I thought I would place a general post regarding the Access packets...

While I successfully authenticate, I cannot seem to formulate a working
packet which authenticates AND authorizes. With 3 1/2 years of working
with 2 other (commercial) radius servers, I thought I would have gotten
this by now. :(

Below is the response from my test:

rad# radclient -f test.auth localhost auth xxxxx
Received response ID 90, code 3, length = 20


Here is my test.auth:

User-Name = gozilla
User-Password = xxxxx
Nas-IP-Address = 127.0.0.1
Nas-Port-ID = 0
Service-Type = Framed-User
Class = AnalogUser

And here are some log entries:

rlm_ldap: checking if remote access for gozilla is allowed by
radiusClass
rlm_ldap: checking user membership in dialup-enabling group
ou=People,o=CTTEL,c=US
radius_xlat:  'ou=People,o=CTTEL,c=US'
radius_xlat:  ''(&(uid=gozilla)(o=cttel.net))''
rlm_ldap: performing search in ou=People,o=CTTEL,c=US, with filter
'(&(uid=gozilla)(o=cttel.net))'
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns userlock
modcall: group authorize returns userlock
Invalid user (rlm_ldap: User is not an access group member):
[gozilla/xxxxxx] (from nas local port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
Thread 1 waiting to be assigned a request
rad_recv: Access-Request packet from host 127.0.0.1:33879, id=90,
length=74
Sending duplicate authentication reply to client localhost:33879 - ID:
90
Sending Access-Reject of id 90 to 127.0.0.1:33879

The result of an ldapsearch as below returns what is expected.

 ldapsearch -x -v -hloon.cttel.net -bou=People,o=CTTEL,c=US
'(&(uid=gozilla)(o=cttel.net))'

I am running my ldap server in debug mode, and am seeing a failed
inquiry, using exactly the information above, so I am wondering whether
there is a bug, or a fundamental misunderstanding in how to
configure this portion of a freeradius server.



If more info is needed - please let me know. Thanks again as I'm sure I
am not unique in hoping to document step by step the process of setting
up and testing the freeradius server. It IS a very nice piece of
software.




-- 


Sincerely,
 

Michael Klatsky
Senior Unix Administrator
Connecticut Telephone
1 Talcott Plaza
Hartford, CT 06103
1-860-240-6496

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
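
Added example, not part of the original post and not FreeRADIUS code: a small Python helper that pulls the search base, filter and module result out of rlm_ldap debug output like the excerpt above, and prints the matching `ldapsearch` command so the server's query and the manual test can be compared side by side. The function names are hypothetical, and the sample log is constructed from the lines quoted in the post.

```python
import re
import shlex

# Constructed sample: rlm_ldap debug lines from the post above, keeping the
# hard line wraps the mail client introduced.
SAMPLE_LOG = """\
rlm_ldap: checking user membership in dialup-enabling group
ou=People,o=CTTEL,c=US
radius_xlat:  'ou=People,o=CTTEL,c=US'
radius_xlat:  ''(&(uid=gozilla)(o=cttel.net))''
rlm_ldap: performing search in ou=People,o=CTTEL,c=US, with filter
'(&(uid=gozilla)(o=cttel.net))'
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns userlock
"""

SEARCH = re.compile(r"rlm_ldap: performing search in (.+?), with filter '([^']*)'")
RETURNS = re.compile(r'module "ldap" returns (\w+)')
NOT_FOUND = "rlm_ldap: object not found or got ambiguous search result"


def ldap_searches(log_text):
    """Return one dict per rlm_ldap search: base, filter, outcome."""
    flat = " ".join(log_text.split())  # undo hard wraps and indentation
    hits = list(SEARCH.finditer(flat))
    results = []
    for i, m in enumerate(hits):
        # Everything up to the next search belongs to this one.
        end = hits[i + 1].start() if i + 1 < len(hits) else len(flat)
        tail = flat[m.end():end]
        ret = RETURNS.search(tail)
        results.append({
            "base": m.group(1),
            "filter": m.group(2),
            "not_found": NOT_FOUND in tail,
            "module_result": ret.group(1) if ret else None,
        })
    return results


def as_ldapsearch(search, host):
    """Shell-quoted ldapsearch command equivalent to one logged search."""
    argv = ["ldapsearch", "-x", "-h", host, "-b", search["base"], search["filter"]]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    for s in ldap_searches(SAMPLE_LOG):
        print(s)
        print(as_ldapsearch(s, "loon.cttel.net"))
```

`ldapsearch -x` with no `-D` binds anonymously, so the replayed command sees the directory the way the server does only if the server binds the same way.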
