Re: autostart script for FreeRADIUS
On 31/3/09 02:46, "Tseveendorj" wrote: > John Hawkes-Reed wrote: [ ... ] > Hi John > > Thank you for trying to help me. > > It has but I didn't know this is exactly right. Something looks like > following > > > inside /usr/local/etc/rc.d/mysql-server > > # PROVIDE: mysql > # REQUIRE: LOGIN > # KEYWORD: shutdown > > > inside /usr/local/etc/rc.d/radiusd > > # PROVIDE: radiusd > # REQUIRE: NETWORKING SERVERS mysql > # KEYWORD: shutdown > > In my opinion the MySQL starts after LOGIN process then radiusd is > starting when the mysql started. > > But it doesn't. Hm. Bother. >From 'man 8 rc': Certain scripts may want to provide enhanced functionality. The user may access this functionality through additional commands. The script may list and define as many commands at it needs. #!/bin/sh # # PROVIDE: foo # REQUIRE: bar_service_required_to_precede_foo # BEFORE: baz_service_requiring_foo_to_precede_it So I guess try a 'BEFORE: radiusd' in the mysql rc file. After that, I'd be debugging the script start order by hand. [ ... ] -- John Hawkes-Reed Systems Administrator. Future Publishing. x 2526 -- Future Publishing Limited (registered company number 2008885) and Future Publishing (Overseas) Limited (registered company number 06202940) are wholly owned subsidiaries of Future plc (registered company number 3757874). Future Publishing Limited, Future Publishing (Overseas) Limited and Future plc are all incorporated in England and Wales and share the same registered address at Beauford Court, 30 Monmouth Street, Bath BA1 2BW. This email and any files transmitted with it are confidential. If you have received this email in error please notify the sender and then delete it immediately. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Future. The recipient should check this email and any attachments for the presence of viruses. Future accepts no liability for any damage caused by any virus transmitted by this email. Future may regularly and randomly monitor outgoing and incoming emails (including the content of them) and other telecommunications on its email and telecommunications systems. By replying to this email you give your consent to such monitoring. * Save resources: think before you print. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: autostart script for FreeRADIUS
On 30/3/09 13:42, "Luciano Afranllie" wrote: > On Mon, Mar 30, 2009 at 6:53 AM, Tseveendorj wrote: >> Doug Hardie wrote: >>> >>> On Mar 29, 2009, at 20:10, Tseveendorj wrote: >>> >>>> May be I got the problem why radiusd didn't come up. [ ... ] >>>> In my config FreeRADIUS must work with MySQL but from the log freeradius >>>> couldn't connect to mysql server. >>>> I thought that is problem. isn't it ? >>> >>> >>> There lies the problem. It would appear that MySQL is not running when >>> FreeRADIUS starts. Check through the messages log to seen what the startup >>> order is. I suspect its backwards. > > Check your /etc/rcx.d where x is your default runlevel. mysql should > have a lower S number than freeRadius. That would be true for a Linux/SysV startup. The rc script for FreeRadius under FreeBSD should contain the following header: # # PROVIDE: radiusd # REQUIRE: NETWORKING SERVERS nmbd winbindd # KEYWORD: shutdown # # Add the following lines to /etc/rc.conf to enable radiusd: # # radiusd_enable="YES" There should be something similar for the MySQL startup. Take a note of the entry in the MySQL PROVIDE: line and append that to the radiusd REQUIRE: line. That should ensure that the MySQL server is started before FreeRadius. -- John Hawkes-Reed Systems Administrator. Future Publishing. x 2526 -- Future Publishing Limited (registered company number 2008885) and Future Publishing (Overseas) Limited (registered company number 06202940) are wholly owned subsidiaries of Future plc (registered company number 3757874). Future Publishing Limited, Future Publishing (Overseas) Limited and Future plc are all incorporated in England and Wales and share the same registered address at Beauford Court, 30 Monmouth Street, Bath BA1 2BW. This email and any files transmitted with it are confidential. If you have received this email in error please notify the sender and then delete it immediately. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Future. The recipient should check this email and any attachments for the presence of viruses. Future accepts no liability for any damage caused by any virus transmitted by this email. Future may regularly and randomly monitor outgoing and incoming emails (including the content of them) and other telecommunications on its email and telecommunications systems. By replying to this email you give your consent to such monitoring. * Save resources: think before you print. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP2 Failure
On 17/3/09 17:05, "Mike Diggins" wrote: > > > On Tue, 17 Mar 2009, a.l.m.bu...@lboro.ac.uk wrote: > >> Hi, >> >>> I've made no progress in finding a solution to my MSCHAP problem. To >>> summarize, Winbind and FreeRadius authenticate via PAP fine on both [ ... ] >> /etc/krb5.conf ? > > I didn't change the configuration on this file on either system, and both > are identical. System time? Clock skew will stop Kerberos in its tracks. -- John Hawkes-Reed Systems Administrator. Future Publishing. x 2526 -- Future Publishing Limited (registered company number 2008885) and Future Publishing (Overseas) Limited (registered company number 06202940) are wholly owned subsidiaries of Future plc (registered company number 3757874). Future Publishing Limited, Future Publishing (Overseas) Limited and Future plc are all incorporated in England and Wales and share the same registered address at Beauford Court, 30 Monmouth Street, Bath BA1 2BW. This email and any files transmitted with it are confidential. If you have received this email in error please notify the sender and then delete it immediately. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Future. The recipient should check this email and any attachments for the presence of viruses. Future accepts no liability for any damage caused by any virus transmitted by this email. Future may regularly and randomly monitor outgoing and incoming emails (including the content of them) and other telecommunications on its email and telecommunications systems. By replying to this email you give your consent to such monitoring. * Save resources: think before you print. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Ldap-UserDn character set problem?
