Freeradius-Users Digest, Vol 196, Issue 9
Valery Kayukov
kayukovvalery at gmail.com
Mon Aug 9 19:04:40 CEST 2021
Hi Alan,
I am trying to upgrade freeradius from 2.0 version to 3.0.17.
Now I am getting an error:
Mon Aug 9 17:00:32 2021 : Debug: # Loading authenticate {...}
Mon Aug 9 17:00:32 2021 : Debug: eap
Mon Aug 9 17:00:32 2021 : Error: /etc/raddb/sites-enabled/default[20]: Errors parsing preacct sub-section.
Here is section:
server {
    authorize {
        preprocess
        chap
        mschap
        # digest
        suffix
        eap {
            ok = return
        }
        files
        redundant-load-balance {
            ldap-server-a
            ldap-server-b
        }
        expiration
        logintime
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        # digest
        # unix
        eap
        Auth-Type LDAP {
            redundant-load-balance {
                ldap-server-a
                ldap-server-b
            }
        }
        preacct {
            preprocess
            acct_unique
            suffix
            files
        }
    }
    accounting {
        detail
        # unix
        radutmp
        exec
        attr_filter.accounting_response
    }
    session {
        radutmp
    }
    post-auth {
        exec
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
        #LDAP B Service
        if !(&Ldap-Group == "cn=scaler_vip,ou=resource groups,ou=Groups,dc= company ,dc=net") {
            update reply {
                Service-Type = "Administrative-User",
                Citrix-Group += "dwansible_netscaler_vip",
                Fall-Through = Yes
            }
        }
        #LDAP A Service
        elsif !(&Ldap-Group == "cn=scaler_service,ou=resource groups,ou=Groups,dc=company,dc=net") {
            update reply {
                Service-Type = "Administrative-User",
                Citrix-Group += "scaler_service"
            }
        }
        else {
            reject
        }
    }
    pre-proxy {
    }
    post-proxy {
        eap
    }
}
Could you please help to understand what is wrong, where to place LDAP
group check and what is the syntax.
Best regards,
Valery
On Mon, 9 Aug 2021 at 11:00, <freeradius-users-request at lists.freeradius.org>
wrote:
> Send Freeradius-Users mailing list submissions to
> freeradius-users at lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> freeradius-users-request at lists.freeradius.org
>
> You can reach the person managing the list at
> freeradius-users-owner at lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
> 1. Re: Freeradius-Users Digest, Vol 196, Issue 8 (Valery Kayukov)
> 2. Re: Freeradius-Users Digest, Vol 196, Issue 8 (Alan DeKok)
> 3. How to Migrate (EAP) from: 2.1.xx to: 3.0.xx ? (Dennis Schneck)
> 4. missing shared objects - proto_auth.so & proto_acct.so - on
> openSuSE LEAP 15.3 (Dennis Schneck)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 8 Aug 2021 12:44:38 +0100
> From: Valery Kayukov <kayukovvalery at gmail.com>
> To: freeradius-users at lists.freeradius.org
> Subject: Re: Freeradius-Users Digest, Vol 196, Issue 8
> Message-ID:
> <
> CAAoKmEsmGHkTC-AV+8Dm1fG7xxVa_8qc_SkDOc4txuwJ-61DBw at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Hi Alan,
>
> Thank you for your help. By the way I use 3.0.17 version. I have fixed that
> but still have this problem with LDAP groups:
> Sun Aug 8 11:36:22 2021 : Debug: # Instantiating module "files" from
> file /etc/raddb/mods-enabled/files
> Sun Aug 8 11:36:22 2021 : Debug: reading pairlist file
> /etc/raddb/mods-config/files/authorize
> Sun Aug 8 11:36:22 2021 : Error:
> /etc/raddb/mods-config/files/authorize[10]: Parse error (check) for entry
> DEFAULT: Unknown name "LDAP-Group"
> Sun Aug 8 11:36:22 2021 : Error: Failed reading
> /etc/raddb/mods-config/files/authorize
> Sun Aug 8 11:36:22 2021 : Error: /etc/raddb/mods-enabled/files[9]:
> Instantiation failed for module "files"
>
> I have read the /etc/raddb/README.rst file about LDAP-Group but still not
> getting how to apply it.
>
> In /etc/raddb/mods-config/files/authorize file I have the following:
> #LDAP NetEng team members
> DEFAULT LDAP-Group == "cn=neteng,ou=system groups,ou=Groups,dc=company,dc=net"
>     Service-Type = "Administrative-User",
>     cisco-avpair := "shell:roles=network-admin,vdc-admin",
>     cisco-avpair += "shell:priv-lvl=15",
>     Filter-Id = ":group_name=neteng;"
>
> In /etc/raddb/sites-available/default config:
> authorize {
> ...
> ldap-server-a
> if ((ok || updated) && User-Password) {
> update control {
> Auth-Type := ldap
> }
> }
> ldap-server-b
> if ((ok || updated) && User-Password) {
> update control {
> Auth-Type := ldap
> }
> }
> ...
> }
> authenticate {
> ...
> redundant {
> location1
> location2
> }
> ...
> }
>
> In /etc/raddb/mods-available/ldap config:
> ldap ldap-server-a {
> server = "ldap-a.company.net"
> basedn = "dc=company,dc=net"
> }
> ...
> }
>
> ldap ldap-server-b {
> server = "ldap-b.company.net"
> basedn = "dc=company,dc=net"
> ...
> }
>
> How do I convert the config in file /etc/raddb/mods-config/files/authorize to v3?
>
> Best regards,
> Valeriy
>
> On Sun, 8 Aug 2021 at 11:00, <
> freeradius-users-request at lists.freeradius.org>
> wrote:
>
> >
> > Today's Topics:
> >
> > 1. Parse error (check) for entry DEFAULT: Unknown name
> > "LDAP-Group" (Valery Kayukov)
> > 2. Re: Parse error (check) for entry DEFAULT: Unknown name
> > "LDAP-Group" (Alan DeKok)
> >
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Sat, 7 Aug 2021 13:00:11 +0100
> > From: Valery Kayukov <kayukovvalery at gmail.com>
> > To: freeradius-users at lists.freeradius.org
> > Subject: Parse error (check) for entry DEFAULT: Unknown name
> > "LDAP-Group"
> > Message-ID:
> > <
> > CAAoKmEsJSQ4ZMxM5UxEbwHks_4JyzfejTe6spjhJZeBEyS6ThQ at mail.gmail.com>
> > Content-Type: text/plain; charset="UTF-8"
> >
> > Hi team,
> >
> > I am new to the freeRADIUS project. Can't start my server, it returns error
> > message:
> > Sat Aug 7 11:48:24 2021 : Debug: # Instantiating module "files" from
> > file /etc/raddb/mods-enabled/files
> > Sat Aug 7 11:48:24 2021 : Debug: reading pairlist file
> > /etc/raddb/mods-config/files/authorize
> > Sat Aug 7 11:48:24 2021 : Error:
> > /etc/raddb/mods-config/files/authorize[10]: Parse error (check) for entry
> > DEFAULT: Unknown name "LDAP-Group"
> > Sat Aug 7 11:48:24 2021 : Error: Failed reading
> > /etc/raddb/mods-config/files/authorize
> > Sat Aug 7 11:48:24 2021 : Error: /etc/raddb/mods-enabled/files[9]:
> > Instantiation failed for module "files"
> >
> > Here is configuration file /etc/raddb/mods-config/files/authorize:
> > #LDAP Rancid service account
> > rancid LDAP-UserDN := `uid=rancid,ou=services,ou=Accounts,dc=company,dc=net`
> >     Service-Type = "NAS-Prompt-User",
> >     cisco-avpair := "optional shell:roles=rancid,network-operator",
> >     cisco-avpair += "shell:priv-lvl=15",
> >     Juniper-Local-User-Name := "rancid",
> >     Citrix-Group = "rancid"
> >
> > #LDAP Apple team members
> > DEFAULT LDAP-Group == "cn=apple,ou=system groups,ou=Groups,dc=
> > company,dc=net"
> >     Service-Type = "Administrative-User",
> >     cisco-avpair := "shell:roles=network-admin,vdc-admin",
> >     cisco-avpair += "shell:priv-lvl=15",
> >     Juniper-Local-User-Name := "apple",
> >     Citrix-Group = "apple",
> >     Filter-Id = ":group_name=apple;"
> >
> > What is wrong here?
> >
> > --
> > Best Regards,
> > Valeriy Kayukov
> > System Engineer
> >
> >
> > ------------------------------
> >
> > Message: 2
> > Date: Sat, 7 Aug 2021 09:44:01 -0400
> > From: Alan DeKok <aland at deployingradius.com>
> > To: FreeRadius users mailing list
> > <freeradius-users at lists.freeradius.org>
> > Subject: Re: Parse error (check) for entry DEFAULT: Unknown name
> > "LDAP-Group"
> > Message-ID: <8F938E67-BB0D-4459-8968-2EE5B10CFCEE at deployingradius.com>
> > Content-Type: text/plain; charset=us-ascii
> >
> > On Aug 7, 2021, at 8:00 AM, Valery Kayukov <kayukovvalery at gmail.com>
> > wrote:
> > >
> > > I am new to the freeRADIUS project. Can't start my server, it returns error
> > > message:
> > > Sat Aug 7 11:48:24 2021 : Debug: # Instantiating module "files" from
> > > file /etc/raddb/mods-enabled/files
> > > Sat Aug 7 11:48:24 2021 : Debug: reading pairlist file
> > > /etc/raddb/mods-config/files/authorize
> > > Sat Aug 7 11:48:24 2021 : Error:
> > > /etc/raddb/mods-config/files/authorize[10]: Parse error (check) for entry
> > > DEFAULT: Unknown name "LDAP-Group"
> >
> > You haven't enabled the LDAP module.
> >
> > Or, depending on the local file system, you may need to edit
> > radiusd.conf to load the "ldap" module early:
> >
> > instantiate {
> > ...
> > ldap
> > }
> >
> > This is documented in the comments before the "instantiate" section.
> >
> > Alan DeKok.
> >
> >
> >
> >
> > ------------------------------
> >
> > Subject: Digest Footer
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
> > ------------------------------
> >
> > End of Freeradius-Users Digest, Vol 196, Issue 8
> > ************************************************
> >
>
>
> --
> Best Regards,
> Valeriy Kayukov
> System Engineer
>
>
> ------------------------------
>
> Message: 2
> Date: Sun, 8 Aug 2021 08:13:02 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: Freeradius-Users Digest, Vol 196, Issue 8
> Message-ID: <1E9CA5AA-E8CD-42F3-8E16-F84327D985B4 at deployingradius.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Aug 8, 2021, at 7:44 AM, Valery Kayukov <kayukovvalery at gmail.com>
> wrote:
> >
> > Thank you for your help. By the way I use 3.0.17 version.
>
> You should really upgrade. We have packages for 3.0.23 on
> http://packages.networkradius.com
>
> > I have fixed that
> > but still have this problem with LDAP groups:
> > Sun Aug 8 11:36:22 2021 : Debug: # Instantiating module "files" from
> > file /etc/raddb/mods-enabled/files
> > Sun Aug 8 11:36:22 2021 : Debug: reading pairlist file
> > /etc/raddb/mods-config/files/authorize
> > Sun Aug 8 11:36:22 2021 : Error:
> > /etc/raddb/mods-config/files/authorize[10]: Parse error (check) for entry
> > DEFAULT: Unknown name "LDAP-Group"
> > Sun Aug 8 11:36:22 2021 : Error: Failed reading
> > /etc/raddb/mods-config/files/authorize
> > Sun Aug 8 11:36:22 2021 : Error: /etc/raddb/mods-enabled/files[9]:
> > Instantiation failed for module "files"
> >
> > I have read the /etc/raddb/README.rst file about LDAP-Group but still not
> > getting how to apply it.
> >
> > In /etc/raddb/mods-config/files/authorize file I have the following:
> > #LDAP NetEng team members
> > DEFAULT LDAP-Group == "cn=neteng,ou=system groups,ou=Groups,dc=company,dc=net"
> >     Service-Type = "Administrative-User",
> >     cisco-avpair := "shell:roles=network-admin,vdc-admin",
> >     cisco-avpair += "shell:priv-lvl=15",
> >     Filter-Id = ":group_name=neteng;"
> >
> > In /etc/raddb/sites-available/default config:
> > authorize {
> > ...
> > ldap-server-a
>
> It would help to describe what you're doing.
>
> If you've renamed the LDAP module, then the LDAP group information is in
> the <LDAP-NAME>-LDAP-Group attribute.
>
> See the Wiki for documentation. Just type "LDAP-Group" into the search
> bar. This is documented.
>
> Alan DeKok.
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 9 Aug 2021 07:33:19 +0200
> From: Dennis Schneck <dennis.schneck at schulergroup.com>
> To: <Freeradius-Users at lists.freeradius.org>
> Subject: How to Migrate (EAP) from: 2.1.xx to: 3.0.xx ?
> Message-ID: <75580212-287b-3cb9-1679-7d3bf5779af0 at schulergroup.com>
> Content-Type: text/plain; charset="utf-8"; format=flowed
>
>
> Hello,
>
> I am new in freeradius, should build a new system with the config of a
> 2.1.12.
> Did not find config parameters from /etc/raddb/eap.conf in the
> /etc/raddb/policy.d/eap
>
> Where can I find how to migrate from Version 2.1.12 to 3.0.21
>
> Thanks
>
>
> /etc/raddb/eap.conf
>
> eap {
>
> default_eap_type = peap
>
> timer_expire = 60
>
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = no
>
> md5 {
> }
>
> tls {
>
> private_key_password = password
>
> private_key_file = ${raddbdir}/certs/my/key.pem
> certificate_file = ${raddbdir}/certs/my/server.pem
> # Trusted Root CA list
> CA_file = ${raddbdir}/certs/my/our.pem
>
> dh_file = ${raddbdir}/certs/my/DH
> random_file = ${raddbdir}/certs/my/random
> #random_file = /dev/urandom
> fragment_size = 1024
>
> include_length = yes
> #check_crl = yes
>
> }
> peap {
> default_eap_type = mschapv2
> #VIRTUAL_SERVER = "inner-Tunnel"
> #scopy_request_to_tunnel = yes
> #use_tunneled_reply = yes
> #proxy_tunneled_request_as_eap = yes
> }
> mschapv2 {
> }
> }
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 9 Aug 2021 11:18:57 +0200
> From: Dennis Schneck <dennis.schneck at schulergroup.com>
> To: <Freeradius-Users at lists.freeradius.org>
> Subject: missing shared objects - proto_auth.so & proto_acct.so - on
> openSuSE LEAP 15.3
> Message-ID: <1aa004d4-3e29-eab2-486d-49537bd90f68 at schulergroup.com>
> Content-Type: text/plain; charset="utf-8"; format=flowed
>
>
> Hello,
>
> installed freeradius 3.0.21 on OpenSuSE LEAP 15.3.
>
> created the certificates. (cd /etc/raddb/certs && ./bootstrap)
>
> Checked then the config with: radiusd -XXX
>
>
> there are 2 shared objects missing...
>
> /usr/lib64/freeradius/proto_auth.so
> /usr/lib64/freeradius/proto_acct.so
>
> But can not find this shared objects to install....
>
> How to fix this ?
>
> Thanks
>
>
>
>
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 196, Issue 9
> ************************************************
>
--
Best Regards,
Valeriy Kayukov
System Engineer
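
Added example (not part of the original post, and not FreeRADIUS code): a brace-nesting check for a virtual-server file. In the configuration posted at the top of this message, authenticate { is still open when preacct { begins, and the check reports that kind of nesting on a constructed reduction of that file. The function name, the TOP_LEVEL set and the sample text are assumptions of this example.

```python
import re

# Sections the stock v3 sites-available/default keeps directly under
# "server {" (assumed here to be the intended layout).
TOP_LEVEL = {"authorize", "authenticate", "preacct", "accounting",
             "session", "post-auth", "pre-proxy", "post-proxy"}

def misplaced_sections(text):
    """Return (line, section, parent) for sections opened in the wrong place."""
    stack, hits = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Drop quoted strings, ${...}/%{...} expansions and '#' comments so
        # that only structural braces remain.
        line = re.sub(r'"[^"]*"|\'[^\']*\'|[$%]\{[^}]*\}', "", raw)
        head = ""
        for ch in line.split("#", 1)[0]:
            if ch not in "{}":
                head += ch
                continue
            name, head = head.strip(), ""
            if ch == "}":
                if not stack:
                    raise ValueError(f"line {lineno}: '}}' closes nothing")
                stack.pop()
                continue
            if name in TOP_LEVEL and stack and stack[-1].split()[:1] != ["server"]:
                hits.append((lineno, name, stack[-1]))
            stack.append(name)
    if stack:
        raise ValueError(f"unclosed at end of file: {stack}")
    return hits

# Constructed reduction of the posted sites-enabled/default (not the full file).
SAMPLE = """\
server {
authorize {
preprocess
}
authenticate {
eap
preacct {
acct_unique
}
}
}
"""

if __name__ == "__main__":
    for lineno, name, parent in misplaced_sections(SAMPLE):
        print(f"line {lineno}: '{name}' is opened inside '{parent}'")
```
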