[MASOCH-L] Ad e Openser com FreeRadius
Artur Hayne
arturhayne at yahoo.com.br
Mon Aug 21 13:26:02 -03 2006
O Freeradius não está fazendo uma pesquisa, ele apenas consegue se conectar com o Active Directory, antes nem isso eu conseguia fazer.
Você conseguiu utilizar o FreeRadius com o Active Directory (windows) para procurar usuários vindo do Openser? Me ensine, por favor!
No arquivo users tem isso descomentado:
# Excerpt of the FreeRADIUS `users` file as posted: a DEFAULT line carries
# check items, the lines after it are reply items. These look like the stock
# sample entries shipped with FreeRADIUS — confirm they are wanted, since
# they apply to every request that reaches the files module.
# NOTE(review): `Auth-Type = System` (operator "=") pre-sets the local system
# password database as the authentication method only for requests that have
# no Auth-Type yet; in the quoted debug the request already carries
# Auth-Type DIGEST, so this entry is apparently not what selects digest.
DEFAULT Auth-Type = System
Fall-Through = 1
# Dial-up defaults: Framed-IP-Address 255.255.255.254 is the RFC 2865 value
# that tells the NAS to choose the address itself; Fall-Through lets the
# later DEFAULT entries also match.
DEFAULT Service-Type == Framed-User
Framed-IP-Address = 255.255.255.254,
Framed-MTU = 576,
Service-Type = Framed-User,
Fall-Through = Yes
# PPP with Van Jacobson TCP/IP header compression.
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
# Requests tagged with the "CSLIP" hint (from the hints file) get SLIP.
DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
meu radiusd.conf:
# Installation paths (this appears to be a FreeRADIUS 1.x-style
# radiusd.conf); every later path is derived from ${prefix}.
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = /usr/local/etc/
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
# Bounds on how long (30 s) and how many (1024) requests stay in flight.
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
# Listens on every interface; which NASes may talk to the server is decided
# only by the shared secrets in the included clients.conf, so keep that tight.
bind_address = *
# port = 0 leaves the port to the radius entry in /etc/services.
port = 0
hostname_lookups = no
# A core file could contain the LDAP bind password and client secrets held
# in memory; keep this off in production.
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
# NOTE(review): with log_auth = no, Accept/Reject outcomes are not written to
# radius.log. Turning it on (the two *pass settings below keep passwords out
# of the log) gives the audit trail needed to spot failed-login patterns and
# to debug cases like the one discussed in this thread.
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
# Packets with more than 200 attributes are rejected, bounding the work a
# malformed or hostile packet can cause.
max_attributes = 200
# Access-Reject is delayed by 1 s, which slows password guessing without
# noticeably affecting legitimate users.
reject_delay = 1
# Status-Server probes are not answered.
status_server = no
}
# Proxying is on; proxy.conf says where realms are forwarded and clients.conf
# holds the per-NAS shared secrets (neither file was posted).
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
# SNMP agent disabled; snmp.conf is still included.
snmp = no
$INCLUDE ${confdir}/snmp.conf
# Worker thread pool: 5 threads at start, grown on demand up to 32, keeping
# between 3 and 10 idle. max_requests_per_server = 0 never recycles a thread.
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
# Module instances. Which of them actually run is decided by the authorize /
# authenticate / preacct / accounting / session sections further down.
modules {
chap {
authtype = CHAP
}
mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
# require_strong = no also accepts 40/56-bit MPPE keys; "yes" would demand
# 128-bit keys where the clients support them.
require_strong = no
with_ntdomain_hack = yes
}
# Directory lookups (authorize) and bind-as-user (authenticate) against the
# Active Directory host below.
ldap {
server="actdir.bli.br"
# NOTE(review): this binds as the directory admin. A dedicated read-only
# service account with only the rights rlm_ldap needs is the least-privilege
# choice and limits the damage if this file leaks.
identity="cn=admin,dc=bli,dc=br"
# NOTE(review): the bind password sits here in cleartext and has now been
# pasted into a public list; rotate it and keep this file readable only by
# the user radiusd runs as.
password="meupasswdAD"
basedn="dc=bli,dc=br"
# NOTE(review): AD accounts normally keep the login name in sAMAccountName,
# not uid; the quoted debug's "object not found" for (uid=jab) is consistent
# with uid being unset on the account — confirm against the directory.
filter = (uid=%{Stripped-User-Name:-%{User-Name}})
# NOTE(review): AD does not return a readable password attribute, so this
# lookup cannot supply the User-Password / MD5-Password that rlm_digest asks
# for in the quoted debug; digest authentication needs that value from some
# other source.
password_attribute = userPassword
# NOTE(review): 636 is the LDAPS port, while start_tls issues StartTLS on a
# plain connection; normally one form or the other is used, not both —
# confirm which the server accepts.
port = 636
start_tls = yes
tls_mode = yes
dictionary_mapping = /usr/local/etc/raddb/ldap.attrmap
ldap_cache_timeout = 150
ldap_cache_size = 0
ldap_connections_number = 10
# Per-operation timeouts (seconds) so a slow directory cannot hold request
# threads indefinitely.
timeout = 3
timelimit = 5
net_timeout = 1
compare_check_items = no
# "demand" makes a valid server certificate mandatory, checked against the
# CA files below, so a spoofed directory cannot intercept the bind.
tls_cacertfile = /usr/local/var/openldap-data/cacert.pem
tls_cacertdir = /usr/local/var/openldap-data/
tls_require_cert = "demand"
}
# Realm handling: the part of User-Name after "@" (or "%") names the realm.
realm intranet.ufba.br {
format = suffix
delimiter = "@"
}
realm suffix {
format = suffix
delimiter = "@"
