LDAP module file using localhost instead of external?

Jennifer Mehl mehl at chem.ucsb.edu
Tue Sep 11 00:47:19 CEST 2012 

Hello,

I have an existing FreeRADIUS setup that is working quite well to authenticate/authorize users for WPA2 wireless to our smbpasswd file.  This is 2.1.10+dfsg-2 on Debian Squeeze.

I've recently acquired a "captive portal" network device that we are going to use for our guest wireless users.  I'm in the process of setting FreeRADIUS for authentication to our campus' LDAP server.  

I've verified connectivity to the server using the OpenLDAP ldapsearch tools from the same host.  However, when I define the server in the /etc/freeradius/modules/ldap files, it doesn't appear to be read properly by FreeRADIUS, which is defaulting instead to 'localhost' instead of our directory server, directory.ucsb.edu, which is defined in the module file.

Here is the output of freeradius -X showing part of the file being read but then ignored?:

 Module: Linked to module rlm_ldap
 Module: Instantiating module "ucsbnetid" from file /etc/freeradius/modules/ldap
  ldap ucsbnetid {
	server = "localhost"
	port = 389
	password = ""
	identity = ""
	net_timeout = 1
	timeout = 4
	timelimit = 3
	tls_mode = no
	start_tls = no
	tls_require_cert = "allow"
   tls {
	start_tls = no
	require_cert = "allow"
   }
	basedn = "o=notexist"
	filter = "(uid=%u)"
	base_filter = "(objectclass=radiusprofile)"
	auto_header = no
	access_attr_used_for_allow = yes
	groupname_attribute = "cn"
	groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
	dictionary_mapping = "/etc/freeradius/ldap.attrmap"
	ldap_debug = 40
	ldap_connections_number = 5
	compare_check_items = no
	do_xlat = yes
	edir_account_policy_check = no
	set_auth_type = yes
  }

Here is my /etc/freeradius/modules/ldap file (password obfuscated):

ldap ucsbnetid {
	#
	#  Note that this needs to match the name in the LDAP
	#  server certificate, if you're using ldaps.
       server = "directory.ucsb.edu"
       identity = "uid=chemrad,o=ucsb"
       password = ********
       basedn = "o=ucsb"
       filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
       base_filter = "(objectclass=ucsbperson)"
	#base_filter = "(objectclass=radiusprofile)"

	#  How many connections to keep open to the LDAP server.
	#  This saves time over opening a new LDAP socket for
	#  every authentication request.
	ldap_connections_number = 5

	# seconds to wait for LDAP query to finish. default: 20
	timeout = 4

	#  seconds LDAP server has to process the query (server-side
	#  time limit). default: 20
	#
	#  LDAP_OPT_TIMELIMIT is set to this value.
	timelimit = 3

	#
	#  This subsection configures the tls related items
	#  that control how FreeRADIUS connects to an LDAP
	#  server.  It contains all of the "tls_*" configuration
	#  entries used in older versions of FreeRADIUS.  Those
	#  configuration entries can still be used, but we recommend
	#  using these.
	#
	tls {
		# Set this to 'yes' to use TLS encrypted connections
		# to the LDAP database by using the StartTLS extended
		# operation.
		#			
		# The StartTLS operation is supposed to be
		# used with normal ldap connections instead of
		# using ldaps (port 689) connections
		start_tls = no

		# cacertfile	= /path/to/cacert.pem
		# cacertdir		= /path/to/ca/dir/
		# certfile		= /path/to/radius.crt
		# keyfile		= /path/to/radius.key
		# randfile		= /path/to/rnd

		#  Certificate Verification requirements.  Can be:
		#    "never" (don't even bother trying)
		#    "allow" (try, but don't fail if the cerificate
		#		can't be verified)
		#    "demand" (fail if the certificate doesn't verify.)
		#
		#	The default is "allow"
		# require_cert	= "demand"

	#
	#  seconds to wait for response of the server. (network
	#   failures) default: 10
	#
	#  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
	net_timeout = 1

	#

	}

	# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
	# profile_attribute = "radiusProfileDn"
	# access_attr = "dialupAccess"

	# Mapping of RADIUS dictionary attributes to LDAP
	# directory attributes.
	dictionary_mapping = ${confdir}/ldap.attrmap

	#  Set password_attribute = nspmPassword to get the
	#  user's password from a Novell eDirectory
	#  backend. This will work ONLY IF FreeRADIUS has been
	#  built with the --with-edir configure option.
	#
	#  See also the following links:
	#
	#  http://www.novell.com/coolsolutions/appnote/16745.html
	#https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
	#
	#  Novell may require TLS encrypted sessions before returning
	#  the user's password.
	#
	# password_attribute = userPassword

	#  Un-comment the following to disable Novell
	#  eDirectory account policy check and intruder
	#  detection. This will work *only if* FreeRADIUS is
	#  configured to build with --with-edir option.
	#
	edir_account_policy_check = no
	#
	#  Group membership checking.  Disabled by default.
	#
	# groupname_attribute = cn
	# groupmembership_filter = "(|(&(objectClass=GroupOfNames}(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueName
s)(uniquemember=%{control:Ldap-UserDn})))"
	# groupmembership_attribute = radiusGroupName

	# compare_check_items = yes
	# do_xlat = yes
	# access_attr_used_for_allow = yes

	#
	#  The following two configuration items are for Active Directory
	#  compatibility.  If you see the helpful "operations error"
	#  being returned to the LDAP module, uncomment the next
	#  two lines.
	#
	# chase_referrals = yes
	# rebind = yes

	#
	#  By default, if the packet contains a User-Password,
	#  and no other module is configured to handle the
	#  authentication, the LDAP module sets itself to do
	#  LDAP bind for authentication.
	#
	#  THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
	#
	#  THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). 
#
	#  You can disable this behavior by setting the following
	#  configuration entry to "no".
	#
	#  allowed values: {no, yes}
	# set_auth_type = yes

	#  ldap_debug: debug flag for LDAP SDK
	#  (see OpenLDAP documentation).  Set this to enable
	#  huge amounts of LDAP debugging on the screen.
	#  You should only use this if you are an LDAP expert.
	#
	#	default: 0x0000 (no debugging messages)
	#	Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
	ldap_debug = 0x0028 
}



Thank you for any assistance in troubleshooting this issue…

--Jennifer


==================================
Jennifer L. Mehl
Director of Information Technology
Dept. of Chemistry and Biochemistry
2618 PSBN 
University of California, Santa Barbara
Santa Barbara, CA 93106-9510
	mailto: mehl -at - chem.ucsb.edu
	805-893-4392 (office)
	805-451-7486 (cell)
==================================

More information about the Freeradius-Users mailing list