Hi all
I have an issue where i'm trying to use realms to determine what LDAP
server to authenticate a user against. What seems to happen is that the
realm in my users file is never matched and hence the authentication
fails. Any help would be greatly appreciated.
My users file is -
DEFAULT Realm == "NULL", Auth-Type := ldap-default, Autz-Type :=
ldap-default
DEFAULT Realm == "test.com", Auth-Type :=test.com, Autz-Type := test.com
DEFAULT Auth-Type := Reject
my proxy.conf has the following -
realm test.com {
type = radius
authhost= LOCAL
accthost= LOCAL
nostrip
}
realm NULL {
type= radius
authhost= LOCAL
accthost= LOCAL
}
realm LOCAL {
type= radius
authhost= LOCAL
accthost= LOCAL
}
The radius.conf is -
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = /etc/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run
log_file = ${logdir}/radiusd.log
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
libdir = /usr/lib/freeradius
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 256
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes
log_stripped_names = yes
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp= no
thread pool {
start_servers = 1
max_servers = 4
min_spare_servers = 1
max_spare_servers = 3
max_requests_per_server = 0
}
modules {
pap {
#auto_header = yes
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
$INCLUDE ${confdir}/eap.conf
mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
authtype = MS-CHAP
# with_ntdomain_hack = yes
}
files {
usersfile = ${confdir}/users
compat = no
}
### Added
ldap test.com {
server = "ldap1.test.com"
#port = 389
port = 636
identity = "cn="
password = "xxx"
basedn = "o=xxx"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
tls_mode= yes
tls_cacertfile = /etc/raddb/certs/cert.b64
tls_cacertdir = /etc/raddb/certs/
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
edir_account_policy_check=no
timeout = 4
timelimit = 3
net_timeout = 1
set_auth_type = yes
password_attribute = nspmPassword
}
ldap ldap-default {
server = "ldap1.test.com"
#port = 389
port = 636
identity = "cn=xxxl"
password = "xxx"
basedn = "o=xxx"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
tls_mode= yes
tls_cacertfile = /etc/raddb/certs/cert.b64
tls_cacertdir = /etc/raddb/certs/
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
edir_account_policy_check=no
timeout = 4
timelimit = 3
net_timeout = 1
set_auth_type = yes
password_attribute = nspmPassword
}
### //
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
### Added
Auth-Type test.com {
test.com
}
Auth-Type ldap-default {
ldap-default
}
### //
eap
}
authorize {
chap
mschap
eap
files
### Added
Autz-Type test.com {
test.com
}
Autz-Type ldap-default {
ldap-default
}
### //
}
post-auth {
ldap-default
Post-Auth-Type REJECT {
ldap-default
}
}
I then see the following -
rad_recv: Access-Request packet from host xxx:40485, id=38, length=63
User-Name = "a...@test.com"
User-Password = "xx"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noo