On Wed, 25 May 2005, alan walters wrote:
> So I have groups working fine now; if the client is in a group all is ok.
> As per the example below the client is not in a group. At the bottom is
> the users file.
> Is there a reason why the client does not get an accept-reject ????
>
>
> rlm_ldap: Entering ldap_groupcmp()
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: (re)connect to 10.250.1.25:389, authentication 0
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap::groupcmp: Group lisdoonvarna not found ????or user not a
> member
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: Entering ldap_groupcmp()
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap::ldap_groupcmp: User found in group ballyvaughan
** User was found in ballyvaughan.
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: Entering ldap_groupcmp()
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap::groupcmp: Group doolin not found ????or user not a member
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: Entering ldap_groupcmp()
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap::groupcmp: Group fanore not found ????or user not a member
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for [EMAIL PROTECTED]
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: (re)connect to 10.250.1.25:389, authentication 0
> rlm_ldap: bind as cn=manager,dc=radiowave,dc=net/23ldap11safe to
> 10.250.1.25:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: checking if remote access for [EMAIL PROTECTED] is allowed by
> dialupAccess
> rlm_ldap: Added password porsche959 in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: Adding radiusLoginIPHost as Login-IP-Host, value 10.4.230.210
> & op=11
> rlm_ldap: Adding radiusFramedIPNetmask as Framed-IP-Netmask, value
> 255.255.255.0 & op=11
> rlm_ldap: Adding radiusFramedIPAddress as Framed-IP-Address, value
> 10.4.230.10 & op=11
> rlm_ldap: user [EMAIL PROTECTED] authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> Login OK: [EMAIL PROTECTED]/<no User-Password attribute>] (from client
> m0n01 port 0 cli 10.250.1.229)
> Sending Access-Accept of id 185 to 10.250.1.1:52134
> Login-IP-Host = 10.4.230.210
> Framed-IP-Netmask = 255.255.255.0
> Framed-IP-Address = 10.4.230.10
> MS-CHAP2-Success = 0x01533d30353146304237463430424541444331363434393131433041383634453832414236423543384433
> MS-MPPE-Recv-Key = 0xf4c68b3146e2f01275bfbb343f6b7155
> MS-MPPE-Send-Key = 0xf65092b2b572fa48c0bf2c14b8a1ebe6
> MS-MPPE-Encryption-Policy = 0x00000001
> MS-MPPE-Encryption-Types = 0x00000006
> rad_recv: Accounting-Request packet from host 10.250.1.1:60954, id=213,
> length=158
> NAS-Identifier = "radiowave-fw.radiowave.local"
> NAS-Port = 0
> NAS-Port-Type = Virtual
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Calling-Station-Id = "10.250.1.229"
> User-Name = "[EMAIL PROTECTED]"
> Framed-IP-Address = 10.250.4.96
> Acct-Status-Type = Start
> Acct-Session-Id = "7007248-pt0"
> Acct-Multi-Session-Id = "7007248-pt0"
> Acct-Link-Count = 1
> Acct-Authentic = RADIUS
>
>
> ################################################################################
> # default auth to get radius with ldap to work
> ################################################################################
> DEFAULT Ldap-Group == lisdoonvarna, Huntgroup-Name == internet, User-Profile := "cn=lisdoonvarna,ou=profiles,o=radius,dc=radiowave,dc=net", Simultaneous-Use := 2
>         Fall-Through = 1
>
> DEFAULT Ldap-Group == ballyvaughan, Huntgroup-Name == internet, User-Profile := "cn=ballyvaughan,ou=profiles,o=radius,dc=radiowave,dc=net", Simultaneous-Use := 2
>         Fall-Through = 1
>
> DEFAULT Ldap-Group == doolin, Huntgroup-Name == internet, User-Profile := "cn=doolin,ou=profiles,o=radius,dc=radiowave,dc=net", Simultaneous-Use := 2
>         Fall-Through = 1
>
> DEFAULT Ldap-Group == fanore, Huntgroup-Name == internet, User-Profile := "cn=fanore,ou=profiles,o=radius,dc=radiowave,dc=net", Simultaneous-Use := 2
>         Fall-Through = 1
>
> ################################################################################
> ### default ldap group does not succeed
> ################################################################################
>
> DEFAULT Auth-Type := Reject, Reply-Message = "sorry you are not allowred to dial in here", Simultaneous-Use := 0
>
The Reply-Message should go on the second line on this one. Reply-Message
is not a check item. Also, technically, you don't need Simultaneous-Use,
since they are being rejected, this session will never be added.
Your user was found in a group; however, it should have been rejected
since you have Fall-Through = 1 (yes). It should have fallen through to
the default reject line. Note: this is probably not what you want,
because all users will be rejected when you fix the Reject line. I would
change Fall-Through to no (0) in all your Ldap-Group entries above it.
Move the Reply-Message to the second line:
DEFAULT Auth-Type := Reject
        Reply-Message = "You cannot dial in here"
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
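A toy model of how rlm_files walks the users file, added here as an example (not code from the thread or from FreeRADIUS): it parses entries in the layout discussed above, flags a Reply-Message placed among the check items, and shows that a group entry with Fall-Through = 1 drops the matched user into the final DEFAULT Reject, while Fall-Through = 0 stops at the group entry. The sample entries and the simplified operator handling are constructed for illustration.

```python
import re

# Constructed sample mirroring the thread's layout: one Ldap-Group entry with
# Fall-Through = 1, then the catch-all Reject with Reply-Message on the check line.
USERS = '''\
DEFAULT Ldap-Group == ballyvaughan, Huntgroup-Name == internet, Simultaneous-Use := 2
\tFall-Through = 1
DEFAULT Auth-Type := Reject, Reply-Message = "sorry you are not allowed to dial in here"
'''
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)')
REPLY_ONLY = {"Reply-Message"}  # belongs on the indented reply line, never in checks

def parse_users(text):
    """Return [(name, check_items, reply_items)]; each item is (attr, op, value)."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        items = [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(line)]
        if line[0] in " \t":            # indented continuation: reply items
            entries[-1][2].extend(items)
        else:                           # first line: entry name, then check items
            entries.append((line.split()[0], items, []))
    return entries

def misplaced_reply_items(entries):
    """(entry name, attribute) for reply-only attributes found among check items."""
    return [(n, a) for n, checks, _ in entries for a, _, _ in checks if a in REPLY_ONLY]

def check_ok(request, attr, value):
    """A '==' check passes on equality, or on membership for set-valued
    attributes such as Ldap-Group (a user may belong to several groups)."""
    have = request.get(attr)
    return value in have if isinstance(have, set) else have == value

def match(entries, request):
    """Walk entries in file order as rlm_files does: every matching entry adds
    its ':=' control items and its reply items; processing stops after the
    first match unless that entry's reply items set Fall-Through."""
    control, reply = {}, {}
    for name, checks, replies in entries:
        if name not in ("DEFAULT", request.get("User-Name")):
            continue
        if not all(check_ok(request, a, v) for a, op, v in checks if op == "=="):
            continue
        control.update((a, v) for a, op, v in checks if op == ":=")
        reply.update((a, v) for a, _, v in replies)
        if reply.pop("Fall-Through", "0").lower() not in ("1", "yes"):
            break
    return control, reply
```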