freeradius ldap auth "sort of" working ?

Arran Cudbard-Bell a.cudbardb at freeradius.org
Mon Jul 1 13:42:51 CEST 2013


On 1 Jul 2013, at 12:27, Horatiu Nimigean <horatiu.nimigean at ddnet.ro> wrote:

> Greetings.
> I have a problem with freeradius using ldap to auth, here are my system specs:
> 
> Centos 6 64bit
> freeradius installed from repo
>> rpm -qa | grep -i freeradius
>> freeradius-ldap-2.1.12-4.el6_3.x86_64
>> freeradius-2.1.12-4.el6_3.x86_64
>> freeradius-utils-2.1.12-4.el6_3.x86_64
> LDAP already up and running, on localhost. Everything is local btw, there are no remote services and LDAP is (test environment) accepting unsecured connections.
>> rpm -qa | grep -i openld
>> openldap-devel-2.4.23-32.el6_4.1.x86_64
>> openldap-clients-2.4.23-32.el6_4.1.x86_64
>> openldap-servers-2.4.23-32.el6_4.1.x86_64
>> openldap-2.4.23-32.el6_4.1.x86_64
> 
> radtest fails
>> radtest testuser_1 "letmein_1" localhost 2 testing123
>> Sending Access-Request of id 214 to 127.0.0.1 port 1812
>>        User-Name = "testuser_1"
>>        User-Password = "letmein_1"
>>        NAS-IP-Address = 127.0.0.1
>>        NAS-Port = 2
>>        Message-Authenticator = 0x00000000000000000000000000000000
>> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=214, length=20
> and this is the output from radius (ran as radiusd -X)
> http://pastebin.com/MT0txW2c
> 
> I don't understand. It auths but then it doesn't... The final result is not successful.
> Thanks in advance,

No.

Your admin user managed to bind and retrieve credentials for your user; your user bind never succeeded.

Seeing as you have access to the crypt hash of the user's password, you should use PAP to do authentication.

Set "set_auth_type = no" in modules/ldap, and make sure 'pap' is listed in authorize.

If the password you're using in radtest is correct, this will work. If it isn't then authentication will continue to fail.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
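
What the PAP path in the reply amounts to, as an added illustration (not code from the thread or from FreeRADIUS): the server compares the User-Password from the request with the hashed value it read from the directory, instead of binding to LDAP as the user. The `{SSHA}` storage format, the salt and the function names are assumptions; the thread does not show the stored value.

```python
import base64
import hashlib
import hmac

def make_ssha(password: str, salt: bytes) -> str:
    """Build an {SSHA} userPassword value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def split_header(stored: str):
    """Split '{SCHEME}data' into (SCHEME, data); no header is treated as cleartext."""
    if stored.startswith("{") and "}" in stored:
        scheme, data = stored[1:].split("}", 1)
        return scheme.upper(), data
    return "CLEARTEXT", stored

def pap_check(user_password: str, stored: str) -> bool:
    """Compare the PAP User-Password with the value read from the directory."""
    scheme, data = split_header(stored)
    candidate = user_password.encode()
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(candidate, data.encode())
    if scheme in ("SHA", "SSHA"):
        try:
            raw = base64.b64decode(data, validate=True)
        except ValueError:
            return False  # corrupt attribute value: reject
        if len(raw) < 20 or (scheme == "SHA" and len(raw) != 20):
            return False
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
        computed = hashlib.sha1(candidate + salt).digest()
        return hmac.compare_digest(computed, digest)  # constant-time compare
    # Any other scheme (crypt(3) hashes are not handled here): fail closed.
    return False

# Constructed sample entry: the salt is made up, the password is the
# test value used with radtest in the thread.
STORED = make_ssha("letmein_1", b"\x01\x02\x03\x04")

if __name__ == "__main__":
    print("correct password:", pap_check("letmein_1", STORED))
    print("wrong password:  ", pap_check("letmein_2", STORED))
    print("unknown scheme:  ", pap_check("letmein_1", "{UNKNOWN}abc"))
```

With this kind of check the outcome depends only on the request password matching the stored hash, which is why the reply says a wrong radtest password will keep failing.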


