From: max
To: community@altlinux.ru
Date: Thu, 31 Mar 2005 19:04:01 +0600
Subject: [Comm] freeradius & openldap
Message-Id: <200503311904.01561.alt@zlt.ru>

I can't get freeradius & openldap to work together on Master 2.4. Has anyone done this? Ideally I wanted to get a VPN with authorization via LDAP. freeradius has been updated a little.

# rpm -qa|grep freerad
freeradius-0.9.3-alt4.1
freeradius-python-0.9.3-alt4.1
freeradius-ldap-0.9.3-alt4.1
freeradius-mysql-0.9.3-alt4.1
freeradius-sqlcounter-0.9.3-alt4.1
freeradius-perl-0.9.3-alt4.1
freeradius-pgsql-0.9.3-alt4.1
# rpm -qa|grep openldap
openldap-clients-2.1.30-alt3
openldap-2.1.30-alt3
openldap-servers-2.1.30-alt3

There is a user in openldap:

#ldapsearch -x -D "cn=admin,dc=zlt,dc=ru" -w secret uid=max1
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: uid=max1
# requesting: ALL
#

# max1, Users, zlt.ru
dn: uid=max1,ou=Users,dc=zlt,dc=ru
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: qmailUser
objectClass: posixAccount
sn: max
cn: max1
userPassword:: MTIz
displayName: max
givenName: max
initials: M
mail: max1@zlt.ru
o: MT
uid: max1
mailMessageStore: max1/Maildir/
accountStatus: active
homeDirectory: /home/max1
uidNumber: 1025
gidNumber: 1025

# radtest max1 123 127.0.0.1 2 testlocal
Sending Access-Request of id 79 to 127.0.0.1:1812
        User-Name = "max1"
        User-Password = "123"
        NAS-IP-Address = max
        NAS-Port = 2
Re-sending Access-Request of id 79 to 127.0.0.1:1812
        User-Name = "max1"
        User-Password = "\t\330#\007\\\016\202\250L\266\223\226M\315\362\237"
        NAS-IP-Address = max
        NAS-Port = 2

Starting from the "Re-sending..." line it repeats until you stop it. And at the same time in another console:

# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/freeradius"
 main: libdir = "/usr/lib/freeradius"
 main: radacctdir = "/var/log/freeradius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 5120
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/freeradius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: bind_address = localhost IP address [127.0.0.1]
 main: user = "radius"
 main: group = "radius"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded LDAP
 ldap: server = "localhost"
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = "cn=admin,dc=zlt,dc=ru"
 ldap: start_tls = no
 ldap: password = "secret"
 ldap: basedn = "ou=Users dc=zlt,dc=ru"
 ldap: filter = "(&(objectClass=posixAccount)(uid=%u))"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: password_header = "(null)"
 ldap: password_attribute = "userPassword"
 ldap: access_attr = "dialupAccess"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 ldap: groupmembership_attribute = "(null)"
 ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap"
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
conns: (nil)
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
conns: 0x8102b58
Module: Instantiated ldap (ldap)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/var/log/freeradius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address 127.0.0.1, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32838, id=41, length=56
        User-Name = "max1"
        User-Password = "123"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 2
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for max1
radius_xlat:  '(&(objectClass=posixAccount)(uid=max1))'
radius_xlat:  'ou=Users dc=zlt,dc=ru'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=admin,dc=zlt,dc=ru/secret to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=Users dc=zlt,dc=ru, with filter (&(objectClass=posixAccount)(uid=max1))
rlm_ldap: ldap_search() failed: Invalid DN syntax
rlm_ldap: search failed
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns fail for request 0
modcall: group authorize returns fail for request 0
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:32838, id=41, length=56
Dropping packet from client localhost:32838 - ID: 41 due to dead request 0
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 41 with timestamp 424bf0f8
Nothing to do.  Sleeping until we see a request.

Here is part of the radius config:

ldap {
        server = "localhost"
        identity = "cn=admin,dc=zlt,dc=ru"
        password = secret
        basedn = "ou=Users dc=zlt,dc=ru"
        filter = "(&(objectClass=posixAccount)(uid=%u))"

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        start_tls = no

        # set this to 'yes' to use TLS encrypted connections to the
        # LDAP database by passing the LDAP_OPT_X_TLS_TRY option to
        # the ldap library.
        tls_mode = no

        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        access_attr = "dialupAccess"

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        # ldap_cache_timeout = 120
        # ldap_cache_size = 0
        ldap_connections_number = 5
        # password_header = "{clear}"
        password_attribute = userPassword
        # groupname_attribute = cn
        # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        # groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # access_attr_used_for_allow = yes
}

What could be wrong? I would be very glad for a working config or any help!
-- 
MaX
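The debug log ends with rlm_ldap reporting "Invalid DN syntax" for the configured basedn "ou=Users dc=zlt,dc=ru", while the DN that ldapsearch printed for the same subtree reads "uid=max1,ou=Users,dc=zlt,dc=ru". As an added example, not part of the original message, here is a small Python pre-flight check that parses the DN-valued keys of an rlm_ldap block under the RFC 2253 string rules (the ones OpenLDAP 2.1 applied) and flags this kind of defect before radiusd is started; the config excerpt is a constructed copy of the posted values, and the key names it scans are assumed from the posted block.

```python
import re

# Constructed excerpt of the posted rlm_ldap block; only DN-valued keys matter here.
RLM_LDAP_CONF = """ldap {
        server = "localhost"
        identity = "cn=admin,dc=zlt,dc=ru"
        basedn = "ou=Users dc=zlt,dc=ru"
}"""

def _split_unescaped(s, sep):
    """Split s on unescaped sep; backslash escape pairs ("\\,") are kept intact."""
    parts, cur, i = [], "", 0
    while i < len(s):
        step = 2 if s[i] == "\\" else 1          # keep "\x" pairs together
        if step == 1 and s[i] == sep:
            parts.append(cur)
            cur = ""
        else:
            cur += s[i:i + step]
        i += step
    return parts + [cur]

def dn_problems(dn):
    """Return the RFC 2253 syntax problems found in dn; an empty list means well formed."""
    problems = []
    for rdn in _split_unescaped(dn, ","):          # RDNs are separated by unescaped ','
        for ava in _split_unescaped(rdn, "+"):     # multi-valued RDNs join AVAs with '+'
            if "=" not in ava:
                problems.append(f"no '=' in RDN {ava.strip()!r}")
                continue
            atype, value = ava.split("=", 1)
            atype, value = atype.strip(), value.strip()
            if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*", atype):  # descriptor or OID
                problems.append(f"bad attribute type {atype!r}")
            if not value:
                problems.append(f"empty value for {atype!r}")
            # RFC 2253 requires '=' inside a value to be escaped; an unescaped one usually means a dropped ','.
            elif not value.startswith('"') and len(_split_unescaped(value, "=")) > 1:
                problems.append(f"unescaped '=' in value {value!r} (missing ',' between RDNs?)")
    return problems

def check_rlm_ldap(conf_text):
    """Validate every DN-valued key present in an rlm_ldap block; returns {key: problems}."""
    report = {}
    for key in ("identity", "basedn", "default_profile"):   # assumed DN-valued keys of the module
        m = re.search(rf'^\s*{key}\s*=\s*"?([^"\n]*)"?\s*$', conf_text, re.M)
        if m:
            report[key] = dn_problems(m.group(1))
    return report
```

Running check_rlm_ldap(RLM_LDAP_CONF) reports identity as clean and basedn with one problem, the same DN that the ldap_search() call in the log rejected.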