On Fri, 7 Nov 2003, Peter Bates wrote:

>
> Hello all...
>
> Freeradius 0.9.2, built as an RPM on RedHat 7.3.
> I'm using LDAP support to try and authenticate users against
> Novell's eDirectory (which has the LDAP 'interface', as it were).
>
> Our usernames are generally like: (or the full DN)
> cn=Anstpbat,ou=NST,ou=AS,o=LSHTM
>
> but they are all over the 'tree', so we have a container (in Novell
> speak, don't know if it's an LDAP term!) called 'Login.lshtm', or
> 'ou=Login,o=LSHTM'.
>
> I've been configuring radiusd.conf with that as the basedn:
>
> basedn = "ou=Login,o=LSHTM"
> filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
>
> And I get:
>
> rad_recv: Access-Request packet from host 127.0.0.1:1619, id=248,
> length=60
>         User-Name = "anstpbat"
>         User-Password = "qwert1e"
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 0
> modcall: entering group Auth-Type for request 0
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "anstpbat" with password "qwert1e"
> rlm_ldap: user DN: cn=Anstpbat,ou=Login,o=LSHTM
> rlm_ldap: (re)connect to 193.63.251.176:636, authentication 1
> rlm_ldap: setting TLS mode to 1
> rlm_ldap: bind as cn=Anstpbat,ou=Login,o=LSHTM/qwert1e to
> 193.63.251.176:636
> rlm_ldap: waiting for bind result ...
>   modcall[authenticate]: module "ldap" returns reject for request 0
> modcall: group Auth-Type returns reject for request 0
> auth: Failed to validate the user.
> Login incorrect (rlm_ldap: Bind as user failed): [anstpbat/qwert1e]
> (from client localhost port 0)
>
> If I fix the basedn as the actual 'unaliased' container:
>
> basedn = "ou=NST,ou=AS,o=LSHTM"
>
> I get:
>
> rad_recv: Access-Request packet from host 127.0.0.1:1621, id=57,
> length=60
>         User-Name = "anstpbat"
>         User-Password = "qwert1e"
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 0
> modcall: entering group Auth-Type for request 0
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "anstpbat" with password "qwert1e"
> rlm_ldap: user DN: cn=Anstpbat,ou=NST,ou=AS,o=LSHTM
> rlm_ldap: (re)connect to 193.63.251.176:636, authentication 1
> rlm_ldap: setting TLS mode to 1
> rlm_ldap: bind as cn=Anstpbat,ou=NST,ou=AS,o=LSHTM/qwert1e to
> 193.63.251.176:636
> rlm_ldap: waiting for bind result ...
> rlm_ldap: user anstpbat authenticated succesfully
>   modcall[authenticate]: module "ldap" returns ok for request 0
> modcall: group Auth-Type returns ok for request 0
> Login OK: [anstpbat] (from client localhost port 0)
> Sending Access-Accept of id 57 to 127.0.0.1:1621
>
> So, we have 'rlm_ldap: user anstpbat authorized to use remote access'
> in both cases, so it's obviously reading something, but then can't do
> the actual bind as the user, unless directed to the complete DN, rather
> than trying to follow the 'alias'.

Well it can access the entry but it finds a different DN in each case.
And that is probably why the BIND operation with the aliased DN fails.

>
> There is an object, 'aliasedObjectName' which contains the complete
> name:
> aliasedObjectName: cn=Anstpbat,ou=NST,ou=AS,o=LSHTM
>
> Is there a way I can retrieve this initially, and then use this 'cn'
> result as the parameter to the bind for the password?

If that attribute is contained in the user entry you could probably map the
Ldap-UserDn attribute to that one in ldap.attrmap. Something like:

checkItem       Ldap-UserDn     aliasedObjectName

though I haven't checked it.

>
> I hope I've explained the above clearly... I'm not sure (but I'm
> presuming) that these 'aliases' (essentially shortcuts to other bits of
> the tree) are not standard LDAP items.

No they aren't from what I can see. LDAP references are the standard way to go
for these things.

> However, we authenticate boxes in
> a similar way using PAM and LDAP (for FTP/SSH, etc.), and that does
> somehow seem to follow the reference down from 'login.lshtm' down to the
> proper DN.

I don't know how PAM_LDAP works exactly. In any case rlm_ldap will just do
normal ldap operations and use the results. If that fails then it's mostly due
to the ldap server not doing something correctly.

>
> I'd be grateful for any suggestions!
>
>
>
> --------------------------------------------------------------------------------------------------->
> Peter Bates, Systems Support Officer, Network Support Team.
> London School of Hygiene & Tropical Medicine.
> Telephone:0207-958 8353 / Fax: 0207- 636 9838
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]       National Technical University of Athens, Greece
Work Phone:             +30 210 7721861
'Go back to the shadow' Gandalf
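The search-then-bind flow discussed in the thread, with the alias dereferenced through aliasedObjectName before the bind, as an added Python example that is not from the post or from FreeRADIUS. It runs against a constructed in-memory directory (the DNs follow the containers shown above, the password is made up) rather than a live eDirectory, and also guards against alias loops, which the thread does not mention.

```python
from typing import Optional, Tuple

# Constructed in-memory directory modelled on the thread's layout: the real user
# entry lives under ou=NST,ou=AS,o=LSHTM, while ou=Login,o=LSHTM holds only an
# alias. Alias entries carry no userPassword, so a bind as the alias DN fails.
DIRECTORY = {
    "cn=Anstpbat,ou=NST,ou=AS,o=LSHTM": {
        "objectClass": ["inetOrgPerson"], "cn": ["Anstpbat"],
        "userPassword": ["sample-password"]},          # made-up sample value
    "cn=Anstpbat,ou=Login,o=LSHTM": {
        "objectClass": ["alias"], "cn": ["Anstpbat"],
        "aliasedObjectName": ["cn=Anstpbat,ou=NST,ou=AS,o=LSHTM"]},
}


def search(basedn: str, cn: str) -> Optional[str]:
    """Subtree search for (cn=<cn>) under basedn, like rlm_ldap's
    filter "(cn=%{User-Name})"; aliases are NOT dereferenced here."""
    suffix = "," + basedn.lower()
    for dn, attrs in DIRECTORY.items():
        if dn.lower().endswith(suffix) and cn.lower() in [v.lower() for v in attrs["cn"]]:
            return dn
    return None


def dereference_alias(dn: str, max_hops: int = 5) -> str:
    """Follow aliasedObjectName until a non-alias entry; refuse loops and long chains."""
    seen = set()
    while dn in DIRECTORY and "alias" in DIRECTORY[dn]["objectClass"]:
        if dn in seen or len(seen) >= max_hops:
            raise ValueError(f"alias loop or chain too long at {dn}")
        seen.add(dn)
        dn = DIRECTORY[dn]["aliasedObjectName"][0]
    return dn


def simple_bind(dn: str, password: str) -> bool:
    """Simulated simple bind: only an entry with a matching userPassword accepts."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry.get("userPassword", [])


def authenticate(basedn: str, user: str, pw: str, follow_aliases: bool) -> Tuple[bool, Optional[str]]:
    """rlm_ldap-style flow: search for the user's DN, optionally dereference it
    via aliasedObjectName, then bind as that DN. Returns (accepted, dn_used)."""
    dn = search(basedn, user)
    if dn is None:
        return False, None
    if follow_aliases:
        dn = dereference_alias(dn)
    return simple_bind(dn, pw), dn
```

With follow_aliases=False and basedn ou=Login,o=LSHTM the bind is attempted as the alias DN and is rejected, reproducing the first log; dereferencing first yields the real DN and the bind succeeds.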
