FreeRadius with multiple LDAP
Sebastijan Šilec
sebastijan.silec at agenda.si
Wed Mar 28 16:05:52 CEST 2012
I'm upgrading FreeRadius from version 1.x to 2.x and transferred the configs.
I have a problem with defining the authorize and authenticate sections.
I've defined 2 ldap modules (ldap and ldap1) connecting to the same LDAP
server but to different OUs.
The old configs have this in users setup:
DEFAULT Realm == mydomain.com, Freeradius-Proxied-To == 127.0.0.1, Auth-Type := PAP
        User-Name = `%{User-Name}`,
        Fall-Through = yes

DEFAULT Realm == mydomain.com, Freeradius-Proxied-To == 127.0.0.1, Autz-Type := LDAP

DEFAULT User-Name =~ "^[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss]|[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss]@mydomain.com", Auth-Type := EAP
In radiusd.conf
### authorize
Autz-Type LDAP {
        ldap
}
###

### authenticate
Auth-Type PAP {
        pap
        ldap1
}
####
LDAP conf
ldap ldap {
        #
        # Note that this needs to match the name in the LDAP
        # server certificate, if you're using ldaps.
        server = "ldap.mydomain.com"
        identity = "cn=root,dc=my,dc=domain,dc=com"
        password = "test"
        basedn = "ou=workers,dc=my,dc=domain,dc=com"
        filter = "(eduPersonPrincipalName=%{User-Name})"
        #base_filter = "(objectclass=radiusprofile)"
        start_tls = no
}

ldap ldap1 {
        #
        # Note that this needs to match the name in the LDAP
        # server certificate, if you're using ldaps.
        server = "ldap.mydomain.com"
        identity = "cn=root,dc=my,dc=domain,dc=com"
        password = "test"
        basedn = "ou=nonworkers,dc=my,dc=domain,dc=com"
        filter = "(&(eduPersonPrincipalName=%{User-Name})(schacUserStatus=eduroam:access:enabled))"
        #base_filter = "(objectclass=radiusprofile)"
        start_tls = no
}
This setup works on the old FreeRADIUS.
It forwards requests for the anonymous user with EAP and goes to LDAP
for local users with mydomain.com.
But this setup doesn't work with the new version.
I get this:
rad_recv: Access-Request packet from host 127.0.0.1 port 59814, id=0, length=90
        User-Name = "test@mydomain.com"
        User-Password = "test"
        NAS-IP-Address = 88.200.21.64
        NAS-Port = 1
        Message-Authenticator = 0x035a720374f2f7d52319ed9431aed16e
Wed Mar 28 15:17:25 2012 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
Wed Mar 28 15:17:25 2012 : Info: +- entering group authorize {...}
Wed Mar 28 15:17:25 2012 : Info: ++[preprocess] returns ok
Wed Mar 28 15:17:25 2012 : Info: [suffix] Looking up realm "mydomain.com" for User-Name = "test@mydomain.com"
Wed Mar 28 15:17:25 2012 : Info: [suffix] Found realm "mydomain.com"
Wed Mar 28 15:17:25 2012 : Info: [suffix] Adding Realm = "mydomain.com"
Wed Mar 28 15:17:25 2012 : Info: [suffix] Authentication realm is LOCAL.
Wed Mar 28 15:17:25 2012 : Info: ++[suffix] returns ok
Wed Mar 28 15:17:25 2012 : Info: [eap] No EAP-Message, not doing EAP
Wed Mar 28 15:17:25 2012 : Info: ++[eap] returns noop
Wed Mar 28 15:17:25 2012 : Info: [files] expand: %{User-Name} -> test@mydomain.com
Wed Mar 28 15:17:25 2012 : Info: ++[files] returns noop
Wed Mar 28 15:17:25 2012 : Info: ++[expiration] returns noop
Wed Mar 28 15:17:25 2012 : Info: ++[logintime] returns noop
Wed Mar 28 15:17:25 2012 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Wed Mar 28 15:17:25 2012 : Info: ++[pap] returns noop
Wed Mar 28 15:17:25 2012 : Info: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Wed Mar 28 15:17:25 2012 : Info: Failed to authenticate the user.
Wed Mar 28 15:17:25 2012 : Auth: Login incorrect: [test@mydomain.com/test] (from client loopback port 1)
Wed Mar 28 15:17:25 2012 : Info: Using Post-Auth-Type Reject
Wed Mar 28 15:17:25 2012 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Wed Mar 28 15:17:25 2012 : Info: +- entering group REJECT {...}
Wed Mar 28 15:17:25 2012 : Info: [attr_filter.access_reject] expand: %{User-Name} -> test@mydomain.com
Wed Mar 28 15:17:25 2012 : Debug: attr_filter: Matched entry DEFAULT at line 11
Wed Mar 28 15:17:25 2012 : Info: ++[attr_filter.access_reject] returns updated
Wed Mar 28 15:17:25 2012 : Info: Delaying reject of request 12 for 1 seconds
Wed Mar 28 15:17:25 2012 : Debug: Going to the next request
Wed Mar 28 15:17:25 2012 : Debug: Waking up in 0.9 seconds.
Wed Mar 28 15:17:26 2012 : Info: Sending delayed reject for request 12
It looks like it doesn't use LDAP at all.
If I enable both ldap setups in the authorize section in sites-available/default:
### authorize
        ldap
        ldap1
        pap
###
Then it doesn't use the users file and always tries to bind to the first LDAP.
For the anonymous user too, which is wrong.
Any pointers?
Thanks
S.
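One way to express the intended routing in FreeRADIUS 2.x unlang, as an added example that is not the poster's configuration and not a confirmed fix for the problem above. In 2.x the authorize and authenticate sections belong in the virtual server file sites-enabled/default rather than radiusd.conf; this sketch assumes the two module instances are named ldap and ldap1 as in the post, that the realm mydomain.com is defined in proxy.conf so that the suffix module adds the Realm attribute, and that each user's DN can be bound with the supplied User-Password. Auth-Type is set explicitly from unlang instead of relying on each rlm_ldap instance's own set_auth_type behaviour, so that the second instance cannot be confused with the first:

```unlang
# sites-enabled/default (FreeRADIUS 2.x) -- added example, not the poster's config.
authorize {
        preprocess

        # Splits user@realm, adds Realm and Stripped-User-Name when the
        # realm is known from proxy.conf.
        suffix

        # Any request carrying EAP-Message (including the anonymous outer
        # identity) is handed to the eap module and leaves this section here,
        # so it never reaches the LDAP lookups below.
        eap {
                ok = return
        }

        files

        # Non-EAP requests for local users: look the account up in ou=workers
        # first and fall back to ou=nonworkers only when it was not found.
        if (Realm == "mydomain.com") {
                ldap
                if (ok || updated) {
                        update control {
                                Auth-Type := ldap
                        }
                }
                elsif (notfound) {
                        ldap1
                        if (ok || updated) {
                                update control {
                                        Auth-Type := ldap1
                                }
                        }
                }
        }

        # No branch above set an Auth-Type for unknown users or for a plain
        # "anonymous" without EAP, so the server rejects them, which is the
        # behaviour the post describes as correct.
}

authenticate {
        # Each instance binds as the DN it found in its own basedn, using the
        # User-Password from the request; the bind result decides the outcome.
        Auth-Type ldap {
                ldap
        }
        Auth-Type ldap1 {
                ldap1
        }
        eap
}
```

With this layout the pap module is not needed in authorize, because the password is checked by the LDAP bind rather than against a cached "known good" password. To confirm the routing, run the server in debug mode (radiusd -X) and send a request with radtest for a user in each OU and for the anonymous identity: the debug output shows which instance returned ok and which Auth-Type was set before authenticate runs.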