Authentication using MySQL and AD (LDAP)

chenjiang chenjiang at microshield.com.cn
Tue May 26 04:06:40 CEST 2015


   Hi Experts,

   Sorry for disturbing you. I am struggling with FreeRADIUS user
   authentication through Windows AD (LDAP), but I found that when LDAP
   is enabled, the MySQL backend does not work any more.

   From the debug output (radiusd -X), we found that even when the MySQL
   module returns ok, FreeRADIUS still returns Access-Reject when the
   LDAP module returns fail.

   rad_recv: Access-Request packet from host 127.0.0.1 port 56492, id=130, length=76
           User-Name = "lichan"
           User-Password = "lab123"
           NAS-IP-Address = 192.99.166.230
           NAS-Port = 0
           Message-Authenticator = 0xae46df97fecc24cc74a8413240088489
   # Executing section authorize from file /etc/raddb/sites-enabled/default
   +- entering group authorize {...}
   ++[preprocess] returns ok
   ++[chap] returns noop
   ++[mschap] returns noop
   [suffix] No '@' in User-Name = "lichan", looking up realm NULL
   [suffix] No such realm "NULL"
   ++[suffix] returns noop
   [eap] No EAP-Message, not doing EAP
   ++[eap] returns noop
   [sql]   expand: %{User-Name} -> lichan
   [sql] sql_set_user escaped user --> 'lichan'
   rlm_sql (sql): Reserving sql socket id: 30
   [sql]   expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'lichan' ORDER BY id
   [sql] User found in radcheck table
   [sql]   expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'lichan' ORDER BY id
   [sql]   expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'lichan' ORDER BY priority
   [sql]   expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'microshield' ORDER BY id
   [sql] User found in group microshield
   [sql]   expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'microshield' ORDER BY id
   rlm_sql (sql): Released sql socket id: 30
   ++[sql] returns ok
   [ldap] performing user authorization for lichan
   [ldap]  expand: %{Stripped-User-Name} ->
   [ldap]  ... expanding second conditional
   [ldap]  expand: %{User-Name} -> lichan
   [ldap]  expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=lichan)
   [ldap]  expand: dc=ms,dc=local -> dc=ms,dc=local
     [ldap] ldap_get_conn: Checking Id: 0
     [ldap] ldap_get_conn: Got Id: 0
     [ldap] attempting LDAP reconnection
     [ldap] (re)connect to 192.168.254.102:389, authentication 0
     [ldap] bind as cn=Administrator,cn=Users,dc=ms,dc=local/1qaz!QAZ to 192.168.254.102:389
     [ldap] waiting for bind result ...
     [ldap] Bind was successful
     [ldap] performing search in dc=ms,dc=local, with filter (sAMAccountName=lichan)
     [ldap] ldap_search() failed: Operations error
   [ldap] search failed
     [ldap] ldap_release_conn: Release Id: 0
   ++[ldap] returns fail
   Using Post-Auth-Type Reject
   # Executing group from file /etc/raddb/sites-enabled/default
   +- entering group REJECT {...}
   [attr_filter.access_reject]     expand: %{User-Name} -> lichan
   attr_filter: Matched entry DEFAULT at line 11
   ++[attr_filter.access_reject] returns updated
   Delaying reject of request 0 for 1 seconds
   Going to the next request
   Waking up in 0.9 seconds.
   Sending delayed reject for request 0
   Sending Access-Reject of id 130 to 127.0.0.1 port 56492
   Waking up in 4.9 seconds.
   Cleaning up request 0 ID 130 with timestamp +25
   Ready to process requests.

   Is this expected behaviour? How can I enable them both at the same time?
   The scenario is that I want to use AD for internal employee 802.1X
   authentication and use MySQL for visitor authentication.

   Thanks for your support!
   BR!
   Chen Jiang
   Microshield Technology Co., Ltd
   18-19F, Tower C2, Haobai Building, 50 Xisanhuan North Road, Haidian District, Beijing 100048
   (86)10-88518768
   (86)18612696123
   chenjiang at microshield.com.cn
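One way to keep the two backends from interfering, shown here as an added example that is not part of the post: in the FreeRADIUS 2.x unlang syntax that matches this debug output, the authorize section only consults ldap when sql did not find the user, so a fail from the LDAP module can no longer override a successful SQL lookup. It assumes visitor accounts exist only in the radcheck table and employee accounts only in AD.

```unlang
# Excerpt of the authorize section in /etc/raddb/sites-enabled/default
# (added example; module names follow the debug output above).
authorize {
    preprocess
    chap
    mschap
    suffix
    eap {
        ok = return
    }

    # Visitor accounts live in MySQL (radcheck / radgroupcheck).
    sql

    # In unlang a condition written as a return code tests the result of
    # the previous module.  Only fall through to Active Directory when
    # SQL did not know the user: a module that returns "fail" aborts the
    # section and the request is rejected, which is exactly what the
    # unconditional ldap call produced in the log above.
    if (notfound) {
        ldap
    }

    expiration
    logintime

    # PAP requests are checked against Cleartext-Password from radcheck
    # (or a password attribute fetched by ldap).
    pap
}
```

The search error shown in the log (ldap_search() failed: Operations error) still has to be fixed for AD users; this change only stops it from rejecting visitors that SQL has already authorised.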

