On Thu, 16 Sep 2004, J.R. Cabanban wrote:

> command:  radtest arookie ******** localhost 1 sharedsecret
>
> response:  rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=61,
> length=20
>
> snapshot of radiusd -X -A
>
> rad_recv: Access-Request packet from host 127.0.0.1:32847, id=53,
> length=59
>         User-Name = "arookie"
>         User-Password = "*********"
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 1
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 1
>   modcall[authorize]: module "preprocess" returns ok for request 1
>   modcall[authorize]: module "chap" returns noop for request 1
>   modcall[authorize]: module "mschap" returns noop for request 1
>     rlm_realm: No '@' in User-Name = "arookie", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 1
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for request 1
>     users: Matched DEFAULT at 152
>     users: Matched DEFAULT at 155
>   modcall[authorize]: module "files" returns ok for request 1
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for arookie
> radius_xlat:  '(uid=arookie)'
> radius_xlat:  'cn'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in cn, with filter (uid=arookie)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user arookie authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 1
> modcall: group authorize returns ok for request 1
>   rad_check_password:  Found Auth-Type System
> auth: type "System"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 1
>   modcall[authenticate]: module "unix" returns notfound for request 1
> modcall: group authenticate returns notfound for request 1
> auth: Failed to validate the user.
> Delaying request 1 for 1 seconds
> Finished request 1
>
> Q.  Did the LDAP server properly authenticate the user and allow access? If
> so, why was the final result Access-Reject?
>

LDAP authorized the user, but then you have it set to use System to
authenticate.  These are two separate procedures.  Check radiusd.conf and
make sure you have ldap in the authorize section.

Uncomment this part, if you haven't already.
#       Auth-Type LDAP {
#               ldap
#       }

-Dusty Doris


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
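The authorize/authenticate split Dusty describes, as an added configuration example; it is not from this thread or from the FreeRADIUS project files. It assumes the FreeRADIUS 1.x radiusd.conf layout of the time, a directory at ldap.example.com with base DN ou=people,dc=example,dc=com (both placeholders), and a build whose rlm_ldap accepts start_tls. The log above reports "Found Auth-Type System" right after the users-file DEFAULT matches at lines 152 and 155, so the example also assumes, without being able to see that file, that a DEFAULT entry there forces Auth-Type := System; such an entry is what hands the request to the unix module instead of to the directory.

```conf
# --- /etc/raddb/radiusd.conf (FreeRADIUS 1.x layout, assumed) ---

modules {
        ldap {
                # Placeholder server and base DN; replace with your own.
                server = "ldap.example.com"
                basedn = "ou=people,dc=example,dc=com"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                # No identity/password here: with none configured, rlm_ldap
                # binds to the directory AS THE USER with the supplied
                # User-Password in the authenticate section. That bind is the
                # real password check; the authorize lookup below is not.
                # Assumed supported by this build: protect the bind password
                # on the wire.
                start_tls = yes
        }
}

authorize {
        preprocess
        chap
        mschap
        suffix
        eap
        files
        # Only looks the user up (does the account exist, which check/reply
        # items apply). "user ... authorized to use remote access" in the
        # debug output means exactly that and nothing about the password.
        ldap
}

authenticate {
        # Auth-Type System: local passwd/shadow via the unix module. This is
        # where the request in the log went, and it returned notfound.
        unix
        # Uncommented so that requests with Auth-Type LDAP are checked against
        # the directory. rlm_ldap sets Auth-Type = LDAP during authorize only
        # when nothing earlier in authorize has already set an Auth-Type.
        Auth-Type LDAP {
                ldap
        }
}

# --- /etc/raddb/users ---
# Assumed entry: a DEFAULT like this, matched before rlm_ldap runs, pins every
# request to Auth-Type System, so the LDAP bind never happens. Comment it out
# (or restrict it with a check item) so the ldap module can set Auth-Type.
#DEFAULT        Auth-Type := System
#       Fall-Through = 1
```

After changing either file, restart radiusd -X and repeat the radtest call from the question; the authenticate section should now enter "Auth-Type LDAP" rather than the unix module. Keep in mind that an "ok" from ldap in authorize proves only that the entry exists, so a reject from the bind in authenticate is the correct outcome for a wrong password and should not be "fixed" by adding ldap to authorize a second time.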
