Freeipa and Freeradius integration
KL Forwarder
kl.forwarder at gmail.com
Fri Apr 10 14:58:23 CEST 2015
All,
I can use your help. I am trying to set up freeradius on my RHEL
IDM/freeipa server. A mail [0] from the freeipa list indicated that
this would be easy, but I think I am missing one step.
So far, freeradius can find the user in ldap ("User object found at DN
\"uid=username,cn=users,cn=compat,dc=companyname,dc=local\""). It just
does not seem to be able to verify if the password is correct. What
steps do I need to take? I am just trying to figure this out, I don't
have a guide or anything.
I have uploaded my radiusd.conf [ http://pastebin.com/GijucMps ], my
mods-available/ldap [ http://pastebin.com/YJTi8srS ] and
sites-available/ldap [ http://pastebin.com/MMGzU8Sj ].
All help is welcome. It is probably something easy.
This is the log I get:
============================================================
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) ? if (User-Name != "%{tolower:%{User-Name}}")
(0) expand: "%{tolower:%{User-Name}}" -> 'klu'
(0) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(0) ? if (User-Name =~ / /)
(0) ? if (User-Name =~ / /) -> FALSE
(0) ? if (User-Name =~ /@.*@/ )
(0) ? if (User-Name =~ /@.*@/ ) -> FALSE
(0) ? if (User-Name =~ /\\.\\./ )
(0) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(0) ? if (User-Name =~ /\\.$/)
(0) ? if (User-Name =~ /\\.$/) -> FALSE
(0) ? if (User-Name =~ /@\\./)
(0) ? if (User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : No '@' in User-Name = "klu", looking up realm NULL
(0) suffix : No such realm "NULL"
(0) [suffix] = noop
(0) eap : No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(0) ldap : expand: "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
-> '(uid=klu)'
(0) ldap : expand: "dc=kahuna,dc=local" -> 'dc=kahuna,dc=local'
(0) ldap : Performing search in 'dc=kahuna,dc=local' with filter '(uid=klu)'
(0) ldap : Waiting for search result...
(0) ldap : User object found at DN
"uid=klu,cn=users,cn=compat,dc=kahuna,dc=local"
(0) ldap : Processing user attributes
(0) WARNING: ldap : No "reference" password added. Ensure the admin
user has permission to read the password attribute
(0) WARNING: ldap : PAP authentication will *NOT* work with Active
Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (4)
(0) [ldap] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) WARNING: pap : No "known good" password found for the user. Not
setting Auth-Type.
(0) WARNING: pap : Authentication will fail unless a "known good"
password is available.
(0) [pap] = noop
(0) } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user.
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject : expand: "%{User-Name}" -> 'klu'
(0) attr_filter.access_reject : Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
(0) [eap] = noop
(0) remove_reply_message_if_eap remove_reply_message_if_eap {
(0) ? if (reply:EAP-Message && reply:Reply-Message)
(0) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE
(0) else else {
(0) [noop] = noop
(0) } # else else = noop
(0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Finished request 0.
============================================================
[0] https://www.redhat.com/archives/freeipa-users/2008-October/msg00036.html
Thanks!
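The debug output above shows the usual shape of this problem: rlm_ldap finds the entry but cannot read a "reference" password from it, so rlm_pap has nothing to compare against and the request ends with "No Auth-Type found". The other way to let FreeRADIUS verify the password is to have rlm_ldap bind to the directory as the user with the password from the request. The virtual-server fragment below is an added example, not the poster's configuration or anything shipped by FreeIPA; it assumes FreeRADIUS 3.0.x unlang syntax and an ldap module instance named `ldap`, which matches the names in the log.

```unlang
# Added example (not from the original post): FreeRADIUS 3.0.x
# sites-available/default, edited so that the ldap module authenticates
# by binding to the directory as the user instead of comparing against
# a password attribute the RADIUS bind account is not allowed to read.
# Assumes the ldap module instance is named "ldap", as in the debug log.

authorize {
	filter_username
	preprocess
	chap
	mschap
	digest
	suffix
	eap {
		ok = return
	}
	files

	# ldap looks the user up; it returns ok/updated even when no
	# "reference" password could be read (the warning in the log).
	-ldap

	# Only PAP requests carry a plaintext User-Password that can be
	# used for an LDAP bind, so route exactly those to Auth-Type LDAP.
	# Requests without it (CHAP, MS-CHAP, EAP) fall through unchanged.
	if ((ok || updated) && User-Password) {
		update {
			control:Auth-Type := ldap
		}
	}

	expiration
	logintime
	pap
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}

	# Bind to the directory with the user's DN and the supplied
	# password: a successful bind yields Access-Accept, anything
	# else rejects the request.
	Auth-Type LDAP {
		ldap
	}

	eap
}
```

These two stanzas are the ones the stock 3.0 `default` virtual server ships commented out next to `-ldap` and in `authenticate`. Two things to keep in mind when weighing this against granting the RADIUS bind account read access to the password attribute: the bind-as-user path only works for PAP, because every other method (CHAP, MS-CHAP, most EAP types) never sends a plaintext password and still needs a readable password attribute; and with PAP the password crosses the RADIUS hop protected only by the shared secret, so the NAS-to-RADIUS link should be treated as sensitive and the debug output (`radiusd -X`) should not be left running in production, since it prints request attributes.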