Hello,

Thanks for the quick response. Please note I am "using SASL on my LDAP". If I create a user in the LDAP server itself (e.g. 101821), I am able to authenticate the user (please see debug output "1"). I am facing the problem only for those users for whom I am using the SASL mechanism for userPassword (please see debug output "2").

Debug output "1"

rad_recv: Access-Request packet from host 10.168.109.120 port 57709, id=24, length=58
        User-Name = "101821"
        User-Password = "q"
        NAS-IP-Address = 10.1.109.120
        NAS-Port = 0
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "101821", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[smbpasswd] returns notfound
[ldap] performing user authorization for 101821
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> 101821
[ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=101821)
[ldap] expand: ou=Users,dc=cdac,dc=in -> ou=Users,dc=cdac,dc=in
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=Users,dc=cdac,dc=in, with filter (uid=101821)
request done: ld 0x126be520 msgid 4
[ldap] Added User-Password = q in check items
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user 101821 authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "q"
[pap] Using clear text password "q"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 24 to 10.168.109.120 port 57709
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 24 with timestamp +854
Ready to process requests.
Debug output "2"

rad_recv: Access-Request packet from host 10.168.109.120 port 54218, id=100, length=58
        User-Name = "105900"
        User-Password = "sbt"
        NAS-IP-Address = 10.1.109.120
        NAS-Port = 0
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "105900", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[smbpasswd] returns notfound
[ldap] performing user authorization for 105900
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> 105900
[ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=105900)
[ldap] expand: ou=Users,dc=cdac,dc=in -> ou=Users,dc=cdac,dc=in
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=Users,dc=cdac,dc=in, with filter (uid=105900)
request done: ld 0x126be520 msgid 3
[ldap] Added User-Password = {SASL}suresht in check items
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user 105900 authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "sbt"
[pap] Using clear text password "{SASL}suresht"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> 105900
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 100 to 10.168.109.120 port 54218
Waking up in 4.9 seconds.
Cleaning up request 1 ID 100 with timestamp +106
Ready to process requests.

Regards
Vijay

On January 17, 2012 at 5:35 PM Phil Mayers <p.may...@imperial.ac.uk> wrote:
> On 17/01/12 11:55, vijay t wrote:
> > My LDAP server uses SASL mechanism for authenticating uid/username
> > against userPassword. How can I integrate this LDAP server with
> > FreeRADIUS server and what configuration needs to be changed? On
> > debug, my radius server shows following error. Kindly suggest
>
> Read this:
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
> And this:
>
> http://deployingradius.com/documents/protocols/oracles.html
>
> Short version: if you need to use "LDAP BIND", you can only support PAP
> authentication.
>
> > [ldap] expand: %{User-Name} -> google
> > [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=google)
> > [ldap] expand: ou=Users,dc=cdac,dc=in -> ou=Users,dc=cdac,dc=in
> > [ldap] ldap_get_conn: Checking Id: 0
> > [ldap] ldap_get_conn: Got Id: 0
> > [ldap] performing search in ou=Users,dc=cdac,dc=in, with filter (uid=google)
> > request done: ld 0x748c7d0 msgid 9
> > [ldap] object not found
> > [ldap] search failed
>
> Your first problem is that the LDAP Search has failed. Fix your LDAP
> search filter, or ensure the user exists.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
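As an added illustration (not FreeRADIUS code and not from either poster), the small dispatch below shows why debug output "2" rejects: pap can only compare the password it was sent against a cleartext or hashed userPassword it has read from the directory, while a value such as "{SASL}suresht" is OpenLDAP's pass-through marker naming a SASL identity and carries no secret, so the only thing a RADIUS server can do with it is bind to LDAP as the user (which, as Phil notes, limits you to PAP). The function names, the outcome strings and the SSHA sample values are assumptions constructed for this example.

```python
# Added example: how a RADIUS server can decide whether a userPassword
# value is locally verifiable or requires an LDAP bind. Not rlm_pap code.
import base64
import hashlib
from typing import Optional, Tuple


def parse_scheme(stored: str) -> Tuple[str, str]:
    """Split an OpenLDAP userPassword into (scheme, payload).
    A value with no '{SCHEME}' prefix is stored in clear."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return "CLEARTEXT", stored


def make_ssha(password: str, salt: bytes) -> str:
    """Build an {SSHA} value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_ssha(payload: str, candidate: str) -> bool:
    raw = base64.b64decode(payload)
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    return hashlib.sha1(candidate.encode() + salt).digest() == digest


def local_verify(stored: str, candidate: str) -> Optional[bool]:
    """True/False when the server can decide on its own; None when the
    directory holds no secret ({SASL}) and a bind as the user is needed."""
    scheme, payload = parse_scheme(stored)
    if scheme == "CLEARTEXT":
        return payload == candidate           # what pap did with "q" vs "q"
    if scheme == "SSHA":
        return check_ssha(payload, candidate)
    if scheme == "SASL":
        return None                           # "suresht" is an identity, not a password
    raise ValueError(f"unsupported userPassword scheme {scheme}")


def decide(stored: str, candidate: str) -> str:
    """Outcome, phrased like the debug logs above (strings are assumed)."""
    result = local_verify(stored, candidate)
    if result is None:
        return "Auth-Type := LDAP (bind as the user; PAP only)"
    return "Access-Accept" if result else "Access-Reject (Passwords don't match)"
```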