Freeipa and Freeradius integration

KL Forwarder kl.forwarder at gmail.com
Tue Apr 28 16:47:05 CEST 2015


Hi,

On Wed, Apr 22, 2015 at 2:37 PM, Arran Cudbard-Bell
<a.cudbardb at freeradius.org> wrote:
>> Can you resend. I've allowed 'application/octet-stream' as an attachment, so the listserv should preserve it. Still building the list of useful content types.
>>
>> On the plus side, no horrifically formatted HTML email, and there's been a noticeable drop in garish signature images :)

:)

> Ok, after reviewing the capture (sent off list)...
>
> The search is returning multiple entries for the same object, the first of which holds no attributes. FreeRADIUS only processes the first result, which is why no attributes are being added. This is sane behaviour on the part of FreeRADIUS.
>
> RFC4511 doesn't mention a situation where multiple searchResults can be returned for the same object, but neither does it expressly forbid it.
>
> Your capture missed the search request, so I can't tell if that was because some unusual search control got added.
>
> Can you send a capture with the search request too? Preferably one from ldapsearch and one from FreeRADIUS so we can see the differences. Also complete output from ldapsearch would be useful, with maximum verbosity.
>
> I imagine it'll show two search results returned, one with no attributes, and one with attributes. If it only displays one, I'll check through the OpenLDAP code and figure out why. Maybe they know something we don't...

I *think* it shows two. But the output might mean more to you.

> What's odd is this would have been an issue with v2.x.x and v1.x.x, but it's only been reported now... So either this is a new bug/feature in RedHat's LDAP server, or your LDAP configuration is broken.

I have not seen a lot of people trying it, that might be the reason.

What I have done, and will send you off-list (privacy) is:
1) start a tcpdump (tcpdump -A -i any -w dump_all_port_389_and_1812.pcap port 389 or port 1812)
2) start radiusd (radiusd -X 2>&1 | tee radiusd.out)
3) do a radtest (~16:33:28) (radtest klutest password 127.0.0.1 1812 41P***********qcfu | tee radtest.out)
4) do a ldapsearch (ldapsearch -x -v -W -D 'cn=Directory Manager' uid=klutest)
5) stop the tcpdump

I will send you the files. Thanks again.
/kl
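As an added example (not from the thread, FreeRADIUS or FreeIPA), a small Python check for the symptom Arran describes: parse the LDIF that ldapsearch prints, group entries by DN, and report any DN that comes back more than once with an attribute-less first copy, which is exactly the case a first-result-only consumer would miss. The SAMPLE_LDIF below is constructed for the demonstration, not the capture from the thread.

```python
from collections import defaultdict
# Constructed sample of ldapsearch output (not the capture from the thread).
SAMPLE_LDIF = """\
# filter: uid=klutest

dn: uid=klutest,cn=users,cn=accounts,dc=example,dc=com

dn: uid=klutest,cn=users,cn=accounts,dc=example,dc=com
uid: klutest
cn: KLU Test User
memberOf: cn=radius-users,cn=groups,cn=accounts,dc=examp
 le,dc=com

search: 2
result: 0 Success
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})] in server order; skips '#' comments,
    splits records on blank lines and unfolds ' '-prefixed continuations."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:       # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():                    # blank line ends a record
            current = None
        elif line.startswith("#"):
            continue
        else:
            name, _, value = line.partition(":")
            if name == "dn":
                current = (value.strip(), defaultdict(list))
                entries.append(current)
            elif current is not None:           # drops trailing search:/result:
                current[1][name].append(value.strip())
    return [(dn, dict(attrs)) for dn, attrs in entries]

def empty_first_duplicates(entries):
    """DNs returned more than once whose first copy carries no attributes
    (the case where a first-result-only consumer such as FreeRADIUS sees nothing)."""
    copies = defaultdict(list)
    for dn, attrs in entries:
        copies[dn].append(attrs)
    return sorted(dn for dn, seen in copies.items()
                  if len(seen) > 1 and not seen[0] and any(seen[1:]))
```

Run it against the real `ldapsearch -x -v` output (saved to a file and passed to `parse_ldif`) to confirm whether the directory really returns two searchResultEntry messages for the same DN.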