Re: freeradius with multiple ldap servers

2008-07-07 Thread Sambuddho Chakravarty
Hello Ivan and Alan
 Thanks a lot for tolerating my pestering. It has worked. The problem
was with the PAP module. The auto header detection was turned off. It
works perfectly now.

Thanks
Sambuddho
On Mon, 2008-07-07 at 10:08 +0100, Ivan Kalik wrote:
> > Does that mean that I cannot authenticate against an LDAP server from a
> >freeradius server using cleartext passwords?
> 
> But you are not using cleartext passwords. Passwords in ldap are
> encrypted.
> 
> >So the freeradius client
> >needs to send the password in encrypted format. But other programs which
> >use the LDAP server to authenticate (e.g. pam_ldap) take as input the
> >cleartext password. Is there a solution to this?
> 
> You need to add a header to the userPassword field. If you don't know
> what password header is and how to do that, ask on the ldap list.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius with multiple ldap servers

2008-07-07 Thread Sambuddho Chakravarty
Hello Ivan
 The ldap database's passwords have the '{crypt}' header. What I meant
by cleartext passwords is that I am typing in the password in clear text
in the radtest program.
Thanks
Sambuddho
On Mon, 2008-07-07 at 10:08 +0100, Ivan Kalik wrote:
> > Does that mean that I cannot authenticate against an LDAP server from a
> >freeradius server using cleartext passwords?
> 
> But you are not using cleartext passwords. Passwords in ldap are
> encrypted.
> 
> >So the freeradius client
> >needs to send the password in encrypted format. But other programs which
> >use the LDAP server to authenticate (e.g. pam_ldap) take as input the
> >cleartext password. Is there a solution to this?
> 
> You need to add a header to the userPassword field. If you don't know
> what password header is and how to do that, ask on the ldap list.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 



Re: freeradius with multiple ldap servers

2008-07-07 Thread Ivan Kalik
> Does that mean that I cannot authenticate against an LDAP server from a
>freeradius server using cleartext passwords?

But you are not using cleartext passwords. Passwords in ldap are
encrypted.

>So the freeradius client
>needs to send the password in encrypted format. But other programs which
>use the LDAP server to authenticate (e.g. pam_ldap) take as input the
>cleartext password. Is there a solution to this?

You need to add a header to the userPassword field. If you don't know
what password header is and how to do that, ask on the ldap list.

Ivan Kalik
Kalik Informatika ISP



Re: freeradius with multiple ldap servers

2008-07-07 Thread A . L . M . Buxey
Hi,

>  I went through the documentation on the website and in the doc/
> directory in the source distribution. I read through the
> ldap_howto.txt. Is that the example you refer to? (That's the only one I
> found with the source distribution.) It had many components that I don't
> require. I scrolled down to find the freeradius configuration. But I am
> still not clear how to exactly tailor it for my needs. Is there an
> example / url I can use as reference? Am I looking at the wrong
> place?

first basic question. why did you add an authenticate and authorise section
to radiusd.conf?   that stuff is already in the sites-enabled/default
file - which gets read and used on server startup.  if you have to
edit such entries, edit them in the right place.  radiusd.conf now
is a very basic file which sets up logging, imports other conf files
and a few other mundane things.  what you COULD do, and what is 'reasonable'
is to rename the sites-enabled/default file to something like
sites-enabled/my-service and then edit it for your required service.

alan


Re: freeradius with multiple ldap servers

2008-07-06 Thread Sambuddho Chakravarty
Hello Alan
 I went through the documentation on the website and in the doc/
directory in the source distribution. I read through the
ldap_howto.txt. Is that the example you refer to? (That's the only one I
found with the source distribution.) It had many components that I don't
require. I scrolled down to find the freeradius configuration. But I am
still not clear how to exactly tailor it for my needs. Is there an
example / url I can use as reference? Am I looking at the wrong
place?

Thanks
Sambuddho
On Sun, 2008-07-06 at 19:15 +0200, Alan DeKok wrote:
> Sambuddho Chakravarty wrote:
> >  My intent is not to pester you with my queries but the problem is still
> > what it was initially. I'll once again tell you the configuration that I
> > am using.
> 
>   The difficulty I'm having is being *able* to help you.  At this point
> it's clear that the documentation isn't helping you, and neither are the
> answers on this list.
> 
> > radiusd.conf---
> > 
> > 
> > /* Most of the stuff is untouched.
> > */
> > 
> > /* Added authenticate{} and authorize{} section */
> 
>   Why?  Have you even bothered trying to understand how the server
> works?  Are you completely un-aware of the existing documentation and
> sample configuration files?
> 
>   You seem insistent on ignoring the examples, ignoring the
> documentation, and ignoring the responses on this list.
> 
> > Please point me out what may have possibly gone wrong.
> 
>   We did.  You were given clear directions on what to do.  You failed to
> follow the directions.
> 
>   At this point, I have to say that there's no point in you continuing
> to post questions until you've managed to follow the instructions to
> your previous questions.
> 
>   Alan DeKok.



Re: freeradius with multiple ldap servers

2008-07-06 Thread Alan DeKok
Sambuddho Chakravarty wrote:
>  My intent is not to pester you with my queries but the problem is still
> what it was initially. I'll once again tell you the configuration that I
> am using.

  The difficulty I'm having is being *able* to help you.  At this point
it's clear that the documentation isn't helping you, and neither are the
answers on this list.

> radiusd.conf---
> 
> 
> /* Most of the stuff is untouched.
> */
> 
> /* Added authenticate{} and authorize{} section */

  Why?  Have you even bothered trying to understand how the server
works?  Are you completely un-aware of the existing documentation and
sample configuration files?

  You seem insistent on ignoring the examples, ignoring the
documentation, and ignoring the responses on this list.

> Please point me out what may have possibly gone wrong.

  We did.  You were given clear directions on what to do.  You failed to
follow the directions.

  At this point, I have to say that there's no point in you continuing
to post questions until you've managed to follow the instructions to
your previous questions.

  Alan DeKok.


Re: freeradius with multiple ldap servers

2008-07-06 Thread Sambuddho Chakravarty
Hello Alan and Ivan
 My intent is not to pester you with my queries but the problem is still
what it was initially. I'll once again tell you the configuration that I
am using.


radiusd.conf---


/* Most of the stuff is untouched.
*/

/* Added authenticate{} and authorize{} section */

authenticate {
    ldap1
    ldap2
}

authorize {
    ldap1
    ldap2
}


-module/ldap--


ldap ldap1{
#
#  Note that this needs to match the name in the LDAP
#  server certificate, if you're using ldaps.
server = ""
identity = "."
password = .
basedn = "ou=People,dc=example,dc=com"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
ldap_connections_number = 5
password_header="{crypt}"
password_attribute=userPassword
password_radius_attribute=Crypt-Password

 .

}


ldap ldap2 {
#
#  Note that this needs to match the name in the LDAP
#  server certificate, if you're using ldaps.
server = ""
identity = "."
password = .
basedn = "ou=People,dc=example,dc=com"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
ldap_connections_number = 5
password_header="{crypt}"
password_attribute=userPassword
password_radius_attribute=Crypt-Password

.

}


The 'users' and 'client' files are unchanged.

I run the server with the following command line options. 'radiusd -X'

To test I run the radtest tool with the following option. 

 radtest catch "catchall" localhost 2 testing123

Here catch and catchall are user and password in the LDAP database
created from a unix account on the host hosting the LDAP database. The
migration from the regular unix /etc/passwd to the LDIF file was done
using the migration tools. 

The reply received was rad_recv: Access-Reject. The following was the
debug output from the server.

rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter
(uid=catch)
rlm_ldap: Added User-Password = $1$FYblmPWy$fmgebhCOLpHvhdECNP4EG0 in
check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user catch authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap2] returns ok
!!!
!!!Replacing User-Password in config items with
Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the "known
good"   !!!
!!! clear text password is in Cleartext-Password, and not in
User-Password. !!!
!!!
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> catch
 attr_filter: Matched entry DEFAULT at line 11

Please point me out what may have possibly gone wrong.

Other observations:

1. When I try to test using the username 'try' stored in the other ldap
database, it doesn't search in the other LDAP server but only searches
in the one which doesn't have it and fails. 

2. The problem in (1) doesn't occur when I comment out the
'password_attribute' line in the modules/ldap file. It then searches the
appropriate LDAP database, but fails with the following output.

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials

Please advise.

Thanks
Sambuddho



On Sun, 2008-07-06 at 08:06 +0200, Alan DeKok wrote:
> Sambuddho Chakravarty wrote:
> >  Does that mean that I cannot authenticate against an LDAP server from a
> > freeradius server using cleartext passwords?
> 
>   No.  That is not what he said.
> 
> > So the freeradius client
> > needs to send the password in encrypted format.
> 
>   No.  That is not what he said.
> 
> > But other programs which
> > use the LDAP server to authenticate (e.g. pam_ldap) take as input the
> > cleartext password.
> 
>   We know.  We've been doing this for years.
> 
> > Is there a solution to this ?
> 
>   Do what Ivan said.
> 
> > Maybe I am mistaken somewhere.
> 
>   Lots.
> 
> > Please let me know.
> 
>   We're trying to help you.  It's not working.
> 
>   Alan DeKok.



Re: freeradius with multiple ldap servers

2008-07-05 Thread Alan DeKok
Sambuddho Chakravarty wrote:
>  Does that mean that I cannot authenticate against an LDAP server from a
> freeradius server using cleartext passwords?

  No.  That is not what he said.

> So the freeradius client
> needs to send the password in encrypted format.

  No.  That is not what he said.

> But other programs which
> use the LDAP server to authenticate (e.g. pam_ldap) take as input the
> cleartext password.

  We know.  We've been doing this for years.

> Is there a solution to this ?

  Do what Ivan said.

> Maybe I am mistaken somewhere.

  Lots.

> Please let me know.

  We're trying to help you.  It's not working.

  Alan DeKok.


Re: freeradius with multiple ldap servers

2008-07-05 Thread Sambuddho Chakravarty
Interestingly the bind as the root DN works with password supplied in
clear-text through the ldap {} module...

Thanks
Sambuddho
On Sat, 2008-07-05 at 18:03 -0400, Sambuddho Chakravarty wrote:
> Hello Ivan
>  Does that mean that I cannot authenticate against an LDAP server from a
> freeradius server using cleartext passwords? So the freeradius client
> needs to send the password in encrypted format. But other programs which
> use the LDAP server to authenticate (e.g. pam_ldap) take as input the
> cleartext password. Is there a solution to this? Maybe I am mistaken
> somewhere. Please let me know.
> Thanks
> Sambuddho
> On Fri, 2008-07-04 at 09:56 +0100, Ivan Kalik wrote:
> > > Problem still persists. What do you mean by the {crypt} header.
> > 
> > From RFC2256:
> > 
> > 5.36. userPassword
> > 
> > ( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch
> >   SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
> > 
> >Passwords are stored using an Octet String syntax and are not
> >encrypted.
> > 
> > Since you are intent on violating RFC you need to add a password header
> > to indicate what type of encryption is used.
> > 
> > >rlm_ldap: waiting for bind result ...
> > >rlm_ldap: Bind failed with invalid credentials
> > >++[ldap1] returns reject
> > >auth: Failed to validate the user.
> > 
> > Without the header userPassword is treated as clear text (not crypted
> > value) and that doesn't match.
> > 
> > Ivan Kalik
> > Kalik Informatika ISP
> > 
> 



Re: freeradius with multiple ldap servers

2008-07-05 Thread Sambuddho Chakravarty
Hello Ivan
 Does that mean that I cannot authenticate against an LDAP server from a
freeradius server using cleartext passwords? So the freeradius client
needs to send the password in encrypted format. But other programs which
use the LDAP server to authenticate (e.g. pam_ldap) take as input the
cleartext password. Is there a solution to this? Maybe I am mistaken
somewhere. Please let me know.
Thanks
Sambuddho
On Fri, 2008-07-04 at 09:56 +0100, Ivan Kalik wrote:
> > Problem still persists. What do you mean by the {crypt} header.
> 
> From RFC2256:
> 
> 5.36. userPassword
> 
> ( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch
>   SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
> 
>Passwords are stored using an Octet String syntax and are not
>encrypted.
> 
> Since you are intent on violating RFC you need to add a password header
> to indicate what type of encryption is used.
> 
> >rlm_ldap: waiting for bind result ...
> >rlm_ldap: Bind failed with invalid credentials
> >++[ldap1] returns reject
> >auth: Failed to validate the user.
> 
> Without the header userPassword is treated as clear text (not crypted
> value) and that doesn't match.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 



Re: freeradius with multiple ldap servers

2008-07-04 Thread Ivan Kalik
> Problem still persists. What do you mean by the {crypt} header.

From RFC2256:

5.36. userPassword

( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )

   Passwords are stored using an Octet String syntax and are not
   encrypted.

Since you are intent on violating RFC you need to add a password header
to indicate what type of encryption is used.

>rlm_ldap: waiting for bind result ...
>rlm_ldap: Bind failed with invalid credentials
>++[ldap1] returns reject
>auth: Failed to validate the user.

Without the header userPassword is treated as clear text (not crypted
value) and that doesn't match.

Ivan Kalik
Kalik Informatika ISP

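Ivan's point is that the header on userPassword decides how the stored value is interpreted. As an added illustration, not code from this thread or from FreeRADIUS itself, the Python below models that decision: the header selects the check attribute (as the PAP module's auto header detection does, for the subset of headers in the table), a value with no header is compared as clear text, and a {crypt} value holding a $1$ hash is verified with a re-implementation of MD5-crypt. The salt FYblmPWy and the password "catchall" come from the thread's log and radtest run; the stored entry is recomputed locally rather than copied from the log.

```python
import base64
import hashlib
import hmac

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# userPassword headers (a subset of what the PAP module's auto header detection
# knows) and the FreeRADIUS check attribute each selects; the table is an assumption.
HEADER_TO_ATTR = {
    "{crypt}": "Crypt-Password",
    "{clear}": "Cleartext-Password",
    "{cleartext}": "Cleartext-Password",
    "{ssha}": "SSHA-Password",
}

def classify(user_password: str) -> tuple:
    """Split a userPassword value into (check attribute, payload). A value with
    no recognised header is taken as clear text, so a bare crypt hash would be
    compared as text against the typed password and never match."""
    if user_password.startswith("{"):
        end = user_password.find("}")
        if end > 0:
            header = user_password[: end + 1].lower()
            if header in HEADER_TO_ATTR:
                return HEADER_TO_ATTR[header], user_password[end + 1:]
    return "Cleartext-Password", user_password

def _to64(value: int, count: int) -> bytes:
    # crypt(3)-style base64 of the low 6*count bits, least significant first
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)

def md5_crypt(password: bytes, salt: bytes) -> str:
    """Traditional MD5-crypt ($1$...), the scheme behind the $1$ hashes in the
    thread, re-implemented with hashlib (not FreeRADIUS or libc code)."""
    salt = salt[:8]
    alt = hashlib.md5(password + salt + password).digest()
    ctx = hashlib.md5(password + b"$1$" + salt)
    remaining = len(password)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bit = len(password)
    while bit:
        ctx.update(b"\0" if bit & 1 else password[:1])
        bit >>= 1
    f = ctx.digest()
    for i in range(1000):  # fixed 1000-round stretching loop
        ctx1 = hashlib.md5(password if i & 1 else f)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(f if i & 1 else password)
        f = ctx1.digest()
    out = _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
    out += _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
    out += _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
    out += _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
    out += _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
    out += _to64(f[11], 2)
    return (b"$1$" + salt + b"$" + out).decode()

def ssha_hash(password: bytes, salt: bytes) -> str:
    """LDAP {SSHA}: base64(sha1(password + salt) + salt)."""
    return base64.b64encode(hashlib.sha1(password + salt).digest() + salt).decode()

def check_password(typed: str, attribute: str, payload: str) -> bool:
    """Compare the typed password with the known-good value the way the check
    attribute dictates; every branch uses a constant-time compare."""
    pw = typed.encode()
    if attribute == "Cleartext-Password":
        return hmac.compare_digest(pw, payload.encode())
    if attribute == "Crypt-Password":
        parts = payload.split("$")
        if len(parts) != 4 or parts[1] != "1":
            return False  # only the $1$ variant is modelled here
        return hmac.compare_digest(md5_crypt(pw, parts[2].encode()), payload)
    if attribute == "SSHA-Password":
        salt = base64.b64decode(payload)[20:]  # whatever follows the 20-byte digest
        return hmac.compare_digest(ssha_hash(pw, salt), payload)
    return False

def radius_decision(typed: str, user_password: str) -> tuple:
    attribute, payload = classify(user_password)
    return attribute, check_password(typed, attribute, payload)

if __name__ == "__main__":
    # Constructed entry: password "catchall" and salt FYblmPWy as in the thread's
    # radtest run and log line; the hash itself is recomputed here.
    stored = "{crypt}" + md5_crypt(b"catchall", b"FYblmPWy")
    print(radius_decision("catchall", stored))      # ('Crypt-Password', True)
    print(radius_decision("catchall", stored[7:]))  # no header -> ('Cleartext-Password', False)
```

The second call reproduces the failure mode in the logs: with the header gone, the hash is treated as a clear-text known-good password and the comparison can never succeed.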


Re: freeradius with multiple ldap servers

2008-07-03 Thread Sambuddho Chakravarty

Hello Ivan
 Problem still persists. What do you mean by the {crypt} header? These
are simple /etc/passwd files converted into an LDIF database using the LDAP
Migration Scripts from padl.com

This is what the logs look like


rlm_ldap: bind as uid=try,ou=People,dc=example,dc=com/trialanderror to
30.0.0.2:389
   (trialanderror is the supplied clear-text password from radtest)
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
++[ldap1] returns reject
auth: Failed to validate the user.
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> try
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated



Thanks
Sambuddho

On Wed, 2008-07-02 at 23:45 +0100, Ivan Kalik wrote:
> http://wiki.freeradius.org/index.php/Rlm_ldap
> 
> See use of password_header and password_attribute.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> 
> On 2/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> writes:
> 
> >Hello
> > I think I know what the problem is. The radius server is looking up
> >using cleartext password, while the LDAP database stores the hashed
> >passwords. How can I force the radius server to search for the password
> >as a hashed value (rather than searching for the clear-text value)?
> >
> >Thanks
> >Sambuddho
> >On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
> >> Hello Alan
> >>   I made sure this time that rlm_ldap was compiled. Now the following is
> >> the configuration
> >>
> >> --/etc/raddb/modules/ldap---
> >>
> >> ldap ldap1 {
> >>server = "a.b.c.d"
> >>...
> >>}
> >>
> >> ldap ldap2 {
> >>server = "w.x.y.z"
> >>...
> >>}
> >>
> >> -/etc/raddb/radiusd.conf-
> >>
> >>
> >> authorize {
> >>ldap1
> >>
> >>  ldap2
> >>
> >> }
> >>
> >>authenticate {
> >> ldap1
> >> ldap2
> >> }
> >>
> >> 
> >>
> >> When I execute /sbin/radiusd -X
> >>
> >> It shows instantiating module ldap1 and module ldap2
> >>
> >> 
> >>  Module: Instantiating ldap2
> >>   ldap ldap1 {
> >> server = "a.b.c.d"
> >> port = 389
> >> 
> >>  Module: Instantiating ldap2
> >>   ldap ldap2 {
> >> server = "w.x.y.z"
> >> port = 389
> >> 
> >>
> >> When sending a radtest request using the following command (from the
> >> same machine as one which is running the server)
> >>
> >> $ radtest user "secret" localhost 2 testing123
> >>
> >> I get ACCESS-REJECT reply from the sever.
> >>
> >> On the server the logs show something like this
> >> ---
> >> It shows binding to both LDAP servers one by one through something like
> >> this :
> >>
> >> rlm_ldap: performing user authorization for catch
> >> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
> >> details
> >> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
> >> expand: ou=People,dc=example,dc=example ->
> >> ou=People,dc=example,dc=example
> >> rlm_ldap: ldap_get_conn: Checking Id: 0
> >> rlm_ldap: ldap_get_conn: Got Id: 0
> >> rlm_ldap: attempting LDAP reconnection
> >> rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0
> >> rlm_ldap: bind as / to 30.0.0.2:389
> >> rlm_ldap: waiting for bind result ...
> >> rlm_ldap: Bind was successful
> >> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
> >> filter (uid=catch)
> >> rlm_ldap: object not found or got ambiguous search result
> >> rlm_ldap: search failed
> >> rlm_ldap: ldap_release_conn: Release Id: 0
> >> ++[ldap1] returns notfound
> >> rlm_ldap: - authorize
> >> rlm_ldap: performing user authorization for catch
> >> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
> >> details
> >> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
> >> expand: ou=People,dc=example,dc=example ->
> >> ou=People,dc=example,dc=example
> >> rlm_ldap: ldap_get_conn: Checking Id: 0
> >> rlm_ldap: ldap_get_conn: Got Id: 0
> >> rlm_ldap: attempting LDAP reconnection
> >> rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0
> >> rlm_ldap: bind as / to 10.0.0.1:389
> >> rlm_ldap: waiting for bind result ...
> >> rlm_ldap: Bind was successful
> >> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
> >> filter (uid=catch)
> >> rlm_ldap: object not found or got ambiguous search result
> >> rlm_ldap: search failed
> >> rlm_ldap: ldap_release_conn: Release Id: 0
> >> ++[ldap2] returns notfound
> >>
> >> auth: No authenticate method (Auth-Type) configuration found for the
> >> request: Rejecting the user
> >> auth: Failed to validate the user.
> >>
> >> You can see it is attempting to search both databases but fails. If I
> >> use a simple telnet or ssh to authenticate against the LDAP server it
> >> logs in fi

Re: Freeradius-Users Digest, Vol 39, Issue 18 topic 5: freeradius with multiple ldap servers

2008-07-03 Thread Sambuddho Chakravarty
.
> > 
> > Andy
> > 
> > 
> > [EMAIL PROTECTED] wrote:
> > > Message: 5
> > > Date: Thu, 03 Jul 2008 12:50:25 -0400
> > > From: Sambuddho Chakravarty <[EMAIL PROTECTED]>
> > > Subject: Re: freeradius with multiple ldap servers
> > > To: FreeRadius users mailing list
> > >   
> > > Message-ID: <[EMAIL PROTECTED]>
> > > Content-Type: text/plain; charset=utf-8
> > >
> > > Hello Ivan
> > >  But I don't have a field in the database by that name. The name of the
> > > field is "userPassword". This is what the openLDAP migration scripts
> > > generated. Please let me know what mistake I am doing. Also, my
> > > question on failover. Is the failover used when the first LDAP server is
> > > down / unresponsive to connection attempts or when it is not able to
> > > authenticate (example bad username / password)?
> > >
> > > Thanks
> > > Sambuddho
> > > On Thu, 2008-07-03 at 10:24 +0100, Ivan Kalik wrote:
> > >   
> > >> Password (radius) attribute should be Crypt-Password not User-Password.
> > >>
> > >> Ivan Kalik
> > >> Kalik Informatika ISP
> > >>
> > >>
> > >> On 3/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> writes:
> > >>
> > >> 
> > >>> Hello
> > >>>
> > >>> I set the password_header to {crypt} and password_attribute to
> > >>> "userPassword" (that's the name of the field in the database). Now this
> > >>> is what the logs show,
> > >>>
> > >>> rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter
> > >>> (uid=try)
> > >>> rlm_ldap: Added User-Password = $1$n48a7wCp$RfvlOx1pZgiVNfmMmA2xS. in
> > >>> check items
> > >>> rlm_ldap: looking for check items in directory...
> > >>> rlm_ldap: looking for reply items in directory...
> > >>> rlm_ldap: user try authorized to use remote access
> > >>> rlm_ldap: ldap_release_conn: Release Id: 0
> > >>> +++[ldap1] returns ok
> > >>> ++- policy redundant returns ok
> > >>> !!!
> > >>> !!!Replacing User-Password in config items with
> > >>> Cleartext-Password. !!!
> > >>> !!!
> > >>> !!! Please update your configuration so that the "known
> > >>> good"   !!!
> > >>> !!! clear text password is in Cleartext-Password, and not in
> > >>> User-Password. !!!
> > >>> !!!
> > >>> auth: type Local
> > >>> auth: user supplied User-Password does NOT match local User-Password
> > >>> auth: Failed to validate the user.
> > >>>  Found Post-Auth-Type Reject
> > >

Re: Freeradius-Users Digest, Vol 39, Issue 18 topic 5: freeradius with multiple ldap servers

2008-07-03 Thread Sambuddho Chakravarty
Hi Andy
 Thanks a lot. The problem is that I have a file named ldap
inside /etc/raddb/modules directory and it has two ldap modules, ldap1
and ldap2.

ldap ldap1 {
server = 
identity =  (set the appropriate CN)
password = password for the above CN
basedn = "ou=People,dc=example,dc=com"
...
}


ldap ldap2 {
server = 
identity =  (set the appropriate CN)
password = password for the above CN
basedn = "ou=People,dc=example,dc=com"
...
}


The first server has a user named 'try' and the second one has one named
'catch'. 

When I try to perform authentication using radtest tool with the
username and password (say for try ) , it searches it in the LDAP server
which doesn't have it and doesn't search the one which actually has the
username. When I try with username 'catch' , it finds the username and
the password but then it goes into 

auth: type Local 
 
and fails. 
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
expand: ou=People,dc=example,dc=com ->
ou=People,dc=example,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter
(uid=catch)
rlm_ldap: Added User-Password = $1$FYblmPWy$fmgebhCOLpHvhdECNP4EG0 in
check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user catch authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap2] returns ok
!!!
!!!Replacing User-Password in config items with
Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the "known
good"   !!!
!!! clear text password is in Cleartext-Password, and not in
User-Password. !!!
!!!
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> catch
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 48 to 127.0.0.1 port 1025
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 48 with timestamp +39
Ready to process requests.

I know it's trivial but I have been struggling with this for a long time now.
(Freeradius version : 2.05)

Thanks
Sambuddho



 
On Thu, 2008-07-03 at 12:35 -0700, Andy An wrote:
> Hi Sambuddho:
> 
> I met a similar problem a few weeks ago.
> You need to set the ldap identity/password for your freeRadius server at
> modules/ldap:
> e.g. mine is like:
> 
> server = "ldap.xxx.ca"
> identity = "cn=radius,ou=Applications,dc=xxx,dc=ca"
> password = "password"
> basedn = "ou=People,dc=xxx,dc=ca"
> 
> The default setting is "read-only" anonymous search (i.e. without an
> identity/password setting) and it will fail because the ldap server does not
> allow anonymous searches for other users' passwords.
> Hope this is helpful.
> 
> Andy

Re: freeradius with multiple ldap servers

2008-07-03 Thread Ivan Kalik
> But I don't have a field in the database by that name .

No, you don't. I am talking about ldap section of radiusd.conf. You need
to set the appropriate radius password attribute.

http://wiki.freeradius.org/index.php/Rlm_ldap

>Also , my
>question on failover. Is the failover used when the first LDAP server is
>down / unresponsive to connection attempts or when it is not able to
>authenticate (example bad username / password)  ?
>

No response or no user in that ldap database. If the user is present but
the password is wrong, the user will be rejected.

Ivan Kalik
Kalik Informatika ISP



Re: Freeradius-Users Digest, Vol 39, Issue 18 topic 5: freeradius with multiple ldap servers

2008-07-03 Thread Andy An

Hi Sambuddho:

I met a similar problem a few weeks ago.
You need to set the ldap identity/password for your freeRadius server at modules/ldap:

e.g. mine is like:

   server = "ldap.xxx.ca"
   identity = "cn=radius,ou=Applications,dc=xxx,dc=ca"
   password = "password"
   basedn = "ou=People,dc=xxx,dc=ca"

The default setting is "read-only" anonymous search (i.e. without an
identity/password setting) and it will fail because the ldap server does not
allow anonymous searches for other users' passwords.

Hope this is helpful.

Andy


[EMAIL PROTECTED] wrote:


Message: 5
Date: Thu, 03 Jul 2008 12:50:25 -0400
From: Sambuddho Chakravarty <[EMAIL PROTECTED]>
Subject: Re: freeradius with multiple ldap servers
To: FreeRadius users mailing list

Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=utf-8

Hello Ivan
 But I don't have a field in the database by that name. The name of the
field is "userPassword". This is what the openLDAP migration scripts
generated. Please let me know what mistake I am doing. Also, my
question on failover. Is the failover used when the first LDAP server is
down / unresponsive to connection attempts or when it is not able to
authenticate (example bad username / password)?

Thanks
Sambuddho
On Thu, 2008-07-03 at 10:24 +0100, Ivan Kalik wrote:
  

Password (radius) attribute should be Crypt-Password not User-Password.

Ivan Kalik
Kalik Informatika ISP


Dana 3/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> pi?e:



Hello

I set the password_header to = {crypt} and password_attribute to
"userPassword" (Thats the name of the field in the database). Now this
is what the logs show,

rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter
(uid=try)
rlm_ldap: Added User-Password = $1$n48a7wCp$RfvlOx1pZgiVNfmMmA2xS. in
check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user try authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap1] returns ok
++- policy redundant returns ok
!!!
!!!Replacing User-Password in config items with
Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the "known
good"   !!!
!!! clear text password is in Cleartext-Password, and not in
User-Password. !!!
!!!
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
 Found Post-Auth-Type Reject
+- entering group REJECT
   expand: %{User-Name} -> try
attr_filter: Matched entry DEFAULT at line 11



My guess is authorize{}  worked but not authenticate {}. Also , I see
both modules ldap1 and ldap2 being loaded but whenever I try to
authenticate with the username/password that is found in ldap2 , the
radius server never attempts to connect to the other LDAP server.
Instead it search for the entries in the "ldap1"'s server only.

Any suggestions ?

Thanks
Sambuddho


On Wed, 2008-07-02 at 23:45 +0100, Ivan Kalik wrote:
  

http://wiki.freeradius.org/index.php/Rlm_ldap

See use of password_header and password_attribute.

Ivan Kalik
Kalik Informatika ISP


Dana 2/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> pi??e:



Hello
I think I know what the problem is. The radius server is looking up
using cleartext password , while the LDAP data base stores the hashed
passwords. How can I force the radiuse server to search for the password
as a hashed value (rather than searching for the clear-text value) ?

Tha

Re: freeradius with multiple ldap servers

2008-07-03 Thread Sambuddho Chakravarty
Hello Ivan
 But I don't have a field in the database by that name. The name of the
field is "userPassword". This is what the openLDAP migration scripts
generated. Please let me know what mistake I am making. Also, my
question on failover: is the failover used when the first LDAP server is
down / unresponsive to connection attempts, or when it is not able to
authenticate (example: bad username / password)?

Thanks
Sambuddho
On Thu, 2008-07-03 at 10:24 +0100, Ivan Kalik wrote:
> Password (radius) attribute should be Crypt-Password not User-Password.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> 
> On 3/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> writes:
> 
> >Hello
> >
> >I set the password_header to = {crypt} and password_attribute to
> >"userPassword" (That's the name of the field in the database). Now this
> >is what the logs show:
> >
> >rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter
> >(uid=try)
> >rlm_ldap: Added User-Password = $1$n48a7wCp$RfvlOx1pZgiVNfmMmA2xS. in
> >check items
> >rlm_ldap: looking for check items in directory...
> >rlm_ldap: looking for reply items in directory...
> >rlm_ldap: user try authorized to use remote access
> >rlm_ldap: ldap_release_conn: Release Id: 0
> >+++[ldap1] returns ok
> >++- policy redundant returns ok
> >!!!
> >!!!Replacing User-Password in config items with
> >Cleartext-Password. !!!
> >!!!
> >!!! Please update your configuration so that the "known
> >good"   !!!
> >!!! clear text password is in Cleartext-Password, and not in
> >User-Password. !!!
> >!!!
> >auth: type Local
> >auth: user supplied User-Password does NOT match local User-Password
> >auth: Failed to validate the user.
> >  Found Post-Auth-Type Reject
> >+- entering group REJECT
> >expand: %{User-Name} -> try
> > attr_filter: Matched entry DEFAULT at line 11
> >
> >
> >
> >My guess is authorize{} worked but not authenticate {}. Also, I see
> >both modules ldap1 and ldap2 being loaded but whenever I try to
> >authenticate with the username/password that is found in ldap2, the
> >radius server never attempts to connect to the other LDAP server.
> >Instead it searches for the entries in the "ldap1" server only.
> >
> >Any suggestions ?
> >
> >Thanks
> >Sambuddho
> > 
> >
> >On Wed, 2008-07-02 at 23:45 +0100, Ivan Kalik wrote:
> >> http://wiki.freeradius.org/index.php/Rlm_ldap
> >> 
> >> See use of password_header and password_attribute.
> >> 
> >> Ivan Kalik
> >> Kalik Informatika ISP
> >> 
> >> 
> >> On 2/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> writes:
> >> 
> >> >Hello
> >> > I think I know what the problem is. The radius server is looking up
> >> >using cleartext password, while the LDAP database stores the hashed
> >> >passwords. How can I force the radius server to search for the password
> >> >as a hashed value (rather than searching for the clear-text value)?
> >> >
> >> >Thanks
> >> >Sambuddho
> >> >On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
> >> >> Hello Alan
> >> >>   I made sure this time that rlm_ldap was compiled. Now the following is
> >> >> the configuration
> >> >>
> >> >> --/etc/raddb/modules/ldap---
> >> >>
> >> >> ldap ldap1 {
> >> >> server = "a.b.c.d"
> >> >> ...
> >> >> }
> >> >>
> >> >> ldap ldap2 {
> >> >> server = "w.x.y.z"
> >> >> ...
> >> >> }
> >> >>
> >> >> -/etc/raddb/radiusd.conf-
> >> >>
> >> >>
> >> >> authorize {
> >> >>ldap1
> >> >>
> >> >>  ldap2
> >> >>
> >> >> }
> >> >>
> >> >>authenticate {
> >> >> ldap1
> >> >> ldap2
> >> >> }
> >> >>
> >> >> 
> >> >>
> >> >> When I execute /sbin/radiusd -X
> >> >>
> >> >> It shows instantiating module ldap1 and module ldap2
> >> >>
> >> >> 
> >> >>  Module: Instantiating ldap2
> >> >>   ldap ldap1 {
> >> >> server = "a.b.c.d"
> >> >> port = 389
> >> >> 
> >> >>  Module: Instantiating ldap2
> >> >>   ldap ldap2 {
> >> >> server = "w.x.y.z"
> >> >> port = 389
> >> >> 
> >> >>
> >> >> When sending a radtest request using the following command (from the
> >> >> same machine as one which is running the server)
> >> >>
> >> >> $ radtest user "secret" localhost 2 testing123
> >> >>
> >> >> I get ACCESS-REJECT reply from the server.
> >> >>
> >> >> On the server the logs show something like this
> >> >> ---
> >> >> It shows binding to both LDAP servers one by one through something like
> >> >> this :
> >> >>
> >> >> rlm_ldap: performing user authorization for catch
> >> >> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
> >> >> details
> >> >>

Re: freeradius with multiple ldap servers

2008-07-03 Thread Ivan Kalik
Password (radius) attribute should be Crypt-Password not User-Password.

Ivan Kalik
Kalik Informatika ISP


On 3/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> writes:

>Hello
>
>I set the password_header to = {crypt} and password_attribute to
>"userPassword" (That's the name of the field in the database). Now this
>is what the logs show:
>
>rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter
>(uid=try)
>rlm_ldap: Added User-Password = $1$n48a7wCp$RfvlOx1pZgiVNfmMmA2xS. in
>check items
>rlm_ldap: looking for check items in directory...
>rlm_ldap: looking for reply items in directory...
>rlm_ldap: user try authorized to use remote access
>rlm_ldap: ldap_release_conn: Release Id: 0
>+++[ldap1] returns ok
>++- policy redundant returns ok
>!!!
>!!!Replacing User-Password in config items with
>Cleartext-Password. !!!
>!!!
>!!! Please update your configuration so that the "known
>good"   !!!
>!!! clear text password is in Cleartext-Password, and not in
>User-Password. !!!
>!!!
>auth: type Local
>auth: user supplied User-Password does NOT match local User-Password
>auth: Failed to validate the user.
>  Found Post-Auth-Type Reject
>+- entering group REJECT
>expand: %{User-Name} -> try
> attr_filter: Matched entry DEFAULT at line 11
>
>
>
>My guess is authorize{} worked but not authenticate {}. Also, I see
>both modules ldap1 and ldap2 being loaded but whenever I try to
>authenticate with the username/password that is found in ldap2, the
>radius server never attempts to connect to the other LDAP server.
>Instead it searches for the entries in the "ldap1" server only.
>
>Any suggestions ?
>
>Thanks
>Sambuddho
> 
>
>On Wed, 2008-07-02 at 23:45 +0100, Ivan Kalik wrote:
>> http://wiki.freeradius.org/index.php/Rlm_ldap
>> 
>> See use of password_header and password_attribute.
>> 
>> Ivan Kalik
>> Kalik Informatika ISP
>> 
>> 
>> On 2/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> writes:
>> 
>> >Hello
>> > I think I know what the problem is. The radius server is looking up
>> >using cleartext password, while the LDAP database stores the hashed
>> >passwords. How can I force the radius server to search for the password
>> >as a hashed value (rather than searching for the clear-text value)?
>> >
>> >Thanks
>> >Sambuddho
>> >On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
>> >> Hello Alan
>> >>   I made sure this time that rlm_ldap was compiled. Now the following is
>> >> the configuration
>> >>
>> >> --/etc/raddb/modules/ldap---
>> >>
>> >> ldap ldap1 {
>> >>   server = "a.b.c.d"
>> >>   ...
>> >>   }
>> >>
>> >> ldap ldap2 {
>> >>   server = "w.x.y.z"
>> >>   ...
>> >>   }
>> >>
>> >> -/etc/raddb/radiusd.conf-
>> >>
>> >>
>> >> authorize {
>> >>ldap1
>> >>
>> >>  ldap2
>> >>
>> >> }
>> >>
>> >>authenticate {
>> >> ldap1
>> >> ldap2
>> >> }
>> >>
>> >> 
>> >>
>> >> When I execute /sbin/radiusd -X
>> >>
>> >> It shows instantiating module ldap1 and module ldap2
>> >>
>> >> 
>> >>  Module: Instantiating ldap2
>> >>   ldap ldap1 {
>> >> server = "a.b.c.d"
>> >> port = 389
>> >> 
>> >>  Module: Instantiating ldap2
>> >>   ldap ldap2 {
>> >> server = "w.x.y.z"
>> >> port = 389
>> >> 
>> >>
>> >> When sending a radtest request using the following command (from the
>> >> same machine as one which is running the server)
>> >>
>> >> $ radtest user "secret" localhost 2 testing123
>> >>
>> >> I get ACCESS-REJECT reply from the server.
>> >>
>> >> On the server the logs show something like this
>> >> ---
>> >> It shows binding to both LDAP servers one by one through something like
>> >> this :
>> >>
>> >> rlm_ldap: performing user authorization for catch
>> >> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
>> >> details
>> >> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
>> >> expand: ou=People,dc=example,dc=example ->
>> >> ou=People,dc=example,dc=example
>> >> rlm_ldap: ldap_get_conn: Checking Id: 0
>> >> rlm_ldap: ldap_get_conn: Got Id: 0
>> >> rlm_ldap: attempting LDAP reconnection
>> >> rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0
>> >> rlm_ldap: bind as / to 30.0.0.2:389
>> >> rlm_ldap: waiting for bind result ...
>> >> rlm_ldap: Bind was successful
>> >> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
>> >> filter (uid=catch)
>> >> rlm_ldap: object not found or got ambiguous search result
>> >> rlm_ldap: search failed
>> >> rlm_ldap: ldap_release_conn: Release Id: 0
>> >> ++[ldap1] returns notfound
>> >> rlm_ldap: - authorize
>> >> rlm_ldap
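Ivan's point above (the check attribute must be Crypt-Password, not User-Password) and the quoted log line "user supplied User-Password does NOT match local User-Password" are easiest to see in code. The block below is an added illustration, not FreeRADIUS code: it models the userPassword header detection that the PAP module performs, implements the {crypt} ($1$ MD5-crypt) and {SSHA} schemes in pure Python, and shows the same hash failing when it is compared as cleartext. The password, the {SSHA} salt and all function names are constructed; only the salt n48a7wCp is taken from the log.

```python
"""Added illustration (not FreeRADIUS code) of PAP checking against an LDAP
userPassword value that carries a scheme header such as {crypt} or {SSHA}."""
import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """crypt(3)-style base-64 of the low 6*count bits, least significant first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5_crypt(password: str, salt: str) -> str:
    """crypt(3) MD5 scheme, producing "$1$<salt>$<22 chars>" as seen in the log."""
    pw = password.encode()
    salt_b = salt.encode()[:8]  # the scheme uses at most 8 salt characters
    ctx = hashlib.md5(pw + b"$1$" + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[: min(16, remaining)])
    bits = len(pw)
    while bits:  # historical quirk of the scheme: a NUL for odd bits, pw[0] for even
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for rnd in range(1000):  # 1000-round stretching loop of the $1$ scheme
        c = hashlib.md5(pw if rnd & 1 else final)
        if rnd % 3:
            c.update(salt_b)
        if rnd % 7:
            c.update(pw)
        c.update(final if rnd & 1 else pw)
        final = c.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return "$1$" + salt_b.decode() + "$" + out


def ssha(password: str, salt: bytes) -> str:
    """OpenLDAP {SSHA} payload: base64(sha1(password || salt) || salt)."""
    return base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()


# Header in userPassword -> RADIUS check attribute the PAP module's header
# detection fills in (Ivan's point: Crypt-Password, not User-Password).
HEADER_TO_ATTRIBUTE = {
    "{crypt}": "Crypt-Password",
    "{ssha}": "SSHA-Password",
    "{sha}": "SHA-Password",
    "{md5}": "MD5-Password",
    "{clear}": "Cleartext-Password",
}


def detect_header(stored: str) -> tuple:
    """Split a userPassword value into (check attribute, payload). A value with
    no recognised header is treated as cleartext, which is the
    User-Password -> Cleartext-Password conversion the log reports."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        header = stored[: end + 1].lower()  # headers are case-insensitive
        if header in HEADER_TO_ATTRIBUTE:
            return HEADER_TO_ATTRIBUTE[header], stored[end + 1 :]
    return "Cleartext-Password", stored


def check_password(attribute: str, payload: str, candidate: str) -> bool:
    """Verify the user's candidate against the stored payload per attribute."""
    cand = candidate.encode()
    if attribute == "Cleartext-Password":
        return hmac.compare_digest(payload.encode(), cand)
    if attribute == "Crypt-Password":
        parts = payload.split("$")
        if len(parts) != 4 or parts[1] != "1":
            return False  # only the $1$ scheme is modelled here
        return hmac.compare_digest(md5_crypt(candidate, parts[2]).encode(), payload.encode())
    if attribute in ("SSHA-Password", "SHA-Password", "MD5-Password"):
        raw = base64.b64decode(payload)
        if attribute == "SSHA-Password":  # 20-byte SHA-1 digest followed by the salt
            return hmac.compare_digest(hashlib.sha1(cand + raw[20:]).digest(), raw[:20])
        algo = hashlib.sha1 if attribute == "SHA-Password" else hashlib.md5
        return hmac.compare_digest(algo(cand).digest(), raw)
    return False


def pap_authenticate(stored: str, candidate: str, auto_header: bool) -> bool:
    """auto_header=False reproduces the failing setup in the thread: the
    {crypt} hash is compared as though it were a cleartext User-Password."""
    if not auto_header:
        return check_password("Cleartext-Password", stored, candidate)
    attribute, payload = detect_header(stored)
    return check_password(attribute, payload, candidate)


if __name__ == "__main__":
    # Constructed entry: the password is made up; the salt n48a7wCp is the
    # one visible in the thread's debug log.
    entry = "{crypt}" + md5_crypt("correct-horse", "n48a7wCp")
    print("userPassword:", entry)
    print("header detection off:", pap_authenticate(entry, "correct-horse", False))
    print("header detection on: ", pap_authenticate(entry, "correct-horse", True))
    print("wrong password:      ", pap_authenticate(entry, "wrong", True))
```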

Re: freeradius with multiple ldap servers

2008-07-02 Thread Sambuddho Chakravarty
Hello,
 Maybe I didn't ask the correct question previously. Is it that failover
works only when the first LDAP server is not reachable? In my case both
servers are reachable. I want to configure a case where if the login
fails in one of the servers, the other one is tried.

Thanks
Sambuddho
On Wed, 2008-07-02 at 23:45 +0100, Ivan Kalik wrote:
> http://wiki.freeradius.org/index.php/Rlm_ldap
> 
> See use of password_header and password_attribute.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> 
> On 2/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> writes:
> 
> >Hello
> > I think I know what the problem is. The radius server is looking up
> >using cleartext password, while the LDAP database stores the hashed
> >passwords. How can I force the radius server to search for the password
> >as a hashed value (rather than searching for the clear-text value)?
> >
> >Thanks
> >Sambuddho
> >On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
> >> Hello Alan
> >>   I made sure this time that rlm_ldap was compiled. Now the following is
> >> the configuration
> >>
> >> --/etc/raddb/modules/ldap---
> >>
> >> ldap ldap1 {
> >>server = "a.b.c.d"
> >>...
> >>}
> >>
> >> ldap ldap2 {
> >>server = "w.x.y.z"
> >>...
> >>}
> >>
> >> -/etc/raddb/radiusd.conf-
> >>
> >>
> >> authorize {
> >>ldap1
> >>
> >>  ldap2
> >>
> >> }
> >>
> >>authenticate {
> >> ldap1
> >> ldap2
> >> }
> >>
> >> 
> >>
> >> When I execute /sbin/radiusd -X
> >>
> >> It shows instantiating module ldap1 and module ldap2
> >>
> >> 
> >>  Module: Instantiating ldap2
> >>   ldap ldap1 {
> >> server = "a.b.c.d"
> >> port = 389
> >> 
> >>  Module: Instantiating ldap2
> >>   ldap ldap2 {
> >> server = "w.x.y.z"
> >> port = 389
> >> 
> >>
> >> When sending a radtest request using the following command (from the
> >> same machine as one which is running the server)
> >>
> >> $ radtest user "secret" localhost 2 testing123
> >>
> >> I get ACCESS-REJECT reply from the server.
> >>
> >> On the server the logs show something like this
> >> ---
> >> It shows binding to both LDAP servers one by one through something like
> >> this :
> >>
> >> rlm_ldap: performing user authorization for catch
> >> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
> >> details
> >> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
> >> expand: ou=People,dc=example,dc=example ->
> >> ou=People,dc=example,dc=example
> >> rlm_ldap: ldap_get_conn: Checking Id: 0
> >> rlm_ldap: ldap_get_conn: Got Id: 0
> >> rlm_ldap: attempting LDAP reconnection
> >> rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0
> >> rlm_ldap: bind as / to 30.0.0.2:389
> >> rlm_ldap: waiting for bind result ...
> >> rlm_ldap: Bind was successful
> >> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
> >> filter (uid=catch)
> >> rlm_ldap: object not found or got ambiguous search result
> >> rlm_ldap: search failed
> >> rlm_ldap: ldap_release_conn: Release Id: 0
> >> ++[ldap1] returns notfound
> >> rlm_ldap: - authorize
> >> rlm_ldap: performing user authorization for catch
> >> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
> >> details
> >> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
> >> expand: ou=People,dc=example,dc=example ->
> >> ou=People,dc=example,dc=example
> >> rlm_ldap: ldap_get_conn: Checking Id: 0
> >> rlm_ldap: ldap_get_conn: Got Id: 0
> >> rlm_ldap: attempting LDAP reconnection
> >> rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0
> >> rlm_ldap: bind as / to 10.0.0.1:389
> >> rlm_ldap: waiting for bind result ...
> >> rlm_ldap: Bind was successful
> >> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
> >> filter (uid=catch)
> >> rlm_ldap: object not found or got ambiguous search result
> >> rlm_ldap: search failed
> >> rlm_ldap: ldap_release_conn: Release Id: 0
> >> ++[ldap2] returns notfound
> >>
> >> auth: No authenticate method (Auth-Type) configuration found for the
> >> request: Rejecting the user
> >> auth: Failed to validate the user.
> >>
> >> You can see it is attempting to search both databases but fails. If I
> >> use a simple telnet or ssh to authenticate against the LDAP server it
> >> logs in fine. LDAP client login against the LDAP server is otherwise
> >> working fine. I know I have been bothering you with trivial questions, but
> >> any help would be appreciated :-)
> >>
> >> Thanks in advance.
> >> Sambuddho
> >>
> >>
> >>
> >> On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote:
> >> > Sambuddho Chakravarty wrote:
> >> > >  This is exactly what I did. I forgot to put the separate module names
> >> >
> >> >   The consistent problems you see make me think that the issue is more
> >> > than "forgot".

Re: freeradius with multiple ldap servers

2008-07-02 Thread Sambuddho Chakravarty
Hello

I set the password_header to = {crypt} and password_attribute to
"userPassword" (That's the name of the field in the database). Now this
is what the logs show:

rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter
(uid=try)
rlm_ldap: Added User-Password = $1$n48a7wCp$RfvlOx1pZgiVNfmMmA2xS. in
check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user try authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap1] returns ok
++- policy redundant returns ok
!!!
!!!Replacing User-Password in config items with
Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the "known
good"   !!!
!!! clear text password is in Cleartext-Password, and not in
User-Password. !!!
!!!
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> try
 attr_filter: Matched entry DEFAULT at line 11



My guess is authorize{} worked but not authenticate {}. Also, I see
both modules ldap1 and ldap2 being loaded but whenever I try to
authenticate with the username/password that is found in ldap2, the
radius server never attempts to connect to the other LDAP server.
Instead it searches for the entries in the "ldap1" server only.

Any suggestions?

Thanks
Sambuddho
 

On Wed, 2008-07-02 at 23:45 +0100, Ivan Kalik wrote:
> http://wiki.freeradius.org/index.php/Rlm_ldap
> 
> See use of password_header and password_attribute.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> 
> On 2/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> writes:
> 
> >Hello
> > I think I know what the problem is. The radius server is looking up
> >using cleartext password, while the LDAP database stores the hashed
> >passwords. How can I force the radius server to search for the password
> >as a hashed value (rather than searching for the clear-text value)?
> >
> >Thanks
> >Sambuddho
> >On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
> >> Hello Alan
> >>   I made sure this time that rlm_ldap was compiled. Now the following is
> >> the configuration
> >>
> >> --/etc/raddb/modules/ldap---
> >>
> >> ldap ldap1 {
> >>server = "a.b.c.d"
> >>...
> >>}
> >>
> >> ldap ldap2 {
> >>server = "w.x.y.z"
> >>...
> >>}
> >>
> >> -/etc/raddb/radiusd.conf-
> >>
> >>
> >> authorize {
> >>ldap1
> >>
> >>  ldap2
> >>
> >> }
> >>
> >>authenticate {
> >> ldap1
> >> ldap2
> >> }
> >>
> >> 
> >>
> >> When I execute /sbin/radiusd -X
> >>
> >> It shows instantiating module ldap1 and module ldap2
> >>
> >> 
> >>  Module: Instantiating ldap2
> >>   ldap ldap1 {
> >> server = "a.b.c.d"
> >> port = 389
> >> 
> >>  Module: Instantiating ldap2
> >>   ldap ldap2 {
> >> server = "w.x.y.z"
> >> port = 389
> >> 
> >>
> >> When sending a radtest request using the following command (from the
> >> same machine as one which is running the server)
> >>
> >> $ radtest user "secret" localhost 2 testing123
> >>
> >> I get ACCESS-REJECT reply from the server.
> >>
> >> On the server the logs show something like this
> >> ---
> >> It shows binding to both LDAP servers one by one through something like
> >> this :
> >>
> >> rlm_ldap: performing user authorization for catch
> >> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
> >> details
> >> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
> >> expand: ou=People,dc=example,dc=example ->
> >> ou=People,dc=example,dc=example
> >> rlm_ldap: ldap_get_conn: Checking Id: 0
> >> rlm_ldap: ldap_get_conn: Got Id: 0
> >> rlm_ldap: attempting LDAP reconnection
> >> rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0
> >> rlm_ldap: bind as / to 30.0.0.2:389
> >> rlm_ldap: waiting for bind result ...
> >> rlm_ldap: Bind was successful
> >> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
> >> filter (uid=catch)
> >> rlm_ldap: object not found or got ambiguous search result
> >> rlm_ldap: search failed
> >> rlm_ldap: ldap_release_conn: Release Id: 0
> >> ++[ldap1] returns notfound
> >> rlm_ldap: - authorize
> >> rlm_ldap: performing user authorization for catch
> >> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
> >> details
> >> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
> >> expand: ou=People,dc=example,dc=example ->
> >> ou=People,dc=example,dc=example
> >> rlm_ldap: ld

Re: freeradius with multiple ldap servers

2008-07-02 Thread Ivan Kalik
http://wiki.freeradius.org/index.php/Rlm_ldap

See use of password_header and password_attribute.

Ivan Kalik
Kalik Informatika ISP


On 2/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> writes:

>Hello
> I think I know what the problem is. The radius server is looking up
>using cleartext password, while the LDAP database stores the hashed
>passwords. How can I force the radius server to search for the password
>as a hashed value (rather than searching for the clear-text value)?
>
>Thanks
>Sambuddho
>On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
>> Hello Alan
>>   I made sure this time that rlm_ldap was compiled. Now the following is
>> the configuration
>>
>> --/etc/raddb/modules/ldap---
>>
>> ldap ldap1 {
>>  server = "a.b.c.d"
>>  ...
>>  }
>>
>> ldap ldap2 {
>>  server = "w.x.y.z"
>>  ...
>>  }
>>
>> -/etc/raddb/radiusd.conf-
>>
>>
>> authorize {
>>ldap1
>>
>>  ldap2
>>
>> }
>>
>>authenticate {
>> ldap1
>> ldap2
>> }
>>
>> 
>>
>> When I execute /sbin/radiusd -X
>>
>> It shows instantiating module ldap1 and module ldap2
>>
>> 
>>  Module: Instantiating ldap2
>>   ldap ldap1 {
>> server = "a.b.c.d"
>> port = 389
>> 
>>  Module: Instantiating ldap2
>>   ldap ldap2 {
>> server = "w.x.y.z"
>> port = 389
>> 
>>
>> When sending a radtest request using the following command (from the
>> same machine as one which is running the server)
>>
>> $ radtest user "secret" localhost 2 testing123
>>
>> I get ACCESS-REJECT reply from the server.
>>
>> On the server the logs show something like this
>> ---
>> It shows binding to both LDAP servers one by one through something like
>> this :
>>
>> rlm_ldap: performing user authorization for catch
>> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
>> details
>> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
>> expand: ou=People,dc=example,dc=example ->
>> ou=People,dc=example,dc=example
>> rlm_ldap: ldap_get_conn: Checking Id: 0
>> rlm_ldap: ldap_get_conn: Got Id: 0
>> rlm_ldap: attempting LDAP reconnection
>> rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0
>> rlm_ldap: bind as / to 30.0.0.2:389
>> rlm_ldap: waiting for bind result ...
>> rlm_ldap: Bind was successful
>> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
>> filter (uid=catch)
>> rlm_ldap: object not found or got ambiguous search result
>> rlm_ldap: search failed
>> rlm_ldap: ldap_release_conn: Release Id: 0
>> ++[ldap1] returns notfound
>> rlm_ldap: - authorize
>> rlm_ldap: performing user authorization for catch
>> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
>> details
>> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
>> expand: ou=People,dc=example,dc=example ->
>> ou=People,dc=example,dc=example
>> rlm_ldap: ldap_get_conn: Checking Id: 0
>> rlm_ldap: ldap_get_conn: Got Id: 0
>> rlm_ldap: attempting LDAP reconnection
>> rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0
>> rlm_ldap: bind as / to 10.0.0.1:389
>> rlm_ldap: waiting for bind result ...
>> rlm_ldap: Bind was successful
>> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
>> filter (uid=catch)
>> rlm_ldap: object not found or got ambiguous search result
>> rlm_ldap: search failed
>> rlm_ldap: ldap_release_conn: Release Id: 0
>> ++[ldap2] returns notfound
>>
>> auth: No authenticate method (Auth-Type) configuration found for the
>> request: Rejecting the user
>> auth: Failed to validate the user.
>>
>> You can see it is attempting to search both databases but fails. If I
>> use a simple telnet or ssh to authenticate against the LDAP server it
>> logs in fine. LDAP client login against the LDAP server is otherwise
>> working fine. I know I have been bothering you with trivial questions, but
>> any help would be appreciated :-)
>>
>> Thanks in advance.
>> Sambuddho
>>
>>
>>
>> On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote:
>> > Sambuddho Chakravarty wrote:
>> > >  This is exactly what I did. I forgot to put the separate module names
>> >
>> >   The consistent problems you see make me think that the issue is more
>> > than "forgot".
>> >
>> > > And now when I try to start the server this is what the error I see :
>> > >
>> > >
>> > > server {
>> > >  modules {
>> > >  Module: Checking authenticate {...} for more modules to load
>> > > //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap':
>> >
>> >   So was that module built?  Apparently not...
>> >
>> > > When trying with a single server, it matches the radius request against
>> > > rlm_pap and not rlm_ldap. I am confused.
>> >
>> >   Perhaps reading the debug output (and that of "configure" and "make")
>> > would help.
>> >
>> >   Alan DeKok.

Re: freeradius with multiple ldap servers

2008-07-02 Thread Sambuddho Chakravarty
Hello
 I think I know what the problem is. The radius server is looking up
using cleartext password, while the LDAP database stores the hashed
passwords. How can I force the radius server to search for the password
as a hashed value (rather than searching for the clear-text value)?

Thanks
Sambuddho
On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
> Hello Alan
>   I made sure this time that rlm_ldap was compiled. Now the following is
> the configuration
> 
> --/etc/raddb/modules/ldap---
> 
> ldap ldap1 {
>   server = "a.b.c.d"
>   ...
>   }
> 
> ldap ldap2 {
>   server = "w.x.y.z"
>   ...
>   }
> 
> -/etc/raddb/radiusd.conf-
> 
> 
> authorize {
>ldap1
> 
>  ldap2
> 
> }
> 
>authenticate {
> ldap1
> ldap2
> }
> 
> 
> 
> When I execute /sbin/radiusd -X 
> 
> It shows instantiating module ldap1 and module ldap2 
> 
> 
>  Module: Instantiating ldap2
>   ldap ldap1 {
> server = "a.b.c.d"
> port = 389
> 
>  Module: Instantiating ldap2
>   ldap ldap2 {
> server = "w.x.y.z"
> port = 389
> 
> 
> When sending a radtest request using the following command (from the
> same machine as one which is running the server)
> 
> $ radtest user "secret" localhost 2 testing123
> 
> I get ACCESS-REJECT reply from the server.
> 
> On the server the logs show something like this
> ---
> It shows binding to both LDAP servers one by one through something like
> this :
> 
> rlm_ldap: performing user authorization for catch
> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
> details
> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
> expand: ou=People,dc=example,dc=example ->
> ou=People,dc=example,dc=example
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0
> rlm_ldap: bind as / to 30.0.0.2:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
> filter (uid=catch)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap1] returns notfound
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for catch
> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
> details
> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
> expand: ou=People,dc=example,dc=example ->
> ou=People,dc=example,dc=example
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0
> rlm_ldap: bind as / to 10.0.0.1:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
> filter (uid=catch)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap2] returns notfound
> 
> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user
> auth: Failed to validate the user.
> 
> You can see it is attempting to search both databases but fails. If I
> use a simple telnet or ssh to authenticate against the LDAP server it
> logs in fine. LDAP client login against the LDAP server is otherwise
> working fine. I know I have been bothering you with trivial questions, but
> any help would be appreciated :-)
> 
> Thanks in advance.
> Sambuddho
> 
> 
> 
> On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote:
> > Sambuddho Chakravarty wrote:
> > >  This is exactly what I did. I forgot to put the separate module names
> > 
> >   The consistent problems you see make me think that the issue is more
> > than "forgot".
> > 
> > > And now when I try to start the server this is what the error I see :
> > > 
> > > 
> > > server {
> > >  modules {
> > >  Module: Checking authenticate {...} for more modules to load
> > > //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap':
> > 
> >   So was that module built?  Apparently not...
> > 
> > > When trying with a single server, it matches the radius request against
> > > rlm_pap and not rlm_ldap. I am confused. 
> > 
> >   Perhaps reading the debug output (and that of "configure" and "make")
> > would help.
> > 
> >   Alan DeKok.


Re: freeradius with multiple ldap servers

2008-07-02 Thread Sambuddho Chakravarty
Hello Alan
  I made sure this time that rlm_ldap was compiled. Now the following is
the configuration

--/etc/raddb/modules/ldap---

ldap ldap1 {
server = "a.b.c.d"
...
}

ldap ldap2 {
server = "w.x.y.z"
...
}

-/etc/raddb/radiusd.conf-


authorize {
    ldap1
    ldap2
}

authenticate {
    ldap1
    ldap2
}



When I execute /sbin/radiusd -X 

It shows instantiating module ldap1 and module ldap2 


 Module: Instantiating ldap2
  ldap ldap1 {
server = "a.b.c.d"
port = 389

 Module: Instantiating ldap2
  ldap ldap2 {
server = "w.x.y.z"
port = 389


When sending a radtest request using the following command (from the
same machine as one which is running the server)

$ radtest user "secret" localhost 2 testing123

I get ACCESS-REJECT reply from the server.

On the server the logs show something like this
---
It shows binding to both LDAP servers one by one through something like
this:

rlm_ldap: performing user authorization for catch
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
expand: ou=People,dc=example,dc=example ->
ou=People,dc=example,dc=example
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0
rlm_ldap: bind as / to 30.0.0.2:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,dc=example,dc=example, with
filter (uid=catch)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap1] returns notfound
rlm_ldap: - authorize
rlm_ldap: performing user authorization for catch
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
expand: ou=People,dc=example,dc=example ->
ou=People,dc=example,dc=example
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0
rlm_ldap: bind as / to 10.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,dc=example,dc=example, with
filter (uid=catch)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap2] returns notfound

auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.

You can see it is attempting to search both databases but fails. If I
use a simple telnet or ssh to authenticate against the LDAP server it
logs in fine. LDAP client login against the LDAP server is otherwise
working fine. I know I have been bothering you with trivial questions. But
any help would be appreciated :-)

Thanks in advance.
Sambuddho



On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote:
> Sambuddho Chakravarty wrote:
> >  This is exactly what I did. I forgot to put the separate module names
> 
>   The consistent problems you see make me think that the issue is more
> than "forgot".
> 
> > And now when I try to start the server this is the error I see:
> > 
> > 
> > server {
> >  modules {
> >  Module: Checking authenticate {...} for more modules to load
> > //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap':
> 
>   So was that module built?  Apparently not...
> 
> > When trying with a single server, it matches the radius request against
> > rlm_pap and not rlm_ldap. I am confused.
> 
>   Perhaps reading the debug output (and that of "configure" and "make")
> would help.
> 
>   Alan DeKok.
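Pulling the thread's pieces together, here is a complete two-directory layout for a 2.0 server, added here as an example; it is neither configuration posted in the thread nor the project's shipped files. The base DN is an assumption (the thread shows two different ones), and auto_header is the pap option that the fix reported at the top of the thread calls automatic header detection.

```conf
# ---- /etc/raddb/modules/ldap (both blocks may also sit in two files) -------
# Two instances of rlm_ldap. The word after "ldap" is the instance name that
# authorize/authenticate refer to; two blocks both named plain "ldap" give the
# duplicate-name error seen earlier in the thread.
ldap ldap1 {
    server = "30.0.0.2"
    port = 389
    # Assumed base DN: the thread shows "ou=People,cu=example,c=com" in the
    # module files but "ou=People,dc=example,dc=example" in the debug output;
    # a search under the wrong base returns "notfound" exactly as logged.
    basedn = "ou=People,dc=example,dc=com"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    ldap_connections_number = 5
    timeout = 40
    timelimit = 30
    net_timeout = 10
    tls {
        start_tls = no
        require_cert = "demand"
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
}

ldap ldap2 {
    server = "10.0.0.1"
    port = 389
    basedn = "ou=People,dc=example,dc=com"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    ldap_connections_number = 5
    timeout = 40
    timelimit = 30
    net_timeout = 10
    tls {
        start_tls = no
        require_cert = "demand"
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
}

# ---- /etc/raddb/modules/pap -----------------------------------------------
pap {
    # userPassword in the directory carries a "{crypt}" header. With
    # auto_header = yes the pap module recognises the header and compares the
    # cleartext password radtest sends against the stored hash; left at "no"
    # (the poster's original setting) the stored "{crypt}..." string is
    # compared as if it were the cleartext password.
    auto_header = yes
}

# ---- radiusd.conf (sites-enabled/default in a stock 2.0 tree) -------------
authorize {
    preprocess
    # "redundant" is fail-over, not fan-out: ldap2 runs only when ldap1
    # returns "fail" (directory unreachable). A user that exists only in
    # ldap2 is reported "notfound" by ldap1 and never looked up in ldap2.
    redundant {
        ldap1
        ldap2
    }
    # To search both directories for every user instead, list them plainly,
    # which is what the debug output above shows:
    #     ldap1
    #     ldap2
    #
    # pap sets Auth-Type = PAP once an LDAP instance has fetched a password.
    # When no instance finds the user nothing sets an Auth-Type, which is the
    # "No authenticate method (Auth-Type)" rejection logged above.
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
}
```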


Re: freeradius with multiple ldap servers

2008-07-01 Thread Alan DeKok
Sambuddho Chakravarty wrote:
>  This is exactly what I did. I forgot to put the separate module names

  The consistent problems you see make me think that the issue is more
than "forgot".

> And now when I try to start the server this is the error I see:
> 
> 
> server {
>  modules {
>  Module: Checking authenticate {...} for more modules to load
> //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap':

  So was that module built?  Apparently not...

> When trying with a single server, it matches the radius request against
> rlm_pap and not rlm_ldap. I am confused.

  Perhaps reading the debug output (and that of "configure" and "make")
would help.

  Alan DeKok.


Re: freeradius with multiple ldap servers

2008-07-01 Thread Sambuddho Chakravarty
Hello
 This is exactly what I did. I forgot to put the separate module names
here in the email; it is like this:

/etc/raddb/modules/ldap1
 ldap ldap1{
...
}

 /etc/raddb/modules/ldap2---
 
 ldap ldap2{
..
}

Or should it be one file?

And now when I try to start the server this is the error I see:


server {
 modules {
 Module: Checking authenticate {...} for more modules to load
//etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap':
rlm_ldap.so: cannot open shared object file: No such file or directory 
//etc/raddb/radiusd.conf[744]: Failed to find module "ldap1".
//etc/raddb/radiusd.conf[743]: Errors parsing authenticate section. 
 }
}


The radiusd.conf has this:

authorize {
redundant {
 ldap1
ldap2
 }
}

   authenticate {
ldap1
ldap2
}

The rest of radiusd.conf is untouched.

When trying with a single server, it matches the radius request against
rlm_pap and not rlm_ldap. I am confused.

Thanks
Sambuddho

 
On Tue, 2008-07-01 at 09:26 +0200, Alan DeKok wrote:
> Sambuddho Chakravarty wrote:
> > Hello 
> >  But this never really worked. I did exactly this. The ldap1 and ldap2
> > are files with the following
> > 
> > /etc/raddb/modules/ldap1
> >  
> > ldap {
> ...
> > /etc/raddb/modules/ldap2---
> > 
> > ldap {
> 
>   You have two modules named "ldap".  Go read the comments at the top of
> the "modules" section in radiusd.conf.
> 
>   And before you go any further, PLEASE read the comments in the
> configuration files.  You have been told to do this before, and it's
> clear that you either haven't done so, or you haven't understood them.
> 
>   Alan DeKok.


Re: freeradius with multiple ldap servers

2008-07-01 Thread Ivan Kalik
ldap ldap1 {
..
}

ldap ldap2 {
..
}

Ivan Kalik
Kalik Informatika ISP


On 1/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> writes:

>Hello
> But this never really worked. I did exactly this. The ldap1 and ldap2
>are files with the following
>
>/etc/raddb/modules/ldap1
>
>ldap {
>server = "30.0.0.2"
>basedn = "ou=People,cu=example,c=com"
>filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>port = 389
>ldap_connections_number = 5
>
>timeout = 40
>
>timelimit = 30
>   net_timeout = 10
>tls {
>start_tls = no
>
> require_cert   = "demand"
>}
>
>dictionary_mapping = ${confdir}/ldap.attrmap
>edir_account_policy_check = no
>}
>
>
>/etc/raddb/modules/ldap2---
>
>ldap {
>server = "10.0.0.1"
>basedn = "ou=People,cu=example,c=com"
>filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>port = 389
>ldap_connections_number = 5
>
>timeout = 40
>
>timelimit = 30
>   net_timeout = 10
>tls {
>start_tls = no
>
> require_cert   = "demand"
>}
>
>dictionary_mapping = ${confdir}/ldap.attrmap
>edir_account_policy_check = no
>}
>
>--
>
>The only difference in both files is the LDAP server IP address. When I
>did as I mentioned in my previous email and executed /sbin/radiusd -X -C
>the execution ended with the following error:
>
>
> Module: Checking authenticate {...} for more modules to load
>//etc/raddb/radiusd.conf[757]: Failed to find module "ldap1".
>//etc/raddb/radiusd.conf[756]: Errors parsing authenticate section.
> }
>
>
>Also, one more observation: when I had a single LDAP server and it
>actually worked fine, the debug messages showed
>
>found rlm_pap, while I think it should be showing rlm_ldap. Why is this
>so? But authentication worked fine and the client received an
>ACCESS-ACCEPT message as reply.
>
>Thanks
>Sambuddho
>
>
>
>
>On Thu, 2008-06-19 at 13:50 -0400, Sambuddho Chakravarty wrote:
>> Do you mean something like this?
>>
>>   authorize {
>>  redundant {
>>   ldap1
>>  ldap2
>>  }
>>  }
>>
>>authenticate {
>>  ldap1
>>  ldap2
>>  }
>>
>> The reason I list them here is to use them for authentication against
>> multiple LDAP servers whose configuration information is in the two
>> files modules/ldap1 and modules/ldap2. Does this look valid ?
>>
>> Thanks
>> Sambuddho
>>
>> On Thu, 2008-06-19 at 09:35 +0200, Alan DeKok wrote:
>> > Sambuddho Chakravarty wrote:
>> > > Yes, but on a freeradius-2.05, when I create a separate authenticate
>> > > {} and authorize {} subsection and plug in the following:
>> > >
>> > > authorize {
>> > >Autz-Type LDAP {
>> >
>> >   You don't need to use Autz-Type in 2.0.
>> >
>> > > authenticate {
>> > >Auth-Type LDAP{
>> > > redundant{
>> >
>> >   Don't use redundant sections here.  Just list the two LDAP modules
>> > independently.  The LDAP server that was used in the authorize section
>> > will ensure that it is also used in the authenticate section.
>> >
>> > >   ${confdir}/modules/ldap1
>> >
>> >   And I hope that's not what I think it is.
>> >
>> > > It doesn't work.
>> >
>> >   See the FAQ for "it doesn't work".
>> >
>> > > Here the ldap1 and ldap2 are two separate files in
>> > > the /etc/raddb/modules directory and have separate ldap server IP
>> > > addresses. Can anyone please point out to me where I am going wrong?
>> >
>> >   Lots.  The major one is that you are putting the module
>> > *configuration* into the authorize and authenticate sections.  I have no
>> > idea why you think that's a good idea.  The examples included in the
>> > server DO NOT DO THIS.
>> >
>> >   The files in the "modules" directory belong in the "modules" section
>> > of radiusd.conf.  This is documented in the comments, and in many examples.
>> >
>> >   The entries in the "authorize" and "authenticate" sections are simply
>> > a one-word reference to the name of a module.  Again, this is documented
>> > in the comments and in many examples.
>> >
>> >   Alan DeKok.


Re: freeradius with multiple ldap servers

2008-07-01 Thread Alan DeKok
Sambuddho Chakravarty wrote:
> Hello 
>  But this never really worked. I did exactly this. The ldap1 and ldap2
> are files with the following
> 
> /etc/raddb/modules/ldap1
>  
> ldap {
...
> /etc/raddb/modules/ldap2---
> 
> ldap {

  You have two modules named "ldap".  Go read the comments at the top of
the "modules" section in radiusd.conf.

  And before you go any further, PLEASE read the comments in the
configuration files.  You have been told to do this before, and it's
clear that you either haven't done so, or you haven't understood them.

  Alan DeKok.


Re: freeradius with multiple ldap servers

2008-06-30 Thread Sambuddho Chakravarty
Hello 
 But this never really worked. I did exactly this. The ldap1 and ldap2
are files with the following

/etc/raddb/modules/ldap1
 
ldap {
server = "30.0.0.2"
basedn = "ou=People,cu=example,c=com"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
port = 389
ldap_connections_number = 5

timeout = 40

timelimit = 30
net_timeout = 10
tls {
start_tls = no

 require_cert   = "demand"
}

dictionary_mapping = ${confdir}/ldap.attrmap
 edir_account_policy_check = no
}


/etc/raddb/modules/ldap2---

ldap {
server = "10.0.0.1"
basedn = "ou=People,cu=example,c=com"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
port = 389
ldap_connections_number = 5

timeout = 40

timelimit = 30
net_timeout = 10
tls {
start_tls = no

 require_cert   = "demand"
}

dictionary_mapping = ${confdir}/ldap.attrmap
 edir_account_policy_check = no
}

--

The only difference in both files is the LDAP server IP address. When I
did as I mentioned in my previous email and executed /sbin/radiusd -X -C
the execution ended with the following error:


 Module: Checking authenticate {...} for more modules to load
//etc/raddb/radiusd.conf[757]: Failed to find module "ldap1".
//etc/raddb/radiusd.conf[756]: Errors parsing authenticate section. 
 }


Also, one more observation: when I had a single LDAP server and it
actually worked fine, the debug messages showed

found rlm_pap, while I think it should be showing rlm_ldap. Why is this
so? But authentication worked fine and the client received an
ACCESS-ACCEPT message as reply.

Thanks
Sambuddho




On Thu, 2008-06-19 at 13:50 -0400, Sambuddho Chakravarty wrote:
> Do you mean something like this?
>
>   authorize {
>   redundant {
>ldap1 
>   ldap2 
>  }
>   }
> 
>authenticate {
>   ldap1
>   ldap2
>   }
> 
> The reason I list them here is to use them for authentication against
> multiple LDAP servers whose configuration information is in the two
> files modules/ldap1 and modules/ldap2. Does this look valid ?
> 
> Thanks
> Sambuddho
>   
> On Thu, 2008-06-19 at 09:35 +0200, Alan DeKok wrote:
> > Sambuddho Chakravarty wrote:
> > > Yes, but on a freeradius-2.05, when I create a separate authenticate
> > > {} and authorize {} subsection and plug in the following:
> > > 
> > > authorize {
> > >Autz-Type LDAP {
> > 
> >   You don't need to use Autz-Type in 2.0.
> > 
> > > authenticate {
> > >Auth-Type LDAP{
> > > redundant{
> > 
> >   Don't use redundant sections here.  Just list the two LDAP modules
> > independently.  The LDAP server that was used in the authorize section
> > will ensure that it is also used in the authenticate section.
> > 
> > >   ${confdir}/modules/ldap1
> > 
> >   And I hope that's not what I think it is.
> > 
> > > It doesn't work.
> > 
> >   See the FAQ for "it doesn't work".
> > 
> > > Here the ldap1 and ldap2 are two separate files in
> > > the /etc/raddb/modules directory and have separate ldap server IP
> > > addresses. Can anyone please point out to me where I am going wrong?
> > 
> >   Lots.  The major one is that you are putting the module
> > *configuration* into the authorize and authenticate sections.  I have no
> > idea why you think that's a good idea.  The examples included in the
> > server DO NOT DO THIS.
> > 
> >   The files in the "modules" directory belong in the "modules" section
> > of radiusd.conf.  This is documented in the comments, and in many examples.
> > 
> >   The entries in the "authorize" and "authenticate" sections are simply
> > a one-word reference to the name of a module.  Again, this is documented
> > in the comments and in many examples.
> > 
> >   Alan DeKok.


Re: freeradius with multiple ldap servers

2008-06-19 Thread Alan DeKok
Sambuddho Chakravarty wrote:
> Do you mean something like this?

  Yes.

  Alan DeKok.


Re: freeradius with multiple ldap servers

2008-06-19 Thread Sambuddho Chakravarty
Do you mean something like this?
   
  authorize {
redundant {
 ldap1 
ldap2 
 }
}

   authenticate {
ldap1
ldap2
}

The reason I list them here is to use them for authentication against
multiple LDAP servers whose configuration information is in the two
files modules/ldap1 and modules/ldap2. Does this look valid ?

Thanks
Sambuddho
  
On Thu, 2008-06-19 at 09:35 +0200, Alan DeKok wrote:
> Sambuddho Chakravarty wrote:
> > Yes, but on a freeradius-2.05, when I create a separate authenticate
> > {} and authorize {} subsection and plug in the following:
> > 
> > authorize {
> >Autz-Type LDAP {
> 
>   You don't need to use Autz-Type in 2.0.
> 
> > authenticate {
> >Auth-Type LDAP{
> > redundant{
> 
>   Don't use redundant sections here.  Just list the two LDAP modules
> independently.  The LDAP server that was used in the authorize section
> will ensure that it is also used in the authenticate section.
> 
> >   ${confdir}/modules/ldap1
> 
>   And I hope that's not what I think it is.
> 
> > It doesn't work.
> 
>   See the FAQ for "it doesn't work".
> 
> > Here the ldap1 and ldap2 are two separate files in
> > the /etc/raddb/modules directory and have separate ldap server IP
> > addresses. Can anyone please point out to me where I am going wrong?
> 
>   Lots.  The major one is that you are putting the module
> *configuration* into the authorize and authenticate sections.  I have no
> idea why you think that's a good idea.  The examples included in the
> server DO NOT DO THIS.
> 
>   The files in the "modules" directory belong in the "modules" section
> of radiusd.conf.  This is documented in the comments, and in many examples.
> 
>   The entries in the "authorize" and "authenticate" sections are simply
> a one-word reference to the name of a module.  Again, this is documented
> in the comments and in many examples.
> 
>   Alan DeKok.


Re: freeradius with multiple ldap servers

2008-06-19 Thread Alan DeKok
Sambuddho Chakravarty wrote:
> Yes, but on a freeradius-2.05, when I create a separate authenticate
> {} and authorize {} subsection and plug in the following:
> 
> authorize {
>Autz-Type LDAP {

  You don't need to use Autz-Type in 2.0.

> authenticate {
>Auth-Type LDAP{
> redundant{

  Don't use redundant sections here.  Just list the two LDAP modules
independently.  The LDAP server that was used in the authorize section
will ensure that it is also used in the authenticate section.

>   ${confdir}/modules/ldap1

  And I hope that's not what I think it is.

> It doesn't work.

  See the FAQ for "it doesn't work".

> Here the ldap1 and ldap2 are two separate files in
> the /etc/raddb/modules directory and have separate ldap server IP
> addresses. Can anyone please point out to me where I am going wrong?

  Lots.  The major one is that you are putting the module
*configuration* into the authorize and authenticate sections.  I have no
idea why you think that's a good idea.  The examples included in the
server DO NOT DO THIS.

  The files in the "modules" directory belong in the "modules" section
of radiusd.conf.  This is documented in the comments, and in many examples.

  The entries in the "authorize" and "authenticate" sections are simply
a one-word reference to the name of a module.  Again, this is documented
in the comments and in many examples.

  Alan DeKok.


Re: freeradius with multiple ldap servers

2008-06-19 Thread Sambuddho Chakravarty
Yes, but on a freeradius-2.05, when I create a separate authenticate
{} and authorize {} subsection and plug in the following:

authorize {
   Autz-Type LDAP {
redundant {
  ${confdir}/modules/ldap1
  ${confdir}/modules/ldap2
 }
   }
}

authenticate {
   Auth-Type LDAP{
redundant{
  ${confdir}/modules/ldap1
  ${confdir}/modules/ldap2
 }
   }
}

It doesn't work. Here the ldap1 and ldap2 are two separate files in
the /etc/raddb/modules directory and have separate ldap server IP
addresses. Can anyone please point out to me where I am going wrong?

Thanks
Sambuddho


On Sun, 2008-06-15 at 01:55 -0700, Chris wrote:
> As in:
> 
> redundant {
> ldap1
> ldap2
> }
> 
> On Jun 15, 2008, at 1:08 AM, Ivan Kalik wrote:
> 
> > http://www.freeradius.org/radiusd/man/unlang.html
> >
> > Ivan Kalik
> > Kalik Informatika ISP
> >
> >
> > On 15/6/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> writes:
> >
> >> Hello All
> >> Will creating multiple instances of the /etc/raddb/modules/ldap1
> >> and /etc/raddb/modules/ldap2 each with different LDAP server addresses
> >> and database information work for having a user authenticate against
> >> either of the two LDAP servers? By that I mean: say our user 'try'
> >> tries to authenticate and sends the radius server an authentication
> >> request message; then, will having two files /etc/raddb/modules/ldap1
> >> and /etc/raddb/modules/ldap2 cause the server to connect to both the
> >> servers and check for authentication? If not, can anyone please
> >> suggest the way of doing this?
> >>
> >> Thanks
> >> Sambuddho
> >>

Re: freeradius with multiple ldap servers

2008-06-15 Thread Chris

As in:

redundant {
   ldap1
   ldap2
}

On Jun 15, 2008, at 1:08 AM, Ivan Kalik wrote:

> http://www.freeradius.org/radiusd/man/unlang.html
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 15/6/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> writes:
>
> > Hello All
> > Will creating multiple instances of the /etc/raddb/modules/ldap1
> > and /etc/raddb/modules/ldap2 each with different LDAP server addresses
> > and database information work for having a user authenticate against
> > either of the two LDAP servers? By that I mean: say our user 'try'
> > tries to authenticate and sends the radius server an authentication
> > request message; then, will having two files /etc/raddb/modules/ldap1
> > and /etc/raddb/modules/ldap2 cause the server to connect to both the
> > servers and check for authentication? If not, can anyone please
> > suggest the way of doing this?
> >
> > Thanks
> > Sambuddho


Re: freeradius with multiple ldap servers

2008-06-15 Thread Ivan Kalik
http://www.freeradius.org/radiusd/man/unlang.html

Ivan Kalik
Kalik Informatika ISP


On 15/6/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> writes:

>Hello All
> Will creating multiple instances of the /etc/raddb/modules/ldap1
>and /etc/raddb/modules/ldap2 each with different LDAP server addresses
>and database information work for having a user authenticate against
>either of the two LDAP servers? By that I mean: say our user 'try'
>tries to authenticate and sends the radius server an authentication
>request message; then, will having two files /etc/raddb/modules/ldap1
>and /etc/raddb/modules/ldap2 cause the server to connect to both the
>servers and check for authentication? If not, can anyone please
>suggest the way of doing this?
>
>Thanks
>Sambuddho
>


freeradius with multiple ldap servers

2008-06-14 Thread Sambuddho Chakravarty
Hello All
 Will creating multiple instances of the /etc/raddb/modules/ldap1
and /etc/raddb/modules/ldap2 each with different LDAP server addresses
and database information work for having a user authenticate against
either of the two LDAP servers? By that I mean: say our user 'try'
tries to authenticate and sends the radius server an authentication
request message; then, will having two files /etc/raddb/modules/ldap1
and /etc/raddb/modules/ldap2 cause the server to connect to both the
servers and check for authentication? If not, can anyone please
suggest the way of doing this?

Thanks
Sambuddho



Re: Freeradius with Multiple Ldap Servers

2004-09-16 Thread Michael Griego
See doc/configurable_failover in the source tree.

--Mike


On Thu, 2004-09-16 at 08:23, Matthew Hunter wrote:
> I have Freeradius configured with Ldap which works but I would like to
> specify a secondary Ldap server in case the primary ldap goes down.  How
> would I go about doing that?  Thanks
> 
> Matt Hunter
> Network Analyst
> Waukesha County Technical College
> 
> 


Freeradius with Multiple Ldap Servers

2004-09-16 Thread Matthew Hunter
I have Freeradius configured with Ldap which works but I would like to
specify a secondary Ldap server in case the primary ldap goes down.  How
would I go about doing that?  Thanks

Matt Hunter
Network Analyst
Waukesha County Technical College

