Environment
FreeRADIUS 2.1.1-7.6
SLES 11
Situation
Upgraded from SLES10 SP2 to SLES 11
Freeradius version 1.1.0-19.9 on SLES
10
Freeradius Version 2.1.1-7.6 on SLES 11
LDAP authenticate was previously configured for eDirectory 8.8.5 on SLES 10 and was working correctly. The only change is the upgrade to SLES 11 and the newer version of Freeradius.
The logintime attribute and lastlogintime attribute do not get updated. This can be viewed in iMonitor.
Resolution
What is happening is eDirectory is only being used for
password authentication. Freeradius is authorizing the user, not
eDirectory. The edir_account_policy_check is being bypassed.
To resolve this verify the configuration is correct.
Verify the /etc/raddb/modules/ldap is
configured properly.
Example:
ldap {
#
# Note that this needs to match the
name in the LDAP
# server certificate, if you're using
ldaps.
server = "server1.novell"
identity = "cn=RADadmin,o=novell"
password = mypass
basedn = "o=novell"
filter ="(uid=%{Stripped-User-Name:-%{User-Name}})"
The password attribute should be
un-remmed and as follows:
password_attribute = nspmPassword
Be sure the eDirectory account policy
check is not disabled. If the account of the user is disabled or
closed in eDirectory, the RADIUS server can still read the universal
password and authorize the user. Also, the intruder detection
facility of eDirectory will be bypassed. The default is set to no. Change it
to yes
Example:
edir_account_policy_check = yes
Then edit the /etc/raddb/sites-available/default. Then un-rem the ldap module. This is new from SLES 10 to SLES11 and is most likely the root of the issue if you edir_account_policy_check was set to yes.
#
# Un-comment the following if
you have set
# 'edir_account_policy_check =
yes' in the ldap module sub-section of
# the 'modules' section.
#
ldap
Restart freeradius and test authenticate with a disabled user. The user should fail to authenticate and in the /var/log/radius/radius.log it should report the failure.
Try again with a valid user and verify the logintime attriute has been updated in iMonitor.