Unable to Login with LDAP (freeipa) User

Mohiddin Shaik kms31786 at gmail.com
Wed Apr 4 10:25:48 CEST 2018


Hi,



Recently I installed a FreeRADIUS server on a FreeIPA server by following the configuration below. When I tried to test using radtest user <password> serverinfo 1812 somesecret, I got this error:



Received Access-Reject Id 226 from 10.0.0.95:1812 to 0.0.0.0:0 length 20
-: Expected Access-Accept got Access-Reject

(10) Received Access-Request Id 226 from 10.0.0.95:55049 to 10.0.0.95:1812 length 83
(10)   User-Name = "test@test.org"
(10)   User-Password = "Reflexis@0418"
(10)   NAS-IP-Address = 10.0.0.95
(10)   NAS-Port = 1812
(10)   Message-Authenticator = 0xf9fc18c97a4bc9e5e8f71bb6224f46bb
(10) # Executing section authorize from file /etc/raddb/sites-enabled/default
(10)   authorize {
(10)     policy filter_username {
(10)       if (&User-Name) {
(10)       if (&User-Name)  -> TRUE
(10)       if (&User-Name)  {
(10)         if (&User-Name =~ / /) {
(10)         if (&User-Name =~ / /)  -> FALSE
(10)         if (&User-Name =~ /@[^@]*@/ ) {
(10)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(10)         if (&User-Name =~ /\.\./ ) {
(10)         if (&User-Name =~ /\.\./ )  -> FALSE
(10)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(10)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(10)         if (&User-Name =~ /\.$/)  {
(10)         if (&User-Name =~ /\.$/)   -> FALSE
(10)         if (&User-Name =~ /@\./)  {
(10)         if (&User-Name =~ /@\./)   -> FALSE
(10)       } # if (&User-Name)  = notfound
(10)     } # policy filter_username = notfound
(10)     [preprocess] = ok
(10)     [chap] = noop
(10)     [mschap] = noop
(10)     [digest] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: Looking up realm "test.org" for User-Name = "test@test.org"
(10) suffix: No such realm "test.org"
(10)     [suffix] = noop
(10) eap: No EAP-Message, not doing EAP
(10)     [eap] = noop
(10)     [files] = noop
rlm_ldap (ldap): Closing connection (11): Hit idle_timeout, was idle for 223 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (9): Hit idle_timeout, was idle for 169 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (12): Hit idle_timeout, was idle for 169 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): 0 of 0 connections in use.  You  may need to increase "spare"
rlm_ldap (ldap): Opening additional connection (13), 1 of 32 pending slots used
rlm_ldap (ldap): Connecting to ldap://rflxpnqrds02.test.org:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Reserved connection (13)
(10) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(10) ldap:    --> (uid=test@test.org)
(10) ldap: Performing search in "dc=test,dc=org" with filter "(uid=test@test.org)", scope "sub"
(10) ldap: Waiting for search result...
(10) ldap: Search returned no results
rlm_ldap (ldap): Released connection (13)
Need 2 more connections to reach min connections (3)
rlm_ldap (ldap): Opening additional connection (14), 1 of 31 pending slots used
rlm_ldap (ldap): Connecting to ldap://rflxpnqrds02.test.org:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(10)     [ldap] = notfound
(10)     if ((ok || updated) && User-Password) {
(10)     if ((ok || updated) && User-Password)  -> FALSE
(10)     [expiration] = noop
(10)     [logintime] = noop
(10) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(10) pap: WARNING: Authentication will fail unless a "known good" password is available
(10)     [pap] = noop
(10)   } # authorize = ok
(10) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(10) Failed to authenticate the user
(10) Using Post-Auth-Type Reject
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10)   Post-Auth-Type REJECT {
(10) attr_filter.access_reject: EXPAND %{User-Name}
(10) attr_filter.access_reject:    --> test@test.org
(10) attr_filter.access_reject: Matched entry DEFAULT at line 11
(10)     [attr_filter.access_reject] = updated
(10)     [eap] = noop
(10)     policy remove_reply_message_if_eap {
(10)       if (&reply:EAP-Message && &reply:Reply-Message) {
(10)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(10)       else {
(10)         [noop] = noop
(10)       } # else = noop
(10)     } # policy remove_reply_message_if_eap = noop
(10)   } # Post-Auth-Type REJECT = updated
(10) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(10) Sending delayed response
(10) Sent Access-Reject Id 226 from 10.0.0.95:1812 to 10.0.0.95:55049 length 20
Waking up in 3.9 seconds.
(10) Cleaning up request packet ID 226 with timestamp +756



I followed these installation steps (source: https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7):



[root@ipa ~]# yum install freeradius freeradius-utils freeradius-ldap freeradius-krb5

...

In order to configure the RADIUS server to authenticate with the software token provided by the IPA server, we must let RADIUS accept requests from your clients (including the IPA server itself), enable the default configuration to search for users in the IPA server with the LDAP protocol, and try to authenticate them with an LDAP bind() operation.

All the RADIUS configuration files are in /etc/raddb, and most of the configuration is done by linking files from the mods-available directory to mods-enabled and then editing them as needed.

As a first step, add the following lines at the beginning of clients.conf:

client localnet {
        ipaddr = 192.168.1.0/24
        proto = *
        secret = somesecret
        nas_type = other        # localhost isn't usually a NAS...
        limit {
                max_connections = 16
                lifetime = 0
                idle_timeout = 30
        }
}

In sites-enabled/default and sites-enabled/inner-tunnel replace these lines

        #
        #  The ldap module reads passwords from the LDAP database.
        -ldap

with these

        #
        #  The ldap module reads passwords from the LDAP database.
        ldap
        if ((ok || updated) && User-Password) {
            update {
                control:Auth-Type := ldap
            }
        }

and uncomment the following lines

#       Auth-Type LDAP {
#               ldap
#       }

As a last step, enable and configure the LDAP backend in RADIUS.

Add LDAP to the enabled mods:

[root@ipa raddb]# ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/
[root@ipa raddb]#

Edit mods-enabled/ldap to change

        server = "ldap.rrdns.example.org ldap.rrdns.example.org ldap.example.org"

and

#       base_dn = "dc=example,dc=org"

to

        server = "ipa.test.org"

and

        base_dn = "dc=test,dc=org"

To reach the RADIUS server from other clients, we must also open the firewall for the required ports:

[root@ipa ~]# firewall-cmd --permanent --zone=public --add-port=1812/udp --add-port=1813/udp
Success
[root@ipa ~]# systemctl restart firewalld.service
[root@ipa ~]#





Thanks,
Mohiddin
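The debug trace in the post shows the chain that produces the reject: the suffix module finds no realm "test.org", so Stripped-User-Name is never set, the ldap module's filter falls back to the full User-Name, the search under dc=test,dc=org matches nothing, and with ldap returning notfound the "(ok || updated)" check never sets Auth-Type. As an added example (not from the post or from the FreeRADIUS project), here is a small Python triage that reads such radiusd -X lines and states that chain; the sample lines are constructed from the trace above.

```python
import re

# Constructed excerpt of the "radiusd -X" trace quoted in the post
# (mailman's " at " obfuscation of "@" undone).
REJECTED = """\
(10)   User-Name = "test@test.org"
(10) suffix: No such realm "test.org"
(10) ldap:    --> (uid=test@test.org)
(10) ldap: Search returned no results
(10)     [ldap] = notfound
(10) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
"""

# Constructed healthy run for comparison: realm stripped, bare uid matched.
ACCEPTED = """\
(11)   User-Name = "test@test.org"
(11) ldap:    --> (uid=test)
(11)     [ldap] = ok
"""

def triage(log):
    """Pull the facts that decide the request out of the debug lines."""
    facts = {"user": None, "missing_realm": None, "filter": None,
             "ldap_rc": None, "no_auth_type": False}
    for line in log.splitlines():
        if m := re.search(r'User-Name = "([^"]+)"', line):
            facts["user"] = facts["user"] or m.group(1)
        elif m := re.search(r'No such realm "([^"]+)"', line):
            facts["missing_realm"] = m.group(1)
        elif m := re.search(r'ldap:\s+--> (\(uid=[^)]*\))', line):
            facts["filter"] = m.group(1)
        elif m := re.search(r'\[ldap\] = (\w+)', line):
            facts["ldap_rc"] = m.group(1)
        elif "No Auth-Type found" in line:
            facts["no_auth_type"] = True
    return facts

def diagnose(log):
    """Explain a reject in terms of the modules that produced it."""
    f = triage(log)
    reasons = []
    if f["missing_realm"] and f["filter"] and "@" in f["filter"]:
        reasons.append(f'realm "{f["missing_realm"]}" is undefined, so Stripped-User-Name '
                       f'stayed empty and the filter {f["filter"]} carried the full '
                       'User-Name; a FreeIPA uid has no realm part, so nothing matched')
    if f["ldap_rc"] == "notfound":
        reasons.append('ldap returned notfound, so "(ok || updated)" never set Auth-Type := ldap')
    if f["no_auth_type"]:
        reasons.append("no Auth-Type left: the request fell through to Post-Auth-Type Reject")
    return reasons
```

Run diagnose() over a captured trace to get the list of reasons; an empty list means the realm was stripped and the LDAP lookup succeeded.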


More information about the Freeradius-Users mailing list