Unable to Login with LDAP (freeipa) User
Mohiddin Shaik
kms31786 at gmail.com
Wed Apr 4 10:25:48 CEST 2018
Hi,
Recently I installed a FreeRADIUS server on a FreeIPA server by following the configuration below. When I tried to test it using radtest user <password> serverinfo 1812 somesecret, I got this error:
Received Access-Reject Id 226 from 10.0.0.95:1812 to 0.0.0.0:0 length 20
1. -: Expected Access-Accept got Access-Reject
(10) Received Access-Request Id 226 from 10.0.0.95:55049 to 10.0.0.95:1812 length 83
(10) User-Name = "test@test.org"
(10) User-Password = "Reflexis at 0418"
(10) NAS-IP-Address = 10.0.0.95
(10) NAS-Port = 1812
(10) Message-Authenticator = 0xf9fc18c97a4bc9e5e8f71bb6224f46bb
(10) # Executing section authorize from file /etc/raddb/sites-enabled/default
(10) authorize {
(10) policy filter_username {
(10) if (&User-Name) {
(10) if (&User-Name) -> TRUE
(10) if (&User-Name) {
(10) if (&User-Name =~ / /) {
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@[^@]*@/ ) {
(10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(10) if (&User-Name =~ /\.\./ ) {
(10) if (&User-Name =~ /\.\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(10) if (&User-Name =~ /\.$/) {
(10) if (&User-Name =~ /\.$/) -> FALSE
(10) if (&User-Name =~ /@\./) {
(10) if (&User-Name =~ /@\./) -> FALSE
(10) } # if (&User-Name) = notfound
(10) } # policy filter_username = notfound
(10) [preprocess] = ok
(10) [chap] = noop
(10) [mschap] = noop
(10) [digest] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: Looking up realm "test.org" for User-Name = "test@test.org"
(10) suffix: No such realm "test.org"
(10) [suffix] = noop
(10) eap: No EAP-Message, not doing EAP
(10) [eap] = noop
(10) [files] = noop
rlm_ldap (ldap): Closing connection (11): Hit idle_timeout, was idle for 223 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (9): Hit idle_timeout, was idle for 169 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (12): Hit idle_timeout, was idle for 169 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare"
rlm_ldap (ldap): Opening additional connection (13), 1 of 32 pending slots used
rlm_ldap (ldap): Connecting to ldap://rflxpnqrds02.test.org:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Reserved connection (13)
(10) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(10) ldap: --> (uid=test@test.org)
(10) ldap: Performing search in "dc=test,dc=org" with filter "(uid=test@test.org)", scope "sub"
(10) ldap: Waiting for search result...
(10) ldap: Search returned no results
rlm_ldap (ldap): Released connection (13)
Need 2 more connections to reach min connections (3)
rlm_ldap (ldap): Opening additional connection (14), 1 of 31 pending slots used
rlm_ldap (ldap): Connecting to ldap://rflxpnqrds02.test.org:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(10) [ldap] = notfound
(10) if ((ok || updated) && User-Password) {
(10) if ((ok || updated) && User-Password) -> FALSE
(10) [expiration] = noop
(10) [logintime] = noop
(10) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(10) pap: WARNING: Authentication will fail unless a "known good" password is available
(10) [pap] = noop
(10) } # authorize = ok
(10) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(10) Failed to authenticate the user
(10) Using Post-Auth-Type Reject
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10) Post-Auth-Type REJECT {
(10) attr_filter.access_reject: EXPAND %{User-Name}
(10) attr_filter.access_reject: --> test@test.org
(10) attr_filter.access_reject: Matched entry DEFAULT at line 11
(10) [attr_filter.access_reject] = updated
(10) [eap] = noop
(10) policy remove_reply_message_if_eap {
(10) if (&reply:EAP-Message && &reply:Reply-Message) {
(10) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(10) else {
(10) [noop] = noop
(10) } # else = noop
(10) } # policy remove_reply_message_if_eap = noop
(10) } # Post-Auth-Type REJECT = updated
(10) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(10) Sending delayed response
(10) Sent Access-Reject Id 226 from 10.0.0.95:1812 to 10.0.0.95:55049 length 20
Waking up in 3.9 seconds.
(10) Cleaning up request packet ID 226 with timestamp +756
I followed the installation steps (source: https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7):
[root@ipa ~]# yum install freeradius freeradius-utils freeradius-ldap freeradius-krb5
...
In order to configure the RADIUS server to authenticate with the software
token provided by the IPA server, we must let RADIUS accept requests from
your clients (including the IPA server itself), enable the default
configuration to search for users in the IPA server with LDAP protocol and
try to authenticate them with an LDAP bind() operation.
All the RADIUS configuration files are in /etc/raddb, and most of the
configuration is done by linking files from the mod-available directory to
mod-enabled and then editing them as needed.
As a first step, add the following lines at the beginning of clients.conf:
client localnet {
    ipaddr = 192.168.1.0/24
    proto = *
    secret = somesecret
    nas_type = other    # localhost isn't usually a NAS...
    limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
    }
}
In sites-enabled/default and sites-enabled/inner-tunnel replace these lines
#
# The ldap module reads passwords from the LDAP database.
-ldap
with these
#
# The ldap module reads passwords from the LDAP database.
ldap
if ((ok || updated) && User-Password) {
    update {
        control:Auth-Type := ldap
    }
}
and uncomment the following lines
# Auth-Type LDAP {
# ldap
# }
As a last step, enable and configure the LDAP backend in RADIUS.
Add LDAP to the enabled mods:
[root@ipa raddb]# ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/
[root@ipa raddb]#
Edit mods-enabled/ldap to change
server = "ldap.rrdns.example.org ldap.rrdns.example.org ldap.example.org"
and
# base_dn = "dc=example,dc=org"
to
server = "ipa.test.org"
and
base_dn = "dc=test,dc=org"
To reach the RADIUS server from other clients, we must also open the
firewall for the required ports:
[root@ipa ~]# firewall-cmd --permanent --zone=public --add-port=1812/udp --add-port=1813/udp
Success
[root@ipa ~]# systemctl restart firewalld.service
[root@ipa ~]#
Thanks,
Mohiddin
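Editor's reading of the trace above: the suffix instance of the realm module reports No such realm "test.org", so it never sets Stripped-User-Name; the ldap module's default filter (uid=%{%{Stripped-User-Name}:-%{User-Name}}) then falls back to the full User-Name, and a search for uid=test@test.org matches nothing because FreeIPA stores the bare login name in uid. With no entry there is no "known good" password, pap sets no Auth-Type, and the request is rejected. The Python below is an added example written for this page, not code from the thread, the FreeIPA wiki or FreeRADIUS: it models the realm stripping and the filter expansion (including the RFC 4515 escaping FreeRADIUS applies to the user-controlled value) and adds a small triage helper that runs over constructed trace lines modelled on the post. The set of known realms, the sample lines and all function names are assumptions.

```python
"""Added example (editor's code, not from the thread, FreeIPA or FreeRADIUS):
model how the "suffix" realm instance and the ldap module's default user
filter combine, and triage a radiusd -X trace for this failure pattern."""
from __future__ import annotations

import re

# RFC 4515 escaping of a value placed inside an LDAP filter. FreeRADIUS applies
# this to expanded attributes, so a User-Name such as "a*(b)" cannot alter the
# structure of the search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def strip_realm(user_name: str, known_realms: set[str]) -> tuple[str | None, str | None]:
    """Mimic the 'suffix' realm module: split on the last '@' and set
    Stripped-User-Name only if the realm is a configured one (proxy.conf)."""
    if "@" not in user_name:
        return None, None
    name, realm = user_name.rsplit("@", 1)
    if realm.lower() not in {r.lower() for r in known_realms}:
        return None, realm          # "No such realm": nothing is stripped
    return name, realm


def build_uid_filter(user_name: str, known_realms: set[str]) -> str:
    """Expand (uid=%{%{Stripped-User-Name}:-%{User-Name}}) the way the ldap
    module's default user filter does: prefer Stripped-User-Name, otherwise
    fall back to the full User-Name."""
    stripped, _ = strip_realm(user_name, known_realms)
    value = stripped if stripped is not None else user_name
    return f"(uid={ldap_filter_escape(value)})"


# Constructed trace fragment (assumption), modelled on the output in the post.
SAMPLE_TRACE = """\
(10) suffix: Looking up realm "test.org" for User-Name = "test@test.org"
(10) suffix: No such realm "test.org"
(10) ldap: --> (uid=test@test.org)
(10) ldap: Search returned no results
(10) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
"""


def triage(trace: str) -> list[str]:
    """Return the findings that explain an Access-Reject in this pattern."""
    findings = []
    m = re.search(r'suffix: No such realm "([^"]+)"', trace)
    if m:
        findings.append(f"realm {m.group(1)} is not defined, so the suffix was not stripped")
    m = re.search(r"ldap: --> (\(uid=[^)]*\))", trace)
    if m and "@" in m.group(1):
        findings.append(f"filter {m.group(1)} still carries the realm; FreeIPA's uid is the bare login")
    if "Search returned no results" in trace:
        findings.append("no LDAP entry matched, so no known-good password and no Auth-Type")
    return findings


if __name__ == "__main__":
    print(build_uid_filter("test@test.org", set()))          # (uid=test@test.org)
    print(build_uid_filter("test@test.org", {"test.org"}))   # (uid=test)
    for finding in triage(SAMPLE_TRACE):
        print("-", finding)
```

Running it with an empty realm set reproduces the filter seen in the trace, while adding "test.org" to the known realms yields (uid=test), which is the lookup FreeIPA can answer. The rlm_ldap idle_timeout and "lower min" messages in the trace are connection-pool housekeeping and are unrelated to the reject.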