Freeradius-Users Digest, Vol 196, Issue 9
Valery Kayukov
kayukovvalery at gmail.com
Mon Aug 9 19:28:08 CEST 2021
Alan,
I found that I haven't closed the authentication section in the right
place. But I still have an error:
Mon Aug 9 17:25:06 2021 : Error: /etc/raddb/sites-enabled/default[62]:
Unknown attribute 'Ldap-Group'
Where and how do I use LDAP groups? Could you please help me to craft this
section?
Best regards,
Valery
On Mon, 9 Aug 2021 at 18:04, Valery Kayukov <kayukovvalery at gmail.com> wrote:
> Hi Alan,
>
> I am trying to upgrade freeradius from version 2.0 to 3.0.17.
>
> Now I have this error:
> Mon Aug 9 17:00:32 2021 : Debug: # Loading authenticate {...}
> Mon Aug 9 17:00:32 2021 : Debug: eap
> Mon Aug 9 17:00:32 2021 : Error: /etc/raddb/sites-enabled/default[20]:
> Errors parsing preacct sub-section.
>
> Here is the section:
> server {
> authorize {
> preprocess
> chap
> mschap
> # digest
> suffix
> eap {
> ok = return
> }
> files
> redundant-load-balance {
> ldap-server-a
> ldap-server-b
> }
> expiration
> logintime
> pap
> }
> authenticate {
> Auth-Type PAP {
> pap
> }
> Auth-Type CHAP {
> chap
> }
> Auth-Type MS-CHAP {
> mschap
> }
> # digest
> # unix
> eap
> Auth-Type LDAP {
> redundant-load-balance {
> ldap-server-a
> ldap-server-b
> }
> }
> preacct {
> preprocess
> acct_unique
> suffix
> files
> }
> }
> accounting {
> detail
> # unix
> radutmp
> exec
> attr_filter.accounting_response
> }
> session {
> radutmp
> }
> post-auth {
> exec
> Post-Auth-Type REJECT {
> attr_filter.access_reject
> }
> #LDAP B Service
> if !(&Ldap-Group == "cn=scaler_vip,ou=resource
> groups,ou=Groups,dc= company ,dc=net") {
> update reply {
> Service-Type = "Administrative-User",
> Citrix-Group += "dwansible_netscaler_vip",
> Fall-Through = Yes
> }
> }
> #LDAP A Service
> elsif !(&Ldap-Group == "cn=scaler_service,ou=resource
> groups,ou=Groups,dc=company,dc=net") {
> update reply {
> Service-Type = "Administrative-User",
> Citrix-Group += "scaler_service"
> }
> }
> else {
> reject
> }
> }
> pre-proxy {
> }
> post-proxy {
> eap
> }
> }
>
> Could you please help me understand what is wrong, where to place the LDAP
> group check and what the syntax is.
>
> Best regards,
> Valery
>
> On Mon, 9 Aug 2021 at 11:00, <freeradius-users-request at lists.freeradius.org> wrote:
>
>> Send Freeradius-Users mailing list submissions to
>> freeradius-users at lists.freeradius.org
>>
>> To subscribe or unsubscribe via the World Wide Web, visit
>> http://lists.freeradius.org/mailman/listinfo/freeradius-users
>> or, via email, send a message with subject or body 'help' to
>> freeradius-users-request at lists.freeradius.org
>>
>> You can reach the person managing the list at
>> freeradius-users-owner at lists.freeradius.org
>>
>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of Freeradius-Users digest..."
>>
>>
>> Today's Topics:
>>
>> 1. Re: Freeradius-Users Digest, Vol 196, Issue 8 (Valery Kayukov)
>> 2. Re: Freeradius-Users Digest, Vol 196, Issue 8 (Alan DeKok)
>> 3. How to Migrate (EAP) from: 2.1.xx to: 3.0.xx ? (Dennis Schneck)
>> 4. missing shared objects - proto_auth.so & proto_acct.so - on
>> openSuSE LEAP 15.3 (Dennis Schneck)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Sun, 8 Aug 2021 12:44:38 +0100
>> From: Valery Kayukov <kayukovvalery at gmail.com>
>> To: freeradius-users at lists.freeradius.org
>> Subject: Re: Freeradius-Users Digest, Vol 196, Issue 8
>> Message-ID: <CAAoKmEsmGHkTC-AV+8Dm1fG7xxVa_8qc_SkDOc4txuwJ-61DBw at mail.gmail.com>
>> Content-Type: text/plain; charset="UTF-8"
>>
>> Hi Alan,
>>
>> Thank you for your help. By the way, I use version 3.0.17. I have fixed that
>> but still have this problem with LDAP groups:
>> Sun Aug 8 11:36:22 2021 : Debug: # Instantiating module "files" from
>> file /etc/raddb/mods-enabled/files
>> Sun Aug 8 11:36:22 2021 : Debug: reading pairlist file
>> /etc/raddb/mods-config/files/authorize
>> Sun Aug 8 11:36:22 2021 : Error:
>> /etc/raddb/mods-config/files/authorize[10]: Parse error (check) for entry
>> DEFAULT: Unknown name "LDAP-Group"
>> Sun Aug 8 11:36:22 2021 : Error: Failed reading
>> /etc/raddb/mods-config/files/authorize
>> Sun Aug 8 11:36:22 2021 : Error: /etc/raddb/mods-enabled/files[9]:
>> Instantiation failed for module "files"
>>
>> I have read the /etc/raddb/README.rst file about LDAP-Group but still not
>> getting how to apply it.
>>
>> In the /etc/raddb/mods-config/files/authorize file I have the following:
>> #LDAP NetEng team members
>> DEFAULT LDAP-Group == "cn=neteng,ou=system
>> groups,ou=Groups,dc=company,dc=net"
>> Service-Type = "Administrative-User",
>> cisco-avpair := "shell:roles=network-admin,vdc-admin",
>> cisco-avpair += "shell:priv-lvl=15",
>> Filter-Id = ":group_name=neteng;"
>>
>> In /etc/raddb/sites-available/default config:
>> authorize {
>> ...
>> ldap-server-a
>> if ((ok || updated) && User-Password) {
>> update control {
>> Auth-Type := ldap
>> }
>> }
>> ldap-server-b
>> if ((ok || updated) && User-Password) {
>> update control {
>> Auth-Type := ldap
>> }
>> }
>> ...
>> }
>> authenticate {
>> ...
>> redundant {
>> location1
>> location2
>> }
>> ...
>> }
>>
>> In /etc/raddb/mods-available/ldap config:
>> ldap ldap-server-a {
>> server = "ldap-a.company.net"
>> basedn = "dc=company,dc=net"
>> }
>> ...
>> }
>>
>> ldap ldap-server-b {
>> server = "ldap-b.company.net"
>> basedn = "dc=company,dc=net"
>> ...
>> }
>>
>> How do I convert the config in the file /etc/raddb/mods-config/files/authorize to v3?
>>
>> Best regards,
>> Valeriy
>>
>> On Sun, 8 Aug 2021 at 11:00, <freeradius-users-request at lists.freeradius.org> wrote:
>>
>> >
>> > Today's Topics:
>> >
>> > 1. Parse error (check) for entry DEFAULT: Unknown name
>> > "LDAP-Group" (Valery Kayukov)
>> > 2. Re: Parse error (check) for entry DEFAULT: Unknown name
>> > "LDAP-Group" (Alan DeKok)
>> >
>> >
>> > ----------------------------------------------------------------------
>> >
>> > Message: 1
>> > Date: Sat, 7 Aug 2021 13:00:11 +0100
>> > From: Valery Kayukov <kayukovvalery at gmail.com>
>> > To: freeradius-users at lists.freeradius.org
>> > Subject: Parse error (check) for entry DEFAULT: Unknown name
>> > "LDAP-Group"
>> > Message-ID: <CAAoKmEsJSQ4ZMxM5UxEbwHks_4JyzfejTe6spjhJZeBEyS6ThQ at mail.gmail.com>
>> > Content-Type: text/plain; charset="UTF-8"
>> >
>> > Hi team,
>> >
>> > I am new to the freeRADIUS project. I can't start my server; it returns an
>> > error message:
>> > Sat Aug 7 11:48:24 2021 : Debug: # Instantiating module "files" from
>> > file /etc/raddb/mods-enabled/files
>> > Sat Aug 7 11:48:24 2021 : Debug: reading pairlist file
>> > /etc/raddb/mods-config/files/authorize
>> > Sat Aug 7 11:48:24 2021 : Error:
>> > /etc/raddb/mods-config/files/authorize[10]: Parse error (check) for entry
>> > DEFAULT: Unknown name "LDAP-Group"
>> > Sat Aug 7 11:48:24 2021 : Error: Failed reading
>> > /etc/raddb/mods-config/files/authorize
>> > Sat Aug 7 11:48:24 2021 : Error: /etc/raddb/mods-enabled/files[9]:
>> > Instantiation failed for module "files"
>> >
>> > Here is configuration file /etc/raddb/mods-config/files/authorize:
>> > #LDAP Rancid service account
>> > rancid LDAP-UserDN :=
>> > `uid=rancid,ou=services,ou=Accounts,dc=company,dc=net`
>> > Service-Type = "NAS-Prompt-User",
>> > cisco-avpair := "optional shell:roles=rancid,network-operator",
>> > cisco-avpair += "shell:priv-lvl=15",
>> > Juniper-Local-User-Name := "rancid",
>> > Citrix-Group = "rancid"
>> >
>> > #LDAP Apple team members
>> > DEFAULT LDAP-Group == "cn=apple,ou=system groups,ou=Groups,dc=
>> > company,dc=net"
>> > Service-Type = "Administrative-User",
>> > cisco-avpair := "shell:roles=network-admin,vdc-admin",
>> > cisco-avpair += "shell:priv-lvl=15",
>> > Juniper-Local-User-Name := "apple",
>> > Citrix-Group = "apple",
>> > Filter-Id = ":group_name=apple;"
>> >
>> > What is wrong here?
>> >
>> > --
>> > Best Regards,
>> > Valeriy Kayukov
>> > System Engineer
>> >
>> >
>> > ------------------------------
>> >
>> > Message: 2
>> > Date: Sat, 7 Aug 2021 09:44:01 -0400
>> > From: Alan DeKok <aland at deployingradius.com>
>> > To: FreeRadius users mailing list
>> > <freeradius-users at lists.freeradius.org>
>> > Subject: Re: Parse error (check) for entry DEFAULT: Unknown name
>> > "LDAP-Group"
>> > Message-ID: <8F938E67-BB0D-4459-8968-2EE5B10CFCEE at deployingradius.com>
>> > Content-Type: text/plain; charset=us-ascii
>> >
>> > On Aug 7, 2021, at 8:00 AM, Valery Kayukov <kayukovvalery at gmail.com>
>> > wrote:
>> > >
>> > > I am new to the freeRADIUS project. I can't start my server; it returns an
>> > > error message:
>> > > Sat Aug 7 11:48:24 2021 : Debug: # Instantiating module "files" from
>> > > file /etc/raddb/mods-enabled/files
>> > > Sat Aug 7 11:48:24 2021 : Debug: reading pairlist file
>> > > /etc/raddb/mods-config/files/authorize
>> > > Sat Aug 7 11:48:24 2021 : Error:
>> > > /etc/raddb/mods-config/files/authorize[10]: Parse error (check) for entry
>> > > DEFAULT: Unknown name "LDAP-Group"
>> >
>> > You haven't enabled the LDAP module.
>> >
>> > Or, depending on the local file system, you may need to edit
>> > radiusd.conf to load the "ldap" module early:
>> >
>> > instantiate {
>> > ...
>> > ldap
>> > }
>> >
>> > This is documented in the comments before the "instantiate" section.
>> >
>> > Alan DeKok.
>> >
>> >
>> >
>> >
>> > ------------------------------
>> >
>> > Subject: Digest Footer
>> >
>> > -
>> > List info/subscribe/unsubscribe? See
>> > http://www.freeradius.org/list/users.html
>> >
>> > ------------------------------
>> >
>> > End of Freeradius-Users Digest, Vol 196, Issue 8
>> > ************************************************
>> >
>>
>>
>> --
>> Best Regards,
>> Valeriy Kayukov
>> System Engineer
>>
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Sun, 8 Aug 2021 08:13:02 -0400
>> From: Alan DeKok <aland at deployingradius.com>
>> To: FreeRadius users mailing list
>> <freeradius-users at lists.freeradius.org>
>> Subject: Re: Freeradius-Users Digest, Vol 196, Issue 8
>> Message-ID: <1E9CA5AA-E8CD-42F3-8E16-F84327D985B4 at deployingradius.com>
>> Content-Type: text/plain; charset=us-ascii
>>
>> On Aug 8, 2021, at 7:44 AM, Valery Kayukov <kayukovvalery at gmail.com>
>> wrote:
>> >
>> > Thank you for your help. By the way I use 3.0.17 version.
>>
>> You should really upgrade. We have packages for 3.0.23 on
>> http://packages.networkradius.com
>>
>> > I have fixed that
>> > but still have this problem with LDAP groups:
>> > Sun Aug 8 11:36:22 2021 : Debug: # Instantiating module "files" from
>> > file /etc/raddb/mods-enabled/files
>> > Sun Aug 8 11:36:22 2021 : Debug: reading pairlist file
>> > /etc/raddb/mods-config/files/authorize
>> > Sun Aug 8 11:36:22 2021 : Error:
>> > /etc/raddb/mods-config/files/authorize[10]: Parse error (check) for entry
>> > DEFAULT: Unknown name "LDAP-Group"
>> > Sun Aug 8 11:36:22 2021 : Error: Failed reading
>> > /etc/raddb/mods-config/files/authorize
>> > Sun Aug 8 11:36:22 2021 : Error: /etc/raddb/mods-enabled/files[9]:
>> > Instantiation failed for module "files"
>> >
>> > I have read the /etc/raddb/README.rst file about LDAP-Group but still not
>> > getting how to apply it.
>> >
>> > In /etc/raddb/mods-config/files/authorize file I have following:
>> > #LDAP NetEng team members
>> > DEFAULT LDAP-Group == "cn=neteng,ou=system
>> > groups,ou=Groups,dc=company,dc=net"
>> > Service-Type = "Administrative-User",
>> > cisco-avpair := "shell:roles=network-admin,vdc-admin",
>> > cisco-avpair += "shell:priv-lvl=15",
>> > Filter-Id = ":group_name=neteng;"
>> >
>> > In /etc/raddb/sites-available/default config:
>> > authorize {
>> > ...
>> > ldap-server-a
>>
>> It would help to describe what you're doing.
>>
>> If you've renamed the LDAP module, then the LDAP group information is
>> in the <LDAP-NAME>-LDAP-Group attribute.
>>
>> See the Wiki for documentation. Just type "LDAP-Group" into the search
>> bar. This is documented.
>>
>> Alan DeKok.
>>
>>
>>
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Mon, 9 Aug 2021 07:33:19 +0200
>> From: Dennis Schneck <dennis.schneck at schulergroup.com>
>> To: <Freeradius-Users at lists.freeradius.org>
>> Subject: How to Migrate (EAP) from: 2.1.xx to: 3.0.xx ?
>> Message-ID: <75580212-287b-3cb9-1679-7d3bf5779af0 at schulergroup.com>
>> Content-Type: text/plain; charset="utf-8"; format=flowed
>>
>>
>> Hello,
>>
>> I am new to freeradius and should build a new system with the config of a
>> 2.1.12.
>> I did not find the config parameters from /etc/raddb/eap.conf in
>> /etc/raddb/policy.d/eap.
>>
>> Where can I find how to migrate from version 2.1.12 to 3.0.21?
>>
>> Thanks
>>
>>
>> /etc/raddb/eap.conf
>>
>> eap {
>>
>> default_eap_type = peap
>>
>> timer_expire = 60
>>
>> ignore_unknown_eap_types = no
>> cisco_accounting_username_bug = no
>>
>> md5 {
>> }
>>
>> tls {
>>
>> private_key_password = password
>>
>> private_key_file = ${raddbdir}/certs/my/key.pem
>> certificate_file =
>> ${raddbdir}/certs/my/server.pem
>> # Trusted Root CA list
>> CA_file = ${raddbdir}/certs/my/our.pem
>>
>> dh_file = ${raddbdir}/certs/my/DH
>> random_file = ${raddbdir}/certs/my/random
>> #random_file = /dev/urandom
>> fragment_size = 1024
>>
>> include_length = yes
>> #check_crl = yes
>>
>> }
>> peap {
>> default_eap_type = mschapv2
>> #VIRTUAL_SERVER = "inner-Tunnel"
>> #scopy_request_to_tunnel = yes
>> #use_tunneled_reply = yes
>> #proxy_tunneled_request_as_eap = yes
>> }
>> mschapv2 {
>> }
>> }
>>
>>
>>
>>
>> ------------------------------
>>
>> Message: 4
>> Date: Mon, 9 Aug 2021 11:18:57 +0200
>> From: Dennis Schneck <dennis.schneck at schulergroup.com>
>> To: <Freeradius-Users at lists.freeradius.org>
>> Subject: missing shared objects - proto_auth.so & proto_acct.so - on
>> openSuSE LEAP 15.3
>> Message-ID: <1aa004d4-3e29-eab2-486d-49537bd90f68 at schulergroup.com>
>> Content-Type: text/plain; charset="utf-8"; format=flowed
>>
>>
>> Hello,
>>
>> I installed freeradius 3.0.21 on OpenSuSE LEAP 15.3.
>>
>> I created the certificates (cd /etc/raddb/certs && ./bootstrap).
>>
>> I then checked the config with: radiusd -XXX
>>
>>
>> There are 2 shared objects missing:
>>
>> /usr/lib64/freeradius/proto_auth.so
>> /usr/lib64/freeradius/proto_acct.so
>>
>> But I cannot find these shared objects to install...
>>
>> How do I fix this?
>>
>> Thanks
>>
>>
>>
>>
>>
>> ------------------------------
>>
>> ------------------------------
>>
>> End of Freeradius-Users Digest, Vol 196, Issue 9
>> ************************************************
>>
>
>
> --
> Best Regards,
> Valeriy Kayukov
> System Engineer
>
--
Best Regards,
Valeriy Kayukov
System Engineer
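As an added example that is not code from the thread, this is how the three files fit together in 3.0 once the ldap module is instanced as ldap-server-a and ldap-server-b, as Alan's reply describes: the group attribute becomes ldap-server-a-LDAP-Group, the instances are listed in instantiate so the files module can parse that name, and the post-auth branch tests positive membership so the Administrative-User reply reaches only members. The group DNs and attribute values are the ones posted in the thread; the section layout is assumed, not taken from any posted file.

```unlang
# radiusd.conf: load the renamed ldap instances before "files" reads
# mods-config/files/authorize; until then ldap-server-a-LDAP-Group
# does not exist and the pairlist parse fails with "Unknown name".
instantiate {
    ldap-server-a
    ldap-server-b
}

# mods-config/files/authorize: the instance name is part of the attribute.
# Plain "LDAP-Group" only exists when the instance is literally named "ldap".
DEFAULT ldap-server-a-LDAP-Group == "cn=neteng,ou=system groups,ou=Groups,dc=company,dc=net"
        Service-Type = "Administrative-User",
        cisco-avpair := "shell:roles=network-admin,vdc-admin",
        cisco-avpair += "shell:priv-lvl=15",
        Filter-Id = ":group_name=neteng;"

# sites-enabled/default: authenticate closes before preacct opens;
# preacct is a top-level section of the virtual server, not a sub-section.
authenticate {
    Auth-Type LDAP {
        redundant-load-balance {
            ldap-server-a
            ldap-server-b
        }
    }
    eap
}

preacct {
    preprocess
    acct_unique
    suffix
    files
}

post-auth {
    # Positive membership test: the privileged reply is sent only when the
    # user IS in the group; everyone else falls through to the reject.
    if (&ldap-server-a-LDAP-Group == "cn=scaler_vip,ou=resource groups,ou=Groups,dc=company,dc=net") {
        update reply {
            Service-Type = "Administrative-User",
            Citrix-Group += "dwansible_netscaler_vip"
        }
    }
    else {
        reject
    }
}
```

The membership lookup is performed by the instance named in the attribute, so ldap-server-b is not consulted for the group check here even though it is part of the redundant authentication block.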