[MASOCH-L] Ad e Openser com FreeRadius

Artur Hayne arturhayne at yahoo.com.br
Mon Aug 21 13:26:02 BRT 2006


O Freeradius não está fazendo uma pesquisa, ele apenas consegue se conectar com o Active  Directory, antes nem isso eu conseguia fazer.
 Você conseguiu utilizar o FreeRadius com o Active Directory (windows) para procurar usuários vindo do Openser? Me ensine, por favor!
 
 No arquivo users tem isso descomentado:
 
 DEFAULT         Auth-Type = System
                 Fall-Through = 1
 
 DEFAULT Service-Type == Framed-User
         Framed-IP-Address = 255.255.255.254,
         Framed-MTU = 576,
         Service-Type = Framed-User,
         Fall-Through = Yes
 
 DEFAULT Framed-Protocol == PPP
         Framed-Protocol = PPP,
         Framed-Compression = Van-Jacobson-TCP-IP
 
 
 DEFAULT Hint == "CSLIP"
         Framed-Protocol = SLIP,
         Framed-Compression = Van-Jacobson-TCP-IP
 
 meu radiusd.conf:
 
 prefix = /usr/local
 exec_prefix = ${prefix}
 sysconfdir = /usr/local/etc/
 localstatedir = ${prefix}/var
 sbindir = ${exec_prefix}/sbin
 logdir = ${localstatedir}/log/radius
 raddbdir = ${sysconfdir}/raddb
 radacctdir = ${logdir}/radacct
 confdir = ${raddbdir}
 run_dir = ${localstatedir}/run/radiusd
 log_file = ${logdir}/radius.log
 libdir = ${exec_prefix}/lib
 pidfile = ${run_dir}/radiusd.pid
 max_request_time = 30
 delete_blocked_requests = no
 cleanup_delay = 5
 max_requests = 1024
 bind_address = *
 port = 0
 hostname_lookups = no
 allow_core_dumps = no
 regular_expressions     = yes
 extended_expressions    = yes
 log_stripped_names = no
 log_auth = no
 log_auth_badpass = no
 log_auth_goodpass = no
 usercollide = no
 lower_user = no
 lower_pass = no
 nospace_user = no
 nospace_pass = no
 
 checkrad = ${sbindir}/checkrad
 
 security {
         max_attributes = 200
         reject_delay = 1
         status_server = no
 }
 
 proxy_requests  = yes
 $INCLUDE  ${confdir}/proxy.conf
 $INCLUDE  ${confdir}/clients.conf
 snmp    = no
 $INCLUDE  ${confdir}/snmp.conf
 
 
 thread pool {
         start_servers = 5
         max_servers = 32
         min_spare_servers = 3
         max_spare_servers = 10
         max_requests_per_server = 0
 }
 
 modules {
         chap {
                 authtype = CHAP
         }
 
         mschap {
                 authtype = MS-CHAP
                 use_mppe = yes
                 require_encryption = yes
                 require_strong = no
                 with_ntdomain_hack = yes
 
         }
 
         ldap {
                 server="actdir.bli.br"
                 identity="cn=admin,dc=bli,dc=br"
                 password="meupasswdAD"
                 basedn="dc=bli,dc=br"
                 filter = (uid=%{Stripped-User-Name:-%{User-Name}})
                 password_attribute = userPassword
                 port = 636
                 start_tls = yes
                 tls_mode = yes
                 dictionary_mapping = /usr/local/etc/raddb/ldap.attrmap
                 ldap_cache_timeout = 150
                 ldap_cache_size = 0
                 ldap_connections_number = 10
                 timeout = 3
                 timelimit = 5
                 net_timeout = 1
                 compare_check_items = no
                 tls_cacertfile = /usr/local/var/openldap-data/cacert.pem
                 tls_cacertdir = /usr/local/var/openldap-data/
                 tls_require_cert = "demand"
         }
         realm intranet.ufba.br {
                 format = suffix
                 delimiter = "@"
         }
 
         realm suffix {
                 format = suffix
                 delimiter = "@"
         }
 
         realm realmpercent {
                 format = suffix
                 delimiter = "%"
                 ignore_default = no
                 ignore_null = no
         }
 
         preprocess {
                 huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints
                 with_ascend_hack = no
                 ascend_channels_per_line = 23
                 with_ntdomain_hack = no
                 with_specialix_jetstream_hack = no
                 with_cisco_vsa_hack = yes
         }
 
         files {
                 usersfile = ${confdir}/users
                 acctusersfile = ${confdir}/acct_users
                 compat = no
         }
 
         detail {
                 detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
 
                 detailperm = 0600
         }
 
          detail auth_log {
                  detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
 
                  detailperm = 0600
          }
 
         acct_unique {
                 key = "User-Name, Acct-Session-Id, NAS-IP-Address"
         }
 
