Dear Radius Users,
I am using FR-0.7 to authenticate against an OpenLDAP-2.0 GROUP. I have only one
group, called "G022", and members of the group will be able to connect only
between 11pm and 8am. My radius users file has only the following two entries.
##########USERS###########
DEFAULT AUTH-TYPE := LDAP
	Fall-Through = 1

DEFAULT Ldap-Group == "G022", Current-Time := "Any2300-0800"
	Service-Type = Framed-User,
	Framed-Protocol = PPP
All users not belonging to the above group will be authenticated and will be
billed by our billing software. But when I run radiusd in debug mode, I get an
error and the user is getting an Access-Reject packet. Please help!!!
##################LDIF################
dn: dc=neline,dc=com
dc: neline
objectClass: top
objectClass: domain

dn: ou=radius, dc=neline,dc=com
ou: radius
objectClass: organizationalUnit
objectClass: top

dn: uid=testing,ou=radius, dc=neline,dc=com
sn: testing
userPassword:: bmVsaW5l
loginShell: /bin/noshell
l: testing
uidNumber: 1500
gidNumber: 1000
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: testing
cn: testing
homeDirectory: /home/testing
description: test acct for radius auth

dn: ou=usergroup, dc=neline,dc=com
ou: usergroup
objectClass: top
objectClass: organizationalUnit

dn: cn=testgroup,ou=usergroup, dc=neline,dc=com
gidNumber: 1000
memberUid: testing
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixGroup
uniqueMember: uid=testing,ou=radius,dc=neline,dc=com
cn: testgroup
##################radiusd.conf##########
ldap {
	server = "192.9.168.2"
	# identity = "cn=admin,o=My Org,c=UA"
	# password = mypass
	basedn = "dc=neline,dc=com"
	filter = "(&(objectclass=posixaccount)(uid=%u))"
	# set this to 'yes' to use TLS encrypted connections
	# to the LDAP database.
	start_tls = no
	# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
	# profile_attribute = "radiusProfileDn"
	access_group = "cn=testgroup,ou=usergroup,dc=neline,dc=com"
	#access_attr = "dialupAccess"
	# Mapping of RADIUS dictionary attributes to LDAP
	# directory attributes.
	dictionary_mapping = ${raddbdir}/ldap.attrmap
	# ldap_cache_timeout = 120
	# ldap_cache_size = 0
	ldap_connections_number = 5
	# password_header = "{clear}"
	#password_attribute = userPassword
	groupname_attribute = cn
	groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
	timeout = 4
	timelimit = 3
	net_timeout = 1
	# compare_check_items = yes
	# access_attr_used_for_allow = yes
}
##################RADIUSD############
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/var"
main: logdir = "/var/log"
main: libdir = "/usr/local/lib"
main: radacctdir = "/var/log/radacct"
main: hostname_lookups = no
read_config_files: reading dictionary
read_config_files: reading clients
read_config_files: reading realms
read_config_files: reading naslist
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
security: max_attributes = 200
security: reject_delay = 1
main: debug_level = 0
read_config_files: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded LDAP
ldap: server = "192.9.168.2"
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: ldap_cache_timeout = 0
ldap: ldap_cache_size = 0
ldap: identity = ""
ldap: start_tls = no
ldap: password = ""
ldap: basedn = "dc=neline,dc=com"
ldap: filter = "(&(objectclass=posixaccount)(uid=%u))"
ldap: default_profile = "(null)"
ldap: profile_attribute = "(null)"
ldap: access_group = "cn=testgroup,ou=usergroup,dc=neline,dc=com"
ldap: password_header = "(null)"
ldap: password_attribute = "(null)"
ldap: access_attr = "(null)"
ldap: groupname_attribute = "cn"
ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap"
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
conns: (nil)
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP maxlogins mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP rategroupid mapped to RADIUS Group
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
conns: 0x80ba7b8
Module: Instantiated ldap (ldap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded detail
detail: detailfile = "/var/log/radacct/%{Client-IP-Address}/detail.local"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/radutmp"
radutmp: username = "%{User-Name}"
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 192.9.168.10:63008, id=1, length=47
	User-Name = "testing"
	User-Password = "\215\365\030\211\244\375)\351\262WI6e$\320\322"
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
users: Matched DEFAULT at 19
modcall[authorize]: module "files" returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testing
radius_xlat: '(&(objectclass=posixaccount)(uid=testing))'
radius_xlat: 'dc=neline,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.9.168.2:389, authentication 0
rlm_ldap: setting TLS mode to 4
rlm_ldap: bind as / to 192.9.168.2:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in dc=neline,dc=com, with filter (&(objectclass=posixaccount)(uid=testing))
rlm_ldap: checking user membership in dialup-enabling group cn=testgroup,ou=usergroup,dc=neline,dc=com
radius_xlat: 'cn=testgroup,ou=usergroup,dc=neline,dc=com'
radius_xlat: '(|(&(objectClass=GroupOfNames)(member=uid=testing,ou=radius,dc=neline,dc=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=testing,ou=radius,dc=neline,dc=com)))'
rlm_ldap: performing search in cn=testgroup,ou=usergroup,dc=neline,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=uid=testing,ou=radius,dc=neline,dc=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=testing,ou=radius,dc=neline,dc=com)))
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns userlock
modcall: group authorize returns userlock
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 1 to 192.9.168.10:63008
Waking up in 4 seconds...
MASTER: exit on signal (2)

Sorry for this long mail. But I would really appreciate it if somebody could tell
me where I am wrong or if any extra configuration is needed. I know I am missing
a very small thing somewhere!!!
Atanu Das
System Development
SS NetCom Pvt Ltd.
Dhankheti Shillong-793003
Ph: 91+361+502355
Visit us at: http://www.neline.com
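Editor's note. The debug output above fails at one precise step: rlm_ldap runs the posted groupmembership_filter against the access_group entry and reports "object not found or got ambiguous search result". The script below is an added example (not FreeRADIUS or OpenLDAP code) that replays that decision offline: it parses the posted group entry from a constructed LDIF, substitutes the user DN into the posted filter, and evaluates it with LDAP matching rules (attribute names and objectClass values compared case-insensitively, member/uniqueMember compared as normalized DNs, so "ou=radius, dc=neline" and "ou=radius,dc=neline" are the same DN). It also models the "Any2300-0800" window from the users file, including the wrap past midnight, so the whole policy can be checked on a clock value. The filter parser, `normalize_dn`, `in_time_window` and `authorize` are hypothetical helpers written for this example; the time-window parser only understands the "Any" day prefix, which is an assumption. The useful check it gives a practitioner: if the posted data and filter match here but the real server says "not found", the difference is in what the server returned to the bind that was used (the posted config has identity/password commented out and the log shows "bind as /", an anonymous bind), not in the filter text.

```python
"""Offline replay of the two checks behind the posted users-file entry:
the rlm_ldap access_group membership filter and the Any2300-0800 window.
Added example, not FreeRADIUS or OpenLDAP code. The LDIF and the filter are
copied from the post; the evaluator is a small hypothetical RFC 4515 subset."""
import re
from datetime import datetime

# Constructed LDIF: the two posted entries the check uses (userPassword and the
# container entries are left out; '::' base64 values are not handled here).
LDIF = """\
dn: uid=testing,ou=radius, dc=neline,dc=com
objectClass: posixAccount
uid: testing

dn: cn=testgroup,ou=usergroup, dc=neline,dc=com
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixGroup
uniqueMember: uid=testing,ou=radius,dc=neline,dc=com
memberUid: testing
cn: testgroup
"""

# groupmembership_filter exactly as in the posted radiusd.conf
GROUP_FILTER = ("(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
                "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))")

DN_ATTRS = {"member", "uniquemember"}   # DN-syntax attributes: compared as DNs


def normalize_dn(dn):
    """distinguishedNameMatch, simplified: strip space around RDN separators, ignore case."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Return {normalized dn: {attribute name lowercased: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        entries[normalize_dn(dn)] = attrs
    return entries


def parse_filter(s, i=0):
    """Recursive-descent parser for (&...), (|...), (!...) and (attr=value).
    Returns (node, index just after the closing parenthesis)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = parse_filter(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, children), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")   # split on the first '=' only: the value may be a DN
    return ("=", attr.lower(), value), end + 1


def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes."""
    op = node[0]
    if op == "&":
        return all(matches(c, attrs) for c in node[1])
    if op == "|":
        return any(matches(c, attrs) for c in node[1])
    if op == "!":
        return not matches(node[1][0], attrs)
    _, attr, wanted = node
    norm = normalize_dn if attr in DN_ATTRS else str.lower   # caseIgnoreMatch otherwise
    return any(norm(v) == norm(wanted) for v in attrs.get(attr, []))


def user_in_access_group(entries, user_dn, group_dn):
    """rlm_ldap's access_group step: search at the group DN with the membership filter.
    False here corresponds to the 'object not found' line in the debug output."""
    group = entries.get(normalize_dn(group_dn))
    if group is None:
        return False
    node, _ = parse_filter(GROUP_FILTER.replace("%{Ldap-UserDn}", user_dn))
    return matches(node, group)


def in_time_window(spec, now):
    """'Any2300-0800' style window. Assumption: only the 'Any' day prefix is modelled;
    a range whose end is earlier than its start wraps past midnight."""
    m = re.fullmatch(r"Any(\d{2})(\d{2})-(\d{2})(\d{2})", spec)
    if not m:
        raise ValueError("unsupported time spec: %r" % spec)
    start = int(m.group(1)) * 60 + int(m.group(2))
    end = int(m.group(3)) * 60 + int(m.group(4))
    cur = now.hour * 60 + now.minute
    if start <= end:
        return start <= cur < end
    return cur >= start or cur < end


def authorize(entries, user_dn, group_dn, time_spec, now):
    """Both checks in order; returns (accept, reason)."""
    if not user_in_access_group(entries, user_dn, group_dn):
        return False, "not in access_group"
    if not in_time_window(time_spec, now):
        return False, "outside %s" % time_spec
    return True, "ok"


if __name__ == "__main__":
    E = parse_ldif(LDIF)
    print(authorize(E, "uid=testing,ou=radius,dc=neline,dc=com",
                    "cn=testgroup,ou=usergroup,dc=neline,dc=com",
                    "Any2300-0800", datetime(2003, 1, 1, 23, 30)))
```

Against the posted data the filter matches the group entry, because the second branch (objectClass=GroupOfUniqueNames with a matching uniquemember) is satisfied even though the first branch (GroupOfNames/member) is not. A server-side "not found" for the same search therefore points at the entry being invisible to the anonymous bind rather than at the filter itself, which is the first thing to confirm with the directory's own tools before touching radiusd.conf.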
