OK, so the password is not in LDAP. Where is it then? Are you trying to accept users without passwords? Consider using a perl script to implement that logic and forget about the LDAP module in FreeRADIUS.
Ivan Kalik
Kalik Informatika
ISP

On 4/1/2008, "Eric Martell" <[EMAIL PROTECTED]> writes:

> Hi Alan,
> I am trying to do ldap query lookup in the authorize
> section and after successful authorization (if ldap
> entry exists on search query) ....reply with
> Access-Accept if not reject.
>
> I do not want to do authentication in LDAP as we are
> not storing "userPassword" attribute in ldap schema.
>
> So in a way trying to do..
>
> if(ldap search success) {
>   Access-Accept
> } else {
>   Access-Reject
> }
>
> Please check the thread below what Phil told me to
> do...
>
> Hi Phil,
> Here are the detailed configs and logs. Please let me
> know.
> Thanks and Regards.
>
> modules {
>   ldap {
>     server = "ldap://xxxxxxxxx:1389"
>     identity = "uid=appuser,ou=appadm,o=entitlement"
>     password = ******
>     basedn = "ou=roles,o=entitlement"
>
>     dictionary_mapping = ${raddbdir}/ldap.attrmap
>     filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(entitlements=WIFILOC1)(attribute1=%{User-Password}))"
>
>     start_tls = no
>     ldap_connections_number = 5
>
>     timeout = 4
>     timelimit = 3
>     net_timeout = 1
>
>     set_auth_type = no
>   }
> }
>
> authorize {
>   ...
>   ldap
>   pap
> }
>
> authenticate {
>   Auth-Type PAP {
>     pap
>   }
>   ......
> }
>
> In the users file
> #DEFAULT Auth-Type := Local
>   #Session-Timeout = 7200,
>   #Fall-Through = Yes
>
> #DEFAULT Auth-Type := System
>   #Session-Timeout = 7200,
>   #Fall-Through = Yes
>
> Here is the detailed log.
>
> rad_recv: Access-Request packet from host 216.2.193.1:55729, id=2, length=48
>         User-Name = "test1"
>         User-Password = "11111"
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
>     rlm_realm: No '@' in User-Name = "test1", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for test1
> radius_xlat:  '(&(uid=test1)(entitlements=WIFILOC1)(attribute1=11111))'
> radius_xlat:  'ou=roles,o=entitlement'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldap://xxxx:1389, authentication 0
> rlm_ldap: bind as uid=appuser,ou=appadm,o=entitlement/xxxx to ldap://xxxxxxx:1389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=roles,o=entitlement, with filter (&(uid=test1)(entitlements=WIFILOC1)(attribute1=11111))
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user test1 authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 0
> rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
>   modcall[authorize]: module "pap" returns noop for request 0
> modcall: leaving group authorize (returns ok) for request 0
> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> auth: Failed to validate the user.
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 2 to 216.2.193.1 port 55729
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 2 with timestamp 4761660e
> Nothing to do.  Sleeping until we see a request.
>
> --- Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>
>> > rlm_ldap: user test1 authorized to use remote access
>> > rlm_ldap: ldap_release_conn: Release Id: 0
>> >   modcall[authorize]: module "ldap" returns ok for request 0
>> > rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
>>
>> That's the problem.
>>
>> Your LDAP module should be copying the LDAP attribute containing the
>> password to the relevant check item.
>>
>> Slightly confusing, there are two ways to do this:
>>
>> 1. ldap.attrmap
>> 2. password_attribute & password_header config items of ldap module
>>
>> What are those set up to do?
>>
>> A full "-X" debug would help at this point.
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
> >>>
> Assuming you are using a recent version of FreeRadius, you can do one of
> the following:
>
> modules {
>   ldap {
>     ...
>     set_auth_type = no
>   }
> }
>
> authorize {
>   preprocess
>   ldap
>   pap
> }
>
> authenticate {
>   Auth-Type PAP {
>     pap
>   }
> }
>
> >>>
>
> --- Alan DeKok <[EMAIL PROTECTED]> wrote:
>
>> Eric Martell wrote:
>> > Hi Alan,
>> > Can you please help me out with the LDAP query? I
>> > am still stuck with the issue.
>>
>> What problem is left to solve?
>>
>> i.e. I read and answer a *lot* of email. I don't recall much past
>> what's on my screen right now...
>>
>> Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
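Added example, not Ivan's or the FreeRADIUS project's code: an rlm_perl authorize function implementing the "accept if the LDAP entry exists, otherwise reject" logic Ivan suggests, using the server, bind DN and base DN from the quoted config (the bind password is a placeholder, and the return codes are the values from FreeRADIUS's example.pl). It assumes FreeRADIUS 2.x with rlm_perl and Net::LDAP installed, and it fails the request rather than accepting it when the directory cannot be reached.

```perl
# Added example (not from the thread): accept only if a directory entry exists.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util     qw(escape_filter_value);
use Net::LDAP::Constant qw(LDAP_SIZELIMIT_EXCEEDED);

our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);   # populated by rlm_perl

# Return codes as defined in FreeRADIUS's example.pl
use constant {
    RLM_MODULE_REJECT  => 0,
    RLM_MODULE_FAIL    => 1,
    RLM_MODULE_UPDATED => 8,
};

# Connection settings taken from the quoted config; the password is a placeholder.
my $LDAP_URI = 'ldap://xxxxxxxxx:1389';
my $BIND_DN  = 'uid=appuser,ou=appadm,o=entitlement';
my $BIND_PW  = 'CHANGE-ME';
my $BASE_DN  = 'ou=roles,o=entitlement';

# 1 if exactly one entry matches, 0 if none or several, undef on LDAP error.
sub entry_exists {
    my ($uid) = @_;
    my $ldap = Net::LDAP->new($LDAP_URI, timeout => 4) or return undef;
    my $bind = $ldap->bind($BIND_DN, password => $BIND_PW);
    return undef if $bind->code;
    # Escape the username so a crafted User-Name cannot change the filter.
    my $filter = sprintf('(&(uid=%s)(entitlements=WIFILOC1))',
                         escape_filter_value($uid));
    my $res = $ldap->search(base => $BASE_DN, scope => 'sub', filter => $filter,
                            attrs => ['1.1'], sizelimit => 2);
    $ldap->unbind;
    return undef if $res->code && $res->code != LDAP_SIZELIMIT_EXCEEDED;
    return $res->count == 1 ? 1 : 0;
}

sub authorize {
    my $user = defined $RAD_REQUEST{'Stripped-User-Name'}
             ? $RAD_REQUEST{'Stripped-User-Name'} : $RAD_REQUEST{'User-Name'};
    return RLM_MODULE_REJECT unless defined $user && length $user;
    my $found = entry_exists($user);
    return RLM_MODULE_FAIL   unless defined $found;   # directory error: fail, never accept
    return RLM_MODULE_REJECT unless $found;
    # Entry exists: accept without running the authenticate section.
    $RAD_CHECK{'Auth-Type'} = 'Accept';
    return RLM_MODULE_UPDATED;
}
1;
```

Load it with a `perl { module = /path/to/this-script.pl }` block in radiusd.conf and list `perl` in authorize in place of ldap and pap. The request's password is never examined, so whoever can create entries under ou=roles controls who gets Access-Accept.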