 
         $INCLUDE  ${confdir}/postgresql.conf
 
         radutmp {
                 filename = ${logdir}/radutmp
                 username = %{User-Name}
                 case_sensitive = yes
                 check_with_nas = yes
                 perm = 0600
                 callerid = "yes"
         }
 
         radutmp sradutmp {
                 filename = ${logdir}/sradutmp
                 perm = 0644
                 callerid = "no"
         }
 
         attr_filter {
                 attrsfile = ${confdir}/attrs
         }
 
         counter daily {
                 filename = ${raddbdir}/db.daily
                 key = User-Name
                 count-attribute = Acct-Session-Time
                 reset = daily
                 counter-name = Daily-Session-Time
                 check-name = Max-Daily-Session
                 allowed-servicetype = Framed-User
                 cache-size = 5000
         }
 
         always fail {
                 rcode = fail
         }
         always reject {
                 rcode = reject
         }
         always ok {
                 rcode = ok
                 simulcount = 0
                 mpp = no
         }
 
         expr {
         }
 
         digest {
         }
 
         exec {
                 input_pairs = request
                 wait = yes
         }
 
         exec echo {
                 wait = yes
                 program = "/bin/echo %{User-Name}"
                 input_pairs = request
                 output_pairs = reply
 
         }
         ippool main_pool {
                 range-start = 192.168.1.1
                 range-stop = 192.168.3.254
                 netmask = 255.255.255.0
                 cache-size = 800
                 session-db = ${raddbdir}/db.ippool
                 ip-index = ${raddbdir}/db.ipindex
                 override = no
                maximum-timeout = 0
         }
 }
 instantiate {
         exec
         expr
 
 }
 authorize {
         preprocess
         auth_log
         digest
         files
         ldap {
         notfound = return
         }
 
 }
 
 authenticate {
 
         Auth-Type CHAP {
                 chap
         }
 
         Auth-Type MS-CHAP {
                 mschap
                 ldap
         }
 
          digest
 
         Auth-Type LDAP {
                 ldap
         }
 }
 
 preacct {
         preprocess
         acct_unique
         suffix
 }
 accounting {
         detail
         sql
 }
 session {
         radutmp
 }
 
 post-auth {
 }
 
 pre-proxy {
 }
 
 post-proxy {
 }
 
 
Arthur,

qual ? a pesquisa que o freeradius est? fazendo no ldap?
o que tem no users.conf?

eu f? utilizei freeradius+ldap sem problemas.

[]s
Marcelo Costa

Em 20/8/2006, "Artur Hayne" <arturhayne at yahoo.com.br> escreveu:

>Ol? a todos, 
>  
>  Eu tenho um problema que parece n?o haver solu??o. Tenho um servidor  
openser que deve autenticar os usu?rios no servidor ldap Active  
Directory atrav?s do FreeRadius. Consigo estabelecer uma se??o do  Freeradius 
com o AD, porem quando o usu?rio tenta se autenticar atraves  de um 
softphone, passando pelo FreeRadius, aparece um erro.
>  
>  Vejam aqui o debug do Radius:
>  
>   radius_xlat:  'ou=bli,dc=blo,dc=blu,dc=br'
>  rlm_ldap: ldap_get_conn: Checking Id: 0
>  rlm_ldap: ldap_get_conn: Got Id: 0
>  rlm_ldap: performing search in ou=bli,dc=blo,dc=blu,dc=br, with 
filter (uid=jab)
>  rlm_ldap: object not found or got ambiguous search result 
<---------- essa linha!!!
>  rlm_ldap: search failed <---------- essa linha!!!
>  rlm_ldap: ldap_release_conn: Release Id: 0
>    modcall[authorize]: module "ldap" returns notfound for request 47 
<---------- essa linha!!!
>  modcall: leaving group authorize (returns ok) for request 47
>    rad_check_password:  Found Auth-Type DIGEST
>  auth: type "digest"
>    Processing the authenticate section of radiusd.conf
>  modcall: entering group authenticate for request 47
>  rlm_digest: Configuration item "User-Password" or MD5-Password is 
required for authentication. <---------- essa linha!!!
>    modcall[authenticate]: module "digest" returns invalid for request 
47 <---------- essa linha!!!
>  modcall: leaving group authenticate (returns invalid) for request 47
>  auth: Failed to validate the user. <---------- essa linha!!!
>  
>  Eu vi alguns tutoriais mostrando como autenticar no dominio 
utilizando  a ferramneta ntlm_auth,  mas ela parece que so funciona com o  
protocolo mschap, sendo que o Openser utiliza o digest para autenticar.  
>  No radiusd.conf o digest e o ldap est?o descomentados tanto para 
autentica??o como para autoriza??o.
>  ? necess?rio fazer alguma configura??o nos aquivos users ou em 
outro?
>  Eu ainda estou tentando entender um pouco mais do Freeradius.
>  
>  Obrigado.
>  
>  
>   
>---------------------------------
> O Yahoo! est? de cara nova. Venha conferir!
>__
>masoch-l list
 
 
 
 		
---------------------------------
 Yahoo! Search
 Música para ver e ouvir: You're Beautiful, do James Blunt


More information about the masoch-l mailing list