Author Topic: Radius - Where is my error  (Read 8965 times)

christian

  • Guest
Re: Radius - Where is my error
« Reply #15 on: January 06, 2013, 09:53:02 pm »
If you increase LDAP log level on both standard and Samba LDAP servers, you will easily see in syslog which one is requested from Radius server (I hope)

half_life

  • Bug Hunter
  • Zen Hero
  • *****
  • Posts: 867
  • Karma: +59/-0
    • View Profile
Re: Radius - Where is my error
« Reply #16 on: January 07, 2013, 11:51:51 pm »
Christian, I am able to verify by the LDAP info contained in /etc/modules/ldap that it is pointing at the one on 390. Using Apache Studio I can verify that the password is hashed with Kerberos 5. Where does that leave me? I am certain from watching the radius server in debug mode that it correctly gets through the authorization section but does not get through the authentication section. If I jury-rig things so that the radius server asks the old LDAP server, everything works correctly. What, besides the password, could be the problem?

christian

  • Guest
Re: Radius - Where is my error
« Reply #17 on: January 08, 2013, 12:10:52 am »
If LDAP authentication is wrong, you should see LDAP err 49 in syslog.
Again (sorry for being heavy on this point), increase LDAP log level so that you can check LDAP request and result and determine if error is due to LDAP, password or something else.

half_life

  • Bug Hunter
  • Zen Hero
  • *****
  • Posts: 867
  • Karma: +59/-0
    • View Profile
Re: Radius - Where is my error
« Reply #18 on: January 08, 2013, 03:51:12 am »
Where exactly would I make these adjustments at?  I am convinced of my findings at this point but am willing to take direction if you can.

christian

  • Guest
Re: Radius - Where is my error
« Reply #19 on: January 08, 2013, 06:48:55 am »
You have to change the olcLogLevel attribute from "0" to "256" in order to get verbose logs.
This attribute is attached to the cn=config entry.
Have a look here.

You can apply this change either using command line or LDAP graphic interface (which is more convenient). Apache Directory Studio is one of the various tools you may use.

Looking closely at LDAP content is not something expected for basic Zentyal user but it helps a lot especially during this "tuning & debugging" phase.
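Once olcLogLevel is at 256, slapd writes one "stats" line per request and one per result to syslog, and the error code the thread keeps coming back to (err=49, and later err=32) appears on the RESULT line of the operation that failed. The following parser is an added example, not code from this thread or from Zentyal: it pairs each BIND or SRCH line with its RESULT by (conn, op), names the error code, and counts repeated failures per bind DN so a single mistyped password and a service that fails every bind look different. The sample log lines, hostnames and DNs are constructed for the example; only the slapd stats line layout is assumed to match a real server.

```python
import re
from collections import defaultdict

# Constructed sample of slapd "stats" output (olcLogLevel 256) as seen in syslog.
# Host, DNs, ports and connection numbers are made up for this example.
SAMPLE_SYSLOG = """\
Jan  8 15:01:02 zentyal slapd[2231]: conn=1000 fd=14 ACCEPT from IP=127.0.0.1:45120 (IP=0.0.0.0:390)
Jan  8 15:01:02 zentyal slapd[2231]: conn=1000 op=0 BIND dn="cn=ebox,dc=yourhost,dc=yourdomain" method=128
Jan  8 15:01:02 zentyal slapd[2231]: conn=1000 op=0 RESULT tag=97 err=49 text=
Jan  8 15:01:02 zentyal slapd[2231]: conn=1000 fd=14 closed (connection lost)
Jan  8 15:01:10 zentyal slapd[2231]: conn=1001 fd=14 ACCEPT from IP=127.0.0.1:45130 (IP=0.0.0.0:390)
Jan  8 15:01:10 zentyal slapd[2231]: conn=1001 op=0 BIND dn="cn=zentyal,dc=yourhost,dc=yourdomain" method=128
Jan  8 15:01:10 zentyal slapd[2231]: conn=1001 op=0 BIND dn="cn=zentyal,dc=yourhost,dc=yourdomain" mech=SIMPLE ssf=0
Jan  8 15:01:10 zentyal slapd[2231]: conn=1001 op=0 RESULT tag=97 err=0 text=
Jan  8 15:01:10 zentyal slapd[2231]: conn=1001 op=1 SRCH base="cn=config,dc=yourhost,dc=yourdomain" scope=2 deref=0 filter="(objectClass=*)"
Jan  8 15:01:10 zentyal slapd[2231]: conn=1001 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Jan  8 15:01:10 zentyal slapd[2231]: conn=1001 op=2 SRCH base="cn=config" scope=2 deref=0 filter="(objectClass=*)"
Jan  8 15:01:10 zentyal slapd[2231]: conn=1001 op=2 SEARCH RESULT tag=101 err=0 nentries=12 text=
"""

# LDAP result codes that show up most often when debugging a bind or base DN problem.
LDAP_ERR_NAMES = {
    0: "success",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

# Every request and result line carries "conn=N op=M"; ACCEPT/closed lines do not.
OP_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<body>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
SRCH_RE = re.compile(r'^SRCH base="(?P<base>[^"]*)"')
RESULT_RE = re.compile(r'^(?:SEARCH )?RESULT tag=(?P<tag>\d+) err=(?P<err>\d+)(?: nentries=(?P<n>\d+))?')


def parse_slapd_stats(text):
    """Pair each BIND/SRCH request with its RESULT line and return one record per operation."""
    pending = {}   # (conn, op) -> request details, until the RESULT arrives
    results = []
    for line in text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        key = (int(m["conn"]), int(m["op"]))
        body = m["body"]
        b = BIND_RE.match(body)
        if b:
            # A successful simple bind logs a second BIND line (mech=SIMPLE); keep the first.
            pending.setdefault(key, {"kind": "BIND", "target": b["dn"]})
            continue
        s = SRCH_RE.match(body)
        if s:
            pending[key] = {"kind": "SRCH", "target": s["base"]}
            continue
        r = RESULT_RE.match(body)
        if r:
            req = pending.pop(key, {"kind": "?", "target": ""})
            err = int(r["err"])
            results.append({
                "conn": key[0], "op": key[1],
                "kind": req["kind"], "target": req["target"],
                "err": err, "err_name": LDAP_ERR_NAMES.get(err, "unknown"),
                "nentries": int(r["n"]) if r["n"] else None,
            })
    return results


def failed_binds(results):
    """Only the binds that slapd rejected with err=49 (wrong DN or wrong password)."""
    return [r for r in results if r["kind"] == "BIND" and r["err"] == 49]


def summarize(results):
    """Count (kind, target, err) so repeated failures from one DN stand out."""
    counts = defaultdict(int)
    for r in results:
        counts[(r["kind"], r["target"], r["err"])] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_slapd_stats(SAMPLE_SYSLOG)
    for r in parsed:
        print(f"conn={r['conn']} op={r['op']} {r['kind']} {r['target']!r} -> err={r['err']} ({r['err_name']})")
    for key, n in summarize(parsed).items():
        print(f"{n}x {key}")
```

Reading the sample the way the thread suggests: the first connection binds as cn=ebox,... and gets err=49, so the credentials the client sent are wrong for that DN; the second connection binds fine, its search with cn=config appended to the domain base returns err=32 (no such object), and the search with base cn=config alone returns 12 entries, which is the shape of result to expect when the config database is reachable.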

half_life

  • Bug Hunter
  • Zen Hero
  • *****
  • Posts: 867
  • Karma: +59/-0
    • View Profile
Re: Radius - Where is my error
« Reply #20 on: January 08, 2013, 02:37:33 pm »
There is no CN=config 

christian

  • Guest
Re: Radius - Where is my error
« Reply #21 on: January 08, 2013, 03:07:48 pm »
Yes, there is one ;) trust me 8)
The point is that you have to change your baseDN and point to cn=config instead of the standard baseDN as displayed in the Zentyal interface.
The LDAP server hosts at least 2 root entries:
- one is cn=config (which contains the LDAP config; the name is quite self-explanatory)
- one is dc=yourdomain or something like this, containing your entries (accounts, groups ...)

half_life

  • Bug Hunter
  • Zen Hero
  • *****
  • Posts: 867
  • Karma: +59/-0
    • View Profile
Re: Radius - Where is my error
« Reply #22 on: January 08, 2013, 04:34:42 pm »
I understood you, Christian. I get an error when I try that (error 49 - invalid credentials). I have tried:
This is my root: cn=zentyal,dc=rapheal,dc=no-ip,dc=com, and this works

my base is dc=rapheal,dc=no-ip,dc=com
my config should be cn=config,dc=rapheal,dc=no-ip,dc=com
in addition I tried cn=config,cn=zentyal,dc=rapheal,dc=no-ip,dc=com

Where is my mistake?

christian

  • Guest
Re: Radius - Where is my error
« Reply #23 on: January 08, 2013, 05:22:48 pm »
your base must be  cn=config

no more nor less  ;)

thorsten

  • Guest
Re: Radius - Where is my error
« Reply #24 on: January 08, 2013, 08:18:29 pm »
Hi Christian,

I do not understand some parts of the link on LDAP you quoted:
Quote
Have a look here.

ICHAT writes below, that the firewall may block port 390, but port 390 is blocked by default from Zentyal (clean installation). I did not change that and I remember that it was also blocked within Zentyal 2.2.

Additionally, where do I need to change cn=config, which is the path / file?

Another stupid question: for me, proxy and SSO (Zarafa) are blocked, but the computer is a domain member and a valid user is logged on: it requests a password I cannot satisfy. Same / similar for the proxy: Zentyal simply blocks everything.

THX
Thorsten

half_life

  • Bug Hunter
  • Zen Hero
  • *****
  • Posts: 867
  • Karma: +59/-0
    • View Profile
Re: Radius - Where is my error
« Reply #25 on: January 09, 2013, 12:12:01 am »
your base must be  cn=config

no more nor less  ;)

Sorry,  no dice.  Same error. 

christian

  • Guest
Re: Radius - Where is my error
« Reply #26 on: January 09, 2013, 07:57:48 am »
From the command line (on the Zentyal server, via SSH e.g. ;) ), try something like this:
Code:
ldapsearch -h localhost -p 390 -b 'cn=config' -x -D cn=ebox,dc=yourhost,dc=yourdomain -w ebox_password
and let us know what you see.

On my 2.2 Zentyal server, it works (on port 389)

half_life

  • Bug Hunter
  • Zen Hero
  • *****
  • Posts: 867
  • Karma: +59/-0
    • View Profile
Re: Radius - Where is my error
« Reply #27 on: January 10, 2013, 01:13:28 am »
Same result.  I tried a few variations just to make sure.

christian

  • Guest
Re: Radius - Where is my error
« Reply #28 on: January 10, 2013, 07:34:38 am »
 :o :o
I currently don't have time to restart and test with Zentyal 3.0, but I'm very very surprised you don't find the cn=config entry.
This one is mandatory.
When you report "same result", what is this result ?
- no such object (error code 32) or something else?

half_life

  • Bug Hunter
  • Zen Hero
  • *****
  • Posts: 867
  • Karma: +59/-0
    • View Profile
Re: Radius - Where is my error
« Reply #29 on: January 10, 2013, 02:19:30 pm »
christian,  you aren't the only one with limits to their time.  I think we have beaten this horse long enough trying to deny that there is an issue with radius/ldap.

Code:
ldap_bind: Invalid credentials (49)