LinuxQuestions.org

Linux - Server: freeradius ldap help required. (http://www.linuxquestions.org/questions/linux-server-73/freeradius-ldap-help-required-730198/)

tssav 06-02-2009 12:26 PM

freeradius ldap help required.
 
Hi Folks,

I need some help with freeradius and ldap.

I believe LDAP is running fine, as my squid is configured to use LDAP and the authentication is working fine. I can do a "passwd user" and it says "LDAP password information changed for user".

radtest is successful for any LDAP user.
When I do a NTRadPing I get an accept for any LDAP user with the appropriate CN. But when I try to connect from my MacBook or iPhone I get the following:

Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 4
rlm_eap: EAP packet type response id 0 length 11
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
users: Matched entry DEFAULT at line 171
modcall[authorize]: module "files" returns ok for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat: '(uid=testuser)'
radius_xlat: 'dc=test,dc=local'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=test,dc=local, with filter (uid=testuser)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 4
modcall: leaving group authorize (returns updated) for request 4
rad_check_password: Found Auth-Type EAP
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 4
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "ldap" returns invalid for request 4
modcall: leaving group LDAP (returns invalid) for request 4
auth: Failed to validate the user.
----------------------------------------
This is my first go at freeradius ldap and I would be very grateful for any help. Thanks in advance.

acid_kewpie 06-02-2009 12:37 PM

Well I would guess that it's the EAP method's use compared to what I would expect to be a CHAP or PAP method on your test tools. Can you show us a successful debug (with -xxx debug options) and some files... radiusd.conf, sites-enabled and the ldap module config (forget the exact file name offhand)

tssav 06-02-2009 12:59 PM

Hi Chris,
I appreciate your quick reply.
Below please find a successful debug from NTRadPing and a couple of files:

rad_recv: Access-Request packet from host 192.168.1.32:1552, id=2, length=46
User-Name = "thomas"
User-Password = "thomas"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '@' in User-Name = "thomas", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 6
modcall[authorize]: module "files" returns notfound for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for thomas
radius_xlat: '(uid=thomas)'
radius_xlat: 'dc=test,dc=local'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=test,dc=local, with filter (uid=thomas)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user thomas authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 6
modcall: leaving group authorize (returns ok) for request 6
rad_check_password: Found Auth-Type ldap
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 6
rlm_ldap: - authenticate
rlm_ldap: login attempt by "thomas" with password "thomas"
rlm_ldap: user DN: cn=Thomas Surname,ou=Users,dc=test,dc=local
rlm_ldap: (re)connect to 192.168.1.254:389, authentication 1
rlm_ldap: bind as cn=Thomas Surname,ou=Users,dc=test,dc=local/thomas to 192.168.1.254:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user thomas authenticated succesfully
modcall[authenticate]: module "ldap" returns ok for request 6
modcall: leaving group LDAP (returns ok) for request 6
Sending Access-Accept of id 2 to 192.168.1.32 port 1552

---------------------------------------------------------------

radius.conf

modules {

pap {
encryption_scheme = crypt
}

# CHAP module
#
# To authenticate requests containing a CHAP-Password attribute.
#
chap {
authtype = CHAP
}

ldap {
server = "192.168.1.254"
identity = "cn=admin,dc=test,dc=local"
password = password
basedn = "dc=test,dc=local"
filter = "(posixAccount)(uid=%u))"
#filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"

# set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
# The StartTLS operation is supposed to be used with normal
# ldap connections instead of using ldaps (port 689) connections
start_tls = no

# tls_cacertfile = /path/to/cacert.pem
# tls_cacertdir = /path/to/ca/dir/
# tls_certfile = /path/to/radius.crt
# tls_keyfile = /path/to/radius.key
# tls_randfile = /path/to/rnd
# tls_require_cert = "demand"

# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
# access_attr = "dialupAccess"

# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap

ldap_connections_number = 5


}

authorize {
preprocess
MSCHAP
suffix
eap
files
ldap
}

authenticate {

Auth-Type MS-CHAP {
mschap
}
unix

Auth-Type LDAP {
ldap
}

#
# Allow EAP authentication.
eap

}
-----------------------------------------------------
users

#DEFAULT Auth-Type = LDAP
# Fall-Through = 1

tssav 06-04-2009 02:34 AM

Anyone???

acid_kewpie 06-05-2009 12:22 PM

In the first request you've missed the attribute dumps, so I can't see if User-Password is being provided by the client. Can you redo it?
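An added example (not from this thread or from the FreeRADIUS project) that triages the two radiusd debug excerpts posted above: it records whether a request was an EAP conversation, whether it carried a cleartext User-Password, which Auth-Type rad_check_password selected, and how the authenticate section ended, so the reason the LDAP bind cannot run for the Apple clients stands out. The sample lines are abridged copies of the thread's own output, embedded here as constructed input.

```python
import re

# Abridged lines from the failing (request 4) and successful (request 6)
# debug output in this thread; constructed sample input for the triage.
FAILED_EAP = """\
modcall: entering group authorize for request 4
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
rlm_ldap: user testuser authorized to use remote access
rad_check_password: Found Auth-Type EAP
modcall: entering group LDAP for request 4
rlm_ldap: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "ldap" returns invalid for request 4
auth: Failed to validate the user."""

OK_PAP = """\
User-Name = "thomas"
User-Password = "thomas"
rlm_eap: No EAP-Message, not doing EAP
rlm_ldap: Setting Auth-Type = ldap
rad_check_password: Found Auth-Type ldap
modcall: entering group LDAP for request 6
rlm_ldap: Bind was successful
modcall[authenticate]: module "ldap" returns ok for request 6
Sending Access-Accept of id 2 to 192.168.1.32 port 1552"""


def triage(debug_text):
    """Summarise one request: credentials seen, Auth-Type chosen,
    authenticate-section result and, if known, why it failed."""
    info = {"eap": False, "user_password": False, "auth_type": None,
            "authenticate": None, "reason": None}
    for line in debug_text.splitlines():
        s = line.strip()
        if s.startswith("rlm_eap:") and "not doing EAP" not in s:
            info["eap"] = True            # an EAP-Message was present
        elif s.startswith("User-Password ="):
            info["user_password"] = True  # cleartext password in the request
        elif (m := re.match(r"rad_check_password: Found Auth-Type (\S+)", s)):
            info["auth_type"] = m.group(1)
        elif (m := re.match(r'modcall\[authenticate\]: module "\w+" returns (\w+)', s)):
            info["authenticate"] = m.group(1)
        elif s.startswith('rlm_ldap: Attribute "User-Password" is required'):
            info["reason"] = "rlm_ldap bind authentication needs a cleartext User-Password"
    if info["eap"] and not info["user_password"] and info["authenticate"] != "ok":
        # EAP carries credentials inside the EAP conversation, not as User-Password
        info["reason"] = info["reason"] or "EAP request carries no User-Password"
    return info
```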
