FreeRadius and FreeIpa integration not working in our Lab setup
Krishna Chaitanya
krishna.chaitanya at qi-cap.com
Wed Jul 13 09:52:02 UTC 2022
Matthew,
Not really. Somehow, I missed reading all of the debug report.
I am very new to Linux and am having a hard time interpreting all of the debug
report.
However, after going through the errors:
1. I can say that the username is not being used twice. I even created
another user profile with username "krishnachaitanya" and am getting the same
error message when running the radtest.
2. In the next test run, I modified the "base_dn" details to
'O=QI-CAP.COM,CN=Certificate Authority' and the test resulted in the error
below. After reviewing the highlighted errors, I find them confusing and am
not really sure of the fix for these errors. As far as I know, PAP can read
only clear text passwords, and in my case the passwords are not encrypted when
running the radtest command as "radtest krishnachaitanya Freeip at 1234
122.1.5.84 1812 testing123", so I am not sure why I am seeing PAP password
errors.
3. And I am not sure why I am seeing the messages "(0) ldap: Waiting for
search result...
(0) ldap: The specified DN wasn't found
(0) ldap: Search returned no results" when "rlm_ldap bind is successful".
Is there any relation between them?
Please help!
Ready to process requests
(0) Received Access-Request Id 252 from 122.1.5.84:55576 to 122.1.5.84:1812 length 86
(0) User-Name = "krishnachaitanya"
(0) User-Password = "Freeip at 1234"
(0) NAS-IP-Address = 122.1.5.84
(0) NAS-Port = 1812
(0) Message-Authenticator = 0x7d7802787a4d84809dbcd42a46873fe6
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "krishnachaitanya", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap: --> (uid=krishnachaitanya)
(0) ldap: Performing search in "O=QI-CAP.COM,CN=Certificate Authority" with filter "(uid=krishnachaitanya)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: The specified DN wasn't found
(0) ldap: Search returned no results
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldap://122.1.5.84:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0) [ldap] = notfound
(0) if ((ok || updated) && User-Password) {
(0) if ((ok || updated) && User-Password) -> FALSE
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> krishnachaitanya
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 252 from 122.1.5.84:1812 to 122.1.5.84:55576 length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 252 with timestamp +5
Ready to process requests
Krishna Chaitanya Ala
Network and Operations Engineer
On Fri, 8 Jul 2022 at 16:27, Matthew Newton <mcn at freeradius.org> wrote:
>
>
> On 08/07/2022 11:45, Krishna Chaitanya wrote:
> >
> > # search result
> > search: 2
> > result: 0 Success
> >
> > # numResponses: 3
> > # numEntries: 2
>
>
> > (0) ldap: ERROR: Ambiguous search result, returned 2 unsorted entries (should return 1 or 0). Enable sorting, or specify a more restrictive base_dn, filter or scope
> > (0) ldap: ERROR: The following entries were returned:
> > (0) ldap: ERROR: uid=admin,cn=users,cn=compat,dc=qi-cap,dc=com
> > (0) ldap: ERROR: uid=admin,cn=users,cn=accounts,dc=qi-cap,dc=com
> > rlm_ldap (ldap): Released connection (0)
> > Need 5 more connections to reach 10 spares
>
>
> Did you read the debug output?
>
> You have two users with the same uid. FreeRADIUS won't have any idea
> which one you want.
>
> So you need to either not use the same username twice, or configure
> FreeRADIUS with a more restrictive base DN so that it only finds one of
> them.
>
> --
> Matthew
>
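A small triage script, added here as an example and not part of the thread, that walks `radiusd -X` output like the trace above and reports why no Auth-Type was set: it pulls out the base_dn, filter and scope the ldap module searched with, whether the module's own bind succeeded, the `[ldap]` return code and the PAP "known good" warning, and also recognises the ambiguous-result case from Matthew's earlier reply. The sample lines are a constructed excerpt of the trace in this message.

```python
import re

# Constructed excerpt modelled on the radiusd -X trace quoted in this thread (not the full trace)
SAMPLE_DEBUG = """\
(0) User-Name = "krishnachaitanya"
(0) ldap: Performing search in "O=QI-CAP.COM,CN=Certificate Authority" with filter "(uid=krishnachaitanya)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: The specified DN wasn't found
(0) ldap: Search returned no results
rlm_ldap (ldap): Bind successful
(0) [ldap] = notfound
(0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(0) [pap] = noop
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
"""

SEARCH_RE = re.compile(r'ldap: Performing search in "([^"]+)" with filter "([^"]+)", scope "(\w+)"')
RESULT_RE = re.compile(r'\[ldap\] = (\w+)')
USER_RE = re.compile(r'User-Name = "([^"]*)"')

def diagnose(debug_text):
    """Walk one request's debug lines and explain why the user was rejected."""
    r = {"user": None, "base_dn": None, "filter": None, "scope": None,
         "bind_ok": False, "ldap_result": None, "ambiguous": False,
         "pap_known_good": True, "rejected": False, "verdict": "ok"}
    for line in debug_text.splitlines():
        if (m := USER_RE.search(line)) and r["user"] is None:
            r["user"] = m.group(1)
        elif m := SEARCH_RE.search(line):
            r["base_dn"], r["filter"], r["scope"] = m.groups()
        elif "Bind successful" in line:
            r["bind_ok"] = True          # the module's service bind, not the user's credentials
        elif m := RESULT_RE.search(line):
            r["ldap_result"] = m.group(1)
        elif "Ambiguous search result" in line:
            r["ambiguous"] = True
        elif 'No "known good" password' in line:
            r["pap_known_good"] = False  # pap needs a reference password from a module like ldap
        elif "No Auth-Type found" in line:
            r["rejected"] = True
    if r["ambiguous"]:
        r["verdict"] = "ambiguous"       # filter matched more than one entry: narrow base_dn/filter/scope
    elif r["ldap_result"] == "notfound" and not r["pap_known_good"]:
        r["verdict"] = "no_entry"        # bind was fine; the search under base_dn found no user entry
    elif r["rejected"]:
        r["verdict"] = "no_auth_type"
    return r
```

Running `diagnose(SAMPLE_DEBUG)` yields the verdict `no_entry`, which is the situation in this message: the ldap bind succeeds, but nothing under the configured base_dn matches the filter, so pap never receives a reference password and the request is rejected.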