On Tue, 16 Dec 2003, Sevcik Berndt wrote:

> Thanks for the tip with the NT Domain hack Brian.
>
> Another problem is the LDAP query itself. I get no result for my username.
> But the user exists and when I use the ldapsearch command with the
> same filter I also get a result.
>
> I use the latest CVS Version of Freeradius
> and openLDAP Version 2.1.22-1
>
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for sevcikb
> radius_xlat:  '(uid=sevcikb)'
> radius_xlat:  'ou=People,ou=admin,dc=tgm.dc=ac,dc=at'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=People,ou=admin,dc=tgm.dc=ac,dc=at, with filter (uid=sevcikb)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> ldap_release_conn: Release Id: 0

Check your ldap server ACIs
Check your ldap server logs

freeradius normally just uses the openldap libs (which are used by ldapsearch)
so there should be some kind of difference between the queries run by each one.

>
> Here's my config:
>
>      ldap {
>                 server = "localhost"
>                 identity = "cn=admin,dc=tgm,dc=ac,dc=at"
>                 password = xxx
>                 basedn = "ou=People,ou=admin,dc=tgm.dc=ac,dc=at"
>                 filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>
>                 # base_filter = "(objectclass=radiusprofile)"
>
>                 # set this to 'yes' to use TLS encrypted connections
>                 # to the LDAP database by using the StartTLS extended
>                 # operation.
>                 # The StartTLS operation is supposed to be used with normal
>                 # ldap connections instead of using ldaps (port 689) connections
>                 start_tls = no
>
>                 # tls_cacertfile        = /path/to/cacert.pem
>                 # tls_cacertdir         = /path/to/ca/dir/
>                 # tls_certfile          = /path/to/radius.crt
>                 # tls_keyfile           = /path/to/radius.key
>                 # tls_randfile          = /path/to/rnd
>                 # tls_require_cert      = "demand"
>
>                 # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
>                 # profile_attribute = "radiusProfileDn"
>         #       access_attr = "dialupAccess"
>
>                 # Mapping of RADIUS dictionary attributes to LDAP
>                 # directory attributes.
>                 dictionary_mapping = ${raddbdir}/ldap.attrmap
>
>                 ldap_connections_number = 5
>
>                 #
>                 # NOTICE: The password_header directive is NOT case insensitive
>                 #
>                 # password_header = "{clear}"
>                 #
>                 #  The server can usually figure this out on its own, and pull
>                 #  the correct User-Password or NT-Password from the database.
>                 #
>                 #  Note that NT-Passwords MUST be stored as a 32-digit hex
>                 #  string, and MUST start off with "0x", such as:
>                 #
>                 #       0x000102030405060708090a0b0c0d0e0f
>                 #
>                 #  Without the leading "0x", NT-Passwords will not work.
>                 #  This goes for NT-Passwords stored in SQL, too.
>                 #
>                 password_attribute = ntPassword
>                 # groupname_attribute = cn
>                 # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>                 # groupmembership_attribute = radiusGroupName
>                 timeout = 4
>                 timelimit = 3
>                 net_timeout = 1
>                 # compare_check_items = yes
>                 # do_xlat = yes
>                 # access_attr_used_for_allow = yes
>         }
>
> Thanks for help
> Berndt
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]       National Technical University of Athens, Greece
Work Phone:             +30 210 7721861
'Go back to the shadow' Gandalf
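
One way to make the ldapsearch comparison suggested above exact, as an added example that is not part of the original thread or of FreeRADIUS: it takes the base DN and filter verbatim from the rlm_ldap debug output and builds two ldapsearch commands, one bound as the module's `identity` and one anonymous, so a difference in results points at the server's access controls. The `ldap://localhost` URI (derived from `server = "localhost"`), the subtree scope and all function names are assumptions.

```python
import re
import shlex

# Debug lines copied from the post, including the mail-wrapped filter line.
POST_DEBUG = """\
rlm_ldap: performing user authorization for sevcikb
radius_xlat:  '(uid=sevcikb)'
radius_xlat:  'ou=People,ou=admin,dc=tgm.dc=ac,dc=at'
rlm_ldap: performing search in ou=People,ou=admin,dc=tgm.dc=ac,dc=at, with filter
(uid=sevcikb)
rlm_ldap: object not found or got ambiguous search result
"""

SEARCH_RE = re.compile(
    r"^rlm_ldap: performing search in (?P<base>.+), with filter (?P<filter>\(.+\))\s*$",
    re.MULTILINE,
)

def extract_search(debug_text):
    """Return (base_dn, filter) exactly as rlm_ldap logged them."""
    # Undo line wrapping between "with filter" and the filter itself.
    joined = re.sub(r"with filter[ \t]*\r?\n[ \t]*", "with filter ", debug_text)
    match = SEARCH_RE.search(joined)
    if match is None:
        raise ValueError("no 'performing search in' line found")
    return match.group("base"), match.group("filter")

def ldapsearch_argv(base, flt, uri, bind_dn=None):
    """Build an ldapsearch argv; without bind_dn the simple bind is anonymous."""
    argv = ["ldapsearch", "-x", "-H", uri]
    if bind_dn:
        argv += ["-D", bind_dn, "-W"]        # -W prompts for the password
    argv += ["-b", base, "-s", "sub", flt]   # subtree scope is an assumption
    return argv

def comparison_commands(debug_text, uri, bind_dn):
    """Same base and filter twice: once as the RADIUS identity, once anonymous."""
    base, flt = extract_search(debug_text)
    return {
        "as_radius_identity": shlex.join(ldapsearch_argv(base, flt, uri, bind_dn)),
        "anonymous": shlex.join(ldapsearch_argv(base, flt, uri)),
    }

if __name__ == "__main__":
    cmds = comparison_commands(POST_DEBUG, "ldap://localhost",
                               "cn=admin,dc=tgm,dc=ac,dc=at")
    for label, cmd in cmds.items():
        print(f"{label}:\n  {cmd}")
```

Run both printed commands on the RADIUS host and compare them against the search lines in the LDAP server log.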