From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <alt@zlt.ru>
From: max <alt@zlt.ru>
To: community@altlinux.ru
Date: Thu, 31 Mar 2005 19:04:01 +0600
User-Agent: KMail/1.6.2
MIME-Version: 1.0
Content-Disposition: inline
Content-Type: text/plain;
  charset="windows-1251"
Content-Transfer-Encoding: quoted-printable
Message-Id: <200503311904.01561.alt@zlt.ru>
Subject: [Comm] freeradius & openldap
X-BeenThere: community@altlinux.ru
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: community@altlinux.ru
List-Id: Mailing list for ALT Linux users <community.altlinux.ru>
List-Unsubscribe: <https://lists.altlinux.ru/mailman/listinfo/community>,
	<mailto:community-request@altlinux.ru?subject=unsubscribe>
List-Archive: <http://lists.altlinux.ru/pipermail/community>
List-Post: <mailto:community@altlinux.ru>
List-Help: <mailto:community-request@altlinux.ru?subject=help>
List-Subscribe: <https://lists.altlinux.ru/mailman/listinfo/community>,
	<mailto:community-request@altlinux.ru?subject=subscribe>
X-List-Received-Date: Thu, 31 Mar 2005 12:55:20 -0000
Archived-At: <http://lore.altlinux.org/community/200503311904.01561.alt@zlt.ru/>
List-Archive: <http://lore.altlinux.org/community/>
List-Post: <mailto:mandrake-russian@linuxteam.iplabs.ru>

=CD=E5 =EC=EE=E3=F3 =EF=EE=E4=F0=F3=E6=E8=F2=FC freeradius & openldap =ED=
=E0 =CC=E0=F1=F2=E5=F0 2.4

=CA=F2=EE-=ED=E8=E1=F3=E4=FC =E4=E5=EB=E0=EB =F2=E0=EA=EE=E5? =C2 =E8=E4=E5=
=E0=EB=E5 =F5=EE=F2=E5=EB =EF=EE=EB=F3=F7=E8=F2=FC vpn =F1 =E0=E2=F2=EE=F0=
=E8=E7=E0=F6=E8=E5=E9 =F7=E5=F0=E5=E7 ldap.

freeradius =ED=E5=EC=ED=EE=E3=EE =EE=E1=ED=EE=E2=EB=B8=ED.

# rpm -qa|grep freerad
freeradius-0.9.3-alt4.1
freeradius-python-0.9.3-alt4.1
freeradius-ldap-0.9.3-alt4.1
freeradius-mysql-0.9.3-alt4.1
freeradius-sqlcounter-0.9.3-alt4.1
freeradius-perl-0.9.3-alt4.1
freeradius-pgsql-0.9.3-alt4.1

# rpm -qa|grep openldap
openldap-clients-2.1.30-alt3
openldap-2.1.30-alt3
openldap-servers-2.1.30-alt3


=C5=F1=F2=FC =EF=EE=EB=FC=E7=EE=E2=E0=F2=E5=EB=FC =E2 openldap:

#ldapsearch -x -D "cn=3Dadmin,dc=3Dzlt,dc=3Dru" -w secret uid=3Dmax1
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: uid=3Dmax1
# requesting: ALL
#

# max1, Users, zlt.ru
dn: uid=3Dmax1,ou=3DUsers,dc=3Dzlt,dc=3Dru
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: qmailUser
objectClass: posixAccount
sn: max
cn: max1
userPassword:: MTIz
displayName: max
givenName: max
initials: M
mail: max1@zlt.ru
o: MT
uid: max1
mailMessageStore: max1/Maildir/
accountStatus: active
homeDirectory: /home/max1
uidNumber: 1025
gidNumber: 1025


# radtest max1 123 127.0.0.1 2 testlocal
Sending Access-Request of id 79 to 127.0.0.1:1812
        User-Name =3D "max1"
        User-Password =3D "123"
        NAS-IP-Address =3D max
        NAS-Port =3D 2
Re-sending Access-Request of id 79 to 127.0.0.1:1812
        User-Name =3D "max1"
        User-Password =3D "\t\330#\007\\\016\202\250L\266\223\226M\315\362\=
237"
        NAS-IP-Address =3D max
        NAS-Port =3D 2
=CD=E0=F7=E8=ED=E0=FF =F1=EE =F1=F2=F0=EE=F7=EA=E8 Re-sending... =EF=EE=E2=
=F2=EE=F0=FF=E5=F2=F1=FF =EF=EE=EA=E0 =ED=E5 =EE=F1=F2=E0=ED=EE=E2=E8=F8=FC

