Porting ldap module configuration from 2.2.9 to 3.0.15

Olivier Olivier.Nicole at cs.ait.ac.th
Wed Sep 20 10:03:54 CEST 2017


"Fajar A. Nugraha" <list at fajar.net> writes:

> On Wed, Sep 20, 2017 at 12:11 PM, Olivier <Olivier.Nicole at cs.ait.ac.th>
> wrote:
>
>> "Fajar A. Nugraha" <list at fajar.net> writes:
>>
>> > The last part shouldn't be there, since you should've had an entry that
>> > adds Ldap-UserDN.
>> >
>> > It should print something like this
>> > (0)   authorize {
>> > (0) files: EXPAND uid=%{User-Name},ou=people,dc=company,dc=com
>> > (0) files:    --> uid=testuser,ou=people,dc=company,dc=com
>> > (0) files: users: Matched entry DEFAULT at line 1
>> > ...
>> > (0)     [files] = ok
>> >
>> > Did you edit the correct file? The default (in ubuntu)
>> > is /etc/freeradius/users (or /etc/raddb/users in most other distros),
>> > which is a symlink to mods-config/files/authorize
>>
>> I found my mistake. When setting the chroot, I copied all raddb with
>> cp(1) and the symlinks got overwritten by plain files. raddb/users was
>> not a symlink anymore.
>>
>> Now I get the correct result for authorize/files. I removed any
>> reference to ldap in the authorize section of sites-enable/default.
>>
>> Now I get the error "ERROR: No Auth-Type found: rejecting the user via
>> Post-Auth-Type = Reject"
>>
>>
>
> Here's what works for me, tested on fresh openldap user (with only one
> user, the 'admin' user) on ubuntu:
>
> - top of /etc/freeradius/users
>
> admin Ldap-UserDN := "cn=%{User-Name},dc=ldap1,dc=s,dc=1elf,dc=net",
> Auth-Type := LDAP
>    Fall-Through = yes
>
> Adjust to your DN, obviously. If all your users are LDAP users, you should
> be able to replace 'admin' with 'DEFAULT'
>
>
> - /etc/freeradius/sites-enabled/default:
>
> comment-out '-ldap' from authorize section. You don't need it if you ONLY
> use LDAP for authentication with LDAP bind.
>
> uncomment these lines from authenticate section (also read the comments
> before these lines to understand what they do):
>         Auth-Type LDAP {
>                 ldap
>         }
>

That's what I have (modulo the change of the DN).

>
> Relevant part of my debug log using 'radtest'
> ...
> (0) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (0)   authorize {
> ...
> (0) files: EXPAND cn=%{User-Name},dc=ldap1,dc=s,dc=1elf,dc=net
> (0) files:    --> cn=admin,dc=ldap1,dc=s,dc=1elf,dc=net
> (0) files: users: Matched entry admin at line 1
> (0)     [files] = ok
> ...
> (0)   } # authorize = ok
> (0) Found Auth-Type = LDAP
> (0) # Executing group from file /etc/freeradius/sites-enabled/default
> (0)   Auth-Type LDAP {
> ...
> rlm_ldap (ldap): Reserved connection (0)
> (0) ldap: Login attempt by "admin"
> (0) ldap: Using user DN from request "cn=admin,dc=ldap1,dc=s,dc=1elf,dc=net"
> (0) ldap: Waiting for bind result...
> (0) ldap: Bind successful
> (0) ldap: Bind as user "cn=admin,dc=ldap1,dc=s,dc=1elf,dc=net" was
> successful
> ...
> (0)     [ldap] = ok
> (0)   } # Auth-Type LDAP = ok
> ...
> (0) Sent Access-Accept Id 122 from 127.0.0.1:1812 to 127.0.0.1:46573 length
> 0

But I still get:

(0) files: EXPAND uid=%{User-Name},ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th
(0) files:    --> uid=on,ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th
(0)     [files] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)   } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject

Could it be something linked to user-Password vs. Cleartext-Password, as
mentioned in raddb/README.rst:

   From version 3.0 onwards the server no longer supports authenticating
   against a cleartext password in the 'User-Password' attribute. Any
   occurrences of this (for instance, in the users file) should now be
   changed to 'Cleartext-Password' instead.


I see that radtest sends both User-Password and Cleartext-Password:

Sent Access-Request Id 17 from 0.0.0.0:24803 to 192.41.170.3:1812 length 72
        User-Name = "on"
        User-Password = "**** password redacted"
        NAS-IP-Address = 192.41.170.6
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "**** password redacted"

but in the debug messages from radiusd -X, I only see the User-Password:

Ready to process requests
(0) Received Access-Request Id 17 from 192.41.170.3:24803 to 192.41.170.3:1812 length 72
(0)   User-Name = "on"
(0)   User-Password = "**** password redacted"
(0)   NAS-IP-Address = 192.41.170.6
(0)   NAS-Port = 0
(0)   Message-Authenticator = 0xb299934119453c5d6105169256071d2a

Thank you,

Olivier
-- 
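As an added illustration (not code from this thread or from FreeRADIUS itself), a small Python model of how the files module walks the users file during authorize: an entry contributes its `:=` check items to the control list only when its name equals the User-Name or is `DEFAULT`, so a file whose only entry is `admin` sets no Auth-Type for user `on`, which is the "No Auth-Type found" outcome. The two sample users files and the `dc=example,dc=com` DN are constructed for the demo.

```python
import re

# Constructed users-file text modelled on the entry quoted above; the second
# file appends the DEFAULT entry Fajar suggests. Neither is a real config.
USERS_ADMIN_ONLY = (
    'admin Ldap-UserDN := "cn=%{User-Name},dc=ldap1,dc=s,dc=1elf,dc=net", '
    'Auth-Type := LDAP\n'
    '\tFall-Through = yes\n'
)
USERS_WITH_DEFAULT = USERS_ADMIN_ONLY + (
    'DEFAULT Ldap-UserDN := "uid=%{User-Name},ou=People,dc=example,dc=com", '
    'Auth-Type := LDAP\n'
    '\tFall-Through = yes\n'
)

# attribute, operator, quoted or bare value, optional trailing comma
ITEM = re.compile(r'\s*([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^\s,]+)\s*,?')


def parse_items(text):
    return [(a, op, v.strip('"')) for a, op, v in ITEM.findall(text)]


def parse_users(text):
    """Split a users file into (name, check_items, reply_items) entries."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":                 # indented: reply item of last entry
            entries[-1][2].extend(parse_items(line))
        else:                                # new entry: name, then check items
            parts = line.split(None, 1)
            entries.append((parts[0], parse_items(parts[1] if len(parts) > 1 else ""), []))
    return entries


def authorize_files(text, username):
    """Mimic rlm_files: apply ':=' check items of matching entries as control
    attributes (with %{User-Name} expanded); stop unless Fall-Through = yes.
    Comparison operators such as '==' are not modelled here."""
    control = {}
    for name, checks, replies in parse_users(text):
        if name not in (username, "DEFAULT"):
            continue                         # entry does not match this user
        for attr, op, value in checks:
            if op == ":=":
                control[attr] = value.replace("%{User-Name}", username)
        if not any(a == "Fall-Through" and v == "yes" for a, _, v in replies):
            break
    return control                           # no "Auth-Type" key => reject
```

`authorize_files(USERS_ADMIN_ONLY, "on")` returns an empty dict, while the DEFAULT variant yields an Auth-Type of LDAP and the expanded DN for any user.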