I'm currently doing a bit of battle with FreeRadius rlm_ldap. I'm not quite sure where my problems lie, so I figured I'd ask the list.
Background:
New OpenLDAP install with what seemed to be working entries for qmail-ldap/pop3/courier-imap-ldap to be happy but I'm afraid I'm missing something for FreeRadius that I can't quite nail down.
Sample LDIF for a user (with qmail specifics left in):
dn: [EMAIL PROTECTED],o=MyNet Networks,c=US userPassword: {CRYPT}SNOUEr6lAxJJg cn: Joe Mamma sn: Mamma objectClass: top objectClass: person objectClass: qmailuser mailHost: testbox.mynet.net mailMessageStore: /maildirs/joe/ uid: joe uid: [EMAIL PROTECTED] accountStatus: active qmailDotMode: ldaponly mailQuotaSize: 100000000 mailQuotaCount: 10000 mail: [EMAIL PROTECTED] mailAlternateAddress: [EMAIL PROTECTED]
FreeRadius 0.9.3 (not out of ports, obviously) , FreeBSD 4.9.
radiusd.conf:
basedn = "o=MyNet Networks,c=US" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
radiusd -X -A with a ./radtest joe test localhost 0 secret (test is CRYPTed in the LDIF)
I have auth failure show up in radius debug:
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 127.0.0.1:3453, id=12, length=55
User-Name = "joe"
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "eap" returns noop for request 1
rlm_realm: No '@' in User-Name = "joe", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 1
modcall[authorize]: module "mschap" returns noop for request 1
modcall: group authorize returns ok for request 1
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group Auth-Type for request 1
rlm_ldap: - authenticate
rlm_ldap: login attempt by "joe" with password "test"
radius_xlat: '(uid=joe)'
radius_xlat: 'o=MyNet Networks,c=US'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=MyNet Networks,c=US, with filter (uid=joe)
ldap_release_conn: Release Id: 0
rlm_ldap: user DN: [EMAIL PROTECTED],o=MyNet Networks,c=US
rlm_ldap: (re)connect to lance.mynet.net:389, authentication 1
rlm_ldap: bind as [EMAIL PROTECTED],o=MyNet Networks,c=US/test to lance.mynet.net:389
rlm_ldap: waiting for bind result ...
modcall[authenticate]: module "ldap" returns reject for request 1
modcall: group Auth-Type returns reject for request 1
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 12 to 127.0.0.1:3453
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 12 with timestamp 4004b280
Nothing to do. Sleeping until we see a request.
After some thought, I changed my crypt in the LDIF to something else, first SSHA, and then MD5, and all of a sudden
auth worked (with both). Clearly I have a probem with CRYPT...
The only hint is in configure output:
checking for crypt.h... no checking whether crypt must be declared... no checking for crypt in -lcrypt... yes
This seems like everything is ok, but, clearly it isn't..
It wouldn't be a big deal, except I have many crypt'd PW's I'd intended on migrating into my directory that I would like radius to auth against.
This may be better off in a FBSD list, but, I thought I'd ask here since I hadn't yet encountered the problem with any other
app i've been working with (except quite probably pam_ldap).
Thanks!
Joe
-- Joe Hetrick: jhetrick(at)avalon.net | Systems Admin Avalon Networks Inc. perl -e 'print pack("H*","6a6865747269636b406176616c6f6e2e6e6574")' Your Excuse is: Root name servers corrupted.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html