Hello, thanks for your answers.


  It's not in the conf files.  Read the debug output.  It's in LDAP.



Ok, the problem in the log file is this:

> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=vlan3)
> rlm_ldap: Added password vlan3 in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding radiusCiscoAVPair as Cisco-AVPair, value ssid=VLAN3 & op=21
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value VLAN & op=11
> rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id, value 3 & op=11
> rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value IEEE-802 & op=11
> Invalid operator for item EAP-Type: reverting to '=='
> rlm_ldap: Pairs do not match. Rejecting user.
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns reject for request 5
> modcall: leaving group authorize (returns reject) for request 5
> Invalid user (rlm_ldap: Pairs do not match): [vlan3/<no User-Password attribute>] (from client cn-radius port 276 cli 000c.f135.f1ba)
>  PEAP: Tunneled authentication was rejected.
>  rlm_eap_peap: FAILURE


But in ldap.attrmap I added only the following to the original file:

checkItem    Cisco-AVPair    radiusCiscoAVPair

and

replyItem    Tunnel-Medium-Type    radiusTunnelMediumType
replyItem    Tunnel-Private-Group-Id    radiusTunnelPrivateGroupId
replyItem    Tunnel-Type        radiusTunnelType


My user in the LDAP directory has the following attributes:


# vlan3, people, create-net.org
dn: sn=vlan3,ou=people,dc=create-net,dc=org
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: radiusprofile
radiusTunnelPrivateGroupId: 3
radiusCiscoAVPair: ssid=VLAN3
sn: vlan3
uid: vlan3
radiusTunnelMediumType: IEEE-802
radiusTunnelType: VLAN
cn: vlan3
userPassword:: dmxhbjM=



I don't have an EAP-Type entry and I don't understand where freeradius finds this attribute...


Bye Antonio