On May 5, 2012, at 5:09 AM, Alan DeKok wrote:
> jeff donovan wrote:
>> I made two changes, and it worked... not sure if it's the best syntax, but
>> it's the first time I got both systems to call back.
>>
>> authorize {
>>
>> ldap1
>> if (notfound) {
>> ldap2
>> }
>
On 05.05.2012 10:36, Tobias Hachmer wrote:
As I tried to explain before it's not the authentication of the user
in radius request which fails but the bind user so the ldap module
wasn't able to check the user credentials! Please reread the ldap
documentation if this is unclear...
Sorry, I have
jeff donovan wrote:
> I made two changes, and it worked... not sure if it's the best syntax, but
> it's the first time I got both systems to call back.
>
> authorize {
>
> ldap1
> if (notfound) {
> ldap2
> }
This is OK.
> if (reject) {
> l
On 05/05/2012 01:40 AM, jeff donovan wrote:
greetings
sorry
I snipped the bottom off; I didn't think it relevant since nothing happened
after it tried to auth on ldap1.
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/defaul
On May 4, 2012, at 7:40 PM, jeff donovan wrote:
>
>
> and that is correct. The user does not exist on LDAP1, his records are on
> LDAP2, which it finds, but it tries to auth against ldap1 (which will fail).
> I need it to step to ldap2
greetings
I made two changes, and it worked... not su
On May 4, 2012, at 3:58 PM, Tobias Hachmer wrote:
> On 04.05.2012 21:05, jeff donovan wrote:
>> Found Auth-Type = LDAP
>> # Executing group from file /etc/freeradius/sites-enabled/default
>> +- entering group LDAP {...}
>> [ldap1] login attempt by "drfoo" with password "XxXxXxX"
>> [ldap1] user D
On 04.05.2012 21:05, jeff donovan wrote:
Found Auth-Type = LDAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group LDAP {...}
[ldap1] login attempt by "drfoo" with password "XxXxXxX"
[ldap1] user DN: uid=drfoo,cn=users,dc=ldap2,dc=example.com
[ldap1] (re)connect
On May 4, 2012, at 10:14 AM, Alan DeKok wrote:
> snip
>> authorize {
> ...
>>redundant {
>> ldap1
>> ldap2
>>}
>
> Change that to:
>
>     ldap1
>     if (notfound) {
>         ldap2
>     }
>
> And it will work.
Greetings, I read the unlang pages.
I modified my Authoriz
jeff donovan wrote:
> Thanks for the reply. Can I really use if then else?
Do you think I'm lying to you? Did you read "man unlang",
which explains all of this?
> With that said, I should be able to apply the same for fail?
$ man unlang
Alan DeKok.
On May 4, 2012, at 10:14 AM, Alan DeKok wrote:
> jeff donovan wrote:
>> I'm new to radius but have been reading.
>
> That's always positive.
>
>> How can I search an alternate LDAP server for user credentials?
>> If the first LDAP search fails try the next server in line.
>
> Do you mean
jeff donovan wrote:
> I'm new to radius but have been reading.
That's always positive.
> How can I search an alternate LDAP server for user credentials?
> If the first LDAP search fails try the next server in line.
Do you mean "fail" or "notfound"? They're different...
> I found some do
Hi Jeff,
On 04.05.2012 14:30, jeff donovan wrote:
How can I search an alternate LDAP server for user credentials? If
the first LDAP search fails try the next server in line.
Just mention only this ldap server in authenticate section:
authenticate {
Auth-Type LDAP {
ldap1 # the ldap
Greetings
I'm new to radius but have been reading.
I have a freeradius server running on ubuntu 11, my users file is an ldap
server which works great. My question is,
How can I search an alternate LDAP server for user credentials?
If the first LDAP search fails try the next server in line.
s.org] *On Behalf Of *Bob Brandt
> *Sent:* Tuesday, March 23, 2010 2:23 PM
> *To:* FreeRadius users mailing list
> *Subject:* Re: configuring multiple ldap servers
>
> How about you use something like:
>
> authorize {
>redundant {
>redundant-load-balanc
23, 2010 2:23 PM
To: FreeRadius users mailing list
Subject: Re: configuring multiple ldap servers
How about you use something like:
authorize {
redundant {
redundant-load-balance
are not available.
Bob
On Tue, Mar 23, 2010 at 6:53 AM, V Jyothi-B22245 wrote:
>
> Hi,
>
> I want to understand in freeradius with rlm_ldap,
> Is it possible to configure multiple LDAP servers in Freeradius and the
> freeradius uses different LDAP server for different r
Hi,
I want to understand in freeradius with rlm_ldap,
Is it possible to configure multiple LDAP servers in Freeradius and the
freeradius uses different LDAP server for different requests.
