
>> }
>> radiusd: #### Loading Clients ####
>> client localhost {
>> ipaddr = 127.0.0.1
>> require_message_authenticator = no
>> secret = "testing123"
>> nastype = "other"
>> }
>> radiusd: #### Instantiating modules ####
>> instantiate {
>> Module: Linked to module rlm_exec
>> Module: Instantiating exec
>> exec {
>> wait = no
>> input_pairs = "request"
>> shell_escape = yes
>> }
>> Module: Linked to module rlm_expr
>> Module: Instantiating expr
>> Module: Linked to module rlm_expiration
>> Module: Instantiating expiration
>> expiration {
>> reply-message = "Password Has Expired "
>> }
>> Module: Linked to module rlm_logintime
>> Module: Instantiating logintime
>> logintime {
>> reply-message = "You are calling outside your allowed timespan "
>> minimum-timeout = 60
>> }
>> }
>> radiusd: #### Loading Virtual Servers ####
>> server inner-tunnel {
>> modules {
>> Module: Checking authenticate {...} for more modules to load
>> Module: Linked to module rlm_pap
>> Module: Instantiating pap
>> pap {
>> encryption_scheme = "auto"
>> auto_header = no
>> }
>> Module: Linked to module rlm_chap
>> Module: Instantiating chap
>> Module: Linked to module rlm_mschap
>> Module: Instantiating mschap
>> mschap {
>> use_mppe = yes
>> require_encryption = no
>> require_strong = no
>> with_ntdomain_hack = no
>> }
>> Module: Linked to module rlm_unix
>> Module: Instantiating unix
>> unix {
>> radwtmp = "/var/log/radius/radwtmp"
>> }
>> Module: Linked to module rlm_eap
>> Module: Instantiating eap
>> eap {
>> default_eap_type = "md5"
>> timer_expire = 60
>> ignore_unknown_eap_types = no
>> cisco_accounting_username_bug = no
>> max_sessions = 2048
>> }
>> Module: Linked to sub-module rlm_eap_md5
>> Module: Instantiating eap-md5
>> Module: Linked to sub-module rlm_eap_leap
>> Module: Instantiating eap-leap
>> Module: Linked to sub-module rlm_eap_gtc
>> Module: Instantiating eap-gtc
>> gtc {
>> challenge = "Password: "
>> auth_type = "PAP"
>> }
>> Module: Linked to sub-module rlm_eap_tls
>> Module: Instantiating eap-tls
>> tls {
>> rsa_key_exchange = no
>> dh_key_exchange = yes
>> rsa_key_length = 512
>> dh_key_length = 512
>> verify_depth = 0
>> pem_file_type = yes
>> private_key_file = "/etc/raddb/certs/server.pem"
>> certificate_file = "/etc/raddb/certs/server.pem"
>> CA_file = "/etc/raddb/certs/ca.pem"
>> private_key_password = "whatever"
>> dh_file = "/etc/raddb/certs/dh"
>> random_file = "/etc/raddb/certs/random"
>> fragment_size = 1024
>> include_length = yes
>> check_crl = no
>> cipher_list = "DEFAULT"
>> make_cert_command = "/etc/raddb/certs/bootstrap"
>> cache {
>> enable = no
>> lifetime = 24
>> max_entries = 255
>> }
>> }
>> Module: Linked to sub-module rlm_eap_ttls
>> Module: Instantiating eap-ttls
>> ttls {
>> default_eap_type = "md5"
>> copy_request_to_tunnel = no
>> use_tunneled_reply = no
>> virtual_server = "inner-tunnel"
>> include_length = yes
>> }
>> Module: Linked to sub-module rlm_eap_peap
>> Module: Instantiating eap-peap
>> peap {
>> default_eap_type = "mschapv2"
>> copy_request_to_tunnel = no
>> use_tunneled_reply = no
>> proxy_tunneled_request_as_eap = yes
>> virtual_server = "inner-tunnel"
>> }
>> Module: Linked to sub-module rlm_eap_mschapv2
>> Module: Instantiating eap-mschapv2
>> mschapv2 {
>> with_ntdomain_hack = no
>> }
>> Module: Checking authorize {...} for more modules to load
>> Module: Linked to module rlm_realm
>> Module: Instantiating suffix
>> realm suffix {
>> format = "suffix"
>> delimiter = "@"
>> ignore_default = no
>> ignore_null = no
>> }
>> Module: Linked to module rlm_files
>> Module: Instantiating files
>> files {
>> usersfile = "/etc/raddb/users"
>> acctusersfile = "/etc/raddb/acct_users"
>> preproxy_usersfile = "/etc/raddb/preproxy_users"
>> compat = "no"
>> }
>> Module: Checking session {...} for more modules to load
>> Module: Linked to module rlm_radutmp
>> Module: Instantiating radutmp
>> radutmp {
>> filename = "/var/log/radius/radutmp"
>> username = "%{User-Name}"
>> case_sensitive = yes
>> check_with_nas = yes
>> perm = 384
>> callerid = yes
>> }
>> Module: Checking post-proxy {...} for more modules to load
>> Module: Checking post-auth {...} for more modules to load
>> Module: Linked to module rlm_attr_filter
>> Module: Instantiating attr_filter.access_reject
>> attr_filter attr_filter.access_reject {
>> attrsfile = "/etc/raddb/attrs.access_reject"
>> key = "%{User-Name}"
>> }
>> } # modules
>> } # server
>> server {
>> modules {
>> Module: Checking authenticate {...} for more modules to load
>> Module: Linked to module rlm_ldap
>> Module: Instantiating ldap
>> ldap {
>> server = "localhost"
>> port = 389
>> password = ""
>> identity = ""
>> net_timeout = 1
>> timeout = 4
>> timelimit = 3
>> tls_mode = no
>> start_tls = no
>> tls_require_cert = "allow"
>> tls {
>> start_tls = no
>> require_cert = "allow"
>> }
>> basedn = "dc=example,dc=com"
>> filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>> base_filter = "(objectclass=radiusprofile)"
>> auto_header = no
>> access_attr_used_for_allow = yes
>> groupname_attribute = "cn"
>> groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>> dictionary_mapping = "/etc/raddb/ldap.attrmap"
>> ldap_debug = 0
>> ldap_connections_number = 5
>> compare_check_items = no
>> do_xlat = yes
>> set_auth_type = yes
>> }
>> rlm_ldap: Registering ldap_groupcmp for Ldap-Group
>> rlm_ldap: Registering ldap_xlat with xlat_name ldap
>> rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
>> rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
>> rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
>> rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
>> rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
>> rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
>> rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
>> rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
>> rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
>> rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
>> rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
>> rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
>> rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
>> rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
>> rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
>> rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
>> rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
>> rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
>> rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
>> rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
>> rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
>> rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
>> rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
>> rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
>> rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
>> rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
>> rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
>> rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
>> rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
>> rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
>> rlm_ldap: LDAP radiusClass mapped to RADIUS Class
>> rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
>> rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
>> rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
>> rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
>> rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
>> rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
>> rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
>> rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
>> rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
>> rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
>> rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
>> rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
>> rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
>> rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
>> rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
>> conns: 0x89d0250
>> Module: Checking authorize {...} for more modules to load
>> Module: Linked to module rlm_preprocess
>> Module: Instantiating preprocess
>> preprocess {
>> huntgroups = "/etc/raddb/huntgroups"
>> hints = "/etc/raddb/hints"
>> with_ascend_hack = no
>> ascend_channels_per_line = 23
>> with_ntdomain_hack = no
>> with_specialix_jetstream_hack = no
>> with_cisco_vsa_hack = no
>> with_alvarion_vsa_hack = no
>> }
>> Module: Checking preacct {...} for more modules to load
>> Module: Linked to module rlm_acct_unique
>> Module: Instantiating acct_unique
>> acct_unique {
>> key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
>> }
>> Module: Checking accounting {...} for more modules to load
>> Module: Linked to module rlm_detail
>> Module: Instantiating detail
>> detail {
>> detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
>> header = "%t"
>> detailperm = 384
>> dirperm = 493
>> locking = no
>> log_packet_header = no
>> }
>> Module: Instantiating attr_filter.accounting_response
>> attr_filter attr_filter.accounting_response {
>> attrsfile = "/etc/raddb/attrs.accounting_response"
>> key = "%{User-Name}"
>> }
>> Module: Checking session {...} for more modules to load
>> Module: Checking post-proxy {...} for more modules to load
>> Module: Checking post-auth {...} for more modules to load
>> } # modules
>> } # server
>> radiusd: #### Opening IP addresses and Ports ####
>> listen {
>> type = "auth"
>> ipaddr = *
>> port = 0
>> }
>> listen {
>> type = "acct"
>> ipaddr = *
>> port = 0
>> }
>> listen {
>> type = "control"
>> listen {
>> socket = "/var/run/radiusd/radiusd.sock"
>> }
>> }
>> Listening on authentication address * port 1812
>> Listening on accounting address * port 1813
>> Listening on command file /var/run/radiusd/radiusd.sock
>> Listening on proxy address * port 1814
>> Ready to process requests.
>>
>> --->
>>
>> NOW, when I try the auth:
>> radtest ldapuser 121212 localhost 2 testing123
>>
>> I get this output on the client side
>>
>> Sending Access-Request of id 207 to 127.0.0.1 port 1812
>> User-Name = "ldapuser"
>> User-Password = "MTIxMjEyIA=="
>> NAS-IP-Address = 127.0.0.1
>> NAS-Port = 2
>> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=207, length=20
>>
>> AND this one on the radius server side:
>>
>> rad_recv: Access-Request packet from host 127.0.0.1 port 36725, id=207, length=60
>> User-Name = "ldapuser"
>> User-Password = "MTIxMjEyIA=="
>> NAS-IP-Address = 127.0.0.1
>> NAS-Port = 2
>> +- entering group authorize {...}
>> ++[preprocess] returns ok
>> ++[chap] returns noop
>> ++[mschap] returns noop
>> [suffix] No '@' in User-Name = "ldapuser", looking up realm NULL
>> [suffix] No such realm "NULL"
>> ++[suffix] returns noop
>> [eap] No EAP-Message, not doing EAP
>> ++[eap] returns noop
>> ++[unix] returns notfound
>> ++[files] returns noop
>> [ldap] performing user authorization for ldapuser
>> [ldap] expand: %{Stripped-User-Name} ->
>> [ldap] expand: %{User-Name} -> ldapuser
>> [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=ldapuser)
>> [ldap] expand: dc=example,dc=com -> dc=example,dc=com
>> rlm_ldap: ldap_get_conn: Checking Id: 0
>> rlm_ldap: ldap_get_conn: Got Id: 0
>> rlm_ldap: attempting LDAP reconnection
>> rlm_ldap: (re)connect to localhost:389, authentication 0
>> rlm_ldap: bind as / to localhost:389
>> rlm_ldap: waiting for bind result ...
>> rlm_ldap: Bind was successful
>> rlm_ldap: performing search in dc=example,dc=com, with filter (uid=ldapuser)
>> [ldap] looking for check items in directory...
>> [ldap] looking for reply items in directory...
>> WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
>> [ldap] Setting Auth-Type = LDAP
>> [ldap] user ldapuser authorized to use remote access
>> rlm_ldap: ldap_release_conn: Release Id: 0
>> ++[ldap] returns ok
>> ++[expiration] returns noop
>> ++[logintime] returns noop
>> [pap] WARNING! No "known good" password found for the user.
>> Authentication may fail because of this.
>> ++[pap] returns noop
>> Found Auth-Type = LDAP
>> +- entering group LDAP {...}
>> [ldap] login attempt by "ldapuser" with password "MTIxMjEyIA=="
>> [ldap] user DN: uid=ldapuser,ou=People,dc=example,dc=com
>> rlm_ldap: (re)connect to localhost:389, authentication 1
>> rlm_ldap: bind as uid=ldapuser,ou=People,dc=example,dc=com/MTIxMjEyIA== to localhost:389
>> rlm_ldap: waiting for bind result ...
>> rlm_ldap: Bind failed with invalid credentials
>> ++[ldap] returns reject
>> Failed to authenticate the user.
>> Using Post-Auth-Type Reject
>> +- entering group REJECT {...}
>> [attr_filter.access_reject] expand: %{User-Name} -> ldapuser
>> attr_filter: Matched entry DEFAULT at line 11
>> ++[attr_filter.access_reject] returns updated
>> Delaying reject of request 0 for 1 seconds
>> Going to the next request
>> Waking up in 0.5 seconds.
>> Sending delayed reject for request 0
>> Sending Access-Reject of id 207 to 127.0.0.1 port 36725
>> Waking up in 4.9 seconds.
>> Cleaning up request 0 ID 207 with timestamp +1224
>> Ready to process requests.
>>
>> Do you have any idea?
>> Am I missing something?
>>
>>
>> Regards,
>> Max
>>
>>
>>>
>>> --
>>> Fajar
>>>
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
>>>
>>>
>>
>>
--
:: P u r p l e s r l
:: security and network
:: via Vittorio Veneto 8/B :: i-20091 Bresso - Milano
:: web: www.purplesrl.com
:: Massimiliano Tommasi
:: email: m.tommasi at purplesrl.com
:: phone: +39 02 36687280 :: fax: +39 02 700511249
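The debug output at the top of this message already contains the answer that the log text does not spell out: rlm_pap compares the User-Password "121212" byte-for-byte against the "known good" clear-text value that rlm_ldap pulled from userPassword, and that value is "121212 " with a trailing space. The ldapsearch output in the quoted mail shows it as userPassword:: MTIxMjEyIA== because LDIF base64-encodes any value that ends in whitespace, so the space is invisible unless the value is decoded. The script below is an added example, not code from the thread or from FreeRADIUS: it parses an LDIF entry (constructed here in the shape of the quoted one), decodes the base64 attribute, and reproduces the PAP comparison with a diagnostic reason. The function names (parse_ldif_entry, known_good_password, pap_check, diagnose) are my own, and the reason strings are diagnostics this script adds, not server output.

```python
import base64
import binascii

# Constructed LDIF entry in the shape of the ldapsearch output quoted in the
# thread. "attr:: value" marks a base64-encoded value; ldapsearch emits that
# form for any value that ends in whitespace, which is what hides the problem.
SAMPLE_LDIF = """\
# ldapuser, People, example.com
dn: uid=ldapuser,ou=People,dc=example,dc=com
uid: ldapuser
objectClass: posixAccount
objectClass: shadowAccount
userPassword:: MTIxMjEyIA==
shadowLastChange: 15174
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    'attr: value' is a literal value (spaces after the colon are filler);
    'attr:: value' is base64 and is decoded here so that leading or trailing
    whitespace in the stored value becomes visible.
    """
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.lstrip(" ")
        attrs.setdefault(name, []).append(value)
    return attrs


def known_good_password(attrs):
    """Return the clear-text userPassword that rlm_ldap would hand to rlm_pap
    as the 'known good' password, or None when the entry has no such value."""
    values = attrs.get("userPassword")
    return values[0] if values else None


def pap_check(candidate, stored):
    """Reproduce the exact-match comparison rlm_pap makes for a clear-text
    password and return (accepted, reason). Hypothetical helper: the server
    itself only logs "Passwords don't match"; the reasons are added here."""
    if stored is None:
        return False, 'no "known good" password in the directory entry'
    if candidate == stored:
        return True, "match"
    if candidate == stored.strip():
        return False, "stored password has surrounding whitespace: %r" % stored
    try:
        # The earlier attempt in the thread sent the base64 text itself.
        if base64.b64decode(candidate, validate=True) == stored.encode("utf-8"):
            return False, "client sent the base64 text of the password, not the password"
    except (ValueError, binascii.Error):
        pass
    return False, "passwords differ"


def diagnose(ldif_text, candidate):
    """Run the whole check: parse the entry, pick the stored password, compare."""
    stored = known_good_password(parse_ldif_entry(ldif_text))
    return pap_check(candidate, stored)


if __name__ == "__main__":
    for attempt in ("121212", "MTIxMjEyIA==", "121212 "):
        ok, why = diagnose(SAMPLE_LDIF, attempt)
        print("%-16r accepted=%-5s %s" % (attempt, ok, why))
```

Running it against the constructed entry reports the two failures seen in the thread (the trailing space, and the base64 text sent as the password) and accepts only the value that matches byte-for-byte; the fix on the directory side is to store the password without the stray space, which ldapsearch will then print as a plain "userPassword:" line.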