At 02:39 AM 12/1/2009, Alan DeKok wrote:
> Because you've forced the "ntlm_auth" module to be run. That module
> ONLY checks clear-text passwords, and there is NO clear-text password in
> the request.
>
> Change the line having
>
> ... Auth-Type := ntlm_auth, ...
>
> to
>
> ... Auth-Type = ntlm_auth, ...
DEFAULT Huntgroup-Name == Cisco_Huntgroup, Auth-Type:=ntlm_auth, Ldap-Group == "Infrastructure"
        Service-Type:=NAS-Prompt-User,cisco-avpair:="shell:priv-lvl=15"

DEFAULT Huntgroup-Name == VPN_Huntgroup, Auth-Type=ntlm_auth, Ldap-Group == "VPN_Users"
It runs the LDAP group check, but still lets the user log in even
when he's not in the VPN_Users group:
rlm_ldap::groupcmp: Group VPN_Users not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
++[files] returns noop
[ldap] performing user authorization for ciscorsteeves
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] expand: (&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) -> (&(sAMAccountname=ciscorsteeves)(objectClass=person))
[ldap] expand: OU=Enterprise,DC=example,DC=com -> OU=Enterprise,DC=example,DC=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Enterprise,DC=example,DC=com, with filter (&(sAMAccountname=ciscorsteeves)(objectClass=person))
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user ciscorsteeves authorized to use remote access
> And read "man users" to see what the difference is.
>
> Alan DeKok.

Ahh, man 5 users. Cool.

Rick
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
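Added example, not part of Rick's configuration or Alan's reply: the log above shows why the user still gets in. A users-file entry whose check items fail (here Ldap-Group) is simply skipped, files returns noop, and the request continues to the LDAP module's own authorization and then to the authenticate section, so a failed group check on its own never rejects anyone. A second DEFAULT entry for the same huntgroup that sets Auth-Type := Reject catches the requests the first entry skipped. The huntgroup and group names are Rick's; the Reject entry, the Reply-Message text and the comments are assumptions.

```text
# Entry 1: VPN huntgroup AND a member of VPN_Users.
# "Auth-Type = ntlm_auth" (not ":=") only sets Auth-Type if an earlier module
# (e.g. mschap) has not already set it. First matching entry wins; no Fall-Through.
DEFAULT Huntgroup-Name == VPN_Huntgroup, Ldap-Group == "VPN_Users", Auth-Type = ntlm_auth

# Entry 2: VPN huntgroup but the Ldap-Group check above failed, so entry 1 was
# skipped. Without this entry files returns noop and nothing denies the user.
# Auth-Type := Reject forces an Access-Reject for everyone who reaches this line.
DEFAULT Huntgroup-Name == VPN_Huntgroup, Auth-Type := Reject
        Reply-Message := "Not a member of VPN_Users"
```

With this in place a request from the VPN huntgroup for a non-member should show the files module matching the second entry and the server sending Access-Reject, instead of the "user ... authorized to use remote access" line above.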