On 13 May 2002, Michael Klatsky wrote:

> I thought I would place a general post regarding the Access packets...
>
> While I successfully authenticate, I cannot seem to formulate a working packet which authenticates AND authorizes. With 3 1/2 years of working with 2 other (commercial) radius servers, I thought I would have gotten this by now. :(
>
> Below is the response from my test:
>
> rad# radclient -f test.auth localhost auth xxxxx
> Received response ID 90, code 3, length = 20
>
> Here is my test.auth:
>
> User-Name = gozilla
> User-Password = xxxxx
> Nas-IP-Address = 127.0.0.1
> Nas-Port-ID = 0
> Service-Type = Framed-User
> Class = AnalogUser
>
> And here are some log entries:
>
> rlm_ldap: checking if remote access for gozilla is allowed by radiusClass
> rlm_ldap: checking user membership in dialup-enabling group ou=People,o=CTTEL,c=US
> radius_xlat: 'ou=People,o=CTTEL,c=US'
> radius_xlat: ''(&(uid=gozilla)(o=cttel.net))''
> rlm_ldap: performing search in ou=People,o=CTTEL,c=US, with filter '(&(uid=gozilla)(o=cttel.net))'
> rlm_ldap: object not found or got ambiguous search result
> ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns userlock
> modcall: group authorize returns userlock
> Invalid user (rlm_ldap: User is not an access group member): [gozilla/xxxxxx] (from nas local port 0)
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> Thread 1 waiting to be assigned a request
> rad_recv: Access-Request packet from host 127.0.0.1:33879, id=90, length=74
> Sending duplicate authentication reply to client localhost:33879 - ID: 90
> Sending Access-Reject of id 90 to 127.0.0.1:33879
>
> The result of an ldapsearch as below returns what is expected.
>
> ldapsearch -x -v -hloon.cttel.net -bou=People,o=CTTEL,c=US '(&(uid=gozilla)(o=cttel.net))'
>
> I am running my ldap server in debug mode, and am seeing a failed inquiry, using exactly the information above, so I am wondering whether there is a bug, or a fundamental misunderstanding on my part of how to configure this portion of a freeradius server.
>
> If more info is needed, please let me know. Thanks again, as I'm sure I am not unique in hoping to document step by step the process of setting up and testing the freeradius server. It IS a very nice piece of software.
>
> --
> Sincerely,
>
> Michael Klatsky
> Senior Unix Administrator
> Connecticut Telephone
> 1 Talcott Plaza
> Hartford, CT 06103
> 1-860-240-6496
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
You are using group membership access without having defined a group. The way you have configured it, the ldap module will try to find out if user gozilla is a member of the group ou=People,o=CTTEL,c=US. In your case, though, ou=People,o=CTTEL,c=US is just the base for your ldap search and not an ldap group. So you should either use a valid group or disable the access_group configuration directive (just comment it out).

The comment in doc/rlm_ldap, 'means all users located in the LDAP tree under specified "basedn"', applies to the default access_group (NULL).

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
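As an added illustration that is not part of the thread, here is a radiusd.conf `ldap { }` block showing the misconfiguration Kostas describes beside the two fixes he suggests. The directive names (`server`, `basedn`, `filter`, `access_group`) are the FreeRADIUS 0.x rlm_ldap directives the thread refers to; the server name, the `%u` user filter and the `cn=dialup,ou=Groups,...` group DN are assumed placeholders, not Michael's real settings.

```text
# Misconfigured: access_group is set to the search base. rlm_ldap treats
# that DN as the dial-up group, finds no membership there, and the
# authorize section returns "userlock", which ends as an Access-Reject.
ldap {
    server       = "ldap.example.net"               # assumed placeholder
    basedn       = "ou=People,o=CTTEL,c=US"
    filter       = "(&(uid=%u)(o=cttel.net))"       # %u = User-Name
    access_group = "ou=People,o=CTTEL,c=US"         # WRONG: this is the basedn, not a group
}

# Fix 1: point access_group at a real LDAP group object (assumed DN)
# and make the dial-up users members of that group.
ldap {
    server       = "ldap.example.net"               # assumed placeholder
    basedn       = "ou=People,o=CTTEL,c=US"
    filter       = "(&(uid=%u)(o=cttel.net))"
    access_group = "cn=dialup,ou=Groups,o=CTTEL,c=US"   # assumed group DN
}

# Fix 2: leave access_group at its default (NULL) by commenting it out.
# Per doc/rlm_ldap, NULL means every user found under basedn is allowed,
# so the user filter alone decides who gets in.
ldap {
    server       = "ldap.example.net"               # assumed placeholder
    basedn       = "ou=People,o=CTTEL,c=US"
    filter       = "(&(uid=%u)(o=cttel.net))"
    # access_group = "ou=People,o=CTTEL,c=US"
}
```

Fix 1 is the tighter choice from an access-control standpoint: only users explicitly placed in the group get dial-up access, whereas Fix 2 admits anyone who matches the user filter under the base DN. After either change, re-run the `radclient -f test.auth localhost auth xxxxx` test from the original post and confirm the log no longer shows "User is not an access group member".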
