0

我最近将 IBM 安全目录服务器从 6.3 迁移到 6.4.0.20。我遵循此指南https://www.ibm.com/support/pages/remote-migration-tds-62-sds-64。完成迁移后,我将 radius 服务器设置为连接到 IBM 安全目录服务器 6.4.0.20。我收到一条错误消息。

未添加“已知良好”密码。确保管理员用户具有读取密码属性的权限

Radius 使用用户cn=root绑定 IBM 安全目录服务器。这是/etc/raddb/mods-enabled/ldap.

ldap {
    server = "10.1.11.56"
    identity = "cn=root"
    password = password

    base_dn = "dc=sample,dc=com,dc=tw"

    update {
        control:Password-With-Header    += 'userPassword'
    }

    user {
        base_dn = "${..base_dn}"

        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        base_dn = "${..base_dn}"

        filter = "(objectClass=posixGroup)"
        membership_attribute = "memberOf"
    }

    profile {
    }

    client {
        base_dn = "${..base_dn}"

        filter = '(objectClass=frClient)'

        attribute {
            identifier          = 'radiusClientIdentifier'
            secret              = 'radiusClientSecret'
        }
    }

    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}}"

        type {
            start {
                update {
                    description := "Online at %S"
                }
            }

            interim-update {
                update {
                    description := "Last seen at %S"
                }
            }

            stop {
                update {
                    description := "Offline at %S"
                }
            }
        }
    }

    post-auth {
        update {
            description := "Authenticated at %S"
        }
    }

    options {
        chase_referrals = yes
        rebind = yes

        timeout = 20

        timelimit = 20

        net_timeout = 10

        idle = 60

        probes = 3

        interval = 3

        ldap_debug = 0x0028
    }

    tls {
        start_tls = no
    }

    pool {
        start = 5

        min = 4

        max = ${thread[pool].max_servers}

        spare = 3

        uses = 0

        lifetime = 0

        idle_timeout = 60
    }
}

这是所有调试消息。我认为 Radius 有权读取userPassword并且该条目uid=eric.su,cn=users,dc=sample,dc=com,dc=tw 确实具有userPassword属性。Radius 可以与旧的 IBM 安全目录服务器(6.3 版)配合使用。我尝试创建新的 VM 并克隆旧的 IBM 安全目录服务器,它也可以正常工作。所以,我错过了 6.4 版的一些设置。

(0) Received Access-Request Id 15 from 10.1.3.52:53965 to 10.1.4.200:1812 length 48
(0)   User-Name = "eric.su"
(0)   CHAP-Password = 0xf030d35fa386df51091dc439ac0f226123
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "eric.su", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap:    --> (uid=eric.su)
(0) ldap: Performing search in "dc=sample,dc=com,dc=tw" with filter "(uid=eric.su)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: User object found at DN "uid=eric.su,cn=users,dc=sample,dc=com,dc=tw"
(0) ldap: Processing user attributes
(0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (0)
rlm_ldap (ldap): Closing connection (1), from 1 unused connections
(0)     [ldap] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0)     [pap] = noop
(0)   } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> eric.su
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds

我该如何解决这个问题?对不起我的英语不好。

4

0 回答 0