On Thu, 19 May 2005, alan walters wrote:
>
> >Please post radiusd -X output. Specifically the part on ldap searches and
> >where the USERS file is matched.
>
> Relevant part of radiusd -X
>
> (auth is successful and group correct)
Clipping most of it for readability.
>
> rad_recv: Access-Request packet from host 10.250.3.1:56020, id=246, length=188
> NAS-Identifier = "radiowavetest.radiowave.net"
> NAS-Port = 0
> NAS-Port-Type = Virtual
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Calling-Station-Id = "10.4.230.10"
> User-Name = "[EMAIL PROTECTED]"
> MS-CHAP-Challenge = 0xbb1e683a0647bf82fa842f8dddd0407f
> MS-CHAP2-Response = 0x010056f2af227579756f984ce333919c80660000000000000000e2af48d7ffc1f099a96315810b76b801aa3270f18e3b7016
> Processing the authorize section of radiusd.conf
> rlm_ldap: performing search in o=clients,dc=radiowave,dc=net, with filter (&(radiusGroupName=lisdoonvarna)([EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: performing search in [EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net, with filter (objectclass=*)
> rlm_ldap::groupcmp: Group lisdoonvarna not found or user not a member
> rlm_ldap: performing search in o=clients,dc=radiowave,dc=net, with filter (&(radiusGroupName=ballyvaughan)([EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: performing search in [EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net, with filter (objectclass=*)
> rlm_ldap::ldap_groupcmp: User found in group ballyvaughan
> rlm_ldap: ldap_release_conn: Release Id: 0
> users: Matched entry DEFAULT at line 10
First users file match, but then it keeps going.
> rlm_ldap: performing search in o=clients,dc=radiowave,dc=net, with filter (&(radiusGroupName=doolin)([EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: performing search in [EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net, with filter (objectclass=*)
> rlm_ldap::groupcmp: Group doolin not found or user not a member
> rlm_ldap: performing search in o=clients,dc=radiowave,dc=net, with filter (&(radiusGroupName=fanore)([EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: performing search in [EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net, with filter (objectclass=*)
> rlm_ldap::groupcmp: Group fanore not found or user not a member
> rlm_ldap: ldap_release_conn: Release Id: 0
> users: Matched entry DEFAULT at line 32
Second match.
> (auth is successful but group does not exist)
>
> rad_recv: Access-Request packet from host 10.250.3.1:60780, id=53, length=188
> NAS-Identifier = "radiowavetest.radiowave.net"
> NAS-Port = 0
> NAS-Port-Type = Virtual
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Calling-Station-Id = "10.4.230.10"
> User-Name = "[EMAIL PROTECTED]"
> MS-CHAP-Challenge = 0xbb1e6896e761f32d9a6c7ac81451a974
> MS-CHAP2-Response = 0x01008ffd28c28741bdca50c3f4aa47c148ca00000000000000000b798d8e8c645e4eedecb42290684d221e8ef2a92b4527e6
> rlm_ldap: performing search in o=clients,dc=radiowave,dc=net, with filter (&(radiusGroupName=lisdoonvarna)([EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: performing search in [EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net, with filter (objectclass=*)
> rlm_ldap::groupcmp: Group lisdoonvarna not found or user not a member
> rlm_ldap: performing search in o=clients,dc=radiowave,dc=net, with filter (&(radiusGroupName=doolin)([EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: performing search in [EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net, with filter (objectclass=*)
> rlm_ldap::groupcmp: Group doolin not found or user not a member
> rlm_ldap: performing search in o=clients,dc=radiowave,dc=net, with filter (&(radiusGroupName=fanore)([EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: performing search in [EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net, with filter (objectclass=*)
> rlm_ldap::groupcmp: Group fanore not found or user not a member
> rlm_ldap: ldap_release_conn: Release Id: 0
> users: Matched entry DEFAULT at line 36
Match.
> This is the same as mine, but you mention something about it needing to be on
> the same line. Exactly what do you mean by this?
Read below.
> ################################################################################
> # default auth to get radius with ldap to work
> ####################################################################################
> DEFAULT Ldap-Group == lisdoonvarna
> Huntgroup-Name == internet,
> User-Profile :=
> "cn=lisdoonvarna,ou=profiles,o=radius,dc=radiowave,dc=net",
> Simultaneous-Use := 2,
> Fall-Through = 1
>
Read man 5 users. All check items must go on the first line. All reply
items follow on the rest of the lines and begin with a tab.
This should read:
DEFAULT Ldap-Group == lisdoonvarna, Huntgroup-Name == internet
	User-Profile := "cn=...",
	Simultaneous-Use := 2,
	Fall-Through = no
> DEFAULT Ldap-Group == doolin
> Huntgroup-Name == internet,
> User-Profile := "cn=doolin,ou=profiles,o=radius,dc=radiowave,dc=net",
> Simultaneous-Use := 2,
> Fall-Through = 1
Same here.
>
> DEFAULT Ldap-Group == fanore
> Huntgroup-Name == internet,
> User-Profile := "cn=fanore,ou=profiles,o=radius,dc=radiowave,dc=net",
> Simultaneous-Use := 2,
> Fall-Through = 1
Same here.
>
> #########################################################################
> ### default ldap authentication fall through works
> ##########################################################################
>
> # DEFAULT Auth-Type := Ldap
> # Auth-Type := Accept,
> # Simultaneous-Use := 1
>
> DEFAULT Auth-Type := Reject
> Reply-Message = "sorry you are not allowed to dial in here",
> Simultaneous-Use := 0
>
> I would think the main issue lies here, which is the above command?
> users: Matched entry DEFAULT at line 36
>
You need to fix your users file and put all the check items on the first
line. I think that should do it.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
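The users-file rules the reply points at, as an added example that is not part of this thread and not FreeRADIUS's own code: a small Python model of how an entry's first line (check items), its tab-indented continuation lines (reply items) and Fall-Through interact, run over constructed copies of the broken entry and of the corrected one. Two things are assumptions of the model rather than server behaviour: the request carries an `Ldap-Group` list and a `Huntgroup-Name` value directly, standing in for rlm_ldap's group lookup and the huntgroups file.

```python
"""Toy model of a FreeRADIUS `users` file (man 5 users): an entry's first line holds
the name and check items, the indented lines after it (comma-terminated except the
last) hold reply items, and Fall-Through decides whether later entries are tried."""
import re
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(==|!=|:=|\+=|=)\s*("[^"]*"|[^,\s]+)\s*(,?)')
COMPARE_OPS = {"==", "!="}   # compared against the request; other check-list ops set config

def parse_items(text):
    """'A == x, B := "y",' -> ([(attr, op, value), ...], line_ended_with_comma)."""
    items, pos, more = [], 0, False
    while text[pos:].strip():
        m = ITEM_RE.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse item list: {text[pos:].strip()!r}")
        attr, op, value, tail = m.groups()
        items.append((attr, op, value.strip('"')))
        more, pos = tail == ",", m.end()
    return items, more

def parse_users(text):
    """One dict per entry: name, lineno, check items, reply items."""
    entries, cur, expect_reply = [], None, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":                                   # reply-item line
            if cur is None or not expect_reply:
                raise ValueError(f"line {lineno}: reply line without a preceding comma")
            items, expect_reply = parse_items(raw)
            cur["reply"].extend(items)
        else:                                                 # name + check items
            name, _, rest = raw.strip().partition(" ")
            items, trailing = parse_items(rest)
            if trailing:
                raise ValueError(f"line {lineno}: trailing comma in check item list")
            cur = {"name": name, "lineno": lineno, "check": items, "reply": []}
            entries.append(cur)
            expect_reply = True
    return entries

def entry_matches(entry, request, config):
    """Compared check items must all hold; the rest then become config items, so
    `DEFAULT Auth-Type := Reject` (nothing to compare) matches every request."""
    for attr, op, value in entry["check"]:
        if op not in COMPARE_OPS:
            continue
        present = (value in request.get("Ldap-Group", []) if attr == "Ldap-Group"
                   else request.get(attr) == value)
        if (op == "==") != present:
            return False
    config.update((a, v) for a, op, v in entry["check"] if op not in COMPARE_OPS)
    return True

def authorize(text, request):
    """Walk the file like rlm_files: every matching entry adds its reply items, and
    matching stops at the first match whose reply list lacks Fall-Through = yes/1."""
    config, reply, matched = {}, {}, []
    for e in parse_users(text):
        if e["name"] not in ("DEFAULT", request.get("User-Name")):
            continue
        if not entry_matches(e, request, config):
            continue
        matched.append(e["lineno"])
        fall_through = False
        for attr, op, value in e["reply"]:
            if attr == "Fall-Through":
                fall_through = value.lower() in ("1", "yes")
            elif op == "=":
                reply.setdefault(attr, value)                 # '=' adds only if absent
            else:
                reply[attr] = value                           # ':=' (and a misplaced '==') replace
        if not fall_through:
            break
    return {"matched": matched, "config": config, "reply": reply}

def misplaced_check_items(text):
    """Reply items with a comparison operator are never enforced: they belong on line 1."""
    return [(e["lineno"], a) for e in parse_users(text)
            for a, op, _ in e["reply"] if op in COMPARE_OPS]

# Constructed users files mirroring the thread. In BROKEN the Huntgroup-Name check sits on
# a continuation line, so it is a reply item, and Fall-Through = 1 runs on to the Reject entry.
BROKEN = """\
DEFAULT Ldap-Group == lisdoonvarna
\tHuntgroup-Name == internet,
\tUser-Profile := "cn=lisdoonvarna,ou=profiles,o=radius,dc=radiowave,dc=net",
\tFall-Through = 1

DEFAULT Auth-Type := Reject
\tReply-Message = "sorry you are not allowed to dial in here"
"""
FIXED = """\
DEFAULT Ldap-Group == lisdoonvarna, Huntgroup-Name == internet
\tUser-Profile := "cn=lisdoonvarna,ou=profiles,o=radius,dc=radiowave,dc=net",
\tFall-Through = no

DEFAULT Auth-Type := Reject
\tReply-Message = "sorry you are not allowed to dial in here"
"""
# Constructed requests (assumption): the Ldap-Group list replaces the LDAP group lookup.
MEMBER_INTERNET = {"User-Name": "alice", "Ldap-Group": ["lisdoonvarna"], "Huntgroup-Name": "internet"}
MEMBER_DIALUP = {"User-Name": "alice", "Ldap-Group": ["lisdoonvarna"], "Huntgroup-Name": "dialup"}
```

`misplaced_check_items(BROKEN)` flags `Huntgroup-Name` on line 1, and `authorize(BROKEN, MEMBER_DIALUP)` matches lines 1 and 6: the huntgroup is never compared, `Huntgroup-Name` ends up in the reply list, and `Fall-Through = 1` carries matching on to the `Auth-Type := Reject` entry, so the reject wins. With the check items on the first line and Fall-Through off, `authorize(FIXED, MEMBER_INTERNET)` matches only line 1 and `authorize(FIXED, MEMBER_DIALUP)` only the Reject entry on line 5. The parser also refuses a trailing comma on the check line, which is why the corrected entry above ends its first line at `internet` without one.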