Is it possible to add some kind of id in radius requests, so that
freeradius makes use of that ID to
>> ...
>>>rad_check_password: Found Auth-Type LDAP
>>> auth: type "LDAP"
>>
>> Remove that from users file. Let pap module do the authentication. Ldap
>> should return the password to radius via ldap.attrmap.
>
> I still need this in the users file though. Without it, I get rejections.
> It s
Quoting "Ivan Kalik" :
Ok. You can remove redundant (module is not failing, so no failover
needed). Just list the two modules one below the other.
Removing the redundant lines, seems to make this work!
...
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
Remove that from us
> Quoting "Ivan Kalik" :
>
>> So what does first ldap section return when user is missing - fail or
>> reject (I see you have access attribute configured there)? If it's
>> reject
>> you need unlang (ie 2.x).
>>
>
> Here is my output of radtest with a user on the second LDAP server.
> This server
AJ wrote:
> I would appreciate some pointers because I am just not getting it.
>
> redundant {
>
> rhds_ldap
> notfound = 1
> ok = return
You need brackets around everything:
redundant {
rhds_ldap {
Quoting "Ivan Kalik" :
So what does first ldap section return when user is missing - fail or
reject (I see you have access attribute configured there)? If it's reject
you need unlang (ie 2.x).
Here is my output of radtest with a user on the second LDAP server.
This server never gets quier
>> Redundant should work in 1.1.7. But in 2.x you can use unlang for even
>> more flexibility. Not to mention all the bug and security fixes and
>> enhancements in years since 1.1.7. If you are upgrading go for the
>> latest
>> version.
>
> I have upgraded to 1.1.7, and I still have the same behavi
AJ wrote:
> I know this has been discussed before on the list and there is
> documentation for this, but I have literally spent days on this and I
> cannot get the result that I am looking for. I am hoping someone can
> share a configuration with me that works. Basically, I am looking to
> have
Quoting "Ivan Kalik" :
Redundant should work in 1.1.7. But in 2.x you can use unlang for even
more flexibility. Not to mention all the bug and security fixes and
enhancements in years since 1.1.7. If you are upgrading go for the latest
version.
I have upgraded to 1.1.7, and I still have the s
>> Upgrade. Then create redundant section for ldap servers in authorize.
>>
>
> Would I be able to go to latest 1.1.x release to get this working or
> do I need to go to 2.x?
Redundant should work in 1.1.7. But in 2.x you can use unlang for even
more flexibility. Not to mention all the bug and sec
Quoting "Ivan Kalik" :
Upgrade. Then create redundant section for ldap servers in authorize.
Would I be able to go to latest 1.1.x release to get this working or
do I need to go to 2.x?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> I know this has been discussed before on the list and there is
> documentation for this, but I have literally spent days on this and I
> cannot get the result that I am looking for. I am hoping someone can
> share a configuration with me that works. Basically, I am looking to
> have radius au
Hi,
I know this has been discussed before on the list and there is
documentation for this, but I have literally spent days on this and I
cannot get the result that I am looking for. I am hoping someone can
share a configuration with me that works. Basically, I am looking to
have radius
Hello Ivan and Alan
Thanks a lot for tolerating my pestering. It has worked. The problem
was with the PAP module. The auto header detection was turned off. It
works perfectly now.
Thanks
Sambuddho
On Mon, 2008-07-07 at 10:08 +0100, Ivan Kalik wrote:
> > Does that mean that I cannot authenticate a
Hello Ivan
The passwords in the ldap database have the '{crypt}' header. What I meant
by cleartext passwords is that I am typing in the password in clear text
in the radtest program.
Thanks
Sambuddho
On Mon, 2008-07-07 at 10:08 +0100, Ivan Kalik wrote:
> > Does that mean that I cannot authenticate ag
> Does that mean that I cannot authenticate against a LDAP server from a
>freeradius server using cleartext passwords.
But you are not using cleartext passwords. Passwords in ldap are
encrypted.
>So the freeradius client
>needs to send the password in encrypted format. But other programs which
>
Hi,
> I went through the documentation on the website and in the doc/
> directory in the source distribution. I read through the
> ldap_howto.txt. Is that the example you refer to? (That's the only one I
> found with the source distribution). It had many components that I don't
> require. I scrol
Hello Alan
I went through the documentation on the website and in the doc/
directory in the source distribution. I read through the
ldap_howto.txt. Is that the example you refer to? (That's the only one I
found with the source distribution). It had many components that I don't
require. I scrolled
Sambuddho Chakravarty wrote:
> My intent is not to pester you with my queries but the problem is still
> what it was initially. I'll once again tell you the configuration that I
> am using.
The difficulty I'm having is being *able* to help you. At this point
it's clear that the documentation is
Hello Alan and Ivan
My intent is not to pester you with my queries but the problem is still
what it was initially. I'll once again tell you the configuration that I
am using.
radiusd.conf---
/* Most of the stuff is untouched.