=C0 =E2 =FD=F2=EE =E2=F0=E5=EC =E2 =E4=F0=F3=E3=EE=E9 =EA=EE=ED=F1=EE=EB=E8:
# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix =3D "/usr"
 main: localstatedir =3D "/var"
 main: logdir =3D "/var/log/freeradius"
 main: libdir =3D "/usr/lib/freeradius"
 main: radacctdir =3D "/var/log/freeradius/radacct"
 main: hostname_lookups =3D no
 main: max_request_time =3D 30
 main: cleanup_delay =3D 5
 main: max_requests =3D 5120
 main: delete_blocked_requests =3D 0
 main: port =3D 0
 main: allow_core_dumps =3D no
 main: log_stripped_names =3D no
 main: log_file =3D "/var/log/freeradius/radius.log"
 main: log_auth =3D yes
 main: log_auth_badpass =3D yes
 main: log_auth_goodpass =3D no
 main: pidfile =3D "/var/run/radiusd/radiusd.pid"
 main: bind_address =3D localhost IP address [127.0.0.1]
 main: user =3D "radius"
 main: group =3D "radius"
 main: usercollide =3D no
 main: lower_user =3D "no"
 main: lower_pass =3D "no"
 main: nospace_user =3D "no"
 main: nospace_pass =3D "no"
 main: checkrad =3D "/usr/sbin/checkrad"
 main: proxy_requests =3D yes
 security: max_attributes =3D 200
 security: reject_delay =3D 1
 security: status_server =3D no
 main: debug_level =3D 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe =3D yes
 mschap: require_encryption =3D no
 mschap: require_strong =3D no
 mschap: passwd =3D "(null)"
 mschap: authtype =3D "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded preprocess
 preprocess: huntgroups =3D "/etc/raddb/huntgroups"
 preprocess: hints =3D "/etc/raddb/hints"
 preprocess: with_ascend_hack =3D no
 preprocess: ascend_channels_per_line =3D 23
 preprocess: with_ntdomain_hack =3D no
 preprocess: with_specialix_jetstream_hack =3D no
 preprocess: with_cisco_vsa_hack =3D no
Module: Instantiated preprocess (preprocess)
Module: Loaded LDAP
 ldap: server =3D "localhost"
 ldap: port =3D 389
 ldap: net_timeout =3D 1
 ldap: timeout =3D 4
 ldap: timelimit =3D 3
 ldap: identity =3D "cn=3Dadmin,dc=3Dzlt,dc=3Dru"
 ldap: start_tls =3D no
 ldap: password =3D "secret"
 ldap: basedn =3D "ou=3DUsers dc=3Dzlt,dc=3Dru"
 ldap: filter =3D "(&(objectClass=3DposixAccount)(uid=3D%u))"
 ldap: default_profile =3D "(null)"
 ldap: profile_attribute =3D "(null)"
 ldap: password_header =3D "(null)"
 ldap: password_attribute =3D "userPassword"
 ldap: access_attr =3D "dialupAccess"
 ldap: groupname_attribute =3D "cn"
 ldap: groupmembership_filter =3D "(|(&(objectClass=3DGroupOfNames)
(member=3D%{Ldap-UserDn}))(&(objectClass=3DGroupOfUniqueNames)
(uniquemember=3D%{Ldap-UserDn})))"
 ldap: groupmembership_attribute =3D "(null)"
 ldap: dictionary_mapping =3D "/etc/raddb/ldap.attrmap"
 ldap: ldap_debug =3D 0
 ldap: ldap_connections_number =3D 5
 ldap: compare_check_items =3D no
 ldap: access_attr_used_for_allow =3D yes
conns: (nil)
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS=20
=46ramed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS=20
=46ramed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS=20
=46ramed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
conns: 0x8102b58
Module: Instantiated ldap (ldap)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key =3D "User-Name, Acct-Session-Id, NAS-IP-Address,=20
Client-IP-Address, NAS-Port-Id"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile =3D=20
"/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm =3D 384
 detail: dirperm =3D 493
 detail: locking =3D no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename =3D "/var/log/freeradius/radutmp"
 radutmp: username =3D "%{User-Name}"
 radutmp: case_sensitive =3D yes
 radutmp: check_with_nas =3D yes
 radutmp: perm =3D 384
 radutmp: callerid =3D yes
Module: Instantiated radutmp (radutmp)
Listening on IP address 127.0.0.1, ports 1812/udp and 1813/udp, with proxy =
on=20
1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32838, id=3D41, length=
=3D56
        User-Name =3D "max1"
        User-Password =3D "123"
        NAS-IP-Address =3D 255.255.255.255
        NAS-Port =3D 2
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for max1
radius_xlat:  '(&(objectClass=3DposixAccount)(uid=3Dmax1))'
radius_xlat:  'ou=3DUsers dc=3Dzlt,dc=3Dru'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=3Dadmin,dc=3Dzlt,dc=3Dru/secret to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=3DUsers dc=3Dzlt,dc=3Dru, with filter=20
(&(objectClass=3DposixAccount)(uid=3Dmax1))
rlm_ldap: ldap_search() failed: Invalid DN syntax
rlm_ldap: search failed
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns fail for request 0
modcall: group authorize returns fail for request 0
=46inished request 0
Going to the next request
=2D-- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:32838, id=3D41, length=
=3D56
Dropping packet from client localhost:32838 - ID: 41 due to dead request 0
=2D-- Walking the entire request list ---
Waking up in 3 seconds...
=2D-- Walking the entire request list ---
Cleaning up request 0 ID 41 with timestamp 424bf0f8
Nothing to do.  Sleeping until we see a request.


