Having spent the whole last fortnight trying to configure the Freeradius module given here with LDAP Agent running on my eDir8.7.3.6 on Netware 5.1, using iManager 2.5, I am almost there but seemingly stuck with something vital. I have done everything as mentioned by the Novell Admin guide posted on this Forge project here: http://forge.novell.com/modules/xfmod/project/?edirfreeradius

My Freeradius is running on a SuSe Linux machine with iManager 2.5 installed for managing Radius users and Universal passwords. I can do an LDAP browse from there and connectivity is OK. Using a third Win2K for testing Radius connectivity. Had some problems configuring the TLS/SSL connection to the LDAP server so hashed (start_tls=no) in radiusd.conf. I don't mind secure or insecure connection between FreeRadius and LDAP Agent.

My main concern is here: (Excerpted from console log)

------------------------------------
rad_recv: Access-Request packet from host 194.170.15.100:1089, id=28, length=46
    User-Name = "test04"
    User-Password = "test04"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
    rlm_realm: No '@' in User-Name = "test04", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 4
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 4
    users: Matched entry DEFAULT at line 153
  modcall[authorize]: module "files" returns ok for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test04
radius_xlat: '(uid=test04)'
radius_xlat: 'o=euc'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=euc, with filter (uid=test04)
rlm_ldap: no dialupAccess attribute - access denied by default
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns userlock for request 4
modcall: group authorize returns userlock for request 4
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 28 to 194.170.15.100:1089
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 28 with timestamp 42aaceb3
Nothing to do. Sleeping until we see a request.
------------------------------------------------------
After hashing access_attribute = 'dialupAccess'
-------------------------------------------------------

So, when I restarted the Radius Server:

.....
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 194.170.15.100:1091, id=30, length=46
    User-Name = "test04"
    User-Password = "test04"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "test04", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 153
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test04
radius_xlat: '(uid=test04)'
radius_xlat: 'o=euc'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 194.170.15.158:389, authentication 0
rlm_ldap: setting TLS CACert File to /etc/raddb/cert/EUCCA.b64
rlm_ldap: setting TLS CACert File to /etc/rardb/cert/
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: bind as cn=admin,o=euc/college to 194.170.15.158:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=euc, with filter (uid=test04)
rlm_ldap: Error reading Universal Password.Return Code = 80
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user test04 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password: Found Auth-Type System
auth: type "System"
  ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
----------------------------------------

MY PROBLEM:

rlm_ldap: Error reading Universal Password.Return Code = 80

I hope it's not TLS related!!!

Consider this an SOS....Please Advise!!

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Fahim wrote:

> Having spent whole last fortnight trying to configure Freeradius
> module given here with LDAP Agent running on my eDir8.7.3.6 on Netware
> 5.1, using iManager 2.5, I am almost there but seemingly stuck with
> something vital. I have done everything as mentioned by Novell Admin
> guide posted on this Forge project here:
> http://forge.novell.com/modules/xfmod/project/?edirfreeradius
>
> My Freeradius is running on SuSe Linux Machine with iManager 2.5
> installed for managing Radius users and Universal passwords. I can do
> an LDAP browse from there and connectivity is OK. Using a third Win2K
> for testing Radius connectivity. Had some problems configuring TLS/SSL
> connection to LDAP server so hashed (start_tls=no) in radiusd.conf. I
> don't mind secure or insecure connection between FreeRadius and LDAP
> Agent.
>
> MY PROBLEM:
>
> rlm_ldap: Error reading Universal Password.Return Code = 80
>
> I hope it's not TLS related!!!

You should post your configuration from radiusd.conf. You could also check out

http://vuksan.com/linux/dot1x/802-1x-LDAP.html#Set_up_FreeRADIUS

It is a set up for OpenLDAP but hopefully it will have some similarities. You can even use LDAP bind to verify credentials. Just leave off identity and password from the ldap module.

Vladimir

In reply to this post by Faheem SIDDIQUI
Hi,
To be able to read Universal Password from eDirectory you will HAVE TO have a secure connection between FreeRADIUS and eDirectory. That will take care of the "rlm_ldap: Error reading Universal Password.Return Code = 80" problem. So you have to set up the TLS certificates properly in the ldap section of radiusd.conf.

Get back to me in case you need any further help.

-Sayantan

>>> [hidden email] 06/12/05 2:07 PM >>>

Having spent whole last fortnight trying to configure Freeradius module given here with LDAP Agent running on my eDir8.7.3.6 on Netware 5.1, using iManager 2.5, I am almost there but seemingly stuck with something vital. I have done everything as mentioned by Novell Admin guide posted on this Forge project here: http://forge.novell.com/modules/xfmod/project/?edirfreeradius

My Freeradius is running on SuSe Linux Machine with iManager 2.5 installed for managing Radius users and Universal passwords. I can do an LDAP browse from there and connectivity is OK. Using a third Win2K for testing Radius connectivity. Had some problems configuring TLS/SSL connection to LDAP server so hashed (start_tls=no) in radiusd.conf. I don't mind secure or insecure connection between FreeRadius and LDAP Agent.
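
The reply above ties the "Error reading Universal Password" failure to the unencrypted LDAP link. The following check is an added example, not part of the thread or of FreeRADIUS: it audits the ldap section of a radiusd.conf for that condition, treating commented-out ("hashed") lines as inactive. The sample configuration is constructed; `password_attribute`, `tls_cacertfile` and `tls_require_cert` are assumed rlm_ldap option names, and only StartTLS (not an ldaps port) is considered.

```python
import re

# Constructed sample: an ldap{} section resembling the poster's description,
# with start_tls commented out. Option names other than start_tls are assumptions.
WEAK_CONF = '''
ldap {
    server = "194.170.15.158"
    basedn = "o=euc"
    password_attribute = nspmPassword
    #start_tls = no
    tls_cacertfile = /etc/raddb/cert/EUCCA.b64
    tls_require_cert = "demand"
}
'''

# Same section with StartTLS actually enabled.
FIXED_CONF = WEAK_CONF.replace("#start_tls = no", "start_tls = yes")


def parse_ldap_section(conf_text):
    """Return the active key/value pairs of the first ldap { ... } block."""
    m = re.search(r'^\s*ldap\s*\{(.*?)^\s*\}', conf_text, re.S | re.M)
    if not m:
        return {}
    settings = {}
    for line in m.group(1).splitlines():
        line = line.split('#', 1)[0].strip()  # commented-out text is inactive
        if '=' in line:
            key, value = line.split('=', 1)
            settings[key.strip()] = value.strip().strip('"\'')
    return settings


def audit(conf_text):
    """List reasons the LDAP link would not protect a Universal Password read."""
    s = parse_ldap_section(conf_text)
    findings = []
    reads_up = s.get('password_attribute', '').lower() == 'nspmpassword'
    tls_on = s.get('start_tls', 'no').lower() == 'yes'
    if reads_up and not tls_on:
        findings.append('password_attribute=nspmPassword but start_tls is not "yes"')
    if tls_on and not s.get('tls_cacertfile'):
        findings.append('start_tls=yes but no tls_cacertfile to verify the server')
    if tls_on and s.get('tls_require_cert', '').lower() != 'demand':
        findings.append('tls_require_cert is not "demand"; server cert not enforced')
    return findings
```

Calling `audit(WEAK_CONF)` reports the missing StartTLS; `audit(FIXED_CONF)` returns an empty list.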