Re: ldap redundant w/ ldap-group

2005-06-27 Thread Jan-Piet Mens
Dustin, 

thank you very much for this! It works like a charm, even though it is
quite ugly...

-JP



On Fri Dec 10 2004 at 20:58:59 CET, Dustin Doris wrote:

...
> However, when I am using redundant, I cannot have this redundancy for
> Ldap-Group lookups.  It appears that for Ldap-Group lookups, only the last
> ldap instance that I create (ldap2) is actually used for Ldap-Group
> lookups.  If I take down ldap1, I can still authenticate.  I get the
> redundancy of ldap2 for autz and auth.  However, if I put ldap1 back up
> and take down ldap2, I get a failure because I cannot lookup the
> Ldap-Group, so it falls through to the reject statement.
>
> So, reading through configurable failover, I tried instantiating both
> ldap1 and ldap2.  This was neat, because I could specify ldap1-Ldap-Group
> or ldap2-Ldap-Group.
...
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


LDAP failover on freeRADIUS 1.0.1

2005-05-12 Thread Jan-Piet Mens
I have two freeRADIUS 1.0.1 servers configured with two LDAP backends
in order to be able to answer RADIUS requests even if one of the
LDAP servers is down. We had a problem the other day, at which time 
the second LDAP server simply froze and the Radius server waited
almost indefinitely (over 3 minutes for each request) until it answered.

With the configuration below, each of the LDAP instances is queried
sequentially, which is not what I want. I see:

rlm_ldap: (re)connect to l2:389, authentication 0
...
rlm_ldap: (re)connect to l1:389, authentication 0
...
rlm_ldap: (re)connect to l1:389, authentication 1
...


What am I doing wrong?

My configuration is 

ldap ldap1 {
    server = l1
    ...
}
ldap ldap2 {
    server = l2
}

instantiate {
    ldap1
    ldap2
}

authorize {
    preprocess
    auth_log
    files
    redundant {
        ldap1 {
            notfound = 1
        }
        ldap2
    }
}

authenticate {
    Auth-Type LDAP {
        redundant {
            ldap1 {
                notfound = 1
            }
            ldap2
        }
    }
}


Thanks & regards,
-JP

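The failure described in this post (a frozen LDAP server holding every request for minutes) is what the ldap module's timeout settings exist for. The fragment below is an added illustration, not configuration from the thread or from the FreeRADIUS project's own files: it keeps the poster's two instances and redundant blocks and adds the timeout, timelimit and net_timeout directives that the 1.x radiusd.conf ldap section provides. The basedn and filter values are placeholders; only the server names l1 and l2 and the notfound = 1 override are taken from the post.

```conf
# Added example, not from the original thread. Server names l1/l2 come from
# the post; basedn and filter are placeholders to be replaced.
ldap ldap1 {
    server = "l1"
    port = 389
    basedn = "dc=example,dc=com"                           # placeholder
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"   # placeholder

    # Seconds to wait for the whole LDAP operation (bind/search) to
    # complete before rlm_ldap gives up and returns fail.
    timeout = 4
    # Time limit handed to the LDAP server for processing the search.
    timelimit = 3
    # Seconds to wait for a network response; covers an unreachable or
    # hung host during connect.
    net_timeout = 1

    ldap_connections_number = 5
}

ldap ldap2 {
    server = "l2"
    port = 389
    basedn = "dc=example,dc=com"                           # placeholder
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"   # placeholder
    timeout = 4
    timelimit = 3
    net_timeout = 1
    ldap_connections_number = 5
}

instantiate {
    ldap1
    ldap2
}

authorize {
    preprocess
    files
    redundant {
        # As in the post: a "notfound" from ldap1 is given the same
        # continue-to-next treatment as a failure, so ldap2 is tried.
        ldap1 {
            notfound = 1
        }
        ldap2
    }
}

authenticate {
    Auth-Type LDAP {
        redundant {
            ldap1 {
                notfound = 1
            }
            ldap2
        }
    }
}
```

Without the three timeout directives, a backend that accepts the TCP connection but never answers blocks the request for as long as the underlying LDAP library is willing to wait; with them, rlm_ldap reports a failure within the configured seconds, which is the signal the redundant block needs to move on to the other instance. The effect is easiest to confirm with radiusd -X while one backend is deliberately unreachable.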


Re: LDAP failover on freeRADIUS 1.0.1

2005-05-12 Thread Jan-Piet Mens
On Thu May 12 2005 at 18:24:09 CEST, Alan DeKok wrote:

> Jan-Piet Mens [EMAIL PROTECTED] wrote:
> > With the configuration below, each of the LDAP instances is queried
> > sequentially, which is not what I want. I see:
>
>   It's what you configured.  If the first one is down, it falls over
> to the second one.  If the second one is down, there's nothing left to
> do but wait for it to come back up.

Well, not quite. In the log output shown in my previous message, both LDAP
servers are healthy and answering queries correctly. Why is freeRadius
querying both the servers, and what must I change to avoid that?

-JP



xlat LDAP woes

2005-04-19 Thread Jan-Piet Mens
I'm using FreeRadius 1.0.1 on Linux RHES3 and would like to return
a dynamically constructed Framed-IP-Address. Unfortunately, I can't
get xlat to work correctly for that.

This works when in a user's LDAP entry:

radiusReplyItem: Reply-Message += JP %{ldap1:ldap:///dc=retail-sc,dc=com?cn?sub?uid=su00-%n};

and correctly returns Reply-Message = JP 1.1.1.1 to the client,
but this doesn't work:

radiusFramedIPAddress: %{ldap1:ldap:///dc=retail-sc,dc=com?cn?sub?uid=su00-%n};

I cannot see why. Any help?

Thanks,
-JP



Re: xlat LDAP woes

2005-04-19 Thread Jan-Piet Mens
On Tue Apr 19 2005 at 18:46:49 CEST, Alan DeKok wrote:

> Jan-Piet Mens [EMAIL PROTECTED] wrote:
> > and correctly returns Reply-Message = JP 1.1.1.1 to the client,
> > but this doesn't work:
> >
> > radiusFramedIPAddress: %{ldap1:ldap:///dc=retail-sc,dc=com?cn?sub?uid=su00-%n};
>
>   The LDAP attribute is supposed to be an IP address, not a string
> that requires more processing before it becomes an IP address.

Would it be possible and can you please give me a hint, perhaps a pointer to
documentation?

-JP



Re: LDAP MySQL

2004-02-28 Thread Jan-Piet Mens
On Sat, 28 Feb 2004, Alan DeKok wrote:

> Jan-Piet Mens [EMAIL PROTECTED] wrote:
> > My `radcheck' MySQL table is empty
>
>   That is most likely the problem.  If nothing in the databases
> matches, then the replies aren't added.
>
>   Add an attribute which will always match to the check table, and you
> should see the reply.

Can you give me a hint on what kind of attribute that could be?

Thanks & regards,
-JP





LDAP MySQL

2004-02-27 Thread Jan-Piet Mens
Hello,

I'm using freeradius-0.9.3 and I'd like to perform authorization
of my users against our LDAP directory, but the reply items
should be retrieved from an SQL database (MySQL).

I've now got

authorize {
    preprocess
    chap
    realmslash
    realmsuffix
    files
    ldap
    sql
}


working, but the sql module wants me to have a Password == attribute
in the SQL table `radcheck', which I'd like to avoid.

Is it possible to do this, and what would I need to change?

Thanks & regards,
-JP




Re: LDAP MySQL

2004-02-27 Thread Jan-Piet Mens
On Fri, 27 Feb 2004, Alan DeKok wrote:

> > the sql module wants me to have a Password == attribute
> > in the SQL table `radcheck', which I'd like to avoid.
>
>   I don't see why.  There's nothing in the module which requires a
> User-Password attribute in the database.
>
>   Would you be willing to post the debug output which leads you to
> that conclusion?

My `users' file holds:

DEFAULT NAS-IP-Address == 10.37.8.1, Realm == NL
        Cisco-AVPair = "ip:dns-servers=37.37.37.1 37.37.37.2",
        Fall-Through = no

I'm hitting the server with
radclient -f /tmp/n hostname auth secret
where /tmp/n contains:
User-Name = nl/su00
User-Password = ts
Service-Type = Framed-User
NAS-IP-Address = 10.37.8.1
NAS-Port-Type = Async

`radclient' reports:
Received response ID 50, code 2, length = 64
Cisco-AVPair = ip:dns-servers=37.37.37.1 37.37.37.2


My `radcheck' MySQL table is empty, and `radreply' holds:

  select * from radreply where realm = 'NL';
+----+----------+-----------------+----+-------+-------+
| id | UserName | Attribute       | op | Value | realm |
+----+----------+-----------------+----+-------+-------+
|  6 | su00     | Session-Timeout | := | 3737  | NL    |
+----+----------+-----------------+----+-------+-------+

[I've added a realm column and adjusted the queries in sql.conf accordingly]

This is the output of radiusd -X:

Listening on IP address 10.0.243.143, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.243.143:50261, id=50, length=65
User-Name = nl/su00
User-Password = ts
Service-Type = Framed-User
NAS-IP-Address = 10.37.8.1
NAS-Port-Type = Async
rad_lowerpair:  User-Name now 'nl/su00'
rad_rmspace_pair:  User-Name now 'nl/su00'
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
rlm_realm: Looking up realm nl for User-Name = nl/su00
rlm_realm: Found realm NL
rlm_realm: Adding Stripped-User-Name = su00
rlm_realm: Proxying request from user su00 to realm NL
rlm_realm: Adding Realm = NL
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module realmslash returns noop for request 0
rlm_realm: Request already proxied.  Ignoring.
  modcall[authorize]: module realmsuffix returns noop for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'dc=retail-sc,dc=com'
radius_xlat:  '(uid=su00)'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to m1.intdus.retail-sc.com m2.intdus.retail-sc.com:389, authentication 0
rlm_ldap: bind as cn=manager,dc=retail-sc,dc=com/fupdoc to m1.intdus.retail-sc.com m2.intdus.retail-sc.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in dc=retail-sc,dc=com, with filter (uid=su00)
ldap_release_conn: Release Id: 0
radius_xlat:  '(&(uid=su00)(objectclass=radiusProfile))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=retail-sc,dc=com, with filter (&(radiusGroupName=disabled)(&(uid=su00)(objectclass=radiusProfile)))
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group disabled not found or user is not a member.
users: Matched DEFAULT at 13
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for su00
radius_xlat:  '(uid=su00)'
radius_xlat:  'dc=retail-sc,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=retail-sc,dc=com, with filter (uid=su00)
rlm_ldap: Added password ts in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user su00 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
radius_xlat:  'su00'
rlm_sql (sql): sql_set_user escaped user -- 'su00'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'su00' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'su00' ORDER BY id
rlm_sql (sql): User su00 not found in radcheck
^^^
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'su00' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query:  SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'su00' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id