Hi,

I looked at a few things:

1. the authorize section contains "ldap"
2. I bind with an existing user
3. I want to return "Filter-Id" and this is in the "ldap.attrmap"

The strange thing is the following: I run the Freeradius on a virtual machine.

I tried this first with Novell Server A. There I had a very fast binding and got my return attributes.
Then I tried with Novell Server B. The binding was very slow and I didn't get my attributes.
The only thing I changed were the servers and groups I authenticate against.

Your answer brings me to another question: Do the return attributes need to be defined on the user properties on the Novell server?

Find attached a debug output:

rad_recv: Access-Request packet from host 170.56.119.129:3243, id=1, length=48
        User-Name = "herkenra"
        User-Password = "removed"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "herkenra", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'OU=Abteilungen,O=FKEL'
radius_xlat: '(uid=herkenra)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 170.56.185.59:389, authentication 0
rlm_ldap: bind as cn=B_LDAP,o=FKEL/ to 170.56.185.59:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in OU=Abteilungen,O=FKEL, with filter (uid=herkenra)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat: '(|(&(objectClass=GroupOfNames)(member=cn=herkenra,ou=GCD,ou=Abteilungen,o=FKEL))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn=herkenra,ou=GCD,ou=Abteilungen,o=FKEL)))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=WGRAS,O=FKEL, with filter (|(&(objectClass=GroupOfNames)(member=cn=herkenra,ou=GCD,ou=Abteilungen,o=FKEL))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn=herkenra,ou=GCD,ou=Abteilungen,o=FKEL)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=herkenra,ou=GCD,ou=Abteilungen,o=FKEL, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "files" returns notfound for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for herkenra
radius_xlat: '(uid=herkenra)'
radius_xlat: 'OU=Abteilungen,O=FKEL'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Abteilungen,O=FKEL, with filter (uid=herkenra)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user herkenra authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "herkenra" with password "removed"
rlm_ldap: user DN: cn=herkenra,ou=GCD,ou=Abteilungen,o=FKEL
rlm_ldap: (re)connect to 170.56.185.59:389, authentication 1
rlm_ldap: bind as cn=herkenra,ou=GCD,ou=Abteilungen,o=FKEL/removed to 170.56.185.59:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user herkenra authenticated succesfully
modcall[authenticate]: module "ldap" returns ok for request 0
modcall: group Auth-Type returns ok for request 0
Sending Access-Accept of id 1 to 170.56.119.129:3243
Finished request 0
Going to the next request

-----Original Message-----
From: Michael Mitchell [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 20 April 2005 15:19
To: freeradius-users@lists.freeradius.org
Subject: Re: Attributes Missing - Auth with ldap

Firstly, run freeradius in debug mode (radiusd -X) and it will tell you exactly what it is doing. You should be able to see which attribute it has retrieved from the directory to add to the reply.

A few things to look at would be:

1) Do you have ldap configured in the authorize section of radiusd.conf? This is where it picks up the attributes from the user's record.

2) If the answer to 1 is yes, you're doing an anonymous bind to the LDAP server. Does that give you the necessary access rights to read the record from LDAP?

3) If the answer to 2 is yes, are the attributes you're trying to read/return configured in $prefix/etc/raddb/ldap.attrmap

Hope that helps, and guides you on your way to a solution.

regards,
Mike

Andre Herkenrath wrote:
> Hi,
>
> I have a very strange problem.
> I authenticate a user against a Novell 6 Server, which is not the
> problem.
> But I need some Attributes from the authentication brought back to the
> NAS
>
> I put these in the users file and it worked with another server:
>
> Users (complete)
> -----------------
> DEFAULT Auth-Type := LDAP, Ldap-Group == "CN=WGRAS,O=FKEL"
>         Reply-Message = "Welcome, you are allowed to have dialup access",
>         Framed-Filter-Id = "std.ppp",
>         Fall-Through = 0
> ------------------
> The Ldap portion of the radiusd.conf (comments removed)
> ----------------
>
> ldap {
>         server = "170.56.185.59"
>         identity = "anonymous"
>         basedn = "OU=Abteilungen,O=FKEL"
>         filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>         start_tls = no
>         dictionary_mapping = ${raddbdir}/ldap.attrmap
>         ldap_connections_number = 5
>         groupmembership_attribute = radiusGroupName
>         timeout = 20
>         timelimit = 20
>         net_timeout = 10
> }
>
> Strangely the binds need a very long time (up to 8 seconds each) - but
> what has this to do with not transmitting the Attributes ??
>
> As I said, the authentication works, but the Attributes are missing -
> Any Ideas ?
>
> Regards
> Andre

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
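
Added example (not part of the original thread and not FreeRADIUS code): a small Python helper that reads `radiusd -X` output like the trace above, records each module's return code, and reports where the Ldap-Group comparison fails before the files module returns notfound. The name `summarize` and the abridged sample lines are constructed for illustration; the matched strings are the ones that appear in the debug output in this thread.

```python
import re

# Constructed sample: abridged lines from the debug output quoted in the thread.
SAMPLE = """\
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_ldap: Entering ldap_groupcmp()
rlm_ldap: performing search in CN=WGRAS,O=FKEL, with filter (|(&(objectClass=GroupOfNames)(member=cn=herkenra,ou=GCD,ou=Abteilungen,o=FKEL)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: performing search in cn=herkenra,ou=GCD,ou=Abteilungen,o=FKEL, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
modcall[authorize]: module "files" returns notfound for request 0
rlm_ldap: looking for reply items in directory...
rlm_ldap: user herkenra authorized to use remote access
modcall[authorize]: module "ldap" returns ok for request 0
modcall[authenticate]: module "ldap" returns ok for request 0
"""

MODCALL = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+)')
SEARCH = re.compile(r'rlm_ldap: performing search in (.+?), with filter ')

def summarize(log):
    """Return ({(section, module): code}, [findings]) for one request's trace."""
    results, findings = {}, []
    in_groupcmp, group_failed, last_base = False, False, None
    for line in log.splitlines():
        line = line.strip()
        m = MODCALL.search(line)
        if m:
            section, module, code = m.groups()
            results[(section, module)] = code
            # A users-file entry guarded by Ldap-Group cannot match if the
            # group comparison that ran just before it failed.
            if module == "files" and code == "notfound" and group_failed:
                findings.append("files: no users entry matched after the Ldap-Group check failed")
            in_groupcmp = group_failed = False
        elif "Entering ldap_groupcmp()" in line:
            in_groupcmp = True
        elif (s := SEARCH.search(line)):
            last_base = s.group(1)  # remember which base DN was searched
        elif in_groupcmp and "object not found" in line:
            findings.append(f"group search matched nothing under {last_base}")
            group_failed = True
        elif in_groupcmp and "ldap_get_values() failed" in line:
            findings.append(f"group lookup on entry {last_base} returned no values")
            group_failed = True
    return results, findings

if __name__ == "__main__":
    for finding in summarize(SAMPLE)[1]:
        print(finding)
```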