*/
/* Added
Sambuddho Chakravarty wrote:
> Does that mean that I cannot authenticate against a LDAP server from a
> freeradius server using cleartext passwords.
No. That is not what he said.
> So the freeradius client
> needs to send the password in encrypted format.
No. That is not what he said.
>
Interestingly the bind as the root DN works with password supplied in
clear-text through the ldap {} module...
Thanks
Sambuddho
On Sat, 2008-07-05 at 18:03 -0400, Sambuddho Chakravarty wrote:
> Hello Ivan
> Does that mean that I cannot authenticate against a LDAP server from a
> freeradius server
Hello Ivan
Does that mean that I cannot authenticate against a LDAP server from a
freeradius server using cleartext passwords. So the freeradius client
needs to send the password in encrypted format. But other programs which
using LDAP server to authenticate (eg. the pam_ldap ) takes as input the
> Problem still persists. What do you mean by the {crypt} header.
From RFC2256:
5.36. userPassword
( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
Passwords are stored using an Octet String syntax and are not
encrypted.
Sinc
Hello Ivan
Problem still persists. What do you mean by the {crypt} header. These
are simple /etc/passwd file converted into a ldif database using LDAP
Migration Scripts from padl.com
This is what the logs look like
(supplied clear
>> >ldap ldap1{
>> >
>> >
>> > identity = (root DN)
>> > password = (password for the root DN)
>> >
>> > password_header="{crypt}"
>> > password_attribute=Crypt-Password
>
>Yes changed this to password_radius_attribute=Crypt-Password
>
>However , if I change the password_attribute=userPassw
Hello Ivan
Problem still the same
I changed :-
On Thu, 2008-07-03 at 22:20 +0100, Ivan Kalik wrote:
> >
> >Added to ldap.attrmap
> >---
> >checkItem Crypt-Password userPassword
> >
>
Removed this from ldap.attrmap
> Don't do that. userPassword i
>
>Added to ldap.attrmap
>---
>checkItem Crypt-Password userPassword
>
Don't do that. userPassword is already mapped in ldap module:
# password_attribute: Define the attribute which contains the user
# password.
# While integrating FreeRADIUS with No
> But I don't have a field in the database by that name .
No, you don't. I am talking about ldap section of radiusd.conf. You need
to set the appropriate radius password attribute.
http://wiki.freeradius.org/index.php/Rlm_ldap
>Also , my
>question on failover. Is the failover used when the first
Hello Ivan
But I don't have a field in the database by that name . The name of the
field is "userPassword" . This is what the openLDAP migration scripts
generated. Please let me know what mistake I am doing . Also , my
question on failover. Is the failover used when the first LDAP server is
down /
Password (radius) attribute should be Crypt-Password not User-Password.
Ivan Kalik
Kalik Informatika ISP
On 3/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> wrote:
>Hello
>
>I set the password_header to = {crypt} and password_attribute to
>"userPassword" (That's the name of the field in th
Hello ,
Maybe I didn't ask the correct question previously. Is it that failover
works only when the first LDAP server is not reachable ? In my case both
servers are reachable. I want to configure a case where if the login
fails in one of the servers , the other one is tried.
Thanks
Sambuddho
On W
Hello
I set the password_header to = {crypt} and password_attribute to
"userPassword" (That's the name of the field in the database). Now this
is what the logs show,
rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter
(uid=try)
rlm_ldap: Added User-Password = $1$n48a7wCp$RfvlOx
http://wiki.freeradius.org/index.php/Rlm_ldap
See use of password_header and password_attribute.
Ivan Kalik
Kalik Informatika ISP
On 2/7/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> wrote:
>Hello
> I think I know what the problem is. The radius server is looking up
>using cleartext passw
Hello
I think I know what the problem is. The radius server is looking up
using cleartext password , while the LDAP data base stores the hashed
passwords. How can I force the radius server to search for the password
as a hashed value (rather than searching for the clear-text value) ?
Thanks
Sa
Hello Alan
I made sure this time that rlm_ldap was compiled. Now the following is
the configuration
--/etc/raddb/modules/ldap---
ldap ldap1 {
server = "a.b.c.d"
...
}
ldap ldap2 {
server = "w.x.y.z"
...
}
-/etc/raddb/radiusd.conf
Sambuddho Chakravarty wrote:
> This is exactly what I did . I forgot to put the separate module names
The consistent problems you see make me think that the issue is more
than "forgot".
> And now when I try to start the server this is what the error I see :
>
>
> server {
> modules {
> Mod
Hello
This is exactly what I did . I forgot to put the separate module names
here in the email it like this
/etc/raddb/modules/ldap1
ldap ldap1{
...
