Re: AAA
Quoting Alan DeKok [EMAIL PROTECTED]:

> Roger Thomas [EMAIL PROTECTED] wrote:
>
> > My LDAP knowledge is quite shallow and as such I would like to use
> >   - openLDAP only for authentication
> >   - MySQL for authorization and accounting
> > If that is possible, do I *still* need to extend my LDAP schema with
> > ~/doc/examples/openldap.schema ?
>
> I don't think so. If all you're using LDAP for is usernames and passwords,
> that should be in the default schema.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
>
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

I ran radtest and it complained that there is no dialupAccess attribute, so access is denied by default.

-- snippet from debug screen --
...
...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=example,dc=com, with filter ([EMAIL PROTECTED])
rlm_ldap: no dialupAccess attribute - access denied by default
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns userlock for request 0
modcall: leaving group authorize (returns userlock) for request 0
Invalid user (rlm_ldap: Access Attribute denies access): [EMAIL PROTECTED]/thepassword] (from client localhost port 10)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 144 to 127.0.0.1 port 32803
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 144 with timestamp 44cff3d6
Nothing to do. Sleeping until we see a request.

I noticed that the 'dialupAccess' attribute is defined in the radiusprofile objectClass (openldap.schema). That means radiusd expects that objectClass to be made available. Wonder if there is any way around this?

--
Roger
--- Sign Up for free Email at http://ureg.home.net.my/ ---
Re: AAA
Quoting Markus Krause [EMAIL PROTECTED]:

> Quoting Roger Thomas [EMAIL PROTECTED]:
>
> > Quoting Alan DeKok [EMAIL PROTECTED]:
> >
> > > Roger Thomas [EMAIL PROTECTED] wrote:
> > >
> > > > My LDAP knowledge is quite shallow and as such I would like to use
> > > >   - openLDAP only for authentication
> > > >   - MySQL for authorization and accounting
> > > > If that is possible, do I *still* need to extend my LDAP schema with
> > > > ~/doc/examples/openldap.schema ?
> > >
> > > I don't think so. If all you're using LDAP for is usernames and passwords,
> > > that should be in the default schema.
> > >
> > > Alan DeKok.
> > > --
> > > http://deployingradius.com - The web site of the book
> > > http://deployingradius.com/blog/ - The blog
> >
> > I ran radtest and it complained that there is no dialupAccess attribute, so access is denied by default.
> >
> > -- snippet from debug screen --
> > ...
> > ...
> > rlm_ldap: Bind was successful
> > rlm_ldap: performing search in dc=example,dc=com, with filter ([EMAIL PROTECTED])
> > rlm_ldap: no dialupAccess attribute - access denied by default
> > rlm_ldap: ldap_release_conn: Release Id: 0
> > modcall[authorize]: module ldap returns userlock for request 0
> > modcall: leaving group authorize (returns userlock) for request 0
> > Invalid user (rlm_ldap: Access Attribute denies access): [EMAIL PROTECTED]/thepassword] (from client localhost port 10)
> > Delaying request 0 for 1 seconds
> > Finished request 0
> > Going to the next request
> > --- Walking the entire request list ---
> > Waking up in 1 seconds...
> > --- Walking the entire request list ---
> > Waking up in 1 seconds...
> > --- Walking the entire request list ---
> > Sending Access-Reject of id 144 to 127.0.0.1 port 32803
> > Waking up in 4 seconds...
> > --- Walking the entire request list ---
> > Cleaning up request 0 ID 144 with timestamp 44cff3d6
> > Nothing to do. Sleeping until we see a request.
> >
> > I noticed that the 'dialupAccess' attribute is defined in the radiusprofile objectClass (openldap.schema). That means radiusd expects that objectClass to be made available. Wonder if there is any way around this?
>
> just comment out the line
>
>     access_attr = dialupAccess
>
> in the ldap section of your module definition.
>
> hth
> markus

That helps. Thanks Markus.
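To make the consequence of Markus's fix visible, here is an added example, not code from the thread or from FreeRADIUS: a small Python model of the rlm_ldap access_attr gate in its default mode (the mode that prints the "no dialupAccess attribute - access denied by default" line quoted above), applied to a few constructed directory entries both with `access_attr = dialupAccess` set and with it commented out. The entry names and values are invented for the demonstration.

```python
"""Added example (not from the thread or from FreeRADIUS): models the rlm_ldap
access_attr gate so the effect of commenting out "access_attr = dialupAccess"
can be compared with the original behaviour. Entries below are constructed."""

from typing import Dict, List, Optional

# One LDAP search result: attribute name -> list of values (LDAP attributes are multi-valued).
LdapEntry = Dict[str, List[str]]


def access_decision(entry: LdapEntry, access_attr: Optional[str]) -> str:
    """Return "allow" or "deny" for one user entry, following the rlm_ldap rules
    behind the debug lines quoted in the thread (default mode, in which the
    attribute is used to *allow* access):

      access_attr = None   -> gate disabled: every user that is found is allowed
      attribute missing    -> deny   ("no dialupAccess attribute - access denied by default")
      first value "FALSE"  -> deny   (the module compares the first value against the literal FALSE)
      anything else        -> allow
    """
    if access_attr is None:
        return "allow"
    values = entry.get(access_attr, [])
    if not values:
        return "deny"
    if values[0].startswith("FALSE"):
        return "deny"
    return "allow"


def decisions_for(entries: Dict[str, LdapEntry], access_attr: Optional[str]) -> Dict[str, str]:
    """Apply the gate to a whole set of named entries; useful for auditing who would get in."""
    return {name: access_decision(entry, access_attr) for name, entry in entries.items()}


# Constructed sample directory: only two of the three accounts carry the radiusprofile attribute.
SAMPLE_ENTRIES: Dict[str, LdapEntry] = {
    "roger":  {"uid": ["roger"]},                              # no radiusprofile objectClass (the thread's case)
    "alice":  {"uid": ["alice"], "dialupAccess": ["TRUE"]},
    "mallet": {"uid": ["mallet"], "dialupAccess": ["FALSE"]},  # explicitly locked out in LDAP
}

if __name__ == "__main__":
    print("access_attr = dialupAccess:", decisions_for(SAMPLE_ENTRIES, "dialupAccess"))
    print("access_attr commented out: ", decisions_for(SAMPLE_ENTRIES, None))
```

With the gate in place, roger is rejected exactly as in the debug output, and so is mallet. With the line commented out, all three are allowed, mallet included: removing access_attr removes the per-user lockout that lives in LDAP, so it is only a safe fix when authorization is enforced somewhere else (Roger intended MySQL for that) or when no account is flagged FALSE.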
freeradius configure line
Despite several attempts, configure failed to locate my LDAP installation. I installed openLDAP in a non-standard location: /etc/ldap.2.2.13 . I have tried freeradius configure like these:

a) (includes and libraries)
   ./configure --with-ldap-includes=/etc/ldap.2.2.13/include --with-ldap-libraries=/etc/ldap.2.2.13/lib

b) (include and lib)
   ./configure --with-ldap-include=/etc/ldap.2.2.13/include --with-ldap-lib=/etc/ldap.2.2.13/lib

c) (DASH between rlm and ldap)
   ./configure --with-modules=rlm-ldap --with-rlm-ldap-include-dir=/etc/ldap.2.2.13/include --with-rlm-ldap-lib-dir=/etc/ldap.2.2.13/lib

d) (UNDERSCORE between rlm and ldap)
   ./configure --with-modules=rlm_ldap --with-rlm_ldap-include-dir=/etc/ldap.2.2.13/include --with-rlm_ldap-lib-dir=/etc/ldap.2.2.13/lib

and at each attempt, I will get these warning messages:

configure: warning: silently not building rlm_ldap.
configure: warning: FAILURE: rlm_ldap requires: libldap_r.

I don't think it is a question of whether I have installed LDAP correctly BECAUSE if I were to install LDAP libs and headers in /usr/local/lib and /usr/local/include, then freeradius would not complain and everything compiled smoothly. That said, there could be something that I have missed and I am sure someone has done this before. Please advise.

--
Roger
Re: LDAP and mySQL
Quoting Nicolas Baradakis [EMAIL PROTECTED]:

> It is common to use OpenLDAP for auth and MySQL for acct.
> http://freeradius.org/radiusd/doc/ldap_howto.txt

In that howto, in the 2nd para of OVERVIEW:

    The radius servers will be accepting Radius auth packets and Radius acct packets. The accounting packets will be stored locally on each radius server and then forwarded to the Accounting radius server, using radrelay. The Accounting radius server will store all the radius information in some sort of database such as MySQL, Postgres, or Oracle.

Question: My setup is rather simple. Just one server at the moment that houses the LDAP, RADIUS and mySQL server. Would it be possible to make mySQL accept the acct packets by default and thus make no use of radrelay altogether?

--
Roger
Re: mysql libraries are there BUT not found
Quoting Nicolas Baradakis [EMAIL PROTECTED]:

> Roger Thomas wrote:
>
> > In /usr/local/mysql/lib/mysql I have:
> >
> > -rw-r--r-- 1 root mysql  11866 May 15 10:56 libdbug.a
> > -rw-r--r-- 1 root mysql  40304 May 15 10:56 libheap.a
> > -rw-r--r-- 1 root mysql  13536 May 15 10:56 libmerge.a
> > -rw-r--r-- 1 root mysql 313312 May 15 10:56 libmyisam.a
> > -rw-r--r-- 1 root mysql  24982 May 15 10:56 libmyisammrg.a
> > -rw-r--r-- 1 root mysql 480038 May 15 10:57 libmysqlclient.a
> > -rwxr-xr-x 1 root mysql    879 May 15 10:57 libmysqlclient.la
> > lrwxrwxrwx 1 root mysql     24 May 15 10:57 libmysqlclient.so -> libmysqlclient.so.14.0.0
> > lrwxrwxrwx 1 root mysql     24 May 15 10:57 libmysqlclient.so.14 -> libmysqlclient.so.14.0.0
> > -rwxr-xr-x 1 root mysql 409020 May 15 10:57 libmysqlclient.so.14.0.0
> > -rw-r--r-- 1 root mysql 240636 May 15 10:56 libmystrings.a
> > -rw-r--r-- 1 root mysql 256614 May 15 10:56 libmysys.a
> > -rw-r--r-- 1 root mysql  97536 May 15 10:56 libnisam.a
> > -rw-r--r-- 1 root mysql   5576 May 15 10:56 libvio.a
> >
> > What have I done wrong? Please advise.
>
> It looks like you don't have libmysqlclient_r.so, the thread-safe version of the client library.
> Either configure MySQL with --enable-thread-safe-client, or configure FreeRADIUS with --without-threads.
>
> --
> Nicolas Baradakis

Thank you so much Nicolas.

--
Roger
LDAP password format
The passwords for my users are kept in the SHA format in my LDAP. Does that mean that I have to tell radius.conf to use

    password_header = {sha}

? Please advise.

--
roger
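To show what a "SHA format" userPassword actually contains and why the header matters to whatever consumes it, here is an added example, not code from the thread or from FreeRADIUS: it builds the RFC 2307 `{SHA}` form, strips and interprets the scheme prefix, and verifies a candidate password against it. `{SSHA}` (salted SHA-1) is included as a generalisation beyond the thread's question; the passwords and salt are constructed values.

```python
"""Added example (not from the thread or from FreeRADIUS): build and verify
LDAP userPassword values in the RFC 2307 "{SHA}" and "{SSHA}" forms, making
the role of the scheme header explicit. All sample values are constructed."""

import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Tuple


def make_sha(password: str) -> str:
    """{SHA}base64(sha1(password)): the unsalted form the thread describes."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA}base64(sha1(password + salt) + salt): the salt travels inside the value."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_header(stored: str) -> Tuple[str, bytes]:
    """Separate the "{scheme}" prefix (upper-cased; "" for a bare cleartext value)
    from the decoded payload. This is the step a header setting exists for: the
    consumer has to know which prefix to strip and what the remainder means."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}") + 1
        return stored[:end].upper(), base64.b64decode(stored[end:])
    return "", stored.encode("utf-8")


def verify(stored: str, candidate: str) -> bool:
    """Constant-time check of a candidate against a stored value in any handled scheme.
    An undecodable value is treated as a failed match rather than an error."""
    try:
        scheme, payload = split_header(stored)
    except (binascii.Error, ValueError):
        return False
    cand = candidate.encode("utf-8")
    if scheme == "{SHA}":
        return hmac.compare_digest(payload, hashlib.sha1(cand).digest())
    if scheme == "{SSHA}":
        digest, salt = payload[:20], payload[20:]   # SHA-1 digest is 20 bytes; the rest is salt
        return hmac.compare_digest(digest, hashlib.sha1(cand + salt).digest())
    if scheme == "":
        return hmac.compare_digest(payload, cand)
    raise ValueError(f"unsupported password scheme {scheme!r}")


if __name__ == "__main__":
    stored = make_sha("thepassword")
    print(stored, verify(stored, "thepassword"), verify(stored, "wrong"))
```

Two points follow from the code: the header comparison is case-insensitive (`{sha}` and `{SHA}` name the same scheme), and unsalted `{SHA}` makes identical passwords produce identical stored values, which is why `{SSHA}` is the form to prefer when the directory is being set up fresh.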
mysql libraries are there BUT not found
I received warnings about the unavailability of mysql libraries when I ran configure:

-- start of text --
...
...
configure: warning: mysql libraries not found. Use --with-mysql-lib-dir=path.
configure: warning: sql submodule 'mysql' disabled
configure: warning: silently not building rlm_sql_postgresql.
configure: warning: FAILURE: rlm_sql_postgresql requires: libpq-fe.h libpq.
configure: warning: oracle headers not found. Use --with-oracle-home-dir=path.
configure: warning: sql submodule 'oracle' disabled
...
...
-- end of text --

Running configure with

    # ./configure --with-mysql-lib-dir=/usr/local/mysql/lib/mysql

made no difference.

In /usr/local/mysql/lib/mysql I have:

-rw-r--r-- 1 root mysql  11866 May 15 10:56 libdbug.a
-rw-r--r-- 1 root mysql  40304 May 15 10:56 libheap.a
-rw-r--r-- 1 root mysql  13536 May 15 10:56 libmerge.a
-rw-r--r-- 1 root mysql 313312 May 15 10:56 libmyisam.a
-rw-r--r-- 1 root mysql  24982 May 15 10:56 libmyisammrg.a
-rw-r--r-- 1 root mysql 480038 May 15 10:57 libmysqlclient.a
-rwxr-xr-x 1 root mysql    879 May 15 10:57 libmysqlclient.la
lrwxrwxrwx 1 root mysql     24 May 15 10:57 libmysqlclient.so -> libmysqlclient.so.14.0.0
lrwxrwxrwx 1 root mysql     24 May 15 10:57 libmysqlclient.so.14 -> libmysqlclient.so.14.0.0
-rwxr-xr-x 1 root mysql 409020 May 15 10:57 libmysqlclient.so.14.0.0
-rw-r--r-- 1 root mysql 240636 May 15 10:56 libmystrings.a
-rw-r--r-- 1 root mysql 256614 May 15 10:56 libmysys.a
-rw-r--r-- 1 root mysql  97536 May 15 10:56 libnisam.a
-rw-r--r-- 1 root mysql   5576 May 15 10:56 libvio.a

What have I done wrong? Please advise.

--
Roger
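Both the LDAP configure thread ("rlm_ldap requires: libldap_r") and the MySQL one ("mysql libraries not found", resolved by Nicolas as a missing libmysqlclient_r) come down to the same question: does the library directory handed to configure contain the thread-safe client library, or only the plain one? Here is an added example, not code from the thread or from FreeRADIUS, that checks a directory listing for the two libraries those warnings name. The MySQL remedy text is Nicolas's from the thread; no remedy is recorded for libldap_r, so none is claimed. The listing in `THREAD_LISTING` is a constructed copy of the file names Roger posted.

```python
"""Added example (not from the thread or from FreeRADIUS): report which thread-safe
client libraries named in the configure warnings on this page are missing from a
library directory. The sample listing mirrors the one posted in the thread."""

import os
from typing import Dict, Iterable, List

# module -> library stems the configure warnings quoted above ask for
REQUIRED: Dict[str, List[str]] = {
    "rlm_ldap": ["libldap_r"],
    "rlm_sql_mysql": ["libmysqlclient_r"],
}
SUFFIXES = (".so", ".a", ".dylib", ".la")

# Remedies as stated in the thread; libldap_r has none recorded there.
REMEDY: Dict[str, str] = {
    "libmysqlclient_r": "configure MySQL with --enable-thread-safe-client, "
                        "or configure FreeRADIUS with --without-threads",
}


def has_library(names: Iterable[str], stem: str) -> bool:
    """True if some file is stem+suffix, optionally followed by a version
    (e.g. "libldap_r.so.2.0.130"). "libldap.so" does not satisfy "libldap_r"."""
    for name in names:
        for suffix in SUFFIXES:
            if name == stem + suffix or name.startswith(stem + suffix + "."):
                return True
    return False


def missing_from_listing(names: Iterable[str]) -> Dict[str, List[str]]:
    """Map each module to the required stems absent from the given file names."""
    names = list(names)
    return {mod: [stem for stem in stems if not has_library(names, stem)]
            for mod, stems in REQUIRED.items()}


def missing_from_dir(libdir: str) -> Dict[str, List[str]]:
    """Same check against a real directory (an absent directory counts as empty)."""
    return missing_from_listing(os.listdir(libdir) if os.path.isdir(libdir) else [])


def report(missing: Dict[str, List[str]]) -> List[str]:
    """One human-readable line per missing library, with the thread's remedy where one exists."""
    lines = []
    for mod, stems in missing.items():
        for stem in stems:
            fix = REMEDY.get(stem, "no fix recorded in the thread")
            lines.append(f"{mod}: {stem} not found; {fix}")
    return lines


# Constructed listing of the file names posted in the thread (ls of /usr/local/mysql/lib/mysql).
THREAD_LISTING = [
    "libdbug.a", "libheap.a", "libmerge.a", "libmyisam.a", "libmyisammrg.a",
    "libmysqlclient.a", "libmysqlclient.la", "libmysqlclient.so",
    "libmysqlclient.so.14", "libmysqlclient.so.14.0.0", "libmystrings.a",
    "libmysys.a", "libnisam.a", "libvio.a",
]

if __name__ == "__main__":
    for line in report(missing_from_listing(THREAD_LISTING)):
        print(line)
```

Run against the posted listing it flags both libraries, which matches the two configure failures; pointing `missing_from_dir` at a directory that does hold `libmysqlclient_r.so.14` or `libldap_r.so.2` clears the corresponding entry, so the check can be used before rerunning configure to confirm that the `--with-...-lib-dir` path really contains what the module needs.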