Hello,
Using freeradius-0.9.1 against openldap-2.1.22. I was able to get this all set up fine using passwords, but I have a situation where I would like to authenticate all users with LDAP entries, and just pull the attributes out of LDAP. Trying to use 'access_attr' to do this. The problem is, I seem to be able to connect and authorize to radius and get LDAP attributes returned, but it always tries to rebind to LDAP as the userid (but there is no password), so that part always fails. Can access_attr be used for BOTH authorization and authentication? Here are some relevant configs and debug output. I tried "DEFAULT Auth-Type := Accept" in the users file, and still it tries to authenticate by binding to LDAP as the user.
Andreas
ldap {
ldap_debug = 0x0028
server = "localhost"
identity = "cn=manager,dc=speakeasy,dc=net"
password = uh^d0rg@
basedn = "ou=dsl,dc=speakeasy,dc=net"
filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
# set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
# The StartTLS operation is supposed to be used with normal
# ldap connections instead of using ldaps (port 689) connections
start_tls = no
#default_profile = "ou=dsl,dc=speakeasy,dc=net"
#profile_attribute = "radiusprofile"
access_attr = "objectClass"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
# password_header = "{clear}"
# password_attribute = userPassword
# groupname_attribute = cn
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
#compare_check_items = yes
access_attr_used_for_allow = yes
}
authorize {
ldap
}
authenticate {
Auth-Type LDAP {
ldap
}
}
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32807, id=20, length=59
User-Name = "bridged"
User-Password = "pass"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
modcall: entering group authorize
rlm_ldap: - authorize
rlm_ldap: performing user authorization for bridged
radius_xlat: '(cn=bridged)'
radius_xlat: 'ou=dsl,dc=speakeasy,dc=net'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=manager,dc=speakeasy,dc=net/uh^d0rg@ to localhost:389
rlm_ldap: waiting for bind result ...
request 1 done
rlm_ldap: performing search in ou=dsl,dc=speakeasy,dc=net, with filter (cn=bridged)
request 2 done
rlm_ldap: checking if remote access for bridged is allowed by objectClass
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding cn as User-Name, value bridged & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFramedIPNetmask as Framed-IP-Netmask, value 255.255.255.0 & op=11
rlm_ldap: Adding radiusFramedIPAddress as Framed-IP-Address, value 216.254.0.26 & op=11
rlm_ldap: user bridged authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group Auth-Type
rlm_ldap: - authenticate
rlm_ldap: login attempt by "bridged" with password "pass"
rlm_ldap: user DN: cn=bridged,ou=dsl,dc=speakeasy,dc=net
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as cn=bridged,ou=dsl,dc=speakeasy,dc=net/pass to localhost:389
rlm_ldap: waiting for bind result ...
request 1 done
rlm_ldap: cn=bridged,ou=dsl,dc=speakeasy,dc=net bind to localhost:389 failed Inappropriate authentication
rlm_ldap: ldap_connect() failed
modcall[authenticate]: module "ldap" returns fail
modcall: group Auth-Type returns fail
auth: Failed to validate the user.
Sending Access-Reject of id 20 to 127.0.0.1:32807
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
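Added example, not part of the post and not FreeRADIUS project code: a small Python parser run over a constructed copy of the rlm_ldap debug lines quoted above. It separates the authorize-phase bind (as the configured identity) from the authenticate-phase bind (as the user's DN), reports which bind failed and with what reason, and redacts the credentials that radiusd's debug output prints in clear text (the manager password, the User-Password, and the user bind), so the transcript can be shared without leaking them. The line formats it matches are taken from the output above; the sample text, the finding wording, and the assumption that a DN contains no '/' are mine.

```python
import re

# Constructed sample, modelled on the rlm_ldap debug output quoted in the post.
SAMPLE_DEBUG = """\
rlm_ldap: - authorize
rlm_ldap: performing user authorization for bridged
rlm_ldap: bind as cn=manager,dc=speakeasy,dc=net/uh^d0rg@ to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=dsl,dc=speakeasy,dc=net, with filter (cn=bridged)
rlm_ldap: checking if remote access for bridged is allowed by objectClass
rlm_ldap: user bridged authorized to use remote access
rad_check_password: Found Auth-Type LDAP
rlm_ldap: - authenticate
rlm_ldap: login attempt by "bridged" with password "pass"
rlm_ldap: user DN: cn=bridged,ou=dsl,dc=speakeasy,dc=net
rlm_ldap: bind as cn=bridged,ou=dsl,dc=speakeasy,dc=net/pass to localhost:389
rlm_ldap: cn=bridged,ou=dsl,dc=speakeasy,dc=net bind to localhost:389 failed Inappropriate authentication
modcall[authenticate]: module "ldap" returns fail
Sending Access-Reject of id 20 to 127.0.0.1:32807
"""

# Line shapes as printed by rlm_ldap in the transcript above.  Assumption: the bind DN
# itself contains no '/', so the first '/' separates DN from the clear-text password.
BIND_RE = re.compile(r"^rlm_ldap: bind as (?P<dn>.+?)/(?P<secret>.*) to (?P<host>\S+)$")
BIND_FAIL_RE = re.compile(r"^rlm_ldap: (?P<dn>.+) bind to (?P<host>\S+) failed (?P<reason>.+)$")
LOGIN_RE = re.compile(r'^rlm_ldap: login attempt by "(?P<user>[^"]*)" with password "(?P<secret>[^"]*)"$')
AUTHTYPE_RE = re.compile(r"^rad_check_password: Found Auth-Type (?P<type>\S+)$")
RESULT_RE = re.compile(r"^Sending (?P<result>Access-Accept|Access-Reject) of id (?P<id>\d+) to (?P<peer>\S+)$")


def redact_line(line: str) -> str:
    """Return the line with any credential material replaced by <redacted>."""
    m = BIND_RE.match(line)
    if m:
        return f"rlm_ldap: bind as {m['dn']}/<redacted> to {m['host']}"
    m = LOGIN_RE.match(line)
    if m:
        return f'rlm_ldap: login attempt by "{m["user"]}" with password "<redacted>"'
    return line


def analyze(debug_text: str) -> dict:
    """Summarise one request's rlm_ldap activity and flag credential exposure."""
    phase = "unknown"
    report = {"auth_type": None, "result": None, "binds": [], "failed_binds": [],
              "secrets_exposed": 0, "redacted": [], "findings": []}
    for raw in debug_text.splitlines():
        line = raw.strip()
        # "rlm_ldap: - authorize" / "rlm_ldap: - authenticate" mark the module phase.
        if line in ("rlm_ldap: - authorize", "rlm_ldap: - authenticate"):
            phase = line.split("- ")[1]
        if m := BIND_RE.match(line):
            report["binds"].append((phase, m["dn"], m["host"]))
            report["secrets_exposed"] += 1
        elif m := BIND_FAIL_RE.match(line):
            report["failed_binds"].append((m["dn"], m["host"], m["reason"]))
        elif LOGIN_RE.match(line):
            report["secrets_exposed"] += 1
        elif m := AUTHTYPE_RE.match(line):
            report["auth_type"] = m["type"]
        elif m := RESULT_RE.match(line):
            report["result"] = m["result"]
        report["redacted"].append(redact_line(line))

    for dn, host, reason in report["failed_binds"]:
        if reason.startswith("Inappropriate authentication"):
            report["findings"].append(
                f"simple bind as {dn} at {host} was refused with 'Inappropriate authentication': "
                "the directory would not check a password bind for that entry (in OpenLDAP this is "
                "typical of an entry with no userPassword). Auth-Type LDAP always binds as the user; "
                "access_attr only gates the authorize-phase 'remote access ... allowed by' check.")
    if report["secrets_exposed"]:
        report["findings"].append(
            f"{report['secrets_exposed']} credential(s) appear in clear text in this debug output; "
            "share only the redacted copy.")
    return report


if __name__ == "__main__":
    summary = analyze(SAMPLE_DEBUG)
    for finding in summary["findings"]:
        print("FINDING:", finding)
    print("\n".join(summary["redacted"]))
```

Run with the output of radiusd -X piped in (after swapping SAMPLE_DEBUG for stdin) to get the phase-by-phase bind summary plus a transcript safe to paste into a list post.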