Re: redundant LDAP server with free-radius

2007-02-02 Thread Alexei Monastyrnyi
got you, mate

I was kind of confused by

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
}

Looking at this makes things more clear.

modules {
    mschap {
        authtype = MS-CHAP

Still, Failover is kind of inconsistent/incomplete without pointing 
this out (though it is an indirect detail). Other parts of the doc might 
well have a reference to that, but IMO it is worth referring to this on 
the failover page; the doc is supposed to help people get answers ... People 
might never come to renaming module instances but for redundancy. Since 
it is a Wiki, I can probably update it by adding ~200-300 bytes of text, 
and in case you don't like it, you can always roll back.

A.



on 2/1/2007 4:55 PM Alan DeKok wrote:
> Alexei Monastyrnyi wrote:
>> this works as expected, though it is not that obvious that the Auth-Type
>> name refers to the module name, and does not just name the method...
>
>   It defines the method, but doesn't make the module set Auth-Type to
> that method.
>
>> Or I might
>> have missed that in the documentation. Anyway, the fail-over section
>> does not reflect this IMO. Not a note on the authenticate sub-section at
>> all... should it be updated?
>
>   Modules having authenticate sections automatically have Auth-Type
> definitions created based on their name.  This is normally the module
> name (i.e. LDAP), unless the module has an *instance* name, in which
> case it's the instance name.
>
>   The LDAP module sets Auth-Type to its *instance* name, not to
> LDAP.  That appears to be the piece you're missing.
>
>   This has nothing to do with failover.
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


redundant LDAP server with free-radius

2007-02-01 Thread Alexei Monastyrnyi
Folks,
sorry for bringing this up again.

I am running FreeRADIUS 1.1.4 and OpenLDAP 2.3.32 on two Solaris10/x86 
hosts.

Non-redundant config works fine with FreeRADIUS and OpenLDAP on a single 
host.

modules {
    ldap {

    }
}

authorize {
    ...
    ldap
}

authenticate {
    ...
    Auth-Type LDAP {
        ldap
    }
}

When I use a redundant config as per the instructions in the docs, I get 
"auth: No authenticate method (Auth-Type) configuration found for the 
request: Rejecting the user" in the debug output and the user is rejected. 
Please see config and debug output below. I guess I am missing some fine 
detail here. Your help would be highly appreciated.

modules {
    ldap ds-01 {

    }
    ldap ds-02 {

    }
}

authorize {
    ...
    redundant {
        ds-02
        ds-01
    }
}

authenticate {
    ...
    Auth-Type LDAP {
        redundant {
            ds-02
            ds-01
        }
    }
}


Debug output

rad_recv: Access-Request packet from host 1.1.1.1:3283, id=29, length=47
User-Name = qwer
User-Password = qwer
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = qwer, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
modcall: entering group redundant  for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for qwer
radius_xlat:  '((objectClass=posixAccount)(l=*)(uid=qwer))'
radius_xlat:  'dc=my,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=my,dc=com, with filter 
((objectClass=posixAccount)(l=*)(uid=qwer))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user alexeim authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ds-02 returns ok for request 0
modcall: leaving group redundant  (returns ok) for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the 
request: Rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0



TIA
A.


Re: redundant LDAP server with free-radius

2007-02-01 Thread Alan DeKok
Alexei Monastyrnyi wrote:
> When I use a redundant config as per the instructions in the docs, I get
> "auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user" in the debug output and the user is rejected.
> Please see config and debug output below. I guess I am missing some fine
> detail here. Your help would be highly appreciated.

  The modules are named ds-01 and ds-02, not LDAP.  In this case,
you will have to set Auth-Type to LDAP by hand.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: redundant LDAP server with free-radius

2007-02-01 Thread Alexei Monastyrnyi
Thanks Alan.

But I do define it when switching from single server to redundant group, don't I?

   Auth-Type LDAP {
       ldap
   }

to

   Auth-Type LDAP {
       redundant {
           ds-02
           ds-01
       }
   }

Isn't that enough?

A.

Alan DeKok wrote:
> Alexei Monastyrnyi wrote:
>> When I use a redundant config as per the instructions in the docs, I get
>> "auth: No authenticate method (Auth-Type) configuration found for the
>> request: Rejecting the user" in the debug output and the user is rejected.
>> Please see config and debug output below. I guess I am missing some fine
>> detail here. Your help would be highly appreciated.
>
>   The modules are named ds-01 and ds-02, not LDAP.  In this case,
> you will have to set Auth-Type to LDAP by hand.
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog





Re: redundant LDAP server with free-radius

2007-02-01 Thread Alan DeKok
Alexei Monastyrnyi wrote:

> But I do define it when switching from single server to redundant group, don't
> I?

  Yes.

> Isn't that enough?

  What did my previous response say?

  You can argue with me, or you can try what I suggested, and verify for
yourself that it works.

  As a hint: when the LDAP module sets Auth-Type, it sets the value to
the name of the module... which in your case is ds-01, not LDAP.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: redundant LDAP server with free-radius

2007-02-01 Thread Alexei Monastyrnyi
no arguing here, just clearing up things... :-) stay cool

this works as expected, though it is not that obvious that the Auth-Type 
name refers to the module name, and does not just name the method... Or I might 
have missed that in the documentation. Anyway, the fail-over section 
does not reflect this IMO. Not a note on the authenticate sub-section at 
all... should it be updated?
http://wiki.freeradius.org/Fail-over

authorize {
    ...
    redundant {
        ds-02
        ds-01
    }
}

authenticate {
    ...
    Auth-Type ds-01 {
        ds-01
    }
    Auth-Type ds-02 {
        ds-02
    }
}

on 2/1/2007 4:04 PM Alan DeKok wrote:
> Alexei Monastyrnyi wrote:
>> But I do define it when switching from single server to redundant group,
>> don't I?
>
>   Yes.
>
>> Isn't that enough?
>
>   What did my previous response say?
>
>   You can argue with me, or you can try what I suggested, and verify for
> yourself that it works.
>
>   As a hint: when the LDAP module sets Auth-Type, it sets the value to
> the name of the module... which in your case is ds-01, not LDAP.
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog


Re: redundant LDAP server with free-radius

2007-02-01 Thread Alan DeKok
Alexei Monastyrnyi wrote:
> this works as expected, though it is not that obvious that the Auth-Type
> name refers to the module name, and does not just name the method...

  It defines the method, but doesn't make the module set Auth-Type to
that method.

> Or I might
> have missed that in the documentation. Anyway, the fail-over section
> does not reflect this IMO. Not a note on the authenticate sub-section at
> all... should it be updated?

  Modules having authenticate sections automatically have Auth-Type
definitions created based on their name.  This is normally the module
name (i.e. LDAP), unless the module has an *instance* name, in which
case it's the instance name.

  The LDAP module sets Auth-Type to its *instance* name, not to
LDAP.  That appears to be the piece you're missing.

  This has nothing to do with failover.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
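As an added example (not part of the thread, and not FreeRADIUS code): a small Python checker that applies the rule Alan states above to radiusd.conf-style text. It walks the braces, collects the ldap instance names declared in modules { }, works out which of them authorize { } can run (looking through redundant { }), and reports every instance that has no matching Auth-Type <instance> { } block in authenticate { }. The forced_auth_type parameter models Alan's first suggestion of setting Auth-Type to LDAP by hand. The sample configs are constructed after the ones posted in this thread; the brace-walker is a stand-in for the real config parser and assumes one statement per line.

```python
# Added example, not code from the thread or from FreeRADIUS.  Rule encoded: a
# module with an authenticate method sets Auth-Type to its *instance* name.
import re
from dataclasses import dataclass, field

@dataclass
class Section:
    name: str                                   # "modules", "ldap ds-01", "Auth-Type LDAP"
    children: list = field(default_factory=list)
    items: list = field(default_factory=list)   # bare module references such as "ds-01"

def parse(text):
    """Minimal brace-walker for radiusd.conf-style text (not the real parser)."""
    root = Section("<root>")
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and indentation
        if not line or line == "...":           # "..." marks elided config
            continue
        if line.endswith("{"):
            sec = Section(line[:-1].strip())
            stack[-1].children.append(sec)
            stack.append(sec)
        elif line == "}":
            stack.pop()
        else:
            stack[-1].items.append(line)
    return root

def ldap_instances(modules):
    """Instance names of the ldap modules declared in modules { }."""
    names = set()
    for sec in (modules.children if modules else []):
        parts = sec.name.split()
        if parts[0] == "ldap":                  # plain "ldap {" -> instance name "ldap"
            names.add(parts[1] if len(parts) > 1 else "ldap")
    return names

def referenced(sec):
    """Module names used anywhere inside sec, looking through redundant { } etc."""
    out = set(sec.items)
    for child in sec.children:
        out |= referenced(child)
    return out

def authtype_blocks(authenticate):
    """Auth-Type values that have a block, lower-cased (the values are case-insensitive)."""
    blocks = set()
    for sec in (authenticate.children if authenticate else []):
        if m := re.fullmatch(r"Auth-Type\s+(\S+)", sec.name):
            blocks.add(m.group(1).lower())
    return blocks

def missing_auth_types(text, forced_auth_type=None):
    """Auth-Type values a request can end up with that have no authenticate block."""
    top = {s.name: s for s in parse(text).children}
    blocks = authtype_blocks(top.get("authenticate"))
    if forced_auth_type is not None:            # Auth-Type set by hand, e.g. in users
        return [] if forced_auth_type.lower() in blocks else [forced_auth_type]
    authorize = top.get("authorize", Section("authorize"))
    used = referenced(authorize) & ldap_instances(top.get("modules"))
    return sorted(n for n in used if n.lower() not in blocks)

# Constructed samples modelled on the configs posted in the thread.
COMMON = """modules {
    ldap ds-01 {
    }
    ldap ds-02 {
    }
}
authorize {
    redundant {
        ds-02
        ds-01
    }
}
"""
# As first posted: the block is named LDAP, but the modules set Auth-Type ds-01/ds-02.
BROKEN = COMMON + """authenticate {
    Auth-Type LDAP {
        redundant {
            ds-02
            ds-01
        }
    }
}"""
# The config that worked: one Auth-Type block per instance name.
FIXED = COMMON + """authenticate {
    Auth-Type ds-01 {
        ds-01
    }
    Auth-Type ds-02 {
        ds-02
    }
}"""

if __name__ == "__main__":
    print("broken:", missing_auth_types(BROKEN))          # ['ds-01', 'ds-02']
    print("fixed: ", missing_auth_types(FIXED))           # []
    print("forced:", missing_auth_types(BROKEN, "LDAP"))  # []
```

Run as a script, the first posted config reports ds-01 and ds-02 as instance names with no authenticate block, which is exactly the "No authenticate method (Auth-Type) configuration found" rejection in the debug output; the per-instance config and the forced Auth-Type := LDAP variant both report nothing.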


Re: redundant LDAP server with free-radius

2006-04-27 Thread Alan DeKok
sumi thra [EMAIL PROTECTED] wrote:
> My access-request does not succeed when I configure multiple ldap
> instances.  I read the rlm_ldap document, according to that,

  I don't think this has anything to do with LDAP.

>   rad_check_password:  Found Auth-Type EAP
> auth: type EAP
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 5
>   rlm_eap: Request not found in the list
> rlm_eap: Either EAP-request timed out OR EAP-response to an unknown
> EAP-request

  That's the problem.

  Alan DeKok.


Re: redundant LDAP server with free-radius

2006-04-27 Thread sumi thra
On 4/27/06, Alan DeKok [EMAIL PROTECTED] wrote:
> sumi thra [EMAIL PROTECTED] wrote:
>> My access-request does not succeed when I configure multiple ldap
>> instances.  I read the rlm_ldap document, according to that,
>
>   I don't think this has anything to do with LDAP.
>
>>   rad_check_password:  Found Auth-Type EAP
>> auth: type EAP
>>   Processing the authenticate section of radiusd.conf
>> modcall: entering group authenticate for request 5
>>   rlm_eap: Request not found in the list
>> rlm_eap: Either EAP-request timed out OR EAP-response to an unknown
>> EAP-request
>
>   That's the problem.

You mean to say that this is an issue in free-radius?? Or is my configuration mismatching?

>   Alan DeKok.

redundant LDAP server with free-radius

2006-04-24 Thread sumi thra
Hi All,

1. When I configure the free-radius to use redundant ldap, the radius server contacts the secondary ldap server first.

My config file options are:

authorize {
    ...
    redundant {
        ldap_primary
        ldap_secondary
    }
    ..
}

authenticate {
    ..
    ..
    Auth-Type LDAP {
        redundant {
            ldap_primary
            ldap_secondary
        }
    }
    #unix
    eap
}

ldap ldap_primary {
    ..
}

ldap ldap_secondary {
    ...
}

2. My users file has:

DEFAULT LDAP-Group := groupname1
        some vendor specific attributes follows..
DEFAULT LDAP-Group := groupname2
        .

Do I need to specify it as

ldap_primary-LDAP-Group := groupname1
ldap_secondary-LDAP-Group := groupname1

?? or will the previous define itself work ??

It's very urgent. Please reply if you have any idea.

Thanks in advance.

Regards,
Sumi.

Re: redundant LDAP server with free-radius

2006-04-24 Thread Alan DeKok
sumi thra [EMAIL PROTECTED] wrote:
> 1. When I configure the free-radius to use redundant ldap, the radius server
> contacts the secondary ldap server first.

  It works for me.

  And since you haven't posted the debugging output as suggested in
the README, FAQ, INSTALL, etc., my guess is you're doing something
else wrong that causes the problem.

> 2. My users file has : DEFAULT LDAP-Group := groupname1 some vendor
> specific attributes follows..
> DEFAULT LDAP-Group := groupname2  .
>
>   Do I need to specify it as ldap_primary-LDAP-Group := groupname1

  Did you read doc/rlm_ldap?

  Alan DeKok.


Re: redundant LDAP server with free-radius

2006-04-24 Thread sumi thra
Yes. I got it now. Thank you so much for your information. :-)

Regards
Sumi

On 4/25/06, Alan DeKok [EMAIL PROTECTED] wrote:
> sumi thra [EMAIL PROTECTED] wrote:
>> 1. When I configure the free-radius to use redundant ldap, the radius server
>> contacts the secondary ldap server first.
>
>   It works for me.
>
>   And since you haven't posted the debugging output as suggested in
> the README, FAQ, INSTALL, etc., my guess is you're doing something
> else wrong that causes the problem.
>
>> 2. My users file has : DEFAULT LDAP-Group := groupname1 some vendor
>> specific attributes follows..
>> DEFAULT LDAP-Group := groupname2 .
>>
>>   Do I need to specify it as ldap_primary-LDAP-Group := groupname1
>
>   Did you read doc/rlm_ldap?
>
>   Alan DeKok.