Porting ldap module configuration from 2.2.9 to 3.0.15
Olivier
Olivier.Nicole at cs.ait.ac.th
Wed Sep 20 07:11:20 CEST 2017
"Fajar A. Nugraha" <list at fajar.net> writes:
> The last part shouldn't be there, since you should've had an entry that
> adds Ldap-UserDN.
>
> It should print something like this
> (0) authorize {
> (0) files: EXPAND uid=%{User-Name},ou=people,dc=company,dc=com
> (0) files: --> uid=testuser,ou=people,dc=company,dc=com
> (0) files: users: Matched entry DEFAULT at line 1
> ...
> (0) [files] = ok
>
> Did you edit the correct file? The default (in ubuntu)
> is /etc/freeradius/users (or /etc/raddb/users in most other distros), which
> is a symlink to mods-config/files/authorize
I found my mistake. When setting up the chroot, I copied all of raddb with
cp(1) and the symlinks got overwritten by plain files. raddb/users was
not a symlink anymore.
Now I get the correct result for authorize/files. I removed any
reference to ldap in the authorize section of sites-enabled/default.
Now I get the error "ERROR: No Auth-Type found: rejecting the user via
Post-Auth-Type = Reject"
With the full messages being:
Ready to process requests
(0) Received Access-Request Id 162 from 192.41.170.3:19766 to 192.41.170.3:1812 length 72
(0) User-Name = "on"
(0) User-Password = "***** password redeacted"
(0) NAS-IP-Address = 192.41.170.6
(0) NAS-Port = 0
(0) Message-Authenticator = 0x768ce2f6e2d22042c783973be35af3b8
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) policy filter_password {
(0) if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(0) EXPAND %{string:User-Password}
(0) --> ***** password redeacted
(0) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(0) } # policy filter_password = notfound
(0) [preprocess] = ok
(0) auth_log: EXPAND /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log: --> /var/log/radacct/192.41.170.3/auth-detail-20170920
(0) auth_log: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/192.41.170.3/auth-detail-20170920
(0) auth_log: EXPAND %t
(0) auth_log: --> Wed Sep 20 04:48:30 2017
(0) [auth_log] = ok
(0) [mschap] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "on", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: EXPAND %{Client-IP-Address}
(0) files: --> 192.41.170.3
(0) files: users: Matched entry DEFAULT at line 222
(0) files: EXPAND uid=%{User-Name},ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th
(0) files: --> uid=on,ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th
(0) [files] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [on/***** password redeacted] (from client fbsd35.cs.ait.ac.th port 0)
Thank you,
Olivier
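For reference, this is how the stock FreeRADIUS 3.0.x sites-available/default sets Auth-Type for LDAP bind authentication; it is an added illustration, not the poster's configuration, and it assumes the ldap module instance is named `ldap` (the default in mods-available/ldap). In the debug output above, authorize returns ok but nothing has set Auth-Type, which is exactly what this block is for: the ldap module is listed in authorize so it can look up the user and, when it cannot read a password attribute, the subsequent check assigns Auth-Type so the authenticate section knows to do an LDAP bind.

```conf
# Stock 3.0.x layout (added example, not from the original thread)
authorize {
    filter_username
    preprocess
    auth_log
    mschap
    suffix
    eap
    files
    # The leading "-" makes the server ignore a missing ldap module.
    # The module looks the user up and sets Auth-Type := LDAP itself
    # when it cannot retrieve a cleartext/known password attribute.
    -ldap
    # Fallback: if ldap found the user but Auth-Type is still unset
    # and a User-Password was supplied, authenticate by LDAP bind.
    if ((ok || updated) && User-Password) {
        update {
            control:Auth-Type := ldap
        }
    }
    expiration
    logintime
    pap
}

authenticate {
    # Invoked only when control:Auth-Type = LDAP was set above.
    Auth-Type LDAP {
        ldap
    }
    Auth-Type PAP {
        pap
    }
}
```

With ldap removed from authorize entirely, neither the module nor the fallback update runs, so authorize finishes with no Auth-Type and the request is rejected with the message shown in the log.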