FreeRarius with multiple LDAP

Phil Mayers p.mayers at imperial.ac.uk
Wed Mar 28 16:26:36 CEST 2012 

On 28/03/12 15:05, Sebastijan Šilec wrote:
> I'm upgrading FreeRadius form version 1.x to 2.x and transfered the
> configs.
>
> I have a problem with definig authrize and authenticate sections.
>
> I've defined 2 ldap modules (ldap and ldap1) connecting to same LDAP
> servers but to different OU's
>
> The old configs have this in users setup:
>
>
> DEFAULT Realm == mydomain.com, Freeradius-Proxied-To == 127.0.0.1,
> Auth-Type := PAP
> User-Name = `%{User-Name}`,
> Fall-Through = yes
>
> DEFAULT Realm == mydomain.com, Freeradius-Proxied-To == 127.0.0.1,
> Autz-Type := LDAP
>
> DEFAULT User-Name =~
> "^[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss]|[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss]@mydomain.com",
> Auth-Type := EAP
>
>
>
> In radiusd.conf
> ### authorize
> Autz-Type LDAP {
> ldap
> }
> ###
>
> ###authenticate
> Auth-Type PAP {
> pap
> ldap1
> }
>
> ####
>
> LDAP conf
>
> ldap ldap {
> #
> # Note that this needs to match the name in the LDAP
> # server certificate, if you're using ldaps.
> server = "ldap.mydomain.com"
> identity = "cn=root,dc=my,dc=domain,dc=com"
> password = "test"
> basedn = "ou=workers,dc=my,dc=domain,dc=com"
> filter = "(eduPersonPrincipalName=%{User-Name})"
> #base_filter = "(objectclass=radiusprofile)"
>
> start_tls = no
>
> ldap ldap1 {
> #
> # Note that this needs to match the name in the LDAP
> # server certificate, if you're using ldaps.
> server = "ldap.mydomain.com"
> identity = "cn=root,dc=my,dc=domain,dc=com"
> password = "test"
> basedn = "ou=nonworkers,dc=my,dc=domain,dc=com"
> filter =
> "(&(eduPersonPrincipalName=%{User-Name})(schacUserStatus=eduroam:access:enabled))"
>
> #base_filter = "(objectclass=radiusprofile)"
>
> start_tls = no
>
>
>
> This setup works on old freeradius.
> This setup forwards request for anonymous user with EAP and goes to LDAP
> for local users with mydomain.com
>
>
> But this setup doesn't work with new version.
>
> I get this:
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 59814, id=0,
> length=90
> User-Name = "test at madomain.com"
> User-Password = "test"
> NAS-IP-Address = 88.200.21.64
> NAS-Port = 1
> Message-Authenticator = 0x035a720374f2f7d52319ed9431aed16e
> Wed Mar 28 15:17:25 2012 : Info: # Executing section authorize from file
> /etc/raddb/sites-enabled/default
> Wed Mar 28 15:17:25 2012 : Info: +- entering group authorize {...}
> Wed Mar 28 15:17:25 2012 : Info: ++[preprocess] returns ok
> Wed Mar 28 15:17:25 2012 : Info: [suffix] Looking up realm
> "mydomain.com" for User-Name = "test at mydomain.com"
> Wed Mar 28 15:17:25 2012 : Info: [suffix] Found realm "mydomain.com"
> Wed Mar 28 15:17:25 2012 : Info: [suffix] Adding Realm = "mydomain.comi"
> Wed Mar 28 15:17:25 2012 : Info: [suffix] Authentication realm is LOCAL.
> Wed Mar 28 15:17:25 2012 : Info: ++[suffix] returns ok
> Wed Mar 28 15:17:25 2012 : Info: [eap] No EAP-Message, not doing EAP
> Wed Mar 28 15:17:25 2012 : Info: ++[eap] returns noop
> Wed Mar 28 15:17:25 2012 : Info: [files] expand: %{User-Name} ->
> test at mydomain.com
> Wed Mar 28 15:17:25 2012 : Info: ++[files] returns noop
> Wed Mar 28 15:17:25 2012 : Info: ++[expiration] returns noop
> Wed Mar 28 15:17:25 2012 : Info: ++[logintime] returns noop
> Wed Mar 28 15:17:25 2012 : Info: [pap] WARNING! No "known good" password
> found for the user. Authentication may fail because of this.
> Wed Mar 28 15:17:25 2012 : Info: ++[pap] returns noop
> Wed Mar 28 15:17:25 2012 : Info: ERROR: No authenticate method
> (Auth-Type) found for the request: Rejecting the user
> Wed Mar 28 15:17:25 2012 : Info: Failed to authenticate the user.
> Wed Mar 28 15:17:25 2012 : Auth: Login incorrect:
> [test at mydomain.com/test] (from client loopback port 1)
> Wed Mar 28 15:17:25 2012 : Info: Using Post-Auth-Type Reject
> Wed Mar 28 15:17:25 2012 : Info: # Executing group from file
> /etc/raddb/sites-enabled/default
> Wed Mar 28 15:17:25 2012 : Info: +- entering group REJECT {...}
> Wed Mar 28 15:17:25 2012 : Info: [attr_filter.access_reject] expand:
> %{User-Name} -> test at mydomain.com
> Wed Mar 28 15:17:25 2012 : Debug: attr_filter: Matched entry DEFAULT at
> line 11
> Wed Mar 28 15:17:25 2012 : Info: ++[attr_filter.access_reject] returns
> updated
> Wed Mar 28 15:17:25 2012 : Info: Delaying reject of request 12 for 1
> seconds
> Wed Mar 28 15:17:25 2012 : Debug: Going to the next request
> Wed Mar 28 15:17:25 2012 : Debug: Waking up in 0.9 seconds.
> Wed Mar 28 15:17:26 2012 : Info: Sending delayed reject for request 12
>
> It looks it doesn't use LDAP at all.
>
> If I enable both ldap setups in authorize section in
> sites-available/default
>
> #authorize
>
> ldap
> ldap1
> pap
>
> ###
>
> Then it doesn't use users file and always tryes to bind to first LDAP.
> For anonymous user too, which is wrong.
>
>
> Any pointers?

  1. Don't set Auth-Type. It's almost always wrong, and confusing
  2. Don't use Autz-Type any more. Use an "unlang" block (see below)
  3. Please spell out in a bit more detail what process you want; it's 
unclear from your email. When do you want ldap, ldap1 to be called? How 
does "pap" work unless you're setting a cleartext password? why

How about something like this:

authorize {
   ...
   suffix
   ...
   if (Realm == mydomain.com) {
     # only call ldap module for these users
     ldap
     # only permit pap for these users
     pap
   }
   else {
     # permit EAP for other users
     eap
   }

}
authenticate {
   ...
}

Unless you specify the rules you want to choose ldap1 instead of ldap, 
it's not obvious where "ldap1" fits in here.

More information about the Freeradius-Users mailing list