freeradius ldap help required.
Hi Folks,
I need some help with freeradius and ldap. I believe LDAP is running fine, as my squid is configured to use LDAP and the authentication is working fine. I can do a "passwd user" and it says "LDAP password information changed for user". radtest is successful for any LDAP user. When I do an NTRadPing I get an accept for any LDAP user with the appropriate CN. But when I try to connect from my MacBook or iPhone I get the following:

Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 4
rlm_eap: EAP packet type response id 0 length 11
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
users: Matched entry DEFAULT at line 171
modcall[authorize]: module "files" returns ok for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat: '(uid=testuser)'
radius_xlat: 'dc=test,dc=local'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=test,dc=local, with filter (uid=testuser)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 4
modcall: leaving group authorize (returns updated) for request 4
rad_check_password: Found Auth-Type EAP
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 4
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "ldap" returns invalid for request 4
modcall: leaving group LDAP (returns invalid) for request 4
auth: Failed to validate the user.
----------------------------------------

This is my first go at freeradius ldap and I would be very grateful for any help. Thanks in advance.
Well, I would guess that it's the EAP method's use compared to what I would expect to be a CHAP or PAP method on your test tools. Can you show us a successful debug (with -xxx debug options) and some files... radiusd.conf, sites-enabled and the ldap module config (I forget the exact file name offhand).
Hi Chris,
I appreciate your quick reply. Below please find a successful debug from NTRadPing and a couple of files:

rad_recv: Access-Request packet from host 192.168.1.32:1552, id=2, length=46
	User-Name = "thomas"
	User-Password = "thomas"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '@' in User-Name = "thomas", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 6
modcall[authorize]: module "files" returns notfound for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for thomas
radius_xlat: '(uid=thomas)'
radius_xlat: 'dc=test,dc=local'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=test,dc=local, with filter (uid=thomas)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user thomas authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 6
modcall: leaving group authorize (returns ok) for request 6
rad_check_password: Found Auth-Type ldap
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 6
rlm_ldap: - authenticate
rlm_ldap: login attempt by "thomas" with password "thomas"
rlm_ldap: user DN: cn=Thomas Surname,ou=Users,dc=test,dc=local
rlm_ldap: (re)connect to 192.168.1.254:389, authentication 1
rlm_ldap: bind as cn=Thomas Surname,ou=Users,dc=test,dc=local/thomas to 192.168.1.254:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user thomas authenticated succesfully
modcall[authenticate]: module "ldap" returns ok for request 6
modcall: leaving group LDAP (returns ok) for request 6
Sending Access-Accept of id 2 to 192.168.1.32 port 1552
---------------------------------------------------------------

radiusd.conf

modules {
	pap {
		encryption_scheme = crypt
	}

	# CHAP module
	#
	# To authenticate requests containing a CHAP-Password attribute.
	#
	chap {
		authtype = CHAP
	}

	ldap {
		server = "192.168.1.254"
		identity = "cn=admin,dc=test,dc=local"
		password = password
		basedn = "dc=test,dc=local"
		filter = "(posixAccount)(uid=%u))"
		#filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
		base_filter = "(objectclass=radiusprofile)"

		# set this to 'yes' to use TLS encrypted connections
		# to the LDAP database by using the StartTLS extended
		# operation.
		# The StartTLS operation is supposed to be used with normal
		# ldap connections instead of using ldaps (port 689) connections
		start_tls = no

		# tls_cacertfile = /path/to/cacert.pem
		# tls_cacertdir = /path/to/ca/dir/
		# tls_certfile = /path/to/radius.crt
		# tls_keyfile = /path/to/radius.key
		# tls_randfile = /path/to/rnd
		# tls_require_cert = "demand"

		# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
		# profile_attribute = "radiusProfileDn"
		# access_attr = "dialupAccess"

		# Mapping of RADIUS dictionary attributes to LDAP
		# directory attributes.
		dictionary_mapping = ${raddbdir}/ldap.attrmap
		ldap_connections_number = 5
	}
}

authorize {
	preprocess
	MSCHAP
	suffix
	eap
	files
	ldap
}

authenticate {
	Auth-Type MS-CHAP {
		mschap
	}
	unix
	Auth-Type LDAP {
		ldap
	}
	#
	# Allow EAP authentication.
	eap
}
-----------------------------------------------------

users

#DEFAULT Auth-Type = LDAP
#	Fall-Through = 1
Anyone???
In the first request you've missed the attribute dumps, so I can't see if User-Password is being provided by the client. Can you redo it?
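The two replies above turn on the same question: did the client's Access-Request carry a cleartext User-Password (PAP, as NTRadPing sends) or an EAP-Message, and which Auth-Type did radiusd then run? The following script is an added example, not code from the thread or from the FreeRADIUS project. It parses "radiusd -X" style debug output, reads the attribute dump after each "rad_recv:" line, and reports when an EAP request was handed to the rlm_ldap bind authentication that the failing trace shows. The sample trace is constructed: it is modelled on the two excerpts posted here, but the second request's packet id 7, host 192.168.1.40:49152 and EAP-Message bytes are made up.

```python
"""Classify FreeRADIUS debug output per Access-Request.

Constructed sample, modelled on the thread's two traces: a PAP request
that binds to LDAP successfully, and an EAP request that reaches rlm_ldap
without a User-Password attribute. Message formats follow FreeRADIUS
1.x/2.x debug output, where the attribute dump after "rad_recv:" is
tab-indented. The packet id 7, the second host and the EAP-Message hex
are invented for the example.
"""
import re
from dataclasses import dataclass

SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 192.168.1.32:1552, id=2, length=46
\tUser-Name = "thomas"
\tUser-Password = "thomas"
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 6
rlm_ldap: Setting Auth-Type = ldap
rad_check_password: Found Auth-Type ldap
rlm_ldap: Bind was successful
Sending Access-Accept of id 2 to 192.168.1.32 port 1552
rad_recv: Access-Request packet from host 192.168.1.40:49152, id=7, length=120
\tUser-Name = "testuser"
\tEAP-Message = 0x0200000d017465737475736572
rlm_eap: EAP packet type response id 0 length 13
modcall[authorize]: module "eap" returns updated for request 4
rad_check_password: Found Auth-Type EAP
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "ldap" returns invalid for request 4
auth: Failed to validate the user.
"""

RAD_RECV = re.compile(r"^rad_recv: Access-Request packet from host \S+, id=(\d+)")
ATTR = re.compile(r"^\t(\S+) = ")  # attribute dump lines are tab-indented


@dataclass
class RequestTrace:
    packet_id: str
    has_user_password: bool = False   # cleartext password in the request (PAP)
    has_eap: bool = False             # EAP-Message attribute or rlm_eap activity
    auth_type: str = ""               # value printed by rad_check_password
    ldap_wanted_password: bool = False
    outcome: str = "unknown"          # accept / reject / unknown


def split_requests(text):
    """Return one list of lines per Access-Request, split on rad_recv: lines."""
    blocks, current = [], []
    for line in text.splitlines():
        if RAD_RECV.match(line) and current:
            blocks.append(current)
            current = []
        current.append(line)
    if current:
        blocks.append(current)
    return blocks


def parse_request(lines):
    """Extract the facts that decide whether an LDAP bind can run."""
    m = RAD_RECV.match(lines[0])
    trace = RequestTrace(packet_id=m.group(1) if m else "?")
    for line in lines:
        attr = ATTR.match(line)
        if attr:
            if attr.group(1) == "User-Password":
                trace.has_user_password = True
            elif attr.group(1) == "EAP-Message":
                trace.has_eap = True
        elif line.startswith("rlm_eap: EAP packet type response"):
            trace.has_eap = True
        elif line.startswith("rad_check_password: Found Auth-Type "):
            trace.auth_type = line.rsplit(" ", 1)[1]
        elif line.startswith('rlm_ldap: Attribute "User-Password" is required'):
            trace.ldap_wanted_password = True
        elif line.startswith("Sending Access-Accept"):
            trace.outcome = "accept"
        elif line.startswith(("Sending Access-Reject", "auth: Failed to validate")):
            trace.outcome = "reject"
    return trace


def diagnose(trace):
    """Name the failure class; rlm_ldap authenticates by binding with the
    cleartext User-Password, which an EAP request does not carry."""
    if trace.ldap_wanted_password and trace.has_eap and not trace.has_user_password:
        return "eap-to-ldap-bind"
    if trace.ldap_wanted_password:
        return "no-user-password"
    if trace.outcome == "accept":
        return "ok"
    return "other-failure" if trace.outcome == "reject" else "incomplete"


def analyze(text):
    """(packet id, Auth-Type, diagnosis) for every request in the debug text."""
    return [(t.packet_id, t.auth_type, diagnose(t))
            for t in map(parse_request, split_requests(text))]


if __name__ == "__main__":
    for packet_id, auth_type, verdict in analyze(SAMPLE_DEBUG):
        print(f"packet id={packet_id:>3}  Auth-Type={auth_type:<5}  {verdict}")
```

Run it against a real capture by piping `radiusd -X` output into a file and passing that file's contents to `analyze()`; a verdict of `eap-to-ldap-bind` is the signature of the failing trace in the first post, while a PAP request from NTRadPing comes back `ok`.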