On 21/10/08 14:10, "John Hawkes-Reed" <[EMAIL PROTECTED]> wrote: > Hello. > > I'm attempting to bring up a FreeRadius-2.1.1 rig that auths against AD. > NTLM authentication seems to work well, but LDAP authorisation appears to > hit a problem when extracting the DN: [ Debug output ] > I can find a similar bug mentioned in the archives, but that appeared to be > an older version of the code. > > Hopefully that's enough debug to enable someone to point me in the right > direction. (Other than 'Don't use AD then...') Hm. Adding '(&(objectClass=Group)(member=%{check:Ldap-UserDn}))' to the group membership filter in the LDAP module appears to fix the problem. Sorry for the noise. (And the disclaimer. Ugh.) -- John Hawkes-Reed Systems Administrator. Future Publishing. x 2526 -- Future Publishing Limited (registered company number 2008885) is a wholly owned subsidiary of Future plc (registered company number 3757874), both of which are incorporated in England and Wales and share the same registered address at Beauford Court, 30 Monmouth Street, Bath BA1 2BW. This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to which they are addressed. If you have received this email in error please reply to this email and then delete it. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Future. The recipient should check this email and any attachments for the presence of viruses. Future accepts no liability for any damage caused by any virus transmitted by this email. Future may regularly and randomly monitor outgoing and incoming emails and other telecommunications on its email and telecommunications systems. By replying to this email you give your consent to such monitoring. * Save resources: think before you print. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ldap-UserDn character set problem?
Hello. I'm attempting to bring up a FreeRadius-2.1.1 rig that auths against AD. NTLM authentication seems to work well, but LDAP authorisation appears to hit a problem when extracting the DN: rlm_ldap: Entering ldap_groupcmp() [files] expand: ou=staff,dc=uk,dc=mydomain,dc=com -> ou=staff,dc=uk,dc=mydomain,dc=com [files] expand: (sAMAccountName=%{mschap:User-Name}) -> (sAMAccountName=jhreed) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=staff,dc=uk,dc=mydomain,dc=com, with filter (sAMAccountName=jhreed) rlm_ldap: ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{check:Ldap-UserDn}))(&(objectClass=G roupOfUniqueNames)(uniquemember=%{check:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dJohn Hawkes-Reed\2cOU\3dIT\2cOU\3dStaff\2cDC\3duk\2cDC\3dmydomain\2cDC\3dcom))(&( objectClass=GroupOfUniqueNames)(uniquemember=CN\3dJohn Hawkes-Reed\2cOU\3dIT\2cOU\3dStaff\2cDC\3duk\2cDC\3dmydomain\2cDC\3dcom))) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in cn=vpn-users,ou=Security Groups,ou=Groups,dc=uk,dc=mydomain,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=CN\3dJohn Hawkes-Reed\2cOU\3dIT\2cOU\3dStaff\2cDC\3duk\2cDC\3dmydomain\2cDC\3dcom))(&( objectClass=GroupOfUniqueNames)(uniquemember=CN\3dJohn Hawkes-Reed\2cOU\3dIT\2cOU\3dStaff\2cDC\3duk\2cDC\3dmydomain\2cDC\3dcom))) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Group cn=vpn-users,ou=Security Groups,ou=Groups,dc=uk,dc=mydomain,dc=com not found or user is not a member. Running ldapsearch against AD shows the following: # vpn-users, Security Groups, Groups, uk.mydomain.com dn: CN=vpn-users,OU=Security Groups,OU=Groups,DC=uk,DC=mydomain,DC= com objectClass: top objectClass: group cn: vpn-users member: CN=John Hawkes-Reed,OU=IT,OU=Staff,DC=uk,DC=mydomain,DC=com distinguishedName: CN=vpn-users,OU=Security Groups,OU=Groups,DC=uk,DC=mydomain,DC=com I can find a similar bug mentioned in the archives, but that appeared to be an older version of the code. Hopefully that's enough debug to enable someone to point me in the right direction. (Other than 'Don't use AD then...') -- John Hawkes-Reed -- Future Publishing Limited (registered company number 2008885) is a wholly owned subsidiary of Future plc (registered company number 3757874), both of which are incorporated in England and Wales and share the same registered address at Beauford Court, 30 Monmouth Street, Bath BA1 2BW. This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to which they are addressed. If you have received this email in error please reply to this email and then delete it. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Future. The recipient should check this email and any attachments for the presence of viruses. Future accepts no liability for any damage caused by any virus transmitted by this email. Future may regularly and randomly monitor outgoing and incoming emails and other telecommunications on its email and telecommunications systems. By replying to this email you give your consent to such monitoring. * Save resources: think before you print. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html