Re: multiple ldap servers::solved::
On May 5, 2012, at 5:09 AM, Alan DeKok wrote:

> jeff donovan wrote:
>> I made two changes. and it worked.,.. not sure if it the best syntax, but
>> it's the first time I got both systems to call back.
>>
>> authorize {
>>
>>         ldap1
>>         if (notfound) {
>>                 ldap2
>>         }
>
> This is OK.
>
>>         if (reject) {
>>                 ldap2
>>         }
>
> This doesn't do anything. If ldap1 rejects the user (which it won't
> in the "authorize" section), then it will *immediately* return reject.
> i.e. the "if reject" line won't be reached.

you are correct. An authorize section would not return reject. i removed it and things work fine.

>> authenticate {
>>
>>         Auth-Type LDAP {
>>                 ldap1{
>>                         reject = 1
>>                         ok = return
>>                 }
>>                 ldap2 {
>>                         reject = 1
>>                         ok = return
>>                 }
>>         }
>
> This is wrong, too. You've forced "Auth-Type := LDAP" somewhere in
> your config.

the config I'm using is stock ubuntu,.. which has a few default includes.

radiusd.conf specifies;

$INCLUDE ${confdir}/modules/

i have a file in modules called ldap. Located in this file are two ldap servers entries.

# ldap
ldap ldap1 {
        server = "ldap1.example.com"
        basedn = "cn=users,dc=ldap1,dc=example.com"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
                start_tls = no
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        # edir_account_policy_check = no
        #ldap_debug = 0x0028
}
ldap ldap2 {
        server = "ldap2.example.com"
        basedn = "cn=users,dc=ldap2,dc=example.com"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
                start_tls = no
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        # edir_account_policy_check = no
        #ldap_debug = 0x0028
}

> You could instead use "set_auth_type" in the modules/ldap
> configuration. It's recommended to *not* use it, but it's fine here.
>
> Then, just do:
>
> authenticate {
>         ...
>         ldap1
>         ldap2
>         ...
> }

--- oof okay.

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        digest
#       pam
        unix
        ldap1
        ldap2
        eap
}

Yes Totally works.! my bad i thought I had to set the AUTH type. similar to some of the other configs.

> If the "ldap1" module finds the user, it sets Auth-Type = "ldap1".
> And the same for ldap2.
>
> This means that there are fewer queries to ldap1 in the "authenticate"
> phase. That's nice.

im into that. thanks for the help. hopefully my stumbles will aid someone in the future.

-j

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: multiple ldap servers
On 05.05.2012 10:36, Tobias Hachmer wrote:
> As I tried to explain before it's not the authentication of the user in radius request which fails but the bind user so the ldap module wasn't able to check the user credentials!
> Please reread the ldap documentation if this is unclear...

Sorry, I have to correct myself. The authentication will be done as a simple user bind with username and cleartext-password from radius-request. Only in authorize section the binddn user from ldap module will be taken to do the ldap search.

Please correct me again if I'm false.

Sorry for confusing...

Best regards,
Tobias Hachmer
Re: multiple ldap servers::solved::
jeff donovan wrote:
> I made two changes. and it worked.,.. not sure if it the best syntax, but
> it's the first time I got both systems to call back.
>
> authorize {
>
>         ldap1
>         if (notfound) {
>                 ldap2
>         }

  This is OK.

>         if (reject) {
>                 ldap2
>         }

  This doesn't do anything. If ldap1 rejects the user (which it won't in the "authorize" section), then it will *immediately* return reject. i.e. the "if reject" line won't be reached.

> authenticate {
>
>         Auth-Type LDAP {
>                 ldap1{
>                         reject = 1
>                         ok = return
>                 }
>                 ldap2 {
>                         reject = 1
>                         ok = return
>                 }
>         }

  This is wrong, too. You've forced "Auth-Type := LDAP" somewhere in your config.

  You could instead use "set_auth_type" in the modules/ldap configuration. It's recommended to *not* use it, but it's fine here.

  Then, just do:

authenticate {
        ...
        ldap1
        ldap2
        ...
}

  If the "ldap1" module finds the user, it sets Auth-Type = "ldap1". And the same for ldap2.

  This means that there are fewer queries to ldap1 in the "authenticate" phase. That's nice.

  Alan DeKok.
Re: multiple ldap servers
On 05/05/2012 01:40 AM, jeff donovan wrote:
> greetings
> sorry i snipped the bottom off , I didn't think it relevant since nothing happened after it tried to auth on ldap1.
>
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> drfoo
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 2 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 2
> Sending Access-Reject of id 158 to 10.135.1.15 port 65478
> Waking up in 4.9 seconds.
> Cleaning up request 2 ID 158 with timestamp +22
> Ready to process requests.

Hi Jeff,

are you sure you configured your ldap modules right? For me it seems you don't because your ldap bind fails.
configure your ldap1 module for the ldap1 server with a bind user which exists on ldap server 1.
In debug output your ldap1 module references with a user dn in "cn=users,dc=ldap2,dc=example.com". Is this correct or have it to be "cn=users,dc=ldap1,dc=example.com" ?

As I tried to explain before it's not the authentication of the user in radius request which fails but the bind user so the ldap module wasn't able to check the user credentials!
Please reread the ldap documentation if this is unclear...

Regards,
Tobias Hachmer
Re: multiple ldap servers::solved::
On May 4, 2012, at 7:40 PM, jeff donovan wrote:
>
> and that is correct. The user does not exist on LDAP1, his records are on
> LDAP2, which it finds, but it tries to auth against ldap1 ( which will fail ).
> I need it to step to ldap2

greetings

I made two changes. and it worked.,.. not sure if it the best syntax, but it's the first time I got both systems to call back.

authorize {

        ldap1
        if (notfound) {
                ldap2
        }

        if (reject) {
                ldap2
        }

authenticate {

        Auth-Type LDAP {
                ldap1{
                        reject = 1
                        ok = return
                }
                ldap2 {
                        reject = 1
                        ok = return
                }
        }

works very well. thanks for your assistance

-j
Re: multiple ldap servers
On May 4, 2012, at 3:58 PM, Tobias Hachmer wrote:

> On 04.05.2012 21:05, jeff donovan wrote:
>> Found Auth-Type = LDAP
>> # Executing group from file /etc/freeradius/sites-enabled/default
>> +- entering group LDAP {...}
>> [ldap1] login attempt by "drfoo" with password "XxXxXxX"
>> [ldap1] user DN: uid=drfoo,cn=users,dc=ldap2,dc=example.com
>> [ldap1] (re)connect to ldap1.example.com:389, authentication 1
>> [ldap1] bind as uid=drfoo,cn=users,dc=ldap2,dc=example.com/XxXxXxX
>> to ldap1.example.com:389
>> [ldap1] waiting for bind result ...
>> [ldap1] Bind failed with invalid credentials
>> ++[ldap1] returns reject
>> Failed to authenticate the user.
>> Using Post-Auth-Type Reject
>> # Executing group from file /etc/freeradius/sites-enabled/default
>> +- entering group REJECT {...}
>
> OK, so what happened here? The ldap bind has failed! That's not the failure
> message that the user you want to authenticate has wrong credentials.
> Be sure you configured the ldap modules correctly or send the whole radiusd
> -X debug output.

greetings

sorry i snipped the bottom off , I didn't think it relevant since nothing happened after it tried to auth on ldap1.

Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> drfoo
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 158 to 10.135.1.15 port 65478
Waking up in 4.9 seconds.
Cleaning up request 2 ID 158 with timestamp +22
Ready to process requests.

and that is correct. The user does not exist on LDAP1, his records are on LDAP2, which it finds, but it tries to auth against ldap1 ( which will fail ).
I need it to step to ldap2

I thought the result code was " reject " so under authentication if result of ldap1 = reject try ldap2.

Auth-Type LDAP {
        ldap1
        if (reject) {
                ldap2
        }
}
Re: multiple ldap servers
On 04.05.2012 21:05, jeff donovan wrote:
> Found Auth-Type = LDAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group LDAP {...}
> [ldap1] login attempt by "drfoo" with password "XxXxXxX"
> [ldap1] user DN: uid=drfoo,cn=users,dc=ldap2,dc=example.com
> [ldap1] (re)connect to ldap1.example.com:389, authentication 1
> [ldap1] bind as uid=drfoo,cn=users,dc=ldap2,dc=example.com/XxXxXxX to ldap1.example.com:389
> [ldap1] waiting for bind result ...
> [ldap1] Bind failed with invalid credentials
> ++[ldap1] returns reject
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group REJECT {...}

OK, so what happened here? The ldap bind has failed! That's not the failure message that the user you want to authenticate has wrong credentials.
Be sure you configured the ldap modules correctly or send the whole radiusd -X debug output.

Best regards,
Tobias Hachmer
Re: multiple ldap servers
On May 4, 2012, at 10:14 AM, Alan DeKok wrote:

> snip
>> authorize {
> ...
>>         redundant {
>>                 ldap1
>>                 ldap2
>>         }
>
> Change that to:
>
>         ldap1
>         if (notfound) {
>                 ldap2
>         }
>
> And it will work.

greetings

i read the unlang pages. I modified my Authorize section, and you are correct, the user is found on ldap1 or checks the next server.

Now it seems to be sticking on the first reject in the Authenticate section.

here is what I have;

authenticate {
        Auth-Type LDAP {
                ldap1
                if (reject) {
                        ldap2
                }
        }

I have also tried

        Auth-Type LDAP {
                ldap1
                ldap2
        }

in this case if the credentials do not exist on ldap1 everything stops.

here is my debug;

[ldap1] performing user authorization for drfoo
[ldap1] expand: %{Stripped-User-Name} ->
[ldap1] ... expanding second conditional
[ldap1] expand: %{User-Name} -> drfoo
[ldap1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=drfoo)
[ldap1] expand: cn=users,dc=ldap1,dc=example.com -> cn=users,dc=ldap1,dc=example.com
[ldap1] ldap_get_conn: Checking Id: 0
[ldap1] ldap_get_conn: Got Id: 0
[ldap1] performing search in cn=users,dc=ldap1,dc=example.com, with filter (uid=drfoo)
[ldap1] object not found
[ldap1] search failed
[ldap1] ldap_release_conn: Release Id: 0
++[ldap1] returns notfound
++? if (notfound)
? Evaluating (notfound) -> TRUE
++? if (notfound) -> TRUE
++- entering if (notfound) {...}
[ldap2] performing user authorization for drfoo
[ldap2] expand: %{Stripped-User-Name} ->
[ldap2] ... expanding second conditional
[ldap2] expand: %{User-Name} -> drfoo
[ldap2] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=drfoo)
[ldap2] expand: cn=users,dc=ldap2,dc=example.com -> cn=users,dc=ldap2,dc=example.com
[ldap2] ldap_get_conn: Checking Id: 0
[ldap2] ldap_get_conn: Got Id: 0
[ldap2] performing search in cn=users,dc=ldap2,dc=example.com, with filter (uid=drfoo)
[ldap2] No default NMAS login sequence
[ldap2] looking for check items in directory...
[ldap2] userPassword -> Password-With-Header == ""
[ldap2] looking for reply items in directory...
[ldap2] Setting Auth-Type = LDAP
[ldap2] user drfoo authorized to use remote access
[ldap2] ldap_release_conn: Release Id: 0
+++[ldap2] returns ok
++- if (notfound) returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Failed to decode Password-With-Header = ""
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = LDAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group LDAP {...}
[ldap1] login attempt by "drfoo" with password "XxXxXxX"
[ldap1] user DN: uid=drfoo,cn=users,dc=ldap2,dc=example.com
[ldap1] (re)connect to ldap1.example.com:389, authentication 1
[ldap1] bind as uid=drfoo,cn=users,dc=ldap2,dc=example.com/XxXxXxX to ldap1.example.com:389
[ldap1] waiting for bind result ...
[ldap1] Bind failed with invalid credentials
++[ldap1] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
Re: multiple ldap servers
jeff donovan wrote:
> thanks for the reply. can i really use if then else ?

  Do you think I'm lying to you?

  Did you read "man unlang", which explains all of this?

> with that said, i should be able to apply the same for fail ?

$ man unlang

  Alan DeKok.
Re: multiple ldap servers
On May 4, 2012, at 10:14 AM, Alan DeKok wrote:

> jeff donovan wrote:
>> I'm new to radius but have been reading.
>
> That's always positive.
>
>> how can i search and alternate LDAP server for user credentials ?
>> If the first LDAP search fails try the next server in line.
>
> Do you mean "fail" or "notfound"? They're different...

true,. i will probably come across both.

>> I found some documentation-
>> * http://freeradius.org/radiusd/doc/ldap_howto.txt does not mention a
>> second server.
>> * http://freeradius.org/radiusd/doc/configurable_failover explains the
>> redundant setup for sql accounting.
>
> See also "man unlang". It explains this in more detail.

k tnx-more reading :)

>> so far I tried adding the second ldap server, it's info is read during
>> module load -- no errors. The problem is,.. only one of the ldap systems
>> contains the correct info. So one WILL fail and the other will pass.
>> with that being said,.. How do i configure my server to Pass if either
>> system returns " ok " ? currently it will fail even if one LDAP system
>> returns good.
>
> That's because you're using a "redundant" block. It treats "notfound"
> as "LDAP server is still up", and it doesn't fail over to the next one.
> Because there was no failure!
>
>> authorize {
> ...
>>         redundant {
>>                 ldap1
>>                 ldap2
>>         }
>
> Change that to:
>
>         ldap1
>         if (notfound) {
>                 ldap2
>         }
>
> And it will work.

thanks for the reply. can i really use if then else ?

with that said, i should be able to apply the same for fail ?

--- ill post more when i adjust my settings and try with the not found. then I try with fail.

-j
Re: multiple ldap servers
jeff donovan wrote:
> I'm new to radius but have been reading.

  That's always positive.

> how can i search and alternate LDAP server for user credentials ?
> If the first LDAP search fails try the next server in line.

  Do you mean "fail" or "notfound"? They're different...

> I found some documentation-
> * http://freeradius.org/radiusd/doc/ldap_howto.txt does not mention a
> second server.
> * http://freeradius.org/radiusd/doc/configurable_failover explains the
> redundant setup for sql accounting.

  See also "man unlang". It explains this in more detail.

> so far I tried adding the second ldap server, it's info is read during
> module load -- no errors. The problem is,.. only one of the ldap systems
> contains the correct info. So one WILL fail and the other will pass.
> with that being said,.. How do i configure my server to Pass if either
> system returns " ok " ? currently it will fail even if one LDAP system
> returns good.

  That's because you're using a "redundant" block. It treats "notfound" as "LDAP server is still up", and it doesn't fail over to the next one. Because there was no failure!

> authorize {
...
>         redundant {
>                 ldap1
>                 ldap2
>         }

  Change that to:

        ldap1
        if (notfound) {
                ldap2
        }

  And it will work.

  Alan DeKok.
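The return-code behaviour Alan describes here ("redundant" only fails over on "fail", while "if (notfound)" moves to the next server when the user is simply absent), together with the arrangement from the "solved" reply further up the page (each ldap instance sets Auth-Type to its own name, so only the instance that found the user binds in authenticate), modelled as a small Python simulation. This is an added illustration, not FreeRADIUS code or anything posted in the thread: LdapModule is a stand-in for an rlm_ldap instance, the "ldap1"/"ldap2" names follow the thread, and the users, directories and passwords are constructed. The model also shows why the original "Auth-Type LDAP { ldap1 ldap2 }" group rejects a user who only exists on ldap2.

```python
"""Toy model of the unlang return-code behaviour discussed in this thread.
Added illustration only, not FreeRADIUS code: the modules, users and
passwords below are constructed stand-ins for rlm_ldap instances."""

from dataclasses import dataclass, field
from typing import Optional

# Module return codes that matter here
OK, NOTFOUND, FAIL, REJECT, NOOP = "ok", "notfound", "fail", "reject", "noop"


@dataclass
class Request:
    user: str
    password: str
    auth_type: Optional[str] = None
    log: list = field(default_factory=list)


class LdapModule:
    """Stand-in for one rlm_ldap instance: a directory (uid -> password) and a
    reachability flag. Unreachable -> 'fail'; unknown uid -> 'notfound'."""

    def __init__(self, name, directory, up=True, set_auth_type=True):
        self.name = name
        self.directory = directory
        self.up = up
        self.set_auth_type = set_auth_type

    def authorize(self, req):
        if not self.up:
            req.log.append(f"[{self.name}] connection failed")
            return FAIL
        if req.user not in self.directory:
            req.log.append(f"[{self.name}] object not found")
            return NOTFOUND
        # set_auth_type = yes: the instance names itself as the authenticator
        # (as Alan describes), but never overrides an Auth-Type already set.
        if self.set_auth_type and req.auth_type is None:
            req.auth_type = self.name
        req.log.append(f"[{self.name}] user {req.user} authorized")
        return OK

    def authenticate(self, req):
        """Simple bind as the user. The instance only knows its own directory,
        so a user who lives elsewhere gets 'invalid credentials'."""
        if not self.up:
            return FAIL
        if self.directory.get(req.user) == req.password:
            req.log.append(f"[{self.name}] bind successful")
            return OK
        req.log.append(f"[{self.name}] Bind failed with invalid credentials")
        return REJECT


def redundant(modules, req):
    """'redundant { ldap1 ldap2 }': the next module runs only after 'fail'.
    'notfound' means the server answered, so the block returns it as-is."""
    result = NOOP
    for m in modules:
        result = m.authorize(req)
        if result != FAIL:
            break
    return result


def fallback_on_notfound(modules, req):
    """'ldap1  if (notfound) { ldap2 }', generalised to a chain of any length:
    move on only after 'notfound'; 'ok' or 'fail' ends the chain."""
    result = NOOP
    for m in modules:
        result = m.authorize(req)
        if result != NOTFOUND:
            break
    return result


def authenticate_by_instance(modules, req):
    """'authenticate { ldap1 ldap2 }' with Auth-Type holding an instance name:
    only the instance that found the user in authorize binds."""
    for m in modules:
        if req.auth_type == m.name:
            return m.authenticate(req)
    return NOOP


def authenticate_ldap_group(modules, req):
    """The original 'Auth-Type LDAP { ldap1 ldap2 }': instances run in order
    and the group stops at the first 'reject', so ldap1 answers for everyone."""
    result = NOOP
    for m in modules:
        result = m.authenticate(req)
        if result in (OK, REJECT, FAIL):
            break
    return result


if __name__ == "__main__":
    ldap1 = LdapModule("ldap1", {"alice": "s3cret"})          # constructed
    ldap2 = LdapModule("ldap2", {"drfoo": "correct-horse"})   # constructed
    req = Request("drfoo", "correct-horse")
    print("redundant:", redundant([ldap1, ldap2], req))        # notfound
    req = Request("drfoo", "correct-horse")
    print("if (notfound):", fallback_on_notfound([ldap1, ldap2], req), req.auth_type)
    print("authenticate:", authenticate_by_instance([ldap1, ldap2], req))
    for line in req.log:
        print("  ", line)
```

Running the chain with ldap1 marked unreachable shows the other side of Alan's "fail or notfound" distinction: redundant() does fail over, while fallback_on_notfound() returns "fail" and stops, so a deployment that wants both behaviours needs both checks.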
Re: multiple ldap servers
Hi Jeff,

On 04.05.2012 14:30, jeff donovan wrote:
> how can i search and alternate LDAP server for user credentials ?
> If the first LDAP search fails try the next server in line.

Just mention only this ldap server in authenticate section:

authenticate {
        Auth-Type LDAP {
                ldap1   # the ldap server which has the credentials
        }
}

That's it. Only the ldap servers you have mentioned in authorize section will be queried for group memberships.

Greetz,
Tobias
multiple ldap servers
Greetings

I'm new to radius but have been reading. I have a freeradius server running on ubuntu 11, my users file is an ldap server which works great.

My question is, how can i search and alternate LDAP server for user credentials ? If the first LDAP search fails try the next server in line.

I found some documentation-
* http://freeradius.org/radiusd/doc/ldap_howto.txt does not mention a second server.
* http://freeradius.org/radiusd/doc/configurable_failover explains the redundant setup for sql accounting.

so far I tried adding the second ldap server, it's info is read during module load -- no errors. The problem is,.. only one of the ldap systems contains the correct info. So one WILL fail and the other will pass.

with that being said,.. How do i configure my server to Pass if either system returns " ok " ? currently it will fail even if one LDAP system returns good.

authorize {
        preprocess
        chap
        mschap
        digest
        suffix
        eap {
                ok = return
        }
        files
        redundant {
                ldap1
                ldap2
        }
        expiration
        logintime
        pap
#       Autz-Type Status-Server {
#
#       }
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        digest
        #
        #  Pluggable Authentication Modules.
        #
#       pam
        unix
        Auth-Type LDAP {
                ldap1
                ldap2
        }
        eap
#       Auth-Type eap {
#               eap {
#                       handled = 1
#               }
#               if (handled && (Response-Packet-Type == Access-Challenge)) {
#                       attr_filter.access_challenge.post-auth
#                       handled  # override the "updated" code from attr_filter
#               }
#       }
}

Any Assistance would be helpful.

-j
Re: configuring multiple ldap servers
Sorry, I think I misunderstood.

So you have (let's say) 2 LDAP servers with a different user base on each. You want an internal access point to look at one server and an external firewall to look at another.

I'm not sure, but you might be able to use HuntGroups to discover which client device is "calling" and then use unlang IF statement in the authorize section.

This will probably take a little testing on your side. If you get it working I would love to see the end config.

Bob

On Tue, Mar 23, 2010 at 1:36 PM, V Jyothi-B22245 wrote:
> Hi,
>
> I think it will solve the problem to some extent.
>
> If I have to use a specific ldap server for a specific radius client,
> like I have two radius clients and two ldap servers and I want to use ldap1
> for rad-cl1 and ldap2 for rad-cl2.
> How to map??
>
> Thank you for much your information, I could understand on how to
> load-balance.
>
> Thanks
> Jyothi
>
> From: freeradius-users-bounces+b22245=freescale@lists.freeradius.org On Behalf Of Bob Brandt
> Sent: Tuesday, March 23, 2010 2:23 PM
> To: FreeRadius users mailing list
> Subject: Re: configuring multiple ldap servers
>
> How about you use something like:
>
> authorize {
>         redundant {
>                 redundant-load-balance {
>                         ldap1
>                         ldap2
>                 }
>                 ldap3
>         }
> }
>
> Where the load will be shared evenly between ldap 1 and 2 and only use 3 if
> 1 and 2 are not available.
>
> Bob
>
> On Tue, Mar 23, 2010 at 6:53 AM, V Jyothi-B22245 wrote:
>>
>> Hi,
>>
>> I want to understand in freeradius with rlm_ldap,
>> Is it possible to configure multiple LDAP servers in Freeradius and the
>> freeradius uses different LDAP server for different requests.
>>
>> Is it possible to add some kind of id in radius requests, so that
>> freeradius makes use of that ID to choose which LDAP server can be used for
>> that request.
>> I am new to this freeradius.
>> Please help me to get some understanding ??
>>
>> We can configure one LDAP server in freeradius radiusd.conf ldap section??
>> but how to configure multiple LDAP servers and what is the purpose of filter
>> id attribute in freeradius??
>>
>> Thanks
>> Jyothi
RE: configuring multiple ldap servers
Hi,

I think it will solve the problem to some extent.

If I have to use a specific ldap server for a specific radius client, like I have two radius clients and two ldap servers and I want to use ldap1 for rad-cl1 and ldap2 for rad-cl2.
How to map??

Thank you for much your information, I could understand on how to load-balance.

Thanks
Jyothi

From: freeradius-users-bounces+b22245=freescale@lists.freeradius.org On Behalf Of Bob Brandt
Sent: Tuesday, March 23, 2010 2:23 PM
To: FreeRadius users mailing list
Subject: Re: configuring multiple ldap servers

How about you use something like:

authorize {
        redundant {
                redundant-load-balance {
                        ldap1
                        ldap2
                }
                ldap3
        }
}

Where the load will be shared evenly between ldap 1 and 2 and only use 3 if 1 and 2 are not available.

Bob

On Tue, Mar 23, 2010 at 6:53 AM, V Jyothi-B22245 wrote:

Hi,

I want to understand in freeradius with rlm_ldap,
Is it possible to configure multiple LDAP servers in Freeradius and the freeradius uses different LDAP server for different requests.

Is it possible to add some kind of id in radius requests, so that freeradius makes use of that ID to choose which LDAP server can be used for that request.
I am new to this freeradius.
Please help me to get some understanding ??

We can configure one LDAP server in freeradius radiusd.conf ldap section?? but how to configure multiple LDAP servers and what is the purpose of filter id attribute in freeradius??

Thanks
Jyothi
Re: configuring multiple ldap servers
How about you use something like:

authorize {
        redundant {
                redundant-load-balance {
                        ldap1
                        ldap2
                }
                ldap3
        }
}

Where the load will be shared evenly between ldap 1 and 2 and only use 3 if 1 and 2 are not available.

Bob

On Tue, Mar 23, 2010 at 6:53 AM, V Jyothi-B22245 wrote:
>
> Hi,
>
> I want to understand in freeradius with rlm_ldap,
> Is it possible to configure multiple LDAP servers in Freeradius and the
> freeradius uses different LDAP server for different requests.
>
> Is it possible to add some kind of id in radius requests, so that
> freeradius makes use of that ID to choose which LDAP server can be used for
> that request.
> I am new to this freeradius.
> Please help me to get some understanding ??
>
> We can configure one LDAP server in freeradius radiusd.conf ldap section??
> but how to configure multiple LDAP servers and what is the purpose of filter
> id attribute in freeradius??
>
> Thanks
> Jyothi
configuring multiple ldap servers
Hi,

I want to understand in freeradius with rlm_ldap,
Is it possible to configure multiple LDAP servers in Freeradius and the freeradius uses different LDAP server for different requests.

Is it possible to add some kind of id in radius requests, so that freeradius makes use of that ID to choose which LDAP server can be used for that request.
I am new to this freeradius.
Please help me to get some understanding ??

We can configure one LDAP server in freeradius radiusd.conf ldap section?? but how to configure multiple LDAP servers and what is the purpose of filter id attribute in freeradius??

Thanks
Jyothi
Re: Help with multiple LDAP servers
>> ...
>>> rad_check_password: Found Auth-Type LDAP
>>> auth: type "LDAP"
>>
>> Remove that from users file. Let pap module do the authentication. Ldap
>> should return the password to radius via ldap.attrmap.
>
> I still need this in the users file though. Without it, I get rejections.
> It seems like this is all working well right now. Thanks a lot!

Then your ldap isn't passing the user password to radius (or is encrypted and has a header and auto-headers aren't enabled).

Ivan Kalik
Kalik Informatika ISP
Re: Help with multiple LDAP servers
Quoting "Ivan Kalik" :

> Ok. You can remove redundant (module is not failing, so no failover needed). Just list the two modules one below the other.

Removing the redundant lines, seems to make this work!

> ...
>> rad_check_password: Found Auth-Type LDAP
>> auth: type "LDAP"
>
> Remove that from users file. Let pap module do the authentication. Ldap should return the password to radius via ldap.attrmap.

I still need this in the users file though. Without it, I get rejections.
It seems like this is all working well right now. Thanks a lot!
Re: Help with multiple LDAP servers
> Quoting "Ivan Kalik" :
>
>> So what does first ldap section return when user is missing - fail or
>> reject (I see you have access attribute configured there)? If it's
>> reject
>> you need unlang (ie 2.x).
>>
>
> Here is my output of radtest with a user on the second LDAP server.
> This server never gets queried unless the first one is offline. I
> also made these changes to radiusd.conf after re-reading the
> configurable_failover document.
> I would appreciate some pointers because I am just not getting it.
>
> redundant {
>
>         rhds_ldap
>                 notfound = 1
>                 ok = return
>         ad_ldap
>                 notfound = 1
>                 ok = return
> }
>
>
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>     rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for request 0
> modcall: entering group redundant for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for testuser
> radius_xlat: '(uid=testuser)'
> radius_xlat: 'dc=xx,dc=xx,dc=xx'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to xx.xx.com:389, authentication 0
> rlm_ldap: bind as cn=ciscoap,ou=System,dc=xx,dc=xx,dc=xx/ to
> xx.xx.com:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=xx,dc=xx,dc=xx, with filter
> (uid=testuser)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "rhds_ldap" returns notfound for request 0

Ok. You can remove redundant (module is not failing, so no failover needed). Just list the two modules one below the other.

...
> users: Matched entry DEFAULT at line 216
...
>   rad_check_password: Found Auth-Type LDAP
> auth: type "LDAP"

Remove that from users file. Let pap module do the authentication. Ldap should return the password to radius via ldap.attrmap.
Re: Help with multiple LDAP servers
AJ wrote:
> I would appreciate some pointers because I am just not getting it.
>
> redundant {
>
>         rhds_ldap
>                 notfound = 1
>                 ok = return

  You need brackets around everything:

redundant {
        rhds_ldap {
                notfound = 1
                ok = return
        } #rdhs_ldap
        ...
} # redundant

  Alan DeKok.
Re: Help with multiple LDAP servers
Quoting "Ivan Kalik" :

> So what does first ldap section return when user is missing - fail or reject (I see you have access attribute configured there)? If it's reject you need unlang (ie 2.x).

Here is my output of radtest with a user on the second LDAP server. This server never gets queried unless the first one is offline. I also made these changes to radiusd.conf after re-reading the configurable_failover document.
I would appreciate some pointers because I am just not getting it.

redundant {

        rhds_ldap
                notfound = 1
                ok = return
        ad_ldap
                notfound = 1
                ok = return
}


modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
modcall: entering group redundant for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat: '(uid=testuser)'
radius_xlat: 'dc=xx,dc=xx,dc=xx'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to xx.xx.com:389, authentication 0
rlm_ldap: bind as cn=ciscoap,ou=System,dc=xx,dc=xx,dc=xx/ to xx.xx.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=xx,dc=xx,dc=xx, with filter (uid=testuser)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "rhds_ldap" returns notfound for request 0
modcall: leaving group redundant (returns notfound) for request 0
    users: Matched entry DEFAULT at line 153
    users: Matched entry DEFAULT at line 216
  modcall[authorize]: module "files" returns ok for request 0
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "testuser" with password "password"
radius_xlat: '(uid=testuser)'
radius_xlat: 'dc=xx,dc=xx,dc=xx'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=xx,dc=xx,dc=xx, with filter (uid=testuser)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authenticate]: module "rhds_ldap" returns notfound for request 0
modcall: leaving group LDAP (returns notfound) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 236 to 127.0.0.1 port 41511
Waking up in 4 seconds...
Re: Help with multiple LDAP servers
>> Redundant should work in 1.1.7. But in 2.x you can use unlang for even
>> more flexibility. Not to mention all the bug and security fixes and
>> enhancements in years since 1.1.7. If you are upgrading go for the
>> latest version.
>
> I have upgraded to 1.1.7, and I still have the same behavior. Is my
> configuration right for what I want to do?

So what does first ldap section return when user is missing - fail or
reject (I see you have access attribute configured there)? If it's
reject you need unlang (ie 2.x).

Ivan Kalik
Kalik Informatika ISP
Re: Help with multiple LDAP servers
AJ wrote:
> I know this has been discussed before on the list and there is
> documentation for this, but I have literally spent days on this and I
> cannot get the result that I am looking for. I am hoping someone can
> share a configuration with me that works. Basically, I am looking to
> have radius authenticate to two LDAP servers one after the other. It is
> not a true failover or load balance situation, as both servers need to
> be queried at the same time. Basically, I want the first LDAP server to
> be queried for a username/password, then if the user is not found, try
> the second one.

In 1.1.x, read doc/configurable_failover

It explains how to configure what you want, including the module
return codes.

Alan DeKok.
Re: Help with multiple LDAP servers
Quoting "Ivan Kalik":

> Redundant should work in 1.1.7. But in 2.x you can use unlang for even
> more flexibility. Not to mention all the bug and security fixes and
> enhancements in years since 1.1.7. If you are upgrading go for the
> latest version.

I have upgraded to 1.1.7, and I still have the same behavior. Is my
configuration right for what I want to do?
Re: Help with multiple LDAP servers
>> Upgrade. Then create redundant section for ldap servers in authorize.
>>
>
> Would I be able to go to latest 1.1.x release to get this working or
> do I need to go to 2.x?

Redundant should work in 1.1.7. But in 2.x you can use unlang for even
more flexibility. Not to mention all the bug and security fixes and
enhancements in years since 1.1.7. If you are upgrading go for the
latest version.

Ivan Kalik
Kalik Informatika ISP
Re: Help with multiple LDAP servers
Quoting "Ivan Kalik":

> Upgrade. Then create redundant section for ldap servers in authorize.

Would I be able to go to latest 1.1.x release to get this working or
do I need to go to 2.x?
Re: Help with multiple LDAP servers
> I know this has been discussed before on the list and there is
> documentation for this, but I have literally spent days on this and I
> cannot get the result that I am looking for. I am hoping someone can
> share a configuration with me that works. Basically, I am looking to
> have radius authenticate to two LDAP servers one after the other. It
> is not a true failover or load balance situation, as both servers need
> to be queried at the same time. Basically, I want the first LDAP
> server to be queried for a username/password, then if the user is not
> found, try the second one.
>
> radiusd -v:
> radiusd: FreeRADIUS Version 1.1.3
>
> rpm -qa | grep freeradius:
> freeradius-1.1.3-1.2.el5

Upgrade. Then create redundant section for ldap servers in authorize.

Ivan Kalik
Kalik Informatika ISP
Help with multiple LDAP servers
Hi,

I know this has been discussed before on the list and there is
documentation for this, but I have literally spent days on this and I
cannot get the result that I am looking for. I am hoping someone can
share a configuration with me that works. Basically, I am looking to
have radius authenticate to two LDAP servers one after the other. It is
not a true failover or load balance situation, as both servers need to
be queried at the same time. Basically, I want the first LDAP server to
be queried for a username/password, then if the user is not found, try
the second one.

I did not extend the schema on either LDAP server, and I do not really
want to do that if at all possible, since I am just using freeradius for
authentication.

On a side note, if I just use one LDAP server in the configuration, it
works fine. I can authenticate to both LDAP servers if I only list one.

What seems to happen with this configuration is that it only tries the
first LDAP server, and if the user does not exist, it quits right there
and does not try the second (ad_ldap).

Any help would be greatly appreciated.

I am running the following version of freeradius:

radiusd -v:
radiusd: FreeRADIUS Version 1.1.3

rpm -qa | grep freeradius:
freeradius-1.1.3-1.2.el5

Here are the relevant parts of my config:

$sysconfdir/raddb/radiusd.conf:

modules {
        ldap rhds_ldap {
                server = "xxx.xxx.com"
                identity = "cn=ciscoap,ou=System,dc=xx,dc=xx,dc=xx"
                password = ""
                basedn = "dc=xx,dc=xx,dc=xx"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                base_filter = "(objectclass=DUser)"
                start_tls = no
                access_attr = "uid"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }
        ldap ad_ldap {
                server = "yyy.yyy.com"
                identity = "CN=CiscoAP,CN=Users,DC=yy,DC=yy"
                password = ""
                basedn = "dc=yy,dc=yy"
                filter = "(samAccountName=%{Stripped-User-Name:-%{User-Name}})"
                base_filter = "(objectclass=person)"
                start_tls = no
                access_attr = "samAccountName"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }
}

authorize {
        redundant {
                rhds_ldap
                rhds_ldap
                notfound = reject
        }
}

authenticate {
        Auth-Type LDAP {
                rhds_ldap
                ad_ldap
        }
}

$sysconfdir/raddb/users: (added)

DEFAULT Auth-Type := LDAP
        Fall-Through = Yes

$sysconfdir/raddb/ldap.attrmap: (added)

checkItem       User-Password   userPassword
Re: freeradius with multiple ldap servers
Hello Ivan and Alan
Thanks a lot for tolerating my pestering. It has worked. The problem was
with the PAP module. The auto header detection was turned off. It works
perfectly now.

Thanks
Sambuddho

On Mon, 2008-07-07 at 10:08 +0100, Ivan Kalik wrote:
> > Does that mean that I cannot authenticate against a LDAP server from a
> >freeradius server using cleartext passwords.
>
> But you are not using cleartext passwords. Passwords in ldap are
> encrypted.
>
> >So the freeradius client
> >needs to send the password in encrypted format. But other programs which
> >using LDAP server to authenticate (eg. the pam_ldap ) takes as input the
> >cleartext password. Is there a solution to this ?
>
> You need to add a header to the userPassword field. If you don't know
> what password header is and how to do that, ask on the ldap list.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: freeradius with multiple ldap servers
Hello Ivan
The ldap database passwords have the '{crypt}' header. What I meant by
cleartext passwords is that I am typing in the password in clear text in
the radtest program.

Thanks
Sambuddho

On Mon, 2008-07-07 at 10:08 +0100, Ivan Kalik wrote:
> > Does that mean that I cannot authenticate against a LDAP server from a
> >freeradius server using cleartext passwords.
>
> But you are not using cleartext passwords. Passwords in ldap are
> encrypted.
>
> >So the freeradius client
> >needs to send the password in encrypted format. But other programs which
> >using LDAP server to authenticate (eg. the pam_ldap ) takes as input the
> >cleartext password. Is there a solution to this ?
>
> You need to add a header to the userPassword field. If you don't know
> what password header is and how to do that, ask on the ldap list.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: freeradius with multiple ldap servers
> Does that mean that I cannot authenticate against a LDAP server from a
>freeradius server using cleartext passwords.

But you are not using cleartext passwords. Passwords in ldap are
encrypted.

>So the freeradius client
>needs to send the password in encrypted format. But other programs which
>using LDAP server to authenticate (eg. the pam_ldap ) takes as input the
>cleartext password. Is there a solution to this ?

You need to add a header to the userPassword field. If you don't know
what password header is and how to do that, ask on the ldap list.

Ivan Kalik
Kalik Informatika ISP
Re: freeradius with multiple ldap servers
Hi,

> I went through the documentation on the website and in the doc/
> directory in the source distribution. I read through the
> ldap_howto.txt. Is that the example you refer to ? (That's the only one I
> found with the source distribution). It had many components that I don't
> require. I scrolled down to find the freeradius configuration. But I am
> still not clear how to exactly tailor it for my needs. Is there an
> example / url I can use as reference ? Am I looking at the wrong
> place ?

first basic question. why did you add an authenticate and authorise
section to radiusd.conf? that stuff is already in the sites-enabled/default
file - which gets read and used on server startup. if you have to edit
such entries, edit them in the right place. radiusd.conf now is a very
basic file which sets up logging, imports other conf files and a few
other mundane things.

what you COULD do, and what is 'reasonable' is to rename the
sites-enabled/default file to something like sites-enabled/my-service
and then edit it for your required service.

alan
Re: freeradius with multiple ldap servers
Hello Alan
I went through the documentation on the website and in the doc/
directory in the source distribution. I read through the
ldap_howto.txt. Is that the example you refer to ? (That's the only one I
found with the source distribution). It had many components that I don't
require. I scrolled down to find the freeradius configuration. But I am
still not clear how to exactly tailor it for my needs. Is there an
example / url I can use as reference ? Am I looking at the wrong
place ?

Thanks
Sambuddho

On Sun, 2008-07-06 at 19:15 +0200, Alan DeKok wrote:
> Sambuddho Chakravarty wrote:
> > My intent is not to pester you with my queries but the problem is still
> > what it was initially. I'll once again tell you the configuration that I
> > am using.
>
>   The difficulty I'm having is being *able* to help you.  At this point
> it's clear that the documentation isn't helping you, and neither are the
> answers on this list.
>
> > radiusd.conf---
> >
> >
> > /* Most of the stuff is untouched.
> > */
> >
> > /* Added authenticate{} and authorize{} section */
>
>   Why?  Have you even bothered trying to understand how the server
> works?  Are you completely un-aware of the existing documentation and
> sample configuration files?
>
>   You seem insistent on ignoring the examples, ignoring the
> documentation, and ignoring the responses on this list.
>
> > Please point me out what may have possibly gone wrong.
>
>   We did.  You were given clear directions on what to do.  You failed to
> follow the directions.
>
>   At this point, I have to say that there's no point in you continuing
> to post questions until you've managed to follow the instructions to
> your previous questions.
>
>   Alan DeKok.
Re: freeradius with multiple ldap servers
Sambuddho Chakravarty wrote:
> My intent is not to pester you with my queries but the problem is still
> what it was initially. I'll once again tell you the configuration that I
> am using.

  The difficulty I'm having is being *able* to help you.  At this point
it's clear that the documentation isn't helping you, and neither are the
answers on this list.

> radiusd.conf---
>
>
> /* Most of the stuff is untouched.
> */
>
> /* Added authenticate{} and authorize{} section */

  Why?  Have you even bothered trying to understand how the server
works?  Are you completely un-aware of the existing documentation and
sample configuration files?

  You seem insistent on ignoring the examples, ignoring the
documentation, and ignoring the responses on this list.

> Please point me out what may have possibly gone wrong.

  We did.  You were given clear directions on what to do.  You failed to
follow the directions.

  At this point, I have to say that there's no point in you continuing
to post questions until you've managed to follow the instructions to
your previous questions.

  Alan DeKok.
Re: freeradius with multiple ldap servers
Hello Alan and Ivan
My intent is not to pester you with my queries but the problem is still
what it was initially. I'll once again tell you the configuration that I
am using.

radiusd.conf---

/* Most of the stuff is untouched.
*/

/* Added authenticate{} and authorize{} section */

authenticate {
        ldap1
        ldap2
}

authorize{
        ldap1
        ldap2
}

-module/ldap--

ldap ldap1{
        #
        #  Note that this needs to match the name in the LDAP
        #  server certificate, if you're using ldaps.
        server = ""
        identity = "."
        password = .
        basedn = "ou=People,dc=example,dc=com"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        ldap_connections_number = 5
        password_header="{crypt}"
        password_attribute=userPassword
        password_radius_attribute=Crypt-Password
        .
}

ldap ldap1{
        #
        #  Note that this needs to match the name in the LDAP
        #  server certificate, if you're using ldaps.
        server = ""
        identity = "."
        password = .
        basedn = "ou=People,dc=example,dc=com"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        ldap_connections_number = 5
        password_header="{crypt}"
        password_attribute=userPassword
        password_radius_attribute=Crypt-Password
        .
}

'users' and 'client' files are unchanged.

I run the server with the following command line options.

'radiusd -X'

To test I run the radtest tool with the following option.

radtest catch "catchall" localhost 2 testing123

Here catch and catchall are user and password in the LDAP database
created from a unix account on the host hosting the LDAP database. The
migration from the regular unix /etc/passwd to the LDIF file was done
using the migration tools.

The reply received was rad_recv: Access-Reject.

The following was the debug output from the server.

rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=catch)
rlm_ldap: Added User-Password = $1$FYblmPWy$fmgebhCOLpHvhdECNP4EG0 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user catch authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap2] returns ok
!!!
!!!Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> catch
 attr_filter: Matched entry DEFAULT at line 11

Please point me out what may have possibly gone wrong.

Another observation :
1. When I try to test using the username 'try' stored in the other ldap
database, it doesn't search in the other LDAP server but only searches
in the one which doesn't have it and fails.
2. The problem in (1) doesn't occur when I comment out the
'password_attribute' line in the modules/ldap file. It then searches the
appropriate LDAP database, however fails with the following output.

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials

Please advise.

Thanks
Sambuddho

On Sun, 2008-07-06 at 08:06 +0200, Alan DeKok wrote:
> Sambuddho Chakravarty wrote:
> > Does that mean that I cannot authenticate against a LDAP server from a
> > freeradius server using cleartext passwords.
>
>   No.  That is not what he said.
>
> > So the freeradius client
> > needs to send the password in encrypted format.
>
>   No.  That is not what he said.
>
> > But other programs which
> > using LDAP server to authenticate (eg. the pam_ldap ) takes as input the
> > cleartext password.
>
>   We know.  We've been doing this for years.
>
> > Is there a solution to this ?
>
>   Do what Ivan said.
>
> > Maybe I am mistaken somewhere.
>
>   Lots.
>
> > Please let me know.
>
>   We're trying to help you.  It's not working.
>
>   Alan DeKok.
Re: freeradius with multiple ldap servers
Sambuddho Chakravarty wrote:
> Does that mean that I cannot authenticate against a LDAP server from a
> freeradius server using cleartext passwords.

  No.  That is not what he said.

> So the freeradius client
> needs to send the password in encrypted format.

  No.  That is not what he said.

> But other programs which
> using LDAP server to authenticate (eg. the pam_ldap ) takes as input the
> cleartext password.

  We know.  We've been doing this for years.

> Is there a solution to this ?

  Do what Ivan said.

> Maybe I am mistaken somewhere.

  Lots.

> Please let me know.

  We're trying to help you.  It's not working.

  Alan DeKok.
Re: freeradius with multiple ldap servers
Interestingly the bind as the root DN works with password supplied in
clear-text through the ldap {} module...

Thanks
Sambuddho

On Sat, 2008-07-05 at 18:03 -0400, Sambuddho Chakravarty wrote:
> Hello Ivan
> Does that mean that I cannot authenticate against a LDAP server from a
> freeradius server using cleartext passwords. So the freeradius client
> needs to send the password in encrypted format. But other programs which
> using LDAP server to authenticate (eg. the pam_ldap ) takes as input the
> cleartext password. Is there a solution to this ? Maybe I am mistaken
> somewhere. Please let me know.
> Thanks
> Sambuddho
> On Fri, 2008-07-04 at 09:56 +0100, Ivan Kalik wrote:
> > > Problem still persists. What do you mean by the {crypt} header.
> >
> > From RFC2256:
> >
> > 5.36. userPassword
> >
> > ( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch
> > SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
> >
> > Passwords are stored using an Octet String syntax and are not
> > encrypted.
> >
> > Since you are intent on violating RFC you need to add a password header
> > to indicate what type of encryption is used.
> >
> > >rlm_ldap: waiting for bind result ...
> > >rlm_ldap: Bind failed with invalid credentials
> > >++[ldap1] returns reject
> > >auth: Failed to validate the user.
> >
> > Without the header userPassword is treated as clear text (not crypted
> > value) and that doesn't match.
> >
> > Ivan Kalik
> > Kalik Informatika ISP
Re: freeradius with multiple ldap servers
Hello Ivan
Does that mean that I cannot authenticate against a LDAP server from a
freeradius server using cleartext passwords. So the freeradius client
needs to send the password in encrypted format. But other programs which
using LDAP server to authenticate (eg. the pam_ldap ) takes as input the
cleartext password. Is there a solution to this ? Maybe I am mistaken
somewhere. Please let me know.

Thanks
Sambuddho

On Fri, 2008-07-04 at 09:56 +0100, Ivan Kalik wrote:
> > Problem still persists. What do you mean by the {crypt} header.
>
> From RFC2256:
>
> 5.36. userPassword
>
> ( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
>
> Passwords are stored using an Octet String syntax and are not
> encrypted.
>
> Since you are intent on violating RFC you need to add a password header
> to indicate what type of encryption is used.
>
> >rlm_ldap: waiting for bind result ...
> >rlm_ldap: Bind failed with invalid credentials
> >++[ldap1] returns reject
> >auth: Failed to validate the user.
>
> Without the header userPassword is treated as clear text (not crypted
> value) and that doesn't match.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: freeradius with multiple ldap servers
> Problem still persists. What do you mean by the {crypt} header.

From RFC2256:

5.36. userPassword

( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )

Passwords are stored using an Octet String syntax and are not
encrypted.

Since you are intent on violating RFC you need to add a password header
to indicate what type of encryption is used.

>rlm_ldap: waiting for bind result ...
>rlm_ldap: Bind failed with invalid credentials
>++[ldap1] returns reject
>auth: Failed to validate the user.

Without the header userPassword is treated as clear text (not crypted
value) and that doesn't match.

Ivan Kalik
Kalik Informatika ISP
Re: freeradius with multiple ldap servers
Hello Ivan
Problem still persists. What do you mean by the {crypt} header. These
are simple /etc/passwd file converted into a ldif database using LDAP
Migration Scripts from padl.com

This is what the logs look like (supplied clear text passwd - from radtest)

rlm_ldap: bind as uid=try,ou=People,dc=example,dc=com/trialanderror to 30.0.0.2:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
++[ldap1] returns reject
auth: Failed to validate the user.
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> try
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated

Thanks
Sambuddho

On Wed, 2008-07-02 at 23:45 +0100, Ivan Kalik wrote:
> http://wiki.freeradius.org/index.php/Rlm_ldap
>
> See use of password_header and password_attribute.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 2/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> writes:
>
> >Hello
> > I think I know what the problem is. The radius server is looking up
> >using cleartext password, while the LDAP data base stores the hashed
> >passwords. How can I force the radius server to search for the password
> >as a hashed value (rather than searching for the clear-text value) ?
> >
> >Thanks
> >Sambuddho
> >On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
> >> Hello Alan
> >> I made sure this time that rlm_ldap was compiled. Now the following is
> >> the configuration
> >>
> >> --/etc/raddb/modules/ldap---
> >>
> >> ldap ldap1 {
> >>        server = "a.b.c.d"
> >>        ...
> >> }
> >>
> >> ldap ldap2 {
> >>        server = "w.x.y.z"
> >>        ...
> >> }
> >>
> >> -/etc/raddb/radiusd.conf-
> >>
> >>
> >> authorize {
> >>        ldap1
> >>
> >>        ldap2
> >>
> >> }
> >>
> >> authenticate {
> >>        ldap1
> >>        ldap2
> >> }
> >>
> >>
> >>
> >> When I execute /sbin/radiusd -X
> >>
> >> It shows instantiating module ldap1 and module ldap2
> >>
> >>
> >> Module: Instantiating ldap2
> >>  ldap ldap1 {
> >>        server = "a.b.c.d"
> >>        port = 389
> >>
> >> Module: Instantiating ldap2
> >>  ldap ldap2 {
> >>        server = "w.x.y.z"
> >>        port = 389
> >>
> >>
> >> When sending a radtest request using the following command (from the
> >> same machine as one which is running the server)
> >>
> >> $ radtest user "secret" localhost 2 testing123
> >>
> >> I get ACCESS-REJECT reply from the server.
> >>
> >> On the server the logs show something like this
> >> ---
> >> It shows binding to both LDAP servers one by one through something like
> >> this :
> >>
> >> rlm_ldap: performing user authorization for catch
> >> WARNING: Deprecated conditional expansion ":-". See "man unlang" for
> >> details
> >>        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
> >>        expand: ou=People,dc=example,dc=example ->
> >> ou=People,dc=example,dc=example
> >> rlm_ldap: ldap_get_conn: Checking Id: 0
> >> rlm_ldap: ldap_get_conn: Got Id: 0
> >> rlm_ldap: attempting LDAP reconnection
> >> rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0
> >> rlm_ldap: bind as / to 30.0.0.2:389
> >> rlm_ldap: waiting for bind result ...
> >> rlm_ldap: Bind was successful
> >> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
> >> filter (uid=catch)
> >> rlm_ldap: object not found or got ambiguous search result
> >> rlm_ldap: search failed
> >> rlm_ldap: ldap_release_conn: Release Id: 0
> >> ++[ldap1] returns notfound
> >> rlm_ldap: - authorize
> >> rlm_ldap: performing user authorization for catch
> >> WARNING: Deprecated conditional expansion ":-". See "man unlang" for
> >> details
> >>        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
> >>        expand: ou=People,dc=example,dc=example ->
> >> ou=People,dc=example,dc=example
> >> rlm_ldap: ldap_get_conn: Checking Id: 0
> >> rlm_ldap: ldap_get_conn: Got Id: 0
> >> rlm_ldap: attempting LDAP reconnection
> >> rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0
> >> rlm_ldap: bind as / to 10.0.0.1:389
> >> rlm_ldap: waiting for bind result ...
> >> rlm_ldap: Bind was successful
> >> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
> >> filter (uid=catch)
> >> rlm_ldap: object not found or got ambiguous search result
> >> rlm_ldap: search failed
> >> rlm_ldap: ldap_release_conn: Release Id: 0
> >> ++[ldap2] returns notfound
> >>
> >> auth: No authenticate method (Auth-Type) configuration found for the
> >> request: Rejecting the user
> >> auth: Failed to validate the user.
> >>
> >> You can see it is attempting to search both databases but fails. If I
> >> use a simple telnet or ssh to authenticate against the LDAP server it
> >> logs in fi
Re: Freeradius-Users Digest, Vol 39, Issue 18 topic 5:freeradiuswith multiple ldap servers
>> >ldap ldap1{
>> >
>> >
>> >        identity = (root DN)
>> >        password = (password for the root DN)
>> >
>> >        password_header="{crypt}"
>> >        password_attribute=Crypt-Password
>
>Yes changed this to password_radius_attribute=Crypt-Password
>
>However, if I change the password_attribute=userPassword, the auth type
>is detected wrongly as Local
>

OK. I had a quick look at the code. It looks like you don't need to use
any of those settings at all. You should have a {crypt} header in
userPassword field and ldap module will put the value into appropriate
attribute on its own (it has auto-header discovery now).

Ivan Kalik
Kalik Informatika ISP
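Ivan's point in this reply, and in his RFC 2256 reply further down the page, comes down to how a userPassword value is read: the {scheme} header tells the consumer which "known good" attribute the value belongs in, while a hash stored with no header is compared literally as clear text and can never match the typed password. The following Python is an added example written for this page, not code from FreeRADIUS or from anyone in the thread; the header-to-attribute table is a simplified model of the rlm_ldap/rlm_pap behaviour the thread describes, and the {SSHA} test data is constructed.

```python
"""
Added example (not FreeRADIUS code): interpret an LDAP userPassword
value the way the thread describes, header first, then compare.
"""
import base64
import hashlib
import hmac

# {scheme} header -> RADIUS "known good" password attribute.  The
# attribute names are the real FreeRADIUS ones; the table itself is a
# simplified model written for this example, not rlm_ldap's own code.
HEADER_TO_ATTRIBUTE = {
    "": "Cleartext-Password",          # no header: value taken literally
    "{CLEAR}": "Cleartext-Password",
    "{CLEARTEXT}": "Cleartext-Password",
    "{CRYPT}": "Crypt-Password",
    "{MD5}": "MD5-Password",
    "{SMD5}": "SMD5-Password",
    "{SHA}": "SHA-Password",
    "{SSHA}": "SSHA-Password",
}


def split_header(stored):
    """Return (HEADER, payload). HEADER is '' when there is no {scheme}
    prefix; it is upper-cased so {crypt} and {CRYPT} are the same."""
    if stored.startswith("{") and "}" in stored:
        close = stored.index("}")
        return stored[:close + 1].upper(), stored[close + 1:]
    return "", stored


def radius_attribute_for(stored):
    """Which attribute the value would be placed in; None if unknown."""
    header, _ = split_header(stored)
    return HEADER_TO_ATTRIBUTE.get(header)


def verify_password(stored, supplied):
    """Compare a typed password against a stored userPassword value.
    Without a header the stored value is compared as clear text, so a
    crypt(3) hash stored bare never matches, which is the thread's bug."""
    header, payload = split_header(stored)
    attr = HEADER_TO_ATTRIBUTE.get(header)
    if attr is None:
        raise ValueError("unknown password scheme %r" % header)
    pw = supplied.encode()
    if attr == "Cleartext-Password":
        return hmac.compare_digest(payload.encode(), pw)
    if attr == "Crypt-Password":
        try:
            import crypt  # stdlib crypt(3) wrapper; removed in Python 3.13
        except ImportError:
            raise RuntimeError("crypt(3) not available on this Python")
        return hmac.compare_digest(crypt.crypt(supplied, payload), payload)
    raw = base64.b64decode(payload)   # RFC 2307 schemes are base64 blobs
    if attr == "SHA-Password":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if attr == "SSHA-Password":
        digest, salt = raw[:20], raw[20:]   # 20-byte SHA-1 then the salt
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if attr == "MD5-Password":
        return hmac.compare_digest(hashlib.md5(pw).digest(), raw)
    if attr == "SMD5-Password":
        digest, salt = raw[:16], raw[16:]   # 16-byte MD5 then the salt
        return hmac.compare_digest(hashlib.md5(pw + salt).digest(), digest)
    raise AssertionError("unreachable")


def encode_password(header, password, salt=b""):
    """Build a stored userPassword value in the given scheme (helper for
    constructing test data; crypt values must come from crypt(3))."""
    pw = password.encode()
    h = header.upper()
    if h in ("", "{CLEAR}", "{CLEARTEXT}"):
        return header + password
    if h == "{SHA}":
        raw = hashlib.sha1(pw).digest()
    elif h == "{SSHA}":
        raw = hashlib.sha1(pw + salt).digest() + salt
    elif h == "{MD5}":
        raw = hashlib.md5(pw).digest()
    elif h == "{SMD5}":
        raw = hashlib.md5(pw + salt).digest() + salt
    else:
        raise ValueError("cannot construct scheme %r" % header)
    return header + base64.b64encode(raw).decode()


if __name__ == "__main__":
    # The hash from the thread's debug output, once bare and once with
    # the header Ivan asked for.
    bare = "$1$FYblmPWy$fmgebhCOLpHvhdECNP4EG0"
    print(radius_attribute_for(bare), verify_password(bare, "catchall"))
    print(radius_attribute_for("{crypt}" + bare))
```

Run with the value from the thread, the bare hash lands in Cleartext-Password and the comparison fails, which is exactly the "auth: user supplied User-Password does NOT match local User-Password" outcome posted above.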
Re: Freeradius-Users Digest, Vol 39, Issue 18 topic 5: freeradiuswith multiple ldap servers
Hello Ivan
Problem still the same
I changed :-

On Thu, 2008-07-03 at 22:20 +0100, Ivan Kalik wrote:
> >
> >Added to ldap.attrmap
> >---
> >checkItem Crypt-Password userPassword
> >

Removed this from ldap.attrmap

> Don't do that. userPassword is already mapped in ldap module:
>
>         # password_attribute: Define the attribute which contains the user
>         # password.
>         # While integrating FreeRADIUS with Novell eDirectory, set
>         # 'password_attribute = nspmpassword' in order to use the universal
>         # password of the eDirectory users for RADIUS authentication. This will
>         # work only if FreeRADIUS is configured to build with --with-edir option.
>         #
>         # default: NULL - don't add password
>         #
>         # password_attribute = "userPassword"
>
>         # password_radius_attribute: Defined the RADIUS attribute where the
> extracted
>         # user password will be stored to. Can be used to set it to NT-Password
> or any
>         # other similar attribute instead of the default
>         #
>         # default: User-Password
>         #
>         # password_radius_attribute = "NT-Password"
>
> >Added to modules/ldap
> >
> >
> >ldap ldap1{
> >
> >
> >        identity = (root DN)
> >        password = (password for the root DN)
> >
> >        password_header="{crypt}"
> >        password_attribute=Crypt-Password

Yes changed this to password_radius_attribute=Crypt-Password

However, if I change the password_attribute=userPassword, the auth type
is detected wrongly as Local

auth: type Local
auth: user supplied User-Password does NOT match local User-Password

Thanks
Sambuddho

> No, not password_attribute but password_radius_attribute.
> password_attribute should remain userPassword (as it is by default).
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Freeradius-Users Digest, Vol 39, Issue 18 topic 5: freeradiuswith multiple ldap servers
>
>Added to ldap.attrmap
>---
>checkItem Crypt-Password userPassword
>

Don't do that. userPassword is already mapped in ldap module:

        # password_attribute: Define the attribute which contains the user
        # password.
        # While integrating FreeRADIUS with Novell eDirectory, set
        # 'password_attribute = nspmpassword' in order to use the universal
        # password of the eDirectory users for RADIUS authentication. This will
        # work only if FreeRADIUS is configured to build with --with-edir option.
        #
        # default: NULL - don't add password
        #
        # password_attribute = "userPassword"

        # password_radius_attribute: Defined the RADIUS attribute where the extracted
        # user password will be stored to. Can be used to set it to NT-Password or any
        # other similar attribute instead of the default
        #
        # default: User-Password
        #
        # password_radius_attribute = "NT-Password"

>Added to modules/ldap
>
>
>ldap ldap1{
>
>
>        identity = (root DN)
>        password = (password for the root DN)
>
>        password_header="{crypt}"
>        password_attribute=Crypt-Password

No, not password_attribute but password_radius_attribute.
password_attribute should remain userPassword (as it is by default).

Ivan Kalik
Kalik Informatika ISP
Re: Freeradius-Users Digest, Vol 39, Issue 18 topic 5: freeradius with multiple ldap servers
> > Andy
> >
> > [EMAIL PROTECTED] wrote:
> > > Message: 5
> > > Date: Thu, 03 Jul 2008 12:50:25 -0400
> > > From: Sambuddho Chakravarty <[EMAIL PROTECTED]>
> > > Subject: Re: freeradius with multiple ldap servers
> > > To: FreeRadius users mailing list
> > > Message-ID: <[EMAIL PROTECTED]>
> > > Content-Type: text/plain; charset=utf-8
> > >
> > > Hello Ivan
> > > But I don't have a field in the database by that name. The name of the
> > > field is "userPassword". This is what the openLDAP migration scripts
> > > generated. Please let me know what mistake I am doing. Also, my
> > > question on failover. Is the failover used when the first LDAP server is
> > > down / unresponsive to connection attempts or when it is not able to
> > > authenticate (example bad username / password) ?
> > >
> > > Thanks
> > > Sambuddho
> > > On Thu, 2008-07-03 at 10:24 +0100, Ivan Kalik wrote:
> > >
> > >> Password (radius) attribute should be Crypt-Password not User-Password.
> > >>
> > >> Ivan Kalik
> > >> Kalik Informatika ISP
> > >>
> > >>
> > >> On 3/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> writes:
> > >>
> > >>
> > >>> Hello
> > >>>
> > >>> I set the password_header to = {crypt} and password_attribute to
> > >>> "userPassword" (That's the name of the field in the database). Now this
> > >>> is what the logs show,
> > >>>
> > >>> rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter
> > >>> (uid=try)
> > >>> rlm_ldap: Added User-Password = $1$n48a7wCp$RfvlOx1pZgiVNfmMmA2xS. in
> > >>> check items
> > >>> rlm_ldap: looking for check items in directory...
> > >>> rlm_ldap: looking for reply items in directory...
> > >>> rlm_ldap: user try authorized to use remote access
> > >>> rlm_ldap: ldap_release_conn: Release Id: 0
> > >>> +++[ldap1] returns ok
> > >>> ++- policy redundant returns ok
> > >>> !!!
> > >>> !!!Replacing User-Password in config items with
> > >>> Cleartext-Password. !!!
> > >>> !!!
> > >>> !!! Please update your configuration so that the "known
> > >>> good" !!!
> > >>> !!! clear text password is in Cleartext-Password, and not in
> > >>> User-Password. !!!
> > >>> !!!
> > >>> auth: type Local
> > >>> auth: user supplied User-Password does NOT match local User-Password
> > >>> auth: Failed to validate the user.
> > >>> Found Post-Auth-Type Reject
> > >
Re: Freeradius-Users Digest, Vol 39, Issue 18 topic 5: freeradius with multiple ldap servers
Hi Andy,

Thanks a lot. The problem is that I have a file named ldap inside the /etc/raddb/modules directory and it has two ldap modules, ldap1 and ldap2.

ldap ldap1 {
        server =
        identity = (set the appropriate CN)
        password = password for the above CN
        basedn = "ou=People,dc=example,dc=com"
        ...
}

ldap ldap2 {
        server =
        identity = (set the appropriate CN)
        password = password for the above CN
        basedn = "ou=People,dc=example,dc=com"
        ...
}

The first server has a user named 'try' and the second one has a user named 'catch'. When I try to perform authentication using the radtest tool with the username and password (say for try), it searches in the LDAP server which doesn't have it and doesn't search the one which actually has the username. When I try with username 'catch', it finds the username and the password but then it goes into auth: type Local and fails.

WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
        expand: ou=People,dc=example,dc=com -> ou=People,dc=example,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=catch)
rlm_ldap: Added User-Password = $1$FYblmPWy$fmgebhCOLpHvhdECNP4EG0 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user catch authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap2] returns ok
!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> catch
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 48 to 127.0.0.1 port 1025
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 48 with timestamp +39
Ready to process requests.

I know it's trivial, but I have now been struggling with this for a long time. (FreeRADIUS version: 2.0.5)

Thanks
Sambuddho

On Thu, 2008-07-03 at 12:35 -0700, Andy An wrote:
> Hi Sambuddho:
>
> I met a similar problem a few weeks ago.
> You need to set the ldap identity/password for your FreeRADIUS server at
> modules/ldap:
> e.g. mine is like:
>
> server = "ldap.xxx.ca"
> identity = "cn=radius,ou=Applications,dc=xxx,dc=ca"
> password = "password"
> basedn = "ou=People,dc=xxx,dc=ca"
>
> The default setting is a "read-only" anonymous search (i.e. without
> identity/password setting) and it will fail because the ldap server does not
> allow anonymous search for other users' passwords.
> Hope this is helpful.
>
> Andy
Re: freeradius with multiple ldap servers
> But I don't have a field in the database by that name.

No, you don't. I am talking about the ldap section of radiusd.conf. You need to set the appropriate radius password attribute.

http://wiki.freeradius.org/index.php/Rlm_ldap

> Also, my question on failover. Is the failover used when the first LDAP server is
> down / unresponsive to connection attempts or when it is not able to
> authenticate (example bad username / password)?

No response or no user in that ldap database. If the user is present but the password is wrong, the user will be rejected.

Ivan Kalik
Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
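The two fail-over behaviours Ivan distinguishes above ("no response" versus "no user in that directory") are driven by different return codes in FreeRADIUS 2.x unlang. The following is an added example written for this page, not a configuration posted in the thread or shipped with FreeRADIUS; it assumes module instances named ldap1 and ldap2 as in the thread, the stock `default` virtual server, and that the directories hold a crypt(3) hash the radius bind account is allowed to read.

```text
# sites-enabled/default (FreeRADIUS 2.x unlang). Added example for this page;
# ldap1/ldap2 are the instance names from the thread, everything else is assumed.
authorize {
    preprocess

    # Fail-over on "the user is not in this directory": rlm_ldap returns
    # notfound when the search matches no entry (see "++[ldap1] returns
    # notfound" in the logs). A plain module list keeps going on notfound,
    # so ldap2 is queried only when ldap1 had no entry for the user.
    ldap1
    if (notfound) {
        ldap2
    }

    # Fail-over on "the directory is unreachable" would instead be written
    #
    #     redundant {
    #         ldap1
    #         ldap2
    #     }
    #
    # redundant moves on to the next module only when the previous one
    # returns fail (connect or bind error), not on notfound. With both
    # servers up, a user that exists only in ldap2 is therefore never looked
    # up there when the two instances are wrapped in redundant.

    # rlm_pap sets Auth-Type = PAP for a request that carries User-Password,
    # and in authenticate verifies it against whatever "known good" check
    # item the directory lookup added (Cleartext-Password, Crypt-Password, ...).
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
}
```

Use `radiusd -X` and watch the `++[ldap1] returns ...` / `++[ldap2] returns ...` lines: `notfound` on the first and a lookup on the second confirms the `if (notfound)` path; `fail` on the first is the only code that makes a `redundant` block try the second.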
Re: Freeradius-Users Digest, Vol 39, Issue 18 topic 5: freeradius with multiple ldap servers
Hi Sambuddho:

I met a similar problem a few weeks ago.
You need to set the ldap identity/password for your FreeRADIUS server at modules/ldap:
e.g. mine is like:

server = "ldap.xxx.ca"
identity = "cn=radius,ou=Applications,dc=xxx,dc=ca"
password = "password"
basedn = "ou=People,dc=xxx,dc=ca"

The default setting is a "read-only" anonymous search (i.e. without identity/password setting) and it will fail because the ldap server does not allow anonymous search for other users' passwords.
Hope this is helpful.

Andy

> Message: 5
> Date: Thu, 03 Jul 2008 12:50:25 -0400
> From: Sambuddho Chakravarty <[EMAIL PROTECTED]>
> Subject: Re: freeradius with multiple ldap servers
> To: FreeRadius users mailing list
>
> Hello Ivan
> But I don't have a field in the database by that name. The name of the
> field is "userPassword". This is what the openLDAP migration scripts
> generated. Please let me know what mistake I am making. Also, my
> question on failover. Is the failover used when the first LDAP server is
> down / unresponsive to connection attempts or when it is not able to
> authenticate (example bad username / password)?
>
> Thanks
> Sambuddho
Re: freeradius with multiple ldap servers
Hello Ivan

But I don't have a field in the database by that name. The name of the field is "userPassword". This is what the openLDAP migration scripts generated. Please let me know what mistake I am making. Also, my question on failover: is the failover used when the first LDAP server is down / unresponsive to connection attempts, or when it is not able to authenticate (for example, bad username / password)?

Thanks
Sambuddho

On Thu, 2008-07-03 at 10:24 +0100, Ivan Kalik wrote:
> Password (radius) attribute should be Crypt-Password not User-Password.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: freeradius with multiple ldap servers
Password (radius) attribute should be Crypt-Password not User-Password.

Ivan Kalik
Kalik Informatika ISP

On 3/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> writes:

> Hello
>
> I set the password_header to = {crypt} and password_attribute to
> "userPassword" (that's the name of the field in the database). Now this
> is what the logs show,
>
> rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=try)
> rlm_ldap: Added User-Password = $1$n48a7wCp$RfvlOx1pZgiVNfmMmA2xS. in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user try authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> +++[ldap1] returns ok
> ++- policy redundant returns ok
> !!!
> !!! Replacing User-Password in config items with Cleartext-Password. !!!
> !!!
> !!! Please update your configuration so that the "known good" !!!
> !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
> !!!
> auth: type Local
> auth: user supplied User-Password does NOT match local User-Password
> auth: Failed to validate the user.
> Found Post-Auth-Type Reject
> +- entering group REJECT
>         expand: %{User-Name} -> try
>  attr_filter: Matched entry DEFAULT at line 11
>
> My guess is authorize{} worked but not authenticate {}. Also, I see
> both modules ldap1 and ldap2 being loaded, but whenever I try to
> authenticate with the username/password that is found in ldap2, the
> radius server never attempts to connect to the other LDAP server.
> Instead it searches for the entries in ldap1's server only.
>
> Any suggestions?
>
> Thanks
> Sambuddho
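Why the name of the check item matters: the `$1$...` strings in the logs are crypt(3) MD5 hashes, and a server that is handed one as User-Password can only compare the typed password with the literal hash text, which is exactly the "does NOT match" failure above. The script below is an added example for this page, not code from the thread or from FreeRADIUS. It implements the md5crypt scheme behind `$1$` values and contrasts the literal comparison with the recomputation a Crypt-Password check item implies. The password and salt in it are constructed and have nothing to do with the real 'try' account.

```python
"""md5crypt ($1$) verification: User-Password vs Crypt-Password semantics.

Added example, not FreeRADIUS code. The salt "Wx9pQ2aZ" and password
"correct horse" used below are constructed for the demonstration.
"""
import hashlib
import hmac

_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_MAGIC = b"$1$"


def _to64(value: int, count: int) -> bytes:
    """crypt(3)-style base64: emit COUNT characters, least significant 6 bits first."""
    out = bytearray()
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password: str, salt: str) -> str:
    """Return the $1$salt$hash string for PASSWORD (FreeBSD md5crypt, the
    scheme glibc crypt(3) uses for '$1$' and that OpenLDAP stores under a
    {crypt} header in userPassword)."""
    pw = password.encode()
    sl = salt.encode()[:8]                      # at most 8 salt characters
    if b"$" in sl:
        raise ValueError("salt must not contain '$'")

    alt = hashlib.md5(pw + sl + pw).digest()    # the "alternate" sum
    ctx = hashlib.md5(pw + _MAGIC + sl)
    remaining = len(pw)
    while remaining > 0:                        # one alt block per 16 pw bytes
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    i = len(pw)                                 # the bit-walk over len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):                       # stretching rounds
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sl)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()

    f = final
    enc = b"".join([
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4),
        _to64((f[1] << 16) | (f[7] << 8) | f[13], 4),
        _to64((f[2] << 16) | (f[8] << 8) | f[14], 4),
        _to64((f[3] << 16) | (f[9] << 8) | f[15], 4),
        _to64((f[4] << 16) | (f[10] << 8) | f[5], 4),
        _to64(f[11], 2),
    ])
    return (_MAGIC + sl + b"$" + enc).decode()


def strip_ldap_header(value: str) -> tuple[str, str]:
    """Split an LDAP userPassword value like '{crypt}$1$...' into
    (scheme, payload); a value without a header is returned as ('', value)."""
    if value.startswith("{") and "}" in value:
        end = value.index("}")
        return value[1:end].lower(), value[end + 1:]
    return "", value


def verify_as_user_password(supplied: str, stored: str) -> bool:
    """The misconfigured path: the directory value was added as a
    User-Password check item, so the typed password is compared with the
    hash string itself. Only typing the hash would ever match."""
    return hmac.compare_digest(supplied.encode(), stored.encode())


def verify_as_crypt_password(supplied: str, stored: str) -> bool:
    """The Crypt-Password path: re-run crypt(3) with the salt from the
    stored value and compare the resulting hash strings."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "1":
        return False                            # not an md5crypt string
    recomputed = md5_crypt(supplied, parts[2])
    return hmac.compare_digest(recomputed.encode(), stored.encode())


if __name__ == "__main__":
    directory_value = "{crypt}" + md5_crypt("correct horse", "Wx9pQ2aZ")
    scheme, payload = strip_ldap_header(directory_value)
    print(scheme, payload)
    print("as User-Password :", verify_as_user_password("correct horse", payload))
    print("as Crypt-Password:", verify_as_crypt_password("correct horse", payload))
```

The first verification prints False and the second True for the same correct password, which is the whole difference between the failing configuration in the logs and Ivan's advice.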
Re: freeradius with multiple ldap servers
Hello,

Maybe I didn't ask the correct question previously. Is it that failover works only when the first LDAP server is not reachable? In my case both servers are reachable. I want to configure a case where, if the login fails in one of the servers, the other one is tried.

Thanks
Sambuddho

On Wed, 2008-07-02 at 23:45 +0100, Ivan Kalik wrote:
> http://wiki.freeradius.org/index.php/Rlm_ldap
>
> See use of password_header and password_attribute.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: freeradius with multiple ldap servers
Hello

I set the password_header to = {crypt} and password_attribute to "userPassword" (that's the name of the field in the database). Now this is what the logs show,

rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=try)
rlm_ldap: Added User-Password = $1$n48a7wCp$RfvlOx1pZgiVNfmMmA2xS. in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user try authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap1] returns ok
++- policy redundant returns ok
!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> try
 attr_filter: Matched entry DEFAULT at line 11

My guess is authorize{} worked but not authenticate {}. Also, I see both modules ldap1 and ldap2 being loaded, but whenever I try to authenticate with the username/password that is found in ldap2, the radius server never attempts to connect to the other LDAP server. Instead it searches for the entries in ldap1's server only.

Any suggestions?

Thanks
Sambuddho

On Wed, 2008-07-02 at 23:45 +0100, Ivan Kalik wrote:
> http://wiki.freeradius.org/index.php/Rlm_ldap
>
> See use of password_header and password_attribute.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: freeradius with multiple ldap servers
http://wiki.freeradius.org/index.php/Rlm_ldap See use of password_header and password_attribute. Ivan Kalik Kalik Informatika ISP Dana 2/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> piše: >Hello > I think I know what the problem is. The radius server is looking up >using cleartext password , while the LDAP data base stores the hashed >passwords. How can I force the radiuse server to search for the password >as a hashed value (rather than searching for the clear-text value) ? > >Thanks >Sambuddho >On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote: >> Hello Alan >> I made sure this time that rlm_ldap was compiled. Now the following is >> the configuration >> >> --/etc/raddb/modules/ldap--- >> >> ldap ldap1 { >> server = "a.b.c.d" >> ... >> } >> >> ldap ldap2 { >> server = "w.x.y.z" >> ... >> } >> >> -/etc/raddb/radiusd.conf- >> >> >> authorize { >>ldap1 >> >> ldap2 >> >> } >> >>authenticate { >> ldap1 >> ldap2 >> } >> >> >> >> When I execute /sbin/radiusd -X >> >> It shows instantiating module ldap1 and module ldap2 >> >> >> Module: Instantiating ldap2 >> ldap ldap1 { >> server = "a.b.c.d" >> port = 389 >> >> Module: Instantiating ldap2 >> ldap ldap2 { >> server = "w.x.y.z" >> port = 389 >> >> >> When sending a radtest request using the following command (from the >> same machine as one which is running the server) >> >> $ radtest user "secret" localhost 2 testing123 >> >> I get ACCESS-REJECT reply from the sever. >> >> On the server the logs show something like this >> --- >> It shows binding to both LDAP servers one by one through something like >> this : >> >> rlm_ldap: performing user authorization for catch >> WARNING: Deprecated conditional expansion ":-". 
See "man unlang" for >> details >> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch) >> expand: ou=People,dc=example,dc=example -> >> ou=People,dc=example,dc=example >> rlm_ldap: ldap_get_conn: Checking Id: 0 >> rlm_ldap: ldap_get_conn: Got Id: 0 >> rlm_ldap: attempting LDAP reconnection >> rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0 >> rlm_ldap: bind as / to 30.0.0.2:389 >> rlm_ldap: waiting for bind result ... >> rlm_ldap: Bind was successful >> rlm_ldap: performing search in ou=People,dc=example,dc=example, with >> filter (uid=catch) >> rlm_ldap: object not found or got ambiguous search result >> rlm_ldap: search failed >> rlm_ldap: ldap_release_conn: Release Id: 0 >> ++[ldap1] returns notfound >> rlm_ldap: - authorize >> rlm_ldap: performing user authorization for catch >> WARNING: Deprecated conditional expansion ":-". See "man unlang" for >> details >> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch) >> expand: ou=People,dc=example,dc=example -> >> ou=People,dc=example,dc=example >> rlm_ldap: ldap_get_conn: Checking Id: 0 >> rlm_ldap: ldap_get_conn: Got Id: 0 >> rlm_ldap: attempting LDAP reconnection >> rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0 >> rlm_ldap: bind as / to 10.0.0.1:389 >> rlm_ldap: waiting for bind result ... >> rlm_ldap: Bind was successful >> rlm_ldap: performing search in ou=People,dc=example,dc=example, with >> filter (uid=catch) >> rlm_ldap: object not found or got ambiguous search result >> rlm_ldap: search failed >> rlm_ldap: ldap_release_conn: Release Id: 0 >> ++[ldap2] returns notfound >> >> auth: No authenticate method (Auth-Type) configuration found for the >> request: Rejecting the user >> auth: Failed to validate the user. >> >> You can see it is attempting to search both databases but fails. If I >> use a simple telnet or ssh to authenticate against the LDAP server it >> logs in fine. LDAP client login against the LDAP server is otherwise >> working fine. 
I know I have been bothering using trivial question. But >> any help would be appreciated :-) >> >> Thanks in advance. >> Sambuddho >> >> >> >> On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote: >> > Sambuddho Chakravarty wrote: >> > > This is exactly what I did . I forgot to put the separate module names >> > >> > The consistent problems you see make me think that the issue is more >> > than "forgot". >> > >> > > And now when I try to start the server this is what the error I see : >> > > >> > > >> > > server { >> > > modules { >> > > Module: Checking authenticate {...} for more modules to load >> > > //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap': >> > >> > So was that module built? Apparently not... >> > >> > > When trying with a single server ,it matches the radius request against >> > > rlm_pap and not rlm_ldap. I am confused. >> > >> > Perhaps reading the debug output (and that of "configure" and "make") >> > would help. >> > >> > Alan DeKok. >> > - >> > List info/subscr
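An added configuration example, not from Ivan's reply, from this thread or from the FreeRADIUS distribution, showing what "password_header" and "password_attribute" do in FreeRADIUS 2.x and when they are needed at all. The RADIUS server never searches LDAP by password: it either binds to the directory as the user and lets the directory compare, or it reads the stored password value and compares locally. Host names, DNs and the service-account credentials below are assumptions; the remark about which route rlm_ldap picks describes 2.x behaviour as I know it, and "radiusd -X" confirms it by printing "Setting Auth-Type = ldap1" only when the bind route is taken.

```text
# /etc/raddb/modules/ldap  -- added example, FreeRADIUS 2.x syntax.
# Names, DNs and credentials are assumptions.

ldap ldap1 {
	server = "ldap1.example.com"                  # assumed
	basedn = "ou=People,dc=example,dc=com"        # assumed
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

	# Route 1 (preferred): no password handling here at all.  When this
	# instance is also listed in "authenticate", rlm_ldap binds to the
	# directory as the found user's DN with the password from the
	# Access-Request.  The directory does the hash comparison, so
	# FreeRADIUS needs no read access to userPassword.  PAP only.

	# Route 2: FreeRADIUS reads the stored value and compares it itself.
	# Needs a bind identity the directory ALLOWS to read the attribute.
	# The anonymous "bind as /" in the debug log above almost never has
	# that right; the attribute then simply comes back empty.
	identity = "cn=radius,ou=Services,dc=example,dc=com"   # assumed
	password = "change-me"                                 # assumed; chmod 600 this file

	# password_attribute names the attribute holding the password.
	# password_header, if set, is a fixed prefix (e.g. "{clear}") that
	# rlm_ldap strips before handing the value to the server as the
	# known-good password.  Use this pair for an attribute that holds a
	# CLEARTEXT value, possibly behind such a prefix.
	# password_attribute = userPassword
	# password_header = "{clear}"

	# For HASHED values with an RFC 2307 prefix ({SSHA}, {SHA}, {CRYPT},
	# {MD5}) leave the two lines above commented.  The stock 2.x
	# ldap.attrmap maps userPassword to the Password-With-Header check
	# item (verify that the line is present in your copy):
	#     checkItem  Password-With-Header  userPassword
	# and rlm_pap picks the algorithm from the prefix.

	tls {
		start_tls = yes       # route 1 sends the user's password, route 2 the hash
		require_cert = "demand"
	}
	dictionary_mapping = ${confdir}/ldap.attrmap
	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
}

# ldap2: the same block with server = "ldap2.example.com".

# /etc/raddb/sites-enabled/default  -- the sections that tie it together.

authorize {
	preprocess
	ldap1
	ldap2            # runs when ldap1 returned notfound (default authorize fall-through)

	# Route 2: a known-good password is now in the request, so rlm_pap
	# sets Auth-Type := PAP (rlm_ldap leaves Auth-Type alone when it has
	# supplied one).  Route 1: nothing was fetched, the ldap instance
	# that found the user already set Auth-Type := ldap1 (or ldap2), and
	# pap returns noop here.
	pap
}

authenticate {
	Auth-Type PAP {
		pap          # route 2: local comparison against the fetched value
	}
	ldap1            # route 1: bind as the user, against the server that found them
	ldap2
}
```

Whichever route is used, the debug output tells you which one was taken: route 1 shows "Setting Auth-Type = ldap1" in authorize and an LDAP bind as the user's DN in authenticate; route 2 shows rlm_pap doing the comparison and no second bind.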
Re: freeradius with multiple ldap servers
Hello I think I know what the problem is. The radius server is looking up using cleartext password , while the LDAP data base stores the hashed passwords. How can I force the radiuse server to search for the password as a hashed value (rather than searching for the clear-text value) ? Thanks Sambuddho On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote: > Hello Alan > I made sure this time that rlm_ldap was compiled. Now the following is > the configuration > > --/etc/raddb/modules/ldap--- > > ldap ldap1 { > server = "a.b.c.d" > ... > } > > ldap ldap2 { > server = "w.x.y.z" > ... > } > > -/etc/raddb/radiusd.conf- > > > authorize { >ldap1 > > ldap2 > > } > >authenticate { > ldap1 > ldap2 > } > > > > When I execute /sbin/radiusd -X > > It shows instantiating module ldap1 and module ldap2 > > > Module: Instantiating ldap2 > ldap ldap1 { > server = "a.b.c.d" > port = 389 > > Module: Instantiating ldap2 > ldap ldap2 { > server = "w.x.y.z" > port = 389 > > > When sending a radtest request using the following command (from the > same machine as one which is running the server) > > $ radtest user "secret" localhost 2 testing123 > > I get ACCESS-REJECT reply from the sever. > > On the server the logs show something like this > --- > It shows binding to both LDAP servers one by one through something like > this : > > rlm_ldap: performing user authorization for catch > WARNING: Deprecated conditional expansion ":-". See "man unlang" for > details > expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch) > expand: ou=People,dc=example,dc=example -> > ou=People,dc=example,dc=example > rlm_ldap: ldap_get_conn: Checking Id: 0 > rlm_ldap: ldap_get_conn: Got Id: 0 > rlm_ldap: attempting LDAP reconnection > rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0 > rlm_ldap: bind as / to 30.0.0.2:389 > rlm_ldap: waiting for bind result ... 
> rlm_ldap: Bind was successful > rlm_ldap: performing search in ou=People,dc=example,dc=example, with > filter (uid=catch) > rlm_ldap: object not found or got ambiguous search result > rlm_ldap: search failed > rlm_ldap: ldap_release_conn: Release Id: 0 > ++[ldap1] returns notfound > rlm_ldap: - authorize > rlm_ldap: performing user authorization for catch > WARNING: Deprecated conditional expansion ":-". See "man unlang" for > details > expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch) > expand: ou=People,dc=example,dc=example -> > ou=People,dc=example,dc=example > rlm_ldap: ldap_get_conn: Checking Id: 0 > rlm_ldap: ldap_get_conn: Got Id: 0 > rlm_ldap: attempting LDAP reconnection > rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0 > rlm_ldap: bind as / to 10.0.0.1:389 > rlm_ldap: waiting for bind result ... > rlm_ldap: Bind was successful > rlm_ldap: performing search in ou=People,dc=example,dc=example, with > filter (uid=catch) > rlm_ldap: object not found or got ambiguous search result > rlm_ldap: search failed > rlm_ldap: ldap_release_conn: Release Id: 0 > ++[ldap2] returns notfound > > auth: No authenticate method (Auth-Type) configuration found for the > request: Rejecting the user > auth: Failed to validate the user. > > You can see it is attempting to search both databases but fails. If I > use a simple telnet or ssh to authenticate against the LDAP server it > logs in fine. LDAP client login against the LDAP server is otherwise > working fine. I know I have been bothering using trivial question. But > any help would be appreciated :-) > > Thanks in advance. > Sambuddho > > > > On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote: > > Sambuddho Chakravarty wrote: > > > This is exactly what I did . I forgot to put the separate module names > > > > The consistent problems you see make me think that the issue is more > > than "forgot". 
> > > > > And now when I try to start the server this is what the error I see : > > > > > > > > > server { > > > modules { > > > Module: Checking authenticate {...} for more modules to load > > > //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap': > > > > So was that module built? Apparently not... > > > > > When trying with a single server ,it matches the radius request against > > > rlm_pap and not rlm_ldap. I am confused. > > > > Perhaps reading the debug output (and that of "configure" and "make") > > would help. > > > > Alan DeKok. > > - > > List info/subscribe/unsubscribe? See > > http://www.freeradius.org/list/users.html > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius with multiple ldap servers
Hello Alan

I made sure this time that rlm_ldap was compiled. Now the following is the configuration

--/etc/raddb/modules/ldap---

    ldap ldap1 {
        server = "a.b.c.d"
        ...
    }

    ldap ldap2 {
        server = "w.x.y.z"
        ...
    }

-/etc/raddb/radiusd.conf-

    authorize {
        ldap1
        ldap2
    }

    authenticate {
        ldap1
        ldap2
    }

When I execute /sbin/radiusd -X it shows instantiating module ldap1 and module ldap2:

    Module: Instantiating ldap2
     ldap ldap1 {
        server = "a.b.c.d"
        port = 389

    Module: Instantiating ldap2
     ldap ldap2 {
        server = "w.x.y.z"
        port = 389

When sending a radtest request using the following command (from the same machine as the one which is running the server)

    $ radtest user "secret" localhost 2 testing123

I get an ACCESS-REJECT reply from the server.

On the server the logs show something like this. It shows binding to both LDAP servers one by one:

    rlm_ldap: performing user authorization for catch
    WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
    expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
    expand: ou=People,dc=example,dc=example -> ou=People,dc=example,dc=example
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0
    rlm_ldap: bind as / to 30.0.0.2:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    rlm_ldap: performing search in ou=People,dc=example,dc=example, with filter (uid=catch)
    rlm_ldap: object not found or got ambiguous search result
    rlm_ldap: search failed
    rlm_ldap: ldap_release_conn: Release Id: 0
    ++[ldap1] returns notfound
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for catch
    WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
    expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
    expand: ou=People,dc=example,dc=example -> ou=People,dc=example,dc=example
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0
    rlm_ldap: bind as / to 10.0.0.1:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    rlm_ldap: performing search in ou=People,dc=example,dc=example, with filter (uid=catch)
    rlm_ldap: object not found or got ambiguous search result
    rlm_ldap: search failed
    rlm_ldap: ldap_release_conn: Release Id: 0
    ++[ldap2] returns notfound

    auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
    auth: Failed to validate the user.

You can see it is attempting to search both databases but fails. If I use a simple telnet or ssh to authenticate against the LDAP server it logs in fine. LDAP client login against the LDAP server is otherwise working fine. I know I have been bothering you with trivial questions, but any help would be appreciated :-)

Thanks in advance.
Sambuddho

On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote:
> Sambuddho Chakravarty wrote:
> > This is exactly what I did . I forgot to put the separate module names
>
> The consistent problems you see make me think that the issue is more
> than "forgot".
>
> > And now when I try to start the server this is what the error I see :
> >
> > server {
> >  modules {
> >  Module: Checking authenticate {...} for more modules to load
> > //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap':
>
> So was that module built? Apparently not...
>
> > When trying with a single server ,it matches the radius request against
> > rlm_pap and not rlm_ldap. I am confused.
>
> Perhaps reading the debug output (and that of "configure" and "make")
> would help.
>
> Alan DeKok.
Re: freeradius with multiple ldap servers
Sambuddho Chakravarty wrote: > This is exactly what I did . I forgot to put the separate module names The consistent problems you see make me think that the issue is more than "forgot". > And now when I try to start the server this is what the error I see : > > > server { > modules { > Module: Checking authenticate {...} for more modules to load > //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap': So was that module built? Apparently not... > When trying with a single server ,it matches the radius request against > rlm_pap and not rlm_ldap. I am confused. Perhaps reading the debug output (and that of "configure" and "make") would help. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius with multiple ldap servers
Hello

This is exactly what I did. I forgot to put the separate module names here in the email; it is like this:

/etc/raddb/modules/ldap1

    ldap ldap1 {
        ...
    }

/etc/raddb/modules/ldap2---

    ldap ldap2 {
        ..
    }

Or is it that it should be one file?

And now when I try to start the server this is the error I see:

    server {
     modules {
     Module: Checking authenticate {...} for more modules to load
    //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap': rlm_ldap.so: cannot open shared object file: No such file or directory
    //etc/raddb/radiusd.conf[744]: Failed to find module "ldap1".
    //etc/raddb/radiusd.conf[743]: Errors parsing authenticate section.
     }
    }

The radius.conf has this:

    authorize {
        redundant {
            ldap1
            ldap2
        }
    }

    authenticate {
        ldap1
        ldap2
    }

Rest of radius.conf is untouched. When trying with a single server, it matches the radius request against rlm_pap and not rlm_ldap. I am confused.

Thanks
Sambuddho

On Tue, 2008-07-01 at 09:26 +0200, Alan DeKok wrote:
> Sambuddho Chakravarty wrote:
> > Hello
> > But this never really worked. I did exactly this . The ldap1 and ldap2
> > are files with the following
> >
> > /etc/raddb/modules/ldap1
> >
> > ldap {
> ...
> > /etc/raddb/modules/ldap2---
> >
> > ldap {
>
> You have two modules named "ldap". Go read the comments at the top of
> the "modules" section in radiusd.conf.
>
> And before you go any further, PLEASE read the comments in the
> configuration files. You have been told to do this before, and it's
> clear that you either haven't done so, or you haven't understood them.
>
> Alan DeKok.
Re: freeradius with multiple ldap servers
    ldap ldap1 {
        ..
    }

    ldap ldap2 {
        ..
    }

Ivan Kalik
Kalik Informatika ISP

On 1/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> wrote:

>Hello
> But this never really worked. I did exactly this . The ldap1 and ldap2
>are files with the following
>
>/etc/raddb/modules/ldap1
>
>ldap {
>    server = "30.0.0.2"
>    basedn = "ou=People,cu=example,c=com"
>    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>    port = 389
>    ldap_connections_number = 5
>    timeout = 40
>    timelimit = 30
>    net_timeout = 10
>    tls {
>        start_tls = no
>        require_cert = "demand"
>    }
>    dictionary_mapping = ${confdir}/ldap.attrmap
>    edir_account_policy_check = no
>}
>
>/etc/raddb/modules/ldap2---
>
>ldap {
>    server = "10.0.0.1"
>    basedn = "ou=People,cu=example,c=com"
>    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>    port = 389
>    ldap_connections_number = 5
>    timeout = 40
>    timelimit = 30
>    net_timeout = 10
>    tls {
>        start_tls = no
>        require_cert = "demand"
>    }
>    dictionary_mapping = ${confdir}/ldap.attrmap
>    edir_account_policy_check = no
>}
>
>--
>
>The only difference in both files is the LDAP server IP address . When I
>did as I mentioned in my previous email and executed /sbin/radiusd -X -C
>the execution ended with the following error
>
> Module: Checking authenticate {...} for more modules to load
>//etc/raddb/radiusd.conf[757]: Failed to find module "ldap1".
>//etc/raddb/radiusd.conf[756]: Errors parsing authenticate section.
> }
>
>Also , one more observation, when having a single LDAP server and when
>it actually worked fine, the debug messages showed
>
>found rlm_pap.
>
>While I think it should be showing rlm_ldap . Why is this so. But
>authentication worked fine and the client received an ACCESS-ACCEPT
>message as reply.
> >Thanks >Sambuddho > > > > >On Thu, 2008-06-19 at 13:50 -0400, Sambuddho Chakravarty wrote: >> Do you mean something like this >> >> authorize { >> redundant { >> ldap1 >> ldap2 >> } >> } >> >>authenticate { >> ldap1 >> ldap2 >> } >> >> The reason I list them here is to use them for authentication against >> multiple LDAP servers whose configuration information is in the two >> files modules/ldap1 and modules/ldap2. Does this look valid ? >> >> Thanks >> Sambuddho >> >> On Thu, 2008-06-19 at 09:35 +0200, Alan DeKok wrote: >> > Sambuddho Chakravarty wrote: >> > > Yes , but on a freeradius-2.05 , when I create a separate authenticate >> > > {} and authorize {} subsection and plug in the following : >> > > >> > > authorize { >> > >Autz-Type LDAP { >> > >> > You don't need to use Autz-Type in 2.0. >> > >> > > authenticate { >> > >Auth-Type LDAP{ >> > > redundant{ >> > >> > Don't use redundant sections here. Just list the two LDAP modules >> > independently. The LDAP server that was used in the authorize section >> > will ensure that it is also used in the authenticate section. >> > >> > > ${confdir}/modules/ldap1 >> > >> > And I hope that's not what I think it is. >> > >> > > It doesn't work. >> > >> > See the FAQ for "it doesn't work". >> > >> > > Here the ldap1 and ldap2 are two separate files in >> > > the /etc/raddb/modules directory and have separate ldap server IP >> > > addresses. Can anyone please point out to me where I am going wrong ? >> > >> > Lots. The major one is that you are putting the module >> > *configuration* into the authorize and authenticate sections. I have no >> > idea why you think that's a good idea. The examples included in the >> > server DO NOT DO THIS. >> > >> > The files in the "modules" directory belong in the "modules" section >> > of radiusd.conf. This is documented in the comments, and in many examples. 
>> > >> > The entries in the "authorize" and "authenticate" sections are simply >> > a one-word reference to the name of a module. Again, this is documented >> > in the comments and in many examples. >> > >> > Alan DeKok. >> > - >> > List info/subscribe/unsubscribe? See >> > http://www.freeradius.org/list/users.html >> >> - >> List info/subscribe/unsubscribe? See >> http://www.freeradius.org/list/users.html > >- >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius with multiple ldap servers
Sambuddho Chakravarty wrote: > Hello > But this never really worked. I did exactly this . The ldap1 and ldap2 > are files with the follwoing > > /etc/raddb/modules/ldap1 > > ldap { ... > /etc/raddb/modules/ldap2--- > > ldap { You have two modules named "ldap". Go read the comments at the top of the "modules" section in radiusd.conf. And before you go any further, PLEASE read the comments in the configuration files. You have been told to do this before, and it's clear that you either haven't done so, or you haven't understood them. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius with multiple ldap servers
Hello

But this never really worked. I did exactly this. The ldap1 and ldap2 are files with the following

/etc/raddb/modules/ldap1

    ldap {
        server = "30.0.0.2"
        basedn = "ou=People,cu=example,c=com"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        port = 389
        ldap_connections_number = 5
        timeout = 40
        timelimit = 30
        net_timeout = 10
        tls {
            start_tls = no
            require_cert = "demand"
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
    }

/etc/raddb/modules/ldap2---

    ldap {
        server = "10.0.0.1"
        basedn = "ou=People,cu=example,c=com"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        port = 389
        ldap_connections_number = 5
        timeout = 40
        timelimit = 30
        net_timeout = 10
        tls {
            start_tls = no
            require_cert = "demand"
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
    }

--

The only difference in both files is the LDAP server IP address. When I did as I mentioned in my previous email and executed /sbin/radiusd -X -C the execution ended with the following error

     Module: Checking authenticate {...} for more modules to load
    //etc/raddb/radiusd.conf[757]: Failed to find module "ldap1".
    //etc/raddb/radiusd.conf[756]: Errors parsing authenticate section.
     }

Also, one more observation: when having a single LDAP server and when it actually worked fine, the debug messages showed

    found rlm_pap.

While I think it should be showing rlm_ldap. Why is this so? But authentication worked fine and the client received an ACCESS-ACCEPT message as reply.

Thanks
Sambuddho

On Thu, 2008-06-19 at 13:50 -0400, Sambuddho Chakravarty wrote:
> Do you mean something like this
>
> authorize {
>     redundant {
>         ldap1
>         ldap2
>     }
> }
>
> authenticate {
>     ldap1
>     ldap2
> }
>
> The reason I list them here is to use them for authentication against
> multiple LDAP servers whose configuration information is in the two
> files modules/ldap1 and modules/ldap2. Does this look valid ?
> > Thanks > Sambuddho > > On Thu, 2008-06-19 at 09:35 +0200, Alan DeKok wrote: > > Sambuddho Chakravarty wrote: > > > Yes , but on a freeradius-2.05 , when I create a separate authenticate > > > {} and authorize {} subsection and plug in the following : > > > > > > authorize { > > >Autz-Type LDAP { > > > > You don't need to use Autz-Type in 2.0. > > > > > authenticate { > > >Auth-Type LDAP{ > > > redundant{ > > > > Don't use redundant sections here. Just list the two LDAP modules > > independently. The LDAP server that was used in the authorize section > > will ensure that it is also used in the authenticate section. > > > > > ${confdir}/modules/ldap1 > > > > And I hope that's not what I think it is. > > > > > It doesn't work. > > > > See the FAQ for "it doesn't work". > > > > > Here the ldap1 and ldap2 are two separate files in > > > the /etc/raddb/modules directory and have separate ldap server IP > > > addresses. Can anyone please point out to me where I am going wrong ? > > > > Lots. The major one is that you are putting the module > > *configuration* into the authorize and authenticate sections. I have no > > idea why you think that's a good idea. The examples included in the > > server DO NOT DO THIS. > > > > The files in the "modules" directory belong in the "modules" section > > of radiusd.conf. This is documented in the comments, and in many examples. > > > > The entries in the "authorize" and "authenticate" sections are simply > > a one-word reference to the name of a module. Again, this is documented > > in the comments and in many examples. > > > > Alan DeKok. > > - > > List info/subscribe/unsubscribe? See > > http://www.freeradius.org/list/users.html > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius with multiple ldap servers
Sambuddho Chakravarty wrote: > Do you mean something like this Yes. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius with multiple ldap servers
Do you mean something like this

    authorize {
        redundant {
            ldap1
            ldap2
        }
    }

    authenticate {
        ldap1
        ldap2
    }

The reason I list them here is to use them for authentication against multiple LDAP servers whose configuration information is in the two files modules/ldap1 and modules/ldap2. Does this look valid?

Thanks
Sambuddho

On Thu, 2008-06-19 at 09:35 +0200, Alan DeKok wrote:
> Sambuddho Chakravarty wrote:
> > Yes , but on a freeradius-2.05 , when I create a separate authenticate
> > {} and authorize {} subsection and plug in the following :
> >
> > authorize {
> >    Autz-Type LDAP {
>
> You don't need to use Autz-Type in 2.0.
>
> > authenticate {
> >    Auth-Type LDAP{
> >        redundant{
>
> Don't use redundant sections here. Just list the two LDAP modules
> independently. The LDAP server that was used in the authorize section
> will ensure that it is also used in the authenticate section.
>
> > ${confdir}/modules/ldap1
>
> And I hope that's not what I think it is.
>
> > It doesn't work.
>
> See the FAQ for "it doesn't work".
>
> > Here the ldap1 and ldap2 are two separate files in
> > the /etc/raddb/modules directory and have separate ldap server IP
> > addresses. Can anyone please point out to me where I am going wrong ?
>
> Lots. The major one is that you are putting the module
> *configuration* into the authorize and authenticate sections. I have no
> idea why you think that's a good idea. The examples included in the
> server DO NOT DO THIS.
>
> The files in the "modules" directory belong in the "modules" section
> of radiusd.conf. This is documented in the comments, and in many examples.
>
> The entries in the "authorize" and "authenticate" sections are simply
> a one-word reference to the name of a module. Again, this is documented
> in the comments and in many examples.
>
> Alan DeKok.
Re: freeradius with multiple ldap servers
Sambuddho Chakravarty wrote: > Yes , but on a freeradius-2.05 , when I create a separate authenticate > {} and authorize {} subsection and plug in the following : > > authorize { >Autz-Type LDAP { You don't need to use Autz-Type in 2.0. > authenticate { >Auth-Type LDAP{ > redundant{ Don't use redundant sections here. Just list the two LDAP modules independently. The LDAP server that was used in the authorize section will ensure that it is also used in the authenticate section. > ${confdir}/modules/ldap1 And I hope that's not what I think it is. > It doesn't work. See the FAQ for "it doesn't work". > Here the ldap1 and ldap2 are two separate files in > the /etc/raddb/modules directory and have separate ldap server IP > addresses. Can anyone please point out to me where I am going wrong ? Lots. The major one is that you are putting the module *configuration* into the authorize and authenticate sections. I have no idea why you think that's a good idea. The examples included in the server DO NOT DO THIS. The files in the "modules" directory belong in the "modules" section of radiusd.conf. This is documented in the comments, and in many examples. The entries in the "authorize" and "authenticate" sections are simply a one-word reference to the name of a module. Again, this is documented in the comments and in many examples. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
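The layout Alan describes, written out as an added example for FreeRADIUS 2.x. This is not code from the thread or from the FreeRADIUS distribution; server names and DNs are assumptions. It also covers the one case a plain one-word list does not handle on its own: the first LDAP server being down rather than merely not knowing the user.

```text
# /etc/raddb/modules/ldap  -- added example, FreeRADIUS 2.x.
# Module *configuration* lives here; radiusd.conf pulls this directory in
# with "$INCLUDE ${confdir}/modules/" inside modules { }.  Two instances
# of one module type need two distinct instance names.  Two files that
# both begin "ldap {" define the unnamed instance "ldap" twice, and a
# section that then refers to "ldap1" dies with
#   Failed to find module "ldap1".

ldap ldap1 {
	server = "ldap1.example.com"            # assumed
	basedn = "ou=People,dc=example,dc=com"  # assumed
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1                          # short: a dead server must fail fast, not stall the worker
	tls {
		start_tls = yes
		require_cert = "demand"              # fail closed on an unverifiable server certificate
	}
	dictionary_mapping = ${confdir}/ldap.attrmap
}

ldap ldap2 {
	server = "ldap2.example.com"            # assumed
	basedn = "ou=People,dc=example,dc=com"
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
	tls {
		start_tls = yes
		require_cert = "demand"
	}
	dictionary_mapping = ${confdir}/ldap.attrmap
}

# /etc/raddb/sites-enabled/default  -- the processing sections hold only
# one-word references to the instances above: never their configuration,
# and never a path such as ${confdir}/modules/ldap1.

authorize {
	preprocess

	# Not "redundant { ldap1 ldap2 }": inside redundant { } the next
	# entry runs only after "fail" (server unreachable), while
	# "notfound" returns at once, so a user missing from ldap1 would
	# never be looked up in ldap2.
	#
	# Plain sequence instead.  The default authorize action for
	# "notfound" is to continue, so "ldap1 ldap2" already falls through
	# on a missing user; the "if" only keeps ldap2 from also running
	# (and possibly overriding attributes) when ldap1 did find the user.
	#
	# "fail = 1" covers the other failure mode.  By default a "fail"
	# from a module in authorize ends the section with fail, which
	# becomes a reject, so without it ldap1 being down locks everyone
	# out even though ldap2 is up.  With it, processing continues and
	# the "if" sends the request on to ldap2.
	ldap1 {
		fail = 1
	}
	if (notfound || fail) {
		ldap2
	}

	pap
}

authenticate {
	Auth-Type PAP {
		pap
	}

	# One-word references again, no Auth-Type wrapper.  Because the
	# instances are listed here, whichever one found the user in
	# authorize set "Auth-Type := ldap1" (or ldap2) and is the one that
	# binds as the user now; the other server is not contacted for this
	# request.
	ldap1
	ldap2
}
```

Check the result with "radiusd -X": a request for a user that only exists on ldap2 should show "++[ldap1] returns notfound", then the ldap2 search, then "Setting Auth-Type = ldap2", and in authenticate a bind to ldap2 alone. Stop the first directory and repeat the test; the request should still be accepted via ldap2 instead of being rejected.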
Re: freeradius with multiple ldap servers
Yes, but on a freeradius-2.05, when I create a separate authenticate {} and authorize {} subsection and plug in the following:

    authorize {
        Autz-Type LDAP {
            redundant {
                ${confdir}/modules/ldap1
                ${confdir}/modules/ldap2
            }
        }
    }

    authenticate {
        Auth-Type LDAP{
            redundant{
                ${confdir}/modules/ldap1
                ${confdir}/modules/ldap2
            }
        }
    }

It doesn't work. Here the ldap1 and ldap2 are two separate files in the /etc/raddb/modules directory and have separate ldap server IP addresses. Can anyone please point out to me where I am going wrong?

Thanks
Sambuddho

On Sun, 2008-06-15 at 01:55 -0700, Chris wrote:
> As in:
>
>     redundant {
>         ldap1
>         ldap2
>     }
>
> On Jun 15, 2008, at 1:08 AM, Ivan Kalik wrote:
>
> > http://www.freeradius.org/radiusd/man/unlang.html
> >
> > Ivan Kalik
> > Kalik Informatika ISP
> >
> > On 15/6/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> wrote:
> >
> >> Hello All
> >> Will creating multiple instances of the /etc/raddb/modules/ldap1
> >> and /etc/raddb/modules/ldap2 each with different LDAP server
> >> addresses and database information work for having a user
> >> authenticate against either of the two LDAP servers. By that I mean
> >> that say our user 'try' tries to authenticate and sends the radius
> >> server an authentication request message, then, by having two files
> >> /etc/raddb/modules/ldap1 and /etc/raddb/modules/ldap2 cause the
> >> server to connect to both the servers and check for authentication ?
> >> If no then can anyone please suggest what is the way for doing this ?
> >>
> >> Thanks
> >> Sambuddho
Re: freeradius with multiple ldap servers
As in:

    redundant {
        ldap1
        ldap2
    }

On Jun 15, 2008, at 1:08 AM, Ivan Kalik wrote:

> http://www.freeradius.org/radiusd/man/unlang.html
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 15/6/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> wrote:
>
>> Hello All
>> Will creating multiple instances of the /etc/raddb/modules/ldap1
>> and /etc/raddb/modules/ldap2 each with different LDAP server addresses
>> and database information work for having a user authenticate against
>> either of the two LDAP servers. By that I mean that say our user 'try'
>> tries to authenticate and sends the radius server an authentication
>> request message, then, by having two files /etc/raddb/modules/ldap1
>> and /etc/raddb/modules/ldap2 cause the server to connect to both the
>> servers and check for authentication ? If no then can anyone please
>> suggest what is the way for doing this ?
>>
>> Thanks
>> Sambuddho
Re: freeradius with multiple ldap servers
http://www.freeradius.org/radiusd/man/unlang.html

Ivan Kalik
Kalik Informatika ISP

On 15/6/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> wrote:

>Hello All
> Will creating multiple instances of the /etc/raddb/modules/ldap1
>and /etc/raddb/modules/ldap2 each with different LDAP server addresses
>and database information work for having a user authenticate against
>either of the two LDAP servers. By that I mean that say our user 'try'
>tries to authenticate and sends the radius server an authentication
>request message, then, by having two files /etc/raddb/modules/ldap1
>and /etc/raddb/modules/ldap2 cause the server to connect to both the
>servers and check for authentication ? If no then can anyone please
>suggest what is the way for doing this ?
>
>Thanks
>Sambuddho
freeradius with multiple ldap servers
Hello All Will creating multiple instances of the /etc/raddb/modules/ldap1 and /etc/raddb/modules/ldap2 each with different LDAP server addresses and database information work for having a user authenticate against either of the two LDAP servers. By that I mean that say our user 'try' tries to authenticate and sends the radius server an authentication request message, then, by having two files /etc/raddb/modules/ldap1 and /etc/raddb/modules/ldap2 cause the server to connect to both the servers and check for authentication ? If no then can anyone please suggest what is the way for doing this ? Thanks Sambuddho - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Multiple ldap servers
Jean Frontin wrote:
> After several hours of research I don't understand how to configure
> FreeRadius to use two ldap servers. With only one ldap server all is OK !
>
> I run FreeRadius 1.1.7 under Fedora core 8. Below I present you a
> radiusd.conf extract and a log of a session. In the log I put a star at
> the beginning of lines which I don't understand.
...
> modules {
>     ldap ldap1 {
...
> authenticate {
> ...
>     Auth-Type ldap_1 {

You didn't use the same name here. Use "ldap1", not "ldap_1".

Alan DeKok.
Multiple ldap servers
Hello,

After several hours of research I don't understand how to configure FreeRadius to use two ldap servers. With only one ldap server all is OK!

I run FreeRadius 1.1.7 under Fedora core 8. Below I present you a radiusd.conf extract and a log of a session. In the log I put a star at the beginning of lines which I don't understand.

Thank you for your help

radiusd.conf extracts

    modules {
        ldap ldap1 {
            ...
        }
        ldap ldap2 {
            ...
        }
        ...
    }

    authorize {
        ...
        Autz-Type ldap_1 {
            ldap1
        }
        Autz-Type ldap_2 {
            ldap2
        }
        ...
    }

    authenticate {
        ...
        Auth-Type ldap_1 {
            ldap1
        }
        Auth-Type ldap_2 {
            ldap2
        }
        ...
    }
    ...

--- log extracts

      rlm_ldap: Registering ldap_groupcmp for ldap1-Ldap-Group
      rlm_ldap: Registering ldap_xlat with xlat_name ldap1
    * rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section.
      ...
      rlm_ldap: Registering ldap_groupcmp for ldap2-Ldap-Group
      rlm_ldap: Registering ldap_xlat with xlat_name ldap2
    * rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section.
      ...
      modcall: leaving group authorize (returns ok) for request 0
    * auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
      auth: Failed to validate the user.
      Login incorrect: [myname/password] (from client XXX port 0)

--
Jean Frontin
System team
I R I T
Université Paul-Sabatier
118, rte de Narbonne
31062 Toulouse cedex 9
France
tel (33)(0)5 61 55 63 03
mail [EMAIL PROTECTED]
Re: Multiple Ldap servers
On Wed, 18 May 2005, Matthew Hunter wrote:

> How do I get freeradius to check both ldap servers for a user. I have
> ldap configured already for redundancy but I want it to look at the
> first ldap server and if the user is not found then check the second
> ldap server.

Yes. See doc/configurable_failover

> Matt Hunter
> Network Analyst
> Waukesha County Technical College

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: Multiple Ldap servers
"Matthew Hunter" <[EMAIL PROTECTED]> wrote: > How do I get freeradius to check both ldap servers for a user. I have > ldap configured already for redundency but I want it to look at the > first ldap server and if the user is not found then check the second > ldap server. doc/configurable_failover Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Multiple Ldap servers
How do I get freeradius to check both ldap servers for a user? I have ldap configured already for redundancy, but I want it to look at the first ldap server and, if the user is not found, then check the second ldap server.

Matt Hunter
Network Analyst
Waukesha County Technical College
Re: Freeradius with Multiple Ldap Servers
See doc/configurable_failover in the source tree.

--Mike

On Thu, 2004-09-16 at 08:23, Matthew Hunter wrote:
> I have Freeradius configured with Ldap which works but I would like to
> specify a secondary Ldap server in case the primary ldap goes down. How
> would I go about doing that? Thanks
>
> Matt Hunter
> Network Analyst
> Waukesha County Technical College
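An added example for the FreeRADIUS 1.1.x configurations in the two older threads on this page: Jean Frontin's 1.1.7 setup with its "ldap_1" versus "ldap1" naming, and the replies above that point at doc/configurable_failover for "check the second server if the user is not found". It is not code from those messages or from the distribution, and host names and DNs are assumptions. 1.1.x has no unlang, so there is no "if"; the default fall-through and the per-module action syntax documented in doc/configurable_failover do the work.

```text
# radiusd.conf extracts -- added example, FreeRADIUS 1.1.x syntax.
# Host names and DNs are assumptions.

modules {
	ldap ldap1 {
		server = "ldap1.example.com"            # assumed
		basedn = "ou=People,dc=example,dc=com"  # assumed
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
		start_tls = yes
		tls_require_cert = "demand"
		# set_auth_type = yes is the default.  At startup the instance
		# looks for an "Auth-Type ldap1 { }" sub-section in authenticate.
		# If there is none it logs
		#   Over-riding set_auth_type, as we're not listed in the "authenticate" section.
		# and never sets Auth-Type for any request, which ends in
		#   No authenticate method (Auth-Type) configuration found for the request
	}
	ldap ldap2 {
		server = "ldap2.example.com"            # assumed
		basedn = "ou=People,dc=example,dc=com"
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
		start_tls = yes
		tls_require_cert = "demand"
	}
}

authorize {
	preprocess

	# Autz-Type sub-sections run only for requests that already carry an
	# Autz-Type attribute (set earlier, e.g. from the users file).  If
	# nothing sets it, "Autz-Type ldap_1 { ldap1 }" is skipped, authorize
	# returns ok without ever asking LDAP, and no Auth-Type is set.  List
	# the instances directly instead.
	#
	# "notfound = 1" is the built-in default for authorize (continue to
	# the next module); it is spelled out only to show the per-module
	# action syntax from doc/configurable_failover.  "fail" keeps its
	# default of "return": a dead ldap1 rejects the request instead of
	# asking ldap2, so add "fail = 1" if that is not what you want.
	ldap1 {
		notfound = 1
	}
	# Without an "if", ldap2 also runs after ldap1 found the user; its
	# notfound has a lower priority than the ok already recorded, so the
	# section still returns ok.
	ldap2
}

authenticate {
	# The sub-section name must be the instance name, character for
	# character: "ldap1", not "ldap_1".  The instance that found the user
	# sets Auth-Type := ldap1 (or ldap2) in authorize, and the matching
	# sub-section then binds as the user to that same server.
	Auth-Type ldap1 {
		ldap1
	}
	Auth-Type ldap2 {
		ldap2
	}
}
```

With this in place the two starred startup lines from the 1.1.7 log disappear, and a user known only to the second directory produces "Setting Auth-Type = ldap2" in authorize followed by a bind to ldap2 in authenticate.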
Freeradius with Multiple Ldap Servers
I have Freeradius configured with Ldap, which works, but I would like to specify a secondary Ldap server in case the primary ldap goes down. How would I go about doing that? Thanks

Matt Hunter
Network Analyst
Waukesha County Technical College