Please help with ldap problem

2003-12-05 Thread Rick Whitley
I am running freeradius 20030922 snapshot on RedHat 9.0. I am
authorizing and authenticating via ldap. I seem to be getting authorized
and authenticated but my supplicant continues to try and authenticate.
Below is my debug output. If anyone can see anything unusual please let
me know. Thanks for any help.

rad_recv: Access-Request packet from host 10.5.50.115:1645, id=106,
length=211
User-Name = install
Framed-MTU = 1400
Called-Station-Id = 000d.bd43.d9a8
Calling-Station-Id = 0040.9645.c07a
Message-Authenticator = 0xaba44c3d8a18f7aa63dbf2fe20630dae
EAP-Message =
0x0205004f1580004517030100409dcc64928d8f5ff60c838cef0ac6a057006e51ad920af73b628207daa197dcbdcd1fbd2ea04505100cd5d27cf356a14adb8eb92944976da2adffa2e5623fdea9
NAS-Port-Type = Virtual
NAS-Port = 496
State = 0x0cd1fc1c30ee0fc4a8488e79f6205014
NAS-IP-Address = 10.5.50.115
NAS-Identifier = TESTAP1
modcall: entering group authorize
rlm_ldap: - authorize
rlm_ldap: performing user authorization for install
radius_xlat:  '(uid=install)'
radius_xlat:  'ou=academics,o=dbu'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=academics,o=dbu, with filter
(uid=install)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user install authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok
  rlm_eap: EAP packet type response id 5 length 79
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type LDAP
  rad_check_password:  Found Auth-Type EAP
Warning:  Found 2 auth-types on request for user 'install'
auth: type EAP
modcall: entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  eaptls_process returned 7
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled
attributes.

  TTLS: Got tunneled request
User-Name = install
User-Password = f0ulb3ast
Freeradius-Proxied-To = 127.0.0.1
  TTLS: Sending tunneled request
User-Name = install
User-Password = f0ulb3ast
Freeradius-Proxied-To = 127.0.0.1
modcall: entering group authorize
rlm_ldap: - authorize
rlm_ldap: performing user authorization for install
radius_xlat:  '(uid=install)'
radius_xlat:  'ou=academics,o=dbu'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=academics,o=dbu, with filter
(uid=install)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user install authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
modcall: entering group authenticate
rlm_ldap: - authenticate
rlm_ldap: login attempt by install with password f0ulb3ast
rlm_ldap: user DN: cn=install,ou=Academics,o=DBU
rlm_ldap: (re)connect to 10.5.10.215:389, authentication 1
rlm_ldap: bind as cn=install,ou=Academics,o=DBU/f0ulb3ast to
10.5.10.215:389
rlm_ldap: waiting for bind result ...
rlm_ldap: user install authenticated succesfully
  modcall[authenticate]: module ldap returns ok
modcall: group authenticate returns ok
Trying to look up name of unknown client 127.0.0.1.
Login OK: [install/f0ulb3ast] (from client UNKNOWN-CLIENT port 0)
  TTLS: Got tunneled reply RADIUS code 2
  TTLS: Got tunneled Access-Accept
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns handled
modcall: group authenticate returns handled
Sending Access-Accept of id 106 to 10.5.50.115:1645
MS-MPPE-Recv-Key =
0xe4bcd7f454abdd128405446d00ebf4127842ccf9716b0ae4ebd5da185ad75c17
MS-MPPE-Send-Key =
0xa847b8c85d1c43f533610ebceef89cbe6c8f1daf24e04dfe6316513047111c6f
EAP-Message = 0x03050004
Message-Authenticator = 0x
User-Name = install
Finished request 23
Going to the next request
Waking up in 1 seconds...


rick...
Rom.5:8

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
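
Added example (not part of the original post or of FreeRADIUS): the debug output above records the tunneled User-Password, the LDAP bind credential and the MS-MPPE keys in clear text, so a scrubber along these lines can be run over such a capture before it is shared. The rules cover only the line formats visible in that log; the sample log, user name, DN and password are constructed.

```python
import re

MASK = "<redacted>"

# (pattern, replacement) pairs, one per secret-bearing line format in the log above.
RULES = [
    # "User-Password = <value>" attribute lines (outer and tunneled requests)
    (re.compile(r"^([ \t]*User-Password[ \t]*=[ \t]*).+$", re.M), r"\1" + MASK),
    # "rlm_ldap: login attempt by <user> with password <value>"
    (re.compile(r"^(.*?login attempt by .+? with password ).+$", re.M), r"\1" + MASK),
    # "rlm_ldap: bind as <dn>/<value> to"; assumes the DN itself holds no '/'
    (re.compile(r"^(.*rlm_ldap: bind as [^/\n]*/).+( to\b.*)$", re.M),
     r"\1" + MASK + r"\2"),
    # "Login OK: [<user>/<value>] (from client ...)"
    (re.compile(r"^(Login OK: \[[^/\n]+/).*(\] \(from client .*)$", re.M),
     r"\1" + MASK + r"\2"),
    # MS-MPPE session keys; the hex value may be wrapped onto the next line
    (re.compile(r"^([ \t]*MS-MPPE-(?:Recv|Send)-Key[ \t]*=[ \t]*\n?[ \t]*)0x[0-9a-fA-F]+",
                re.M), r"\1" + MASK),
]


def redact(log: str) -> str:
    """Return the log with every matched secret replaced by MASK."""
    for pattern, replacement in RULES:
        log = pattern.sub(replacement, log)
    return log


# Constructed sample in the same line formats; the password contains '/' on purpose.
SAMPLE = """\
User-Name = alice
User-Password = Examp1e/pw
rlm_ldap: login attempt by alice with password Examp1e/pw
rlm_ldap: bind as cn=alice,ou=Staff,o=Example/Examp1e/pw to
192.0.2.10:389
Login OK: [alice/Examp1e/pw] (from client UNKNOWN-CLIENT port 0)
MS-MPPE-Recv-Key =
0x00112233445566778899aabbccddeeff
"""

if __name__ == "__main__":
    print(redact(SAMPLE))
```

Any password that has appeared in a posted log should be changed in the directory as well, since scrubbing only helps for copies not yet shared.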


LDAP Problem

2002-09-13 Thread Atanu Das



Dear ALL,
I tried creating a simple LDAP structure the following way!

dn: dc=company,dc=com
objectclass: top
objectclass: domain

dn: ou=people,dc=company,dc=com
ou: people
objectclass: top
objectclass: organisationalUnit

dn: uid=group1-dialup,ou=people,dc=company,dc=com
objectclass: radiusprofile
radiusPortLimit: 1

dn: uid=user1,ou=people,dc=company,dc=com
objectclass: radiusprofile
dialupregularprofile: uid=group1-dialup,ou=people,dc=company,dc=com

But I am getting the following error
11:52:00 AM: Failed to add new entry uid=user1, ou=radius, dc=neline,dc=com
Root error: [LDAP: error code 17 - dialupregularprofile: attribute type undefined]


I have included both the LDAP schema that came with 
freeradius in the slapd.conf file with schemacheck option off.

Where am I wrong!!!

Atanu Das
System Development
SS NetCom Pvt Ltd.
Dhankheti
Shillong-793003
Ph: 91+361+502355
Visit us at: http://www.neline.com



Re: LDAP Problem

2002-09-13 Thread Kostas Kalevras

On Fri, 13 Sep 2002, Atanu Das wrote:

 Dear ALL,
 I tried creating a simple LDAP structure the following way!

 dn: dc=company,dc=com
 objectclass: top
 objectclass: domain

 dn: ou=people,dc=company,dc=com
 ou: people
 objectclass: top
 objectclass: organisationalUnit

 dn: uid=group1-dialup,ou=people,dc=company,dc=com
 objectclass: radiusprofile
 radiusPortLimit: 1

 dn: uid=user1,ou=people,dc=company,dc=com
 objectclass: radiusprofile
 dialupregularprofile: uid=group1-dialup,ou=people,dc=company,dc=com

 But i am getting the following error
 11:52:00 AM: Failed to add new entry uid=user1, ou=radius, dc=neline,dc=com
 Root error: [LDAP: error code 17 - dialupregularprofile: attribute type undefined]


 I have included both the LDAP schema that came with freeradius in the slapd.conf 
file with schemacheck option off.

 Where am I wrong!!!

 Atanu Das

You should use the radiusprofiledn instead of dialupregularprofile.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf





Re: LDAP Problem

2002-09-13 Thread Atanu Das

Hi,

I got your point. But how to use the radiusprofiledn. I was following the
mailing list archives, but I could not figure what should I do in
radius.conf file and users file.
My ldif tree now looks like this.

dn: dc=neline,dc=com
objectclass: top
objectclass: domain

dn: ou=group,dc=neline,dc=com
ou: group
objectclass: top
objectclass: organizationalUnit

dn: cn=testgroup,ou=group,dc=neline,dc=com
objectClass: top
objectClass: radiusprofile
cn: testgroup
radiusGroupName: G022
gidNumber: 1000

dn: uid=testing,ou=group,dc=neline,dc=com
cn: testing
uid: testing
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: radiusprofile
ou: group
userPassword: neline
radiusProfileDn: cn=testgroup,ou=group,dc=neline,dc=com
radiusGroupName: testgroup

RADIUSD.CONF###

ldap {
    server = 192.9.168.2
    # identity = cn=admin,o=My Org,c=UA
    # password = mypass
    basedn = dc=neline,dc=com
    filter = (uid=%u)
    # set this to 'yes' to use TLS encrypted connections
    # to the LDAP database.
    start_tls = no
    default_profile = cn=testgroup,ou=group,dc=neline,dc=com
    profile_attribute = radiusProfileDn
    #access_group = cn=testgroup,ou=group,dc=neline,dc=com
    #access_attr = dialupAccess
    # Mapping of RADIUS dictionary attributes to LDAP
    # directory attributes.
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    # ldap_cache_timeout = 120
    # ldap_cache_size = 0
    ldap_connections_number = 5
    # password_header = {clear}
    #password_attribute = userPassword
    #groupname_attribute = cn
    #groupmembership_filter = (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
    timeout = 4
    timelimit = 3
    net_timeout = 1
    # compare_check_items = yes
    # access_attr_used_for_allow = yes
}


PLEASE SHOW ME THE WAY

Atanu Das
System Development
SS NetCom Pvt Ltd.
Dhankheti
Shillong-793003
Ph: 91+361+502355
Visit us at: http://www.neline.com



- Original Message -
From: Kostas Kalevras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, September 13, 2002 1:03 PM
Subject: Re: LDAP Problem


 On Fri, 13 Sep 2002, Atanu Das wrote:

  Dear ALL,
  I tried creating a simple LDAP structure the following way!
 
  dn: dc=company,dc=com
  objectclass: top
  objectclass: domain
 
  dn: ou=people,dc=company,dc=com
  ou: people
  objectclass: top
  objectclass: organisationalUnit
 
  dn: uid=group1-dialup,ou=people,dc=company,dc=com
  objectclass: radiusprofile
  radiusPortLimit: 1
 
  dn: uid=user1,ou=people,dc=company,dc=com
  objectclass: radiusprofile
  dialupregularprofile: uid=group1-dialup,ou=people,dc=company,dc=com
 
  But i am getting the following error
  11:52:00 AM: Failed to add new entry uid=user1, ou=radius,
dc=neline,dc=com
  Root error: [LDAP: error code 17 - dialupregularprofile: attribute type
undefined]
 
 
  I have included both the LDAP schema that came with freeradius in the
slapd.conf file with schemacheck option off.
 
  Where am I wrong!!!
 
  Atanu Das

 You should use the radiusprofiledn instead of dialupregularprofile.

 --
 Kostas Kalevras Network Operations Center
 [EMAIL PROTECTED] National Technical University of Athens, Greece
 Work Phone: +30 10 7721861
 'Go back to the shadow' Gandalf





ldap problem

2002-07-22 Thread Brian Leung

hi all,

I try to add these in the radiusd.conf
authtype LDAP {
ldap
}

authtype LDAP1 {
ldap1
}

but when I start it, it prompts me
radiusd.conf[650] Failed to link to module 'rlm_ldap1': file not found

How should I fix it? Thank you

Regards,
Brian Leung
System Engineer
Pacific Supernet





Re: ldap problem

2002-07-22 Thread J. S. Townsley


Do something like this:

Define your ldap blocks:

ldap FOO{
...
}
ldap FOO2{
...
}

Then do your authtype:
authtype LDAP {
FOO
FOO2
}

Actually, you may want to make that:

authtype LDAP {
redundant {
  FOO
  FOO2
}
}


--JST

On Mon, 22 Jul 2002, Brian Leung wrote:

 Date: Mon, 22 Jul 2002 17:30:27 +0800 (HKT)
 From: Brian Leung [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: ldap problem

 hi all,

 i try to add these in the radiusd.conf
 authtype LDAP {
 ldap
 }

 authtype LDAP1 {
 ldap1
 }

 but when i start it and it prompt me
 radiusd.conf[650] Failed to link to module 'rlm_ldap1': file not found

 how should i fixed? Thank you

 Regards,
 Brian Leung
 System Engineer
 Pacific Supernet





Radius Authentication with LDAP Problem

2002-07-15 Thread Penny

Hi, everyone:
I want to make Radius authentication with LDAP server. When I start radiusd, it
seems ok. And I use the command : radtest ypguo password localhost 1 test123
The result is: radclient:Unknown attribute User-Password
Can you tell me what is the problem?
Thank 
~Penny
ŠËbú?²æìr¸›{û§²æìr¸›y'ž†Ûiÿü0ÁúÞz¶Šë(®åŠËºÇ«²f


Yet LDAP problem

2001-10-24 Thread Falmeida
 Verify that you've updated the configuration line for the 'basedn'
 option. Run the server in debugging mode, and see that the server is
 using that new configuration.

 Verify that the user's realm is available to the LDAP module. The 'Realm'
 attribute is NOT something which is magically generated when a user logs
 in via 'username@realm'. You must add configuration to the server
 telling it to look for that realm. e.g. in the 'realms' file:

 realm1 LOCAL
 realm2 LOCAL

 If you don't have any special treatment of the realms, then the
 server will not know about the realms.

 Alan DeKok.

 Hi Alan..
 I compiled the last nightly snapshot, updated the configuration
file (ou=%{Realm},ou=mydomain). The realm file contains an entry like
this (myrealm LOCAL)...

Now I'm having a strange behaviour with the server... running the radtest
program the log shows several lines like this:
Sending Access-Request of id 163 to 127.0.0.1...
and then core dump...
This only occurs if the basedn contains a variable in it.. If I took off
the %{Realm} part of the basedn, the server becomes normal..









