eDirectory backend with FreeRadius


eDirectory backend with FreeRadius

Faheem SIDDIQUI
Having spent the whole of the last fortnight trying to configure the Freeradius module
given here with LDAP Agent running on my eDir8.7.3.6 on Netware 5.1,
using iManager 2.5, I am almost there but seemingly stuck with something
vital. I have done everything as mentioned by the Novell Admin guide posted
on this Forge project here:
http://forge.novell.com/modules/xfmod/project/?edirfreeradius

My Freeradius is running on a SuSe Linux machine with iManager 2.5
installed for managing Radius users and Universal passwords. I can do an
LDAP browse from there and connectivity is OK. Using a third Win2K for
testing Radius connectivity. Had some problems configuring the TLS/SSL
connection to the LDAP server so hashed (start_tls=no) in radiusd.conf. I
don't mind a secure or insecure connection between FreeRadius and LDAP Agent.

My main concern is here (excerpted from the console log):
------------------------------------
rad_recv: Access-Request packet from host 194.170.15.100:1089, id=28, length=46
User-Name = "test04"
User-Password = "test04"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "chap" returns noop for request 4
modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: No '@' in User-Name = "test04", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 4
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 4
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test04
radius_xlat: '(uid=test04)'
radius_xlat: 'o=euc'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=euc, with filter (uid=test04)
rlm_ldap: no dialupAccess attribute - access denied by default
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns userlock for request 4
modcall: group authorize returns userlock for request 4
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 28 to 194.170.15.100:1089
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 28 with timestamp 42aaceb3
Nothing to do. Sleeping until we see a request.
------------------------------------------------------
After hashing access_attribute = 'dialupAccess'
-------------------------------------------------------


So, when I restarted the Radius Server:
.....
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 194.170.15.100:1091, id=30, length=46
User-Name = "test04"
User-Password = "test04"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "test04", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test04
radius_xlat: '(uid=test04)'
radius_xlat: 'o=euc'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 194.170.15.158:389, authentication 0
rlm_ldap: setting TLS CACert File to /etc/raddb/cert/EUCCA.b64
rlm_ldap: setting TLS CACert File to /etc/rardb/cert/
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: bind as cn=admin,o=euc/college to 194.170.15.158:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=euc, with filter (uid=test04)
rlm_ldap: Error reading Universal Password.Return Code = 80
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user test04 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type System
auth: type "System"
ERROR: Unknown value specified for Auth-Type.
Cannot perform requested action.
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
----------------------------------------


MY PROBLEM:

rlm_ldap: Error reading Universal Password.Return Code = 80

I hope it's not TLS related!!!

Consider this an SOS....Please Advise!!

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: eDirectory backend with FreeRadius

Vladimir Vuksan
Fahim wrote:

> Having spent the whole of the last fortnight trying to configure the Freeradius
> module given here with LDAP Agent running on my eDir8.7.3.6 on Netware
> 5.1, using iManager 2.5, I am almost there but seemingly stuck with
> something vital. I have done everything as mentioned by the Novell Admin
> guide posted on this Forge project here:
> http://forge.novell.com/modules/xfmod/project/?edirfreeradius
>
> My Freeradius is running on a SuSe Linux machine with iManager 2.5
> installed for managing Radius users and Universal passwords. I can do
> an LDAP browse from there and connectivity is OK. Using a third Win2K
> for testing Radius connectivity. Had some problems configuring the TLS/SSL
> connection to the LDAP server so hashed (start_tls=no) in radiusd.conf. I
> don't mind a secure or insecure connection between FreeRadius and LDAP
> Agent.
>
> MY PROBLEM:
>
> rlm_ldap: Error reading Universal Password.Return Code = 80
>
> I hope it's not TLS related!!!

You should post your configuration from radiusd.conf. You could also
check out

http://vuksan.com/linux/dot1x/802-1x-LDAP.html#Set_up_FreeRADIUS

It is a setup for OpenLDAP but hopefully it will have some
similarities. You can even use LDAP bind to verify credentials. Just
leave off identity and password from the ldap module.

Vladimir

Re: eDirectory backend with FreeRadius

Sayantan Bhowmick
In reply to this post by Faheem SIDDIQUI
Hi,
    To be able to read Universal Password from eDirectory you will HAVE
TO have a secure connection between FreeRADIUS and eDirectory.
    That will take care of the
"rlm_ldap: Error reading Universal Password.Return Code = 80"
problem. So you have to set up the TLS certificates properly in the
ldap section of radiusd.conf.
    Get back to me in case you need any further help.

-Sayantan

>>> [hidden email] 06/12/05 2:07 PM >>>
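As an added example (not any poster's real configuration), here are hypothetical radiusd.conf fragments contrasting the ldap section the second debug log implies with one that negotiates TLS as Sayantan describes, plus the bind-based authenticate section Vladimir mentions. The server address, base DN, bind DN and certificate paths are copied from the debug output above; the password and the directive layout are assumed FreeRADIUS 1.x rlm_ldap syntax.

```conf
# Added example, not any poster's real radiusd.conf.  Assumes FreeRADIUS 1.x
# rlm_ldap directive names; server, base DN, bind DN and certificate paths are
# copied from the debug output above, the password and all else are made up.

# BEFORE: what the second debug log implies.  The CA file and "demand" are
# configured, but start_tls = no, so the bind to port 389 and the Universal
# Password read go over a cleartext connection and the read fails (code 80).
# Note the CA directory spelled "rardb" while the CA file lives under "raddb".
ldap {
        server = "194.170.15.158"
        port = 389
        identity = "cn=admin,o=euc/college"
        password = "CHANGE-ME"
        basedn = "o=euc"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        tls_cacertfile = /etc/raddb/cert/EUCCA.b64
        tls_cacertdir = /etc/rardb/cert/
        tls_require_cert = "demand"
        # access_attr = "dialupAccess"   # hashed out, as in the second run
}

# AFTER: StartTLS is negotiated on port 389 before the bind, the server
# certificate must chain to the CA in EUCCA.b64, and the directory path agrees.
ldap {
        server = "194.170.15.158"
        port = 389
        identity = "cn=admin,o=euc/college"
        password = "CHANGE-ME"
        basedn = "o=euc"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = yes
        tls_cacertfile = /etc/raddb/cert/EUCCA.b64
        tls_cacertdir = /etc/raddb/cert/
        tls_require_cert = "demand"
        # access_attr = "dialupAccess"   # re-enable once test04 carries it
}

# Alternative from Vladimir's reply: omit identity and password so rlm_ldap
# searches anonymously and checks the user's password by binding as that user.
# The users entry that currently yields "Auth-Type System" (rejected as unknown
# in the log) would have to select Auth-Type LDAP for this section to run.
authenticate {
        Auth-Type LDAP {
                ldap
        }
}
```

With start_tls = yes, a successful run prints a TLS negotiation step between the "(re)connect" and "bind as" lines, which is the quickest way to confirm the change took effect.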