I'll try it on Monday; I don't want to go to work during the weekend =)
I thought radiusd would connect as the user to the LDAP server, because the
logs show that the user is allowed to access some sort of information ...
Thanks a lot for your help. I'll keep you up to date on Monday, whether the problem
is resolved or not.
Thanks,
Arnauld
Selon Dustin Doris <[EMAIL PROTECTED]>:
> > Okay, I'm not really into Win stuff. The ntPassword fields seem encrypted, since I
> > can't "read" them with my eyes, but I think it's just a hash or something. Isn't
> > it the regular way to store NT passwords?
> >
> > Anyway, here is my ldap section in radiusd.conf:
> >
> > ldap {
> >     server = "192.168.1.6"
> >     basedn = "ou=Users,dc=mtp,dc=epsi,dc=fr"
> >     filter = "(&(objectclass=posixAccount)(uid=%u))"
> >     start_tls = no
> >     dictionary_mapping = ${raddbdir}/ldap.attrmap
> >     ldap_connections_number = 5
> >     password_attribute = ntPassword  # <--- I changed this one just to try it out; it was originally userPassword
> >     timeout = 4
> >     timelimit = 3
> >     net_timeout = 1
> > }
> >
> >
> > And here are my slapd access rules:
> >
> > access to dn=".*,dc=mtp,dc=epsi,dc=fr" attr=userPassword
> > by dn="cn=root,dc=mtp,dc=epsi,dc=fr" write
> > by self write
> > by * auth
> >
> > access to dn=".*,dc=mtp,dc=epsi,dc=fr" attr=ntPassword
> > by dn="cn=root,dc=mtp,dc=epsi,dc=fr" write
> > by self write
> > by * auth
> >
> > access to dn=".*,dc=mtp,dc=epsi,dc=fr" attr=lmPassword
> > by dn="cn=root,dc=mtp,dc=epsi,dc=fr" write
> > by self write
> > by * auth
> >
> > If I remember correctly (it's been a long time since I last reconfigured OpenLDAP), the write
> > perm also allows read?
> > Since I didn't configure any user in the ldap section of radiusd, isn't it
> > supposed to log in to the LDAP server with the username/password received by radiusd,
> > and grab the user password, which should be possible since it has write (read?)
> > perm?
> >
> > Thanks for your help
> >
> > --
> > Arnauld Dravet
> >
>
> No, you need to add a user to do the search for the user logging in.
> Since you don't allow anonymous reads, you'll need to create a user with
> read access.
>
> So, first change the ldap section to include something like
> identity = "cn=freeradius,dc=mtp,dc=epsi,dc=fr"
> password = password
>
> Then in slapd.conf add something like
>
> access to dn.subtree="ou=Users,dc=mtp,dc=epsi,dc=fr"
>     by dn="cn=freeradius,dc=mtp,dc=epsi,dc=fr" read
>     by self write
>     by * auth
>
>
> Then add the freeradius user to ldap
>
> $ ldapadd -x -D "cn=root,dc=mtp,dc=epsi,dc=fr" -W
> dn: cn=freeradius,dc=mtp,dc=epsi,dc=fr
> objectclass: person
> cn: freeradius
> sn: freeradius
> userpassword: password
>
> Hope that helps
>
> Dusty Doris
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
--
Arnauld Dravet
Network Administrator & Algorithms Lecturer
EPSI Montpellier
499, Rue de la croix verte
34196 Montpellier Cedex 5
Tel. (reception/direct): 04.67.04.2001 / 04.67.04.0008
Fax: 04.67.63.90.83
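An added example, not part of the thread and not OpenLDAP or FreeRADIUS code: a small Python model of how slapd picks an access clause (the first `access to` stanza whose target matches is the only one consulted, and within it the first matching `by` clause decides), together with OpenLDAP's privilege order none < disclose < auth < compare < search < read < write < manage. Run over the rules posted above, it shows why a bind as cn=freeradius gets only `auth` on userPassword/ntPassword under the original rules, why `by self write` does not help radiusd (it binds as its own identity, not as the user), and that the suggested subtree stanza must be placed before the attribute-specific stanzas, otherwise those shadow it. The user entry uid=arnauld,ou=Users,... is a constructed example; the evaluator supports only the selectors the thread uses, not the full slapd.access(5) syntax.

```python
"""Toy model of slapd ACL evaluation, written for this thread (not OpenLDAP code).
Semantics modelled: the first 'access to' stanza whose <what> matches the target
is the only one consulted, and within it the first matching 'by' clause decides
the privilege. Only the selectors seen in the thread are supported:
what: dn=<regex>, dn.subtree=<dn>, attr=<name>; who: *, anonymous, users, self, dn=<regex>.
"""
import re

# OpenLDAP privilege ladder; a level implies every level to its left,
# so 'write' implies 'read' but 'auth' implies neither.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The three attribute-specific stanzas as posted in the thread.
ORIGINAL_RULES = """
access to dn=".*,dc=mtp,dc=epsi,dc=fr" attr=userPassword
    by dn="cn=root,dc=mtp,dc=epsi,dc=fr" write
    by self write
    by * auth
access to dn=".*,dc=mtp,dc=epsi,dc=fr" attr=ntPassword
    by dn="cn=root,dc=mtp,dc=epsi,dc=fr" write
    by self write
    by * auth
access to dn=".*,dc=mtp,dc=epsi,dc=fr" attr=lmPassword
    by dn="cn=root,dc=mtp,dc=epsi,dc=fr" write
    by self write
    by * auth
"""

# The stanza suggested in the reply, giving the radiusd bind identity read access.
SUBTREE_RULE = """
access to dn.subtree="ou=Users,dc=mtp,dc=epsi,dc=fr"
    by dn="cn=freeradius,dc=mtp,dc=epsi,dc=fr" read
    by self write
    by * auth
"""


def parse_acl(text):
    """Split slapd.conf-style text into [(what_selectors, [(who, level), ...]), ...]."""
    rules = []
    for stanza in re.split(r"^\s*access\s+to\s+", text, flags=re.M)[1:]:
        tokens = stanza.split()
        what, i = {}, 0
        while i < len(tokens) and tokens[i] != "by":
            key, _, val = tokens[i].partition("=")
            what[key] = val.strip('"')      # e.g. {"dn": ".*,dc=...", "attr": "ntPassword"}
            i += 1
        bys = []
        while i + 2 < len(tokens) and tokens[i] == "by":
            bys.append((tokens[i + 1], tokens[i + 2]))
            i += 3
        rules.append((what, bys))
    return rules


def _what_matches(what, target_dn, attr):
    if "dn" in what and not re.fullmatch(what["dn"], target_dn, re.I):
        return False
    if "dn.subtree" in what:
        base, t = what["dn.subtree"].lower(), target_dn.lower()
        if t != base and not t.endswith("," + base):
            return False
    if "attr" in what and (attr is None or what["attr"].lower() != attr.lower()):
        return False
    return True


def _who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return not bind_dn
    if who == "users":
        return bool(bind_dn)
    if who == "self":                       # the bound entry is the target entry itself
        return bool(bind_dn) and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn="):
        return bool(bind_dn) and re.fullmatch(who[3:].strip('"'), bind_dn, re.I) is not None
    raise ValueError("unsupported 'by' selector: " + who)


def granted_level(rules, bind_dn, target_dn, attr):
    """Privilege the bound identity gets on one attribute of one entry."""
    for what, bys in rules:
        if not _what_matches(what, target_dn, attr):
            continue
        for who, level in bys:
            if _who_matches(who, bind_dn, target_dn):
                return level
        return "none"   # stanza matched but no 'by' clause did: access denied
    return "none"       # no stanza matched: denied (the rootdn bypasses ACLs entirely)


def can(rules, bind_dn, target_dn, attr, needed):
    return LEVELS.index(granted_level(rules, bind_dn, target_dn, attr)) >= LEVELS.index(needed)


def check_thread_scenarios():
    radius = "cn=freeradius,dc=mtp,dc=epsi,dc=fr"
    user = "uid=arnauld,ou=Users,dc=mtp,dc=epsi,dc=fr"   # constructed example entry
    original = parse_acl(ORIGINAL_RULES)
    fix_first = parse_acl(SUBTREE_RULE + ORIGINAL_RULES)  # new stanza placed first
    fix_last = parse_acl(ORIGINAL_RULES + SUBTREE_RULE)   # new stanza appended at the end
    return {
        # radiusd bound as cn=freeradius: 'by * auth' lets it bind, not read
        "original: freeradius can read userPassword": can(original, radius, user, "userPassword", "read"),
        "original: freeradius gets auth on userPassword": can(original, radius, user, "userPassword", "auth"),
        # 'by self write' only helps when the bind DN is the user entry itself
        "original: user can read own userPassword": can(original, user, user, "userPassword", "read"),
        "fix first: freeradius can read ntPassword": can(fix_first, radius, user, "ntPassword", "read"),
        # first-match on 'access to': the attr stanzas shadow a subtree rule placed after them
        "fix last: freeradius can read ntPassword": can(fix_last, radius, user, "ntPassword", "read"),
        # anonymous still cannot read anything under ou=Users
        "fix first: anonymous can read uid": can(fix_first, "", user, "uid", "read"),
    }


if __name__ == "__main__":
    for name, result in check_thread_scenarios().items():
        print(f"{name}: {result}")
```

The "fix last" case is the one to watch when adding the suggested stanza to an existing slapd.conf: because the attribute-specific stanzas for userPassword/ntPassword/lmPassword match first, a subtree rule appended below them never gets consulted for those attributes, and radiusd keeps getting `auth` only. Either put the subtree stanza first, or add `by dn="cn=freeradius,..." read` to each password stanza.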