Hi,

Comments inlined.

On Tue, 2005-07-12 at 11:15 -0700, [EMAIL PROTECTED] wrote:
> I apologize in advance, but I am new to FreeRADIUS and RADIUS in general.
>
> Here is my setup:
> - Server with FreeRADIUS 1.0.4 --with-edir on FreeBSD 4.11
> - Server with NetWare 6.5.4
>
> Here is what I am trying to accomplish:
> - Get FreeRADIUS to authenticate VPN users (Cisco VPN Concentrator) to LDAP
> database in NetWare tree.
>
> Here is what I DON'T want to do:
> - Mess with eDirectory (profiles, extending the schema, etc.)
>
> Basically, when this configuration is moved into production, FreeRADIUS would
> authenticate users whose IDs already exist in a complex, mature NetWare eDir tree.
> I don't want to mess with Universal Passwords, extending the schema, etc. I
> have already successfully configured the Cisco VPN Concentrator to authenticate
> users using FreeRADIUS and the UNIX users list. However, I can't get FreeRADIUS
> to successfully query the LDAP database on the NetWare server.
>
> I have been through Novell's documentation, but their docs include building
> RADIUS profiles, extending the schema, etc. This is something that I am not
> going to be able to do. I have also been up and down the web, FreeRADIUS mail
> lists, docs, etc. I have found threads where it is mentioned that you can get
> FreeRADIUS to authenticate users to a NetWare LDAP directory using cleartext,
> but I have not been able to do this myself.
>
> I would like to take this in stages:
> 1. Successfully query LDAP without security (with the assumption that this would
> be the easiest first step).

The debug output shows that FreeRADIUS is already doing this.

> 2. Get FreeRADIUS to query LDAP securely.

This also can be configured.

>
> Below you will find the following:
> - Text from radiusd.conf file
> - Output from radiusd -X
> - Text from radius.log file
>
<- Snipped....
> # Lightweight Directory Access Protocol (LDAP)
> #
> # This module definition allows you to use LDAP for
> # authorization and authentication (Auth-Type := LDAP)
> #
> # See doc/rlm_ldap for description of configuration options
> # and sample authorize{} and authenticate{} blocks
> ldap {
> server = "10.1.1.71"
> identity = "cn=admin,o=radius"
> password = pass
> basedn = "o=radius"
> filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> base_filter = "(objectclass=radiusprofile)"
>
> # set this to 'yes' to use TLS encrypted connections
> # to the LDAP database by using the StartTLS extended
> # operation.
> # The StartTLS operation is supposed to be used with normal
> # ldap connections instead of using ldaps (port 689) connections
> start_tls = no

Set start_tls = yes to make a secure connection to eDirectory.

>
> # tls_cacertfile = /path/to/cacert.pem

Set the path to the eDirectory CA cert here.

> # tls_cacertdir = /path/to/ca/dir/
> # tls_certfile = /path/to/radius.crt
> # tls_keyfile = /path/to/radius.key
> # tls_randfile = /path/to/rnd
> # tls_require_cert = "demand"
>
> # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
> # profile_attribute = "radiusProfileDn"
> # access_attr = "dialupAccess"
>
> # Mapping of RADIUS dictionary attributes to LDAP
> # directory attributes.
> dictionary_mapping = ${raddbdir}/ldap.attrmap
>
> ldap_connections_number = 5
>
> #
> # NOTICE: The password_header directive is NOT case insensitive
> #
> # password_header = "{clear}"
> #
> # Set:
> password_attribute = nspmPassword

Set password_attribute to anything other than nspmPassword, or comment out this attribute. This will make sure FreeRADIUS does not try to read the Universal Password.

> #
> # to get the user's password from a Novell eDirectory
> # backend. This will work *only if* freeRADIUS is
> # configured to build with --with-edir option.
> #
> #
> # The server can usually figure this out on its own, and pull
> # the correct User-Password or NT-Password from the database.
> #
> # Note that NT-Passwords MUST be stored as a 32-digit hex
> # string, and MUST start off with "0x", such as:
> #
> # 0x000102030405060708090a0b0c0d0e0f
> #
> # Without the leading "0x", NT-Passwords will not work.
> # This goes for NT-Passwords stored in SQL, too.
> #
> # password_attribute = userPassword
> #
> # Un-comment the following to disable Novell eDirectory account
> # policy check and intruder detection. This will work *only if*
> # FreeRADIUS is configured to build with --with-edir option.
> #
> edir_account_policy_check=yes
> #
> # groupname_attribute = cn
> # groupmembership_filter =
> "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
> # groupmembership_attribute = radiusGroupName
> timeout = 4
> timelimit = 3
> net_timeout = 1
> # compare_check_items = yes
> # do_xlat = yes
> # access_attr_used_for_allow = yes
> }
>
<-Snipped....
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1:2302, id=75, length=57
> User-Name = "admin"
> User-Password = "pass"
> NAS-IP-Address = 255.255.255.255
> NAS-Port = 10
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> modcall[authorize]: module "chap" returns noop for request 0
> modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: No '@' in User-Name = "admin", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 0
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 0
> users: Matched entry DEFAULT at line 152
> modcall[authorize]: module "files" returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for admin
> radius_xlat: '(uid=admin)'
> radius_xlat: 'o=radius'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 10.1.1.71:389, authentication 0
> rlm_ldap: bind as cn=admin,o=radius/pass to 10.1.1.71:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in o=radius, with filter (uid=admin)

As you can see, FreeRADIUS is already querying eDirectory for user information.

> rlm_ldap: Error reading Universal Password.Return Code = 80

See comments on password_attribute.

> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user admin authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for request 0
> modcall: group authorize returns ok for request 0
> rad_check_password: Found Auth-Type System

The Auth-Type is set to System. I reckon this is done by one of the default entries in the users file.
What is the authentication mechanism you want to use? If you want to use authentication methods like CHAP, MS-CHAP, EAP etc. you will have to enable Universal Password. However, if you just want to authenticate against eDirectory with a plain text password then you need not read Universal Password. You must enable the ldap module in the authenticate section.

> auth: type "System"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> modcall[authenticate]: module "unix" returns notfound for request 0
> modcall: group authenticate returns notfound for request 0
> auth: Failed to validate the user.
> Processing the post-auth section of radiusd.conf
> modcall: entering group Post-Auth-Type for request 0
> modcall[post-auth]: module "ldap" returns noop for request 0
> modcall: group Post-Auth-Type returns noop for request 0
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 75 to 127.0.0.1:2302
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 75 with timestamp 42d39d5d
> Nothing to do. Sleeping until we see a request.
> -----END RADIUSD DEBUG-----
>
> The line that I find disturbing is the "error reading Universal Password" line.
> I assume that I must edit my config in some way so that FreeRADIUS is not
> attempting to read a Universal Password, or somehow tells NLDAP not to send a
> Universal Password.
Hope this helps. Get back to me in case you have any further queries.

-Sayantan.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
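As an added example (not part of this thread and not FreeRADIUS code), the following Python script parses the ldap { } block of a radiusd.conf and flags the three settings the reply above discusses: start_tls = no, start_tls = yes without a CA certificate to verify the server, and password_attribute = nspmPassword while Universal Password is not enabled. The sample block is constructed from the configuration quoted in the thread; the function and check names are the script's own.

```python
import re

# Constructed sample: the relevant lines of the ldap { } block quoted in the thread.
SAMPLE_CONF = """\
ldap {
    server = "10.1.1.71"
    identity = "cn=admin,o=radius"
    basedn = "o=radius"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    # set this to 'yes' to use TLS encrypted connections
    start_tls = no
    # tls_cacertfile = /path/to/cacert.pem
    password_attribute = nspmPassword
    edir_account_policy_check=yes
}
"""

def parse_ldap_block(conf_text):
    """Return the active (uncommented) key = value settings inside ldap { ... }."""
    settings = {}
    in_block = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding whitespace
        if not line:
            continue
        if not in_block:                         # skip everything before 'ldap {'
            in_block = re.match(r"ldap\s*\{", line) is not None
            continue
        if line == "}":                          # end of the ldap block
            break
        key, sep, value = line.partition("=")    # split on the first '=' only
        if sep:
            settings[key.strip()] = value.strip().strip('"')
    return settings

def check_ldap_settings(settings, universal_password_enabled=False):
    """Apply the checks from the thread; returns a list of findings (empty means clean)."""
    findings = []
    if settings.get("start_tls", "no").lower() != "yes":
        findings.append("start_tls is not 'yes': bind password and user passwords cross the wire in cleartext")
    elif not ("tls_cacertfile" in settings or "tls_cacertdir" in settings):
        findings.append("start_tls = yes but no tls_cacertfile/tls_cacertdir: server certificate cannot be verified")
    if settings.get("password_attribute") == "nspmPassword" and not universal_password_enabled:
        findings.append("password_attribute = nspmPassword without Universal Password: expect 'Error reading Universal Password'")
    return findings

if __name__ == "__main__":
    for finding in check_ldap_settings(parse_ldap_block(SAMPLE_CONF)):
        print("FINDING:", finding)
```

Run it against a real radiusd.conf by reading the file into parse_ldap_block(); pass universal_password_enabled=True only if Universal Password is actually enabled in the eDirectory tree.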