On Tue, 23 Mar 2004, Rok Papez wrote:
> Hello!
>
> I'm trying to configure LDAP authentication to work with the user supplied
> credentials. ACLs don't allow me to browse the LDAP directory, so I'd like to
> authenticate the user based on a successful connection to the LDAP server with
> his user/pass.
>
> I've come up with this configuration but don't know how to "insert" user supplied
> username and password:
>
> modules {
>     [...]
>     ldap {
>         server = x.x.x.x
>         identity = "uid=%{Stripped-User-Name},ou=users,dc=org1,dc=tld"
>         password = "%{User-Password}"
>         basedn = "ou=users,dc=org1,dc=tld"
>         filter = "(uid=%{Stripped-User-Name})"
>     }
> }
>
> authorize {
>     # No LDAP entry here, I don't want it to browse LDAP directory.
>     [...]
> }
>
> authenticate {
>     eap
>     Auth-Type LDAP {
>         ldap
>     }
>     Auth-Type PAP {
>         pap
>     }
> }
>
> Tue Mar 23 08:41:31 2004 : Debug: modcall: entering group Auth-Type for request 4
> Tue Mar 23 08:41:31 2004 : Debug: modsingle[authenticate]: calling ldap (rlm_ldap) for request 4
> Tue Mar 23 08:41:31 2004 : Debug: rlm_ldap: - authenticate
> Tue Mar 23 08:41:31 2004 : Debug: rlm_ldap: login attempt by "test1" with password "test1"
> Tue Mar 23 08:41:31 2004 : Debug: radius_xlat: '(uid=test1)'
> Tue Mar 23 08:41:31 2004 : Debug: radius_xlat: 'ou=users,dc=org1,dc=tld'
> Tue Mar 23 08:41:31 2004 : Debug: ldap_get_conn: Got Id: 0
> Tue Mar 23 08:41:31 2004 : Debug: rlm_ldap: attempting LDAP reconnection
> Tue Mar 23 08:41:31 2004 : Debug: rlm_ldap: (re)connect to x.x.x.x:y, authentication > 0
> Tue Mar 23 08:41:31 2004 : Debug: rlm_ldap: bind as uid=%{Stripped-User-Name},ou=users,dc=org1,dc=tld/%{User-Password} to x.x.x.x:y
> Tue Mar 23 08:41:31 2004 : Debug: rlm_ldap: waiting for bind result ...
> Tue Mar 23 08:41:31 2004 : Error: rlm_ldap: LDAP login failed: check login, password settings in ldap section of radiusd.conf
> Tue Mar 23 08:41:31 2004 : Error: rlm_ldap: (re)connection attempt failed
> Tue Mar 23 08:41:31 2004 : Debug: ldap_release_conn: Release Id: 0
> Tue Mar 23 08:41:31 2004 : Debug: modsingle[authenticate]: returned from ldap (rlm_ldap) for request 4
> Tue Mar 23 08:41:31 2004 : Debug: modcall[authenticate]: module "ldap" returns fail for request 4
> Tue Mar 23 08:41:31 2004 : Debug: modcall: group Auth-Type returns fail for request 4
> Tue Mar 23 08:41:31 2004 : Debug: auth: Failed to validate the user.
> Tue Mar 23 08:41:31 2004 : Auth: Login incorrect: [EMAIL PROTECTED]/test1] (from client localhost port 0)
>
> As can be seen from the logs, %{User-Password} and %{Stripped-User-Name} are
> not substituted in "identity" and "password". If I enter the values (username
> and pass) directly into these fields, authentication works (naturally).
>
> How is it done correctly, or doesn't rlm_ldap support this kind of LDAP
> authentication?
identity/password are used to create an ldap connection pool for the authorize
section to be able to use those connections to perform ldap searches.
You should set the attribute Ldap-UserDN somewhere in the authorize section (for
example by using the users file):
DEFAULT Ldap-UserDN := "uid=%{Stripped-User-Name},ou=users,dc=org1,dc=tld"
Then rlm_ldap will use the DN contained in that attribute and just use the
password supplied in the Access-Request to perform user authentication.
>
> --
> Lep pozdrav,
> Rok Papez.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
--
Kostas Kalevras
Network Operations Center
National Technical University of Athens, Greece
[EMAIL PROTECTED]
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
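A worked configuration following the reply above, added here as an example; it is not taken from the thread or from the FreeRADIUS project's own documentation. It assumes a FreeRADIUS 1.x layout (a `modules` section in radiusd.conf and a `users` file read by the `files` module), that the realm module (`suffix`) runs in `authorize` so that Stripped-User-Name is populated (it evidently was in the question's log, where the login name was reduced to "test1"), and that the users file entry must also set Auth-Type := LDAP, because with `ldap` removed from `authorize` nothing else selects that Auth-Type. The server address, base DN and DN template are the ones from the question; the comment about an anonymous pool bind when `identity` is unset is an assumption about rlm_ldap behaviour, not something the thread states.

```conf
# radiusd.conf (excerpt)
#
# identity/password are the module's OWN credentials: they are used to bind
# the connection pool that the authorize section would use for searches.
# They are never per-user, so "%{User-Password}" does not belong there.
# Assumption: with identity left unset the pool binds anonymously; since this
# setup never searches the directory, no browse rights are needed at all.
modules {
    ldap {
        server = x.x.x.x
        basedn = "ou=users,dc=org1,dc=tld"
        filter = "(uid=%{Stripped-User-Name})"
        # no identity / password here: nothing below searches the directory
    }
}

authorize {
    preprocess
    suffix     # strips "@realm" so Stripped-User-Name exists for the DN below
    files      # reads the users file; sets Ldap-UserDN and Auth-Type
}

authenticate {
    Auth-Type LDAP {
        ldap   # binds as the DN in Ldap-UserDN with the request's User-Password
    }
}

# users file
#
# One DEFAULT entry whose check items (first line, ":=" operators) build the
# user's DN from the realm-stripped login name and force LDAP authentication.
# Double quotes, not backticks: a backtick-quoted value in the users file is
# executed as a command.
DEFAULT Auth-Type := LDAP, Ldap-UserDN := "uid=%{Stripped-User-Name},ou=users,dc=org1,dc=tld"
```

The point of the split is that the credentials the module holds for its pool and the credentials a user presents never share a setting: the user's password is only ever used for the one bind that authenticates that user. Note also that the question's debug output prints the attempted password in clear text ("login attempt by "test1" with password "test1""), so run the server in debug mode only while troubleshooting.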