Hello!

I'm trying to configure LDAP authentication to work with the user-supplied credentials. ACLs don't allow me to browse the LDAP directory, so I'd like to authenticate the user based on a successful connection to the LDAP server with his user/pass.

I've come up with this configuration but don't know how to "insert" user supplied username and password:

modules {
        [...]
        ldap {
                server = x.x.x.x
                identity = "uid=%{Stripped-User-Name},ou=users,dc=org1,dc=tld"
                password = "%{User-Password}"
                basedn = "ou=users,dc=org1,dc=tld"
                filter = "(uid=%{Stripped-User-Name})"
        }
}

authorize {
        # No LDAP entry here, I don't want it to browse the LDAP directory.
        [...]
}

authenticate {
        eap
        Auth-Type LDAP {
                ldap
        }
        Auth-Type PAP {
                pap
        }
}

Tue Mar 23 08:41:31 2004 : Debug: modcall: entering group Auth-Type for request 4
Tue Mar 23 08:41:31 2004 : Debug:   modsingle[authenticate]: calling ldap (rlm_ldap) for request 4
Tue Mar 23 08:41:31 2004 : Debug: rlm_ldap: - authenticate
Tue Mar 23 08:41:31 2004 : Debug: rlm_ldap: login attempt by "test1" with password "test1"
Tue Mar 23 08:41:31 2004 : Debug: radius_xlat:  '(uid=test1)'
Tue Mar 23 08:41:31 2004 : Debug: radius_xlat:  'ou=users,dc=org1,dc=tld'
Tue Mar 23 08:41:31 2004 : Debug: ldap_get_conn: Got Id: 0
Tue Mar 23 08:41:31 2004 : Debug: rlm_ldap: attempting LDAP reconnection
Tue Mar 23 08:41:31 2004 : Debug: rlm_ldap: (re)connect to x.x.x.x:y, authentication 0
Tue Mar 23 08:41:31 2004 : Debug: rlm_ldap: bind as uid=%{Stripped-User-Name},ou=users,dc=org1,dc=tld/%{User-Password} to x.x.x.x:y
Tue Mar 23 08:41:31 2004 : Debug: rlm_ldap: waiting for bind result ...
Tue Mar 23 08:41:31 2004 : Error: rlm_ldap: LDAP login failed: check login, password settings in ldap section of radiusd.conf
Tue Mar 23 08:41:31 2004 : Error: rlm_ldap: (re)connection attempt failed
Tue Mar 23 08:41:31 2004 : Debug: ldap_release_conn: Release Id: 0
Tue Mar 23 08:41:31 2004 : Debug:   modsingle[authenticate]: returned from ldap (rlm_ldap) for request 4
Tue Mar 23 08:41:31 2004 : Debug:   modcall[authenticate]: module "ldap" returns fail for request 4
Tue Mar 23 08:41:31 2004 : Debug: modcall: group Auth-Type returns fail for request 4
Tue Mar 23 08:41:31 2004 : Debug: auth: Failed to validate the user.
Tue Mar 23 08:41:31 2004 : Auth: Login incorrect: [EMAIL PROTECTED]/test1] (from client localhost port 0)

As can be seen from the logs, %{User-Password} and %{Stripped-User-Name} are not substituted in "identity" and "password". If I enter the values (username and password) directly into these fields, authentication works (naturally).

How is this done correctly, or doesn't rlm_ldap support this kind of LDAP authentication?

--
Best regards,
Rok Papez.


- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

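The post wants "authenticate by binding to LDAP as the user", with the username spliced into a DN template and a search filter exactly as the posted identity/filter lines do. The following is an added example, not code from the post or from FreeRADIUS/rlm_ldap, showing the two checks a practitioner wants around that pattern: RFC 4514 escaping of the username before it is placed in the DN (a name like "admin,ou=admins" must not rewrite the DN) and RFC 4515 escaping before it is placed in the filter, plus a refusal of empty passwords, because a simple bind with a DN and an empty password is an unauthenticated bind that many servers accept as anonymous and report as success. BASE_DN is taken from the posted config; FAKE_DIRECTORY and fake_bind are constructed stand-ins for a real server so the block runs offline, and ldap_bind_factory assumes the python-ldap package if you want to point it at a real server.

```python
"""Bind-as-the-user LDAP authentication with DN/filter escaping (added example)."""
from typing import Callable

BASE_DN = "ou=users,dc=org1,dc=tld"  # base DN from the posted configuration


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a search filter (RFC 4515, section 3)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def user_dn(username: str) -> str:
    """Equivalent of identity = "uid=%{Stripped-User-Name},ou=users,...", escaped."""
    return f"uid={escape_dn_value(username)},{BASE_DN}"


def user_filter(username: str) -> str:
    """Equivalent of filter = "(uid=%{Stripped-User-Name})", escaped."""
    return f"(uid={escape_filter_value(username)})"


def authenticate(username: str, password: str,
                 bind: Callable[[str, str], bool]) -> bool:
    """Authenticate by binding as the user's DN with the supplied password.

    An empty password is rejected before the bind is attempted: RFC 4513
    section 5.1.2 defines DN + empty password as an *unauthenticated* bind,
    which servers may accept as anonymous, so "bind succeeded" would be
    meaningless in that case.
    """
    if not username or not password:
        return False
    return bind(user_dn(username), password)


# Constructed sample directory (DN -> password); not real data.
FAKE_DIRECTORY = {
    "uid=test1,ou=users,dc=org1,dc=tld": "test1",
}


def fake_bind(dn: str, password: str) -> bool:
    """Stand-in for a real simple bind, mimicking a server that treats an
    empty password as an unauthenticated bind and returns success for it."""
    if password == "":
        return True  # the pitfall that authenticate() guards against
    return FAKE_DIRECTORY.get(dn) == password


def ldap_bind_factory(uri: str) -> Callable[[str, str], bool]:
    """Build a bind callable backed by python-ldap (assumed installed; the
    import is deferred so this file runs without it)."""
    import ldap

    def bind(dn: str, password: str) -> bool:
        conn = ldap.initialize(uri)
        try:
            conn.simple_bind_s(dn, password)
            return True
        except ldap.INVALID_CREDENTIALS:
            return False
        finally:
            conn.unbind_s()

    return bind


if __name__ == "__main__":
    print(user_dn("test1"), authenticate("test1", "test1", fake_bind))
    print(user_dn("admin,ou=admins"), authenticate("admin,ou=admins", "test1", fake_bind))
    print("raw empty-password bind:", fake_bind(user_dn("test1"), ""))
    print("guarded empty-password auth:", authenticate("test1", "", fake_bind))
```

With python-ldap installed, `authenticate(name, pw, ldap_bind_factory("ldap://x.x.x.x"))` does the real bind; the escaping and empty-password checks are the same either way. Note that the username fed to user_dn should be the realm-stripped form (the post's %{Stripped-User-Name}), since "user@realm" would otherwise end up in the DN verbatim.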