First, you are clearly off topic for the samba list; this is clearly a radius config issue.

Second, in order to use ldap.attrmap you must have the file ldap.attrmap in /etc/raddb for Suse Linux.

This information is available in the radius ldap documentation.

Example:
#
# Mapping of RADIUS dictionary attributes to LDAP directory attributes
# to be used by LDAP authentication and authorization module (rlm_ldap)
#
# Format:
#   ItemType        RADIUS-Attribute-Name                ldapAttributeName
#
# Where:
#   ItemType              = checkItem or replyItem
#   RADIUS-Attribute-Name = attribute name in RADIUS dictionary
#   ldapAttributeName     = attribute name in LDAP schema
#
# If $GENERIC$ is specified as RADIUS-Attribute-Name, the line specifies
# a LDAP attribute which can be used to store any RADIUS
# attribute/value-pair in LDAP directory.
#
# You should edit this file to suit it to your needs.
#

checkItem   $GENERIC$                   radiusCheckItem
replyItem   $GENERIC$                   radiusReplyItem

checkItem   Auth-Type                   radiusAuthType
checkItem   Simultaneous-Use            radiusSimultaneousUse
checkItem   Called-Station-Id           radiusCalledStationId
checkItem   Calling-Station-Id          radiusCallingStationId
checkItem   LM-Password                 lmPassword
checkItem   NT-Password                 ntPassword
checkItem   SMB-Account-CTRL-TEXT       acctFlags
checkItem   Expiration                  radiusExpiration

replyItem   Service-Type                radiusServiceType
replyItem   Framed-Protocol             radiusFramedProtocol
replyItem   Framed-IP-Address           radiusFramedIPAddress
replyItem   Framed-IP-Netmask           radiusFramedIPNetmask
replyItem   Framed-Route                radiusFramedRoute
replyItem   Framed-Routing              radiusFramedRouting
replyItem   Filter-Id                   radiusFilterId
replyItem   Framed-MTU                  radiusFramedMTU
replyItem   Framed-Compression          radiusFramedCompression
replyItem   Login-IP-Host               radiusLoginIPHost
replyItem   Login-Service               radiusLoginService
replyItem   Login-TCP-Port              radiusLoginTCPPort
replyItem   Callback-Number             radiusCallbackNumber
replyItem   Callback-Id                 radiusCallbackId
replyItem   Framed-IPX-Network          radiusFramedIPXNetwork
replyItem   Class                       radiusClass
replyItem   Session-Timeout             radiusSessionTimeout
replyItem   Idle-Timeout                radiusIdleTimeout
replyItem   Termination-Action          radiusTerminationAction
replyItem   Login-LAT-Service           radiusLoginLATService
replyItem   Login-LAT-Node              radiusLoginLATNode
replyItem   Login-LAT-Group             radiusLoginLATGroup
replyItem   Framed-AppleTalk-Link       radiusFramedAppleTalkLink
replyItem   Framed-AppleTalk-Network    radiusFramedAppleTalkNetwork
replyItem   Framed-AppleTalk-Zone       radiusFramedAppleTalkZone
replyItem   Port-Limit                  radiusPortLimit
replyItem   Login-LAT-Port              radiusLoginLATPort



Douglas Sterner

Network Analyst
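The three-column attrmap format described in the file header above is easy to check before radiusd loads it. The parser below is an added example (not part of the post or of FreeRADIUS): it returns the check/reply mappings, keeps the $GENERIC$ entries apart, and flags lines the format does not allow, plus duplicate mappings as its own sanity check.

```python
"""Parser for the FreeRADIUS rlm_ldap dictionary_mapping file (ldap.attrmap).
Added example, not code from the post or from FreeRADIUS: it reads the
three-column format documented in the file header, keeps $GENERIC$ entries
apart and reports malformed lines (the duplicate check is this example's own).
"""
from dataclasses import dataclass, field

ITEM_TYPES = {"checkItem", "replyItem"}
GENERIC = "$GENERIC$"

@dataclass
class AttrMap:
    check: dict = field(default_factory=dict)    # RADIUS attr -> LDAP attr
    reply: dict = field(default_factory=dict)
    generic: dict = field(default_factory=dict)  # ItemType -> LDAP attr for arbitrary pairs
    errors: list = field(default_factory=list)   # (line number, message)

def parse_attrmap(text: str) -> AttrMap:
    result = AttrMap()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            result.errors.append((line_no, f"expected 3 fields, got {len(fields)}"))
            continue
        item_type, radius_attr, ldap_attr = fields
        if item_type not in ITEM_TYPES:
            result.errors.append((line_no, f"unknown ItemType {item_type!r}"))
            continue
        if radius_attr == GENERIC:
            result.generic[item_type] = ldap_attr
            continue
        target = result.check if item_type == "checkItem" else result.reply
        if radius_attr in target:
            result.errors.append((line_no, f"duplicate mapping for {radius_attr}"))
        else:
            target[radius_attr] = ldap_attr
    return result

SAMPLE_ATTRMAP = """\
# constructed sample in the attrmap format; lines 6 and 7 are deliberately bad
checkItem   $GENERIC$          radiusCheckItem
checkItem   Auth-Type          radiusAuthType
checkItem   NT-Password        ntPassword
replyItem   Session-Timeout    radiusSessionTimeout
replyItem   Session-Timeout    radiusIdleTimeout
fooItem     Class              radiusClass
"""
```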




"Adi Nugraha" <[EMAIL PROTECTED]>

04/11/2005 11:44 PM

        To:        <freeradius-users@lists.freeradius.org>, "Douglas Sterner" <[EMAIL PROTECTED]>
        cc:        <samba@lists.samba.org>, <[EMAIL PROTECTED]>
        Subject:   Re: [Samba] Time to give back, Samba LDAP with FreeRadius



Hi

I'd like to ask about the conf file you posted here. Is there any mistake in
it? Because I tried to use it, but it failed with the following message:

Tue Apr 12 10:11:59 2005 : Info: Starting - reading configuration files ...
Tue Apr 12 10:11:59 2005 : Error: config: No such entry raddbdir for string ${raddbdir}/ldap.attrmap
Tue Apr 12 10:11:59 2005 : Error: Errors reading radiusd.conf

I'm trying to set up wireless authentication using the LDAP backend
containing Samba users as well. Can you help me with this?

Thanks


----- Original Message -----
From: "Douglas Sterner" <[EMAIL PROTECTED]>
To: <freeradius-users@lists.freeradius.org>
Cc: <samba@lists.samba.org>; <[EMAIL PROTECTED]>
Sent: Thursday, April 07, 2005 7:13 AM
Subject: [Samba] Time to give back, Samba LDAP with FreeRadius


> If this is off topic I apologize in advance. Using Samba 3.0.13 with an
> LDAP back-end and FreeRadius I was trying to add the Radius schema and
> kept getting object class violations. It's my limited understanding of
> LDAP that you can not have more than one structural objectclass. I'm no
> ldap expert, so no email telling me how wrong I am. So I came up with
> another solution. Using the Windows NT user manager in samba you can grant
> dialin permission to a user and authenticate against Radius on the
> back-end. We currently already depend on User Manager for other things, so
> this helped to centralize our management of our VPN users. All you have to
> do is select the user / Dialin / Grant Dialin permission to user and
> apply. Using a working Samba LDAP configuration there is nothing in samba
> or LDAP to configure; it's automatic. I've included the changes necessary
> in a working radius server to complete it. We have been using this in a
> Suse ES 9 production environment with great success against a Cisco VPN
> concentrator for remote user authentication.
>
> Radius Config files
>
> Clients.conf
> client 127.0.0.1 {
>
>         secret          = mysecretpassword
>         shortname       = localhost
>         nastype       = other   # localhost isn't usually a NAS...
> }
> client 192.168.XXX.XXX/24 {
>         secret          = mysecretpassword
>         shortname       = internal-network
>         nastype = other
> }
>
> Users
> DEFAULT Auth-Type = LDAP
>
> radius.conf
> ldap {
>         server = "ldap.mydomain.lcl"
>         identity = "cn=Manager,dc=mydomain,dc=lcl"
>         password = "myldappassword"
>         basedn = "dc=mydomain,dc=lcl"
>         #filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>         # Only users granted dialin permission in User Manager carry this
>         # exact SambaMungedDial value, so the filter admits nobody else.
>         filter = "(&(uid=%u)(SambaMungedDial=bQA6ACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABkAAkAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAA))"
>         # set this to 'yes' to use TLS encrypted connections
>         # to the LDAP database by using the StartTLS extended
>         # operation.
>         # The StartTLS operation is supposed to be used with normal
>         # ldap connections instead of using ldaps (port 636) connections
>         start_tls = no
>
>         #default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
>         #profile_attribute = "radiusProfileDn"
>         #access_attr = "dialupAccess"
>
>         # Mapping of RADIUS dictionary attributes to LDAP
>         # directory attributes.
>         dictionary_mapping = ${raddbdir}/ldap.attrmap
>
>         ldap_connections_number = 5
>         # password_header = "{clear}"
>         # password_attribute = userPassword
>         # groupname_attribute = cn
>         # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>         # groupmembership_attribute = radiusGroupName
>         timeout = 4
>         timelimit = 3
>         net_timeout = 1
>         # compare_check_items = yes
>         # access_attr_used_for_allow = yes
> }
>
>
> Douglas Sterner
> Network Analyst
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
>
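The filter in the quoted config gates RADIUS access on one exact base64 value of SambaMungedDial. This added example (not part of the post, Samba or FreeRADIUS) decodes that value to show what the filter is really comparing; it assumes Samba's encoding of the attribute, base64 over the UTF-16LE NT user-parameters blob.

```python
"""Decode the SambaMungedDial value that the LDAP filter above matches.

Added example, not code from the original post or from Samba. Samba stores
this attribute as base64 over the UTF-16LE NT "user parameters" blob, so
decoding it shows what the filter is really comparing: the fixed string that
"Grant dialin permission" happens to produce. The filter is a byte-exact
match, so any other change to the blob breaks it even if dial-in is still
granted; filter_matches() makes that explicit.
"""
import base64

# Value copied from the filter in the post, re-joined across the mail wrap.
MUNGED_DIAL_FROM_POST = (
    "bQA6ACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAA"
    "IAAgACAAIABkAAkAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAg"
    "ACAA"
)

def decode_munged_dial(value: str) -> str:
    """base64 -> raw bytes -> UTF-16LE text; rejects values that are not a
    well-formed blob instead of silently returning garbage."""
    raw = base64.b64decode(value, validate=True)
    if len(raw) % 2:
        raise ValueError("odd byte count: not a UTF-16LE blob")
    return raw.decode("utf-16-le")

def describe_munged_dial(value: str) -> dict:
    """Return the decoded length and every non-space character with its
    offset, which is all the structure visible in this particular blob."""
    text = decode_munged_dial(value)
    return {"length": len(text),
            "markers": [(i, c) for i, c in enumerate(text) if c != " "]}

def filter_matches(ldap_value: str, wanted: str = MUNGED_DIAL_FROM_POST) -> bool:
    """What (SambaMungedDial=<base64>) in the filter actually does: an
    exact string comparison of the stored base64 text."""
    return ldap_value == wanted

if __name__ == "__main__":
    info = describe_munged_dial(MUNGED_DIAL_FROM_POST)
    print(f"{info['length']} UTF-16 chars, non-space markers: {info['markers']}")
```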