eDir Disabled users can authenticate to Freeradius

  • 7006336
  • 23-Jun-2010
  • 26-Apr-2012

Environment

Novell eDirectory 8.8 for Linux
FreeRADIUS 2.1.1-7.6
SLES 11

Situation

Upgraded from SLES10 SP2 to SLES 11
Freeradius version 1.1.0-19.9 on SLES 10
Freeradius Version 2.1.1-7.6 on SLES 11

LDAP authentication against eDirectory 8.8.5 was previously configured on SLES 10 and was working correctly. The only change is the upgrade to SLES 11 and the newer version of FreeRADIUS that ships with it.

After a successful RADIUS login the user's loginTime and lastLoginTime attributes are not updated. This can be viewed in iMonitor.

Resolution

What is happening is that eDirectory is being used only as a password store: rlm_ldap reads the user's Universal Password (nspmPassword) during authorization and FreeRADIUS compares it locally, so FreeRADIUS, not eDirectory, is making the accept/reject decision. eDirectory never sees a login by the user, so the account policy check (edir_account_policy_check) is bypassed, and with it the login-disabled status, intruder detection and the login time attributes.
To resolve this, verify that the configuration is correct.

Verify that /etc/raddb/modules/ldap is configured properly.
Example:
ldap {
        #
        # Note that this needs to match the name in the LDAP
        # server certificate, if you're using ldaps.
        server = "server1.novell"
        identity = "cn=RADadmin,o=novell"
        password = mypass
        basedn = "o=novell"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

The password attribute should be uncommented and set as follows, so that rlm_ldap retrieves the Universal Password:
        password_attribute = nspmPassword

Be sure the eDirectory account policy check is not disabled. With it disabled, a user whose account is disabled, expired or locked in eDirectory can still be authenticated, because the RADIUS server can still read the Universal Password and compare it itself; eDirectory's intruder detection is bypassed as well. The default is no. Change it to yes:
Example:
        edir_account_policy_check = yes

Then edit /etc/raddb/sites-available/default and uncomment the ldap module in the post-auth section. This file is new between SLES 10 (FreeRADIUS 1.x, single radiusd.conf) and SLES 11 (FreeRADIUS 2.x), and this entry is most likely the root of the issue if edir_account_policy_check was already set to yes: without ldap in post-auth, rlm_ldap never binds to eDirectory as the user after authentication, so nothing in modules/ldap can make eDirectory enforce its policies.

        #
        # Un-comment the following if you have set
        # 'edir_account_policy_check = yes' in the ldap module sub-section of
        # the 'modules' section.
        #
        ldap

Restart FreeRADIUS and test authentication with a disabled user (radtest is sufficient). The user should now be rejected, and /var/log/radius/radius.log should record the failure.

Try again with a valid, enabled user and verify in iMonitor that the user's loginTime attribute has been updated.
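As an added example, not part of this TID and not a FreeRADIUS project tool, the following POSIX shell script audits the two files above for exactly the three settings the procedure requires: password_attribute = nspmPassword and edir_account_policy_check = yes uncommented in modules/ldap, and an uncommented ldap call inside the top-level post-auth section of sites-available/default (an ldap call in authorize only does not count, which is the mistake this TID is about). Run with no arguments it exercises the checks against constructed sample files written by the script itself (the sample contents are made up for the example, based on the values in this TID); run with the two real paths it audits the live configuration. The regular expressions accept both tabs and spaces, since the shipped files use tabs.

```shell
#!/bin/sh
# Added example, not part of this TID: audit a FreeRADIUS 2.x configuration for
# the eDirectory account policy check.  Pass the two real files as arguments, or
# run without arguments to exercise the checks on constructed sample files.

# check_ldap_module FILE   (normally /etc/raddb/modules/ldap)
# 0 if "password_attribute = nspmPassword" and "edir_account_policy_check = yes"
# are both present and not commented out, 1 otherwise.
check_ldap_module() {
    grep -Eq '^[[:space:]]*password_attribute[[:space:]]*=[[:space:]]*nspmPassword[[:space:]]*$' "$1" || return 1
    grep -Eq '^[[:space:]]*edir_account_policy_check[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1" || return 1
}

# check_post_auth_ldap FILE   (normally /etc/raddb/sites-available/default)
# 0 if "ldap" is called, uncommented, inside the top-level post-auth { } section.
# An ldap call in authorize or authenticate does not count: only the post-auth
# call makes rlm_ldap bind as the user so that eDirectory enforces its policies.
check_post_auth_ldap() {
    awk '
        /^post-auth[[:space:]]*[{]/                 { inside = 1; next }
        inside && /^[}]/                             { inside = 0 }
        inside && /^[[:space:]]*ldap[[:space:]]*$/   { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# write_samples DIR: constructed sample files (not taken from any real system),
# one correct and one incorrect version of each, used when no arguments are given.
write_samples() {
    cat > "$1/ldap.good" <<'EOF'
ldap {
        server = "server1.novell"
        identity = "cn=RADadmin,o=novell"
        password = mypass
        basedn = "o=novell"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        password_attribute = nspmPassword
        edir_account_policy_check = yes
}
EOF
    # As shipped: password attribute commented out, policy check set to no.
    sed -e 's/^\( *\)password_attribute/\1# password_attribute/' \
        -e 's/edir_account_policy_check = yes/edir_account_policy_check = no/' \
        "$1/ldap.good" > "$1/ldap.bad"

    cat > "$1/default.good" <<'EOF'
authorize {
        preprocess
        ldap
        pap
}
authenticate {
        Auth-Type PAP {
                pap
        }
}
post-auth {
        ldap
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}
EOF
    # Same site, but the ldap call in post-auth is commented out while the one
    # in authorize stays: it still fetches the password, so disabled users get in.
    sed '/^post-auth/,$ s/^\( *\)ldap$/#\1ldap/' "$1/default.good" > "$1/default.bad"
}

# audit MODULES_LDAP_FILE SITE_FILE: print one line per check.
audit() {
    if check_ldap_module "$1"; then echo "OK   $1: nspmPassword and edir_account_policy_check = yes"
    else echo "FAIL $1: password_attribute/edir_account_policy_check not both set"; fi
    if check_post_auth_ldap "$2"; then echo "OK   $2: ldap is called in post-auth"
    else echo "FAIL $2: ldap not called in post-auth, policy check is bypassed"; fi
}

if [ $# -eq 2 ]; then
    audit "$1" "$2"
else
    tmp=$(mktemp -d)
    write_samples "$tmp"
    echo "== correct samples"; audit "$tmp/ldap.good" "$tmp/default.good"
    echo "== broken samples";  audit "$tmp/ldap.bad"  "$tmp/default.bad"
    rm -rf "$tmp"
fi
```

Once both checks pass and FreeRADIUS has been restarted, repeat the TID's test by hand, for example `radtest disableduser <password> localhost 0 testing123` (this assumes the default localhost client secret from clients.conf; substitute your own). A "Login incorrect" line for that user in /var/log/radius/radius.log confirms that eDirectory rejected the bind; note that these lines are only written when auth logging is enabled in radiusd.conf (log { auth = yes }).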