Hello,

freeradius-0.9.3_1
openldap-2.2.6
freebsd-4.9-p11

For some reason this isn't working. I could have sworn I got it working before doing this. But this is my setup:

radius.conf:

        ldap dialup {
                server = "localhost"
                identity = "cn=Manager,dc=gwi,dc=net"
                password = "********************"
                basedn = "ou=Users,o=gwi.net,dc=gwi,dc=net"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                start_tls = no
                tls_mode = no
                dictionary_mapping = ${raddbdir}/ldap-dialup.attrmap
                ldap_connections_number = 5
                groupname_attribute = gidNumber
                groupmembership_filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                timeout = 4
                timelimit = 3
                net_timeout = 1
                compare_check_items = no
        }

users:

        # Setup Auth Attributes
        DEFAULT Auth-Type = LDAP, Autz-Type = LDAP
                Fall-Through = Yes

        #Regular POP connection, then check for Static IP/Subnet POP connections
        DEFAULT Huntgroup-Name == dialup, Autz-Type := DIALUP
                Fall-Through = Yes

        #Reject mbox accounts
        DEFAULT Ldap-Group == "27"
                Idle-Timeout = "1",
                Filter-Id = "denied"

It hits the first default, hits the second default, but doesn't hit the third default. I've read that groupname_attribute should = cn, but we'd really like to just use gidNumber (that's the group they're in).

Here is a log of a user connecting (that should be getting the denied Filter-Id). For some reason it's completely ignoring my groupname_attribute and groupmembership_filter settings, and just using the defaults.

rad_recv: Access-Request packet from host 127.0.0.1:4272, id=221, length=61
        User-Name = "celtadmin"
        User-Password = "***"
        NAS-IP-Address = 207.5.128.1
        NAS-Port = 2
modcall: entering group authorize for request 68
  modcall[authorize]: module "preprocess" returns ok for request 68
    rlm_realm: No '@' in User-Name = "celtadmin", looking up realm NULL
    rlm_realm: Found realm "NULL"
    rlm_realm: Adding Stripped-User-Name = "celtadmin"
    rlm_realm: Proxying request from user celtadmin to realm NULL
    rlm_realm: Adding Realm = "NULL"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 68
    users: Matched DEFAULT at 49
    huntgroups: Matched dialup at 47
    users: Matched DEFAULT at 57
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'ou=Users,o=gwi.net,dc=gwi,dc=net'
radius_xlat: '(uid=celtadmin)'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (uid=celtadmin)
ldap_release_conn: Release Id: 0
radius_xlat: '(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (&(cn=25)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))))
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group 25 not found or user is not a member.
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'ou=Users,o=gwi.net,dc=gwi,dc=net'
radius_xlat: '(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (&(cn=26)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))))
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group 26 not found or user is not a member.
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'ou=Users,o=gwi.net,dc=gwi,dc=net'
radius_xlat: '(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (&(cn=27)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))))
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group 27 not found or user is not a member.
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'ou=Users,o=gwi.net,dc=gwi,dc=net'
radius_xlat: '(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (&(cn=28)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))))
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group 28 not found or user is not a member.
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'ou=Users,o=gwi.net,dc=gwi,dc=net'
radius_xlat: '(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (&(cn=29)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))))
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group 29 not found or user is not a member.
  modcall[authorize]: module "files" returns ok for request 68
modcall: group authorize returns ok for request 68
modcall: entering group Autz-Type for request 68
rlm_ldap: - authorize
rlm_ldap: performing user authorization for celtadmin
radius_xlat: '(uid=celtadmin)'
radius_xlat: 'ou=Users,o=gwi.net,dc=gwi,dc=net'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (uid=celtadmin)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user celtadmin authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "dialup" returns ok for request 68
modcall: group Autz-Type returns ok for request 68
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group Auth-Type for request 68
rlm_ldap: - authenticate
rlm_ldap: login attempt by "celtadmin" with password "***"
rlm_ldap: user DN: uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net/hucKle to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: user celtadmin authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 68
modcall: group Auth-Type returns ok for request 68
Sending Access-Accept of id 221 to 127.0.0.1:4272

Thank you,
Lew A
GWI Operations

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
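The log above is the evidence that settles this kind of problem: every Ldap-Group comparison produces a "performing search ... with filter (&(cn=NN)(|(&(objectClass=GroupOfNames)...)))" line, and the attribute inside that filter is the groupname_attribute actually in force, whatever radiusd.conf says. The following is an added example (not code from the post, from FreeRADIUS, or from rlm_ldap) that does the two checks a practitioner wants here: it builds the filter in the "(&(<groupname_attribute>=<group>)<groupmembership_filter>)" shape the log shows, so you can see what the "dialup" instance would send with gidNumber, and it scans radiusd -X output to report which attribute the server really used. The %{...} expander, the RFC 4515 escaping of expanded values, and the regular expression for the debug line are assumptions of this example, not rlm_ldap 0.9.3 behaviour; the sample log is trimmed from the post's own output.

```python
"""Check which rlm_ldap group settings a FreeRADIUS debug log really used.

Added example, not part of the original post or of FreeRADIUS/rlm_ldap.
The filter shape "(&(<groupname_attribute>=<group>)<groupmembership_filter>)"
is taken from the post's log; the xlat stand-in, the escaping and the
log regex are assumptions made for this script.
"""
import re

# rlm_ldap defaults, as they appear expanded in the post's log.
DEFAULT_GROUPNAME_ATTR = "cn"
DEFAULT_MEMBERSHIP_FILTER = (
    "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
    "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
)

# Constructed request attributes for user "celtadmin" from the post.
REQUEST = {
    "User-Name": "celtadmin",
    "Stripped-User-Name": "celtadmin",
    "Ldap-UserDn": "uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net",
}


def ldap_escape(value):
    """RFC 4515 escaping for assertion values built from request data.
    A hardening choice of this example; the post does not show whether
    rlm_ldap 0.9.3 escapes xlat output before putting it in a filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch
                   for ch in value)


_INNER = re.compile(r"%\{([^{}]+)\}")


def xlat(template, attrs):
    """Minimal stand-in for radius_xlat: expands %{Attr} and
    %{Attr:-fallback}, innermost first, so nested fallbacks work."""
    def sub(m):
        name, _, fallback = m.group(1).partition(":-")
        if attrs.get(name):
            return ldap_escape(attrs[name])
        return fallback
    prev, out = None, template
    while prev != out:
        prev, out = out, _INNER.sub(sub, out)
    return out


def build_groupcmp_filter(groupname_attr, membership_filter, group, attrs):
    """The per-group filter shape seen for each Ldap-Group comparison."""
    return "(&(%s=%s)%s)" % (groupname_attr, group,
                              xlat(membership_filter, attrs))


# Assumed to match the "radiusd -X" line format shown in the post.
_SEARCH = re.compile(
    r"rlm_ldap: performing search in (?P<base>.+?), with filter "
    r"\(&\((?P<attr>[A-Za-z][A-Za-z0-9-]*)=(?P<value>[^)]*)\)"
)


def groupcmp_attributes_in_log(log_text):
    """[(base, attr, value), ...] for every ldap_groupcmp search line;
    plain user lookups like (uid=...) do not match the (&(attr=value) form."""
    return [(m.group("base"), m.group("attr"), m.group("value"))
            for m in _SEARCH.finditer(log_text)]


def check_groupname_attribute(log_text, configured_attr):
    """Compare the configured groupname_attribute with what the log used.
    Returns (ok, set of attributes actually used)."""
    used = {attr for _, attr, _ in groupcmp_attributes_in_log(log_text)}
    return (used == {configured_attr}, used)


# Constructed sample: three search lines trimmed from the post's log.
SAMPLE_LOG = """\
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (uid=celtadmin)
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (&(cn=25)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))))
rlm_ldap::ldap_groupcmp: Group 25 not found or user is not a member.
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (&(cn=27)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))))
rlm_ldap::ldap_groupcmp: Group 27 not found or user is not a member.
"""

if __name__ == "__main__":
    # What the "dialup" instance in the post would send for Ldap-Group == "27".
    intended = build_groupcmp_filter(
        "gidNumber", "(uid=%{Stripped-User-Name:-%{User-Name}})", "27", REQUEST)
    print("intended filter:", intended)
    ok, used = check_groupname_attribute(SAMPLE_LOG, "gidNumber")
    print("attribute(s) in log:", sorted(used),
          "(config in effect)" if ok else "(config NOT in effect)")
```

Run against the post's log this reports that every group comparison used "cn" with the default GroupOfNames/GroupOfUniqueNames filter, so the gidNumber setting was never consulted for Ldap-Group. Note also that the debug output names two ldap instances: "dialup" handles Autz-Type and "ldap" handles Auth-Type; which instance answers the Ldap-Group comparison is the next thing to check, since the one in the post's radiusd.conf excerpt is the "dialup" one. In the rlm_ldap versions I know, a named second instance registers its own "<instance>-Ldap-Group" attribute rather than "Ldap-Group"; whether 0.9.3 does the same is something to confirm in that version's rlm_ldap README, not something the post shows.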