FreeRadius and FreeIpa integration not working in our Lab setup

Michael Schwartzkopff ms at sys4.de
Wed Jul 13 09:55:12 UTC 2022


On 13.07.22 11:52, Krishna Chaitanya wrote:
> Matthew,
> Not really. Somehow, I missed reading all of the debug report.
> I am very new to Linux and having a hard time interpreting all of the debug
> report.
> However, after going through the errors:
>
>     1. I can say that the username is not being used twice. Even created
>     another user profile with username "krishnachaitanya" and am getting the same
>     error message when running the radtest.
>     2. In the next test run, modified "base_dn" details as
> 'O=QI-CAP.COM,CN=Certificate
>     Authority' and the test resulted in the below error. After reviewing the
>     highlighted errors, finding it confusing to understand and not really sure
>     of the fix for these errors. As far as I know, PAP can read only clear text
>     passwords and in my case the passwords are not encrypted when running the
>     radtest command as "radtest krishnachaitanya *Freeip at 1234 *122.1.5.84
>     1812 testing123" and not sure why I am seeing PAP password errors.
>     3. And I am not sure why I am seeing the messages "(0) ldap: Waiting for
>     search result...
>     (0) ldap: The specified DN wasn't found
>     (0) ldap: Search returned no results" when "rlm_ldap bind is successful".
>     Is there any relation between them?
>
> *Please help!*
>
> [Ready to process requests
> (0) Received Access-Request Id 252 from 122.1.5.84:55576 to 122.1.5.84:1812
> length 86
> (0)   User-Name = "krishnachaitanya"
> (0)   User-Password = "Freeip at 1234"
> (0)   NAS-IP-Address = 122.1.5.84
> (0)   NAS-Port = 1812
> (0)   Message-Authenticator = 0x7d7802787a4d84809dbcd42a46873fe6
> (0) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (0)   authorize {
> (0)     policy filter_username {
> (0)       if (&User-Name) {
> (0)       if (&User-Name)  -> TRUE
> (0)       if (&User-Name)  {
> (0)         if (&User-Name =~ / /) {
> (0)         if (&User-Name =~ / /)  -> FALSE
> (0)         if (&User-Name =~ /@[^@]*@/ ) {
> (0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (0)         if (&User-Name =~ /\.\./ ) {
> (0)         if (&User-Name =~ /\.\./ )  -> FALSE
> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
> FALSE
> (0)         if (&User-Name =~ /\.$/)  {
> (0)         if (&User-Name =~ /\.$/)   -> FALSE
> (0)         if (&User-Name =~ /@\./)  {
> (0)         if (&User-Name =~ /@\./)   -> FALSE
> (0)       } # if (&User-Name)  = notfound
> (0)     } # policy filter_username = notfound
> (0)     [preprocess] = ok
> (0)     [chap] = noop
> (0)     [mschap] = noop
> (0)     [digest] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: No '@' in User-Name = "krishnachaitanya", looking up realm NULL
> (0) suffix: No such realm "NULL"
> (0)     [suffix] = noop
> (0) eap: No EAP-Message, not doing EAP
> (0)     [eap] = noop
> (0)     [files] = noop
> rlm_ldap (ldap): Reserved connection (0)
> (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (0) ldap:    --> (uid=krishnachaitanya)
> (0) ldap: Performing search in "O=QI-CAP.COM,CN=Certificate Authority" with
> filter "(uid=krishnachaitanya)", scope "sub"
> (0) ldap: Waiting for search result...
> (0) ldap: The specified DN wasn't found
> (0) ldap: Search returned no results
> rlm_ldap (ldap): Released connection (0)
> Need 5 more connections to reach 10 spares
> rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://122.1.5.84:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> (0)     [ldap] = notfound
> (0)     if ((ok || updated) && User-Password) {
> (0)     if ((ok || updated) && User-Password)  -> FALSE
> (0)     [expiration] = noop
> (0)     [logintime] = noop
> (0) pap: WARNING: No "known good" password found for the user.  Not setting
> Auth-Type
> (0) pap: WARNING: Authentication will fail unless a "known good" password
> is available
> (0)     [pap] = noop
> (0)   } # authorize = ok
> (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
> Reject
> (0) Failed to authenticate the user
> (0) Using Post-Auth-Type Reject
> (0) # Executing group from file /etc/raddb/sites-enabled/default
> (0)   Post-Auth-Type REJECT {
> (0) attr_filter.access_reject: EXPAND %{User-Name}
> (0) attr_filter.access_reject:    --> krishnachaitanya
> (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (0)     [attr_filter.access_reject] = updated
> (0)     [eap] = noop
> (0)     policy remove_reply_message_if_eap {
> (0)       if (&reply:EAP-Message && &reply:Reply-Message) {
> (0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> (0)       else {
> (0)         [noop] = noop
> (0)       } # else = noop
> (0)     } # policy remove_reply_message_if_eap = noop
> (0)   } # Post-Auth-Type REJECT = updated
> (0) Delaying response for 1.000000 seconds
> Waking up in 0.2 seconds.
> Waking up in 0.7 seconds.
> (0) Sending delayed response
> (0) Sent Access-Reject Id 252 from 122.1.5.84:1812 to 122.1.5.84:55576
> length 20
> Waking up in 3.9 seconds.
> (0) Cleaning up request packet ID 252 with timestamp +5
> Ready to process requests
>
>
> *Krishna Chaitanya Ala*
> *Network and Operations Engineer*
>
>
>
> On Fri, 8 Jul 2022 at 16:27, Matthew Newton <mcn at freeradius.org> wrote:
>
>>
>> On 08/07/2022 11:45, Krishna Chaitanya wrote:
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 3
>>> # numEntries: 2
>>
>>> *(0) ldap: ERROR: Ambiguous search result, returned 2 unsorted entries
>>> (should return 1 or 0).  Enable sorting, or specify a more restrictive
>>> base_dn, filter or scope(0) ldap: ERROR: The following entries were
>>> returned:(0) ldap:   ERROR:
>>> uid=admin,cn=users,cn=compat,dc=qi-cap,dc=com(0) ldap:   ERROR:
>>> uid=admin,cn=users,cn=accounts,dc=qi-cap,dc=com*
>>> rlm_ldap (ldap): Released connection (0)
>>> Need 5 more connections to reach 10 spares
>>
>> Did you read the debug output?
>>
>> You have two users with the same uid. FreeRADIUS won't have any idea
>> which one you want.
>>
>> So you need to either not use the same username twice, or configure
>> FreeRADIUS with a more restrictive base DN so that it only finds one of
>> them.
>>
>> --
>> Matthew
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>



(0) ldap: Performing search in "O=QI-CAP.COM,CN=Certificate Authority" with
filter "(uid=krishnachaitanya)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: The specified DN wasn't found
(0) ldap: Search returned no results

The user is not found in the LDAP. Do you use uid? or cn? Wrong part of the tree? What is the LDIF of your user?
Can you do a manual ldapsearch for the user?
  

Best regards,

-- 

[*] sys4 AG
  
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
  
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
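The manual ldapsearch suggested above, as an added example that is not part of the thread and not FreeRADIUS or FreeIPA project code. It builds the same search rlm_ldap performs (base DN, sub scope, `(uid=...)` filter) so the result can be compared with the debug output, and classifies the returned LDIF the way the module does: zero entries is the "Search returned no results" case from the second debug run, two or more is the "Ambiguous search result" case from the first. The server address is the one in the debug output; the bind DN and the base DN `cn=users,cn=accounts,dc=qi-cap,dc=com` are assumptions based on the standard FreeIPA layout (real user entries live under `cn=accounts`, the `cn=compat` subtree mirrors them, which is why a search from the domain root returned `uid=admin` twice). The `mods-available/ldap` path named in the advice is the standard FreeRADIUS 3 location of the `ldap` module configuration, where the `base_dn` value from the thread is set.

```shell
#!/bin/sh
# Added example, not from the list thread. Reproduces by hand the LDAP search
# that FreeRADIUS rlm_ldap runs, then classifies the result as the module would.
# Assumed values (adjust to your directory): the bind DN and the FreeIPA
# accounts subtree used as base DN. The server address is from the debug output.
LDAP_URI="ldap://122.1.5.84:389"
BIND_DN="uid=admin,cn=users,cn=accounts,dc=qi-cap,dc=com"
# Real FreeIPA user entries live under cn=users,cn=accounts. The cn=compat
# subtree mirrors them, so searching from dc=qi-cap,dc=com returns each uid
# twice, which is the "Ambiguous search result" error seen in the thread.
BASE_DN="cn=users,cn=accounts,dc=qi-cap,dc=com"

# Print the ldapsearch command for one uid, ready to paste. -LLL gives bare
# LDIF, -W prompts for the bind password, "dn" requests only the entry DN.
ldap_user_search_cmd() {
    printf 'ldapsearch -LLL -H "%s" -D "%s" -W -b "%s" -s sub "(uid=%s)" dn\n' \
        "$LDAP_URI" "$BIND_DN" "$BASE_DN" "$1"
}

# Read LDIF from stdin and report what rlm_ldap would conclude from it:
# notfound (0 entries), ok (exactly 1), ambiguous (2 or more).
classify_ldif() {
    n=$(grep -c '^dn:' || true)
    case "$n" in
        0) echo notfound ;;
        1) echo ok ;;
        *) echo ambiguous ;;
    esac
}

# Turn the classification into the fix the thread arrives at.
advise() {
    case "$1" in
        notfound)  echo "No entry under base_dn: wrong subtree, or the user is keyed by cn rather than uid" ;;
        ok)        echo "One entry: base_dn and filter are usable in mods-available/ldap" ;;
        ambiguous) echo "Several entries: narrow base_dn (e.g. cn=users,cn=accounts,...) or the filter" ;;
    esac
}

# Usage: sh check_ldap_user.sh [uid]   (uid defaults to the one in the thread)
uid="${1:-krishnachaitanya}"
ldap_user_search_cmd "$uid"
# On a host with ldap-utils installed, uncomment to run the search and classify it:
# eval "$(ldap_user_search_cmd "$uid") | classify_ldif"
```

Run the printed command against the server; if it returns nothing, the base DN points at the wrong subtree or the user is not keyed by `uid`, and if it returns two DNs (one under `cn=compat`, one under `cn=accounts`) the base DN must be narrowed, exactly as the thread concludes.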