}
realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = yes
}
# Flat-file users database (the users excerpt posted above).
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
compat = no
}
# Accounting and authentication detail logs, one directory per NAS address,
# mode 0600 because they carry user and session data.
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
detail auth_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address"
}
# Defines the sql module referenced in the accounting section.
$INCLUDE ${confdir}/postgresql.conf
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
# attr_filter, counter daily, the always instances, echo and main_pool are
# defined but not referenced by any processing section below.
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
digest {
}
exec {
input_pairs = request
wait = yes
}
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
}
ippool main_pool {
range-start = 192.168.1.1
range-stop = 192.168.3.254
netmask = 255.255.255.0
cache-size = 800
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
override = no
maximum-timeout = 0
}
}
# exec and expr are loaded at start-up so they are available to xlat
# expansions even though no section lists them.
instantiate {
exec
expr
}
# Order matters: each module sees what the previous ones added.
authorize {
preprocess
# Every Access-Request is written to the auth-detail file before any
# decision is taken.
auth_log
# Sets Auth-Type to DIGEST when the request carries Digest attributes (the
# "Found Auth-Type DIGEST" in the quoted debug).
digest
files
# NOTE(review): a failed directory lookup ends the section here ("returns
# ok" in the quoted debug), so nothing later in authorize can add the
# password attribute that digest authentication needs.
ldap {
notfound = return
}
}
authenticate {
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
# NOTE(review): rlm_ldap authenticates by binding with the cleartext
# User-Password, which an MS-CHAP request does not carry — confirm this
# entry is intended.
ldap
}
# Digest needs a User-Password or MD5-Password supplied during authorize;
# the quoted debug fails at this step because neither was found.
digest
# Bind-as-user against the directory for requests with Auth-Type LDAP.
Auth-Type LDAP {
ldap
}
}
# Accounting pre-processing: build the unique session key and strip the
# "@realm" suffix (realm suffix instance) from User-Name.
preacct {
preprocess
acct_unique
suffix
}
# Accounting records go to the per-NAS detail file and to the sql module
# defined in the included postgresql.conf.
accounting {
detail
sql
}
# Simultaneous-use checks consult the radutmp file.
session {
radutmp
}
# Nothing runs after authentication (no reply logging or filtering).
post-auth {
}
# No processing before a request is proxied.
pre-proxy {
}
# No processing of proxied replies.
post-proxy {
}
Arthur,
qual é a pesquisa que o freeradius está fazendo no ldap?
o que tem no users.conf?
eu já utilizei freeradius+ldap sem problemas.
[]s
Marcelo Costa
Em 20/8/2006, "Artur Hayne" <arturhayne at yahoo.com.br> escreveu:
>Olá a todos,
>
> Eu tenho um problema que parece não haver solução. Tenho um servidor
openser que deve autenticar os usuários no servidor ldap Active
Directory através do FreeRadius. Consigo estabelecer uma sessão do Freeradius
com o AD, porém quando o usuário tenta se autenticar através de um
softphone, passando pelo FreeRadius, aparece um erro.
>
> Vejam aqui o debug do Radius:
>
> radius_xlat: 'ou=bli,dc=blo,dc=blu,dc=br'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=bli,dc=blo,dc=blu,dc=br, with
filter (uid=jab)
> rlm_ldap: object not found or got ambiguous search result
<---------- essa linha!!!
> rlm_ldap: search failed <---------- essa linha!!!
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns notfound for request 47
<---------- essa linha!!!
> modcall: leaving group authorize (returns ok) for request 47
> rad_check_password: Found Auth-Type DIGEST
> auth: type "digest"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 47
> rlm_digest: Configuration item "User-Password" or MD5-Password is
required for authentication. <---------- essa linha!!!
> modcall[authenticate]: module "digest" returns invalid for request
47 <---------- essa linha!!!
> modcall: leaving group authenticate (returns invalid) for request 47
> auth: Failed to validate the user. <---------- essa linha!!!
>
> Eu vi alguns tutoriais mostrando como autenticar no domínio
utilizando a ferramenta ntlm_auth, mas ela parece que só funciona com o
protocolo mschap, sendo que o Openser utiliza o digest para autenticar.
> No radiusd.conf o digest e o ldap estão descomentados tanto para
autenticação como para autorização.
> É necessário fazer alguma configuração nos arquivos users ou em
outro?
> Eu ainda estou tentando entender um pouco mais do Freeradius.
>
> Obrigado.
>
>
>