RE: Freeradius - LDAP Authentication

Kris and List,

Still having no luck getting rlm_ldap to work. I used a packet sniffer to check traffic and all I see is a SYN packet to the ldap and then a SYN back to the radius, followed by a RST packet from the radius server to the ldap. Cannot decipher any user details in the first packet, so I assume none are being sent. I searched the archives for this and came across a patch for ver 0.6; can I assume that this was rolled into subsequent versions? Not sure on how to proceed. Any other pointers, anyone?

Thanks
Simon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kris Benson
Sent: Wednesday, August 10, 2005 2:20 PM
To: FreeRadius users mailing list
Cc: 'FreeRadius users mailing list'
Subject: Re: Freeradius - LDAP Authentication

> FreeRadius users mailing list <freeradius-users@lists.freeradius.org> on August 10, 2005 at 11:17 -0800 wrote:
> > > I think I'm at the end of my abilities here, but will make a couple more comments. First off, I'm nowhere near being an LDAP pro, but what's up with the o=marymount.edu.o=marymount.edu ? There are two things that stick out to me here -- first off, the '.' between the elements... I'm used to seeing a comma. Second, the duplication of the o=. Do you *really* have a child element named the same as its parent?
> >
> > We do indeed have a child with the same name as the parent and they both have . in them. Fun, hey.
>
> For sure one other idea, then...
>
> If your structure is this:
>
>     o=marymount.edu.
>      |
>      - o=marymount.edu.
>
> should this maybe be o=marymount.edu.,o=marymount.edu. ? (note trailing periods, making an FQDN)
>
> Or perhaps if your structure is this:
>
>     o=marymount.edu
>      |
>      - o=marymount.edu
>
> should this maybe be o=marymount.edu,o=marymount.edu ?
>
> Just a thought... your original looks like a typo, based on the fact that the two fields are not being joined by a comma.
>
> HTH,
> -kb
> --
> Kris Benson, CCP, I.S.P.
> Technical Analyst, District Projects
> School District #57 (Prince George)

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Freeradius - LDAP Authentication

Kris,

Thanks for the configs, however I still cannot get this to work. I'm still seeing:

    Aug 10 07:06:21 2005 : Debug: rlm_ldap: bind as uid=sbarnes,ou=people,o=marymount.edu.o=marymount.edu/cortina to info.marymount.edu:389
    Wed Aug 10 07:06:21 2005 : Error: rlm_ldap: uid=sbarnes,ou=people,o=marymount.edu.o=marymount.edu bind to info.marymount.edu:389 failed: Can't contact LDAP server

Even tried authentication to the backup LDAP server. Is there any way to test the ldap module by hand, as it were? Also I was wondering if this was an attribute mapping problem; anyone with SUN One iPlanet Directory server got this to work?

Thanks
Simon
Re: Freeradius - LDAP Authentication

FreeRadius users mailing list <freeradius-users@lists.freeradius.org> on August 10, 2005 at 05:34 -0800 wrote:
> Kris,
>
>     Aug 10 07:06:21 2005 : Debug: rlm_ldap: bind as uid=sbarnes,ou=people,o=marymount.edu.o=marymount.edu/cortina to info.marymount.edu:389
>     Wed Aug 10 07:06:21 2005 : Error: rlm_ldap: uid=sbarnes,ou=people,o=marymount.edu.o=marymount.edu bind to info.marymount.edu:389 failed: Can't contact LDAP server
>
> Even tried authentication to the backup LDAP server. Is there any way to test the ldap module by hand, as it were?

I think I'm at the end of my abilities here, but will make a couple more comments. First off, I'm nowhere near being an LDAP pro, but what's up with the o=marymount.edu.o=marymount.edu ? There are two things that stick out to me here -- first off, the '.' between the elements... I'm used to seeing a comma. Second, the duplication of the o=. Do you *really* have a child element named the same as its parent?

I'm sorry I can't be of more assistance... but if ldapsearch works with the same binding credentials as FreeRadius (n.b. bind as the *user* sbarnes, *not* as admin), then the issue looks to be something with the way FreeRadius and the Sun software interact. Is there, by chance, a policy restricting the number of connections per minute on the Sun server? FreeRadius likes to connect at least twice in the authentication process -- once to search the directory, again to bind as the user it found.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)
RE: Freeradius - LDAP Authentication

Hi Kris,

Thanks for your input.

> I think I'm at the end of my abilities here, but will make a couple more comments. First off, I'm nowhere near being an LDAP pro, but what's up with the o=marymount.edu.o=marymount.edu ? There are two things that stick out to me here -- first off, the '.' between the elements... I'm used to seeing a comma. Second, the duplication of the o=. Do you *really* have a child element named the same as its parent?

We do indeed have a child with the same name as the parent and they both have . in them. Fun, hey.

> I'm sorry I can't be of more assistance... but if ldapsearch works with the same binding credentials as FreeRadius (n.b. bind as the *user* sbarnes, *not* as admin), then the issue looks to be something with the way FreeRadius and the Sun software interact.

I'll try and investigate to see if there are differences between the Sun and openldap and how they interact with freeradius. Anyone else out there with SUN directory server / iplanet?

> Is there, by chance, a policy restricting the number of connections per minute on the Sun server? FreeRadius likes to connect at least twice in the authentication process -- once to search the directory, again to bind as the user it found.

As far as I know there is no policy restricting access requests per minute, but I will check.

Simon Barnes
Re: Freeradius - LDAP Authentication

FreeRadius users mailing list <freeradius-users@lists.freeradius.org> on August 10, 2005 at 11:17 -0800 wrote:
> > I think I'm at the end of my abilities here, but will make a couple more comments. First off, I'm nowhere near being an LDAP pro, but what's up with the o=marymount.edu.o=marymount.edu ? There are two things that stick out to me here -- first off, the '.' between the elements... I'm used to seeing a comma. Second, the duplication of the o=. Do you *really* have a child element named the same as its parent?
>
> We do indeed have a child with the same name as the parent and they both have . in them. Fun, hey.

For sure one other idea, then...

If your structure is this:

    o=marymount.edu.
     |
     - o=marymount.edu.

should this maybe be o=marymount.edu.,o=marymount.edu. ? (note trailing periods, making an FQDN)

Or perhaps if your structure is this:

    o=marymount.edu
     |
     - o=marymount.edu

should this maybe be o=marymount.edu,o=marymount.edu ?

Just a thought... your original looks like a typo, based on the fact that the two fields are not being joined by a comma.

HTH,
-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)
RE: Freeradius - LDAP Authentication

> Well, having just looked at your config again, I'm wondering if it isn't this filter:
>
>     ldap: filter = (&(objectClass=aRadiusAccount)(uid=%u))
>
> is that 'a' supposed to be there? Also, have you custom defined the LDAP schema for this objectclass? If not, I don't believe the 'aRadiusAccount' is valid, at least not in the standard OpenLDAP w/FreeRadius extensions schema that I have. What if you start by removing that part of the filter and just searching for the uid?

Hi Kris,

I have tried changing the LDAP filter by removing the a, and also tried a plain filter just for uid; still getting the same error. In addition I also tried a different ldap account which tests successfully using ldapsearch. I am now at a loss; if anyone has a working config that they wouldn't mind sharing, that would be much appreciated.

Thanks
Simon
Re: Freeradius - LDAP Authentication

FreeRadius users mailing list <freeradius-users@lists.freeradius.org> on August 8, 2005 at 07:32 -0800 wrote:
> I am now at a loss; if anyone has a working config that they wouldn't mind sharing, that would be much appreciated.

Here's mine:

radiusd.conf section:

    ldap {
        server = localhost
        identity = cn=radiusadmin,ou=roleaccounts,dc=sd57,dc=bc,dc=ca
        password = neveryoumind
        basedn = dc=sd57,dc=bc,dc=ca
        filter = (mail=%{User-Name})
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        groupname_attribute = cn
        groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
        #groupmembership_attribute = WirelessUsers
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # do_xlat = yes
        # access_attr_used_for_allow = yes
    }

users file:

    DEFAULT Ldap-Group == NetworkAccessWireless, Auth-Type = LDAP
            Class = %l,
            Reply-Message = %u,
            Fall-Through = 1

ldap LDIF (passwords removed to protect the innocent):

    dn: dc=sd57,dc=bc,dc=ca
    dc: sd57
    objectClass: dcObject
    objectClass: organizationalUnit
    ou: Ess Dee Five Seven

    dn: ou=roleaccounts,dc=sd57,dc=bc,dc=ca
    ou: roleaccounts
    objectClass: organizationalUnit

    dn: cn=ldapadmin,ou=roleaccounts,dc=sd57,dc=bc,dc=ca
    objectClass: person
    cn: ldapadmin
    sn: AdminAcct
    userPassword: {CRYPT}*

    dn: cn=radiusadmin,ou=roleaccounts,dc=sd57,dc=bc,dc=ca
    objectClass: person
    cn: radiusadmin
    sn: AdminAcct
    userPassword: {CRYPT}*

    dn: ou=techstaff,dc=sd57,dc=bc,dc=ca
    ou: techstaff
    objectClass: organizationalUnit

    dn: cn=NetworkAccessWireless,dc=sd57,dc=bc,dc=ca
    objectClass: top
    objectClass: groupOfNames
    member: uid=kbenson,ou=techstaff,dc=sd57,dc=bc,dc=ca
    cn: NetworkAccessWireless

    dn: uid=kbenson,ou=techstaff,dc=sd57,dc=bc,dc=ca
    sn: Benson
    mail: [EMAIL PROTECTED]
    cn: Kris Benson
    gidNumber: 100
    homeDirectory: /home/staff/kbenson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    uidNumber: 3
    userPassword: {CRYPT}*
    uid: kbenson

Let me know if there's anything else you would like to see...

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)
Re: Freeradius - LDAP Authentication

FreeRadius users mailing list <freeradius-users@lists.freeradius.org> on August 5, 2005 at 08:12 -0800 wrote:
>     rlm_ldap: - authorize
>     rlm_ldap: performing user authorization for testuser
>     radius_xlat: '(&(objectClass=aRadiusAccount)(uid=testuser))'
>     radius_xlat: 'o=marymount.edu,o=marymount.edu'
>     rlm_ldap: ldap_get_conn: Checking Id: 0
>     rlm_ldap: ldap_get_conn: Got Id: 0
>     rlm_ldap: attempting LDAP reconnection
>     rlm_ldap: (re)connect to 198.100.0.18:389, authentication 0
>     rlm_ldap: bind as cn=account mgr/* to 198.100.0.18:389
>     rlm_ldap: cn=directory manager bind to 198.100.0.18:389 failed: Can't contact LDAP server
>     rlm_ldap: (re)connection attempt failed
>     rlm_ldap: search failed
>     rlm_ldap: ldap_release_conn: Release Id: 0

Here's the section of your debug where the problem lies. Note this line:

    rlm_ldap: cn=directory manager bind to 198.100.0.18:389 failed: Can't contact LDAP server

Have you double checked the IP address? I'm not sure how descriptive the error messages are -- perhaps double check that the admin user/password also works -- start by making it the full dn of the admin user in the 'identity' field. If this doesn't work, let me know and we can go from there...

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)
Re: Freeradius - LDAP Authentication

> server (running on another machine). I have the vpn talking successfully to freeradius, but I cannot get the onward connection to the LDAP to work. I have validated that the server running freeradius is able to talk to the ldap by using ldapsearch.
>
>     rlm_ldap: ldap_get_conn: Got Id: 0
>     rlm_ldap: attempting LDAP reconnection
>     rlm_ldap: (re)connect to 198.100.0.18:389, authentication 0
>     rlm_ldap: bind as cn=account mgr/* to 198.100.0.18:389
>     rlm_ldap: cn=directory manager bind to 198.100.0.18:389 failed: Can't contact LDAP server
>     rlm_ldap: (re)connection attempt failed

This is pretty clear that it cannot connect. What does your ldapsearch command look like? Perhaps you have the wrong port or ip in your config? What does telnet 198.100.0.18 389 show you?
RE: Freeradius - LDAP Authentication

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dusty Doris
Sent: Friday, August 05, 2005 11:57 AM
To: FreeRadius users mailing list
Subject: Re: Freeradius - LDAP Authentication

> This is pretty clear that it cannot connect. What does your ldapsearch command look like? Perhaps you have the wrong port or ip in your config? What does telnet 198.100.0.18 389 show you?

Hi Dusty and Kris,

The ip address I am using for the ldap is correct; when using ldapsearch

    ldapsearch -h 198.100.0.18 -b ou=people,o=marymount.edu,o=marymount.edu -D "cn=directory manager" -W

I can connect and get prompted for the password, after which I get a complete dump of the LDAP. I did a tcpdump on the freeradius machine and this is the output:

    tcpdump: listening on dc0
    11:32:59.115890 morris.marymount.edu.34613 > cooper.marymount.edu.ldap: S 3685972564:3685972564(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1366456907 0> (DF)
    11:32:59.116137 cooper.marymount.edu.ldap > morris.marymount.edu.34613: S 3939941434:3939941434(0) ack 3685972565 win 49232 <nop,nop,timestamp 48298597 1366456907,mss 1460,nop,wscale 0,nop,nop,sackOK> (DF)
    11:32:59.116222 morris.marymount.edu.34613 > cooper.marymount.edu.ldap: . ack 1 win 16384 <nop,nop,timestamp 1366456907 48298597> (DF)
    11:32:59.116312 morris.marymount.edu.34613 > cooper.marymount.edu.ldap: F 1:1(0) ack 1 win 16384 <nop,nop,timestamp 1366456907 48298597> (DF)
    11:32:59.116427 cooper.marymount.edu.ldap > morris.marymount.edu.34613: . ack 2 win 49232 <nop,nop,timestamp 48298597 1366456907> (DF)
    11:32:59.117917 cooper.marymount.edu.ldap > morris.marymount.edu.34613: F 1:1(0) ack 2 win 49232 <nop,nop,timestamp 48298597 1366456907> (DF)
    11:32:59.117987 morris.marymount.edu.34613 > cooper.marymount.edu.ldap: . ack 2 win 16383 <nop,nop,timestamp 1366456907 48298597> (DF)
Re: Freeradius - LDAP Authentication

FreeRadius users mailing list <freeradius-users@lists.freeradius.org> on August 5, 2005 at 09:58 -0800 wrote:
> > This is pretty clear that it cannot connect. What does your ldapsearch command look like? Perhaps you have the wrong port or ip in your config? What does telnet 198.100.0.18 389 show you?
>
> Hi Dusty and Kris,
>
> The ip address I am using for the ldap is correct; when using ldapsearch
>
>     ldapsearch -h 198.100.0.18 -b ou=people,o=marymount.edu,o=marymount.edu -D "cn=directory manager" -W
>
> I can connect and get prompted for the password, after which I get a complete dump of the LDAP.

What if you change the identity portion of the radiusd.conf to be the full DN of the admin user? I have a sneaking suspicion that the "can't connect" may also include "can't authenticate"... So, assuming that the directory manager user is in the people ou, try this for the identity:

    cn=directory manager,ou=people,o-marymount.edu,o=marymount.edu

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)
RE: Freeradius - LDAP Authentication

> What if you change the identity portion of the radiusd.conf to be the full DN of the admin user? I have a sneaking suspicion that the "can't connect" may also include "can't authenticate"... So, assuming that the directory manager user is in the people ou, try this for the identity:
>
>     cn=directory manager,ou=people,o-marymount.edu,o=marymount.edu

Kris,

I have tried various accounts, my own and test accounts, along with variations of the DN, and I get the same errors. I'm at a loss, as ldapsearch and telnetting to the port all seem to work.

Simon
Re: Freeradius - LDAP Authentication

FreeRadius users mailing list <freeradius-users@lists.freeradius.org> on August 5, 2005 at 12:27 -0800 wrote:
> I have tried various accounts, my own and test accounts, along with variations of the DN, and I get the same errors. I'm at a loss, as ldapsearch and telnetting to the port all seem to work.

Well, having just looked at your config again, I'm wondering if it isn't this filter:

    ldap: filter = (&(objectClass=aRadiusAccount)(uid=%u))

is that 'a' supposed to be there? Also, have you custom defined the LDAP schema for this objectclass? If not, I don't believe the 'aRadiusAccount' is valid, at least not in the standard OpenLDAP w/FreeRadius extensions schema that I have. What if you start by removing that part of the filter and just searching for the uid?

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)
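An added example, not code from this thread or from FreeRADIUS: a small Python model of the two things the filter discussion above and the `filter` / `groupmembership_filter` lines in Kris's config turn on, namely how rlm_ldap substitutes request attributes (`%u`, `%{User-Name}`, `%{Ldap-UserDn}`) into a filter template, and whether the result is one well-formed RFC 4515 search filter. The expander, the RFC 4515 escaping and the tiny parser are all assumptions of this toy (it handles only the `&`, `|` and `attr=value` forms seen in the thread), so a template that juxtaposes two items with no leading `&` or `|` is rejected, and a User-Name containing `*`, `(` or `)` is escaped so it is matched literally instead of changing the filter's shape.

```python
import re

# Toy model of the filter handling discussed in the thread (not FreeRADIUS code).
_XLAT = re.compile(r"%u|%\{([A-Za-z-]+)\}")         # xlat forms used in the thread
_ITEM = re.compile(r"([A-Za-z][\w.;-]*)=([^()]*)")   # one attr=value filter item

def escape_value(value: str) -> str:
    """RFC 4515 escaping: filter metacharacters in a value become \\xx."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)

def expand_filter(template: str, attrs: dict) -> str:
    """Substitute %u / %{Attr} from the RADIUS request into a filter template."""
    def sub(m):
        name = "User-Name" if m.group(0) == "%u" else m.group(1)
        return escape_value(attrs[name])
    return _XLAT.sub(sub, template)

def parse_filter(text: str):
    """Minimal RFC 4515 recogniser: nested tuples on success, ValueError otherwise."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos:pos + 1] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        head = text[pos:pos + 1]
        if head in ("&", "|"):           # (&(..)(..)) or (|(..)(..))
            pos += 1
            items = []
            while text[pos:pos + 1] == "(":
                items.append(node())
            result = (head, items)
        else:                            # plain attr=value item
            m = _ITEM.match(text, pos)
            if not m:
                raise ValueError("bad filter item at offset %d" % pos)
            pos = m.end()
            result = ("=", m.group(1), m.group(2))
        if text[pos:pos + 1] != ")":     # two items juxtaposed with no &/| end up here
            raise ValueError("expected ')' at offset %d" % pos)
        pos += 1
        return result
    tree = node()
    if pos != len(text):
        raise ValueError("trailing text at offset %d" % pos)
    return tree

def is_valid(text: str) -> bool:
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False
```

Running `radiusd -X` shows the expanded filter in the `radius_xlat:` debug line, which is the string to feed to `parse_filter` when checking a config by hand.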