Markus Krause wrote:
Zitat von David W Bell <[EMAIL PROTECTED]>:
LDAP is installed and working out of the box, having been set to be
used for authenication during the SUSE install.
This is proven by the ability to log in to the box, both locally and
via SSH
I installed freeRADIUS from the latest source and it is working also.
freeRADIUS seems unable to find a password for the user during
Authenication.
I issue the following on my workstation
[EMAIL PROTECTED]:~$ echo "User-Name = belld,Password=p455w0rd" |
radclient 212.95.255.242:1812 auth testing
Received response ID 99, code 3, length = 20
And see the following from freeRADIUS Listening on authentication
address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 212.95.252.25 port 20758,
id=99, length=45
User-Name = "belld"
User-Password = "p455w0rd"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "belld", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for belld
WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
expand: dc=dxi,dc=net -> dc=dxi,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to
localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that
the user is configured correctly?
rlm_ldap: user belld authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> belld
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 99 to 212.95.252.25 port 20758
Waking up in 4.9 seconds.
What I cant work out is whether this is due to an LDAP or a RADIUS
config problem.
what is the result of the following commands (using a terminal):
ldapsearch -x -h localhost -b "dc=dxi,dc=net" uid=belld
ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D
"cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld
if they (especially the latter) do not return a value for the field
"userPassword" the problem is on the LDAP side.
markus
----------------------------------------------------------------------
This message was sent using https://webmail.biochem.mpg.de
If you encounter any problems please report to [EMAIL PROTECTED]
------------------------------------------------------------------------
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks Markus.
I thought of that - and had done the 1st search and HAD noticed there
was no LDAP password set
# extended LDIF
#
# LDAPv3
# base <dc=dxi,dc=net> with scope subtree
# filter: uid=belld
# requesting: ALL
#
# belld, people, dxi.net
dn: uid=belld,ou=people,dc=dxi,dc=net
cn: David Bell
gidNumber: 100
givenName: David
homeDirectory: /home/belld
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
shadowInactive: -1
shadowMax: 99999
shadowMin: 0
shadowWarning: 7
sn: Bell
uid: belld
uidNumber: 1000
shadowLastChange: 13920
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[EMAIL PROTECTED]:~>
I thought this was because LDAP was handing that aspect over to
something else but your second command shows a password.
[EMAIL PROTECTED]:~> ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D
"cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld
# extended LDIF
#
# LDAPv3
# base <dc=dxi,dc=net> with scope subtree
# filter: uid=belld
# requesting: ALL
#
# belld, people, dxi.net
dn: uid=belld,ou=people,dc=dxi,dc=net
cn: David Bell
gidNumber: 100
givenName: David
homeDirectory: /home/belld
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
shadowInactive: -1
shadowMax: 99999
shadowMin: 0
shadowWarning: 7
sn: Bell
uid: belld
uidNumber: 1000
userPassword:: e2NyeXB0fWUvMmlHZW9tWXJHTG8=
shadowLastChange: 13920
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[EMAIL PROTECTED]:~>
Any further thoughts?
David
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
