FreeRadius and FreeIpa integration not working in our Lab setup
Krishna Chaitanya
krishna.chaitanya at qi-cap.com
Fri Jul 8 10:45:01 UTC 2022
Matthew,
Thanks very much for the response.
I have tried running the same after the suggested changes and below is what
I am seeing.
=================================================================================
[admin at radiustest ~]$ ldapsearch -x uid=admin
# extended LDIF
#
# LDAPv3
# base <dc=qi-cap,dc=com> (default) with scope subtree
# filter: uid=admin
# requesting: ALL
#
# admin, users, compat, qi-cap.com
dn: uid=admin,cn=users,cn=compat,dc=qi-cap,dc=com
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gecos: Administrator
cn: Administrator
uidNumber: 1283800000
gidNumber: 1283800000
loginShell: /bin/bash
homeDirectory: /home/admin
ipaAnchorUUID::
OklQQTpxaS1jYXAuY29tOmJjMzM0NDcyLWY2YzQtMTFlYy1iNjY4LTA4MDAyNz
M2ZWMzOQ==
uid: admin
# admin, users, accounts, qi-cap.com
dn: uid=admin,cn=users,cn=accounts,dc=qi-cap,dc=com
objectClass: top
objectClass: person
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: inetuser
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: ipaNTUserAttrs
objectClass: ipauserauthtypeclass
objectClass: ipatokenradiusproxyuser
uid: admin
cn: Administrator
sn: Administrator
uidNumber: 1283800000
gidNumber: 1283800000
homeDirectory: /home/admin
loginShell: /bin/bash
gecos: Administrator
ipaNTSecurityIdentifier: S-1-5-21-2716401607-2924185208-1841578509-500
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
==================================================================================================================================
Ready to process requests
(0) Received Access-Request Id 0 from 122.1.5.84:44216 to 122.1.5.84:1812 length 75
(0) User-Name = "admin"
(0) User-Password = "Freeip at 1234"
(0) NAS-IP-Address = 122.1.5.84
(0) NAS-Port = 1812
(0) Message-Authenticator = 0xdd3ddd98c48416cc471cdb5dd5fd527e
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "admin", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap: --> (uid=admin)
(0) ldap: Performing search in "dc=QI-CAP,dc=COM" with filter "(uid=admin)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: ERROR: Ambiguous search result, returned 2 unsorted entries (should return 1 or 0). Enable sorting, or specify a more restrictive base_dn, filter or scope
(0) ldap: ERROR: The following entries were returned:
(0) ldap: ERROR: uid=admin,cn=users,cn=compat,dc=qi-cap,dc=com
(0) ldap: ERROR: uid=admin,cn=users,cn=accounts,dc=qi-cap,dc=com
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldap://localhost:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0) [ldap] = invalid
(0) } # authorize = invalid
(0) Invalid user (ldap: Ambiguous search result, returned 2 unsorted entries (should return 1 or 0). Enable sorting, or specify a more restrictive base_dn, filter or scope): [admin] (from client localhost port 1812)
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> admin
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.1 seconds.
Waking up in 0.8 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 0 from 122.1.5.84:1812 to 122.1.5.84:44216 length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 0 with timestamp +3
Ready to process requests
=================================================
Thanks
Krishna Chaitanya Ala
Network and Operations Engineer
QI Cap Markets LLP
Bangalore, Karnataka
Slack : krishna.chaitanya at qi-cap.com
On Fri, 8 Jul 2022 at 15:34, Matthew Newton <mcn at freeradius.org> wrote:
>
>
> On 08/07/2022 10:48, Krishna Chaitanya wrote:
> > rlm_ldap (ldap): Reserved connection (0)
> > (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> > (0) ldap: --> (uid=admin)
> > (0) ldap: Performing search in "dc=example,dc=org" with filter
> > "(uid=admin)", scope "sub"
> > (0) ldap: Waiting for search result...
> > (0) ldap: The specified DN wasn't found
>
> You've not configured mods-enabled/ldap with your own local settings for
> base_dn, so searches for example.org (the default) are failing.
>
> Test your local settings with ldapsearch to make sure you get LDAP
> search results back as expected, and then put them into mods-enabled/ldap.
>
> --
> Matthew
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
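An added example, not taken from the thread above or from the FreeRADIUS project's shipped configuration: the debug log shows rlm_ldap searching the whole `dc=qi-cap,dc=com` tree with scope `sub`, so `(uid=admin)` matches both the FreeIPA compat entry under `cn=compat` and the real account entry under `cn=accounts`, and the module refuses the ambiguous result. The error text itself suggests a more restrictive `base_dn`, and the `ldapsearch` output shows which of the two DNs is the account entry. The snippet below is a FreeRADIUS 3.x `mods-enabled/ldap` fragment with the broad base beside the narrowed one; the server URL and filter are copied from the log, and the `user { }` layout follows the 3.x `mods-available/ldap` template.

```conf
# Added example: FreeRADIUS 3.x mods-enabled/ldap fragment.
# Values marked "from the log" come from the debug output in this thread.
ldap {
	server = 'ldap://localhost:389'          # from the log

	# Too broad: every subtree of the FreeIPA directory is searched, so
	# uid=admin is found under both cn=compat and cn=accounts and rlm_ldap
	# reports "Ambiguous search result, returned 2 unsorted entries".
	#base_dn = 'dc=qi-cap,dc=com'

	# Restricted to the FreeIPA accounts tree: (uid=admin) now matches
	# exactly one entry, uid=admin,cn=users,cn=accounts,dc=qi-cap,dc=com
	base_dn = 'cn=users,cn=accounts,dc=qi-cap,dc=com'

	user {
		# Search for users below the module-level base_dn above.
		base_dn = "${..:base_dn}"
		# Same filter the log shows being expanded to (uid=admin).
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
}
```

Following the advice in the quoted reply, verify the narrowed base with the same tool before restarting radiusd: `ldapsearch -x -b 'cn=users,cn=accounts,dc=qi-cap,dc=com' uid=admin` should return a single `dn:` line (the `cn=accounts` entry) rather than the two entries shown at the top of this message. If a search must cover a base that contains both trees, the alternative the error message names is a more specific filter or scope rather than `sub` over the whole domain.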