Radius integration with LDAP (SASL)

vijay t vijayt at cdac.in
Tue Jan 17 12:55:11 CET 2012

My LDAP server uses SASL mechanism for authenticating uid/username against
userPassword. How can I integrate this LDAp server with FreeRadius server and
what all configuration need to be changed ???. On debug, my radius server shows
following error. Kindly suggest

Traffic flow as follows:

Radius client--> Radius server--> Ldap server --> SASL Authentication--->
Backend server

rad_recv: Access-Request packet from host port 42911, id=96,
        User-Name = "google"
        User-Password = "google at 1234"
        NAS-IP-Address =
        NAS-Port = 0
# Executing section authorize from file
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "google", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[smbpasswd] returns notfound
[ldap] performing user authorization for google
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> google
[ldap]  expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=google)
[ldap]  expand: ou=Users,dc=cdac,dc=in -> ou=Users,dc=cdac,dc=in
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=Users,dc=cdac,dc=in, with filter (uid=google)
request done: ld 0x748c7d0 msgid 9
  [ldap] object not found
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may
fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> google
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 13 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 13
Sending Access-Reject of id 96 to port 42911
Waking up in 4.9 seconds.


This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120117/2905cc69/attachment.html>

More information about the Freeradius-Users mailing list