Alhagie Puye - Network Engineer Datawave Group of Companies (604)295-1817
> >-----Original Message-----
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dusty Doris
> >Sent: December 2, 2005 10:11 AM
> >To: FreeRadius users mailing list
> >Subject: RE: Freeradius How to integrate Active Directory and return groupattribute to VPN Concentrator
> >
> >On Wed, 30 Nov 2005, Alhagie Puye wrote:
> >
> >> Ok, so I played around some more with the settings.
> >>
> >> Actually "group" and "groupofnames" are not correct attributes for user.
> >>
> >> It is supposed to be "memberof". So I changed the line in ldap.attrmap to look like:
> >>
> >> replyItem Class memberof
> >>
> >> Now I'm getting replyItems but the data looks like garbage. I want it to return the group name.
> >>
> >
> >You are returning CN as the Class in your RADIUS packet.
> >
> >Class = CN
> >
> >Class is not a string, it's an octet string, so what you are seeing, 434e, is really CN. You must be returning something like
> >
> >memberof: CN=somegroup,ou=someou,...

Yes, you are absolutely correct. I have now installed and configured OpenLDAP and followed your instructions to the teeth because this is driving me to the wall. If I have to implement OpenLDAP to get this working, then that's what I will do.......

Here is what I'm getting now:

Cleaning up request 0 ID 183 with timestamp 4390a566
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 127.0.0.1:44210, id=250, length=57
        User-Name = "user2"
        User-Password = "whatever"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "user2", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'DC=mydomain,DC=com'
radius_xlat:  '(uid=user2)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in DC=mydomain,DC=com, with filter (uid=user2)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat:  '(&(uid=user2))(objectclass=radiusprofile)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in DC=mydomain,DC=com, with filter (&(radiusGroupName=disabled)(&(uid=user2))(objectclass=radiusprofile))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=user2,ou=users,ou=radius,dc=mydomain,dc=com, with filter (objectclass=*)
rlm_ldap::groupcmp: Group disabled not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'DC=mydomain,DC=com'
radius_xlat:  '(&(uid=user2))(objectclass=radiusprofile)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in DC=mydomain,DC=com, with filter (&(radiusGroupName=dial)(&(uid=user2))(objectclass=radiusprofile))
rlm_ldap::ldap_groupcmp: User found in group dial
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 169
  modcall[authorize]: module "files" returns ok for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user2
radius_xlat:  '(uid=user2)'
radius_xlat:  'DC=mydomain,DC=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in DC=mydomain,DC=com, with filter (uid=user2)
rlm_ldap: performing search in uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com, with filter (objectclass=radiusprofile)
rlm_ldap: Adding radiusFramedRouting as Framed-Routing, value None & op=11
rlm_ldap: Adding radiusFramedIPNetmask as Framed-IP-Netmask, value 255.255.255.0 & op=11
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP & op=11
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & op=11
rlm_ldap: Added password whatever in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusgroupname as Class, value dial & op=11
rlm_ldap: Adding radiusgroupname as Class, value isdn & op=11
rlm_ldap: user user2 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 1
modcall: group authorize returns ok for request 1
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 1
rlm_ldap: - authenticate
rlm_ldap: login attempt by "user2" with password "whatever"
rlm_ldap: user DN: uid=user2,ou=users,ou=radius,dc=mydomain,dc=com
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=user2,ou=users,ou=radius,dc=mydomain,dc=com/whatever to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user user2 authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 1
modcall: group Auth-Type returns ok for request 1
Sending Access-Accept of id 250 to 127.0.0.1:44210
        Framed-Routing = None
        Framed-IP-Netmask = 255.255.255.0
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Class = 0x6469616c
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 250 with timestamp 4390a725
Nothing to do.  Sleeping until we see a request.

Dusty, I know you mentioned that you are implementing what I'm trying to achieve with the Cisco VPN Concentrator. Is this what I SHOULD expect for my setup to work?

Thanks in advance,
Alhagie.

> >
> >It seems like rlm_ldap is stripping anything after that = sign. You should check the bugs db and see if you can find something like this.
> >
> >
> >-
> >List info/subscribe/unsubscribe? See
> >http://www.freeradius.org/list/users.html
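Two details the thread turns on can be checked offline: the RADIUS Class attribute is raw octets, so radiusd -X prints 0x6469616c for "dial" and 434e for "CN", and an Active Directory memberOf value is a full DN, not the bare group name the VPN concentrator is expected to match on. The script below is an added example written for this page; it is not code from the thread or from the FreeRADIUS project. The memberOf values in it are constructed, and it assumes RFC 4514 DN syntax with single-valued RDNs (no "+" multi-valued RDNs, which AD group DNs don't normally use). It decodes a Class value exactly as radiusd prints it and extracts the CN of a memberOf DN, including DNs whose group name contains an escaped comma, so the two can be compared.

```python
# Added example (not from the mailing-list thread or FreeRADIUS):
# decode a RADIUS Class octet string as radiusd -X prints it and pull the
# group name (CN) out of an Active Directory memberOf DN.
import binascii

# Constructed sample memberOf values; the second has an RFC 4514-escaped comma.
SAMPLE_MEMBER_OF = [
    "CN=VPN Users,OU=Groups,DC=mydomain,DC=com",
    "CN=Sales\\, EMEA,OU=Groups,DC=mydomain,DC=com",
]


def decode_class(hexstr):
    """Turn the octet string radiusd -X prints for Class (RFC 2865 s5.25,
    e.g. '0x6469616c' or bare '434e') back into text."""
    if hexstr.lower().startswith("0x"):
        hexstr = hexstr[2:]
    return binascii.unhexlify(hexstr).decode("ascii", errors="replace")


def split_dn(dn):
    """Split a DN into (attribute-type, value) pairs.

    Honours backslash escapes ('\\,' and '\\2c' both mean a literal comma)
    so a value such as 'Sales, EMEA' is not cut in half. Assumption: every
    RDN is single-valued; hex escapes are treated as single Latin-1 bytes.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(ch in "0123456789abcdefABCDEF" for ch in pair):
                buf.append(chr(int(pair, 16)))   # \XX hex escape
                i += 3
            else:
                buf.append(dn[i + 1])            # \, \= \+ etc.
                i += 2
            continue
        if c == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr_type, _, value = rdn.partition("=")
        pairs.append((attr_type.strip().lower(), value.strip()))
    return pairs


def group_name(member_of_dn):
    """Return the CN of a memberOf DN, i.e. the group name a Class reply
    item would need to carry if the NAS matches on the bare name."""
    for attr_type, value in split_dn(member_of_dn):
        if attr_type == "cn":
            return value
    raise ValueError("no CN in DN: %r" % member_of_dn)


def class_matches_group(class_hex, member_of_dn):
    """True if a Class value from an Access-Accept equals the group's CN."""
    return decode_class(class_hex) == group_name(member_of_dn)


if __name__ == "__main__":
    for dn in SAMPLE_MEMBER_OF:
        print("%s -> %s" % (dn, group_name(dn)))
    print("Class 0x434e decodes to %r" % decode_class("0x434e"))
    print("Class 0x6469616c decodes to %r" % decode_class("0x6469616c"))
```

Feeding it the 434e value from the quoted reply reproduces Dusty's point (it decodes to "CN"), and feeding it the 0x6469616c from the Access-Accept above gives "dial", which is what a NAS comparing Class against a group name would need to see.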

