What's in your users file?

Check http://doris.cc/radius; it explains how to use the User-Profile to
send back group reply attributes.  Here are some relevant parts.

LDAP Entry
dn: uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com
objectclass: radiusprofile
uid: dial
radiusServiceType: Framed-User
radiusFramedProtocol: PPP
radiusFramedIPNetmask: 255.255.255.0
radiusFramedRouting: None

Users File
DEFAULT Huntgroup-Name == dial, Ldap-Group == dial, User-Profile := "uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com"
        Fall-Through = no

The users file is saying if you are in the Huntgroup of dial and the
ldap-group of dial, then your reply attributes will be found in
uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com

Hope that helps
Dusty Doris
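
As an added example (not code from the original mail or from FreeRADIUS itself), the script below simulates the step described above: the attributes of the User-Profile entry are mapped through the dictionary_mapping file to RADIUS reply items. The attrmap lines and the LDIF entry are constructed for the example; the three-column attrmap layout and the $GENERIC$/radiusReplyItem line are assumed from the ldap.attrmap convention.

```python
# Added example, not from the original mail or FreeRADIUS: simulates how rlm_ldap
# maps a User-Profile entry onto reply items through dictionary_mapping.
# Constructed: attrmap lines (itemType RADIUS-attr ldapAttr); LDIF = dial profile + 1 generic item.
import re
ATTRMAP = """
replyItem   $GENERIC$           radiusReplyItem
replyItem   Service-Type        radiusServiceType
replyItem   Framed-Protocol     radiusFramedProtocol
replyItem   Framed-IP-Netmask   radiusFramedIPNetmask
"""
PROFILE_LDIF = """
dn: uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com
objectclass: radiusprofile
uid: dial
radiusServiceType: Framed-User
radiusFramedProtocol: PPP
radiusFramedIPNetmask: 255.255.255.0
radiusReplyItem: Idle-Timeout = 600
"""

def parse_attrmap(text):
    """{ldap_attr (lowercased): (item_type, radius_attr)}; LDAP names are case-insensitive."""
    rows = [l.split() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return {ldap.lower(): (kind, radius) for kind, radius, ldap in rows}

def parse_ldif_entry(text):
    """(dn, {attr (lowercased): [values]}) for a single LDIF entry."""
    attrs = {}
    for line in filter(str.strip, text.splitlines()):
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs.pop("dn")[0], attrs

def reply_items(attrs, mapping):
    """Reply list the profile yields; attributes absent from the map are ignored."""
    items = []
    for ldap_attr, values in attrs.items():
        kind, radius_attr = mapping.get(ldap_attr, (None, None))
        if kind != "replyItem":
            continue  # objectclass, uid, check items: nothing to send back
        for v in values:
            if radius_attr == "$GENERIC$":  # "Attr = value": the value names the attribute
                items.append(tuple(re.split(r"\s*:?=\s*", v, maxsplit=1)))
            else:
                items.append((radius_attr, v))
    return items

def profile_reply(ldif=PROFILE_LDIF, attrmap=ATTRMAP):
    dn, attrs = parse_ldif_entry(ldif)
    return dn, reply_items(attrs, parse_attrmap(attrmap))
```

Attributes not listed in the map (objectclass, uid) and checkItem entries produce no reply item, which is why an entry that only matches the filter but has no mapped reply attributes sends nothing back.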

On Fri, 6 Feb 2004, Sam Silvester wrote:

> Hi Everybody!
>
> I'm stuck trying to implement an LDAP based FreeRADIUS server -
> basically I've got Authorization working perfectly, but at the
> Authentication stage, no group reply attributes are set. I'm obviously
> not sure what the problem is, but from reading the debug output, it
> looks almost as if an ldap search to get the reply attributes is not
> being executed.
>
> If I manually execute the search using ldapsearch, using the same bind
> options as I see in the debug log, and with the filter specified by
> groupmembership_filter, then I get the output that I would like to have
> returned by FreeRADIUS as reply items, so I don't think it's a problem
> with my LDAP data/schema etc. It just seems like I haven't correctly
> instructed FreeRADIUS to actually "do it" - to go and get the group
> information.
>
> Here's the relevant section of my debug output...
>
> ---start debug output---
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for hugh
> radius_xlat:  '(&(objectClass=radiusProfile)(uid=hugh))'
> radius_xlat:  'dc=e-access,dc=com,dc=au'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=e-access,dc=com,dc=au, with filter
> (&(objectClass=radiusProfile)(uid=hugh))
> rlm_ldap: checking if remote access for hugh is allowed by dialupAccess
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user hugh authorized to use remote access
> ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 1
> modcall: group authorize returns ok for request 1
>   rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
> modcall: entering group Auth-Type for request 1
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "hugh" with password "testpass"
> rlm_ldap: user DN:
> cn=hugh,cn=3,cn=2000,cn=package,cn=hugh,cn=user,ou=eaccounts,dc=e-access
> ,dc=com,dc=au
> rlm_ldap: (re)connect to 127.0.0.1:389, authentication 1
> rlm_ldap: bind as
> cn=hugh,cn=3,cn=2000,cn=package,cn=hugh,cn=user,ou=eaccounts,dc=e-access
> ,dc=com,dc=au/testpass to 127.0.0.1:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: user hugh authenticated succesfully
>   modcall[authenticate]: module "ldap" returns ok for request 1
> modcall: group Auth-Type returns ok for request 1
> Sending Access-Accept of id 40 to 192.168.1.50:49167
> Finished request 1
> Going to the next request
> ---end debug output---
>
> Here is the output from radtest
>
> [EMAIL PROTECTED] raddb]# radtest hugh sportswater 127.0.0.1 1 testing123
> Sending Access-Request of id 40 to 127.0.0.1:1812
>         User-Name = "hugh"
>         User-Password = "testpass"
>         NAS-IP-Address = 127.0.0.1
>         NAS-Port = 1
> rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=40,
> length=20
>
> Here is the ldap part of my radiusd.conf file, if you need any more
> information don't hesitate to ask - I won't include the whole file here
> just because it's so big!
>
>         ldap {
>                 server = "127.0.0.1"
>                 identity = "cn=root,dc=e-access,dc=com,dc=au"
>                 password = test1234
>                 basedn = "dc=e-access,dc=com,dc=au"
>                 filter = "(&(objectClass=radiusProfile)(uid=%{Stripped-User-Name:-%{User-Name}}))"
>
>                 # set this to 'yes' to use TLS encrypted connections
>                 # to the LDAP database by using the StartTLS extended
>                 # operation.
>                 # The StartTLS operation is supposed to be used with normal
>                 # ldap connections instead of using ldaps (port 689) connections
>                 start_tls = no
>
>                 # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
>                 # profile_attribute = "radiusProfileDn"
>                 access_attr = "dialupAccess"
>
>                 # Mapping of RADIUS dictionary attributes to LDAP
>                 # directory attributes.
>                 dictionary_mapping = ${raddbdir}/ldap.attrmap
>
>                 ldap_connections_number = 5
>                 # password_header = "{clear}"
>                 # password_attribute = userPassword
>                 groupname_attribute = uid
>                 groupmembership_filter = "(&(objectClass=radiusProfile)(uid=dialup))"
>                 groupmembership_attribute = radiusGroupName
>                 timeout = 4
>                 timelimit = 3
>                 net_timeout = 1
>                 # compare_check_items = yes
>                 # access_attr_used_for_allow = yes
>         }
>
> Thanks in advance,
>
> Sam Silvester
> Systems Administrator
>
> E-Access Internet
> Customer Service: 1300 13 88 10
> Our technical support hours are 9am - 9pm everyday (ACST)
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>