FreeRADIUS 3, FreeBSD, eDirectory
Peter Lambrechtsen
peter at crypt.nz
Wed Aug 2 10:55:47 CEST 2017
Actually I suspect it's the SSL library compiled or not compuled into the
openldap library. Since you need for Universal password to work a TLS
session to eDir.
Can you do the same LDAP search using standard ldapsearch over SSL? As the
search is failing so that doesn't bode well.
On 2/08/2017 20:49, "Peter Lambrechtsen" <peter at crypt.nz> wrote:
> I suspect that you need to rebuild FR3 with the right LDAP library.
> Something looks very odd there as I have compiled FR3 with eDir on RHEL 6&7
> using universal password without an issue.
>
> On 2/08/2017 19:47, "Marco Pirovano" <marco.pirovano at unibocconi.it> wrote:
>
>> Hi Arran,
>>
>> yes, the universal password is enabled and is working with FR2.
>>
>> The problem is with FR3.
>>
>> On FR2 in debug mode:
>>
>> The client:
>>
>> [root at cariddi:~] radtest -x pirovano xxxxxxxx 10.5.255.241 1 yyyyyyyy
>> Sending Access-Request of id 97 to 10.5.255.241 port 1812
>> User-Name = "pirovano"
>> User-Password = "xxxxxxxx"
>> NAS-IP-Address = 10.5.255.241
>> NAS-Port = 1
>> Message-Authenticator = 0x00000000000000000000000000000000
>> rad_recv: Access-Accept packet from host 10.5.255.241 port 1812, id=97,
>> length=20
>>
>> The FR2:
>>
>> [eDirectory-UNI] ldap_get_conn: Checking Id: 0
>> [eDirectory-UNI] ldap_get_conn: Got Id: 0
>> [eDirectory-UNI] attempting LDAP reconnection
>> [eDirectory-UNI] (re)connect to ldap.unibocconi.it:389, authentication
>> 0
>> [eDirectory-UNI] starting TLS
>> [eDirectory-UNI] bind as cn=RADIUSAdmin,ou=Servers,o=INetServices/zzzzzzzzz
>> to ldap.unibocconi.it:389
>> [eDirectory-UNI] waiting for bind result ...
>> [eDirectory-UNI] Bind was successful
>> [eDirectory-UNI] performing search in ou=Faculty-Staff,ou=Bocconi,o=INetServices,
>> with filter (cn=pirovano)
>> [eDirectory-UNI] Added the eDirectory password xxxxxxxx in check items as
>> Cleartext-Password
>>
>>
>>
>> On FR3 in debug mode:
>>
>> the client:
>>
>> [root at freeradius3:~] radtest pirovano xxxxxxxx 10.1.1.82 1 yyyyyyyy
>> Sent Access-Request Id 157 from 0.0.0.0:35640 to 10.1.1.82:1812 length 78
>> User-Name = "pirovano"
>> User-Password = "xxxxxxxx"
>> NAS-IP-Address = 10.1.1.82
>> NAS-Port = 1
>> Message-Authenticator = 0x00
>> Cleartext-Password = "xxxxxxxx"
>> Received Access-Reject Id 157 from 10.1.1.82:1812 to 0.0.0.0:0 length 20
>> (0) -: Expected Access-Accept got Access-Reject
>>
>>
>> The FR3:
>>
>> (0) eDirectory-ICT: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
>> (0) eDirectory-ICT: --> (cn=pirovano)
>> (0) eDirectory-ICT: Performing search in "ou=Faculty-Staff,ou=Bocconi,o=INetServices"
>> with filter "(cn=pirovano)", scope "sub"
>> (0) eDirectory-ICT: Waiting for search result...
>> ber_get_next failed.
>> ber_get_next failed.
>> (0) eDirectory-ICT: User object found at DN "cn=Pirovano,ou=ICT,ou=Faculty
>> -Staff,ou=Bocconi,o=INetServices"
>>
>> (0) eDirectory-ICT: ERROR: Failed to retrieve eDirectory password: (80)
>> Other (e.g., implementation specific) error
>>
>> rlm_ldap (eDirectory-ICT): Released connection (0)
>> Need 5 more connections to reach 10 spares
>> rlm_ldap (eDirectory-ICT): Opening additional connection (5), 1 of 27
>> pending slots used
>> rlm_ldap (eDirectory-ICT): Connecting to ldap://ldaps.unibocconi.it:636
>> rlm_ldap (eDirectory-ICT): Waiting for bind result...
>> rlm_ldap (eDirectory-ICT): Bind successful
>> (0) [eDirectory-ICT] = fail
>> (0) } # authorize = fail
>>
>>
>>
>> Thanks.
>> Marco
>>
>>
>> ----- Il 1-ago-17, alle 19:35, Arran Cudbard-Bell
>> a.cudbardb at freeradius.org ha scritto:
>>
>> >> On Aug 1, 2017, at 11:29 AM, Marco Pirovano <
>> marco.pirovano at unibocconi.it>
>> >> wrote:
>> >>
>> >> Hello list,
>> >>
>> >> we are using FreeRADIUS to authenticate students wireless access.
>> >> It's FreeRADIUS Version 2.2.8 running on FreeBSD 9.2-STABLE.
>> >>
>> >> Our LDAP server is eDirectory version 8.8
>> >>
>> >>
>> >> Now, we are upgrading to FreeRADIUS 3.0.15 (installed from ports)
>> running on
>> >> FreeBSD 11.1-RELEASE.
>> >> LDAP is always eDirectory 8.8.
>> >>
>> >> The bind to LDAP server it's ok, but the user is not authenticate, the
>> error is:
>> >>
>> >> Invalid user (eDirectory-ICT: Failed to retrieve eDirectory password:
>> (80) Other
>> >> (e.g., implementation specific) error):
>> >>
>> >
>> > Have you enabled universal password?
>> >
>> > https://www.netiq.com/documentation/edir_radius/pdfdoc/
>> radiusadmin/radiusadmin.pdf
>> >
>> > -Arran
>> >
>> > -
>> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list
>> /users.html
>>
>> --
>> Marco Pirovano
>> Infrastrutture e Tecnologie
>> Information and Communication Technology
>> Universita' Bocconi
>> via Gobbi, 5 - 20136 Milano
>> Tel. +39 02 5836.3173 Fax. +39 02 5836.3160
>>
>> Windows makes noise, Linux plays music,
>> but BSD Rocks!
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list
>> /users.html
>
>
More information about the Freeradius-Users
mailing list