Hi, 
I looked at a few things:

1. the authorize section contains "ldap"
2. I bind with an existing user
3. I want to return "Filter-Id" and this is in the "ldap.attrmap"

The strange thing is the following:

I run FreeRADIUS on a virtual machine.
I tried this first with Novell Server A.
There I had a very fast binding and got my return attributes.

Then I tried with Novell Server B.
The binding was very slow and I didn't get my attributes.

The only thing I changed were the servers and groups I authenticate
against.

Your answer brings me to another question:
Do the return attributes need to be defined in the user properties on
the Novell server?

Find attached a debug output:

rad_recv: Access-Request packet from host 170.56.119.129:3243, id=1,
length=48
        User-Name = "herkenra"
        User-Password = "removed"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "herkenra", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'OU=Abteilungen,O=FKEL'
radius_xlat:  '(uid=herkenra)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 170.56.185.59:389, authentication 0
rlm_ldap: bind as cn=B_LDAP,o=FKEL/ to 170.56.185.59:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in OU=Abteilungen,O=FKEL, with filter
(uid=herkenra)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat:
'(|(&(objectClass=GroupOfNames)(member=cn=herkenra,ou=GCD,ou=Abteilungen
,o=FKEL))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn=herkenra,ou=
GCD,ou=Abteilungen,o=FKEL)))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=WGRAS,O=FKEL, with filter
(|(&(objectClass=GroupOfNames)(member=cn=herkenra,ou=GCD,ou=Abteilungen,
o=FKEL))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn=herkenra,ou=G
CD,ou=Abteilungen,o=FKEL)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=herkenra,ou=GCD,ou=Abteilungen,o=FKEL,
with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "files" returns notfound for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for herkenra
radius_xlat:  '(uid=herkenra)'
radius_xlat:  'OU=Abteilungen,O=FKEL'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Abteilungen,O=FKEL, with filter
(uid=herkenra)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user herkenra authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "herkenra" with password "removed"
rlm_ldap: user DN: cn=herkenra,ou=GCD,ou=Abteilungen,o=FKEL
rlm_ldap: (re)connect to 170.56.185.59:389, authentication 1
rlm_ldap: bind as cn=herkenra,ou=GCD,ou=Abteilungen,o=FKEL/removed to
170.56.185.59:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user herkenra authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 0
modcall: group Auth-Type returns ok for request 0
Sending Access-Accept of id 1 to 170.56.119.129:3243
Finished request 0
Going to the next request
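As an added illustration (not part of this thread and not FreeRADIUS code), here is a small Python script that reads the rlm_ldap lines of a `radiusd -X` trace like the one above and reports at which step the `Ldap-Group` check failed: the member/uniqueMember search on the group entry, the fallback to the groupmembership_attribute on the user entry, and the resulting `files` return code. The sample trace is condensed from the output above with the mailer's line wrapping undone; the regular expressions and the `ldap {}` `password` hint are my assumptions about the 1.x debug format, not something the list post states.

```python
import re

# Constructed sample, condensed from the radiusd -X output in the thread.
# The mailer wrapped long lines; here each debug message is on one line.
SAMPLE_DEBUG = """\
rlm_ldap: Entering ldap_groupcmp()
rlm_ldap: bind as cn=B_LDAP,o=FKEL/ to 170.56.185.59:389
rlm_ldap: Bind was successful
rlm_ldap: performing search in OU=Abteilungen,O=FKEL, with filter (uid=herkenra)
rlm_ldap: performing search in CN=WGRAS,O=FKEL, with filter (|(&(objectClass=GroupOfNames)(member=cn=herkenra,ou=GCD,ou=Abteilungen,o=FKEL))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn=herkenra,ou=GCD,ou=Abteilungen,o=FKEL)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: performing search in cn=herkenra,ou=GCD,ou=Abteilungen,o=FKEL, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
  modcall[authorize]: module "files" returns notfound for request 0
"""

# Patterns assumed from the debug lines quoted in the thread (rlm_ldap 1.x style).
SEARCH_RE = re.compile(r"rlm_ldap: performing search in (?P<base>.+?), with filter (?P<filter>\(.*\))\s*$")
BIND_RE = re.compile(r"rlm_ldap: bind as (?P<dn>[^/]*)/(?P<password>\S*) to (?P<server>\S+)")
FILES_RE = re.compile(r'modcall\[authorize\]: module "files" returns (?P<rc>\w+)')
MEMBER_RE = re.compile(r"\(member=(?P<dn>[^)]+)\)")


def group_membership_filter(user_dn):
    """Rebuild the group-search filter exactly as it appears in the trace."""
    return ("(|(&(objectClass=GroupOfNames)(member=%s))"
            "(&(objectClass=GroupOfUniqueNames)(uniquemember=%s)))" % (user_dn, user_dn))


def diagnose_groupcmp(debug_text):
    """Walk the trace and record why the Ldap-Group check item did not match."""
    report = {
        "bind_dn": None, "bind_password_empty": None,
        "group_dn": None, "user_dn": None,
        "group_entry_lists_user": None,     # member/uniqueMember search on the group
        "user_entry_has_group_attr": None,  # groupmembership_attribute on the user
        "files_result": None,
        "findings": [],
    }
    last_search = None
    for line in debug_text.splitlines():
        line = line.strip()
        m = BIND_RE.search(line)
        if m:
            report["bind_dn"] = m.group("dn")
            report["bind_password_empty"] = m.group("password") == ""
            continue
        m = SEARCH_RE.search(line)
        if m:
            base, flt = m.group("base"), m.group("filter")
            if flt.startswith("(|(&(objectClass=GroupOfNames)"):
                last_search = "group"
                report["group_dn"] = base
                report["user_dn"] = MEMBER_RE.search(flt).group("dn")
                report["group_entry_lists_user"] = True  # downgraded if the server says otherwise
            elif flt == "(objectclass=*)" and base == report["user_dn"]:
                last_search = "user"
                report["user_entry_has_group_attr"] = True
            else:
                last_search = "other"
            continue
        if "object not found or got ambiguous search result" in line and last_search == "group":
            report["group_entry_lists_user"] = False
        elif "ldap_groupcmp: ldap_get_values() failed" in line and last_search == "user":
            report["user_entry_has_group_attr"] = False
        m = FILES_RE.search(line)
        if m:
            report["files_result"] = m.group("rc")

    f = report["findings"]
    if report["bind_password_empty"]:
        f.append("bind DN %s was sent with an empty password; check the ldap {} password "
                 "setting, since many servers treat this as an anonymous bind" % report["bind_dn"])
    if report["group_entry_lists_user"] is False:
        f.append("%s has no member/uniqueMember value equal to %s"
                 % (report["group_dn"], report["user_dn"]))
    if report["user_entry_has_group_attr"] is False:
        f.append("user entry %s carries no groupmembership_attribute value to fall back on"
                 % report["user_dn"])
    if report["files_result"] == "notfound":
        f.append('the "files" module matched no users entry, so the Ldap-Group == "%s" line '
                 "and the reply items attached to it were skipped" % report["group_dn"])
    return report


if __name__ == "__main__":
    for finding in diagnose_groupcmp(SAMPLE_DEBUG)["findings"]:
        print("-", finding)
```

Run against the trace above it prints one line per failed step: the group entry does not list the user, the user entry has no group attribute, the bind went out with an empty password, and therefore the `files` module never matched the DEFAULT entry. That is the chain that ends in an Access-Accept with no reply attributes.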

-----Original Message-----
From: Michael Mitchell [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 20 April 2005 15:19
To: freeradius-users@lists.freeradius.org
Subject: Re: Attributes Missing - Auth with ldap


Firstly, run freeradius in debug mode (radiusd -X) and it will tell you 
exactly what it is doing. You should be able to see which attribute it 
has retrieved from the directory to add to the reply.

A few things to look at would be:

1) Do you have ldap configured in the authorize section of radiusd.conf?

This is where it picks up the attributes from the user's record.

2) If the answer to 1 is yes, you're doing an anonymous bind to the LDAP
server. Does that give you the necessary access rights to read the 
record from LDAP?

3) If the answer to 2 is yes, are the attributes you're trying to 
read/return configured in $prefix/etc/raddb/ldap.attrmap?

Hope that helps, and guides you on your way to a solution.

regards,
Mike



Andre Herkenrath wrote:
> Hi,
> 
> I have a very strange problem.
> I authenticate a user against a Novell 6 Server, which is not the
> problem.
> But I need some Attributes from the authentication brought back to the
> NAS
> 
> I put these in the users file and it worked with another server:
> 
> Users (complete)
> -----------------
> DEFAULT Auth-Type := LDAP ,Ldap-Group == "CN=WGRAS,O=FKEL"
>         Reply-Message = "Welcome, you are allowed to have dialup access",
>         Framed-Filter-Id = "std.ppp",
>         Fall-Through = 0
> ------------------
> The Ldap portion of the radiusd.conf (comments removed)
> ----------------
> 
> ldap {
>                 server = "170.56.185.59"
>                 identity = "anonymous"
>                 basedn = "OU=Abteilungen,O=FKEL"
>                 filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>                 start_tls = no
>                 dictionary_mapping = ${raddbdir}/ldap.attrmap
>                 ldap_connections_number = 5
>                 groupmembership_attribute = radiusGroupName
>                 timeout = 20
>                 timelimit = 20
>                 net_timeout = 10
>         }
> 
> Strangely the binds need a very long time (up to 8 seconds each) - but
> what has this to do with the not transmitting the Attributes ??
> 
> As I said, the authentication works, but the Attributes are missing -
> Any Ideas ?
> 
> Regards
> Andre


- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
