Hello all!
Please help me understand how to make freeradius-1.0.1, OpenLDAP-2.1.29 and SASLv2 work together. The users' passwords in the LDAP database are in md5.
I can't understand why the users' passwords don't work for freeradius, while for all the other services (sendmail, cyrus) the passwords of users from LDAP work fine.
P.S. If anyone has freeradius working together with OpenLDAP, please respond. Or please show your config for the LDAP integration, and tell me in what format your passwords are stored in LDAP.
# cat radiusd.conf
====
...
ldap {
        server = "localhost"
        identity = "cn=radius,dc=xxx,dc=xxx,dc=ppp,dc=ru"
        password = xxxxxxxxxxx
        basedn = "ou=users,dc=xxx,dc=xxx,dc=ppp,dc=ru"
        #filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        filter = "(&(objectClass=posixAccount)(uid=%u))"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        #password_header = "{MD5}"
        password_attribute = userPassword
        # groupname_attribute = cn
        # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        # groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
        compare_check_items = yes
        access_attr_used_for_allow = yes
}
...
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        pam
        unix
        Auth-Type LDAP {
                ldap
        }
        eap
}
preacct {
        preprocess
#       realmslash
        suffix
#       files
}
...
accounting {
        acct_unique
        detail
#       daily
        unix
#       wtmp
        file
#       ldap
        radutmp
#       sradutmp
#       main_pool
}
...
====
I try radtest:
=====
# radtest test xxxxxxxxxxxx localhost 0 xxxxxxxxx
Sending Access-Request of id 53 to 127.0.0.1:1812
        User-Name = "test"
        User-Password = "xxxxxx"
        NAS-IP-Address = ciscoXXXX.xxx.xxx.ppp.ru
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=53, length=20
rad_decode: Received Access-Reject packet from 127.0.0.1:1812 with invalid signature (err=2)!  (Shared secret is incorrect.)
radclient: radclient.c:440: send_one_packet: Assertion `radclient->reply == ((void *)0)' failed.
/usr/bin/radtest: line 53: 10804 Done                    ( echo "User-Name = \"$1\""; echo "User-Password = \"$2\""; echo "NAS-IP-Address = $nas"; echo "NAS-Port = $4"; if [ "$6" ]; then echo "Framed-Protocol = PPP"; fi )
     10805 Aborted                 | $radclient $DICTIONARY -x $3 auth $5
#
=====
The result of the radtest in the server's logs:
=====
#/usr/sbin/radiusd -X -A
...
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32769, id=53, length=56
        User-Name = "test"
        User-Password = "\320Q\010,+\270\253\332\360\037I\223\215\302\\\362"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test
radius_xlat:  '(&(objectClass=posixAccount)(uid=test))'
radius_xlat:  'ou=users,dc=xxx,dc=xxx,dc=ppp,dc=ru'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=radius,dc=xxx,dc=xxx,dc=ppp,dc=ru/xxxxxxxxxx to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,dc=xxx,dc=xxx,dc=ppp,dc=ru, with filter (&(objectClass=posixAccount)(uid=test))
rlm_ldap: Added password xxxxxxxxxxxxx in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
Invalid operator for item User-Password: reverting to '=='
rlm_ldap: Pairs do not match. Rejecting user.
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns reject for request 0
modcall: group authorize returns reject for request 0
Invalid user (rlm_ldap: Pairs do not match): [test/\320Q\010,+\270\253\332\360\037I\223\215\302\\\362] (from client localhost port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
- --- Walking the entire request list ---
Waking up in 1 seconds...
- --- Walking the entire request list ---
Waking up in 1 seconds...
- --- Walking the entire request list ---
Sending Access-Reject of id 53 to 127.0.0.1:32769
Waking up in 4 seconds...
- --- Walking the entire request list ---
Cleaning up request 0 ID 53 with timestamp 41b05403
Nothing to do.  Sleeping until we see a request.
...
====
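Added example, not part of the original post and not code from FreeRADIUS or OpenLDAP: the two mechanisms the log above touches, written out in Python. Part 1 is RFC 2865 section 5.2 User-Password hiding, which is what radtest/radclient applies before sending and what the server reverses with its own copy of the shared secret; when the two secrets differ, the server recovers non-printable bytes of the kind shown in the "User-Password = ..." debug line. Part 2 verifies an OpenLDAP userPassword of the `{MD5}` or `{SMD5}` scheme (base64 of the raw digest, with the salt appended for `{SMD5}`) against a cleartext candidate, which is the kind of comparison needed when the directory holds hashes rather than cleartext; a plain string `==` between the cleartext and the stored value, as in the "reverting to '=='" / "Pairs do not match" lines, can never succeed. The secret `testing123`, the password `s3cret-pw` and the fixed 16-byte authenticator are constructed values for the demonstration.

```python
import base64
import hashlib
import hmac
from typing import Optional

# --- Part 1: RADIUS User-Password hiding (RFC 2865 section 5.2) ---
# Keystream block i is MD5(secret + previous ciphertext block), with the
# 16-byte Request Authenticator standing in as "previous block" for block 0.


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the client (NAS / radtest) sends on the wire for User-Password."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to 16n
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server recovers; garbage if its secret differs from the client's."""
    if len(hidden) == 0 or len(hidden) % 16 != 0:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return bytes(out).rstrip(b"\x00")  # strip the NUL padding


# --- Part 2: OpenLDAP {MD5} / {SMD5} userPassword values ---
# {MD5}  = base64(md5(password))
# {SMD5} = base64(md5(password + salt) + salt)


def make_ldap_md5(password: bytes, salt: Optional[bytes] = None) -> str:
    """Produce a userPassword value as slappasswd -h {MD5} / {SMD5} would."""
    if salt is None:
        return "{MD5}" + base64.b64encode(hashlib.md5(password).digest()).decode()
    raw = hashlib.md5(password + salt).digest() + salt
    return "{SMD5}" + base64.b64encode(raw).decode()


def check_ldap_password(stored: str, candidate: bytes) -> bool:
    """Hash the candidate the same way and compare digests in constant time."""
    if stored.startswith("{MD5}"):
        digest = base64.b64decode(stored[len("{MD5}"):])
        expected = hashlib.md5(candidate).digest()
    elif stored.startswith("{SMD5}"):
        raw = base64.b64decode(stored[len("{SMD5}"):])
        digest, salt = raw[:16], raw[16:]  # MD5 digest is 16 bytes, salt follows
        expected = hashlib.md5(candidate + salt).digest()
    else:
        return False  # other schemes ({SSHA}, {CRYPT}, ...) are out of scope here
    return hmac.compare_digest(digest, expected)


def demo() -> dict:
    """Constructed scenario: right secret, wrong secret, and a hashed directory entry."""
    authenticator = bytes(range(16))  # constructed; real ones are random per request
    secret, password = b"testing123", b"s3cret-pw"
    hidden = hide_user_password(password, secret, authenticator)
    good = reveal_user_password(hidden, secret, authenticator)
    bad = reveal_user_password(hidden, b"wrong-secret", authenticator)
    stored = make_ldap_md5(password)  # what userPassword holds for this user
    return {
        "round_trip_ok": good == password,
        "wrong_secret_garbage": bad != password,
        "ldap_check_ok": check_ldap_password(stored, good),
        "ldap_check_garbage": check_ldap_password(stored, bad),
        # the naive comparison a plain '==' between cleartext and stored hash does
        "naive_string_compare": stored == good.decode("latin-1"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the two independent failure points separately: the password only round-trips when client and server share the same secret, and even a correctly recovered cleartext only passes the directory check when it is hashed under the same scheme as the stored value instead of being string-compared to it.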
Help me understand what I am doing wrong.
Thanks.
----
Best regards,
Milord