Using LDAP with v0.81

2003-03-09 Thread Patrick McShane

Hello,

I was testing v0.81 against our existing LDAP DB and the searches worked
fine. The LDAP module seemed to authenticate the LDAP user but then
somewhere along the line, Auth-Type System failed to validate the
user. We only want to validate/authenticate dialin users against LDAP
so does anyone know where our configuration problem might exist? We
went through the rlm_ldap doc and implemented all of the LDAP
configuration options it suggested. Please advise.

Thanks,
Pat McShane - ICDC.COM

OUTPUT FROM RADTEST

[EMAIL PROTECTED] root]# radtest [EMAIL PROTECTED] ziggy localhost 0 testing123
Sending Access-Request of id 237 to 127.0.0.1:1812
User-Name = [EMAIL PROTECTED]
User-Password = [EMAIL PROTECTED]:\332c_\341z\036\n\004rhS
NAS-IP-Address = ziggy.icdc.com
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=237,
length=20
[EMAIL PROTECTED] root]# 


OUTPUT FROM RADIUSD
===
rad_recv: Access-Request packet from host 127.0.0.1:32781, id=237,
length=64
User-Name = [EMAIL PROTECTED]
User-Password = ziggy
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module chap returns noop
rlm_realm: Looking up realm icdc.com for User-Name = [EMAIL PROTECTED]
rlm_realm: Found realm icdc.com
rlm_realm: Adding Stripped-User-Name = pem
  rlm_realm: Proxying request from user pem to realm icdc.com
rlm_realm: Adding Realm = icdc.com
rlm_realm:  Authentication realm is LOCAL.
rlm_realm:  auth_port is not set.  proxy cancelled
  modcall[authorize]: module suffix returns noop
users: Matched DEFAULT at 152
  modcall[authorize]: module files returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for pem
radius_xlat:  '(uid=pem)'
radius_xlat:  'o=icdc.com'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ns6.icdc.com:389, authentication 0
rlm_ldap: bind as / to ns6.icdc.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in o=icdc.com, with filter (uid=pem)
rlm_ldap: checking if remote access for pem is allowed by dialuptemplate
rlm_ldap: Added password ziggy in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding unixpassword as Password, value ziggy  op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user pem authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type System
auth: type System
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 237 to 127.0.0.1:32781
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 237 with timestamp 3e6ba8c3
Nothing to do.  Sleeping until we see a request.




Re: Using LDAP with v0.81

2003-03-09 Thread freeradius mailing list
You probably want Auth-Type LDAP.

Something like below in radiusd.conf:

# Requests whose Auth-Type is LDAP are handed to the ldap module
authenticate {
        authtype LDAP {
                ldap
        }
}










-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Using LDAP with v0.81

2003-03-09 Thread Alan DeKok
Patrick McShane [EMAIL PROTECTED] wrote:
> I was testing v0.81 against our existing LDAP DB and the searches worked
> fine. The LDAP module seemed to authenticate the LDAP user but then
> somewhere along the line, Auth-Type System failed to validate the
> user. We only want to validate/authenticate dialin users against LDAP
> so does anyone know where our configuration problem might exist?

  The 'users' file comes configured to do 'Auth-Type System'.

  You did 'grep' for those key words in the configuration file, didn't
you?

  Alan DeKok.
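
Added example (not part of the original thread and not FreeRADIUS code): a small Python check over the radiusd debug output posted above that reports when the ldap module authorizes a user but the request is then handled under a different Auth-Type. The function name analyze and the SAMPLE text (constructed from lines in the original post) are assumptions of this example.

```python
import re

# Constructed sample: a subset of the debug lines posted in this thread.
SAMPLE = """\
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module chap returns noop
  modcall[authorize]: module suffix returns noop
users: Matched DEFAULT at 152
  modcall[authorize]: module files returns ok
rlm_ldap: user pem authorized to use remote access
  modcall[authorize]: module ldap returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type System
auth: type System
auth: Failed to validate the user.
"""

MODULE_RE = re.compile(r"modcall\[authorize\]: module (\S+) returns (\S+)")
USERS_RE = re.compile(r"users: Matched (\S+) at (\d+)")
AUTHTYPE_RE = re.compile(r"rad_check_password:\s+Found Auth-Type (\S+)")

def analyze(debug_text):
    """Summarise one request and list findings about the Auth-Type chosen."""
    modules, users_match, auth_type, failed = {}, None, None, False
    for line in debug_text.splitlines():
        line = line.strip()
        if m := MODULE_RE.search(line):
            modules[m.group(1)] = m.group(2)      # module name -> return code
        elif m := USERS_RE.search(line):
            users_match = (m.group(1), int(m.group(2)))
        elif m := AUTHTYPE_RE.search(line):
            auth_type = m.group(1)
        elif line.startswith("auth: Failed to validate"):
            failed = True
    findings = []
    # ldap said "ok" during authorize, yet another Auth-Type handles the password
    if modules.get("ldap") == "ok" and auth_type and auth_type.upper() != "LDAP":
        msg = f"ldap authorized the user but Auth-Type is {auth_type}"
        if users_match:
            msg += f" (users file matched {users_match[0]} at {users_match[1]})"
        findings.append(msg)
    if failed:
        findings.append(f"authentication failed under Auth-Type {auth_type}")
    return {"modules": modules, "auth_type": auth_type, "findings": findings}

if __name__ == "__main__":
    for finding in analyze(SAMPLE)["findings"]:
        print(finding)
```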