=C2=EE=F2 =F7=E0=F1=F2=FC =EA=EE=F4=E8=E3=E0 =F0=E0=E4=E8=F3=F1=E0:
        ldap {
                server =3D "localhost"
                identity =3D "cn=3Dadmin,dc=3Dzlt,dc=3Dru"
                password =3D secret
                basedn =3D "ou=3DUsers dc=3Dzlt,dc=3Dru"
                filter =3D "(&(objectClass=3DposixAccount)(uid=3D%u))"

                # set this to 'yes' to use TLS encrypted connections
                # to the LDAP database by using the StartTLS extended
                # operation.
                start_tls =3D no
                # set this to 'yes' to use TLS encrypted connections to the
                # LDAP database by passing the LDAP_OPT_X_TLS_TRY option to
                # the ldap library.
                tls_mode =3D no

                # default_profile =3D "cn=3Dradprofile,ou=3Ddialup,o=3DMy O=
rg,c=3DUA"
                # profile_attribute =3D "radiusProfileDn"
                access_attr =3D "dialupAccess"

                # Mapping of RADIUS dictionary attributes to LDAP
                # directory attributes.
                dictionary_mapping =3D ${raddbdir}/ldap.attrmap

                # ldap_cache_timeout =3D 120
                # ldap_cache_size =3D 0
                ldap_connections_number =3D 5
                # password_header =3D "{clear}"
                 password_attribute =3D userPassword
                # groupname_attribute =3D cn
                # groupmembership_filter =3D "(|(&(objectClass=3DGroupOfNam=
es)
(member=3D%{Ldap-UserDn}))(&(objectClass=3DGroupOfUniqueNames)
(uniquemember=3D%{Ldap-UserDn})))"
                # groupmembership_attribute =3D radiusGroupName
                timeout =3D 4
                timelimit =3D 3
                net_timeout =3D 1
                # compare_check_items =3D yes
                # access_attr_used_for_allow =3D yes
        }

=D7=F2=EE =EC=EE=E6=E5=F2 =E1=FB=F2=FC =ED=E5=EF=F0=E0=E2=E8=EB=FC=ED=EE?
=C1=F3=E4=F3 =EE=F7=E5=ED=FC =F0=E0=E4 =F0=E0=E1=EE=F7=E5=EC=F3 =EA=EE=ED=
=F4=E8=E3=F3 =E8=EB=E8 =EB=FE=E1=EE=E9 =EF=EE=EC=EE=F9=E8!
=2D-=20
MaX