Porting ldap module configuration from 2.2.9 to 3.0.15
Fajar A. Nugraha
list at fajar.net
Wed Sep 20 14:40:40 CEST 2017
On Wed, Sep 20, 2017 at 3:03 PM, Olivier <Olivier.Nicole at cs.ait.ac.th> wrote:
> "Fajar A. Nugraha" <list at fajar.net> writes:
>
> > On Wed, Sep 20, 2017 at 12:11 PM, Olivier <Olivier.Nicole at cs.ait.ac.th> wrote:
> >
> >> "Fajar A. Nugraha" <list at fajar.net> writes:
> >>
> >> > The last part shouldn't be there, since you should've had an entry that
> >> > adds Ldap-UserDN.
> >> >
> >> > It should print something like this
> >> > (0) authorize {
> >> > (0) files: EXPAND uid=%{User-Name},ou=people,dc=company,dc=com
> >> > (0) files: --> uid=testuser,ou=people,dc=company,dc=com
> >> > (0) files: users: Matched entry DEFAULT at line 1
> >> > ...
> >> > (0) [files] = ok
> >> >
> >> > Did you edit the correct file? The default (in Ubuntu)
> >> > is /etc/freeradius/users (or /etc/raddb/users in most other distros), which
> >> > is a symlink to mods-config/files/authorize
> >>
> >> I found my mistake. When setting the chroot, I copied all raddb with
> >> cp(1) and the symlinks got overwritten by plain files. raddb/users was
> >> not a symlink anymore.
> >>
> >> Now I get the correct result for authorize/files. I removed any
> >> reference to ldap in the authorize section of sites-enable/default.
> >>
> >> Now I get the error "ERROR: No Auth-Type found: rejecting the user via
> >> Post-Auth-Type = Reject"
> >>
> >>
> >
> > Here's what works for me, tested on fresh openldap user (with only one
> > user, the 'admin' user) on ubuntu:
> >
> > - top of /etc/freeradius/users
> >
> > admin   Ldap-UserDN := "cn=%{User-Name},dc=ldap1,dc=s,dc=1elf,dc=net",
> >         Auth-Type := LDAP
> >         Fall-Through = yes
> >
> > Adjust to your DN, obviously. If all your users are LDAP users, you should
> > be able to replace 'admin' with 'DEFAULT'
> >
> >
> > - /etc/freeradius/sites-enabled/default:
> >
> > comment-out '-ldap' from authorize section. You don't need it if you ONLY
> > use LDAP for authentication with LDAP bind.
> >
> > uncomment these lines from authenticate section (also read the comments
> > before these lines to understand what they do):
> > Auth-Type LDAP {
> >         ldap
> > }
> >
>
> That's what I have (modulo the change of the DN).
>
> >
> > Relevant part of my debug log using 'radtest'
> > ...
> > (0) # Executing section authorize from file
> > /etc/freeradius/sites-enabled/default
> > (0) authorize {
> > ...
> > (0) files: EXPAND cn=%{User-Name},dc=ldap1,dc=s,dc=1elf,dc=net
> > (0) files: --> cn=admin,dc=ldap1,dc=s,dc=1elf,dc=net
> > (0) files: users: Matched entry admin at line 1
> > (0) [files] = ok
> > ...
> > (0) } # authorize = ok
> > (0) Found Auth-Type = LDAP
> > (0) # Executing group from file /etc/freeradius/sites-enabled/default
> > (0) Auth-Type LDAP {
> > ...
> > rlm_ldap (ldap): Reserved connection (0)
> > (0) ldap: Login attempt by "admin"
> > (0) ldap: Using user DN from request "cn=admin,dc=ldap1,dc=s,dc=1elf,dc=net"
> > (0) ldap: Waiting for bind result...
> > (0) ldap: Bind successful
> > (0) ldap: Bind as user "cn=admin,dc=ldap1,dc=s,dc=1elf,dc=net" was
> > successful
> > ...
> > (0) [ldap] = ok
> > (0) } # Auth-Type LDAP = ok
> > ...
> > (0) Sent Access-Accept Id 122 from 127.0.0.1:1812 to 127.0.0.1:46573 length 0
>
> But I still get:
>
> (0) files: EXPAND uid=%{User-Name},ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th
> (0) files: --> uid=on,ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th
> (0) [files] = ok
> (0) [expiration] = noop
> (0) [logintime] = noop
> (0) } # authorize = ok
> (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
>
>
Short version: If you still get 'No Auth-Type found', your users file is
different from mine. Double-check my example, and compare to yours.
Auth-Type (in your case) should be set in the users file (or whatever method
you choose, can be db, unlang, etc.) in the authorize section.
> Could it be something linked to User-Password vs. Cleartext-Password, as
> mentioned in raddb/README.rst:
>
> From version 3.0 onwards the server no longer supports authenticating
> against a cleartext password in the 'User-Password' attribute. Any
> occurrences of this (for instance, in the users file) should now be
> changed to 'Cleartext-Password' instead.
>
>
> I see that radtest sends both User-Password and Cleartext-Password:
>
> Sent Access-Request Id 17 from 0.0.0.0:24803 to 192.41.170.3:1812 length 72
> User-Name = "on"
> User-Password = "**** password redacted"
> NAS-IP-Address = 192.41.170.6
> NAS-Port = 0
> Message-Authenticator = 0x00
> Cleartext-Password = "**** password redacted"
>
> but in the debug messages from radiusd -X, I only see the User-Password:
>
> Ready to process requests
> (0) Received Access-Request Id 17 from 192.41.170.3:24803 to 192.41.170.3:1812 length 72
> (0) User-Name = "on"
> (0) User-Password = "**** password redacted"
> (0) NAS-IP-Address = 192.41.170.6
> (0) NAS-Port = 0
> (0) Message-Authenticator = 0xb299934119453c5d6105169256071d2a
>
>
If you still get 'ERROR: No Auth-Type found: rejecting the user via
Post-Auth-Type = Reject', anything that comes after that doesn't matter.
Fix that first.
--
Fajar
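Added example for the root cause Olivier found earlier in the thread (a cp into the chroot turned raddb/users from a symlink into a plain file). This is my own POSIX sh check, not code from the thread or from the FreeRADIUS project: it walks every symlink in a source configuration tree and reports links that became regular files, went missing, or now point elsewhere in the copy. The raddb layout it builds is a constructed miniature (users -> mods-config/files/authorize, as in the Debian/Ubuntu package), the chroot paths in the comments are hypothetical, and cp -RL is used on purpose to reproduce a dereferencing copy next to a link-preserving cp -RP.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeRADIUS.
# Audit a copied configuration tree (e.g. a chroot) for symlinks that a
# careless copy turned into regular files. That is how raddb/users stopped
# being a link to mods-config/files/authorize in the thread above.

# Print one line per symlink under SRC that is not the same symlink at the
# same relative path under DST. Prints nothing when the copy is faithful.
list_broken_symlinks() {
    src=${1%/}
    dst=${2%/}
    # One symlink per line; filenames containing newlines are not handled.
    find "$src" -type l | while IFS= read -r link; do
        rel=${link#"$src"/}
        target=$(readlink "$link")
        copy=$dst/$rel
        if [ -L "$copy" ]; then
            # Still a symlink: make sure it points at the same place.
            copy_target=$(readlink "$copy")
            [ "$copy_target" = "$target" ] ||
                printf 'RETARGETED %s: %s (source: %s)\n' "$rel" "$copy_target" "$target"
        elif [ -e "$copy" ]; then
            # Dereferenced: the link became a plain file, so edits made to
            # the real file (the link target) are no longer seen here.
            printf 'REPLACED   %s: plain file instead of link to %s\n' "$rel" "$target"
        else
            printf 'MISSING    %s\n' "$rel"
        fi
    done
}

# Number of problems found, as a plain integer on stdout.
count_broken_symlinks() {
    list_broken_symlinks "$1" "$2" | wc -l | tr -d ' '
}

# Constructed fixture under DIR (hypothetical layout, modelled on the Debian
# package): a miniature raddb whose users file is a symlink, plus one copy
# made with -L (follow links) and one made with -P (keep links).
make_fixture() {
    base=$1
    mkdir -p "$base/raddb/mods-config/files"
    printf 'DEFAULT\tAuth-Type := LDAP\n' > "$base/raddb/mods-config/files/authorize"
    ln -s mods-config/files/authorize "$base/raddb/users"
    cp -RL "$base/raddb" "$base/chroot_bad"   # users becomes a regular file
    cp -RP "$base/raddb" "$base/chroot_good"  # users stays a symlink
}

# Demo on the constructed fixture. For a real audit, call
# list_broken_symlinks with the packaged tree and the chroot copy, e.g.
# (hypothetical paths):
#   list_broken_symlinks /etc/freeradius /var/chroot/etc/freeradius
demo() {
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    echo "== dereferenced copy (cp -RL) =="
    list_broken_symlinks "$tmp/raddb" "$tmp/chroot_bad"
    echo "== link-preserving copy (cp -RP): $(count_broken_symlinks "$tmp/raddb" "$tmp/chroot_good") problems =="
    rm -rf "$tmp"
}
demo
```

Run it against the packaged tree and the chroot copy after any cp; the dereferenced copy shows `users` as REPLACED, which is exactly the state in which edits to mods-config/files/authorize are never read by the chrooted server, while `cp -RP` (or GNU `cp -a`) keeps the link and reports nothing.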