What's in your users file? Check http://doris.cc/radius; it explains how to use the User-Profile to send back group reply attributes. Here are some relevant parts.
LDAP Entry

    dn: uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com
    objectclass: radiusprofile
    uid: dial
    radiusServiceType: Framed-User
    radiusFramedProtocol: PPP
    radiusFramedIPNetmask: 255.255.255.0
    radiusFramedRouting: None

Users File

    DEFAULT Huntgroup-Name == dial, Ldap-Group == dial, User-Profile := "uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com"
            Fall-Through = no

The users file is saying that if you are in the Huntgroup of dial and the
ldap-group of dial, then your reply attributes will be found in
uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com.

Hope that helps,

Dusty Doris


On Fri, 6 Feb 2004, Sam Silvester wrote:

> Hi Everybody!
>
> I'm stuck trying to implement an LDAP based FreeRADIUS server -
> basically I've got Authorization working perfectly, but at the
> Authentication stage, no group reply attributes are set. I'm obviously
> not sure what the problem is, but from reading the debug output, it
> looks almost as if an ldap search to get the reply attributes is not
> being executed.
>
> If I manually execute the search using ldapsearch, using the same bind
> options as I see in the debug log, and with the filter specified by
> groupmembership_filter, then I get the output that I would like to have
> returned by FreeRADIUS as reply items, so I don't think it's a problem
> with my LDAP data/schema etc. It just seems like I haven't correctly
> instructed FreeRADIUS to actually "do it" - to go and get the group
> information.
>
> Here's the relevant section of my debug output...
>
> ---start debug output---
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for hugh
> radius_xlat: '(&(objectClass=radiusProfile)(uid=hugh))'
> radius_xlat: 'dc=e-access,dc=com,dc=au'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=e-access,dc=com,dc=au, with filter (&(objectClass=radiusProfile)(uid=hugh))
> rlm_ldap: checking if remote access for hugh is allowed by dialupAccess
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user hugh authorized to use remote access
> ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for request 1
> modcall: group authorize returns ok for request 1
> rad_check_password: Found Auth-Type LDAP
> auth: type "LDAP"
> modcall: entering group Auth-Type for request 1
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "hugh" with password "testpass"
> rlm_ldap: user DN: cn=hugh,cn=3,cn=2000,cn=package,cn=hugh,cn=user,ou=eaccounts,dc=e-access,dc=com,dc=au
> rlm_ldap: (re)connect to 127.0.0.1:389, authentication 1
> rlm_ldap: bind as cn=hugh,cn=3,cn=2000,cn=package,cn=hugh,cn=user,ou=eaccounts,dc=e-access,dc=com,dc=au/testpass to 127.0.0.1:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: user hugh authenticated succesfully
> modcall[authenticate]: module "ldap" returns ok for request 1
> modcall: group Auth-Type returns ok for request 1
> Sending Access-Accept of id 40 to 192.168.1.50:49167
> Finished request 1
> Going to the next request
> ---end debug output---
>
> Here is the output from radtest
>
> [EMAIL PROTECTED] raddb]# radtest hugh sportswater 127.0.0.1 1 testing123
> Sending Access-Request of id 40 to 127.0.0.1:1812
>         User-Name = "hugh"
>         User-Password = "testpass"
>         NAS-IP-Address = 127.0.0.1
>         NAS-Port = 1
> rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=40, length=20
>
> Here is the ldap part of my radiusd.conf file, if you need any more
> information don't hesitate to ask - I won't include the whole file here
> just because it's so big!
>
> ldap {
>         server = "127.0.0.1"
>         identity = "cn=root,dc=e-access,dc=com,dc=au"
>         password = test1234
>         basedn = "dc=e-access,dc=com,dc=au"
>         filter = "(&(objectClass=radiusProfile)(uid=%{Stripped-User-Name:-%{User-Name}}))"
>
>         # set this to 'yes' to use TLS encrypted connections
>         # to the LDAP database by using the StartTLS extended
>         # operation.
>         # The StartTLS operation is supposed to be used with normal
>         # ldap connections instead of using ldaps (port 689) connections
>         start_tls = no
>
>         # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
>         # profile_attribute = "radiusProfileDn"
>         access_attr = "dialupAccess"
>
>         # Mapping of RADIUS dictionary attributes to LDAP
>         # directory attributes.
>         dictionary_mapping = ${raddbdir}/ldap.attrmap
>
>         ldap_connections_number = 5
>         # password_header = "{clear}"
>         # password_attribute = userPassword
>         groupname_attribute = uid
>         groupmembership_filter = "(&(objectClass=radiusProfile)(uid=dialup))"
>         groupmembership_attribute = radiusGroupName
>         timeout = 4
>         timelimit = 3
>         net_timeout = 1
>         # compare_check_items = yes
>         # access_attr_used_for_allow = yes
> }
>
> Thanks in advance,
>
> Sam Silvester
> Systems Administrator
>
> E-Access Internet
> Customer Service: 1300 13 88 10
> Our technical support hours are 9am - 9pm every day (ACST)
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
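As an added illustration (not code from the original thread and not FreeRADIUS's own implementation), the script below models the mechanism Dusty's reply relies on: a users-file DEFAULT entry whose `==` check items must match, whose `:=` item sets User-Profile, and whose profile DN is then looked up in the directory and translated into reply items through an ldap.attrmap style mapping. The users-file entry and LDIF are the ones quoted in the reply; the four-line attrmap subset is constructed here and assumed to mirror the stock file's replyItem mappings. It also simplifies: Huntgroup-Name and Ldap-Group are treated as already-resolved request attributes, only the `==`, `!=` and `:=` operators are handled, and the directory is an in-memory LDIF snapshot rather than a live server.

```python
import re

# Constructed inputs: the users-file entry and profile entry quoted above,
# plus an assumed subset of ldap.attrmap (item type, RADIUS attr, LDAP attr).
USERS_FILE = '''\
DEFAULT Huntgroup-Name == dial, Ldap-Group == dial, User-Profile := "uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com"
\tFall-Through = no
'''
LDIF = '''\
dn: uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com
objectclass: radiusprofile
uid: dial
radiusServiceType: Framed-User
radiusFramedProtocol: PPP
radiusFramedIPNetmask: 255.255.255.0
radiusFramedRouting: None
'''
ATTRMAP = '''\
replyItem Service-Type       radiusServiceType
replyItem Framed-Protocol    radiusFramedProtocol
replyItem Framed-IP-Netmask  radiusFramedIPNetmask
replyItem Framed-Routing     radiusFramedRouting
'''

# attribute, operator, value; a quoted value may contain commas (the DN does)
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(==|!=|:=|=)\s*("[^"]*"|[^\s,]+)\s*,?')


def parse_items(text):
    return [(m.group(1), m.group(2), m.group(3).strip('"'))
            for m in ITEM_RE.finditer(text)]


def parse_users(text):
    """Unindented lines start an entry (name plus check items); indented
    continuation lines carry that entry's reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0] in ' \t':
            entries[-1]['reply'].extend(parse_items(line))
        else:
            name, _, rest = line.partition(' ')
            entries.append({'name': name, 'check': parse_items(rest), 'reply': []})
    return entries


def authorize(entries, request):
    """Return (control items, reply items). '==' / '!=' must match the
    request; ':=' in the check list sets a control item such as User-Profile.
    Processing stops at the first matching entry unless Fall-Through = yes."""
    control, reply = {}, {}
    for entry in entries:
        if entry['name'] != 'DEFAULT' and entry['name'] != request.get('User-Name'):
            continue
        pending, matched = {}, True
        for attr, op, val in entry['check']:
            if op == '==' and request.get(attr) != val:
                matched = False
            elif op == '!=' and request.get(attr) == val:
                matched = False
            elif op == ':=':
                pending[attr] = val
        if not matched:
            continue
        control.update(pending)
        fall_through = False
        for attr, op, val in entry['reply']:
            if attr == 'Fall-Through':
                fall_through = val.lower() == 'yes'
            else:
                reply[attr] = val
        if not fall_through:
            break
    return control, reply


def parse_ldif(text):
    """dn -> {attribute (lower-cased, since LDAP names are case-insensitive): [values]}"""
    directory, current = {}, None
    for line in text.splitlines():
        key, _, val = line.partition(':')
        key, val = key.strip().lower(), val.strip()
        if key == 'dn':
            current = directory.setdefault(val, {})
        elif current is not None and key:
            current.setdefault(key, []).append(val)
    return directory


def parse_attrmap(text):
    mapping = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not line.startswith('#'):
            item_type, radius_attr, ldap_attr = fields[:3]
            mapping[ldap_attr.lower()] = (item_type, radius_attr)
    return mapping


def profile_reply_items(directory, attrmap, dn):
    """Reply items carried by the profile entry, or None when the DN named in
    User-Profile does not exist: the silent 'no reply attributes' case."""
    entry = directory.get(dn)
    if entry is None:
        return None
    return {radius_attr: entry[ldap_attr][0]
            for ldap_attr, (item_type, radius_attr) in attrmap.items()
            if item_type == 'replyItem' and ldap_attr in entry}


def resolve(request):
    control, reply = authorize(parse_users(USERS_FILE), request)
    dn = control.get('User-Profile')
    if dn:
        extra = profile_reply_items(parse_ldif(LDIF), parse_attrmap(ATTRMAP), dn)
        if extra:
            reply.update(extra)
    return control, reply
```

A request that is in both groups picks up User-Profile and the four reply items from the profile entry; a request missing Ldap-Group matches nothing and gets an empty reply, which is the symptom in the question. The DN in User-Profile is an exact string, so a typo in it also yields an empty reply without any error in the users file; before blaming the users file, confirm the profile entry exists with a base-scope search such as `ldapsearch -x -b "uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com" -s base`, and confirm the group membership check itself with `radiusd -X`.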