Quoting Alan DeKok <[EMAIL PROTECTED]>:

> Roger Thomas <[EMAIL PROTECTED]> wrote:
> > My LDAP knowledge is quite shallow and as such I would like to use
> >
> > - openLDAP only for authentication
> > - MySQL for authorization and accounting
> >
> > If that is possible, do I *still* need to extend my LDAP schema with ~/doc/examples/openldap.schema ?
>
> I don't think so. If all you're using LDAP for is usernames &
> passwords, that should be in the default schema.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

I ran radtest and it complained that there is no dialupAccess attribute, so access is denied by default.

-- snippet from debug screen --
...
...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=example,dc=com, with filter ([EMAIL PROTECTED])
rlm_ldap: no dialupAccess attribute - access denied by default
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns userlock for request 0
modcall: leaving group authorize (returns userlock) for request 0
Invalid user (rlm_ldap: Access Attribute denies access): [EMAIL PROTECTED]/thepassword] (from client localhost port 10)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 144 to 127.0.0.1 port 32803
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 144 with timestamp 44cff3d6
Nothing to do. Sleeping until we see a request.

I noticed that the 'dialupAccess' attribute is defined in the radiusprofile objectClass (openldap.schema). Means radiusd expects that objectClass to be made available. Wonder if there is any way around this?

--
Roger

