Why don't you try taking out the group and redundant statements and see if
it works then.  It looks like you are using the ldap1 configuration at
first.  Then you can add configurable failover back into the mix after you
get it separating basedns the way you want.


On Wed, 29 Dec 2004 [EMAIL PROTECTED] wrote:

> I already set the specific basedn in the radiusd.conf.
>
> I want to search only in the specific ldap branch for an specific 
> called-station-id.
>
> Here is the debug log:
>
> rad_recv: Access-Request packet from host 10.160.4.7:3459, id=27, length=55
>       User-Name = "admin"
>       User-Password = "pass123"
>       Called-Station-Id = "40004015"
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>     users: Matched DEFAULT at 57
>   modcall[authorize]: module "files" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
> modcall: entering group group for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for admin
> radius_xlat:  '(&(objectClass=aRadiusAccount)(uid=admin))'
> radius_xlat:  'dc=company,dc=com'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 192.168.220.100:389, authentication 0
> rlm_ldap: bind as cn=Manager,dc=company,dc=com/secret to 192.168.220.100:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=company,dc=com, with filter
> (&(objectClass=aRadiusAccount)(uid=admin))
> rlm_ldap: Added password {SHA}65klKnzqoLdyHTcDnLVHwNNxTo4= in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user admin authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap1" returns ok for request 0
> modcall: group group returns ok for request 0
> modcall: group authorize returns ok for request 0
>   Processing the authorize section of radiusd.conf
> modcall: entering group autztype for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for admin
> radius_xlat:  '(&(objectClass=aRadiusAccount)(uid=admin))'
> radius_xlat:  'ou=client1,dc=company,dc=com'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 192.168.220.100:389, authentication 0
> rlm_ldap: bind as cn=Manager,dc=company,dc=com/secret to 192.168.220.100:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=client1,dc=company,dc=com, with filter
> (&(objectClass=aRadiusAccount)(uid=admin))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap_client1" returns notfound for request 0
> modcall: group autztype returns notfound for request 0
>   rad_check_password:  Found Auth-Type CLIENT1
> auth: type "CLIENT1"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authtype for request 0
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "admin" with password "pass123"
> rlm_ldap: user DN: uid=admin,ou=a,ou=bender,dc=company,dc=com
> rlm_ldap: (re)connect to 192.168.220.100:389, authentication 1
> rlm_ldap: bind as uid=admin,ou=a,ou=bender,dc=company,dc=com/pass123 to
> 192.168.220.100:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: user admin authenticated succesfully
>   modcall[authenticate]: module "ldap_client1" returns ok for request 0
> modcall: group authtype returns ok for request 0
> radius_xlat:  'Welcome a CLIENT1.'
> Login OK: [admin/pass123] (from client Esteban port 0)
> Sending Access-Accept of id 27 to 10.160.4.7:3459
>       Reply-Message = "Bienvenido a CLIENT1."
> Finished request 0
> Going to the next request
>
> Message quoted from Dustin Doris <[EMAIL PROTECTED]>:
>
> > >
> > > Does anyone know how to restrict user search to a specific LDAP branch?
> >
> > the basedn setting in radiusd.conf ldap section.
> >
> > >
> > > I want to find in a specific LDAP branch if a specific DNIS arrives.
> > >
> > > I tried these settings, but when the user is not found in the specific
> > > branch, the search then tries to find the user in the other LDAPs that I set.
> >
> > Are you saying you want to try the search in the other branch if not found
> > in the first branch?  Or,  are you saying it is searching in the other
> > branch, but you don't want it to?
> >
> > >
> > > I tried setting the user file:
> > > DEFAULT     Called-Station-Id == "123456", Auth-type := client1, Autz-Type := ldap_client1
> > >
> > > and in the radiusd.conf:
> > >
> > > ldap ldap_client1 {  server = "192.168.1.1"
> > >                    basedn = "ou=client1, dc=abc , dc=com"
> > >                     .....
> > >                     .....
> > >                    }
> > >
> > > authorize {
> > >       preprocess
> > >       files
> > >       chap
> > >       group {
> > >              ldap1
> > >              ldap2
> > >              }
> > >       autztype ldap_client1
> > >       ldap_client1
> > >         }
> > >
> > > Authenticate
> > > {
> > >       authtype CHAP{chap}
> > >       authtype LDAP {
> > >                redundant{
> > >                    ldap1
> > >                    ldap2
> > >                      }
> > >                  }
> > >       authtype client1 {
> > >             ldap_client1}
> > > }
> >
> >
> > What does radiusd -X show?  Please be more specific in what you want to
> > happen and then include the radiusd -X debug showing what is happening.
> >
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
>

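An added example of the restructuring the reply describes, in FreeRADIUS 1.x syntax (an editor's suggestion, not configuration from Dustin or the original poster): the wide ldap1/ldap2 search is moved out of the unconditional authorize list into its own Autz-Type block, so each request runs only the LDAP module its users-file entry selects. The "123456" DNIS, the ldap_client1 module and the Auth-Type names come from the thread; the Autz-Type name default_ldap and the Reply-Message are assumptions.

```conf
# users file: choose the authorization and authentication path by DNIS.
# The first matching DEFAULT wins (no Fall-Through), so calls to 123456
# never reach the second entry and never run ldap1/ldap2.
DEFAULT Called-Station-Id == "123456", Autz-Type := client1, Auth-Type := client1
        Reply-Message = "Welcome to CLIENT1"

# Everything else: rlm_ldap sets Auth-Type = LDAP itself when it finds the user.
DEFAULT Autz-Type := default_ldap
        Reply-Message = "Welcome"

# radiusd.conf (the ldap ldap_client1 { ... } module block stays as posted)
authorize {
        preprocess
        files
        chap
        # No bare ldap1/ldap2 or group { } here: a module listed at this level
        # runs for every request, which is why the debug log found admin under
        # dc=company,dc=com before ldap_client1 ever ran.
        Autz-Type default_ldap {
                redundant {     # failover added back once the basedn split works
                        ldap1
                        ldap2
                }
        }
        Autz-Type client1 {
                ldap_client1    # basedn = "ou=client1, dc=abc , dc=com" only
        }
}

authenticate {
        Auth-Type CHAP {
                chap
        }
        Auth-Type LDAP {
                redundant {
                        ldap1
                        ldap2
                }
        }
        Auth-Type client1 {
                ldap_client1
        }
}
```

Note that radiusd -X prints the manager bind credentials and the user's password in clear text, as the log above shows; scrub them before posting a debug trace to a list.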