/* In the client terminal, I have now tried to authenticate as user ldapuser:
[<user>@<host> ~]# radtest ldapuser ldapuser localhost 2 testing123
Sending Access-Request of id 119 to 127.0.0.1 port 1812
User-Name = "ldapuser"
User-Password = "ldapuser"
NAS-IP-Address = 255.255.255.255
NAS-Port = 2
// On the server side, the debug output for the ldapuser authentication request:
rad_recv: Access-Request packet from host 127.0.0.1:32769, id=119, length=60
User-Name = "ldapuser"
User-Password = "ldapuser"
NAS-IP-Address = 255.255.255.255
NAS-Port = 2
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/usr/local//var/log/radius/radacct/127.0.0.1/auth-detail-20060403'
rlm_detail: /usr/local//var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local//var/log/radius/radacct/127.0.0.1/auth-detail-20060403
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "ldapuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 158
modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ldapuser
radius_xlat: '(uid=ldapuser)'
radius_xlat: 'ou=People,dc=example,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=ldapuser)
rlm_ldap: Added password {crypt}$1$nwby/I64$ORzJuBh4/Ec3c.FAt2oqV0 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user ldapuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "ldapuser" with password "ldapuser"
rlm_ldap: user DN: uid=ldapuser,ou=People,dc=example,dc=com
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=ldapuser,ou=People,dc=example,dc=com/ldapuser to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
modcall[authenticate]: module "ldap" returns reject for request 0
modcall: leaving group LDAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect (rlm_ldap: Bind as user failed): [ldapuser] (from client localhost port 2)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 119 to 127.0.0.1 port 32769
Waking up in 4 seconds...
// THE CONFIGURATION DETAILS REQUIRED FOR RLM_LDAP AUTHENTICATION ARE BELOW
/* example.com.ldif (base entries added to LDAP database)
Dn: dc=example,dc=com
Objectclass: dcObject
Objectclass : organization
o: Example company
dc: example
dn: cn=manager,dc=example,dc=com
objectclass: organizationalRole
cn: manager
dn: ou=people,dc=example,dc=com
ou: people
description: All people in the organization
objectClass: dcObject
objectClass: organizationalUnit
dc: example
/* ldapuser.ldif (details of the user account, added to the LDAP database for authentication) */
dn: uid=ldapuser,ou=People,dc=example,dc=com
uid: ldapuser
cn: ldapuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$nwby/I64$ORzJuBh4/Ec3c.FAt2oqV0
shadowLastChange: 13238
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 503
gidNumber: 100
homeDirectory: /home/ldapuser
/* radiusd.conf (LDAP MODULE)
ldap {
# rlm_ldap instance referenced by the authorize and authenticate sections.
# Comments marked NOTE(review) describe what the debug trace above shows.
server = "localhost"
# identity/password are commented out, so the authorize-stage search is done
# over an anonymous bind (trace: 'bind as / to localhost:389').
# identity = "cn=admin,o=My Org,c=UA"
# password = mypass
basedn = "ou=People,dc=example,dc=com"
# Attribute copied into the check items during authorize. The trace shows the
# {crypt} hash being added, i.e. the anonymous bind above can read userPassword;
# consider restricting that in slapd's ACLs if the directory is shared.
password_attribute = "userPassword"
# Lookup filter: Stripped-User-Name when a realm was matched, else User-Name.
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
# base_filter = "(objectclass=radiusprofile)"
# No STARTTLS, so the authenticate-stage bind sends the user's clear-text
# password over the LDAP connection. Acceptable only while server is localhost;
# set start_tls = yes and the tls_* options before using a remote directory.
start_tls = no
# tls_cacertfile = /path/to/cacert.pem
# tls_cacertdir = /path/to/ca/dir/
# tls_certfile = /path/to/radius.crt
# tls_keyfile = /path/to/radius.key
# tls_randfile = /path/to/rnd
# tls_require_cert = "demand"
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
# access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap
# Connection pool size and timeouts in seconds; see the rlm_ldap
# documentation for which LDAP operation each timeout applies to.
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
# NOTE(review): radiusd in debug mode prints the clear-text User-Password on the
# 'login attempt by' line; treat debug transcripts as sensitive before sharing.
}
authorize {
# Modules consulted in order for every Access-Request. This paste omits the
# preprocess, auth_log and suffix entries that the trace shows running first,
# so the section appears abridged.
# chap/mschap/eap all returned noop in the trace: a PAP request, no EAP-Message.
chap
mschap
eap
# 'users' file; the trace matched two DEFAULT entries (lines 152 and 158),
# presumably where Auth-Type := LDAP is set -- confirm in the users file.
files
# rlm_ldap authorize: anonymous search under basedn, copies userPassword
# into the check items.
ldap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
Unix
# Auth-Type LDAP makes rlm_ldap re-bind to the directory as the user's own DN
# with the clear-text password (trace: 'bind as uid=ldapuser,...'); the reject
# above came from that bind failing with invalid credentials. Since authorize
# already fetched the {crypt} hash into the check items, the alternative is to
# not force Auth-Type LDAP and let PAP compare the hash -- TODO confirm which
# is intended, and verify the stored userPassword matches what the user types.
Auth-Type LDAP {
ldap
}
# NOTE(review): the closing brace of the authenticate section is missing from the paste.
/* slapd.conf (LDAP server configuration)
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
# nis.schema provides the posixAccount/shadowAccount classes used by ldapuser.ldif.
include /usr/local/etc/openldap/schema/nis.schema
pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args
#######################################################################
# ldbm database definitions
#######################################################################
database bdb
suffix "dc=example,dc=com"
rootdn "cn=manager,dc=example,dc=com"
# rootpw is stored as an SSHA hash rather than clear text.
rootpw {SSHA}Rt9x/xGxM5e8+RpKbvTCWYT8POUEaKwA
# NOTE(review): no 'access to' directives appear in this paste, and the RADIUS
# trace shows an anonymous bind reading userPassword. If that is the real
# config, add an ACL limiting userPassword to auth/self (and give rlm_ldap a
# bind identity) before exposing the directory beyond localhost.
# Indices to maintain
index cn,sn,uid pres,eq,approx,sub
index objectClass eq