Re: Authenticating using LDAP module
On Thu, 18 Sep 2003, Vishal Jose wrote:

> On Thu, 18 Sep 2003 12:30:02 +0300 (EEST)
> Kostas Kalevras <[EMAIL PROTECTED]> wrote:
>
> > > What I need now is CHAP-Password type to be
> > > send across to Radius Server from Client. My password in the LDAP database is
> > > plain text. I would like to know what is addition that to be given in
> > > radiusd.conf if necessary?
> >
> > This has been discussed many times in the list. Check the list archives. Also
> > doc/rlm_ldap includes plenty of information on the subject.
> >
> B'4 posting the former mail I checked out the mailing list. But still I didn't
> able to figure out. Sorry if I have missed to pin point something
>
> When I issue command say
>
> $ echo "User-Name = \"vishal\", CHAP-Password = \"vishal\"" | radclient -x -s
> 10.0.1.180 auth testing123
>
> $ radiusd -x
> rad_recv: Access-Request packet from host 10.0.1.180:1122, id=128, length=47
>         User-Name = "vishal"
>         CHAP-Password = 0x80c8b36527f114b9b5845eee357625c2b4
> rlm_chap: Setting 'Auth-Type := CHAP'
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for vishal
> ldap_get_conn: Got Id: 0
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding sn as User-Name, value vishal & op=21
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user vishal authorized to use remote access
> ldap_release_conn: Release Id: 0
> rlm_chap: login attempt by "vishal" with CHAP password ??³e'?^?5v%??
> rlm_chap: Could not find clear text password for user vishal

So the user clear text password is not available. This means that rlm_ldap does
not extract the corresponding password from the user ldap entry

> rad_recv: Access-Request packet from host 10.0.1.180:1122, id=128, length=47
> Sending Access-Reject of id 128 to 10.0.1.180:1122
>
>
> my radiusd.conf is
> ldap{
>
>         server = "10.0.1.180"
>         basedn = "o=icope"
>         filter = "cn=%u"
>         password_attribute = userPassword
>         password_header = "{clear}"

Based on your posted user entry:

dn: cn=vishal,o=icope
sn: vishal
cn: vishal
userPassword: vishal
objectClass: person
telephoneNumber: 5716909
description: He is a employee

You don't need to set password_header. So leave it commented out.

>         dictionary_mapping = ${raddbdir}/ldap.attrmap
>         timeout = 4
>         timelimit = 3
>         net_timeout = 1
>         ldap_debug = 0x
>

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]       National Technical University of Athens, Greece
Work Phone:             +30 210 7721861
'Go back to the shadow' Gandalf

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

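The failure discussed in the message above, as an added example (not code from the posters or from FreeRADIUS): CHAP as defined in RFC 1994 makes the server recompute MD5(ident || password || challenge), so it must be able to obtain the clear-text password. `extract_cleartext` is a hypothetical, simplified model of the `password_header` setting, and the challenge bytes are constructed because the thread does not show them.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Value printed by "radiusd -x" in the thread: 1 octet CHAP ident + 16 octet response.
PAGE_CHAP_PASSWORD = bytes.fromhex("80c8b36527f114b9b5845eee357625c2b4")


def split_chap_password(attr: bytes) -> Tuple[int, bytes]:
    """Split a RADIUS CHAP-Password attribute value into (ident, response)."""
    if len(attr) != 17:
        raise ValueError("CHAP-Password must be 1 + 16 octets")
    return attr[0], attr[1:]


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(ident || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def extract_cleartext(stored: str, password_header: Optional[str]) -> Optional[str]:
    """Hypothetical, simplified model of password_header handling (assumption).

    With no header configured the attribute value is used as it is. With a
    header configured, a value that does not carry it yields no password.
    """
    if not password_header:
        return stored
    if stored.startswith(password_header):
        return stored[len(password_header):]
    return None


def verify_chap(attr: bytes, challenge: bytes, cleartext: Optional[str]) -> str:
    """Server-side check: recompute the response from the clear-text password."""
    if cleartext is None:
        return "reject: no clear text password"
    ident, response = split_chap_password(attr)
    expected = chap_response(ident, cleartext.encode(), challenge)
    if hmac.compare_digest(response, expected):
        return "accept"
    return "reject: response mismatch"


def run_cases() -> dict:
    # Constructed sample data: a made-up 16 octet challenge and the response a
    # client knowing the password "vishal" would send for it.
    challenge = bytes(range(16))
    ident = 128
    client_attr = bytes([ident]) + chap_response(ident, b"vishal", challenge)

    # A one-way hashed directory value cannot be used to recompute the response.
    sha_form = "{SHA}" + base64.b64encode(hashlib.sha1(b"vishal").digest()).decode()

    cases = {
        "header set, value has none": ("vishal", "{clear}"),  # the thread's setup
        "header unset": ("vishal", None),                     # the suggested fix
        "header set, value carries it": ("{clear}vishal", "{clear}"),
        "hashed value, header unset": (sha_form, None),
    }
    return {
        name: verify_chap(client_attr, challenge, extract_cleartext(stored, header))
        for name, (stored, header) in cases.items()
    }


if __name__ == "__main__":
    ident, _ = split_chap_password(PAGE_CHAP_PASSWORD)
    print("CHAP ident in the thread's CHAP-Password:", ident)
    for name, verdict in run_cases().items():
        print(f"{name:30s} -> {verdict}")
```

The first octet of the CHAP-Password in the thread's log is 0x80, which is the same 128 shown as the packet id.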
Re: Authenticating using LDAP module
On Thu, 18 Sep 2003 12:30:02 +0300 (EEST)
Kostas Kalevras <[EMAIL PROTECTED]> wrote:

> > What I need now is CHAP-Password type to be
> > send across to Radius Server from Client. My password in the LDAP database is
> > plain text. I would like to know what is addition that to be given in
> > radiusd.conf if necessary?
>
> This has been discussed many times in the list. Check the list archives. Also
> doc/rlm_ldap includes plenty of information on the subject.

B'4 posting the former mail I checked out the mailing list. But still I didn't
able to figure out. Sorry if I have missed to pin point something

When I issue command say

$ echo "User-Name = \"vishal\", CHAP-Password = \"vishal\"" | radclient -x -s 10.0.1.180 auth testing123

$ radiusd -x
rad_recv: Access-Request packet from host 10.0.1.180:1122, id=128, length=47
        User-Name = "vishal"
        CHAP-Password = 0x80c8b36527f114b9b5845eee357625c2b4
rlm_chap: Setting 'Auth-Type := CHAP'
rlm_ldap: - authorize
rlm_ldap: performing user authorization for vishal
ldap_get_conn: Got Id: 0
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding sn as User-Name, value vishal & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user vishal authorized to use remote access
ldap_release_conn: Release Id: 0
rlm_chap: login attempt by "vishal" with CHAP password ?ȳe'ñ?¹µ?^î5v%´
rlm_chap: Could not find clear text password for user vishal
rad_recv: Access-Request packet from host 10.0.1.180:1122, id=128, length=47
Sending Access-Reject of id 128 to 10.0.1.180:1122

my radiusd.conf is

ldap{
        server = "10.0.1.180"
        basedn = "o=icope"
        filter = "cn=%u"
        password_attribute = userPassword
        password_header = "{clear}"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        timeout = 4
        timelimit = 3
        net_timeout = 1
        ldap_debug = 0x
}

authorize{
        ldap
        chap
}

authenticate{
        Auth-Type CHAP{
                chap
        }
        Auth-Type LDAP{
                ldap
        }
}

In Users file I tried out with both (either of) entry given down and without also

DEFAULT Auth-Type := LDAP
        Fall-Through = yes

DEFAULT Auth-Type := CHAP
        Fall-Through = yes

If it is without CHAP the same settings is working smoothly. Where I'm failing
once again?

Thanx
-Vishal

Re: Authenticating using LDAP module
On Thu, 18 Sep 2003, Vishal Jose wrote:

>
> Kostas Kalevras <[EMAIL PROTECTED]> wrote:
> > > filter = "uid=%u"
> >
> > Hmm, that should be "cn=%u" for things to work.
>
> Thanx, it solved my problem. What I need now is CHAP-Password type to be
> send across to Radius Server from Client. My password in the LDAP database is
> plain text. I would like to know what is addition that to be given in
> radiusd.conf if necessary?

This has been discussed many times in the list. Check the list archives. Also
doc/rlm_ldap includes plenty of information on the subject.

>
> Thanx
>
> -Vishal
>

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]       National Technical University of Athens, Greece
Work Phone:             +30 210 7721861
'Go back to the shadow' Gandalf

Re: Authenticating using LDAP module
On Wed, 17 Sep 2003, Narasimha Reddy Gujja wrote:

> there seems to be a problem with radius interpreting the IP address of the ldap
> machine. even if you give ldap://ipaddr it won't contact the ldap server, OR
> maybe not maybe I am ignorant.(-; , just my view.

You will need to have HAVE_LDAP_INITIALIZE defined during compilation of
rlm_ldap for ldap urls to be accepted. The configure script of rlm_ldap needs to
be updated to find if ldap_initialize() is available.

>
> when you used localhost did you put it in quote like "localhost", if not try that.
>
> and how do you want to use ldap for authenticate without using "userPassword"
> attribute in your ldap entry??
>
> Reddy
> ([EMAIL PROTECTED])
>

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]       National Technical University of Athens, Greece
Work Phone:             +30 210 7721861
'Go back to the shadow' Gandalf

Re: Authenticating using LDAP module
Kostas Kalevras <[EMAIL PROTECTED]> wrote:

> > filter = "uid=%u"
>
> Hmm, that should be "cn=%u" for things to work.

Thanx, it solved my problem. What I need now is CHAP-Password type to be send
across to Radius Server from Client. My password in the LDAP database is plain
text. I would like to know what is addition that to be given in radiusd.conf if
necessary?

Thanx
-Vishal

Re: Authenticating using LDAP module
there seems to be a problem with radius interpreting the IP address of the ldap
machine. even if you give ldap://ipaddr it won't contact the ldap server, OR
maybe not maybe I am ignorant.(-; , just my view.

when you used localhost did you put it in quote like "localhost", if not try that.

and how do you want to use ldap for authenticate without using "userPassword"
attribute in your ldap entry??

Reddy
([EMAIL PROTECTED])

Re: Authenticating using LDAP module
At 12:22 PM 9/17/2003, Kostas Kalevras wrote:
> On Wed, 17 Sep 2003, Vishal Jose wrote:
> > Meanwhile in the server end(I'm adding all the log from server end)
> >
> > $ radiusd -x
>
> Please use radiusd -X so that both debug levels are logged

To increase the debug level, simply add additional -x ( lower case ), as in
'radiusd -x -x'. The -X ( upper case ) flag has other side effects such as
disabling threaded operation which may or may not be intended if you simply
need more verbose logging to determine an issue.

-Chris
--
Chris Parker, Director, Engineering
StarNet Inc.  (847) 963-0116
WX *is* Wireless!  http://www.starnetwx.net
Wholesale Internet Services - http://www.megapop.net

Re: Authenticating using LDAP module
On Wed, 17 Sep 2003, Vishal Jose wrote:

>
> I have a problem in(my radclient) getting authenticated by RADIUS Server using LDAP
> module. I have installed Openldap in my local machine.
>
> Let me put the info about my files that I'm using. I'm very sorry if u people feel
> that this much info is not necessary to figure out problem...
>
> Say my slapd.conf is the following:
>
> --
>
> modules{
>   ldap{
>
>         server = "10.0.1.180"
>         #server = localhost ->Tried this also
>         #identity = "cn=manager ,o=icope"
>         #password = coin
>         basedn = "o=icope"
>         filter = "uid=%u"

Hmm, that should be "cn=%u" for things to work.

>         dictionary_mapping = ${raddbdir}/ldap.attrmap
>         timeout = 4
>         timelimit = 3
>         net_timeout = 1
>         ldap_debug = 0x
>   }
> }
>
> Meanwhile in the server end(I'm adding all the log from server end)
>
> $ radiusd -x

Please use radiusd -X so that both debug levels are logged

> rad_recv: Access-Request packet from host 10.0.1.180:1088, id=104, length=46
>         User-Name = "vishal"
>         Password = "vishal"
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for vishal
> ldap_get_conn: Got Id: 0
> rlm_ldap: (re)connect to 10.0.1.180:389, authentication 0
> rlm_ldap: bind as / to 10.0.1.180:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: object not found or got ambiguous search result

The ldap search was not successful. Please increase the debug level in radiusd
(either -xx or -X) and check your ldap server logs.

> rlm_ldap: search failed
> ldap_release_conn: Release Id: 0
> rad_recv: Access-Request packet from host 10.0.1.180:1088, id=104, length=46
> Sending Access-Reject of id 104 to 10.0.1.180:1088
>
> How to look about this probs. As a newbie to RADIUS Server configuration, I'll
> appreciate if somebody can help me out in figuring this problem.
>
> Thanx in advance
>
> -Vishal
>

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]       National Technical University of Athens, Greece
Work Phone:             +30 210 7721861
'Go back to the shadow' Gandalf

Authenticating using LDAP module
mapped to RADIUS NT-Password
rlm_ldap: LDAP userPassword mapped to RADIUS User-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
conns: 0x80b0c00
Module: Instantiated ldap (ldap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
Module: Instantiated detail (detail)
Module: Loaded radutmp
Module: Instantiated radutmp (radutmp)
Initializing the thread pool...
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.1.180:1088, id=104, length=46
        User-Name = "vishal"
        Password = "vishal"
rlm_ldap: - authorize
rlm_ldap: performing user authorization for vishal
ldap_get_conn: Got Id: 0
rlm_ldap: (re)connect to 10.0.1.180:389, authentication 0
rlm_ldap: bind as / to 10.0.1.180:389
rlm_ldap: waiting for bind result ...
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
ldap_release_conn: Release Id: 0
rad_recv: Access-Request packet from host 10.0.1.180:1088, id=104, length=46
Sending Access-Reject of id 104 to 10.0.1.180:1088

How to look about this probs. As a newbie to RADIUS Server configuration, I'll
appreciate if somebody can help me out in figuring this problem.

Thanx in advance

-Vishal

RE: creating ldap module with Solaris 9.
Install openldap-2x and run the ./configure, make, make install. You do not
have to use Openldap just need the libraries at compile time. We run it here
with Iplanet 5.1 and everything works great.

Gene Parks
VIP Direct

-----Original Message-----
From: Randall Badilla [mailto:rbadilla@;cesa.co.cr]
Sent: Tuesday, November 05, 2002 9:55 AM
To: [EMAIL PROTECTED]
Subject: creating ldap module with Solaris 9.

Hi all:
I have recently downloaded the 0.7.1 version of freeradius, to be used with a
LDAP server built on solaris 9 with SunOne (netscape) directory server 5.X.
My problem is with the call of libraries although I have ber_decode and other
commands/headers on the ldap library -lldap, the configure of that module
insist call -llber; can anybody tell me if I can workaround this and how..?
copying libraries and renaming???
Thanks

Re: creating ldap module with Solaris 9.
Randall Badilla <[EMAIL PROTECTED]> wrote:
> I have recently downloaded the 0.7.1 version of freeradius, to be used
> with a LDAP server built on solaris 9 with SunOne (netscape) directory
> server 5.X.

I think that the module is for OpenLDAP, not Netscape LDAP. It would need
patches to make it work with netscape, sorry.

Alan Dekok.

creating ldap module with Solaris 9.
Hi all:
I have recently downloaded the 0.7.1 version of freeradius, to be used with a
LDAP server built on solaris 9 with SunOne (netscape) directory server 5.X.
My problem is with the call of libraries although I have ber_decode and other
commands/headers on the ldap library -lldap, the configure of that module
insist call -llber; can anybody tell me if I can workaround this and how..?
copying libraries and renaming???
Thanks

Re: LDAP module crashes
On Wed, 4 Sep 2002, Stefan Radovanovici wrote:

>
> > > tests I added some more reply items but this makes the LDAP module to
> > > crash. If I keep the number of reply items low, it works fine. Here is a
> > > working log request. Next will follow the log when I have added one more
> > > reply items.
> > Could you post the new reply item you added?
>
> The added reply item is the bintecipNatPresetTable variable with the value
> "IfIndex=1000 IntAddr=192.168.150.0 IntMask=255.255.255.0 ExtAddr=10.16.1.10
> ExtMask=255.255.255.0". But it ended up kinda truncated (as seen from the log),
> everything after ExtAddr is gone.
>
> If, for example, I shorten the value, works fine, no crash. I tried several
> values, it does not seem to matter. What seems to matter is the length
>

OK, thanks for the bug report, there was a problem when the attribute value was
larger than the available buffer space. Try a cvs update on the rlm_ldap module
and it should work fine.

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]       National Technical University of Athens, Greece
Work Phone:             +30 10 7721861
'Go back to the shadow' Gandalf

Re: LDAP module crashes
> > tests I added some more reply items but this makes the LDAP module to
> > crash. If I keep the number of reply items low, it works fine. Here is a
> > working log request. Next will follow the log when I have added one more
> > reply items.
>
> Could you post the new reply item you added?
> Do you get a core dump? If not enable core dumps in the config file
> (allow_core_dumps = yes) and in the shell (ulimit -c unlimited)
> Do a backtrace on the core file if you get one and send back the results.

I enabled core but I do not get one when the segmentation fault occurs :-/

Some more tests showed that as soon as the attribute value length exceeds 64
bytes, the server crashes.

Regards,
Stefan

Re: LDAP module crashes
> > tests I added some more reply items but this makes the LDAP module to
> > crash. If I keep the number of reply items low, it works fine. Here is a
> > working log request. Next will follow the log when I have added one more
> > reply items.
> Could you post the new reply item you added?

The added reply item is the bintecipNatPresetTable variable with the value
"IfIndex=1000 IntAddr=192.168.150.0 IntMask=255.255.255.0 ExtAddr=10.16.1.10
ExtMask=255.255.255.0". But it ended up kinda truncated (as seen from the log),
everything after ExtAddr is gone.

If, for example, I shorten the value, works fine, no crash. I tried several
values, it does not seem to matter. What seems to matter is the length

> Do you get a core dump? If not enable core dumps in the config file
> (allow_core_dumps = yes) and in the shell (ulimit -c unlimited)
> Do a backtrace on the core file if you get one and send back the results.

I will try to enable core and see if I get one, will send the results.

Regards,
Stefan

Re: LDAP module crashes
On Tue, 3 Sep 2002, Stefan Radovanovici wrote:

> Greetings everybody,
>
> I am using Freeradius 0.7 and OpenLDAP 2.1.4 (had also 2.0.25). My users
> are defined in the LDAP and I have several reply items that have to get
> back to the NAS once the user is authenticated. Today while doing some
> tests I added some more reply items but this makes the LDAP module to
> crash. If I keep the number of reply items low, it works fine. Here is a
> working log request. Next will follow the log when I have added one more
> reply items.

Could you post the new reply item you added?
Do you get a core dump? If not enable core dumps in the config file
(allow_core_dumps = yes) and in the shell (ulimit -c unlimited)
Do a backtrace on the core file if you get one and send back the results.

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]       National Technical University of Athens, Greece
Work Phone:             +30 10 7721861
'Go back to the shadow' Gandalf

LDAP module crashes
Greetings everybody,

I am using Freeradius 0.7 and OpenLDAP 2.1.4 (had also 2.0.25). My users are
defined in the LDAP and I have several reply items that have to get back to the
NAS once the user is authenticated. Today while doing some tests I added some
more reply items but this makes the LDAP module to crash. If I keep the number
of reply items low, it works fine. Here is a working log request. Next will
follow the log when I have added one more reply items.

Normal request:

rad_recv: Access-Request packet from host 127.0.0.1:1215, id=25, length=62
        User-Name = "isdn_SEYFR"
        User-Password = "\305{\300\2660\263\327@\327\202\230\345:\232G\336"
        NAS-IP-Address = 255.255.255.255
        NAS-Port-Id = "ISDN"
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for isdn_SEYFR
radius_xlat: '(dc=isdn_SEYFR)'
radius_xlat: 'o=rts'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 172.16.5.70:389, authentication 0
rlm_ldap: setting TLS mode to 4
rlm_ldap: could not set LDAP_OPT_X_TLS option Success
rlm_ldap: bind as cn=root,o=rts/test to 172.16.5.70:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in o=rts, with filter (dc=isdn_SEYFR)
rlm_ldap: Added password seydler in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as CHAP-Password, value seydler & op=11
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding bintecipExtIfTable as BinTec-ipExtIfTable, value Nat=on & op=11
rlm_ldap: Adding bintecbiboDialTable as BinTec-biboDialTable, value direction=outgoing number=111 & op=11
rlm_ldap: Adding bintecbiboPPPTable as BinTec-biboPPPTable, value biboPPPAuthentication=chap & op=11
rlm_ldap: Adding bintecbiboPPPTable as BinTec-biboPPPTable, value biboPPPLocalIdent=rts & op=11
rlm_ldap: Adding radiusIdleTimeout as Idle-Timeout, value 60 & op=11
rlm_ldap: Adding radiusFramedIPNetmask as Framed-IP-Netmask, value 255.255.255.255 & op=11
rlm_ldap: Adding radiusFramedIPAddress as Framed-IP-Address, value 192.168.19.14 & op=11
rlm_ldap: user isdn_SEYFR authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok
modcall[authorize]: module "files" returns notfound
modcall: group authorize returns ok
rad_check_password: Found Auth-Type LDAP
auth: type "Ldap"
modcall: entering group authtype
rlm_ldap: - authenticate
rlm_ldap: login attempt by "isdn_SEYFR" with password "seydler"
rlm_ldap: user DN: dc=isdn_SEYFR,dc=tstfr,dc=cus,ou=resources,o=rts
rlm_ldap: (re)connect to 172.16.5.70:389, authentication 1
rlm_ldap: setting TLS mode to 4
rlm_ldap: could not set LDAP_OPT_X_TLS option Success
rlm_ldap: bind as dc=isdn_SEYFR,dc=tstfr,dc=cus,ou=resources,o=rts/seydler to 172.16.5.70:389
rlm_ldap: waiting for bind result ...
rlm_ldap: user isdn_SEYFR authenticated succesfully
modcall[authenticate]: module "ldap" returns ok
modcall: group authtype returns ok
Login OK: [isdn_SEYFR/seydler] (from client localhost port 0)
Sending Access-Accept of id 25 to 127.0.0.1:1215
        BinTec-ipExtIfTable = "Nat=on"
        BinTec-biboDialTable = "direction=outgoing number="
        BinTec-biboPPPTable = "biboPPPAuthentication=chap"
        BinTec-biboPPPTable = "biboPPPLocalIdent=rts"
        Idle-Timeout = 60
        Framed-IP-Netmask = 255.255.255.255
        Framed-IP-Address = 192.168.19.14
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...

I added another attribute and I get segmentation fault:

rad_recv: Access-Request packet from host 127.0.0.1:1215, id=84, length=62
        User-Name = "isdn_SEYFR"
        User-Password = "\273\2773\326m6\004Zl/\214I\276h\013\366"
        NAS-IP-Address = 255.255.255.255
        NAS-Port-Id = "ISDN"
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for isdn_SEYFR
radius_xlat: '(dc=isdn_SEYFR)'
radius_xlat: 'o=rts'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 172.16.5.70:389, authentication 0
rlm_ldap: setting TLS mode to 4
rlm_ldap: could not set LDAP_OPT_X_TLS option Success
rlm_ldap: bind as cn=root,o=rts/test to 172.16.5.70:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in o=rts, with filter (dc=isdn_SEYFR)
rlm_ldap: Added password seydler in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as CHAP-Password, value seydler & op=11
rlm_ldap: looking for reply items in d
Ldap module compiling problems in Solaris
Hi :

I am trying to build freeradius 0.5 with rlm_ldap enabled under solaris 7 with
gcc 2.95.3. When compiling this module it produces an error and the compilation
fails. I am using GNU make 3.79.1 and OpenLDAP 2.0.23 ( installed in
/usr/local/openldap ). I configured with CPPFLAGS=-I/usr/local/openldap/include
LDFLAGS=-L/usr/local/openldap/lib and --enable-ldap=yes.

The error output is as follows :

[snip]
Making static dynamic in rlm_ldap...
make[6]: Entering directory `/export/home/rcc/software/freeradius/install/freeradius-0.5/src/modules/rlm_ldap'
gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -I../../include -DHAVE_LDAP_START_TLS -c rlm_ldap.c -o rlm_ldap.o
rlm_ldap.c: In function `ldap_instantiate':
rlm_ldap.c:240: `LDAP_OPT_X_TLS_TRY' undeclared (first use in this function)
rlm_ldap.c:240: (Each undeclared identifier is reported only once
rlm_ldap.c:240: for each function it appears in.)
rlm_ldap.c: In function `perform_search':
rlm_ldap.c:477: warning: implicit declaration of function `ldap_get_option'
rlm_ldap.c: In function `ldap_connect':
rlm_ldap.c:1162: warning: implicit declaration of function `ldap_set_option'
rlm_ldap.c:1162: `LDAP_OPT_NETWORK_TIMEOUT' undeclared (first use in this function)
rlm_ldap.c:1162: `LDAP_OPT_SUCCESS' undeclared (first use in this function)
rlm_ldap.c:1168: `LDAP_OPT_DEBUG_LEVEL' undeclared (first use in this function)
rlm_ldap.c:1182: warning: implicit declaration of function `ldap_start_tls_s'
rlm_ldap.c:1196: warning: passing arg 2 of `ldap_simple_bind' discards qualifiers from pointer target type
rlm_ldap.c:1196: warning: passing arg 3 of `ldap_simple_bind' discards qualifiers from pointer target type
rlm_ldap.c: In function `ldap_pairget':
rlm_ldap.c:1399: warning: passing arg 2 of `pairread' from incompatible pointer type
make[6]: *** [rlm_ldap.o] Error 1
make[6]: Leaving directory `/export/home/rcc/software/freeradius-0.5/src/modules/rlm_ldap'
make[5]: *** [common] Error 1
make[5]: Leaving directory `/export/home/rcc/software/freeradius-0.5/src/modules'
make[4]: *** [all] Error 2
make[4]: Leaving directory `/export/home/rcc/software/freeradius-0.5/src/modules'
make[3]: *** [common] Error 1
make[3]: Leaving directory `/export/home/rcc/software/freeradius-0.5/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/export/home/rcc/software/freeradius-0.5/src'
make[1]: *** [common] Error 1
make[1]: Leaving directory `/export/home/rcc/software/freeradius-0.5'
make: *** [all] Error 2

I did not get any error messages when I run configure. Is there anything
missing, maybe a required software or a library ? I have also included
/usr/local/openldap/lib in my LD_LIBRARY_PATH variable.

Thanks in advance for any suggestion,

Richard Cotrina

Re: LDAP module binding to wrong IP address..
On Thu, 4 Apr 2002, Erling Paulsen wrote:

> Hello listusers,
>
> I run v.0.5 with 2 realms forwarded to Merit based RADIUS servers and DEFAULT
> no realmed requests to an Active Directory box. It runs on FreeBSD 4.5 in a
> chrooted environment.
>
> All well, bells and trumpets, and then.. now I really need some help, and I
> would appreciate it, if someone could give me some hints.
>
> Problem scenario as follows:
> radiusd binds itself to IP address "B" on the NIC. It receives requests on
> "B" and forwards request on "B" to its external RADIUS (merit based)
> authenticators (charmingly). However, when requests that needs to be forwarded
> by the rlm_ldap module to the MS Active Directory server, the module forwards
> the request on IP address "A" (the primary IP of the NIC, and not the one
> radiusd is bound to - address "B"). I REALLY need to have the request come
> from the same IP as the radiusd, because of some access lists out of my
> control.
>
> Even direct me to somewhere in the module source-code so I can make a hack!
>
> BTW: FreeRADIUS is a great effort, well done!
> Desperately, Erling Paulsen, Norway
>

I don't think it can be done. I don't know of any way to set the source ip in
the ldap requests when using the ldap api. I may be wrong though. I believe you
could just use the firewalling facility of freebsd to route the ldap requests
through int B instead of A.

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]       National Technical University of Athens, Greece
Work Phone:             +30 10 7721861
'Go back to the shadow' Gandalf

LDAP module binding to wrong IP address..
Hello listusers,

I run v.0.5 with 2 realms forwarded to Merit based RADIUS servers and DEFAULT
no realmed requests to an Active Directory box. It runs on FreeBSD 4.5 in a
chrooted environment.

All well, bells and trumpets, and then.. now I really need some help, and I
would appreciate it, if someone could give me some hints.

Problem scenario as follows:
radiusd binds itself to IP address "B" on the NIC. It receives requests on "B"
and forwards request on "B" to its external RADIUS (merit based) authenticators
(charmingly). However, when requests that needs to be forwarded by the rlm_ldap
module to the MS Active Directory server, the module forwards the request on IP
address "A" (the primary IP of the NIC, and not the one radiusd is bound to -
address "B"). I REALLY need to have the request come from the same IP as the
radiusd, because of some access lists out of my control.

Even direct me to somewhere in the module source-code so I can make a hack!

BTW: FreeRADIUS is a great effort, well done!
Desperately, Erling Paulsen, Norway

Re: LDAP module
Hi,

On Wed, 27 Mar 2002, C-M Maier wrote:

> i have downloaded the last version of freeradius and compiled it on
> SuSE V7.3
> But the module rlm_ldap doesn't and i need this module to work with the
> existing LDAP Server in our company. I tested this on different servers.
> But only with SuSE. Is the linux distribution the problem ??

I don't think so ;-) You need the openldap2, -client and -devel package installed to build the module.

CU, Wolfgang
Re: LDAP module
C-M Maier <[EMAIL PROTECTED]> wrote:

> i have downloaded the last version of freeradius and compiled it on
> SuSE V7.3 But the module rlm_ldap doesn't and i need this module to
> work with the existing LDAP Server in our company.

The module doesn't *what*? Build? Work?

Read the output of 'configure' and 'make'. Any errors, warnings or reasons why the module didn't build will be displayed in the output.

Alan DeKok.
LDAP module
Hi @all

i have downloaded the last version of freeradius and compiled it on SuSE V7.3 But the module rlm_ldap doesn't and i need this module to work with the existing LDAP Server in our company. I tested this on different servers. But only with SuSE. Is the linux distribution the problem ??

Thanks for helping
Re: help with ldap module.
"Lance Miller" <[EMAIL PROTECTED]> wrote:

> First question, I have to compile the LDAP modules in order for it to
> work with a LDAP server correct?

Yes.

> I run the package with the -X switch and get the follow error message
>
> Module: Instantiated unix (unix)
> radiusd.conf[361] Failed to link to module 'rlm_ldap': file not found

The error messages from libtool are *so* helpful. Later versions of libtool have better error messages, but they do NOT work.

> I also looked in the lib directory to see if the modules compiled
> correctly, and got the following
>
> /usr/local/raidusd/lib
>
> -rw-r--r-- 1 root other 62344 Dec 20 09:20 rlm_ldap.a
> -rwxr-xr-x 1 root other747 Dec 20 09:20 rlm_ldap.la
> lrwxrwxrwx 1 root other 17 Dec 20 09:20 rlm_ldap.so -> rlm_ldap.so.0.0.0

Yeah. Do 'ldd rlm_ldap.so'. It will tell you which libraries are needed by rlm_ldap, and where those libraries exist.

You haven't configured the dynamic linker (/etc/ld.so.conf on Linux) to tell it where the main LDAP libraries are. So, it can't link to them. Either fix ld.so.conf, or add the path to the LDAP libraries to the 'libdir' path in radiusd.conf. i.e.:

libdir = ${prefix}/lib:/usr/local/ldap/lib

Alan DeKok.
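The check described in the reply above (run ldd on rlm_ldap.so, then extend 'libdir'), as an added example that is not part of the thread or of FreeRADIUS. The function names, the sample ldd output and the candidate directories are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find which libraries rlm_ldap.so cannot
# resolve and build the matching 'libdir' line for radiusd.conf.
# Function names are hypothetical; the sample output below is constructed.

# Constructed ldd output covering the Solaris and Linux "not found" styles.
SAMPLE_LDD='    libldap.so.2 =>  (file not found)
    liblber.so.2 =>  (file not found)
    libresolv.so.2 => not found
    libc.so.1 =>     /usr/lib/libc.so.1'

# Read ldd output on stdin; print each unresolved library name once.
missing_libs() {
    awk '/not found/ { print $1 }' | sort -u
}

# Read ldd output on stdin; for every unresolved library print
# "<library> <first candidate directory containing it, or UNRESOLVED>".
locate_dirs() {
    missing_libs | while read -r lib; do
        found=UNRESOLVED
        for dir in "$@"; do
            if [ -e "$dir/$lib" ]; then found=$dir; break; fi
        done
        echo "$lib $found"
    done
}

# Read ldd output on stdin; print the libdir setting: the module directory
# ($1) followed by each candidate directory that satisfies a missing library.
libdir_value() {
    moddir=$1; shift
    extra=$(locate_dirs "$@" | awk '$2 != "UNRESOLVED" { print $2 }' |
            sort -u | paste -sd: -)
    echo "libdir = $moddir${extra:+:$extra}"
}

# Real use: ldd rlm_ldap.so | libdir_value '${prefix}/lib' /usr/local/ldap/lib
printf '%s\n' "$SAMPLE_LDD" | locate_dirs /usr/local/ldap/lib /usr/local/lib
```

A library still reported as UNRESOLVED is not in any of the directories given, so the LDAP client libraries are either installed elsewhere or not installed at all.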
help with ldap module.
I need some clarification here about accessing LDAP with freeradius, and compiling freeradius to work with LDAP.

First question, I have to compile the LDAP modules in order for it to work with a LDAP server correct?

This is what I done so far. I am compiling this on solaris 8 box. When first compile openldap-2.0.18 with the following switches

--disabled=slapd --disabled=slurpd --disabled-ldbm

it compiled and install okay.

Then I compiled the freeradius=0.3 package with the following switches

/configure --prefix=/usr/local/radiusd --with-rlm-ldap-include=/usr/local/include --with-rlm-ldap-include=/usr/local/lib --enable-ltdg-install --enable-ltdl-install

I put ldap in the authenticate section looks like this

authenticate {
    pam
    unix
    ldap
}

I run the package with the -X switch and get the follow error message

Module: Instantiated unix (unix)
radiusd.conf[361] Failed to link to module 'rlm_ldap': file not found

I also looked in the lib directory to see if the modules compiled correctly, and got the following

/usr/local/raidusd/lib

-rw-r--r-- 1 root other 62344 Dec 20 09:20 rlm_ldap.a
-rwxr-xr-x 1 root other747 Dec 20 09:20 rlm_ldap.la
lrwxrwxrwx 1 root other 17 Dec 20 09:20 rlm_ldap.so -> rlm_ldap.so.0.0.0
lrwxrwxrwx 1 root other 17 Dec 20 09:20 rlm_ldap.so.0 -> rlm_ldap.so.0.0.0
-rwxr-xr-x 1 root other 65212 Dec 20 09:20 rlm_ldap.so.0.0.0

Any ideas where I went wrong or what I need to do? Thanks in advance.

Thanx much,
Lance Miller
Re: Problems with ldap module...
On Mon, Sep 24, 2001 at 04:58:07PM -0400, [EMAIL PROTECTED] <[EMAIL PROTECTED]> is thought to have said:

> "Tabor J. Wells" <[EMAIL PROTECTED]> wrote:
> > Specifically, the OpenLDAP libraries since that is the only thing
> > configure will detect. The Solaris 7/8 default OS-installed ldap libraries
> > are Netscape derivatives.
>
> Is it possible to edit src/modules/rlm_ldap/Makefile by hand, to get
> it to compile with other ldap libraries? Can you post any patches to
> allow it to work with other ldap libraries?

Sorry. I didn't mean to give the impression that I'd gotten this working. :) So far I haven't. The APIs are just different enough that FR won't build. If I do manage to get this working, I'll certainly send patches.

> I don't have access to other ldap libraries. So unless other people
> help with patches, support for other versions of ldap will NEVER go
> into the server.

The Netscape/iPlanet SDKs are freely available at http://www.iplanet.com/downloads/developer/

HTH,
Tabor

--
Tabor J. Wells [EMAIL PROTECTED]
Fsck It! Just another victim of the ambient morality
Re: Problems with ldap module...
"Tabor J. Wells" <[EMAIL PROTECTED]> wrote:

> Specifically, the OpenLDAP libraries since that is the only thing
> configure will detect. The Solaris 7/8 default OS-installed ldap libraries
> are Netscape derivatives.

Is it possible to edit src/modules/rlm_ldap/Makefile by hand, to get it to compile with other ldap libraries? Can you post any patches to allow it to work with other ldap libraries?

I don't have access to other ldap libraries. So unless other people help with patches, support for other versions of ldap will NEVER go into the server.

Alan DeKok.
Re: Problems with ldap module...
Ah, well, this would be the problem then... we already have Netscape LDAP installed, but I guess I'll have to install OpenLDAP on top of that.. oh well..

Jeff Baxter
Information Systems and Services
George Washington University

On Mon, 24 Sep 2001, Tabor J. Wells wrote:

> On Mon, Sep 24, 2001 at 10:57:52AM -0400,
> [EMAIL PROTECTED] <[EMAIL PROTECTED]> is thought to have said:
>
> > Jeff Baxter <[EMAIL PROTECTED]> wrote:
> >
> > > Would someone be kind enough to point out the error in my ways?
> >
> > I would suspect that you don't have ldap libraries installed. Go
> > back over the configure script, and carefully read its output. Read
> > the output of 'make', and look for ldap. Odds are there's a message
> > telling you what's happening, and you never looked for it.
>
> Specifically, the OpenLDAP libraries since that is the only thing
> configure will detect. The Solaris 7/8 default OS-installed ldap libraries
> are Netscape derivatives.
>
> It'd be really nice if we could link against those on Solaris or against
> the iPlanet SDK libraries rather than have to have multiple sets of
> libraries installed. Perhaps an argument to configure like
> --with-ldap=netscape or --with-ldap=openldap or --with-ldap=solaris in the
> case where you do legitimately need to have multiple ldap libs installed.
>
> Tabor
>
> --
> Tabor J. Wells [EMAIL PROTECTED]
> Fsck It! Just another victim of the ambient morality
Re: Problems with ldap module...
On Mon, Sep 24, 2001 at 10:57:52AM -0400, [EMAIL PROTECTED] <[EMAIL PROTECTED]> is thought to have said:

> Jeff Baxter <[EMAIL PROTECTED]> wrote:
>
> > Would someone be kind enough to point out the error in my ways?
>
> I would suspect that you don't have ldap libraries installed. Go
> back over the configure script, and carefully read its output. Read
> the output of 'make', and look for ldap. Odds are there's a message
> telling you what's happening, and you never looked for it.

Specifically, the OpenLDAP libraries since that is the only thing configure will detect. The Solaris 7/8 default OS-installed ldap libraries are Netscape derivatives.

It'd be really nice if we could link against those on Solaris or against the iPlanet SDK libraries rather than have to have multiple sets of libraries installed. Perhaps an argument to configure like --with-ldap=netscape or --with-ldap=openldap or --with-ldap=solaris in the case where you do legitimately need to have multiple ldap libs installed.

Tabor

--
Tabor J. Wells [EMAIL PROTECTED]
Fsck It! Just another victim of the ambient morality
Re: Problems with ldap module...
[EMAIL PROTECTED] wrote:

> (sigh) The libtool people should be taken out back and beaten for
> allowing it to generate nonsense error messages, when files don't
> exist.

They've fixed *some* of those errors in the latest version. I'll upgrade the local copy to that, and see if it does anything more intelligent.

Alan DeKok.
Re: Problems with ldap module...
Jeff Baxter <[EMAIL PROTECTED]> wrote:

> I'm just trying to set up simple LDAP authentication to our central LDAP
> server. So I did a configure, make, make install

Did the ldap module *build*? Did it install?

> But the make failed with:
>
> >/export/home/users/j/b/jbaxter/development/freeradius/freeradius-0.2/libltdl/libltdl.la
> -dlpreopen ../modules/rlm_ldap/rlm_ldap.la
> libtool: link: `../modules/rlm_ldap/rlm_ldap.la' is not a valid libtool
> archive

Look in the rlm_ldap directory. There's probably no rlm_ldap.la file.

(sigh) The libtool people should be taken out back and beaten for allowing it to generate nonsense error messages, when files don't exist.

> Would someone be kind enough to point out the error in my ways?

I would suspect that you don't have ldap libraries installed. Go back over the configure script, and carefully read its output. Read the output of 'make', and look for ldap. Odds are there's a message telling you what's happening, and you never looked for it.

Alan DeKok.
Problems with ldap module...
Hi all -

Setup:
Solaris 2.8 on Sparc
FreeRadius 0.2 (just d/led today)

I'm just trying to set up simple LDAP authentication to our central LDAP server. So I did a configure, make, make install, and edited the radius.conf file to include the suggestions from the rlm_ldap document. When I tried to run the daemon, I got:

# ./radiusd
radiusd: Starting - reading configuration files ...
radiusd: radiusd.conf[358] Failed to link to module 'rlm_ldap': file not found

So I thought, okay, the ldap module must not be installed automatically. So I took a look at the configure options and tried:

./configure --with-static-modules="ldap"
make

But the make failed with:

/export/home/users/j/b/jbaxter/development/freeradius/freeradius-0.2/libltdl/libltdl.la -dlpreopen ../modules/rlm_ldap/rlm_ldap.la
libtool: link: `../modules/rlm_ldap/rlm_ldap.la' is not a valid libtool archive
make[4]: *** [radiusd] Error 1

Would someone be kind enough to point out the error in my ways?

Thanks in advance!

Jeff Baxter
Information Systems and Services
George Washington University
LDAP module
Hi Freeradius users!

I have a question related to the LDAP module for Freeradius. The other Radius servers I looked at that do support LDAP have 2 different options for LDAP. The first, called "bind", will take the uid+realm and passwd and attempt to bind to the ldap server; if it goes through, it accepts the radius request. The second method uses a search, where the server is already binded to the ldap server using an administrative passwd, and it searches for the uid and compares with the passwd stored at the ldap server.

I notice that Freeradius supports the first method, anybody knows if it also supports the second method?

Thanks,
PAulo/