Getting no results with LDAP
Thanks for the tip with the NT Domain hack Brian.

Another problem is the LDAP Query itself. I get no result for my Username. But the User exists and when I use the ldapsearch command with the same filter I also get a result.
I use the latest CVS Version of Freeradius and openLDAP Version 2.1.22-1

rlm_ldap: - authorize
rlm_ldap: performing user authorization for sevcikb
radius_xlat: '(uid=sevcikb)'
radius_xlat: 'ou=People,ou=admin,dc=tgm.dc=ac,dc=at'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,ou=admin,dc=tgm.dc=ac,dc=at, with filter (uid=sevcikb)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
ldap_release_conn: Release Id: 0

Here's my config:

ldap {
    server = localhost
    identity = cn=admin,dc=tgm,dc=ac,dc=at
    password = xxx
    basedn = ou=People,ou=admin,dc=tgm.dc=ac,dc=at
    filter = (uid=%{Stripped-User-Name:-%{User-Name}})
    # base_filter = (objectclass=radiusprofile)

    # set this to 'yes' to use TLS encrypted connections
    # to the LDAP database by using the StartTLS extended
    # operation.
    # The StartTLS operation is supposed to be used with normal
    # ldap connections instead of using ldaps (port 689) connections
    start_tls = no

    # tls_cacertfile= /path/to/cacert.pem
    # tls_cacertdir = /path/to/ca/dir/
    # tls_certfile = /path/to/radius.crt
    # tls_keyfile = /path/to/radius.key
    # tls_randfile = /path/to/rnd
    # tls_require_cert = demand

    # default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
    # profile_attribute = radiusProfileDn
    # access_attr = dialupAccess

    # Mapping of RADIUS dictionary attributes to LDAP
    # directory attributes.
    dictionary_mapping = ${raddbdir}/ldap.attrmap

    ldap_connections_number = 5

    #
    # NOTICE: The password_header directive is NOT case insensitive
    #
    # password_header = {clear}
    #
    # The server can usually figure this out on its own, and pull
    # the correct User-Password or NT-Password from the database.
    #
    # Note that NT-Passwords MUST be stored as a 32-digit hex
    # string, and MUST start off with 0x, such as:
    #
    # 0x000102030405060708090a0b0c0d0e0f
    #
    # Without the leading 0x, NT-Passwords will not work.
    # This goes for NT-Passwords stored in SQL, too.
    # password_attribute = ntPassword
    # groupname_attribute = cn
    # groupmembership_filter = (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
    # groupmembership_attribute = radiusGroupName
    timeout = 4
    timelimit = 3
    net_timeout = 1
    # compare_check_items = yes
    # do_xlat = yes
    # access_attr_used_for_allow = yes
}

Thanks for help
Berndt

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Getting no results with LDAP
The problem is solved!
Sorry for the posting

Thanks
Berndt

On Tue, 2003-12-16 at 15:09, Sevcik Berndt wrote:
> Thanks for the tip with the NT Domain hack Brian.
>
> Another problem is the LDAP Query itself. I get no result for my Username. But the User exists and when I use the ldapsearch command with the same filter I also get a result.
> I use the latest CVS Version of Freeradius and openLDAP Version 2.1.22-1
>
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for sevcikb
> radius_xlat: '(uid=sevcikb)'
> radius_xlat: 'ou=People,ou=admin,dc=tgm.dc=ac,dc=at'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=People,ou=admin,dc=tgm.dc=ac,dc=at, with filter (uid=sevcikb)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> ldap_release_conn: Release Id: 0

--
This message was created with the kind support of a free-range penguin
kept in species-appropriate outdoor conditions.
It is guaranteed free of Microsoft viruses.
-
TGM - Die Schule der Technik
IT-Service
A-1200 Wien, Wexstr. 19-23
Tel. +43(1)33126/316
Fax: +43(1)33126/154
E-Mail: [EMAIL PROTECTED]
-
Re: Getting no results with LDAP
On Tue, 16 Dec 2003, Sevcik Berndt wrote:
> Thanks for the tip with the NT Domain hack Brian.
>
> Another problem is the LDAP Query itself. I get no result for my Username. But the User exists and when I use the ldapsearch command with the same filter I also get a result.
> I use the latest CVS Version of Freeradius and openLDAP Version 2.1.22-1
>
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for sevcikb
> radius_xlat: '(uid=sevcikb)'
> radius_xlat: 'ou=People,ou=admin,dc=tgm.dc=ac,dc=at'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=People,ou=admin,dc=tgm.dc=ac,dc=at, with filter (uid=sevcikb)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> ldap_release_conn: Release Id: 0

Check your ldap server ACIs
Check your ldap server logs
freeradius normally just uses the openldap libs (which are used by ldapsearch)
so there should be some kind of difference between the queries run by each one.

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
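Added example, not part of the original thread and not FreeRADIUS code: one way to act on the advice above and compare the two queries like for like. It reads the active settings of an rlm_ldap block (the constructed sample copies the values posted in this thread), builds the ldapsearch command that uses the same bind identity, base and filter, and flags any DN component holding a second "=" for review. All function names are hypothetical, and the comma split assumes DNs without escaped commas.

```python
import re
import shlex
# Constructed sample: the active (uncommented) settings posted in this thread.
SAMPLE_CONF = """
ldap {
    server = localhost
    identity = cn=admin,dc=tgm,dc=ac,dc=at
    password = xxx
    basedn = ou=People,ou=admin,dc=tgm.dc=ac,dc=at
    filter = (uid=%{Stripped-User-Name:-%{User-Name}})
    # base_filter = (objectclass=radiusprofile)
    start_tls = no
}
"""

def parse_ldap_block(text):
    """Collect 'key = value' settings, skipping comments and brace lines."""
    pairs = (l.strip().partition("=") for l in text.splitlines()
             if "=" in l and not l.strip().startswith("#"))
    return {k.strip(): v.strip() for k, _, v in pairs}

def escape_filter_value(value):
    """RFC 4515 escaping, so a user name cannot change the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def expand_filter(template, attrs):
    """Expand %{Attr} and %{Attr:-%{Fallback}} with request attributes."""
    def repl(m):
        value = attrs.get(m.group(1)) or attrs.get(m.group(2) or "", "")
        return escape_filter_value(value)
    return re.sub(r"%\{([\w-]+)(?::-%\{([\w-]+)\})?\}", repl, template)

def suspicious_rdns(dn):
    """DN components with a second '=' (naive comma split, no escapes)."""
    return [rdn.strip() for rdn in dn.split(",")
            if any(av.count("=") > 1 for av in rdn.split("+"))]

def ldapsearch_argv(settings, attrs):
    """Same server, bind DN, base and filter; -W prompts for the password."""
    argv = ["ldapsearch", "-x", "-H", "ldap://" + settings["server"],
            "-D", settings["identity"], "-W", "-b", settings["basedn"]]
    if settings.get("start_tls") == "yes":
        argv.append("-ZZ")  # require StartTLS when the module would use it
    return argv + [expand_filter(settings["filter"], attrs)]

if __name__ == "__main__":
    conf = parse_ldap_block(SAMPLE_CONF)
    print(shlex.join(ldapsearch_argv(conf, {"User-Name": "sevcikb"})))
    print("review:", suspicious_rdns(conf["basedn"]))
```

The bind password is never placed on the command line; typing it at the `-W` prompt exercises the same credential the module is configured with.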
Re: Getting no results with LDAP
The problem was the following line

password = xxx

The correct syntax is:

password = xxx

I copied this line from an earlier version of freeradius (about 0.9) and I think there it worked. But I updated also the openldap Server, so it is hard to say which part changed.

Berndt

On Tue, 2003-12-16 at 16:23, Kostas Kalevras wrote:
> On Tue, 16 Dec 2003, Sevcik Berndt wrote:
> > Thanks for the tip with the NT Domain hack Brian.
> >
> > Another problem is the LDAP Query itself. I get no result for my Username. But the User exists and when I use the ldapsearch command with the same filter I also get a result.
> > I use the latest CVS Version of Freeradius and openLDAP Version 2.1.22-1
> >
> > rlm_ldap: - authorize
> > rlm_ldap: performing user authorization for sevcikb
> > radius_xlat: '(uid=sevcikb)'
> > radius_xlat: 'ou=People,ou=admin,dc=tgm.dc=ac,dc=at'
> > ldap_get_conn: Got Id: 0
> > rlm_ldap: performing search in ou=People,ou=admin,dc=tgm.dc=ac,dc=at, with filter (uid=sevcikb)
> > rlm_ldap: object not found or got ambiguous search result
> > rlm_ldap: search failed
> > ldap_release_conn: Release Id: 0
>
> Check your ldap server ACIs
> Check your ldap server logs
> freeradius normally just uses the openldap libs (which are used by ldapsearch)
> so there should be some kind of difference between the queries run by each one.

--
This message was created with the kind support of a free-range penguin
kept in species-appropriate outdoor conditions.
It is guaranteed free of Microsoft viruses.
-
TGM - Die Schule der Technik
IT-Service
A-1200 Wien, Wexstr. 19-23
Tel. +43(1)33126/316
Fax: +43(1)33126/154
E-Mail: [EMAIL PROTECTED]
-