LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 06-02-2009, 12:26 PM   #1
tssav
LQ Newbie
 
Registered: Jun 2009
Posts: 3

Rep: Reputation: 0
freeradius ldap help required.


Hi Folks,

I need some help with freeradius and ldap.

I believe LDAP is running fine. As I my squid is configure to use LDAP and the authentication is working fine. I can do a "passwd user" and it says "LDAP password information changed for user".

radtest is succesfull for any LDAP user.
When I do a NTRadPing I get an accept to any LDAP user with appropriate CN. But when I try to connect from my MACBook or iPhone I get the following:

Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 4
rlm_eap: EAP packet type response id 0 length 11
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
users: Matched entry DEFAULT at line 171
modcall[authorize]: module "files" returns ok for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat: '(uid=testuser)'
radius_xlat: 'dc=test,dc=local'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=test,dc=local, with filter (uid=testuser)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 4
modcall: leaving group authorize (returns updated) for request 4
rad_check_password: Found Auth-Type EAP
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 4
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "ldap" returns invalid for request 4
modcall: leaving group LDAP (returns invalid) for request 4
auth: Failed to validate the user.
----------------------------------------
This is my first go at freeradius ldap and I would be very greatful for any help. Thanks in advance.
 
Old 06-02-2009, 12:37 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,378

Rep: Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963
Well I would guess that it's the EAP method's use compared to what I would expect to be a CHAP or PAP method on your test tools. Can you show us a successful debug (with -xxx debug options) and some files... radiusd.conf, sites-enabled and the ldap module config (forget the exact file name offhand)

Last edited by acid_kewpie; 06-02-2009 at 12:38 PM.
 
Old 06-02-2009, 12:59 PM   #3
tssav
LQ Newbie
 
Registered: Jun 2009
Posts: 3

Original Poster
Rep: Reputation: 0
Hi Chris,
I appreciate your quick reply.
Below please find a successful debug from NTRadPing and couple files:

rad_recv: Access-Request packet from host 192.168.1.32:1552, id=2, length=46
User-Name = "thomas"
User-Password = "thomas"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '@' in User-Name = "thomas", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 6
modcall[authorize]: module "files" returns notfound for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for thomas
radius_xlat: '(uid=thomas)'
radius_xlat: 'dc=test,dc=local'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=test,dc=local, with filter (uid=thomas)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user thomas authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 6
modcall: leaving group authorize (returns ok) for request 6
rad_check_password: Found Auth-Type ldap
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 6
rlm_ldap: - authenticate
rlm_ldap: login attempt by "thomas" with password "thomas"
rlm_ldap: user DN: cn=Thomas Surname,ou=Users,dc=test,dc=local
rlm_ldap: (re)connect to 192.168.1.254:389, authentication 1
rlm_ldap: bind as cn=Thomas Surname,ou=Users,dc=test,dc=local/thomas to 192.168.1.254:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user thomas authenticated succesfully
modcall[authenticate]: module "ldap" returns ok for request 6
modcall: leaving group LDAP (returns ok) for request 6
Sending Access-Accept of id 2 to 192.168.1.32 port 1552

---------------------------------------------------------------

radius.conf

modules {

pap {
encryption_scheme = crypt
}

# CHAP module
#
# To authenticate requests containing a CHAP-Password attribute.
#
chap {
authtype = CHAP
}

ldap {
server = "192.168.1.254"
identity = "cn=admin,dc=test,dc=local"
password = password
basedn = "dc=test,dc=local"
filter = "(posixAccount)(uid=%u))"
#filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"

# set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
# The StartTLS operation is supposed to be used with normal
# ldap connections instead of using ldaps (port 689) connections
start_tls = no

# tls_cacertfile = /path/to/cacert.pem
# tls_cacertdir = /path/to/ca/dir/
# tls_certfile = /path/to/radius.crt
# tls_keyfile = /path/to/radius.key
# tls_randfile = /path/to/rnd
# tls_require_cert = "demand"

# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
# access_attr = "dialupAccess"

# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap

ldap_connections_number = 5


}

authorize {
preprocess
MSCHAP
suffix
eap
files
ldap
}

authenticate {

Auth-Type MS-CHAP {
mschap
}
unix

Auth-Type LDAP {
ldap
}

#
# Allow EAP authentication.
eap

}
-----------------------------------------------------
users

#DEFAULT Auth-Type = LDAP
# Fall-Through = 1
 
Old 06-04-2009, 02:34 AM   #4
tssav
LQ Newbie
 
Registered: Jun 2009
Posts: 3

Original Poster
Rep: Reputation: 0
Anyone???
 
Old 06-05-2009, 12:22 PM   #5
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,378

Rep: Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963
In the first request you've missed to attribute dumps, so I can't see if User-Password is being provided by the client. Can you redo it?
 
  


Reply

Tags
freeradius, ldap


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
FreeRadius Server Configuration and Integration with LDAP help required swati_sharma Linux - Newbie 3 10-06-2008 03:09 PM
FreeRadius Server Configuration and Integration with LDAP help required swati_sharma Linux - Server 3 10-06-2008 03:07 PM
FreeRadius Server Configuration and Integration with LDAP help required swati_sharma Linux - Server 2 10-06-2008 03:04 PM
FreeRadius Server Configuration and Integration with LDAP help required swati_sharma Linux - Networking 3 10-06-2008 03:01 PM


All times are GMT -5. The time now is 09:20 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration