[Comm] Re: freeradius & openldap

max alt AT zlt.ru
Mon Apr 4 16:16:53 MSD 2005


In a message of 31 March 2005 19:09 Dmitry Lebkov wrote:
> max wrote:
> > I can't get freeradius & openldap to work together on Master 2.4
> >
> > Has anyone done this? Ideally I'd like to get a VPN with authorization via
> > ldap.
> >
> > freeradius is slightly updated.
>
> [unnecessary details snipped]
>
> > rlm_ldap: performing search in ou=Users dc=zlt,dc=ru, with filter
> > (&(objectClass=posixAccount)(uid=max1)) rlm_ldap: ldap_search() failed:
> > Invalid DN syntax
>
> Learn to read the debug output carefully. The problem is in the radius config,
> in the ldap section: a comma is missing from the DN
>
> > rlm_ldap: search failed
> > ldap_release_conn: Release Id: 0
> >   modcall[authorize]: module "ldap" returns fail for request 0
> > modcall: group authorize returns fail for request 0
>
> And as a result, authorization did not go through.
>
> [skip]
>
> > Here is part of the radius config:
> >         ldap {
> >                 server = "localhost"
> >                 identity = "cn=admin,dc=zlt,dc=ru"
> >                 password = secret
> >                 basedn = "ou=Users dc=zlt,dc=ru"
>
>                                      ^missing comma

That helped, it started working right away.

#radtest max1 123 localhost 2 testlocal
Sending Access-Request of id 13 to 127.0.0.1:1812
        User-Name = "max1"
        User-Password = "123"
        NAS-IP-Address = max
        NAS-Port = 2
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=13, length=99
        Framed-Compression = None
        Framed-MTU = 1400
        Framed-Routing = Broadcast-Listen
        Framed-Route = "192.168.1.0/24 192.168.200.204/32 1"
        Framed-IP-Netmask = 255.255.255.255
        Framed-IP-Address = 192.168.10.100
        Framed-Protocol = PPP
        Service-Type = Framed-User

# radiusd -X
rad_recv: Access-Request packet from host 127.0.0.1:32936, id=13, length=56
        User-Name = "max1"
        User-Password = "123"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 2
modcall: entering group authorize for request 16
  modcall[authorize]: module "preprocess" returns ok for request 16
rlm_ldap: - authorize
rlm_ldap: performing user authorization for max1
radius_xlat:  '(&(objectClass=posixAccount)(uid=max1))'
radius_xlat:  'ou=Users, dc=zlt,dc=ru'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users, dc=zlt,dc=ru, with filter 
(&(objectClass=posixAccount)(uid=max1))
rlm_ldap: checking if remote access for max1 is allowed by dialupAccess
rlm_ldap: Added password 123 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value None & 
op=11
rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1400 & op=11
rlm_ldap: Adding radiusFramedRouting as Framed-Routing, value Broadcast-Listen 
& op=11
rlm_ldap: Adding radiusFramedRoute as Framed-Route, value 192.168.1.0/24 
192.168.200.204/32 1 & op=11
rlm_ldap: Adding radiusFramedIPNetmask as Framed-IP-Netmask, value 
255.255.255.255 & op=11
rlm_ldap: Adding radiusFramedIPAddress as Framed-IP-Address, value 
192.168.10.100 & op=11
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP & op=11
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & op=11
rlm_ldap: user max1 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 16
modcall: group authorize returns ok for request 16
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group authtype for request 16
rlm_ldap: - authenticate
rlm_ldap: login attempt by "max1" with password "123"
rlm_ldap: user DN: uid=max1,ou=Users,dc=zlt,dc=ru
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=max1,ou=Users,dc=zlt,dc=ru/123 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: user max1 authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 16
modcall: group authtype returns ok for request 16
Login OK: [max1] (from client localhost port 2)
Sending Access-Accept of id 13 to 127.0.0.1:32936
        Framed-Compression = None
        Framed-MTU = 1400
        Framed-Routing = Broadcast-Listen
        Framed-Route = "192.168.1.0/24 192.168.200.204/32 1"
        Framed-IP-Netmask = 255.255.255.255
        Framed-IP-Address = 192.168.10.100
        Framed-Protocol = PPP
        Service-Type = Framed-User
Finished request 16
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 16 ID 13 with timestamp 4251220c
Nothing to do.  Sleeping until we see a request.

In short, radtest works.

But I can't connect to pptpd. Wrong login/password :(

Here is what's in the logs:

Apr  4 17:51:33 max pptpd[23341]: CTRL: Client 192.168.11.62 control 
connection started
Apr  4 17:51:33 max pptpd[23341]: CTRL: Starting call (launching pppd, opening 
GRE)
Apr  4 17:51:33 max pppd[23342]: Plugin radius.so loaded.
Apr  4 17:51:33 max pppd[23342]: RADIUS plugin initialized.
Apr  4 17:51:33 max pppd[23342]: pppd 2.4.2 started by root, uid 0
Apr  4 17:51:33 max pptpd[23341]: GRE: Discarding duplicate packet
Apr  4 17:51:33 max pppd[23342]: Using interface ppp1
Apr  4 17:51:33 max pppd[23342]: Connect: ppp1 <--> /dev/pts/8
Apr  4 17:51:33 max pptpd[23341]: GRE: Bad checksum from pppd.
Apr  4 17:51:35 max pptpd[23341]: CTRL: Ignored a SET LINK INFO packet with 
real ACCMs!
Apr  4 17:51:36 max pptp[22751]: anon log[ctrlp_rep:pptp_ctrl.c:243]: Sent 
control packet type is 5 'Echo-Request'
Apr  4 17:51:36 max pptp[22751]: anon log[logecho:pptp_ctrl.c:659]: Echo Reply 
received.
Apr  4 17:51:36 max pptp[22751]: anon log[logecho:pptp_ctrl.c:661]: no more 
Echo Reply/Request packets will be reported.
Apr  4 17:51:37 max pppd[23342]: Peer max1 failed CHAP authentication
Apr  4 17:51:37 max pppd[23342]: Connection terminated.
Apr  4 17:51:37 max pppd[23342]: Exit.


At the same time, # radiusd -X

rad_recv: Access-Request packet from host 127.0.0.1:32996, id=221, length=132
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "max1"
        MS-CHAP-Challenge = 0xfd0cf587b3d545c1888e02d8fe9527a6
        MS-CHAP2-Response = 
0x1e0013afdccec8c685742c81fdcd87c34fa10000000000000000740fd7751f825f095cb8e04f062026ef56f0a0256665feab
        NAS-IP-Address = 192.168.11.15
        NAS-Port = 1
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for max1
radius_xlat:  '(&(objectClass=posixAccount)(uid=max1))'
radius_xlat:  'ou=Users, dc=zlt,dc=ru'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users, dc=zlt,dc=ru, with filter 
(&(objectClass=posixAccount)(uid=max1))
rlm_ldap: checking if remote access for max1 is allowed by dialupAccess
rlm_ldap: Added password 123 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value None & 
op=11
rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1400 & op=11
rlm_ldap: Adding radiusFramedRouting as Framed-Routing, value Broadcast-Listen 
& op=11
rlm_ldap: Adding radiusFramedRoute as Framed-Route, value 192.168.1.0/24 
192.168.200.204/32 1 & op=11
rlm_ldap: Adding radiusFramedIPNetmask as Framed-IP-Netmask, value 
255.255.255.255 & op=11
rlm_ldap: Adding radiusFramedIPAddress as Framed-IP-Address, value 
192.168.10.100 & op=11
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP & op=11
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & op=11
rlm_ldap: user max1 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 3
modcall: group authorize returns ok for request 3
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group authtype for request 3
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "ldap" returns invalid for request 3
modcall: group authtype returns invalid for request 3
auth: Failed to validate the user.
Login incorrect: [max1/<no User-Password attribute>] (from client localhost 
port 1)
Delaying request 3 for 1 seconds
Finished request 3


Where did User-Password go?
The password was there at the beginning of the radiusd -X output, but at the end it isn't....

-- 
MaX
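The two transcripts above differ in one attribute: radtest sends a cleartext User-Password (PAP), while pppd's radius plugin sends an MS-CHAP-Challenge / MS-CHAP2-Response pair and no password at all. Auth-Type LDAP means rlm_ldap authenticates by binding to the directory as the user, which needs the cleartext password, so the second request cannot succeed by construction. The script below is an added example, not code from this thread or from FreeRADIUS: it parses a `radiusd -X` transcript, records which credential attribute each Access-Request carries and which Auth-Type the server selected, and reports the mismatch. The attribute and Auth-Type tables and the line-parsing heuristics are this example's own assumptions; the sample transcripts are shortened excerpts of the two debug dumps quoted in the post.

```python
"""Check whether the credential a NAS put in an Access-Request matches what the
Auth-Type FreeRADIUS selected can actually verify (added example; the tables
and parsing rules below are assumptions, not FreeRADIUS internals)."""
import re

# Credential attributes a NAS may send and the authentication protocol each implies.
CREDENTIAL_ATTRS = {
    "User-Password": "PAP",
    "CHAP-Password": "CHAP",
    "MS-CHAP-Response": "MS-CHAPv1",
    "MS-CHAP2-Response": "MS-CHAPv2",
    "EAP-Message": "EAP",
}

# Credential each Auth-Type can consume (assumed table). rlm_ldap authenticates by
# binding to the directory as the user, so it needs the cleartext User-Password;
# a challenge/response exchange never carries that.
AUTH_TYPE_NEEDS = {
    "LDAP": {"User-Password"},
    "PAP": {"User-Password"},
    "CHAP": {"CHAP-Password"},
    "MS-CHAP": {"MS-CHAP-Response", "MS-CHAP2-Response"},
}

RECV_RE = re.compile(r"^rad_recv: Access-Request packet from host (\S+), id=(\d+)")
ATTR_RE = re.compile(r"^\s+([A-Za-z0-9-]+)\s*=\s*(.*)$")
AUTH_TYPE_RE = re.compile(r"Found Auth-Type (\S+)")
RESULT_RE = re.compile(r"^Login (OK|incorrect)")


def parse_debug(text):
    """Split a radiusd -X transcript into requests: id, request attributes,
    the Auth-Type chosen by rad_check_password, and the Login OK/incorrect result."""
    requests, current, in_header = [], None, False
    for line in text.splitlines():
        m = RECV_RE.match(line)
        if m:
            current = {"id": int(m.group(2)), "attrs": {}, "auth_type": None, "result": None}
            requests.append(current)
            in_header = True
            continue
        if current is None:
            continue
        if in_header:
            a = ATTR_RE.match(line)
            if a:
                current["attrs"][a.group(1)] = a.group(2).strip()
                continue
            # A long hex value (the MS-CHAP2-Response) wraps onto its own line.
            if line.strip().startswith("0x") and current["attrs"]:
                last = list(current["attrs"])[-1]
                current["attrs"][last] += line.strip()
                continue
            in_header = False  # first non-attribute line ends the packet dump
        m = AUTH_TYPE_RE.search(line)
        if m:
            current["auth_type"] = m.group(1)
            continue
        m = RESULT_RE.match(line)
        if m:
            current["result"] = m.group(1)
    return requests


def credential_protocols(request):
    """Protocol names implied by the credential attributes present in the request."""
    return sorted(CREDENTIAL_ATTRS[a] for a in request["attrs"] if a in CREDENTIAL_ATTRS)


def diagnose(request):
    """Return (ok, message): can the selected Auth-Type verify what the NAS sent?"""
    present = {a for a in request["attrs"] if a in CREDENTIAL_ATTRS}
    auth_type, rid = request["auth_type"], request["id"]
    needed = AUTH_TYPE_NEEDS.get(auth_type)
    if needed is None:
        return False, f"request {rid}: no rule for Auth-Type {auth_type!r}; credentials {sorted(present)}"
    usable = present & needed
    if usable:
        return True, f"request {rid}: Auth-Type {auth_type} can verify {sorted(usable)}"
    return False, (f"request {rid}: Auth-Type {auth_type} needs one of {sorted(needed)} "
                   f"but the NAS sent {sorted(present)} ({', '.join(credential_protocols(request))})")


# Shortened excerpts of the two transcripts quoted in the post.
RADTEST_DEBUG = """\
rad_recv: Access-Request packet from host 127.0.0.1:32936, id=13, length=56
        User-Name = "max1"
        User-Password = "123"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 2
  rad_check_password:  Found Auth-Type LDAP
rlm_ldap: bind as uid=max1,ou=Users,dc=zlt,dc=ru/123 to localhost:389
Login OK: [max1] (from client localhost port 2)
Sending Access-Accept of id 13 to 127.0.0.1:32936
        Framed-IP-Address = 192.168.10.100
"""

PPTPD_DEBUG = """\
rad_recv: Access-Request packet from host 127.0.0.1:32996, id=221, length=132
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "max1"
        MS-CHAP-Challenge = 0xfd0cf587b3d545c1888e02d8fe9527a6
        MS-CHAP2-Response =
0x1e0013afdccec8c685742c81fdcd87c34fa10000000000000000740fd7751f825f095cb8e04f062026ef56f0a0256665feab
        NAS-IP-Address = 192.168.11.15
        NAS-Port = 1
  rad_check_password:  Found Auth-Type LDAP
rlm_ldap: Attribute "User-Password" is required for authentication.
Login incorrect: [max1/<no User-Password attribute>] (from client localhost port 1)
"""

if __name__ == "__main__":
    for transcript in (RADTEST_DEBUG, PPTPD_DEBUG):
        for req in parse_debug(transcript):
            print(diagnose(req)[1], "->", req["result"])
```

Run stand-alone, the radtest request is reported as verifiable (PAP password, Auth-Type LDAP) and the pptpd request as a mismatch (MS-CHAPv2 response, Auth-Type LDAP needs User-Password). Note that the authorize stage still looks healthy in the second transcript: rlm_ldap finds the user and adds all the Framed-* reply items, and only the authenticate stage fails. One more thing the transcripts show is that `radiusd -X` prints the cleartext password (the "Added password 123 in check items" and "bind as .../123" lines), so debug output of this kind should be treated as a credential and scrubbed before it is shared.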


