Re: LDAP, old TCP connections, and retry

2010-03-14 Thread Justin Steward
Please ignore previous email. Employer has decided best course of
action is to pass on as much info as possible, and let client fix
firewall.

On Mon, Mar 15, 2010 at 12:06 PM, Justin Steward  wrote:
> On Wed, Mar 10, 2010 at 6:34 PM, Alan DeKok  wrote:
>>  Change the source code in rlm_ldap.
>>
>
> Unfortunately, the source code is far beyond my abilities to modify.
> Does the freeradius / rlm_ldap module send keepalives, and if not,
> would it be possible for someone to provide a simple patch that would
> enable keepalives?
>
> Many Thanks,
> Justin Steward
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP, old TCP connections, and retry

2010-03-14 Thread Justin Steward
On Wed, Mar 10, 2010 at 6:34 PM, Alan DeKok  wrote:
>  Change the source code in rlm_ldap.
>

Unfortunately, the source code is far beyond my abilities to modify.
Does the freeradius / rlm_ldap module send keepalives, and if not,
would it be possible for someone to provide a simple patch that would
enable keepalives?

Many Thanks,
Justin Steward



Re: LDAP, old TCP connections, and retry

2010-03-10 Thread Justin Steward
Hi Alan,

>
>  I fail to understand why people do this.  Firewall two critical
> components, and then *increase* failure by having the FW break TCP
> connections.
>

Unfortunately I don't get to decide what the network looks like, I
just have to find a way to work with what I'm given.

>> How can I force an idle timeout on LDAP connections in FR?
>
>  Change the source code in rlm_ldap.

I was hoping you wouldn't say that. Although I was more or less expecting it.

>
>> Question 2:
>> From the information I have been given, it appears that if the
>> connection times out, LDAP does not attempt to retry.
>>
>> Is there a way to force FR to make 1 or 2 attempts at retrying the
>> connection before giving up on LDAP?
>
>  Change the source code.
>
>> The current situation is causing many headaches trying to log in, and
>> the client is reluctant to relax their firewall for a number of
>> reasons.
>
>    They chose to destroy their own network.  I'm not surprised
> they're hesitant to fix it.
I think the main problem is their firewall vendor thinks that's the
right way to do it.

Anyway, thanks for your response. I'll see what I can do with the source.

Kind Regards,
Justin Steward



LDAP, old TCP connections, and retry

2010-03-09 Thread Justin Steward
Hi Guys,

A few quick questions on tweaking rlm_ldap for freeradius.

Question 1:
The LDAP server which the radius server attempts to connect to is
located behind a firewall which kills TCP connections that have been
idle for 30 minutes. FR then tries to do a lookup using a connection
that has been open and idle for half an hour or more, and the firewall
drops the now invalid connection.

How can I force an idle timeout on LDAP connections in FR?

Question 2:
From the information I have been given, it appears that if the
connection times out, LDAP does not attempt to retry.

Is there a way to force FR to make 1 or 2 attempts at retrying the
connection before giving up on LDAP?

The current situation is causing many headaches trying to log in, and
the client is reluctant to relax their firewall for a number of
reasons.

Many Thanks,
Justin Steward
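Alan's answer upthread is that both behaviours asked for here, an idle cutoff on the LDAP connection and a retry after a failed lookup, live in rlm_ldap's source. As an added illustration, not code from FreeRADIUS or rlm_ldap, the following Python shows the two mechanisms as generic client-side logic: a wrapper that recycles a directory connection once it has sat idle longer than a cutoff chosen below the firewall's 30 minutes, and a bounded retry on a fresh connection when a lookup fails anyway; the `enable_tcp_keepalive` helper covers the keepalive question for a raw socket. The directory, its connection object, the base DN `ou=Primary,dc=example,dc=com`, the filter `(uid=jdoe)` and the timings are constructed stand-ins, and `scenario()` replays the thread's situation against them.

```python
import socket
import time


def enable_tcp_keepalive(sock, idle=600, interval=60, count=3):
    """Kernel keepalive probes for an idle TCP socket (Linux option names; skipped elsewhere)."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    for name, value in (("TCP_KEEPIDLE", idle), ("TCP_KEEPINTVL", interval), ("TCP_KEEPCNT", count)):
        if hasattr(socket, name):
            sock.setsockopt(socket.IPPROTO_TCP, getattr(socket, name), value)


class IdleAwareConnection:
    """Hold one directory connection; reopen it before use once it has been idle
    for max_idle seconds, and retry a failed operation on a fresh connection."""

    def __init__(self, connect, max_idle, retries=1, clock=time.monotonic):
        self._connect = connect      # factory returning an object with .search() and .close()
        self._max_idle = max_idle    # keep this below the firewall's idle cutoff
        self._retries = retries      # extra attempts after the first failure
        self._clock = clock          # injectable so the demo can fast-forward time
        self._conn, self._last_used = None, None
        self.opens = 0               # connections opened, first one included
        self.retries_used = 0        # operations repeated after a ConnectionError

    def _discard(self):
        if self._conn is not None:
            self._conn.close()
            self._conn = None

    def _current(self):
        if self._conn is None or self._clock() - self._last_used >= self._max_idle:
            self._discard()
            self._conn, self._last_used = self._connect(), self._clock()
            self.opens += 1
        return self._conn

    def search(self, base, ldap_filter):
        last_error = None
        for attempt in range(1 + self._retries):
            try:
                result = self._current().search(base, ldap_filter)
                self._last_used = self._clock()
                return result
            except ConnectionError as exc:
                last_error = exc
                self._discard()      # never reuse a socket the firewall has already killed
                if attempt < self._retries:
                    self.retries_used += 1
        raise last_error


class FakeFirewalledDirectory:
    """Constructed stand-in for an LDAP server behind a firewall that drops TCP
    connections idle for longer than firewall_idle seconds."""

    def __init__(self, clock, firewall_idle=1800):
        self.clock, self.firewall_idle = clock, firewall_idle

    def connect(self):
        return _FakeConnection(self)


class _FakeConnection:
    def __init__(self, directory):
        self._d, self._last = directory, directory.clock()

    def search(self, base, ldap_filter):
        now = self._d.clock()
        if now - self._last > self._d.firewall_idle:
            raise ConnectionError("connection reset by firewall")
        self._last = now
        return [("uid=jdoe," + base, {"uid": ["jdoe"]})]   # constructed entry

    def close(self):
        self._last = float("-inf")   # any later use fails, like a closed socket


def scenario():
    """Replay the thread: 30-minute firewall cutoff, lookups far apart. Returns counters."""
    now = [0.0]
    clock = lambda: now[0]
    directory = FakeFirewalledDirectory(clock, firewall_idle=1800)
    base, flt = "ou=Primary,dc=example,dc=com", "(uid=jdoe)"   # constructed values
    naive = directory.connect()                # 1. one long-lived connection, never recycled
    naive.search(base, flt)
    now[0] += 3600
    try:
        naive.search(base, flt)
        naive_failed = False
    except ConnectionError:
        naive_failed = True
    proactive = IdleAwareConnection(directory.connect, max_idle=1500, clock=clock)  # 2. cutoff below firewall's
    proactive.search(base, flt)
    now[0] += 3600
    proactive_result = proactive.search(base, flt)
    guessed = IdleAwareConnection(directory.connect, max_idle=2400, clock=clock)    # 3. cutoff guessed too high
    guessed.search(base, flt)
    now[0] += 2000
    guessed_result = guessed.search(base, flt)
    return {"naive_failed": naive_failed,
            "proactive": (proactive.opens, proactive.retries_used, len(proactive_result)),
            "guessed": (guessed.opens, guessed.retries_used, len(guessed_result))}
```

The two cutoffs do different jobs: the proactive recycle means a query is never sent on a socket the firewall has already silently dropped, which is where the failed logins come from, while the retry covers the case where the estimate of the firewall's timeout is wrong. Keepalive probes are a third option, but they only help if the firewall counts them as traffic that resets its idle timer.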


Re: Configuration of FreeRADIUS on Ubuntu/Debian with OPEN-LDAP Authentication

2009-09-28 Thread Justin Steward
On Tue, Sep 29, 2009 at 12:45 AM, Ryaz Khan  wrote:
> I googled it lot but did not come to any comprehensive solution.

You'll probably learn this the hard way anyway, but don't try to
google for freeradius. Most of those hits will be outdated, even if it
is on the topic you're searching for.

1) Search the docs installed with freerad.
2) Search the freerad website/wiki.
3) This mailing list.

~Justin


Re: LDAP/AD and multiple OU's

2009-09-15 Thread Justin Steward
On Tue, Sep 15, 2009 at 11:00 PM, Danner, Mearl  wrote:
> The default LDAP search in freeradius is sub (search all subcontainers from 
> supplied root DN).
>
Many thanks.

> As to using UID:
>
> You'll need to search sAMAccountName in AD to ensure that the name is unique.
>
> I don't believe that uid has guaranteed uniqueness. Evidently your 
> implementation does not have unique uids.
>
> http://msdn.microsoft.com/en-us/library/ms680508%28VS.85%29.aspx
>
> Note that it's not single-valued. Whereas:
>
> http://msdn.microsoft.com/en-us/library/ms679635%28VS.85%29.aspx 
> sAMAccountName is. Also it's indexed. Searches will be faster.

Ah, great. Thank you. Will test that out tomorrow.


Thanks,

Justin


Re: LDAP/AD and multiple OU's

2009-09-15 Thread Justin Steward
>
>
> That's not a good way. It will work only for pap requests.
>
> http://deployingradius.com/documents/configuration/active_directory.html
>
>
Good way or not, it's the only viable option for what I need to achieve, so
any help on what I asked for would be much appreciated.


Many Thanks,
Justin

Re: EAP-FAST and GTC

2009-09-14 Thread Justin Steward
On Tue, Sep 15, 2009 at 9:51 AM, Matthew Benjamin wrote:

>
>
> No, every time I go to the website it tells me about database errors.
> Is there something wrong with the Freeradius wiki?
>
>
Just refresh the page a few times, and it'll sort itself out. I'm guessing
it's under a fairly heavy load or something at the moment.

~Justin

Re: Password Policies?

2009-09-14 Thread Justin Steward
On Tue, Sep 15, 2009 at 8:31 AM, Alan DeKok wrote:

>   Then it has to go into a Reply-Message attribute.
>
>  Unless you're doing EAP.  In which case you have to extend the EAP
> authentication method to handle sending messages inside of EAP.
>

http://wiki.freeradius.org/Radiusd.conf
has a short section discussing the "Expiration module" (which didn't seem to
exist in my config).
Copied that into my config, set up a user with an "Expiration" attribute of
last month, and voila:

rad_recv: Access-Reject packet from host xxx.xxx.xxx.xxx port 1812, id=31,
length=44
Reply-Message = "Password Has Expired\r\n"

Thanks guys, now to get the front end co-operating.

~Justin
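The Access-Reject shown above carries its text in a Reply-Message attribute (RFC 2865 attribute type 18), and the length=44 in the radiusd output is exactly the 20-byte RADIUS header plus a 24-byte attribute (2-byte type/length header plus the 22-byte string). The following is an added example, not code from the thread or from FreeRADIUS, that builds such a reply, computes the Response Authenticator over the request's authenticator and the shared secret, and verifies it on the receiving side before decoding. The shared secret `testing123`, the identifier 31 and the request authenticator are constructed values; a real NAS would check against the authenticator of its own Access-Request. As Alan notes above, a Reply-Message delivered this way only reaches the user outside EAP; inside EAP the message would have to travel within the EAP method.

```python
import hashlib
import hmac
import struct

ACCESS_REJECT = 3      # RFC 2865 packet code
REPLY_MESSAGE = 18     # RFC 2865 attribute type for Reply-Message


def encode_attribute(attr_type, value):
    """RFC 2865 attribute: Type (1), Length (1, covers the header too), Value (1..253 bytes)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_reject(identifier, request_authenticator, secret, message):
    """Build an Access-Reject carrying one Reply-Message, bound to the given request."""
    attrs = encode_attribute(REPLY_MESSAGE, message.encode("utf-8"))
    header = struct.pack("!BBH", ACCESS_REJECT, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_authenticator = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_authenticator + attrs


def parse_attributes(payload):
    """Walk the TLV list; reject truncated or overlong lengths instead of guessing."""
    attributes, i = [], 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("attribute length runs past the packet")
        attributes.append((attr_type, payload[i + 2:i + length]))
        i += length
    return attributes


def verify_response(packet, request_authenticator, secret):
    """Check the Response Authenticator before trusting any attribute, then decode."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match the datagram size")
    received, attrs = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(received, expected):
        raise ValueError("Response Authenticator mismatch (wrong secret, or altered/forged reply)")
    return {"code": code, "id": identifier, "length": length, "attributes": parse_attributes(attrs)}


def response_is_authentic(packet, request_authenticator, secret):
    """True only if the reply verifies against this request and secret."""
    try:
        verify_response(packet, request_authenticator, secret)
        return True
    except ValueError:
        return False


def demo():
    """Reproduce the reply from the thread: id=31, length=44, Reply-Message 'Password Has Expired\\r\\n'."""
    secret = b"testing123"                      # constructed shared secret
    request_authenticator = bytes(range(16))    # constructed stand-in for the Access-Request authenticator
    packet = build_access_reject(31, request_authenticator, secret, "Password Has Expired\r\n")
    return packet, verify_response(packet, request_authenticator, secret)
```

The order in `verify_response` is the point for a client: the Length field is checked against the datagram and the Response Authenticator against the request and secret before any attribute, Reply-Message included, is parsed or shown to a user, so a reply that was not produced by the server holding the secret is dropped rather than displayed.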

LDAP/AD and multiple OU's

2009-09-14 Thread Justin Steward
Hi guys,

A couple of quick questions just to make sure I don't end up chasing my own
tail.

Need to authenticate by doing a basic bind against an AD server. All users
are contained in separate OUs below a primary OU.

The relevant LDAP lines from radiusd -X are (with identifiable information
removed):
rlm_ldap: bind as Cn=lookupuser,OU=Primary, ou=../password123 to
.:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=Primary,ou=., with filter
(uid=username)
rlm_ldap: object not found or got ambiguous search result

Now, I know the user is actually contained in ou=2015,ou=Primary,ou=.
and there are others contained in 2016,2017,2018, etc.

1) Does freeRadius automatically search each of these sub containers, or do
I have to tell it to somehow?
2) Does AD even store usernames in UID? (loln00b question. But I have no
experience with AD, so far I haven't had an AD box to play with, and this
one is more or less out of my control, I can only talk to it over LDAP.)

Many Thanks,
Justin

Re: Password Policies?

2009-09-14 Thread Justin Steward
On Mon, Sep 14, 2009 at 6:25 PM, Ivan Kalik  wrote:

>
> Yes. The only problem is that most supplicants will ignore this message
> and never display it to the user.
>
>
That's not a problem as I'll be extending the client application to add in
the password policy mechanisms, I can force it to behave however I want
(almost). How would I go about configuring radius to send an expired
message? Ideally the message would form part of an access-reject statement.

Many Thanks,
Justin

Password Policies?

2009-09-13 Thread Justin Steward
Hi guys,

Having just come from a meeting, I've not actually had a chance to do any
research myself, and hoped to lean on the community a little.

A concern was put forward regarding password policies for policies stored in
a radius server. Now, policies like "Must be 8 characters" and "must have 2
numbers" can be handled easily enough in form processing on some sort of
front end, however, is it possible to have a radius password expire after a set
period of time, and then send back a specific message saying that the
password has expired? (ie one month?)


Many Thanks,
Justin Steward

Re: Multiple AD's and domains?

2009-07-22 Thread Justin Steward
On Wed, Jul 22, 2009 at 10:15 PM, Alan DeKok wrote:

> Justin Steward wrote:
> > And with regard to my other question, can I just use plain ol' LDAP to
> > authenticate? A successful LDAP Bind is all I need for our purposes.
>
>   That will work for PAP.
>
>
Ok, thanks for confirmation.


Kind Regards,
Justin Steward

Re: Multiple AD's and domains?

2009-07-21 Thread Justin Steward
On Wed, Jul 22, 2009 at 11:22 AM, Alan DeKok wrote:

>  However... they all need to be part of the same AD forest / whatever.
>  You CANNOT authenticate to two completely independent AD systems.  This
> is a fundamental limitation of AD.
>
>
That's more or less what I was expecting. That is what I need to do,
however. I suppose in that case I would need my radius server to proxy to
other radius servers for each domain.

And with regard to my other question, can I just use plain ol' LDAP to
authenticate? A successful LDAP Bind is all I need for our purposes.



~Justin

Multiple AD's and domains?

2009-07-21 Thread Justin Steward
Hi Guys,

I have an upcoming project where the setup is going to be something along
the following:

Client logs in using their username/password for domain
FreeRadius authenticates the user against the AD server for that domain
There will be clients using the service from MULTIPLE different AD domains
with multiple different AD servers.
The freeRadius version will be built from the latest stable source.

Now, the stock standard way of authenticating against AD is using samba,
joining the domain, and using NTLM Auth. Since I have multiple AD domains,
how would this best be handled?

I know that PHP is capable of using LDAP to authenticate against an AD
server. Can freeRadius also do this? How, or why not?


Thanks,
~Justin

Re: LDAP with fallback on local authentication?

2009-04-13 Thread Justin Steward
On Mon, Apr 13, 2009 at 4:48 AM, Ivan Kalik  wrote:

>> You've mentioned a few times that LDAP is not meant for
>> authentication, however the default config that ships with FreeRADIUS has
>> LDAP in the authentication section. Could you clear that up a little for me
>> please? (or point me to somewhere it's been cleared up before?)
>
>  Don't force Auth-Type Ldap.
>
> But you will have to use two sql instances - one to store reply info and
> one to store backup passwords. You can't store passwords in sql (used for
> reply attributes) and ldap as well.
> authorize {
> ...
> sql_reply
> ldap
> if (notfound | fail) {
> sql_bkp_pass
> }
> ...
> }
>
>

Works perfectly. Exactly what I was after. Thanks Ivan.

Regards,
Justin

Re: LDAP with fallback on local authentication?

2009-04-12 Thread Justin Steward
>
>  Don't force Auth-Type Ldap.
>
> But you will have to use two sql instances - one to store reply info and
> one to store backup passwords. You can't store passwords in sql (used for
> reply attributes) and ldap as well.
> authorize {
> ...
> sql_reply
> ldap
> if (notfound | fail) {
> sql_bkp_pass
> }
> ...
> }
>
>

Ah, thank you very much. I think I understand now. Will experiment with that
when I get back to work on Tuesday.


Many thanks,
Justin Steward

Re: LDAP with fallback on local authentication?

2009-04-10 Thread Justin Steward
On Fri, Apr 10, 2009 at 11:51 PM, Alan DeKok wrote:

> Justin Steward wrote:
> > I want to return some radius reply attributes from an SQL database,
> > check the user's password against an openLDAP server
>
>  As I said... LDAP isn't an authentication protocol.
>
> > (maybe a Windows
> > Server running AD at some point in the future), and if possible fall
> > back against a password stored in a MySQL database. (Though this
> > password may not always be entirely up to date, so it's only for if the
> > user either doesn't exist in the directory or the LDAP server is
> > temporarily unavailable)
>
>   Why not let FreeRADIUS do authentication, as I suggested?  Have the
> LDAP module pull the password from LDAP.  Then, do MySQL.
>
> authorize {
>...
>ldap
>if (notfound | fail) {
>sql
>}
>...
> }
>
>  That does *exactly* what you suggested above.  But the last time I
> suggested that solution, you said you *also* wanted to get reply
> attributes from MySQL... apparently, even for the users that were found
> in LDAP.
>
>  So which is it?
>

My apologies, I tend to let things slip when I send emails late at night.
Yes, I need to also send reply attributes from a MySQL database. The reason
for this is that the LDAP server is somewhat out of my control. I can't
store values for attributes there. Again, apologies for being unclear.


You've mentioned a few times that LDAP is not meant for authentication,
however the default config that ships with FreeRADIUS has LDAP in the
authentication section. Could you clear that up a little for me please? (or
point me to somewhere it's been cleared up before?)

~Justin

Re: LDAP with fallback on local authentication?

2009-04-10 Thread Justin Steward
On Fri, Apr 10, 2009 at 7:32 PM, Alan DeKok wrote:

> Justin Steward wrote:
> > Thanks for the reply. Since SQL modules can't go in authenticate, this
> > would have to be in authorize, yes? How then, would I get the reply
> > attributes out of the SQL database? Or am I misunderstanding something?
>
>   Maybe you could describe exactly what you want to do.
>

I want to return some radius reply attributes from an SQL database, check
the user's password against an openLDAP server (maybe a Windows Server
running AD at some point in the future), and if possible fall back against a
password stored in a MySQL database. (Though this password may not always be
entirely up to date, so it's only for if the user either doesn't exist in
the directory or the LDAP server is temporarily unavailable)

~Justin

Re: LDAP with fallback on local authentication?

2009-04-09 Thread Justin Steward
On Thu, Apr 9, 2009 at 10:27 PM, Alan DeKok wrote:

>
> $ man unlang
>
>...
>ldap
>if (fail) {
>sql
>}
>...
>


Hi Alan,

Thanks for the reply. Since SQL modules can't go in authenticate, this would
have to be in authorize, yes? How then, would I get the reply attributes out
of the SQL database? Or am I misunderstanding something?

I currently have sql in authorize, the users have Auth-Type = LDAP, and ldap
is in the authenticate section. This is authenticating users against LDAP,
and getting the reply attributes from the SQL database.


Thanks,
Justin

LDAP with fallback on local authentication?

2009-04-08 Thread Justin Steward
Hi guys,

I'm sure these are questions that have been asked a thousand times, but
can't for the life of me find the answers I'm looking for.

My first problem is this: I want to store reply attributes for my users in a
MySQL database, however I want them to authenticate against an LDAP server.
No problem, I sort of have this working. Except the reply attributes get
sent even on an Access-Reject packet. This seems undesirable to me.

My second problem is this: The LDAP server isn't necessarily in the same
building as the radius server. I want users to be able to fall back on
locally stored passwords in the MySQL database should the LDAP server be
down for some reason. I'd thought that setting Fall-Through=yes and having a
DEFAULT Auth-Type = local would have done this, but no dice. Any
suggestions?

Regards,
Justin