}
/etc/raddb/modules/ldap2---
ldap ldap2{
dap . Why is this
>so. But authentication worked fine and the client received a
>ACCESS-ACCEPT message as reply.
>
>Thanks
>Sambuddho
>
>
>
>
>On Thu, 2008-06-19 at 13:50 -0400, Sambuddho Chakravarty wrote:
>> Do you mean something like this
>>
>> authorize {
>> redundant {
Sambuddho Chakravarty wrote:
> Hello
> But this never really worked. I did exactly this . The ldap1 and ldap2
> are files with the following
>
> /etc/raddb/modules/ldap1
>
> ldap {
...
> /etc/raddb/modules/ldap2---
2008-06-19 at 13:50 -0400, Sambuddho Chakravarty wrote:
> Do you mean something like this
>
> authorize {
>     redundant {
>         ldap1
>         ldap2
>     }
> }
>
> authenticate {
>     ldap1
>     ldap2
> }
>
> The reason I list th
Sambuddho Chakravarty wrote:
> Do you mean something like this
Yes.
Alan DeKok.
Do you mean something like this
authorize {
    redundant {
        ldap1
        ldap2
    }
}
authenticate {
    ldap1
    ldap2
}
The reason I list them here is to use them for authentication against
multiple LDAP servers whose configuration
Sambuddho Chakravarty wrote:
> Yes , but on a freeradius-2.05 , when I create a separate authenticate
> {} and authorize {} subsection and plug in the following :
>
> authorize {
>Autz-Type LDAP {
You don't need to use Autz-Type in 2.0.
> authenticate {
>Auth-Type LDAP{
>
Yes , but on a freeradius-2.05 , when I create a separate authenticate
{} and authorize {} subsection and plug in the following :
authorize {
    Autz-Type LDAP {
        redundant {
            ${confdir}/modules/ldap1
            ${confdir}/modules/ldap2
        }
    }
}
authenticate {
As in:
redundant {
    ldap1
    ldap2
}
On Jun 15, 2008, at 1:08 AM, Ivan Kalik wrote:
http://www.freeradius.org/radiusd/man/unlang.html
Ivan Kalik
Kalik Informatika ISP
On 15/6/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> wrote:
Hello All
Will creating multiple insta
http://www.freeradius.org/radiusd/man/unlang.html
Ivan Kalik
Kalik Informatika ISP
On 15/6/2008, "Sambuddho Chakravarty" <[EMAIL PROTECTED]> wrote:
>Hello All
> Will creating multiple instances of the /etc/raddb/modules/ldap1
>and /etc/raddb/modules/ldap2 each with different LDAP server addres
Hello All
Will creating multiple instances of the /etc/raddb/modules/ldap1
and /etc/raddb/modules/ldap2 each with different LDAP server addresses
and database information work for having a user authenticate against
either of the two LDAP servers. By that I mean that say our user 'try'
tries to aut
Jean Frontin wrote:
> After several hours of research I don't understand how to configure
> FreeRadius to use two ldap servers. With only one ldap server all is OK!
>
> I run FreeRadius 1.1.7 under Fedora core 8. Below I present you a
> radiusd.conf extract and a log of a session. In the log I put a
Hello,
After several hours of research I don't understand how to configure
FreeRadius to use two ldap servers. With only one ldap server all is OK!
I run FreeRadius 1.1.7 under Fedora core 8. Below I present you a
radiusd.conf extract and a log of a session. In the log I put a start at
the beg
On Wed, 18 May 2005, Matthew Hunter wrote:
How do I get freeradius to check both ldap servers for a user. I have
ldap configured already for redundancy but I want it to look at the
first ldap server and if the user is not found then check the second
ldap server.
Yes. See doc/configurable_failover
"Matthew Hunter" <[EMAIL PROTECTED]> wrote:
> How do I get freeradius to check both ldap servers for a user. I have
> ldap configured already for redundancy but I want it to look at the
> first ldap server and if the user is not found then check the second
> ldap server.
doc/configurable_failov
How do I get freeradius to check both ldap servers for a user. I have
ldap configured already for redundancy but I want it to look at the
first ldap server and if the user is not found then check the second
ldap server.
Matt Hunter
Network Analyst
Waukesha County Technical College
See doc/configurable_failover in the source tree.
--Mike
On Thu, 2004-09-16 at 08:23, Matthew Hunter wrote:
> I have Freeradius configured with Ldap which works but I would like to
> specify a secondary Ldap server in case the primary ldap goes down. How
> would I go about doing that? Thanks
>
I have Freeradius configured with Ldap which works but I would like to
specify a secondary Ldap server in case the primary ldap goes down. How
would I go about doing that? Thanks
Matt Hunter
Network Analyst
Waukesha County Technical College
74 matches