Trying to integrate with LDAP

fernando.sg1 at gmail.com
Thu Mar 14 16:41:51 CET 2013


Hey, thanks for the help.

Yeah, this part seems to be OK; the second part I wrongly quoted.
If I understood this, FreeRADIUS can authorize but not authenticate. Look at
the full result of freeradius -X:


# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
[ldap] performing user authorization for user1
[ldap] expand: (uid=%u) -> (uid=user1)
[ldap] expand: dc=xxxx,dc=edu,dc=br -> dc=ifsudeste,dc=edu,dc=br
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
  [ldap] (re)connect to 200.xx.xx.47:389, authentication 0
  [ldap] bind as cn=admin,dc=xxxx,dc=edu,dc=br/123abc to 200.xxx.xx.47:389
[ldap] waiting for bind result ...
[ldap] Bind was successful


*Here it makes the bind and returns OK, right?*

  [ldap] performing search in dc=xxxx,dc=edu,dc=br, with filter (uid=user1)                  <-------- *now it tries to find user1 in the LDAP base.*
[ldap] checking if remote access for user1 is allowed by uid
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header ==
"{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
[ldap] looking for reply items in directory...
[ldap] Setting Auth-Type = LDAP
[ldap] user user1 authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
           <---- *so far... everything OK*
++[expiration] returns noop
++[logintime] returns noop


*Now it does that, and I don't know exactly why, but I guess now it tries to
authenticate. Am I right?*


Found Auth-Type = LDAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group LDAP {...}
[ldap] login attempt by "user1" with password "123"
[ldap] user DN: cn=user1,ou=People,dc=xxxxxxx,dc=edu,dc=br
       <---------------   *here it tries to bind again!?*
  [ldap] (re)connect to 200.xxx.xxx.47:389, authentication 1
  [ldap] bind as cn=user1,ou=People,dc=xxxxxxx,dc=edu,dc=br/123 to 200.xxx.xx.47:389   *<----- and it seems to try to use user1 to bind, but user1 isn't a bind user*
[ldap] waiting for bind result ...
[ldap] Bind failed with invalid credentials    *<---------- This is what
I'm complaining about.*
++[ldap] returns reject
Failed to authenticate the user.
Login incorrect ( [ldap] Bind as user failed): [user1/123] (from client localhost port 10)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> user1
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated

*And the result of radtest is:*

radtest user1 123 127.0.0.1 10 testing123
Sending Access-Request of id 156 to 127.0.0.1 port 1812
User-Name = "user1"
User-Password = "123"
NAS-IP-Address = 200.131.96.47
NAS-Port = 10
rad_recv: *Access-Reject* packet from host 127.0.0.1 port 1812, id=156, length=20


Any idea why?


2013/3/14 Arran Cudbard-Bell <a.cudbardb at freeradius.org>

>
> On 13 Mar 2013, at 22:03, fernando.sg1 at gmail.com wrote:
>
> > Now at the PC, I can write better:
> >
> > 1st: should I uncomment these 2 lines in /modules/ldap
> > # identity = "cn=admin,dc=xxxxx,dc=edu,dc=br"
> > # password = "123abc"
> > ?
>
> Um yes if you need to do an authenticated bind to search in the directory.
>
> >
> > I tried both configs, with ou=People or without, and it doesn't work.
> >
> >
> > Uncommenting the 2 lines I get this on freeradius -X:
> >
> > [ldap] performing user authorization for user1
> > [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
> > [ldap] ... expanding second conditional
> > [ldap] expand: %{User-Name} -> user1
> > [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=user1)
> > [ldap] expand: ou=People,dc=xxxx,dc=edu,dc=br -> ou=People,dc=xxxxxx,dc=edu,dc=br
> > [ldap] ldap_get_conn: Checking Id: 0
> > [ldap] ldap_get_conn: Got Id: 0
> > [ldap] attempting LDAP reconnection
> > [ldap] (re)connect to 200.131.96.47:389, authentication 0
> >   [ldap] bind as cn=admin,dc=xxxxxx,dc=edu,dc=br/123abc to 200.131.96.47:389
> > [ldap] waiting for bind result ...
> > [ldap] Bind was successful
> >   [ldap] performing search in ou=People,dc=xxxxx,dc=edu,dc=br, with filter (uid=user1)
> > [ldap] checking if remote access for user1 is allowed by uid
> > [ldap] No default NMAS login sequence
> > [ldap] looking for check items in directory...
> > [ldap] userPassword -> Password-With-Header == "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
> > [ldap] looking for reply items in directory...
> > [ldap] Setting Auth-Type = LDAP
> > [ldap] user user1 authorized to use remote access
> >
>
> Which seems to be correct?
>
> -Arran
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
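In the debug output above, the authorize step read the user's `userPassword` as `{MD5}ICy5YqxZB1uWSwcVLSNLcA==` (an RFC 2307 style `{scheme}base64` value), and the authenticate step then tried to bind as the user's DN with the password radtest sent. One useful check while debugging this kind of reject is to decode that stored value and recompute it from the candidate password: if the hash matches, the "invalid credentials" result points at the bind itself (the DN, directory access controls or server-side password handling) rather than at a wrong password. The following is an added example and is not code from the thread or from FreeRADIUS; the sample value is the one quoted in the debug output, and the function names and the SSHA sample are my own constructions.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample: the value rlm_ldap printed in the debug output above.
SAMPLE_USERPASSWORD = "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="

# RFC 2307 style scheme prefixes -> (hash constructor, salted?)
# Salted schemes store base64(digest || salt).
SCHEMES = {
    "MD5": (hashlib.md5, False),
    "SMD5": (hashlib.md5, True),
    "SHA": (hashlib.sha1, False),
    "SSHA": (hashlib.sha1, True),
    "SHA256": (hashlib.sha256, False),
    "SSHA256": (hashlib.sha256, True),
}


def parse_userpassword(value):
    """Split a userPassword value into (scheme, digest, salt).

    A value without a {scheme} prefix is treated as cleartext.
    """
    if not value.startswith("{") or "}" not in value:
        return ("CLEARTEXT", value.encode(), b"")
    end = value.index("}")
    scheme = value[1:end].upper()
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported userPassword scheme: {scheme}")
    hash_fn, salted = SCHEMES[scheme]
    raw = base64.b64decode(value[end + 1:])
    digest_len = hash_fn().digest_size
    if salted:
        digest, salt = raw[:digest_len], raw[digest_len:]
    else:
        digest, salt = raw, b""
    if len(digest) != digest_len:
        raise ValueError("digest length does not match scheme")
    return (scheme, digest, salt)


def verify_userpassword(value, candidate):
    """Return True if candidate reproduces the stored userPassword value."""
    scheme, digest, salt = parse_userpassword(value)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(digest, candidate.encode())
    hash_fn, _ = SCHEMES[scheme]
    computed = hash_fn(candidate.encode() + salt).digest()
    # Constant-time comparison; avoids leaking how many bytes matched.
    return hmac.compare_digest(computed, digest)


def make_userpassword(scheme, password, salt=b""):
    """Build an RFC 2307 style value; useful for round-trip checks."""
    scheme = scheme.upper()
    hash_fn, salted = SCHEMES[scheme]
    if not salted:
        salt = b""
    elif not salt:
        salt = os.urandom(8)
    digest = hash_fn(password.encode() + salt).digest()
    return "{" + scheme + "}" + base64.b64encode(digest + salt).decode()


if __name__ == "__main__":
    for pw in ("123", "124"):
        print(pw, "->", verify_userpassword(SAMPLE_USERPASSWORD, pw))
```

Run it with the value from your own `freeradius -X` output and the password the NAS sent. Note that rlm_ldap exposed the hash as `Password-With-Header`, which is the attribute FreeRADIUS's pap module can check directly; that is an alternative to the bind-based `Auth-Type = LDAP` path shown in the debug output, and it needs read access to `userPassword` for the identity that rlm_ldap binds with.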