Re: freeradius with multiple ldap servers
Hello Ivan and Alan

Thanks a lot for tolerating my pestering. It has worked. The problem was with the PAP module. The auto header detection was turned off. It works perfectly now.

Thanks
Sambuddho

On Mon, 2008-07-07 at 10:08 +0100, Ivan Kalik wrote:
> > Does that mean that I cannot authenticate against a LDAP server from a
> > freeradius server using cleartext passwords.
>
> But you are not using cleartext passwords. Passwords in ldap are
> encrypted.
>
> > So the freeradius client
> > needs to send the password in encrypted format. But other programs which
> > using LDAP server to authenticate (eg. the pam_ldap ) takes as input the
> > cleartext password. Is there a solution to this ?
>
> You need to add a header to the userPassword field. If you don't know
> what password header is and how to do that, ask on the ldap list.
>
> Ivan Kalik
> Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius with multiple ldap servers
Hello Ivan

The ldap database's passwords have the '{crypt}' header. What I meant by cleartext passwords is that I am typing in the password in clear text in the radtest program.

Thanks
Sambuddho

On Mon, 2008-07-07 at 10:08 +0100, Ivan Kalik wrote:
> > Does that mean that I cannot authenticate against a LDAP server from a
> > freeradius server using cleartext passwords.
>
> But you are not using cleartext passwords. Passwords in ldap are
> encrypted.
>
> > So the freeradius client
> > needs to send the password in encrypted format. But other programs which
> > using LDAP server to authenticate (eg. the pam_ldap ) takes as input the
> > cleartext password. Is there a solution to this ?
>
> You need to add a header to the userPassword field. If you don't know
> what password header is and how to do that, ask on the ldap list.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: freeradius with multiple ldap servers
> Does that mean that I cannot authenticate against a LDAP server from a
> freeradius server using cleartext passwords.

But you are not using cleartext passwords. Passwords in ldap are encrypted.

> So the freeradius client
> needs to send the password in encrypted format. But other programs which
> using LDAP server to authenticate (eg. the pam_ldap ) takes as input the
> cleartext password. Is there a solution to this ?

You need to add a header to the userPassword field. If you don't know what password header is and how to do that, ask on the ldap list.

Ivan Kalik
Kalik Informatika ISP
Re: freeradius with multiple ldap servers
Hi,

> I went through the documentation on the website and in the doc/
> directory in the source distribution. I read through the
> ldap_howto.txt. Is that the example you refer to ? (That's the only one I
> found with the source distribution). It had many components that I don't
> require. I scrolled down to find the freeradius configuration. But I am
> still not clear how to exactly tailor it for my needs. Is there an
> example / url I can use as reference ? Am I looking at the wrong
> place ?

first basic question. why did you add an authenticate and authorise section to radiusd.conf? that stuff is already in the sites-enabled/default file - which gets read and used on server startup. if you have to edit such entries, edit them in the right place. radiusd.conf now is a very basic file which sets up logging, imports other conf files and a few other mundane things.

what you COULD do, and what is 'reasonable' is to rename the sites-enabled/default file to something like sites-enabled/my-service and then edit it for your required service.

alan
Re: freeradius with multiple ldap servers
Hello Alan

I went through the documentation on the website and in the doc/ directory in the source distribution. I read through the ldap_howto.txt. Is that the example you refer to ? (That's the only one I found with the source distribution). It had many components that I don't require. I scrolled down to find the freeradius configuration. But I am still not clear how to exactly tailor it for my needs. Is there an example / url I can use as reference ? Am I looking at the wrong place ?

Thanks
Sambuddho

On Sun, 2008-07-06 at 19:15 +0200, Alan DeKok wrote:
> Sambuddho Chakravarty wrote:
> > My intent is not to pester you with my queries but the problem is still
> > what it was initially. I'll once again tell you the configuration that I
> > am using.
>
> The difficulty I'm having is being *able* to help you. At this point
> it's clear that the documentation isn't helping you, and neither are the
> answers on this list.
>
> > radiusd.conf---
> >
> > /* Most of the stuff is untouched. */
> >
> > /* Added authenticate{} and authorize{} section */
>
> Why? Have you even bothered trying to understand how the server
> works? Are you completely un-aware of the existing documentation and
> sample configuration files?
>
> You seem insistent on ignoring the examples, ignoring the
> documentation, and ignoring the responses on this list.
>
> > Please point me out what may have possibly gone wrong.
>
> We did. You were given clear directions on what to do. You failed to
> follow the directions.
>
> At this point, I have to say that there's no point in you continuing
> to post questions until you've managed to follow the instructions to
> your previous questions.
>
> Alan DeKok.
Re: freeradius with multiple ldap servers
Sambuddho Chakravarty wrote:
> My intent is not to pester you with my queries but the problem is still
> what it was initially. I'll once again tell you the configuration that I
> am using.

The difficulty I'm having is being *able* to help you. At this point it's clear that the documentation isn't helping you, and neither are the answers on this list.

> radiusd.conf---
>
> /* Most of the stuff is untouched. */
>
> /* Added authenticate{} and authorize{} section */

Why? Have you even bothered trying to understand how the server works? Are you completely un-aware of the existing documentation and sample configuration files?

You seem insistent on ignoring the examples, ignoring the documentation, and ignoring the responses on this list.

> Please point me out what may have possibly gone wrong.

We did. You were given clear directions on what to do. You failed to follow the directions.

At this point, I have to say that there's no point in you continuing to post questions until you've managed to follow the instructions to your previous questions.

Alan DeKok.
Re: freeradius with multiple ldap servers
Hello Alan and Ivan

My intent is not to pester you with my queries but the problem is still what it was initially. I'll once again tell you the configuration that I am using.

radiusd.conf---

/* Most of the stuff is untouched. */

/* Added authenticate{} and authorize{} section */

authenticate {
    ldap1
    ldap2
}

authorize {
    ldap1
    ldap2
}

-module/ldap--

ldap ldap1 {
    #
    # Note that this needs to match the name in the LDAP
    # server certificate, if you're using ldaps.
    server = ""
    identity = "."
    password = .
    basedn = "ou=People,dc=example,dc=com"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    ldap_connections_number = 5
    password_header="{crypt}"
    password_attribute=userPassword
    password_radius_attribute=Crypt-Password
    .
}

ldap ldap1 {
    #
    # Note that this needs to match the name in the LDAP
    # server certificate, if you're using ldaps.
    server = ""
    identity = "."
    password = .
    basedn = "ou=People,dc=example,dc=com"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    ldap_connections_number = 5
    password_header="{crypt}"
    password_attribute=userPassword
    password_radius_attribute=Crypt-Password
    .
}

'users' and 'client' file is unchanged.

I run the server with the following command line options.

    radiusd -X

To test I run the radtest tool with the following option.

    radtest catch "catchall" localhost 2 testing123

Here catch and catchall are user and password in the LDAP database created from a unix account on the host hosting the LDAP database. The migration from the regular unix /etc/passwd to the LDIF file was done using the migration tools.

The reply received was rad_recv: Access-Reject. The following was the debug output from the server.

rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=catch)
rlm_ldap: Added User-Password = $1$FYblmPWy$fmgebhCOLpHvhdECNP4EG0 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user catch authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap2] returns ok
!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> catch
attr_filter: Matched entry DEFAULT at line 11

Please point me out what may have possibly gone wrong.

Another observation :

1. When I try to test using the username 'try' stored in the other ldap database, it doesn't search in the other LDAP server but only searches in the one which doesn't have it and fails.

2. The problem in (1) doesn't occur when I comment out the 'password_attribute' line in the modules/ldap file. It then searches the appropriate LDAP database, however fails with the following output.

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials

Please advise.

Thanks
Sambuddho

On Sun, 2008-07-06 at 08:06 +0200, Alan DeKok wrote:
> Sambuddho Chakravarty wrote:
> > Does that mean that I cannot authenticate against a LDAP server from a
> > freeradius server using cleartext passwords.
>
> No. That is not what he said.
>
> > So the freeradius client
> > needs to send the password in encrypted format.
>
> No. That is not what he said.
>
> > But other programs which
> > using LDAP server to authenticate (eg. the pam_ldap ) takes as input the
> > cleartext password.
>
> We know. We've been doing this for years.
>
> > Is there a solution to this ?
>
> Do what Ivan said.
>
> > Maybe I am mistaken somewhere.
>
> Lots.
>
> > Please let me know.
>
> We're trying to help you. It's not working.
>
> Alan DeKok.
Re: freeradius with multiple ldap servers
Sambuddho Chakravarty wrote:
> Does that mean that I cannot authenticate against a LDAP server from a
> freeradius server using cleartext passwords.

No. That is not what he said.

> So the freeradius client
> needs to send the password in encrypted format.

No. That is not what he said.

> But other programs which
> using LDAP server to authenticate (eg. the pam_ldap ) takes as input the
> cleartext password.

We know. We've been doing this for years.

> Is there a solution to this ?

Do what Ivan said.

> Maybe I am mistaken somewhere.

Lots.

> Please let me know.

We're trying to help you. It's not working.

Alan DeKok.
Re: freeradius with multiple ldap servers
Interestingly the bind as the root DN works with password supplied in clear-text through the ldap {} module...

Thanks
Sambuddho

On Sat, 2008-07-05 at 18:03 -0400, Sambuddho Chakravarty wrote:
> Hello Ivan
> Does that mean that I cannot authenticate against a LDAP server from a
> freeradius server using cleartext passwords. So the freeradius client
> needs to send the password in encrypted format. But other programs which
> using LDAP server to authenticate (eg. the pam_ldap ) takes as input the
> cleartext password. Is there a solution to this ? Maybe I am mistaken
> somewhere . Please let me know.
> Thanks
> Sambuddho
> On Fri, 2008-07-04 at 09:56 +0100, Ivan Kalik wrote:
> > > Problem still persists. What do you mean by the {crypt} header.
> >
> > From RFC2256:
> >
> > 5.36. userPassword
> >
> > ( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch
> > SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
> >
> > > Passwords are stored using an Octet String syntax and are not
> > > encrypted.
> >
> > Since you are intent on violating RFC you need to add a password header
> > to indicate what type of encryption is used.
> >
> > > rlm_ldap: waiting for bind result ...
> > > rlm_ldap: Bind failed with invalid credentials
> > > ++[ldap1] returns reject
> > > auth: Failed to validate the user.
> >
> > Without the header userPassword is treated as clear text (not crypted
> > value) and that doesn't match.
> >
> > Ivan Kalik
> > Kalik Informatika ISP
Re: freeradius with multiple ldap servers
Hello Ivan

Does that mean that I cannot authenticate against a LDAP server from a freeradius server using cleartext passwords. So the freeradius client needs to send the password in encrypted format. But other programs which using LDAP server to authenticate (eg. the pam_ldap ) takes as input the cleartext password. Is there a solution to this ? Maybe I am mistaken somewhere . Please let me know.

Thanks
Sambuddho

On Fri, 2008-07-04 at 09:56 +0100, Ivan Kalik wrote:
> > Problem still persists. What do you mean by the {crypt} header.
>
> From RFC2256:
>
> 5.36. userPassword
>
> ( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
>
> > Passwords are stored using an Octet String syntax and are not
> > encrypted.
>
> Since you are intent on violating RFC you need to add a password header
> to indicate what type of encryption is used.
>
> > rlm_ldap: waiting for bind result ...
> > rlm_ldap: Bind failed with invalid credentials
> > ++[ldap1] returns reject
> > auth: Failed to validate the user.
>
> Without the header userPassword is treated as clear text (not crypted
> value) and that doesn't match.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: freeradius with multiple ldap servers
> Problem still persists. What do you mean by the {crypt} header.

From RFC2256:

5.36. userPassword

( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )

Passwords are stored using an Octet String syntax and are not encrypted.

Since you are intent on violating RFC you need to add a password header to indicate what type of encryption is used.

> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind failed with invalid credentials
> ++[ldap1] returns reject
> auth: Failed to validate the user.

Without the header userPassword is treated as clear text (not crypted value) and that doesn't match.

Ivan Kalik
Kalik Informatika ISP
Re: freeradius with multiple ldap servers
Hello Ivan

Problem still persists. What do you mean by the {crypt} header. These are simple /etc/passwd file converted into a ldif database using LDAP Migration Scripts from padl.com

This is what the logs look like (supplied clear text passwd - from radtest)

rlm_ldap: bind as uid=try,ou=People,dc=example,dc=com/trialanderror to 30.0.0.2:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
++[ldap1] returns reject
auth: Failed to validate the user.
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> try
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated

Thanks
Sambuddho

On Wed, 2008-07-02 at 23:45 +0100, Ivan Kalik wrote:
> http://wiki.freeradius.org/index.php/Rlm_ldap
>
> See use of password_header and password_attribute.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> Dana 2/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> piše:
>
> > Hello
> > I think I know what the problem is. The radius server is looking up
> > using cleartext password , while the LDAP data base stores the hashed
> > passwords. How can I force the radius server to search for the password
> > as a hashed value (rather than searching for the clear-text value) ?
> >
> > Thanks
> > Sambuddho
> > On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
> > > Hello Alan
> > > I made sure this time that rlm_ldap was compiled. Now the following is
> > > the configuration
> > >
> > > --/etc/raddb/modules/ldap---
> > >
> > > ldap ldap1 {
> > >     server = "a.b.c.d"
> > >     ...
> > > }
> > >
> > > ldap ldap2 {
> > >     server = "w.x.y.z"
> > >     ...
> > > }
> > >
> > > -/etc/raddb/radiusd.conf-
> > >
> > > authorize {
> > >     ldap1
> > >     ldap2
> > > }
> > >
> > > authenticate {
> > >     ldap1
> > >     ldap2
> > > }
> > >
> > > When I execute /sbin/radiusd -X
> > >
> > > It shows instantiating module ldap1 and module ldap2
> > >
> > > Module: Instantiating ldap2
> > > ldap ldap1 {
> > >     server = "a.b.c.d"
> > >     port = 389
> > >
> > > Module: Instantiating ldap2
> > > ldap ldap2 {
> > >     server = "w.x.y.z"
> > >     port = 389
> > >
> > > When sending a radtest request using the following command (from the
> > > same machine as one which is running the server)
> > >
> > > $ radtest user "secret" localhost 2 testing123
> > >
> > > I get ACCESS-REJECT reply from the server.
> > >
> > > On the server the logs show something like this
> > > ---
> > > It shows binding to both LDAP servers one by one through something like
> > > this :
> > >
> > > rlm_ldap: performing user authorization for catch
> > > WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
> > > expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
> > > expand: ou=People,dc=example,dc=example -> ou=People,dc=example,dc=example
> > > rlm_ldap: ldap_get_conn: Checking Id: 0
> > > rlm_ldap: ldap_get_conn: Got Id: 0
> > > rlm_ldap: attempting LDAP reconnection
> > > rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0
> > > rlm_ldap: bind as / to 30.0.0.2:389
> > > rlm_ldap: waiting for bind result ...
> > > rlm_ldap: Bind was successful
> > > rlm_ldap: performing search in ou=People,dc=example,dc=example, with filter (uid=catch)
> > > rlm_ldap: object not found or got ambiguous search result
> > > rlm_ldap: search failed
> > > rlm_ldap: ldap_release_conn: Release Id: 0
> > > ++[ldap1] returns notfound
> > > rlm_ldap: - authorize
> > > rlm_ldap: performing user authorization for catch
> > > WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
> > > expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
> > > expand: ou=People,dc=example,dc=example -> ou=People,dc=example,dc=example
> > > rlm_ldap: ldap_get_conn: Checking Id: 0
> > > rlm_ldap: ldap_get_conn: Got Id: 0
> > > rlm_ldap: attempting LDAP reconnection
> > > rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0
> > > rlm_ldap: bind as / to 10.0.0.1:389
> > > rlm_ldap: waiting for bind result ...
> > > rlm_ldap: Bind was successful
> > > rlm_ldap: performing search in ou=People,dc=example,dc=example, with filter (uid=catch)
> > > rlm_ldap: object not found or got ambiguous search result
> > > rlm_ldap: search failed
> > > rlm_ldap: ldap_release_conn: Release Id: 0
> > > ++[ldap2] returns notfound
> > >
> > > auth: No authenticate method (Auth-Type) configuration found for the
> > > request: Rejecting the user
> > > auth: Failed to validate the user.
> > >
> > > You can see it is attempting to search both databases but fails. If I
> > > use a simple telnet or ssh to authenticate against the LDAP server it
> > > logs in fi
Re: Freeradius-Users Digest, Vol 39, Issue 18 topic 5: freeradius with multiple ldap servers
.

> > Andy
> >
> > [EMAIL PROTECTED] wrote:
> > > Message: 5
> > > Date: Thu, 03 Jul 2008 12:50:25 -0400
> > > From: Sambuddho Chakravarty <[EMAIL PROTECTED]>
> > > Subject: Re: freeradius with multiple ldap servers
> > > To: FreeRadius users mailing list
> > > Message-ID: <[EMAIL PROTECTED]>
> > > Content-Type: text/plain; charset=utf-8
> > >
> > > Hello Ivan
> > > But I don't have a field in the database by that name . The name of the
> > > field is "userPassword" . This is what the openLDAP migration scripts
> > > generated. Please let me know what mistake I am doing . Also , my
> > > question on failover. Is the failover used when the first LDAP server is
> > > down / unresponsive to connection attempts or when it is not able to
> > > authenticate (example bad username / password) ?
> > >
> > > Thanks
> > > Sambuddho
> > > On Thu, 2008-07-03 at 10:24 +0100, Ivan Kalik wrote:
> > > > Password (radius) attribute should be Crypt-Password not User-Password.
> > > >
> > > > Ivan Kalik
> > > > Kalik Informatika ISP
> > > >
> > > >
> > > > Dana 3/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> piše:
> > > >
> > > > > Hello
> > > > >
> > > > > I set the password_header to = {crypt} and password_attribute to
> > > > > "userPassword" (That's the name of the field in the database). Now this
> > > > > is what the logs show,
> > > > >
> > > > > rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=try)
> > > > > rlm_ldap: Added User-Password = $1$n48a7wCp$RfvlOx1pZgiVNfmMmA2xS. in check items
> > > > > rlm_ldap: looking for check items in directory...
> > > > > rlm_ldap: looking for reply items in directory...
> > > > > rlm_ldap: user try authorized to use remote access
> > > > > rlm_ldap: ldap_release_conn: Release Id: 0
> > > > > +++[ldap1] returns ok
> > > > > ++- policy redundant returns ok
> > > > > !!!
> > > > > !!! Replacing User-Password in config items with Cleartext-Password. !!!
> > > > > !!!
> > > > > !!! Please update your configuration so that the "known good" !!!
> > > > > !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
> > > > > !!!
> > > > > auth: type Local
> > > > > auth: user supplied User-Password does NOT match local User-Password
> > > > > auth: Failed to validate the user.
> > > > > Found Post-Auth-Type Reject
Re: Freeradius-Users Digest, Vol 39, Issue 18 topic 5: freeradius with multiple ldap servers
Hi Andy

Thanks a lot. The problem is that I have a file named ldap inside /etc/raddb/modules directory and it has two ldap modules , ldap1 and ldap2.

ldap ldap1 {
    server =
    identity = (set the appropriate CN)
    password = password for the above CN
    basedn = "ou=People,dc=example,dc=com"
    ...
}

ldap ldap1 {
    server =
    identity = (set the appropriate CN)
    password = password for the above CN
    basedn = "ou=People,dc=example,dc=com"
    ...
}

The first server has a user named 'try' and the second one has one named 'catch'. When I try to perform authentication using radtest tool with the username and password (say for try ) , it searches it in the LDAP server which doesn't have it and doesn't search the one which actually has the username. When I try with username 'catch' , it finds the username and the password but then it goes into auth: type Local and fails.

WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
expand: ou=People,dc=example,dc=com -> ou=People,dc=example,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=catch)
rlm_ldap: Added User-Password = $1$FYblmPWy$fmgebhCOLpHvhdECNP4EG0 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user catch authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap2] returns ok
!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> catch
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 48 to 127.0.0.1 port 1025
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 48 with timestamp +39
Ready to process requests.

I know it's trivial but I am now struggling with this for a long time. (Freeradius version : 2.05)

Thanks
Sambuddho

On Thu, 2008-07-03 at 12:35 -0700, Andy An wrote:
> Hi Sambuddho:
>
> I met similar problem a few weeks ago.
> You need to set the ldap identity/password for your freeRadius server at
> modules/ldap:
> e.g. mine is like:
>
> server = "ldap.xxx.ca"
> identity = "cn=radius,ou=Applications,dc=xxx,dc=ca"
> password = "password"
> basedn = "ou=People,dc=xxx,dc=ca"
>
> The default setting is "read-only" anonymous search(i.e. without
> identity/password setting) and it will fail because ldap server does not
> allow anonymous search for other user's password.
> Hope this is helpful.
>
> Andy
>
>
> [EMAIL PROTECTED] wrote:
Re: freeradius with multiple ldap servers
> But I don't have a field in the database by that name .

No, you don't. I am talking about ldap section of radiusd.conf. You need to set the appropriate radius password attribute.

http://wiki.freeradius.org/index.php/Rlm_ldap

> Also , my
> question on failover. Is the failover used when the first LDAP server is
> down / unresponsive to connection attempts or when it is not able to
> authenticate (example bad username / password) ?

No response or no user in that ldap database. If the user is present but password is wrong user will be rejected.

Ivan Kalik
Kalik Informatika ISP
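Added example, not code from this thread or from FreeRADIUS: a small Python model of the two ways the thread resolves Ivan's point that a headerless userPassword is compared as clear text, namely rlm_ldap stripping the {crypt} header into a Crypt-Password check item, versus rlm_pap's auto_header classifying the raw value itself (the fix Sambuddho finally reports), with an MD5-crypt verifier so that $1$ values like the ones in the debug output can actually be checked. The function names, the header-to-attribute map and the salt in STORED are assumptions of this example; only the attribute names Crypt-Password, Cleartext-Password and User-Password and the config keys password_header and password_radius_attribute come from the thread.

```python
import hashlib
import hmac
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(v: int, n: int) -> str:
    """crypt(3)-style base64 of the low 6*n bits of v, least significant first."""
    out = ""
    for _ in range(n):
        out += ITOA64[v & 0x3F]
        v >>= 6
    return out


def md5crypt(password: str, salt: str) -> str:
    """MD5-crypt ($1$salt$hash), the scheme behind the $1$... values in the
    thread's debug output. The salt is at most 8 characters."""
    pw = password.encode()
    salt = salt.split("$")[0][:8]
    sb = salt.encode()
    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    pl = len(pw)
    while pl > 0:                      # mix in len(pw) bytes of alt
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                           # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):              # fixed 1000-round stretching
        c1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c1.update(sb)
        if i % 7:
            c1.update(pw)
        c1.update(final if i & 1 else pw)
        final = c1.digest()
    f = final
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = "".join(_to64((f[a] << 16) | (f[b] << 8) | f[c], 4) for a, b, c in groups)
    return "$1$" + salt + "$" + enc + _to64(f[11], 2)


def crypt_verify(password: str, stored: str) -> bool:
    """Check a supplied password against a $1$ crypt string (only the MD5
    flavour of crypt(3) is modelled here)."""
    m = re.fullmatch(r"\$1\$([^$]{1,8})\$[./0-9A-Za-z]{22}", stored)
    if not m:
        return False
    return hmac.compare_digest(md5crypt(password, m.group(1)), stored)


# Password header -> RADIUS "known good" attribute, the kind of mapping
# rlm_pap's auto_header applies (subset, modelled here).
HEADER_ATTR = {"{crypt}": "Crypt-Password", "{clear}": "Cleartext-Password"}


def rlm_ldap_check_item(user_password: str, password_header: str,
                        password_radius_attribute: str):
    """Model of rlm_ldap: strip the configured password_header if the
    userPassword value carries it, then add the rest as the configured
    password_radius_attribute check item."""
    value = user_password
    if password_header and value.lower().startswith(password_header.lower()):
        value = value[len(password_header):]
    return password_radius_attribute, value


def rlm_pap(check_attr: str, check_value: str, supplied: str, auto_header: bool) -> bool:
    """Model of rlm_pap: compare the PAP password against the check item."""
    if check_attr == "User-Password":
        # the "!!! Replacing User-Password ... with Cleartext-Password" warning
        check_attr = "Cleartext-Password"
    if check_attr == "Cleartext-Password" and auto_header:
        m = re.match(r"\{[^}]+\}", check_value)
        if m and m.group(0).lower() in HEADER_ATTR:
            check_attr = HEADER_ATTR[m.group(0).lower()]
            check_value = check_value[m.end():]
    if check_attr == "Cleartext-Password":
        return hmac.compare_digest(check_value.encode(), supplied.encode())
    if check_attr == "Crypt-Password":
        return crypt_verify(supplied, check_value)
    return False  # no usable known-good password: Access-Reject


def authenticate(user_password: str, supplied: str, password_header: str,
                 password_radius_attribute: str, auto_header: bool) -> bool:
    """One request end to end: rlm_ldap builds the check item, rlm_pap compares."""
    attr, value = rlm_ldap_check_item(user_password, password_header,
                                      password_radius_attribute)
    return rlm_pap(attr, value, supplied, auto_header)


# Constructed userPassword value for user "catch" / password "catchall"
# (the thread's radtest credentials; the salt is made up, not the page's).
STORED = "{crypt}" + md5crypt("catchall", "Ex4mpl3S")
```

Running the thread's failing configuration through `authenticate(STORED, "catchall", "{crypt}", "User-Password", False)` reproduces the reject, because the bare `$1$...` string ends up compared as clear text; switching the attribute to Crypt-Password, or leaving the header in place with auto_header on, both accept.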
Re: Freeradius-Users Digest, Vol 39, Issue 18 topic 5: freeradius with multiple ldap servers
Hi Sambuddho:

I met similar problem a few weeks ago.
You need to set the ldap identity/password for your freeRadius server at modules/ldap:
e.g. mine is like:

server = "ldap.xxx.ca"
identity = "cn=radius,ou=Applications,dc=xxx,dc=ca"
password = "password"
basedn = "ou=People,dc=xxx,dc=ca"

The default setting is "read-only" anonymous search(i.e. without identity/password setting) and it will fail because ldap server does not allow anonymous search for other user's password.
Hope this is helpful.

Andy

[EMAIL PROTECTED] wrote:
> Message: 5
> Date: Thu, 03 Jul 2008 12:50:25 -0400
> From: Sambuddho Chakravarty <[EMAIL PROTECTED]>
> Subject: Re: freeradius with multiple ldap servers
> To: FreeRadius users mailing list
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=utf-8
>
> Hello Ivan
> But I don't have a field in the database by that name . The name of the
> field is "userPassword" . This is what the openLDAP migration scripts
> generated. Please let me know what mistake I am doing . Also , my
> question on failover. Is the failover used when the first LDAP server is
> down / unresponsive to connection attempts or when it is not able to
> authenticate (example bad username / password) ?
>
> Thanks
> Sambuddho
> On Thu, 2008-07-03 at 10:24 +0100, Ivan Kalik wrote:
> > Password (radius) attribute should be Crypt-Password not User-Password.
> >
> > Ivan Kalik
> > Kalik Informatika ISP
> >
> >
> > Dana 3/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> piše:
> >
> > > Hello
> > >
> > > I set the password_header to = {crypt} and password_attribute to
> > > "userPassword" (That's the name of the field in the database). Now this
> > > is what the logs show,
> > >
> > > rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=try)
> > > rlm_ldap: Added User-Password = $1$n48a7wCp$RfvlOx1pZgiVNfmMmA2xS. in check items
> > > rlm_ldap: looking for check items in directory...
> > > rlm_ldap: looking for reply items in directory...
> > > rlm_ldap: user try authorized to use remote access
> > > rlm_ldap: ldap_release_conn: Release Id: 0
> > > +++[ldap1] returns ok
> > > ++- policy redundant returns ok
> > > !!!
> > > !!! Replacing User-Password in config items with Cleartext-Password. !!!
> > > !!!
> > > !!! Please update your configuration so that the "known good" !!!
> > > !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
> > > !!!
> > > auth: type Local
> > > auth: user supplied User-Password does NOT match local User-Password
> > > auth: Failed to validate the user.
> > > Found Post-Auth-Type Reject
> > > +- entering group REJECT
> > > expand: %{User-Name} -> try
> > > attr_filter: Matched entry DEFAULT at line 11
> > >
> > > My guess is authorize{} worked but not authenticate {}. Also , I see
> > > both modules ldap1 and ldap2 being loaded but whenever I try to
> > > authenticate with the username/password that is found in ldap2 , the
> > > radius server never attempts to connect to the other LDAP server.
> > > Instead it search for the entries in the "ldap1"'s server only.
> > >
> > > Any suggestions ?
> > >
> > > Thanks
> > > Sambuddho
> > > On Wed, 2008-07-02 at 23:45 +0100, Ivan Kalik wrote:
> > > > http://wiki.freeradius.org/index.php/Rlm_ldap
> > > >
> > > > See use of password_header and password_attribute.
> > > >
> > > > Ivan Kalik
> > > > Kalik Informatika ISP
> > > >
> > > >
> > > > Dana 2/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> piše:
> > > >
> > > > > Hello
> > > > > I think I know what the problem is. The radius server is looking up
> > > > > using cleartext password , while the LDAP data base stores the hashed
> > > > > passwords. How can I force the radius server to search for the password
> > > > > as a hashed value (rather than searching for the clear-text value) ?
> > > > >
> > > > > Tha
Re: freeradius with multiple ldap servers
Hello Ivan
But I don't have a field in the database by that name. The name of the field is "userPassword". This is what the openLDAP migration scripts generated. Please let me know what mistake I am making.

Also, my question on failover. Is the failover used when the first LDAP server is down / unresponsive to connection attempts, or when it is not able to authenticate (example: bad username / password)?

Thanks
Sambuddho

On Thu, 2008-07-03 at 10:24 +0100, Ivan Kalik wrote:
> Password (radius) attribute should be Crypt-Password not User-Password.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> Dana 3/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> piše:
>
> >Hello
> >
> >I set the password_header to = {crypt} and password_attribute to
> >"userPassword" (That's the name of the field in the database). Now this
> >is what the logs show,
> >
> >rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter
> >(uid=try)
> >rlm_ldap: Added User-Password = $1$n48a7wCp$RfvlOx1pZgiVNfmMmA2xS. in
> >check items
> >rlm_ldap: looking for check items in directory...
> >rlm_ldap: looking for reply items in directory...
> >rlm_ldap: user try authorized to use remote access
> >rlm_ldap: ldap_release_conn: Release Id: 0
> >+++[ldap1] returns ok
> >++- policy redundant returns ok
> >!!!
> >!!! Replacing User-Password in config items with Cleartext-Password. !!!
> >!!!
> >!!! Please update your configuration so that the "known good" !!!
> >!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
> >!!!
> >auth: type Local
> >auth: user supplied User-Password does NOT match local User-Password
> >auth: Failed to validate the user.
> > Found Post-Auth-Type Reject
> >+- entering group REJECT
> >expand: %{User-Name} -> try
> > attr_filter: Matched entry DEFAULT at line 11
> >
> >My guess is authorize{} worked but not authenticate{}. Also, I see
> >both modules ldap1 and ldap2 being loaded but whenever I try to
> >authenticate with the username/password that is found in ldap2, the
> >radius server never attempts to connect to the other LDAP server.
> >Instead it searches for the entries in "ldap1"'s server only.
> >
> >Any suggestions?
> >
> >Thanks
> >Sambuddho
> >
> >On Wed, 2008-07-02 at 23:45 +0100, Ivan Kalik wrote:
> >> http://wiki.freeradius.org/index.php/Rlm_ldap
> >>
> >> See use of password_header and password_attribute.
> >>
> >> Ivan Kalik
> >> Kalik Informatika ISP
> >>
> >> Dana 2/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> piše:
> >>
> >> >Hello
> >> > I think I know what the problem is. The radius server is looking up
> >> >using the cleartext password, while the LDAP database stores the hashed
> >> >passwords. How can I force the radius server to search for the password
> >> >as a hashed value (rather than searching for the clear-text value)?
> >> >
> >> >Thanks
> >> >Sambuddho
> >> >On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
> >> >> Hello Alan
> >> >> I made sure this time that rlm_ldap was compiled. Now the following is
> >> >> the configuration
> >> >>
> >> >> --/etc/raddb/modules/ldap---
> >> >>
> >> >> ldap ldap1 {
> >> >>   server = "a.b.c.d"
> >> >>   ...
> >> >> }
> >> >>
> >> >> ldap ldap2 {
> >> >>   server = "w.x.y.z"
> >> >>   ...
> >> >> }
> >> >>
> >> >> -/etc/raddb/radiusd.conf-
> >> >>
> >> >> authorize {
> >> >>   ldap1
> >> >>   ldap2
> >> >> }
> >> >>
> >> >> authenticate {
> >> >>   ldap1
> >> >>   ldap2
> >> >> }
> >> >>
> >> >> When I execute /sbin/radiusd -X
> >> >>
> >> >> It shows instantiating module ldap1 and module ldap2
> >> >>
> >> >> Module: Instantiating ldap2
> >> >>  ldap ldap1 {
> >> >>   server = "a.b.c.d"
> >> >>   port = 389
> >> >>
> >> >> Module: Instantiating ldap2
> >> >>  ldap ldap2 {
> >> >>   server = "w.x.y.z"
> >> >>   port = 389
> >> >>
> >> >> When sending a radtest request using the following command (from the
> >> >> same machine as one which is running the server)
> >> >>
> >> >> $ radtest user "secret" localhost 2 testing123
> >> >>
> >> >> I get ACCESS-REJECT reply from the server.
> >> >>
> >> >> On the server the logs show something like this
> >> >> ---
> >> >> It shows binding to both LDAP servers one by one through something like
> >> >> this:
> >> >>
> >> >> rlm_ldap: performing user authorization for catch
> >> >> WARNING: Deprecated conditional expansion ":-". See "man unlang" for
> >> >> details
Re: freeradius with multiple ldap servers
Password (radius) attribute should be Crypt-Password not User-Password.

Ivan Kalik
Kalik Informatika ISP

Dana 3/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> piše:

>Hello
>
>I set the password_header to = {crypt} and password_attribute to
>"userPassword" (That's the name of the field in the database). Now this
>is what the logs show,
>
>rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter
>(uid=try)
>rlm_ldap: Added User-Password = $1$n48a7wCp$RfvlOx1pZgiVNfmMmA2xS. in
>check items
>rlm_ldap: looking for check items in directory...
>rlm_ldap: looking for reply items in directory...
>rlm_ldap: user try authorized to use remote access
>rlm_ldap: ldap_release_conn: Release Id: 0
>+++[ldap1] returns ok
>++- policy redundant returns ok
>!!!
>!!! Replacing User-Password in config items with Cleartext-Password. !!!
>!!!
>!!! Please update your configuration so that the "known good" !!!
>!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
>!!!
>auth: type Local
>auth: user supplied User-Password does NOT match local User-Password
>auth: Failed to validate the user.
> Found Post-Auth-Type Reject
>+- entering group REJECT
>expand: %{User-Name} -> try
> attr_filter: Matched entry DEFAULT at line 11
>
>My guess is authorize{} worked but not authenticate{}. Also, I see
>both modules ldap1 and ldap2 being loaded but whenever I try to
>authenticate with the username/password that is found in ldap2, the
>radius server never attempts to connect to the other LDAP server.
>Instead it searches for the entries in "ldap1"'s server only.
>
>Any suggestions?
>
>Thanks
>Sambuddho
>
>On Wed, 2008-07-02 at 23:45 +0100, Ivan Kalik wrote:
>> http://wiki.freeradius.org/index.php/Rlm_ldap
>>
>> See use of password_header and password_attribute.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> Dana 2/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> piše:
>>
>> >Hello
>> > I think I know what the problem is. The radius server is looking up
>> >using the cleartext password, while the LDAP database stores the hashed
>> >passwords. How can I force the radius server to search for the password
>> >as a hashed value (rather than searching for the clear-text value)?
>> >
>> >Thanks
>> >Sambuddho
>> >On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
>> >> Hello Alan
>> >> I made sure this time that rlm_ldap was compiled. Now the following is
>> >> the configuration
>> >>
>> >> --/etc/raddb/modules/ldap---
>> >>
>> >> ldap ldap1 {
>> >>   server = "a.b.c.d"
>> >>   ...
>> >> }
>> >>
>> >> ldap ldap2 {
>> >>   server = "w.x.y.z"
>> >>   ...
>> >> }
>> >>
>> >> -/etc/raddb/radiusd.conf-
>> >>
>> >> authorize {
>> >>   ldap1
>> >>   ldap2
>> >> }
>> >>
>> >> authenticate {
>> >>   ldap1
>> >>   ldap2
>> >> }
>> >>
>> >> When I execute /sbin/radiusd -X
>> >>
>> >> It shows instantiating module ldap1 and module ldap2
>> >>
>> >> Module: Instantiating ldap2
>> >>  ldap ldap1 {
>> >>   server = "a.b.c.d"
>> >>   port = 389
>> >>
>> >> Module: Instantiating ldap2
>> >>  ldap ldap2 {
>> >>   server = "w.x.y.z"
>> >>   port = 389
>> >>
>> >> When sending a radtest request using the following command (from the
>> >> same machine as one which is running the server)
>> >>
>> >> $ radtest user "secret" localhost 2 testing123
>> >>
>> >> I get ACCESS-REJECT reply from the server.
>> >>
>> >> On the server the logs show something like this
>> >> ---
>> >> It shows binding to both LDAP servers one by one through something like
>> >> this:
>> >>
>> >> rlm_ldap: performing user authorization for catch
>> >> WARNING: Deprecated conditional expansion ":-". See "man unlang" for
>> >> details
>> >> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
>> >> expand: ou=People,dc=example,dc=example ->
>> >> ou=People,dc=example,dc=example
>> >> rlm_ldap: ldap_get_conn: Checking Id: 0
>> >> rlm_ldap: ldap_get_conn: Got Id: 0
>> >> rlm_ldap: attempting LDAP reconnection
>> >> rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0
>> >> rlm_ldap: bind as / to 30.0.0.2:389
>> >> rlm_ldap: waiting for bind result ...
>> >> rlm_ldap: Bind was successful
>> >> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
>> >> filter (uid=catch)
>> >> rlm_ldap: object not found or got ambiguous search result
>> >> rlm_ldap: search failed
>> >> rlm_ldap: ldap_release_conn: Release Id: 0
>> >> ++[ldap1] returns notfound
>> >> rlm_ldap: - authorize
>> >> rlm_ldap
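Ivan's point is that the value rlm_ldap pulled out of userPassword is a crypt(3) hash, so it must reach the server as Crypt-Password rather than be compared byte-for-byte as a cleartext User-Password, which is exactly what the "does NOT match local User-Password" line in the debug output shows. The Python below is an added example, not code from the thread or from FreeRADIUS: it parses the {scheme} header the way password_header auto-detection does, maps it to the FreeRADIUS check attribute, and verifies a cleartext password against {crypt} ($1$ MD5-crypt, reimplemented here because Python's crypt module was removed in 3.13), {SHA} and {SSHA} values. The attribute mapping and the sample values are constructed for the example; only the salt "n48a7wCp" comes from the thread.

```python
"""Added example: check a cleartext password against an OpenLDAP userPassword
value carrying a {scheme} header, as rlm_pap does once the header is known."""
import base64
import hashlib
import hmac

# Scheme header -> FreeRADIUS "known good" password attribute (assumed mapping,
# limited to the schemes this example implements).
HEADER_TO_ATTRIBUTE = {
    "clear": "Cleartext-Password",
    "crypt": "Crypt-Password",
    "sha": "SHA-Password",
    "ssha": "SSHA-Password",
}

_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """crypt(3)-style base64: `count` 6-bit digits, least significant first."""
    out = bytearray()
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: bytes, salt: bytes) -> str:
    """Pure-Python crypt(3) $1$ scheme (the scheme of $1$n48a7wCp$... in the
    thread). Salt is at most 8 bytes; returns the full "$1$salt$hash" string."""
    magic = b"$1$"
    salt = salt[:8]
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:  # as many bytes of alt as the password is long
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(password)
    while bits:  # one byte per bit of the length: NUL for 1, password[0] for 0
        ctx.update(b"\0" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):  # the deliberate slow-down rounds
        rnd = hashlib.md5(password if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(password)
        rnd.update(final if i & 1 else password)
        final = rnd.digest()
    encoded = b""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return (magic + salt + b"$" + encoded).decode("ascii")


def make_ssha(password: bytes, salt: bytes) -> str:
    """Build an OpenLDAP {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_header(stored: str) -> tuple[str, str]:
    """Return (scheme, value). Without a header the value is taken as
    cleartext, which is how the hash ended up in User-Password in the thread."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].lower(), stored[end + 1:]
    return "clear", stored


def radius_check_attribute(stored: str) -> str:
    """Check item that header auto-detection would populate from this value."""
    scheme, _ = split_header(stored)
    return HEADER_TO_ATTRIBUTE[scheme]


def verify_userpassword(stored: str, supplied: str) -> bool:
    """Verify `supplied` against a userPassword value (constant-time compares)."""
    scheme, value = split_header(stored)
    pw = supplied.encode("utf-8")
    if scheme == "clear":
        return hmac.compare_digest(value.encode("utf-8"), pw)
    if scheme == "crypt":
        if not value.startswith("$1$"):
            raise ValueError("only the $1$ crypt scheme is implemented here")
        salt = value.split("$")[2].encode("ascii")
        return hmac.compare_digest(md5crypt(pw, salt).encode("ascii"), value.encode("ascii"))
    if scheme == "sha":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), base64.b64decode(value))
    if scheme == "ssha":
        raw = base64.b64decode(value)
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    raise ValueError(f"unsupported password header {{{scheme}}}")


if __name__ == "__main__":
    # Constructed sample: the thread's salt with our own password "secret".
    stored = "{crypt}" + md5crypt(b"secret", b"n48a7wCp")
    print(stored, "->", radius_check_attribute(stored))
    print(verify_userpassword(stored, "secret"), verify_userpassword(stored, "wrong"))
    # With the header stripped and detection off, the hash is compared as
    # cleartext and the check fails, as in the debug output above.
    print(verify_userpassword(stored[len("{crypt}"):], "secret"))
```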
Re: freeradius with multiple ldap servers
Hello,
Maybe I didn't ask the correct question previously. Is it that failover works only when the first LDAP server is not reachable? In my case both servers are reachable. I want to configure a case where, if the login fails in one of the servers, the other one is tried.

Thanks
Sambuddho

On Wed, 2008-07-02 at 23:45 +0100, Ivan Kalik wrote:
> http://wiki.freeradius.org/index.php/Rlm_ldap
>
> See use of password_header and password_attribute.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> Dana 2/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> piše:
>
> >Hello
> > I think I know what the problem is. The radius server is looking up
> >using the cleartext password, while the LDAP database stores the hashed
> >passwords. How can I force the radius server to search for the password
> >as a hashed value (rather than searching for the clear-text value)?
> >
> >Thanks
> >Sambuddho
> >On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
> >> Hello Alan
> >> I made sure this time that rlm_ldap was compiled. Now the following is
> >> the configuration
> >>
> >> --/etc/raddb/modules/ldap---
> >>
> >> ldap ldap1 {
> >>   server = "a.b.c.d"
> >>   ...
> >> }
> >>
> >> ldap ldap2 {
> >>   server = "w.x.y.z"
> >>   ...
> >> }
> >>
> >> -/etc/raddb/radiusd.conf-
> >>
> >> authorize {
> >>   ldap1
> >>   ldap2
> >> }
> >>
> >> authenticate {
> >>   ldap1
> >>   ldap2
> >> }
> >>
> >> When I execute /sbin/radiusd -X
> >>
> >> It shows instantiating module ldap1 and module ldap2
> >>
> >> Module: Instantiating ldap2
> >>  ldap ldap1 {
> >>   server = "a.b.c.d"
> >>   port = 389
> >>
> >> Module: Instantiating ldap2
> >>  ldap ldap2 {
> >>   server = "w.x.y.z"
> >>   port = 389
> >>
> >> When sending a radtest request using the following command (from the
> >> same machine as one which is running the server)
> >>
> >> $ radtest user "secret" localhost 2 testing123
> >>
> >> I get ACCESS-REJECT reply from the server.
> >>
> >> On the server the logs show something like this
> >> ---
> >> It shows binding to both LDAP servers one by one through something like
> >> this:
> >>
> >> rlm_ldap: performing user authorization for catch
> >> WARNING: Deprecated conditional expansion ":-". See "man unlang" for
> >> details
> >> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
> >> expand: ou=People,dc=example,dc=example ->
> >> ou=People,dc=example,dc=example
> >> rlm_ldap: ldap_get_conn: Checking Id: 0
> >> rlm_ldap: ldap_get_conn: Got Id: 0
> >> rlm_ldap: attempting LDAP reconnection
> >> rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0
> >> rlm_ldap: bind as / to 30.0.0.2:389
> >> rlm_ldap: waiting for bind result ...
> >> rlm_ldap: Bind was successful
> >> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
> >> filter (uid=catch)
> >> rlm_ldap: object not found or got ambiguous search result
> >> rlm_ldap: search failed
> >> rlm_ldap: ldap_release_conn: Release Id: 0
> >> ++[ldap1] returns notfound
> >> rlm_ldap: - authorize
> >> rlm_ldap: performing user authorization for catch
> >> WARNING: Deprecated conditional expansion ":-". See "man unlang" for
> >> details
> >> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
> >> expand: ou=People,dc=example,dc=example ->
> >> ou=People,dc=example,dc=example
> >> rlm_ldap: ldap_get_conn: Checking Id: 0
> >> rlm_ldap: ldap_get_conn: Got Id: 0
> >> rlm_ldap: attempting LDAP reconnection
> >> rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0
> >> rlm_ldap: bind as / to 10.0.0.1:389
> >> rlm_ldap: waiting for bind result ...
> >> rlm_ldap: Bind was successful
> >> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
> >> filter (uid=catch)
> >> rlm_ldap: object not found or got ambiguous search result
> >> rlm_ldap: search failed
> >> rlm_ldap: ldap_release_conn: Release Id: 0
> >> ++[ldap2] returns notfound
> >>
> >> auth: No authenticate method (Auth-Type) configuration found for the
> >> request: Rejecting the user
> >> auth: Failed to validate the user.
> >>
> >> You can see it is attempting to search both databases but fails. If I
> >> use a simple telnet or ssh to authenticate against the LDAP server it
> >> logs in fine. LDAP client login against the LDAP server is otherwise
> >> working fine. I know I have been bothering you with trivial questions. But
> >> any help would be appreciated :-)
> >>
> >> Thanks in advance.
> >> Sambuddho
> >>
> >> On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote:
> >> > Sambuddho Chakravarty wrote:
> >> > > This is exactly what I did. I forgot to put the separate module names
> >> >
> >> > The consistent problems you see make me think that the issue is more
> >> > than "forgot".
Re: freeradius with multiple ldap servers
Hello
I set the password_header to = {crypt} and password_attribute to "userPassword" (That's the name of the field in the database). Now this is what the logs show,

rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=try)
rlm_ldap: Added User-Password = $1$n48a7wCp$RfvlOx1pZgiVNfmMmA2xS. in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user try authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap1] returns ok
++- policy redundant returns ok
!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
 Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> try
 attr_filter: Matched entry DEFAULT at line 11

My guess is authorize{} worked but not authenticate{}. Also, I see both modules ldap1 and ldap2 being loaded but whenever I try to authenticate with the username/password that is found in ldap2, the radius server never attempts to connect to the other LDAP server. Instead it searches for the entries in "ldap1"'s server only.

Any suggestions?

Thanks
Sambuddho

On Wed, 2008-07-02 at 23:45 +0100, Ivan Kalik wrote:
> http://wiki.freeradius.org/index.php/Rlm_ldap
>
> See use of password_header and password_attribute.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> Dana 2/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> piše:
>
> >Hello
> > I think I know what the problem is. The radius server is looking up
> >using the cleartext password, while the LDAP database stores the hashed
> >passwords. How can I force the radius server to search for the password
> >as a hashed value (rather than searching for the clear-text value)?
> >
> >Thanks
> >Sambuddho
> >On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
> >> Hello Alan
> >> I made sure this time that rlm_ldap was compiled. Now the following is
> >> the configuration
> >>
> >> --/etc/raddb/modules/ldap---
> >>
> >> ldap ldap1 {
> >>   server = "a.b.c.d"
> >>   ...
> >> }
> >>
> >> ldap ldap2 {
> >>   server = "w.x.y.z"
> >>   ...
> >> }
> >>
> >> -/etc/raddb/radiusd.conf-
> >>
> >> authorize {
> >>   ldap1
> >>   ldap2
> >> }
> >>
> >> authenticate {
> >>   ldap1
> >>   ldap2
> >> }
> >>
> >> When I execute /sbin/radiusd -X
> >>
> >> It shows instantiating module ldap1 and module ldap2
> >>
> >> Module: Instantiating ldap2
> >>  ldap ldap1 {
> >>   server = "a.b.c.d"
> >>   port = 389
> >>
> >> Module: Instantiating ldap2
> >>  ldap ldap2 {
> >>   server = "w.x.y.z"
> >>   port = 389
> >>
> >> When sending a radtest request using the following command (from the
> >> same machine as one which is running the server)
> >>
> >> $ radtest user "secret" localhost 2 testing123
> >>
> >> I get ACCESS-REJECT reply from the server.
> >>
> >> On the server the logs show something like this
> >> ---
> >> It shows binding to both LDAP servers one by one through something like
> >> this:
> >>
> >> rlm_ldap: performing user authorization for catch
> >> WARNING: Deprecated conditional expansion ":-". See "man unlang" for
> >> details
> >> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
> >> expand: ou=People,dc=example,dc=example ->
> >> ou=People,dc=example,dc=example
> >> rlm_ldap: ldap_get_conn: Checking Id: 0
> >> rlm_ldap: ldap_get_conn: Got Id: 0
> >> rlm_ldap: attempting LDAP reconnection
> >> rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0
> >> rlm_ldap: bind as / to 30.0.0.2:389
> >> rlm_ldap: waiting for bind result ...
> >> rlm_ldap: Bind was successful
> >> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
> >> filter (uid=catch)
> >> rlm_ldap: object not found or got ambiguous search result
> >> rlm_ldap: search failed
> >> rlm_ldap: ldap_release_conn: Release Id: 0
> >> ++[ldap1] returns notfound
> >> rlm_ldap: - authorize
> >> rlm_ldap: performing user authorization for catch
> >> WARNING: Deprecated conditional expansion ":-". See "man unlang" for
> >> details
> >> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
> >> expand: ou=People,dc=example,dc=example ->
> >> ou=People,dc=example,dc=example
> >> rlm_ldap: ld
Re: freeradius with multiple ldap servers
http://wiki.freeradius.org/index.php/Rlm_ldap

See use of password_header and password_attribute.

Ivan Kalik
Kalik Informatika ISP

Dana 2/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> piše:

>Hello
> I think I know what the problem is. The radius server is looking up
>using the cleartext password, while the LDAP database stores the hashed
>passwords. How can I force the radius server to search for the password
>as a hashed value (rather than searching for the clear-text value)?
>
>Thanks
>Sambuddho
>On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
>> Hello Alan
>> I made sure this time that rlm_ldap was compiled. Now the following is
>> the configuration
>>
>> --/etc/raddb/modules/ldap---
>>
>> ldap ldap1 {
>>   server = "a.b.c.d"
>>   ...
>> }
>>
>> ldap ldap2 {
>>   server = "w.x.y.z"
>>   ...
>> }
>>
>> -/etc/raddb/radiusd.conf-
>>
>> authorize {
>>   ldap1
>>   ldap2
>> }
>>
>> authenticate {
>>   ldap1
>>   ldap2
>> }
>>
>> When I execute /sbin/radiusd -X
>>
>> It shows instantiating module ldap1 and module ldap2
>>
>> Module: Instantiating ldap2
>>  ldap ldap1 {
>>   server = "a.b.c.d"
>>   port = 389
>>
>> Module: Instantiating ldap2
>>  ldap ldap2 {
>>   server = "w.x.y.z"
>>   port = 389
>>
>> When sending a radtest request using the following command (from the
>> same machine as one which is running the server)
>>
>> $ radtest user "secret" localhost 2 testing123
>>
>> I get ACCESS-REJECT reply from the server.
>>
>> On the server the logs show something like this
>> ---
>> It shows binding to both LDAP servers one by one through something like
>> this:
>>
>> rlm_ldap: performing user authorization for catch
>> WARNING: Deprecated conditional expansion ":-". See "man unlang" for
>> details
>> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
>> expand: ou=People,dc=example,dc=example ->
>> ou=People,dc=example,dc=example
>> rlm_ldap: ldap_get_conn: Checking Id: 0
>> rlm_ldap: ldap_get_conn: Got Id: 0
>> rlm_ldap: attempting LDAP reconnection
>> rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0
>> rlm_ldap: bind as / to 30.0.0.2:389
>> rlm_ldap: waiting for bind result ...
>> rlm_ldap: Bind was successful
>> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
>> filter (uid=catch)
>> rlm_ldap: object not found or got ambiguous search result
>> rlm_ldap: search failed
>> rlm_ldap: ldap_release_conn: Release Id: 0
>> ++[ldap1] returns notfound
>> rlm_ldap: - authorize
>> rlm_ldap: performing user authorization for catch
>> WARNING: Deprecated conditional expansion ":-". See "man unlang" for
>> details
>> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
>> expand: ou=People,dc=example,dc=example ->
>> ou=People,dc=example,dc=example
>> rlm_ldap: ldap_get_conn: Checking Id: 0
>> rlm_ldap: ldap_get_conn: Got Id: 0
>> rlm_ldap: attempting LDAP reconnection
>> rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0
>> rlm_ldap: bind as / to 10.0.0.1:389
>> rlm_ldap: waiting for bind result ...
>> rlm_ldap: Bind was successful
>> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
>> filter (uid=catch)
>> rlm_ldap: object not found or got ambiguous search result
>> rlm_ldap: search failed
>> rlm_ldap: ldap_release_conn: Release Id: 0
>> ++[ldap2] returns notfound
>>
>> auth: No authenticate method (Auth-Type) configuration found for the
>> request: Rejecting the user
>> auth: Failed to validate the user.
>>
>> You can see it is attempting to search both databases but fails. If I
>> use a simple telnet or ssh to authenticate against the LDAP server it
>> logs in fine. LDAP client login against the LDAP server is otherwise
>> working fine. I know I have been bothering you with trivial questions. But
>> any help would be appreciated :-)
>>
>> Thanks in advance.
>> Sambuddho
>>
>> On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote:
>> > Sambuddho Chakravarty wrote:
>> > > This is exactly what I did. I forgot to put the separate module names
>> >
>> > The consistent problems you see make me think that the issue is more
>> > than "forgot".
>> >
>> > > And now when I try to start the server this is the error I see:
>> > >
>> > > server {
>> > > modules {
>> > > Module: Checking authenticate {...} for more modules to load
>> > > //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap':
>> >
>> > So was that module built? Apparently not...
>> >
>> > > When trying with a single server, it matches the radius request against
>> > > rlm_pap and not rlm_ldap. I am confused.
>> >
>> > Perhaps reading the debug output (and that of "configure" and "make")
>> > would help.
>> >
>> > Alan DeKok.
Re: freeradius with multiple ldap servers
Hello
I think I know what the problem is. The radius server is looking up using the cleartext password, while the LDAP database stores the hashed passwords. How can I force the radius server to search for the password as a hashed value (rather than searching for the clear-text value)?

Thanks
Sambuddho

On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
> Hello Alan
> I made sure this time that rlm_ldap was compiled. Now the following is
> the configuration
>
> --/etc/raddb/modules/ldap---
>
> ldap ldap1 {
>   server = "a.b.c.d"
>   ...
> }
>
> ldap ldap2 {
>   server = "w.x.y.z"
>   ...
> }
>
> -/etc/raddb/radiusd.conf-
>
> authorize {
>   ldap1
>   ldap2
> }
>
> authenticate {
>   ldap1
>   ldap2
> }
>
> When I execute /sbin/radiusd -X
>
> It shows instantiating module ldap1 and module ldap2
>
> Module: Instantiating ldap2
>  ldap ldap1 {
>   server = "a.b.c.d"
>   port = 389
>
> Module: Instantiating ldap2
>  ldap ldap2 {
>   server = "w.x.y.z"
>   port = 389
>
> When sending a radtest request using the following command (from the
> same machine as one which is running the server)
>
> $ radtest user "secret" localhost 2 testing123
>
> I get ACCESS-REJECT reply from the server.
>
> On the server the logs show something like this
> ---
> It shows binding to both LDAP servers one by one through something like
> this:
>
> rlm_ldap: performing user authorization for catch
> WARNING: Deprecated conditional expansion ":-". See "man unlang" for
> details
> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
> expand: ou=People,dc=example,dc=example ->
> ou=People,dc=example,dc=example
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0
> rlm_ldap: bind as / to 30.0.0.2:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
> filter (uid=catch)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap1] returns notfound
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for catch
> WARNING: Deprecated conditional expansion ":-". See "man unlang" for
> details
> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
> expand: ou=People,dc=example,dc=example ->
> ou=People,dc=example,dc=example
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0
> rlm_ldap: bind as / to 10.0.0.1:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
> filter (uid=catch)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap2] returns notfound
>
> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user
> auth: Failed to validate the user.
>
> You can see it is attempting to search both databases but fails. If I
> use a simple telnet or ssh to authenticate against the LDAP server it
> logs in fine. LDAP client login against the LDAP server is otherwise
> working fine. I know I have been bothering you with trivial questions. But
> any help would be appreciated :-)
>
> Thanks in advance.
> Sambuddho
>
> On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote:
> > Sambuddho Chakravarty wrote:
> > > This is exactly what I did. I forgot to put the separate module names
> >
> > The consistent problems you see make me think that the issue is more
> > than "forgot".
> >
> > > And now when I try to start the server this is the error I see:
> > >
> > > server {
> > > modules {
> > > Module: Checking authenticate {...} for more modules to load
> > > //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap':
> >
> > So was that module built? Apparently not...
> >
> > > When trying with a single server, it matches the radius request against
> > > rlm_pap and not rlm_ldap. I am confused.
> >
> > Perhaps reading the debug output (and that of "configure" and "make")
> > would help.
> >
> > Alan DeKok.
Re: freeradius with multiple ldap servers
Hello Alan
I made sure this time that rlm_ldap was compiled. Now the following is the configuration

--/etc/raddb/modules/ldap---

ldap ldap1 {
  server = "a.b.c.d"
  ...
}

ldap ldap2 {
  server = "w.x.y.z"
  ...
}

-/etc/raddb/radiusd.conf-

authorize {
  ldap1
  ldap2
}

authenticate {
  ldap1
  ldap2
}

When I execute /sbin/radiusd -X

It shows instantiating module ldap1 and module ldap2

Module: Instantiating ldap2
 ldap ldap1 {
  server = "a.b.c.d"
  port = 389

Module: Instantiating ldap2
 ldap ldap2 {
  server = "w.x.y.z"
  port = 389

When sending a radtest request using the following command (from the same machine as one which is running the server)

$ radtest user "secret" localhost 2 testing123

I get ACCESS-REJECT reply from the server.

On the server the logs show something like this
---
It shows binding to both LDAP servers one by one through something like this:

rlm_ldap: performing user authorization for catch
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
expand: ou=People,dc=example,dc=example -> ou=People,dc=example,dc=example
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0
rlm_ldap: bind as / to 30.0.0.2:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,dc=example,dc=example, with filter (uid=catch)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap1] returns notfound
rlm_ldap: - authorize
rlm_ldap: performing user authorization for catch
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
expand: ou=People,dc=example,dc=example -> ou=People,dc=example,dc=example
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0
rlm_ldap: bind as / to 10.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,dc=example,dc=example, with filter (uid=catch)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap2] returns notfound

auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.

You can see it is attempting to search both databases but fails. If I use a simple telnet or ssh to authenticate against the LDAP server it logs in fine. LDAP client login against the LDAP server is otherwise working fine. I know I have been bothering you with trivial questions. But any help would be appreciated :-)

Thanks in advance.
Sambuddho

On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote:
> Sambuddho Chakravarty wrote:
> > This is exactly what I did. I forgot to put the separate module names
>
> The consistent problems you see make me think that the issue is more
> than "forgot".
>
> > And now when I try to start the server this is the error I see:
> >
> > server {
> > modules {
> > Module: Checking authenticate {...} for more modules to load
> > //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap':
>
> So was that module built? Apparently not...
>
> > When trying with a single server, it matches the radius request against
> > rlm_pap and not rlm_ldap. I am confused.
>
> Perhaps reading the debug output (and that of "configure" and "make")
> would help.
>
> Alan DeKok.
Re: freeradius with multiple ldap servers
Sambuddho Chakravarty wrote:
> This is exactly what I did. I forgot to put the separate module names

The consistent problems you see make me think that the issue is more than "forgot".

> And now when I try to start the server this is the error I see:
>
> server {
> modules {
> Module: Checking authenticate {...} for more modules to load
> //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap':

So was that module built? Apparently not...

> When trying with a single server, it matches the radius request against
> rlm_pap and not rlm_ldap. I am confused.

Perhaps reading the debug output (and that of "configure" and "make") would help.

Alan DeKok.
Re: freeradius with multiple ldap servers
Hello
This is exactly what I did. I forgot to put the separate module names here in the email; it is like this:

/etc/raddb/modules/ldap1
ldap ldap1 {
  ...
}

/etc/raddb/modules/ldap2---
ldap ldap2 {
  ..
}

Or is it that it should be one file?

And now when I try to start the server this is the error I see:

server {
modules {
Module: Checking authenticate {...} for more modules to load
//etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap': rlm_ldap.so: cannot open shared object file: No such file or directory
//etc/raddb/radiusd.conf[744]: Failed to find module "ldap1".
//etc/raddb/radiusd.conf[743]: Errors parsing authenticate section.
}
}

The radius.conf has this:

authorize {
  redundant {
    ldap1
    ldap2
  }
}

authenticate {
  ldap1
  ldap2
}

Rest of radius.conf is untouched. When trying with a single server, it matches the radius request against rlm_pap and not rlm_ldap. I am confused.

Thanks
Sambuddho

On Tue, 2008-07-01 at 09:26 +0200, Alan DeKok wrote:
> Sambuddho Chakravarty wrote:
> > Hello
> > But this never really worked. I did exactly this. The ldap1 and ldap2
> > are files with the following
> >
> > /etc/raddb/modules/ldap1
> >
> > ldap {
> ...
> > /etc/raddb/modules/ldap2---
> >
> > ldap {
>
> You have two modules named "ldap". Go read the comments at the top of
> the "modules" section in radiusd.conf.
>
> And before you go any further, PLEASE read the comments in the
> configuration files. You have been told to do this before, and it's
> clear that you either haven't done so, or you haven't understood them.
>
> Alan DeKok.
Re: freeradius with multiple ldap servers
ldap ldap1 {
  ..
}

ldap ldap2 {
  ..
}

Ivan Kalik
Kalik Informatika ISP

On 1/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> writes:
>Hello
> But this never really worked. I did exactly this. The ldap1 and ldap2
>are files with the following
>
>/etc/raddb/modules/ldap1
>
>ldap {
>  server = "30.0.0.2"
>  basedn = "ou=People,cu=example,c=com"
>  filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>  port = 389
>  ldap_connections_number = 5
>  timeout = 40
>  timelimit = 30
>  net_timeout = 10
>  tls {
>    start_tls = no
>    require_cert = "demand"
>  }
>  dictionary_mapping = ${confdir}/ldap.attrmap
>  edir_account_policy_check = no
>}
>
>/etc/raddb/modules/ldap2---
>
>ldap {
>  server = "10.0.0.1"
>  basedn = "ou=People,cu=example,c=com"
>  filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>  port = 389
>  ldap_connections_number = 5
>  timeout = 40
>  timelimit = 30
>  net_timeout = 10
>  tls {
>    start_tls = no
>    require_cert = "demand"
>  }
>  dictionary_mapping = ${confdir}/ldap.attrmap
>  edir_account_policy_check = no
>}
>
>--
>
>The only difference in both files is the LDAP server IP address. When I
>did as I mentioned in my previous email and executed /sbin/radiusd -X -C
>the execution ended with the following error
>
> Module: Checking authenticate {...} for more modules to load
>//etc/raddb/radiusd.conf[757]: Failed to find module "ldap1".
>//etc/raddb/radiusd.conf[756]: Errors parsing authenticate section.
> }
>
>Also, one more observation: when having a single LDAP server and when
>it actually worked fine, the debug messages showed
>
>found rlm_pap. While I think it should be showing rlm_ldap. Why is this
>so? But authentication worked fine and the client received an
>ACCESS-ACCEPT message as reply.
>
>Thanks
>Sambuddho
>
>On Thu, 2008-06-19 at 13:50 -0400, Sambuddho Chakravarty wrote:
>> Do you mean something like this
>>
>> authorize {
>>   redundant {
>>     ldap1
>>     ldap2
>>   }
>> }
>>
>> authenticate {
>>   ldap1
>>   ldap2
>> }
>>
>> The reason I list them here is to use them for authentication against
>> multiple LDAP servers whose configuration information is in the two
>> files modules/ldap1 and modules/ldap2. Does this look valid?
>>
>> Thanks
>> Sambuddho
>>
>> On Thu, 2008-06-19 at 09:35 +0200, Alan DeKok wrote:
>> > Sambuddho Chakravarty wrote:
>> > > Yes, but on a freeradius-2.05, when I create a separate authenticate
>> > > {} and authorize {} subsection and plug in the following :
>> > >
>> > > authorize {
>> > >   Autz-Type LDAP {
>> >
>> > You don't need to use Autz-Type in 2.0.
>> >
>> > > authenticate {
>> > >   Auth-Type LDAP{
>> > >     redundant{
>> >
>> > Don't use redundant sections here. Just list the two LDAP modules
>> > independently. The LDAP server that was used in the authorize section
>> > will ensure that it is also used in the authenticate section.
>> >
>> > >       ${confdir}/modules/ldap1
>> >
>> > And I hope that's not what I think it is.
>> >
>> > > It doesn't work.
>> >
>> > See the FAQ for "it doesn't work".
>> >
>> > > Here the ldap1 and ldap2 are two separate files in
>> > > the /etc/raddb/modules directory and have separate ldap server IP
>> > > addresses. Can anyone please point out to me where I am going wrong?
>> >
>> > Lots. The major one is that you are putting the module
>> > *configuration* into the authorize and authenticate sections. I have no
>> > idea why you think that's a good idea. The examples included in the
>> > server DO NOT DO THIS.
>> >
>> > The files in the "modules" directory belong in the "modules" section
>> > of radiusd.conf. This is documented in the comments, and in many examples.
>> >
>> > The entries in the "authorize" and "authenticate" sections are simply
>> > a one-word reference to the name of a module. Again, this is documented
>> > in the comments and in many examples.
>> >
>> > Alan DeKok.
Re: freeradius with multiple ldap servers
Sambuddho Chakravarty wrote:
> Hello
> But this never really worked. I did exactly this. The ldap1 and ldap2
> are files with the following
>
> /etc/raddb/modules/ldap1
>
> ldap {
...
> /etc/raddb/modules/ldap2---
>
> ldap {

You have two modules named "ldap". Go read the comments at the top of the "modules" section in radiusd.conf.

And before you go any further, PLEASE read the comments in the configuration files. You have been told to do this before, and it's clear that you either haven't done so, or you haven't understood them.

Alan DeKok.
Re: freeradius with multiple ldap servers
Hello
But this never really worked. I did exactly this. The ldap1 and ldap2 are files with the following

/etc/raddb/modules/ldap1

ldap {
  server = "30.0.0.2"
  basedn = "ou=People,cu=example,c=com"
  filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
  port = 389
  ldap_connections_number = 5
  timeout = 40
  timelimit = 30
  net_timeout = 10
  tls {
    start_tls = no
    require_cert = "demand"
  }
  dictionary_mapping = ${confdir}/ldap.attrmap
  edir_account_policy_check = no
}

/etc/raddb/modules/ldap2---

ldap {
  server = "10.0.0.1"
  basedn = "ou=People,cu=example,c=com"
  filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
  port = 389
  ldap_connections_number = 5
  timeout = 40
  timelimit = 30
  net_timeout = 10
  tls {
    start_tls = no
    require_cert = "demand"
  }
  dictionary_mapping = ${confdir}/ldap.attrmap
  edir_account_policy_check = no
}

--

The only difference in both files is the LDAP server IP address. When I did as I mentioned in my previous email and executed /sbin/radiusd -X -C the execution ended with the following error

 Module: Checking authenticate {...} for more modules to load
//etc/raddb/radiusd.conf[757]: Failed to find module "ldap1".
//etc/raddb/radiusd.conf[756]: Errors parsing authenticate section.
 }

Also, one more observation: when having a single LDAP server and when it actually worked fine, the debug messages showed

found rlm_pap. While I think it should be showing rlm_ldap. Why is this so? But authentication worked fine and the client received an ACCESS-ACCEPT message as reply.

Thanks
Sambuddho

On Thu, 2008-06-19 at 13:50 -0400, Sambuddho Chakravarty wrote:
> Do you mean something like this
>
> authorize {
>   redundant {
>     ldap1
>     ldap2
>   }
> }
>
> authenticate {
>   ldap1
>   ldap2
> }
>
> The reason I list them here is to use them for authentication against
> multiple LDAP servers whose configuration information is in the two
> files modules/ldap1 and modules/ldap2. Does this look valid?
>
> Thanks
> Sambuddho
>
> On Thu, 2008-06-19 at 09:35 +0200, Alan DeKok wrote:
> > Sambuddho Chakravarty wrote:
> > > Yes, but on a freeradius-2.05, when I create a separate authenticate
> > > {} and authorize {} subsection and plug in the following :
> > >
> > > authorize {
> > >   Autz-Type LDAP {
> >
> > You don't need to use Autz-Type in 2.0.
> >
> > > authenticate {
> > >   Auth-Type LDAP{
> > >     redundant{
> >
> > Don't use redundant sections here. Just list the two LDAP modules
> > independently. The LDAP server that was used in the authorize section
> > will ensure that it is also used in the authenticate section.
> >
> > >       ${confdir}/modules/ldap1
> >
> > And I hope that's not what I think it is.
> >
> > > It doesn't work.
> >
> > See the FAQ for "it doesn't work".
> >
> > > Here the ldap1 and ldap2 are two separate files in
> > > the /etc/raddb/modules directory and have separate ldap server IP
> > > addresses. Can anyone please point out to me where I am going wrong?
> >
> > Lots. The major one is that you are putting the module
> > *configuration* into the authorize and authenticate sections. I have no
> > idea why you think that's a good idea. The examples included in the
> > server DO NOT DO THIS.
> >
> > The files in the "modules" directory belong in the "modules" section
> > of radiusd.conf. This is documented in the comments, and in many examples.
> >
> > The entries in the "authorize" and "authenticate" sections are simply
> > a one-word reference to the name of a module. Again, this is documented
> > in the comments and in many examples.
> >
> > Alan DeKok.
Re: freeradius with multiple ldap servers
Sambuddho Chakravarty wrote:
> Do you mean something like this

Yes.

Alan DeKok.
Re: freeradius with multiple ldap servers
Do you mean something like this

authorize {
  redundant {
    ldap1
    ldap2
  }
}

authenticate {
  ldap1
  ldap2
}

The reason I list them here is to use them for authentication against multiple LDAP servers whose configuration information is in the two files modules/ldap1 and modules/ldap2. Does this look valid?

Thanks
Sambuddho

On Thu, 2008-06-19 at 09:35 +0200, Alan DeKok wrote:
> Sambuddho Chakravarty wrote:
> > Yes, but on a freeradius-2.05, when I create a separate authenticate
> > {} and authorize {} subsection and plug in the following :
> >
> > authorize {
> >   Autz-Type LDAP {
>
> You don't need to use Autz-Type in 2.0.
>
> > authenticate {
> >   Auth-Type LDAP{
> >     redundant{
>
> Don't use redundant sections here. Just list the two LDAP modules
> independently. The LDAP server that was used in the authorize section
> will ensure that it is also used in the authenticate section.
>
> >       ${confdir}/modules/ldap1
>
> And I hope that's not what I think it is.
>
> > It doesn't work.
>
> See the FAQ for "it doesn't work".
>
> > Here the ldap1 and ldap2 are two separate files in
> > the /etc/raddb/modules directory and have separate ldap server IP
> > addresses. Can anyone please point out to me where I am going wrong?
>
> Lots. The major one is that you are putting the module
> *configuration* into the authorize and authenticate sections. I have no
> idea why you think that's a good idea. The examples included in the
> server DO NOT DO THIS.
>
> The files in the "modules" directory belong in the "modules" section
> of radiusd.conf. This is documented in the comments, and in many examples.
>
> The entries in the "authorize" and "authenticate" sections are simply
> a one-word reference to the name of a module. Again, this is documented
> in the comments and in many examples.
>
> Alan DeKok.
Re: freeradius with multiple ldap servers
Sambuddho Chakravarty wrote:
> Yes, but on a freeradius-2.05, when I create a separate authenticate
> {} and authorize {} subsection and plug in the following :
>
> authorize {
>   Autz-Type LDAP {

You don't need to use Autz-Type in 2.0.

> authenticate {
>   Auth-Type LDAP{
>     redundant{

Don't use redundant sections here. Just list the two LDAP modules independently. The LDAP server that was used in the authorize section will ensure that it is also used in the authenticate section.

>       ${confdir}/modules/ldap1

And I hope that's not what I think it is.

> It doesn't work.

See the FAQ for "it doesn't work".

> Here the ldap1 and ldap2 are two separate files in
> the /etc/raddb/modules directory and have separate ldap server IP
> addresses. Can anyone please point out to me where I am going wrong?

Lots. The major one is that you are putting the module *configuration* into the authorize and authenticate sections. I have no idea why you think that's a good idea. The examples included in the server DO NOT DO THIS.

The files in the "modules" directory belong in the "modules" section of radiusd.conf. This is documented in the comments, and in many examples.

The entries in the "authorize" and "authenticate" sections are simply a one-word reference to the name of a module. Again, this is documented in the comments and in many examples.

Alan DeKok.
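As an added example that is not from the thread or from the FreeRADIUS distribution, here is the FreeRADIUS 2.0 layout that Alan and Ivan describe, assembled in one place: two differently named instances of rlm_ldap under modules/, one-word references to them in authorize and authenticate, and the pap module with password header detection switched on, which is what the thread's final message reports fixed the {crypt} passwords. Server addresses, base DN and bind credentials are constructed placeholders; the ldap keys are the ones used in the thread, while the identity/password bind settings and the Auth-Type sub-sections are taken from the standard 2.0 configuration files rather than from this thread.

```conf
# /etc/raddb/modules/ldap1 -- instance "ldap1" of rlm_ldap (constructed example)
ldap ldap1 {
	server = "30.0.0.2"                       # placeholder: first LDAP server
	identity = "cn=radius,dc=example,dc=com"  # assumed read-only bind DN; the thread's
	password = "CHANGE-ME"                    # anonymous "bind as /" cannot read userPassword
	basedn = "ou=People,dc=example,dc=com"    # must match the directory (see the "expand:" debug line)
	filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
	port = 389
	ldap_connections_number = 5
	timeout = 40
	timelimit = 30
	net_timeout = 10
	dictionary_mapping = ${confdir}/ldap.attrmap
}

# /etc/raddb/modules/ldap2 -- second instance, same module, different server
ldap ldap2 {
	server = "10.0.0.1"                       # placeholder: second LDAP server
	identity = "cn=radius,dc=example,dc=com"
	password = "CHANGE-ME"
	basedn = "ou=People,dc=example,dc=com"
	filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
	port = 389
	ldap_connections_number = 5
	timeout = 40
	timelimit = 30
	net_timeout = 10
	dictionary_mapping = ${confdir}/ldap.attrmap
}

# /etc/raddb/modules/pap
pap {
	# With "no", a userPassword of "{crypt}..." read from LDAP is compared
	# as if it were the clear-text password and every PAP login fails.
	auto_header = yes
}

# radiusd.conf: instantiate every file under modules/ (ldap1, ldap2, pap, ...)
modules {
	$INCLUDE ${confdir}/modules/
}

# sites-enabled/default: refer to instances by name only, no file paths here
authorize {
	redundant {   # ldap2 is tried only when ldap1 returns "fail" (server
		ldap1     # unreachable), so both servers should hold the same accounts
		ldap2
	}
	pap           # sets Auth-Type = PAP once a known-good password was read
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type LDAP {  # used only when userPassword could not be read;
		ldap1         # the module then binds to LDAP as the user
		ldap2
	}
}
```

Run `radiusd -X` after editing: a correct layout lists "Module: Instantiating ldap1" and "ldap2" at start-up, and a failed `Failed to find module "ldap1"` at that point means the instance name and the reference still do not match.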
Re: freeradius with multiple ldap servers
Yes, but on a freeradius-2.05, when I create a separate authenticate {} and authorize {} subsection and plug in the following :

authorize {
  Autz-Type LDAP {
    redundant {
      ${confdir}/modules/ldap1
      ${confdir}/modules/ldap2
    }
  }
}

authenticate {
  Auth-Type LDAP{
    redundant{
      ${confdir}/modules/ldap1
      ${confdir}/modules/ldap2
    }
  }
}

It doesn't work. Here the ldap1 and ldap2 are two separate files in the /etc/raddb/modules directory and have separate ldap server IP addresses. Can anyone please point out to me where I am going wrong?

Thanks
Sambuddho

On Sun, 2008-06-15 at 01:55 -0700, Chris wrote:
> As in:
>
> redundant {
>   ldap1
>   ldap2
> }
>
> On Jun 15, 2008, at 1:08 AM, Ivan Kalik wrote:
>
> > http://www.freeradius.org/radiusd/man/unlang.html
> >
> > Ivan Kalik
> > Kalik Informatika ISP
> >
> > On 15/6/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> writes:
> >
> >> Hello All
> >> Will creating multiple instances of the /etc/raddb/modules/ldap1
> >> and /etc/raddb/modules/ldap2 each with different LDAP server
> >> addresses
> >> and database information work for having a user authenticate against
> >> either of the two LDAP servers. By that I mean that say our user
> >> 'try'
> >> tries to authenticate and sends the radius server an authentication
> >> request message, then, by having two files /etc/raddb/modules/ldap1
> >> and /etc/raddb/modules/ldap2 cause the server to connect to both the
> >> servers and check for authentication? If not, then can anyone please
> >> suggest what is the way for doing this?
> >>
> >> Thanks
> >> Sambuddho
Re: freeradius with multiple ldap servers
As in:

redundant {
  ldap1
  ldap2
}

On Jun 15, 2008, at 1:08 AM, Ivan Kalik wrote:

> http://www.freeradius.org/radiusd/man/unlang.html
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 15/6/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> writes:
>
>> Hello All
>> Will creating multiple instances of the /etc/raddb/modules/ldap1
>> and /etc/raddb/modules/ldap2 each with different LDAP server addresses
>> and database information work for having a user authenticate against
>> either of the two LDAP servers. By that I mean that say our user 'try'
>> tries to authenticate and sends the radius server an authentication
>> request message, then, by having two files /etc/raddb/modules/ldap1
>> and /etc/raddb/modules/ldap2 cause the server to connect to both the
>> servers and check for authentication? If not, then can anyone please
>> suggest what is the way for doing this?
>>
>> Thanks
>> Sambuddho
Re: freeradius with multiple ldap servers
http://www.freeradius.org/radiusd/man/unlang.html

Ivan Kalik
Kalik Informatika ISP

On 15/6/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> writes:
>Hello All
> Will creating multiple instances of the /etc/raddb/modules/ldap1
>and /etc/raddb/modules/ldap2 each with different LDAP server addresses
>and database information work for having a user authenticate against
>either of the two LDAP servers. By that I mean that say our user 'try'
>tries to authenticate and sends the radius server an authentication
>request message, then, by having two files /etc/raddb/modules/ldap1
>and /etc/raddb/modules/ldap2 cause the server to connect to both the
>servers and check for authentication? If not, then can anyone please
>suggest what is the way for doing this?
>
>Thanks
>Sambuddho
freeradius with multiple ldap servers
Hello All
Will creating multiple instances of the /etc/raddb/modules/ldap1 and /etc/raddb/modules/ldap2 each with different LDAP server addresses and database information work for having a user authenticate against either of the two LDAP servers? By that I mean that say our user 'try' tries to authenticate and sends the radius server an authentication request message; then, by having two files /etc/raddb/modules/ldap1 and /etc/raddb/modules/ldap2, will the server connect to both the servers and check for authentication? If not, then can anyone please suggest what is the way for doing this?

Thanks
Sambuddho
Re: Freeradius with Multiple Ldap Servers
See doc/configurable_failover in the source tree.

--Mike

On Thu, 2004-09-16 at 08:23, Matthew Hunter wrote:
> I have Freeradius configured with Ldap which works but I would like to
> specify a secondary Ldap server in case the primary ldap goes down. How
> would I go about doing that? Thanks
>
> Matt Hunter
> Network Analyst
> Waukesha County Technical College
Freeradius with Multiple Ldap Servers
I have Freeradius configured with Ldap which works but I would like to specify a secondary Ldap server in case the primary ldap goes down. How would I go about doing that? Thanks

Matt Hunter
Network Analyst
Waukesha County Technical College