Hi,

I have got FreeRADIUS up and running. However, I have a few questions regarding the users. I have set up LDAP as the authentication backend for FreeRADIUS, so in my radiusd.conf file the ldap module section looks like this:

    ldap {
        server = 127.0.0.1
        identity = "cn=admin,dc=example,dc=com"
        password = secret
        basedn = "dc=example,dc=com"
        filter = "(uid=%u)"
        default_profile = "cn=radprofile,ou=People,dc=example,dc=com"
        access_group = "cn=radius_accounts,ou=People,dc=example,dc=com"
        access_attr = "uid"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        timeout = 4
        timelimit = 3
        net_timeout = 1
        ldap_debug = 0x0028
    }
The authorize section is:

    authorize {
        preprocess
    #   counter
    #   attr_filter
        suffix
        files
        ldap
    }

and the authenticate section is:

    authenticate {
    #   pam
        unix
    #   By grouping modules together in an authtype block, that authtype will be
    #   tried on each module in sequence until one returns REJECT or OK.  This
    #   allows authentication failover if the first SQL server has crashed, for
    #   example.
    #   authtype SQL {
    #       sql
    #       sql2
    #   }
        ldap
    }

My users file contains the directives:

    DEFAULT Auth-Type := LDAP
            Fall-Through = 1

    DEFAULT Auth-Type := System
            Fall-Through = 1

    #
    # Last default: shell on the local terminal server.
    #
    DEFAULT Service-Type = Shell-User

I tested the FreeRADIUS server by running the radtest command locally as:

    radtest basavaraj welcome123 localhost 10 testing123

and it seems to work fine. Both the authorization and authentication work fine. A DN by the name basavaraj is present in the LDAP directory and hence LDAP authenticates it successfully.

However, I commented all the entries in the users file and tested the RADIUS server with a different username, using the following command:

    radtest guest hello123 localhost 10 testing123

and it works fine too!!!

NOTE: The user guest has a DN entry in the LDAP directory. The module "files" returns notfound since there is no entry in the users file, yet the authorization is still done with ldap. I was under the impression that if a user-name is not present in the users file then the user should be denied access, OR am I doing something wrong here? Someone please help me. I have attached the log & debug output below.
-Raj

        User-Name = "guest"
        Password = "\373\312\t\203\003\231\225\227^c\031\340&\r\242_"
        NAS-IP-Address = 255.255.255.255
        NAS-Port-Id = "10"
        Framed-Protocol = PPP
    modcall: entering group authorize
    modcall[authorize]: module "preprocess" returns ok
    modcall[authorize]: module "suffix" returns ok
    modcall[authorize]: module "files" returns notfound
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for guest
    radius_xlat: '(uid=guest)'
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to localhost:389, authentication 0
    rlm_ldap: bind as cn=admin,dc=example,dc=com/secret
    rlm_ldap: waiting for bind result ...
    request 1 done
    rlm_ldap: performing search in dc=example,dc=com, with filter (uid=guest)
    request 2 done
    rlm_ldap: checking if remote access for guest is allowed by uid
    rlm_ldap: checking user membership in dialup-enabling group cn=radius_accounts,ou=people,dc=example,dc=com
    radius_xlat: '(| (& (objectClass=GroupOfNames) (member=uid=guest,ou=People,dc=example,dc=com)) (& (objectClass=GroupOfUniqueNames) (uniquemember=uid=guest,ou=People,dc=example,dc=com)))'
    rlm_ldap: performing search in cn=radius_accounts,ou=people,dc=example,dc=com, with filter (| (& (objectClass=GroupOfNames) (member=uid=guest,ou=People,dc=example,dc=com)) (& (objectClass=GroupOfUniqueNames) (uniquemember=uid=guest,ou=People,dc=example,dc=com)))
    request 3 done
    radius_xlat: '(objectclass=*)'
    rlm_ldap: performing search in cn=radprofile,ou=people,dc=example,dc=com, with filter (objectclass=*)
    request 4 done
    rlm_ldap: looking for check items in directory...
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: user guest authorized to use remote access
    modcall[authorize]: module "ldap" returns ok
    modcall: group authorize returns ok
    rad_check_password: Found Auth-Type LDAP
    auth: type "Ldap"
    modcall: entering group authenticate
    rlm_ldap: - authenticate
    rlm_ldap: login attempt by "guest" with password "hello123"
    radius_xlat: '(uid=guest)'
    rlm_ldap: user DN: uid=guest,ou=People,dc=example,dc=com
    rlm_ldap: (re)connect to localhost:389, authentication 1
    rlm_ldap: bind as uid=guest,ou=People,dc=example,dc=com/hello123
    rlm_ldap: waiting for bind result ...
    request 1 done
    rlm_ldap: user guest authenticated succesfully
    modcall[authenticate]: module "ldap" returns ok
    modcall: group authenticate returns ok

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
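The debug output above already contains the answer to the question: "files" returning notfound does not end the authorize group, the ldap module then returns ok and sets Auth-Type LDAP, and the group result is ok, so the request goes on to the ldap bind in authenticate. The following Python model is an added illustration, not part of the original post and not FreeRADIUS code. It reproduces that module chain and also runs a users file whose DEFAULT entry sets Auth-Type := Reject, which is how a users file can deny anyone it does not list explicitly. The return-code priority table, the simplified module behaviour (first matching users entry wins, Fall-Through is not modelled, the code returned on a failed access_group check) and the directory and users-file contents are all assumptions constructed for this example.

```python
"""Model of the FreeRADIUS 1.x authorize/authenticate flow shown in the post.

Added illustration, not FreeRADIUS code. The priority table, module behaviour
and data below are simplified assumptions constructed for this example.
"""

# Assumed default handling of module return codes in an 'authorize' section:
# a higher number replaces the group's running result, and any code mapped to
# "return" stops the group immediately with that code.
AUTHORIZE_PRIORITY = {
    "notfound": 1, "noop": 2, "ok": 3, "updated": 4,
    "fail": "return", "reject": "return", "userlock": "return",
    "invalid": "return", "handled": "return",
}

# Constructed sample directory: uid -> (password, member of cn=radius_accounts)
DIRECTORY = {
    "basavaraj": ("welcome123", True),
    "guest": ("hello123", True),
    "contractor": ("s3cret", False),   # has a DN but is not in access_group
}


def run_group(modules, request, priority=AUTHORIZE_PRIORITY):
    """Run (name, module) pairs in order; return (group result, trace)."""
    group_result, best = "noop", 0
    trace = []
    for name, module in modules:
        code = module(request)
        trace.append((name, code))
        rank = priority[code]
        if rank == "return":
            return code, trace          # reject/fail/... end the group at once
        if rank > best:
            group_result, best = code, rank
    return group_result, trace


def make_files(users_file):
    """'files' module: first matching entry wins (Fall-Through not modelled).
    An empty users_file reproduces the post's 'everything commented out'."""
    def files(request):
        entry = users_file.get(request["User-Name"], users_file.get("DEFAULT"))
        if entry is None:
            return "notfound"
        request.update(entry)           # entry's check items land on the request
        return "ok"
    return files


def ldap_authorize(request):
    """rlm_ldap in authorize: find the uid, check access_group, set Auth-Type."""
    user = DIRECTORY.get(request["User-Name"])
    if user is None:
        return "notfound"
    if not user[1]:
        return "userlock"               # assumed code for a failed access_group check
    request.setdefault("Auth-Type", "LDAP")   # only if nothing set it earlier
    return "ok"


def ldap_authenticate(request):
    """rlm_ldap in authenticate: bind as the user's DN with the supplied password."""
    user = DIRECTORY.get(request["User-Name"])
    if user is None or request["User-Password"] != user[0]:
        return "reject"
    return "ok"


def access_request(username, password, users_file):
    """Return ('Access-Accept' | 'Access-Reject', trace of module results)."""
    request = {"User-Name": username, "User-Password": password}
    authorize = [
        ("preprocess", lambda r: "ok"),
        ("suffix", lambda r: "ok"),
        ("files", make_files(users_file)),
        ("ldap", ldap_authorize),
    ]
    result, trace = run_group(authorize, request)
    if AUTHORIZE_PRIORITY[result] == "return":
        return "Access-Reject", trace
    auth_type = request.get("Auth-Type")
    if auth_type is None or auth_type == "Reject":
        return "Access-Reject", trace   # rad_check_password finds no usable Auth-Type
    result, auth_trace = run_group([("ldap", ldap_authenticate)], request)
    trace.extend(("authenticate/" + name, code) for name, code in auth_trace)
    return ("Access-Accept" if result == "ok" else "Access-Reject"), trace


if __name__ == "__main__":
    # Reproduces the log above: files notfound, ldap ok, bind ok -> Accept.
    print(access_request("guest", "hello123", {}))
    # A users file that lists basavaraj and rejects everyone else.
    strict = {"basavaraj": {"Auth-Type": "LDAP"}, "DEFAULT": {"Auth-Type": "Reject"}}
    print(access_request("guest", "hello123", strict))
```

Two things the model makes visible that a single Access-Accept does not: the authorize group keeps the highest-priority result seen, so one module's notfound is overridden by a later ok, and the actual access decision for guest came from the ldap module's access_group check plus the bind, not from the users file. Note also that the debug log above prints both the admin bind password from the ldap section and the user's password in clear, so ldap_debug and -X level debugging should be switched off once the configuration is working.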