added not, my config file is not referencing the users file for anything. Tre
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Tre Johnston Sent: Wednesday, March 03, 2004 11:41 AM To: [EMAIL PROTECTED] Subject: ldap group authorization...HELP!!! I am having problems with radius grabbing the group memberUid attribute from ldap and deny initial access to routers users based on the group they are in. Below is a copy of the ldap configuration I have in my radiusd.conf file, also I have enabled ldap in the auth section. Any help would be gladly appreciated. ldap { server = (Hidden to protect the innocent) identity = (Hidden to protect the innocent) password =(Hidden to protect the innocent) basedn = (Hidden to protect the innocent) filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" # set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # The StartTLS operation is supposed to be used with normal # ldap connections instead of using ldaps (port 689) connections start_tls = yes tls_cacertfile = /etc/openldap/ssl/cacert.pem # tls_cacertdir = /path/to/ca/dir/ # tls_certfile = /path/to/radius.crt # tls_keyfile = /path/to/radius.key # tls_randfile = /path/to/rnd # tls_require_cert = "demand" # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" profile_attribute = "radiusProfileDn" access_attr = "cn" #access_group = ops # Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 # # NOTICE: The password_header directive is NOT case insensitive # password_header = "{SSHA}" password_attribute = userPassword groupname_attribute = "(|(&(objectClass=%(MemberUid)))) groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))ou=Group,ou=Corproate,dc=supplysolution,dc=com" groupmembership_attribute = cn # # The server can usually figure this out on its own, and pull # the correct User-Password or NT-Password from the database. # # Note that NT-Passwords MUST be stored as a 32-digit hex # string, and MUST start off with "0x", such as: # # 0x000102030405060708090a0b0c0d0e0f # # Without the leading "0x", NT-Passwords will not work. # This goes for NT-Passwords stored in SQL, too. # # password_attribute = userPassword # groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 # compare_check_items = yes # do_xlat = yes access_attr_used_for_allow = yes } Here is a copy of the log for the request. rad_recv: Access-Request packet from host (Hidden to protect the innocent), id=38, length=86 User-Name = "dev" Reply-Message = "Password: " User-Password = "(Hidden to protect the innocent)" NAS-Port = 66 NAS-Port-Type = Virtual Calling-Station-Id = "(Hidden to protect the innocent)" NAS-IP-Address = (Hidden to protect the innocent) Wed Mar 3 11:27:23 2004 : Debug: rad_lowerpair: User-Name now 'dev' Wed Mar 3 11:27:23 2004 : Debug: modcall: entering group authorize for request 0 Wed Mar 3 11:27:23 2004 : Debug: modsingle[authorize]: calling preprocess (rl m_preprocess) for request 0 Wed Mar 3 11:27:23 2004 : Debug: modsingle[authorize]: returned from preproce ss (rlm_preprocess) for request 0 Wed Mar 3 11:27:23 2004 : Debug: modcall[authorize]: module "preprocess" retu rns ok for request 0 Wed Mar 3 11:27:23 2004 : Debug: modsingle[authorize]: calling ldap (rlm_ldap ) for request 0 Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: - authorize Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: performing user authorization for de v Wed Mar 3 11:27:23 2004 : Debug: radius_xlat: '(uid=dev)' Wed Mar 3 11:27:23 2004 : Debug: radius_xlat: (Hidden to protect the innocent) Wed Mar 3 11:27:23 2004 : Debug: ldap_get_conn: Got Id: 0 Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: attempting LDAP reconnection Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: (re)connect to management1.pleas.sup plysolution.com:389, authentication 0 Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: starting TLS Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: bind as (Hidden to protect the innocent) Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: waiting for bind result ... Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: performing search in (Hidden to protect the innocent), with filter (uid=dev) Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: checking if remote access for dev is allowed by cn Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: Added password umFYzyfnmhVQdQC+Lleys j8RFv7g+TE+ in check items Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: looking for check items in directory ... Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: looking for reply items in directory ... Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: user dev authorized to use remote ac cess Wed Mar 3 11:27:23 2004 : Debug: ldap_release_conn: Release Id: 0 Wed Mar 3 11:27:23 2004 : Debug: modsingle[authorize]: returned from ldap (rl m_ldap) for request 0 Wed Mar 3 11:27:23 2004 : Debug: modcall[authorize]: module "ldap" returns ok for request 0 Wed Mar 3 11:27:23 2004 : Debug: modcall: group authorize returns ok for reques t 0 Wed Mar 3 11:27:23 2004 : Debug: rad_check_password: Found Auth-Type LDAP Wed Mar 3 11:27:23 2004 : Debug: auth: type "LDAP" Wed Mar 3 11:27:23 2004 : Debug: modcall: entering group Auth-Type for request 0 Wed Mar 3 11:27:23 2004 : Debug: modsingle[authenticate]: calling ldap (rlm_l dap) for request 0 Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: - authenticate Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: login attempt by "dev" with password "changeme" Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: user DN: uid=dev,(Hidden to protect the innocent) Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: (re)connect to (Hidden to protect the innocent) authentication 1 Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: starting TLS Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: bind as uid=dev,(Hidden to protect the innocent) Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: waiting for bind result ... Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: user dev authenticated succesfully Wed Mar 3 11:27:23 2004 : Debug: modsingle[authenticate]: returned from ldap (rlm_ldap) for request 0 Wed Mar 3 11:27:23 2004 : Debug: modcall[authenticate]: module "ldap" returns ok for request 0 Wed Mar 3 11:27:23 2004 : Debug: modcall: group Auth-Type returns ok for reques t 0 Wed Mar 3 11:27:23 2004 : Auth: Login OK: [dev] (from client router port 66 cli (hidden)) Sending Access-Accept of id 38 to 67.29.144.130:1645 Wed Mar 3 11:27:23 2004 : Debug: Finished request 0 Wed Mar 3 11:27:23 2004 : Debug: Going to the next request Wed Mar 3 11:27:23 2004 : Debug: --- Walking the entire request list --- Wed Mar 3 11:27:23 2004 : Debug: Waking up in 6 seconds... Warning: Remote host denied X11 forwarding. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
