Hello,

freeradius-0.9.3_1
openldap-2.2.6
freebsd-4.9-p11

For some reason this isn't working. I could have sworn I got it working
before doing this. But this is my setup:

radius.conf:
        ldap dialup {
                server = "localhost"
                identity = "cn=Manager,dc=gwi,dc=net"
                password = "********************"
                basedn = "ou=Users,o=gwi.net,dc=gwi,dc=net"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                start_tls = no
                tls_mode = no
                dictionary_mapping = ${raddbdir}/ldap-dialup.attrmap
                ldap_connections_number = 5
                groupname_attribute = gidNumber
                groupmembership_filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                timeout = 4
                timelimit = 3
                net_timeout = 1
                compare_check_items = no
        }

users:
# Setup Auth Attributes
DEFAULT Auth-Type = LDAP, Autz-Type = LDAP
        Fall-Through = Yes

#Regular POP connection, then check for Static IP/Subnet POP connections
DEFAULT Huntgroup-Name == dialup, Autz-Type := DIALUP
        Fall-Through = Yes

#Reject mbox accounts
DEFAULT Ldap-Group == "27"
        Idle-Timeout = "1",
        Filter-Id = "denied"

It hits the first default, hits the second default, but doesn't hit the
third default. I've read that groupname_attribute should = cn, but we'd
really like to just use gidNumber (that's the group they're in). Here is a
log of a user connecting (that should be getting the denied Filter-Id).
For some reason it's completely ignoring my groupname_attribute and
groupmembership_filter settings, and just using the defaults.

rad_recv: Access-Request packet from host 127.0.0.1:4272, id=221,
length=61
        User-Name = "celtadmin"
        User-Password = "***"
        NAS-IP-Address = 207.5.128.1
        NAS-Port = 2
modcall: entering group authorize for request 68
  modcall[authorize]: module "preprocess" returns ok for request 68
    rlm_realm: No '@' in User-Name = "celtadmin", looking up realm NULL
    rlm_realm: Found realm "NULL"
    rlm_realm: Adding Stripped-User-Name = "celtadmin"
    rlm_realm: Proxying request from user celtadmin to realm NULL
    rlm_realm: Adding Realm = "NULL"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 68
    users: Matched DEFAULT at 49
  huntgroups: Matched dialup at 47
    users: Matched DEFAULT at 57
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=Users,o=gwi.net,dc=gwi,dc=net'
radius_xlat:  '(uid=celtadmin)'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with
filter (uid=celtadmin)
ldap_release_conn: Release Id: 0
radius_xlat:
'(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with
filter
(&(cn=25)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))))
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group 25 not found or user is not a member.
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=Users,o=gwi.net,dc=gwi,dc=net'
radius_xlat:
'(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with
filter
(&(cn=26)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))))
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group 26 not found or user is not a member.
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=Users,o=gwi.net,dc=gwi,dc=net'
radius_xlat:
'(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with
filter
(&(cn=27)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))))
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group 27 not found or user is not a member.
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=Users,o=gwi.net,dc=gwi,dc=net'
radius_xlat:
'(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with
filter
(&(cn=28)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))))
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group 28 not found or user is not a member.
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=Users,o=gwi.net,dc=gwi,dc=net'
radius_xlat:
'(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with
filter
(&(cn=29)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))))
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group 29 not found or user is not a member.
  modcall[authorize]: module "files" returns ok for request 68
modcall: group authorize returns ok for request 68
modcall: entering group Autz-Type for request 68
rlm_ldap: - authorize
rlm_ldap: performing user authorization for celtadmin
radius_xlat:  '(uid=celtadmin)'
radius_xlat:  'ou=Users,o=gwi.net,dc=gwi,dc=net'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with
filter (uid=celtadmin)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user celtadmin authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "dialup" returns ok for request 68
modcall: group Autz-Type returns ok for request 68
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group Auth-Type for request 68
rlm_ldap: - authenticate
rlm_ldap: login attempt by "celtadmin" with password "***"
rlm_ldap: user DN: uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net/hucKle to
localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: user celtadmin authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 68
modcall: group Auth-Type returns ok for request 68
Sending Access-Accept of id 221 to 127.0.0.1:4272

Thank you,
Lew A
GWI Operations

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
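Added example (not from the post above and not FreeRADIUS project code): a small script that pulls each ldap_groupcmp() search out of radiusd -X debug output and reports which attribute the group filter was actually built with, so a mismatch between the configured groupname_attribute and what rlm_ldap really sent to the directory shows up at a glance. The log text, DN, user name and the second gidNumber search are constructed placeholders modelled on the output in the post; run over the real debug log, it reports every comparison that used cn= plus the stock GroupOfNames/GroupOfUniqueNames membership clause.

```python
"""Report which attribute rlm_ldap used in its Ldap-Group comparisons.

Parses radiusd -X output for the group search filters rlm_ldap logs and
compares the attribute in each against the one configured in radiusd.conf.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on the radiusd -X output in the post. The DN,
# the user name and the second (gidNumber) search are placeholders, not real data.
SAMPLE_LOG = """\
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=Users,dc=example,dc=net'
radius_xlat:  '(uid=jdoe)'
rlm_ldap: performing search in ou=Users,dc=example,dc=net, with
filter (uid=jdoe)
radius_xlat:
'(|(&(objectClass=GroupOfNames)(member=uid=jdoe,ou=Users,dc=example,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=jdoe,ou=Users,dc=example,dc=net)))'
rlm_ldap: performing search in ou=Users,dc=example,dc=net, with
filter
(&(cn=27)(|(&(objectClass=GroupOfNames)(member=uid=jdoe,ou=Users,dc=example,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=jdoe,ou=Users,dc=example,dc=net))))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: Group 27 not found or user is not a member.
rlm_ldap: Entering ldap_groupcmp()
rlm_ldap: performing search in ou=Users,dc=example,dc=net, with
filter
(&(gidNumber=28)(uid=jdoe))
rlm_ldap::ldap_groupcmp: Group 28 not found or user is not a member.
"""

# A group comparison filter is logged as (&(<attr>=<group>)<membership filter>).
GROUP_FILTER_RE = re.compile(
    r"^\(&\((?P<attr>[A-Za-z][\w;-]*)=(?P<group>[^)]*)\)(?P<membership>.*)\)\s*$"
)
# Only the failure line is parsed; its wording is taken from the post.
NOT_MEMBER_RE = re.compile(
    r"^rlm_ldap::ldap_groupcmp: Group (?P<group>\S+) not found or user is not a member\.$"
)


@dataclass
class GroupCheck:
    group: str                      # value compared by Ldap-Group == "..."
    attribute: str                  # attribute rlm_ldap actually searched on
    object_classes: List[str] = field(default_factory=list)  # from the membership clause
    member_of: Optional[bool] = None  # False once the "not a member" line is seen


def parse_group_checks(log_text: str) -> List[GroupCheck]:
    """Extract every ldap_groupcmp() search and its outcome from debug output."""
    checks: List[GroupCheck] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = GROUP_FILTER_RE.match(line)
        if m:
            classes = re.findall(r"objectClass=(\w+)", m["membership"])
            checks.append(GroupCheck(m["group"], m["attr"], classes))
            continue
        r = NOT_MEMBER_RE.match(line)
        if r:
            # Attach the outcome to the most recent search for that group.
            for check in reversed(checks):
                if check.group == r["group"]:
                    check.member_of = False
                    break
    return checks


def find_default_attribute_checks(checks: List[GroupCheck], configured_attr: str) -> List[GroupCheck]:
    """Return the comparisons that did NOT use the configured groupname_attribute."""
    return [c for c in checks if c.attribute.lower() != configured_attr.lower()]


def describe(checks: List[GroupCheck], configured_attr: str) -> List[str]:
    """Human-readable line per comparison, flagging attribute mismatches."""
    out = []
    for c in checks:
        flag = "" if c.attribute.lower() == configured_attr.lower() else "  <-- not the configured attribute"
        classes = ",".join(c.object_classes) or "none"
        out.append(f"group {c.group}: searched {c.attribute}= (objectClasses: {classes}) member={c.member_of}{flag}")
    return out


if __name__ == "__main__":
    parsed = parse_group_checks(SAMPLE_LOG)
    for line in describe(parsed, "gidNumber"):
        print(line)
```

Point it at a real debug log with something like `parse_group_checks(open("radiusd.log").read())` and pass the groupname_attribute from the module instance you expect the Ldap-Group check to be using; any comparison reported with a different attribute was built by an instance (or by the compiled-in defaults) other than the one you configured.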