Kostas-

Thanks for your response. Now, what to do with the groupname items? If I comment them out, I end up with:

rlm_ldap: performing search in o=CTTEL,c=US, with filter (uid=gozilla)
rlm_ldap: checking if remote access for gozilla is allowed by radiusClass
rlm_ldap: checking user membership in dialup-enabling group radiusClass=AnalogUser
radius_xlat: 'radiusClass=AnalogUser'
radius_xlat: '(uid=gozilla)'
rlm_ldap: performing search in radiusClass=AnalogUser, with filter (uid=gozilla)
rlm_ldap: ldap_search() failed: No such object

My goal is- if (obviously) username and password match, then see if the user is an AnalogUser (radiusClass=AnalogUser). If so- then allow them access.

Should I make my filter be (&(uid=%u)(radiusClass=AnalogUser))?

Thanks again...

Michael

On Mon, 2002-05-13 at 14:17, Kostas Kalevras wrote:
> On 13 May 2002, Michael Klatsky wrote:
>
> > I thought I would place a general post regarding the Access packets...
> >
> > While I successfully authenticate, I cannot seem to formulate a working
> > packet which authenticates AND authorizes. With 3 1/2 years of working
> > with 2 other (commercial) radius servers, I thought I would have gotten
> > this by now. :(
> >
> > Below is the response from my test:
> >
> > rad# radclient -f test.auth localhost auth xxxxx
> > Received response ID 90, code 3, length = 20
> >
> >
> > Here is my test.auth:
> >
> > User-Name = gozilla
> > User-Password = xxxxx
> > Nas-IP-Address = 127.0.0.1
> > Nas-Port-ID = 0
> > Service-Type = Framed-User
> > Class = AnalogUser
> >
> > And here are some log entries:
> >
> > rlm_ldap: checking if remote access for gozilla is allowed by radiusClass
> > rlm_ldap: checking user membership in dialup-enabling group ou=People,o=CTTEL,c=US
> > radius_xlat: 'ou=People,o=CTTEL,c=US'
> > radius_xlat: ''(&(uid=gozilla)(o=cttel.net))''
> > rlm_ldap: performing search in ou=People,o=CTTEL,c=US, with filter '(&(uid=gozilla)(o=cttel.net))'
> > rlm_ldap: object not found or got ambiguous search result
> > ldap_release_conn: Release Id: 0
> > modcall[authorize]: module "ldap" returns userlock
> > modcall: group authorize returns userlock
> > Invalid user (rlm_ldap: User is not an access group member): [gozilla/xxxxxx] (from nas local port 0)
> > Delaying request 0 for 1 seconds
> > Finished request 0
> > Going to the next request
> > Thread 1 waiting to be assigned a request
> > rad_recv: Access-Request packet from host 127.0.0.1:33879, id=90, length=74
> > Sending duplicate authentication reply to client localhost:33879 - ID: 90
> > Sending Access-Reject of id 90 to 127.0.0.1:33879
> >
> > The result of an ldapsearch as below returns what is expected.
> >
> > ldapsearch -x -v -hloon.cttel.net -bou=People,o=CTTEL,c=US '(&(uid=gozilla)(o=cttel.net))'
> >
> > I am running my ldap server in debug mode, and am seeing a failed
> > inquiry, using exactly the information above- so I am wondering whether
> > there is a bug, or a fundamental misunderstanding in how to configure
> > this portion of a freeradius server.
> >
> > If more info is needed - please let me know. Thanks again as I'm sure I
> > am not unique in hoping to document step by step the process of setting
> > up and testing the freeradius server. It IS a very nice piece of
> > software.
> >
> > --
> > Sincerely,
> >
> > Michael Klatsky
> > Senior Unix Administrator
> > Connecticut Telephone
> > 1 Talcott Plaza
> > Hartford, CT 06103
> > 1-860-240-6496
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> You are using group membership access without having defined a group. The way
> you have configured it the ldap module will try to find if user godzilla is a
> member of the group ou=People,o=CTTEL,c=US. In your case though
> ou=People,o=CTTEL,c=US is just the base for your ldap search and not an ldap
> group. So you should either use a valid group or disable the access_group
> configuration directive (just comment it out).
>
> The comment in doc/rlm_ldap:
> 'means all users located in the LDAP tree under specified "basedn"'
> applies for the default access_group (NULL).
>
> --
> Kostas Kalevras          Network Operations Center
> [EMAIL PROTECTED]        National Technical University of Athens, Greece
> Work Phone: +30 10 7721861
> 'Go back to the shadow' Gandalf

--
Sincerely,

Michael Klatsky
Senior Unix Administrator
Connecticut Telephone
1 Talcott Plaza
Hartford, CT 06103
1-860-240-6496