FreeRadius - LDAP

Massimiliano Tommasi m.tommasi at purplesrl.com
Wed Jul 20 18:23:11 CEST 2011


As you can see, there is an attempt with PAP after LDAP.
Is there something I have to modify, in your opinion?

Thanks,
Max

Wed Jul 20 13:35:25 2011 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Wed Jul 20 13:35:25 2011 : Info: ++[ldap] returns ok
Wed Jul 20 13:35:25 2011 : Info: ++[expiration] returns noop
Wed Jul 20 13:35:25 2011 : Info: ++[logintime] returns noop
Wed Jul 20 13:35:25 2011 : Info: ++[pap] returns updated
Wed Jul 20 13:35:25 2011 : Info: Found Auth-Type = PAP
Wed Jul 20 13:35:25 2011 : Info: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Wed Jul 20 13:35:25 2011 : Info: !!!    Replacing User-Password in config items with Cleartext-Password.     !!!
Wed Jul 20 13:35:25 2011 : Info: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Wed Jul 20 13:35:25 2011 : Info: !!! Please update your configuration so that the "known good"               !!!
Wed Jul 20 13:35:25 2011 : Info: !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
Wed Jul 20 13:35:25 2011 : Info: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Wed Jul 20 13:35:25 2011 : Info: +- entering group PAP {...}
Wed Jul 20 13:35:25 2011 : Info: [pap] login attempt with password "121212"
Wed Jul 20 13:35:25 2011 : Info: [pap] Using clear text password "121212 "
Wed Jul 20 13:35:25 2011 : Info: [pap] Passwords don't match
Wed Jul 20 13:35:25 2011 : Info: ++[pap] returns reject
Wed Jul 20 13:35:25 2011 : Info: Failed to authenticate the user.
Wed Jul 20 13:35:25 2011 : Info: Using Post-Auth-Type Reject
Wed Jul 20 13:35:25 2011 : Info: +- entering group REJECT {...}
Wed Jul 20 13:35:25 2011 : Info: [attr_filter.access_reject] 	expand: %{User-Name} -> ldapuser
Wed Jul 20 13:35:25 2011 : Debug:  attr_filter: Matched entry DEFAULT at line 11
Wed Jul 20 13:35:25 2011 : Info: ++[attr_filter.access_reject] returns updated
Wed Jul 20 13:35:25 2011 : Info: Delaying reject of request 0 for 1 seconds
Wed Jul 20 13:35:25 2011 : Debug: Going to the next request
Wed Jul 20 13:35:25 2011 : Debug: Waking up in 0.7 seconds.
Wed Jul 20 13:35:26 2011 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 64 to 127.0.0.1 port 44404


On 20/07/11 18.07, up at 3.am wrote:
> 
> You're using LDAP with POSIX type users, including shadow passwords.  I'm pretty
> sure this means you cannot use CHAP on the client end, but must use PAP.  Somebody
> can correct me if I'm wrong about this.
> 
> While they are at it, maybe they can let me know how to get FreeRADIUS to respect
> the shadow password aging attributes. :-/
> 
>> On 20/07/11 10.19, Fajar A. Nugraha-2 [via FreeRadius] wrote:
>>> On Wed, Jul 20, 2011 at 3:07 PM, m4xmr wrote:
>>>> Hello,
>>>> I'm trying to get LDAP working as an authentication backend for RADIUS.
>>>> I verified that the data are right and the query to LDAP works properly
>>>> if I use ldapsearch.
>>>
>>> does LDAP BIND work correctly using ldapsearch (i.e. ldapsearch -D)
>>
>> I tried:  ldapsearch -x -b "dc=example,dc=com" "uid=ldapuser"
>> and it works fine:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=example,dc=com> with scope subtree
>> # filter: uid=ldapuser
>> # requesting: ALL
>> #
>>
>> # ldapuser, People, example.com
>> dn: uid=ldapuser,ou=People,dc=example,dc=com
>> uid: ldapuser
>> cn: ldapuser
>> objectClass: account
>> objectClass: posixAccount
>> objectClass: top
>> objectClass: shadowAccount
>> userPassword:: MTIxMjEyIA==
>> shadowLastChange: 15174
>> shadowMin: 0
>> shadowMax: 99999
>> shadowWarning: 7
>> loginShell: /bin/bash
>> uidNumber: 500
>> gidNumber: 100
>> homeDirectory: /home/ldapuser
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>>>
>>>> rad_recv: Access-Request packet from host 127.0.0.1:59221, id=78, length=60
>>>>        User-Name = "ldapuser"
>>>>        User-Password = "121212"
>>>
>>>> rlm_ldap: Setting Auth-Type = ldap
>>>
>>> Hmmm ... that's odd. I thought rlm_ldap was supposed to just grab
>>> attributes (e.g. Cleartext-Password) and not set the Auth-Type? Are
>>> you doing anything special like forcing Auth-Type := LDAP?
>>
>> I was following a tutorial, this one:
>>
>> http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS
>>>
>>>> rlm_ldap: user ldapuser authorized to use remote access
>>>
>>> this line says there's a user called ldapuser
>>>
>>>> rlm_ldap: - authenticate
>>>> rlm_ldap: login attempt by "ldapuser" with password "121212"
>>>> rlm_ldap: user DN: uid=ldapuser,ou=People,dc=example,dc=com
>>>> rlm_ldap: (re)connect to localhost:389, authentication 1
>>>> rlm_ldap: bind as uid=ldapuser,ou=People,dc=example,dc=com/121212 to localhost:389
>>>> rlm_ldap: waiting for bind result ...
>>>> rlm_ldap: Bind failed with invalid credentials
>>>
>>> ... while this one says the bind failed. Is the password correct?
>>
>> I configured that password... it could be some problem of hashing, maybe.
>>
>> Anyway, I have upgraded to FreeRADIUS Version 2.1.7;
>> this is the output of radiusd -X:
>>
>> radiusd -X
>> FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on Mar
>> 31 2010 at 00:25:31
>> Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
>> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
>> PARTICULAR PURPOSE.
>> You may redistribute copies of FreeRADIUS under the terms of the
>> GNU General Public License v2.
>> Starting - reading configuration files ...
>> including configuration file /etc/raddb/radiusd.conf
>> including configuration file /etc/raddb/proxy.conf
>> including configuration file /etc/raddb/clients.conf
>> including files in directory /etc/raddb/modules/
>> including configuration file /etc/raddb/modules/digest
>> including configuration file /etc/raddb/modules/exec
>> including configuration file /etc/raddb/modules/cui
>> including configuration file /etc/raddb/modules/realm
>> including configuration file /etc/raddb/modules/attr_rewrite
>> including configuration file /etc/raddb/modules/radutmp
>> including configuration file /etc/raddb/modules/sradutmp
>> including configuration file /etc/raddb/modules/detail.example.com
>> including configuration file /etc/raddb/modules/linelog
>> including configuration file /etc/raddb/modules/smsotp
>> including configuration file /etc/raddb/modules/ippool
>> including configuration file /etc/raddb/modules/wimax
>> including configuration file /etc/raddb/modules/detail
>> including configuration file /etc/raddb/modules/inner-eap
>> including configuration file /etc/raddb/modules/passwd
>> including configuration file /etc/raddb/modules/mschap
>> including configuration file /etc/raddb/modules/files
>> including configuration file /etc/raddb/modules/smbpasswd
>> including configuration file /etc/raddb/modules/ldap
>> including configuration file /etc/raddb/modules/etc_group
>> including configuration file /etc/raddb/modules/always
>> including configuration file /etc/raddb/modules/counter
>> including configuration file /etc/raddb/modules/echo
>> including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
>> including configuration file /etc/raddb/modules/checkval
>> including configuration file /etc/raddb/modules/sql_log
>> including configuration file /etc/raddb/modules/pam
>> including configuration file /etc/raddb/modules/mac2vlan
>> including configuration file /etc/raddb/modules/chap
>> including configuration file /etc/raddb/modules/pap
>> including configuration file /etc/raddb/modules/mac2ip
>> including configuration file /etc/raddb/modules/otp
>> including configuration file /etc/raddb/modules/unix
>> including configuration file /etc/raddb/modules/policy
>> including configuration file /etc/raddb/modules/detail.log
>> including configuration file /etc/raddb/modules/attr_filter
>> including configuration file /etc/raddb/modules/acct_unique
>> including configuration file /etc/raddb/modules/expr
>> including configuration file /etc/raddb/modules/expiration
>> including configuration file /etc/raddb/modules/logintime
>> including configuration file /etc/raddb/modules/perl
>> including configuration file /etc/raddb/modules/preprocess
>> including configuration file /etc/raddb/eap.conf
>> including configuration file /etc/raddb/policy.conf
>> including files in directory /etc/raddb/sites-enabled/
>> including configuration file /etc/raddb/sites-enabled/default
>> including configuration file /etc/raddb/sites-enabled/inner-tunnel
>> including configuration file /etc/raddb/sites-enabled/control-socket
>> group = radiusd
>> user = radiusd
>> including dictionary file /etc/raddb/dictionary
>> main {
>> 	prefix = "/usr"
>> 	localstatedir = "/var"
>> 	logdir = "/var/log/radius"
>> 	libdir = "/usr/lib/freeradius"
>> 	radacctdir = "/var/log/radius/radacct"
>> 	hostname_lookups = no
>> 	max_request_time = 30
>> 	cleanup_delay = 5
>> 	max_requests = 1024
>> 	allow_core_dumps = no
>> 	pidfile = "/var/run/radiusd/radiusd.pid"
>> 	checkrad = "/usr/sbin/checkrad"
>> 	debug_level = 0
>> 	proxy_requests = yes
>>  log {
>> 	stripped_names = no
>> 	auth = no
>> 	auth_badpass = no
>> 	auth_goodpass = no
>>  }
>>  security {
>> 	max_attributes = 200
>> 	reject_delay = 1
>> 	status_server = yes
>>  }
>> }
>> radiusd: #### Loading Realms and Home Servers ####
>>  proxy server {
>> 	retry_delay = 5
>> 	retry_count = 3
>> 	default_fallback = no
>> 	dead_time = 120
>> 	wake_all_if_all_dead = no
>>  }
>>  home_server localhost {
>> 	ipaddr = 127.0.0.1
>> 	port = 1812
>> 	type = "auth"
>> 	secret = "testing123"
>> 	response_window = 20
>> 	max_outstanding = 65536
>> 	require_message_authenticator = no
>> 	zombie_period = 40
>> 	status_check = "status-server"
>> 	ping_interval = 30
>> 	check_interval = 30
>> 	num_answers_to_alive = 3
>> 	num_pings_to_alive = 3
>> 	revive_interval = 120
>> 	status_check_timeout = 4
>> 	irt = 2
>> 	mrt = 16
>> 	mrc = 5
>> 	mrd = 30
>>  }
>>  home_server_pool my_auth_failover {
>> 	type = fail-over
>> 	home_server = localhost
>>  }
>>  realm example.com {
>> 	auth_pool = my_auth_failover
>>  }
>>  realm LOCAL {
>>  }
>> radiusd: #### Loading Clients ####
>>  client localhost {
>> 	ipaddr = 127.0.0.1
>> 	require_message_authenticator = no
>> 	secret = "testing123"
>> 	nastype = "other"
>>  }
>> radiusd: #### Instantiating modules ####
>>  instantiate {
>>  Module: Linked to module rlm_exec
>>  Module: Instantiating exec
>>   exec {
>> 	wait = no
>> 	input_pairs = "request"
>> 	shell_escape = yes
>>   }
>>  Module: Linked to module rlm_expr
>>  Module: Instantiating expr
>>  Module: Linked to module rlm_expiration
>>  Module: Instantiating expiration
>>   expiration {
>> 	reply-message = "Password Has Expired  "
>>   }
>>  Module: Linked to module rlm_logintime
>>  Module: Instantiating logintime
>>   logintime {
>> 	reply-message = "You are calling outside your allowed timespan  "
>> 	minimum-timeout = 60
>>   }
>>  }
>> radiusd: #### Loading Virtual Servers ####
>> server inner-tunnel {
>>  modules {
>>  Module: Checking authenticate {...} for more modules to load
>>  Module: Linked to module rlm_pap
>>  Module: Instantiating pap
>>   pap {
>> 	encryption_scheme = "auto"
>> 	auto_header = no
>>   }
>>  Module: Linked to module rlm_chap
>>  Module: Instantiating chap
>>  Module: Linked to module rlm_mschap
>>  Module: Instantiating mschap
>>   mschap {
>> 	use_mppe = yes
>> 	require_encryption = no
>> 	require_strong = no
>> 	with_ntdomain_hack = no
>>   }
>>  Module: Linked to module rlm_unix
>>  Module: Instantiating unix
>>   unix {
>> 	radwtmp = "/var/log/radius/radwtmp"
>>   }
>>  Module: Linked to module rlm_eap
>>  Module: Instantiating eap
>>   eap {
>> 	default_eap_type = "md5"
>> 	timer_expire = 60
>> 	ignore_unknown_eap_types = no
>> 	cisco_accounting_username_bug = no
>> 	max_sessions = 2048
>>   }
>>  Module: Linked to sub-module rlm_eap_md5
>>  Module: Instantiating eap-md5
>>  Module: Linked to sub-module rlm_eap_leap
>>  Module: Instantiating eap-leap
>>  Module: Linked to sub-module rlm_eap_gtc
>>  Module: Instantiating eap-gtc
>>    gtc {
>> 	challenge = "Password: "
>> 	auth_type = "PAP"
>>    }
>>  Module: Linked to sub-module rlm_eap_tls
>>  Module: Instantiating eap-tls
>>    tls {
>> 	rsa_key_exchange = no
>> 	dh_key_exchange = yes
>> 	rsa_key_length = 512
>> 	dh_key_length = 512
>> 	verify_depth = 0
>> 	pem_file_type = yes
>> 	private_key_file = "/etc/raddb/certs/server.pem"
>> 	certificate_file = "/etc/raddb/certs/server.pem"
>> 	CA_file = "/etc/raddb/certs/ca.pem"
>> 	private_key_password = "whatever"
>> 	dh_file = "/etc/raddb/certs/dh"
>> 	random_file = "/etc/raddb/certs/random"
>> 	fragment_size = 1024
>> 	include_length = yes
>> 	check_crl = no
>> 	cipher_list = "DEFAULT"
>> 	make_cert_command = "/etc/raddb/certs/bootstrap"
>>     cache {
>> 	enable = no
>> 	lifetime = 24
>> 	max_entries = 255
>>     }
>>    }
>>  Module: Linked to sub-module rlm_eap_ttls
>>  Module: Instantiating eap-ttls
>>    ttls {
>> 	default_eap_type = "md5"
>> 	copy_request_to_tunnel = no
>> 	use_tunneled_reply = no
>> 	virtual_server = "inner-tunnel"
>> 	include_length = yes
>>    }
>>  Module: Linked to sub-module rlm_eap_peap
>>  Module: Instantiating eap-peap
>>    peap {
>> 	default_eap_type = "mschapv2"
>> 	copy_request_to_tunnel = no
>> 	use_tunneled_reply = no
>> 	proxy_tunneled_request_as_eap = yes
>> 	virtual_server = "inner-tunnel"
>>    }
>>  Module: Linked to sub-module rlm_eap_mschapv2
>>  Module: Instantiating eap-mschapv2
>>    mschapv2 {
>> 	with_ntdomain_hack = no
>>    }
>>  Module: Checking authorize {...} for more modules to load
>>  Module: Linked to module rlm_realm
>>  Module: Instantiating suffix
>>   realm suffix {
>> 	format = "suffix"
>> 	delimiter = "@"
>> 	ignore_default = no
>> 	ignore_null = no
>>   }
>>  Module: Linked to module rlm_files
>>  Module: Instantiating files
>>   files {
>> 	usersfile = "/etc/raddb/users"
>> 	acctusersfile = "/etc/raddb/acct_users"
>> 	preproxy_usersfile = "/etc/raddb/preproxy_users"
>> 	compat = "no"
>>   }
>>  Module: Checking session {...} for more modules to load
>>  Module: Linked to module rlm_radutmp
>>  Module: Instantiating radutmp
>>   radutmp {
>> 	filename = "/var/log/radius/radutmp"
>> 	username = "%{User-Name}"
>> 	case_sensitive = yes
>> 	check_with_nas = yes
>> 	perm = 384
>> 	callerid = yes
>>   }
>>  Module: Checking post-proxy {...} for more modules to load
>>  Module: Checking post-auth {...} for more modules to load
>>  Module: Linked to module rlm_attr_filter
>>  Module: Instantiating attr_filter.access_reject
>>   attr_filter attr_filter.access_reject {
>> 	attrsfile = "/etc/raddb/attrs.access_reject"
>> 	key = "%{User-Name}"
>>   }
>>  } # modules
>> } # server
>> server {
>>  modules {
>>  Module: Checking authenticate {...} for more modules to load
>>  Module: Linked to module rlm_ldap
>>  Module: Instantiating ldap
>>   ldap {
>> 	server = "localhost"
>> 	port = 389
>> 	password = ""
>> 	identity = ""
>> 	net_timeout = 1
>> 	timeout = 4
>> 	timelimit = 3
>> 	tls_mode = no
>> 	start_tls = no
>> 	tls_require_cert = "allow"
>>    tls {
>> 	start_tls = no
>> 	require_cert = "allow"
>>    }
>> 	basedn = "dc=example,dc=com"
>> 	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>> 	base_filter = "(objectclass=radiusprofile)"
>> 	auto_header = no
>> 	access_attr_used_for_allow = yes
>> 	groupname_attribute = "cn"
>> 	groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>> 	dictionary_mapping = "/etc/raddb/ldap.attrmap"
>> 	ldap_debug = 0
>> 	ldap_connections_number = 5
>> 	compare_check_items = no
>> 	do_xlat = yes
>> 	set_auth_type = yes
>>   }
>> rlm_ldap: Registering ldap_groupcmp for Ldap-Group
>> rlm_ldap: Registering ldap_xlat with xlat_name ldap
>> rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
>> rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
>> rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
>> rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
>> rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
>> rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
>> rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
>> rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
>> rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
>> rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
>> rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
>> rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
>> rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
>> rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
>> rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
>> rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
>> rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
>> rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
>> rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
>> rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
>> rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
>> rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
>> rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
>> rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
>> rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
>> rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
>> rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
>> rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
>> rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
>> rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
>> rlm_ldap: LDAP radiusClass mapped to RADIUS Class
>> rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
>> rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
>> rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
>> rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
>> rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
>> rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
>> rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
>> rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
>> rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
>> rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
>> rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
>> rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
>> rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
>> rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
>> rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
>> conns: 0x89d0250
>>  Module: Checking authorize {...} for more modules to load
>>  Module: Linked to module rlm_preprocess
>>  Module: Instantiating preprocess
>>   preprocess {
>> 	huntgroups = "/etc/raddb/huntgroups"
>> 	hints = "/etc/raddb/hints"
>> 	with_ascend_hack = no
>> 	ascend_channels_per_line = 23
>> 	with_ntdomain_hack = no
>> 	with_specialix_jetstream_hack = no
>> 	with_cisco_vsa_hack = no
>> 	with_alvarion_vsa_hack = no
>>   }
>>  Module: Checking preacct {...} for more modules to load
>>  Module: Linked to module rlm_acct_unique
>>  Module: Instantiating acct_unique
>>   acct_unique {
>> 	key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
>>   }
>>  Module: Checking accounting {...} for more modules to load
>>  Module: Linked to module rlm_detail
>>  Module: Instantiating detail
>>   detail {
>> 	detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
>> 	header = "%t"
>> 	detailperm = 384
>> 	dirperm = 493
>> 	locking = no
>> 	log_packet_header = no
>>   }
>>  Module: Instantiating attr_filter.accounting_response
>>   attr_filter attr_filter.accounting_response {
>> 	attrsfile = "/etc/raddb/attrs.accounting_response"
>> 	key = "%{User-Name}"
>>   }
>>  Module: Checking session {...} for more modules to load
>>  Module: Checking post-proxy {...} for more modules to load
>>  Module: Checking post-auth {...} for more modules to load
>>  } # modules
>> } # server
>> radiusd: #### Opening IP addresses and Ports ####
>> listen {
>> 	type = "auth"
>> 	ipaddr = *
>> 	port = 0
>> }
>> listen {
>> 	type = "acct"
>> 	ipaddr = *
>> 	port = 0
>> }
>> listen {
>> 	type = "control"
>>  listen {
>> 	socket = "/var/run/radiusd/radiusd.sock"
>>  }
>> }
>> Listening on authentication address * port 1812
>> Listening on accounting address * port 1813
>> Listening on command file /var/run/radiusd/radiusd.sock
>> Listening on proxy address * port 1814
>> Ready to process requests.
>>
>> --->
>>
>> NOW, when I try the auth:
>> radtest ldapuser 121212 localhost 2 testing123
>>
>> I get this output on the client side
>>
>> Sending Access-Request of id 207 to 127.0.0.1 port 1812
>> 	User-Name = "ldapuser"
>> 	User-Password = "MTIxMjEyIA=="
>> 	NAS-IP-Address = 127.0.0.1
>> 	NAS-Port = 2
>> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=207, length=20
>>
>> AND this one on the radius server side:
>>
>> rad_recv: Access-Request packet from host 127.0.0.1 port 36725, id=207, length=60
>> 	User-Name = "ldapuser"
>> 	User-Password = "MTIxMjEyIA=="
>> 	NAS-IP-Address = 127.0.0.1
>> 	NAS-Port = 2
>> +- entering group authorize {...}
>> ++[preprocess] returns ok
>> ++[chap] returns noop
>> ++[mschap] returns noop
>> [suffix] No '@' in User-Name = "ldapuser", looking up realm NULL
>> [suffix] No such realm "NULL"
>> ++[suffix] returns noop
>> [eap] No EAP-Message, not doing EAP
>> ++[eap] returns noop
>> ++[unix] returns notfound
>> ++[files] returns noop
>> [ldap] performing user authorization for ldapuser
>> [ldap] 	expand: %{Stripped-User-Name} ->
>> [ldap] 	expand: %{User-Name} -> ldapuser
>> [ldap] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=ldapuser)
>> [ldap] 	expand: dc=example,dc=com -> dc=example,dc=com
>> rlm_ldap: ldap_get_conn: Checking Id: 0
>> rlm_ldap: ldap_get_conn: Got Id: 0
>> rlm_ldap: attempting LDAP reconnection
>> rlm_ldap: (re)connect to localhost:389, authentication 0
>> rlm_ldap: bind as / to localhost:389
>> rlm_ldap: waiting for bind result ...
>> rlm_ldap: Bind was successful
>> rlm_ldap: performing search in dc=example,dc=com, with filter (uid=ldapuser)
>> [ldap] looking for check items in directory...
>> [ldap] looking for reply items in directory...
>> WARNING: No "known good" password was found in LDAP.  Are you sure that
>> the user is configured correctly?
>> [ldap] Setting Auth-Type = LDAP
>> [ldap] user ldapuser authorized to use remote access
>> rlm_ldap: ldap_release_conn: Release Id: 0
>> ++[ldap] returns ok
>> ++[expiration] returns noop
>> ++[logintime] returns noop
>> [pap] WARNING! No "known good" password found for the user.
>> Authentication may fail because of this.
>> ++[pap] returns noop
>> Found Auth-Type = LDAP
>> +- entering group LDAP {...}
>> [ldap] login attempt by "ldapuser" with password "MTIxMjEyIA=="
>> [ldap] user DN: uid=ldapuser,ou=People,dc=example,dc=com
>> rlm_ldap: (re)connect to localhost:389, authentication 1
>> rlm_ldap: bind as uid=ldapuser,ou=People,dc=example,dc=com/MTIxMjEyIA== to localhost:389
>> rlm_ldap: waiting for bind result ...
>> rlm_ldap: Bind failed with invalid credentials
>> ++[ldap] returns reject
>> Failed to authenticate the user.
>> Using Post-Auth-Type Reject
>> +- entering group REJECT {...}
>> [attr_filter.access_reject] 	expand: %{User-Name} -> ldapuser
>>  attr_filter: Matched entry DEFAULT at line 11
>> ++[attr_filter.access_reject] returns updated
>> Delaying reject of request 0 for 1 seconds
>> Going to the next request
>> Waking up in 0.5 seconds.
>> Sending delayed reject for request 0
>> Sending Access-Reject of id 207 to 127.0.0.1 port 36725
>> Waking up in 4.9 seconds.
>> Cleaning up request 0 ID 207 with timestamp +1224
>> Ready to process requests.
>>
>> Do you have any idea?
>> Am I missing something?
>>
>>
>> Regards,
>> Max
>>
>>
>>>
>>> --
>>> Fajar
>>>
>>
>>
> 

-- 
:: P u r p l e   s r l
:: security and network
:: via Vittorio Veneto 8/B :: i-20091 Bresso - Milano
:: web: www.purplesrl.com

:: Massimiliano Tommasi
:: email: m.tommasi at purplesrl.com
:: phone: +39 02 36687280 :: fax: +39 02 700511249
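An added example, not code from the thread or from the FreeRADIUS project, that works through the clue in the ldapsearch output quoted above: the double colon in `userPassword:: MTIxMjEyIA==` means ldapsearch base64-encoded the value for LDIF output, and the decoded value is "121212 " with a trailing space, which is exactly what rlm_pap later reports comparing against. The LDIF parser, the RFC 2849 encoding rule and the compare diagnosis are my own constructions built on the entry and the two radtest attempts shown in the thread.

```python
import base64

# Constructed sample: the ldapuser entry as ldapsearch printed it in the thread
# (trimmed). The double colon after userPassword is an LDIF encoding marker:
# ldapsearch base64-encoded the value for output; LDAP itself stores it raw.
SAMPLE_LDIF = """\
# ldapuser, People, example.com
dn: uid=ldapuser,ou=People,dc=example,dc=com
uid: ldapuser
objectClass: posixAccount
objectClass: shadowAccount
userPassword:: MTIxMjEyIA==
shadowMax: 99999
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]} (RFC 2849 subset).

    'attr: value' is a plain value, 'attr:: value' is base64-encoded, and a
    line starting with a single space continues the previous value.
    """
    records = []  # [name, is_base64, raw_value]
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        if line.startswith(" ") and records:
            records[-1][2] += line[1:]  # folded line: glue to previous value
            continue
        name, _, rest = line.partition(":")
        is_base64 = rest.startswith(":")
        if is_base64:
            rest = rest[1:]
        value = rest[1:] if rest.startswith(" ") else rest
        records.append([name, is_base64, value])
    attrs = {}
    for name, is_base64, value in records:
        if is_base64:
            # Decode only after folding, so a wrapped base64 value is intact.
            value = base64.b64decode(value).decode("utf-8", "replace")
        attrs.setdefault(name, []).append(value)
    return attrs


def ldif_needs_base64(value):
    """Why ldapsearch chose the '::' form: RFC 2849 requires base64 when a value
    starts with a space, ':' or '<', ends with a space, or contains NUL, CR,
    LF or non-ASCII. For "121212 " the trailing space alone triggers it."""
    if not value:
        return False
    if value[0] in " :<" or value[-1] == " ":
        return True
    return any(c in "\x00\r\n" or ord(c) > 127 for c in value)


def diagnose_pap_compare(stored, supplied):
    """rlm_pap's clear-text check is an exact string compare; when it fails,
    name the most likely reason based on the two failure modes in the thread."""
    if stored == supplied:
        return "match"
    if stored.strip() == supplied.strip():
        return "whitespace-only difference: stored=%r supplied=%r" % (stored, supplied)
    if supplied == base64.b64encode(stored.encode("utf-8")).decode("ascii"):
        return "supplied value is the LDIF base64 encoding of the stored password, not the password"
    return "mismatch"


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    stored = entry["userPassword"][0]
    print("stored userPassword: %r (ldif needs base64: %s)"
          % (stored, ldif_needs_base64(stored)))
    for supplied in ("121212", "MTIxMjEyIA=="):  # the two attempts in the thread
        print("%-14r -> %s" % (supplied, diagnose_pap_compare(stored, supplied)))
```

Running it on the sample shows the stored value as '121212 ' and classifies the first attempt as a whitespace-only difference and the second as the base64 text being sent in place of the password; the fix on the directory side is to re-set userPassword without the trailing space.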



