Hello,
I just installed FreeRadius-1.0.0 on my test workstation, and I get the same
results.
I have this setup:
radiusd.conf:
ldap dialup {
server = "hoggle.gwi"
identity = "cn=Manager,dc=gwi,dc=net"
password = "jogging cures the common cold"
basedn = "ou=Users,o=gwi.net,dc=gwi,dc=net"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
start_tls = no
tls_mode = no
dictionary_mapping = ${raddbdir}/ldap-dialup.attrmap
ldap_connections_number = 5
groupname_attribute = gidNumber
groupmembership_filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
groupmembership_attribute = gidNumber
timeout = 4
timelimit = 3
net_timeout = 1
compare_check_items = no
}
users:
DEFAULT Huntgroup-Name == dialup, Autz-Type := DIALUP
Fall-Through = Yes
...
#Reject mbox accounts
DEFAULT Ldap-Group == "27", Auth-Type := Reject
Idle-Timeout = "1",
Filter-Id = "denied"
radtest celtadmin ********** localhost 2 testing123 "" 207.5.182.1
Sending Access-Request of id 49 to 127.0.0.1:1812
User-Name = "celtadmin"
User-Password = "******"
NAS-IP-Address = 207.5.182.1
NAS-Port = 2
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=49, length=20
chimbro# radtest celtadmin hucKle localhost 2 testing123 "" 207.5.182.1
Sending Access-Request of id 55 to 127.0.0.1:1812
User-Name = "celtadmin"
User-Password = "********"
NAS-IP-Address = 207.5.182.1
NAS-Port = 2
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=55, length=20
output of radiusd is:
rad_recv: Access-Request packet from host 127.0.0.1:1838, id=55, length=61
User-Name = "celtadmin"
User-Password = "********"
NAS-IP-Address = 207.5.182.1
NAS-Port = 2
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
rlm_realm: No '@' in User-Name = "celtadmin", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "celtadmin"
rlm_realm: Proxying request from user celtadmin to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 1
users: Matched DEFAULT at 49
users: Matched DEFAULT at 57
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'ou=Users,o=gwi.net,dc=gwi,dc=net'
radius_xlat: '(uid=celtadmin)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with
filter (uid=celtadmin)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat:
'(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with
filter
(&(cn=27)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group 27 not found or user is not a member.
modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns ok for request 1
Processing the authorize section of radiusd.conf
modcall: entering group Autz-Type for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for celtadmin
radius_xlat: '(uid=celtadmin)'
radius_xlat: 'ou=Users,o=gwi.net,dc=gwi,dc=net'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with
filter (uid=celtadmin)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user celtadmin authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "dialup" returns ok for request 1
modcall: group Autz-Type returns ok for request 1
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 1
rlm_ldap: - authenticate
rlm_ldap: login attempt by "celtadmin" with password "hucKle"
rlm_ldap: user DN: uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net
rlm_ldap: (re)connect to hoggle.gwi:389, authentication 1
rlm_ldap: bind as uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net/hucKle to
hoggle.gwi:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user celtadmin authenticated succesfully
modcall[authenticate]: module "ldap" returns ok for request 1
modcall: group Auth-Type returns ok for request 1
Sending Access-Accept of id 55 to 127.0.0.1:1838
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 55 with timestamp 413dd98b
Nothing to do. Sleeping until we see a request.
Why isn't the xlat stuff seeing the groupname_attribute stuff?
Am I missing something? All the documentation I read seems to say that
this should be working the way I have it setup.
Thank you,
Lew A
GWI Operations
On Fri, 3 Sep 2004, Lew A wrote:
> Hello,
>
> freeradius-0.9.3_1
> openldap-2.2.6
> freebsd-4.9-p11
>
> For some reason this isn't working. I could have sworn I got it working
> before doing this. But this is my setup:
>
> radius.conf:
> ldap dialup {
> server = "localhost"
> identity = "cn=Manager,dc=gwi,dc=net"
> password = "********************"
> basedn = "ou=Users,o=gwi.net,dc=gwi,dc=net"
> filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> start_tls = no
> tls_mode = no
> dictionary_mapping = ${raddbdir}/ldap-dialup.attrmap
> ldap_connections_number = 5
> groupname_attribute = gidNumber
> groupmembership_filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> timeout = 4
> timelimit = 3
> net_timeout = 1
> compare_check_items = no
> }
>
> users:
> # Setup Auth Attributes
> DEFAULT Auth-Type = LDAP, Autz-Type = LDAP
> Fall-Through = Yes
>
> #Regular POP connection, then check for Static IP/Subnet POP connections
> DEFAULT Huntgroup-Name == dialup, Autz-Type := DIALUP
> Fall-Through = Yes
>
> #Reject mbox accounts
> DEFAULT Ldap-Group == "27"
> Idle-Timeout = "1",
> Filter-Id = "denied"
>
> It hits the first default, hits the second default, but doesn't hit the
> third default. I've read that groupname_attribute should = cn, but we'd
> really like to just use gidNumber (that's the group they're in). Here is a
> log of a user connecting (that should be getting the denied filter-id).
> For some reason it's completely ignoring my groupname_attribute and
> groupmembership_filter settings, and just using the defaults.
>
> rad_recv: Access-Request packet from host 127.0.0.1:4272, id=221,
> length=61
> User-Name = "celtadmin"
> User-Password = "***"
> NAS-IP-Address = 207.5.128.1
> NAS-Port = 2
> modcall: entering group authorize for request 68
> modcall[authorize]: module "preprocess" returns ok for request 68
> rlm_realm: No '@' in User-Name = "celtadmin", looking up realm NULL
> rlm_realm: Found realm "NULL"
> rlm_realm: Adding Stripped-User-Name = "celtadmin"
> rlm_realm: Proxying request from user celtadmin to realm NULL
> rlm_realm: Adding Realm = "NULL"
> rlm_realm: Authentication realm is LOCAL.
> modcall[authorize]: module "suffix" returns noop for request 68
> users: Matched DEFAULT at 49
> huntgroups: Matched dialup at 47
> users: Matched DEFAULT at 57
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat: 'ou=Users,o=gwi.net,dc=gwi,dc=net'
> radius_xlat: '(uid=celtadmin)'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with
> filter (uid=celtadmin)
> ldap_release_conn: Release Id: 0
> radius_xlat:
> '(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with
> filter
> (&(cn=25)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))))
> rlm_ldap: object not found or got ambiguous search result
> ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group 25 not found or user is not a member.
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat: 'ou=Users,o=gwi.net,dc=gwi,dc=net'
> radius_xlat:
> '(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with
> filter
> (&(cn=26)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))))
> rlm_ldap: object not found or got ambiguous search result
> ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group 26 not found or user is not a member.
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat: 'ou=Users,o=gwi.net,dc=gwi,dc=net'
> radius_xlat:
> '(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with
> filter
> (&(cn=27)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))))
> rlm_ldap: object not found or got ambiguous search result
> ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group 27 not found or user is not a member.
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat: 'ou=Users,o=gwi.net,dc=gwi,dc=net'
> radius_xlat:
> '(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with
> filter
> (&(cn=28)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))))
> rlm_ldap: object not found or got ambiguous search result
> ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group 28 not found or user is not a member.
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat: 'ou=Users,o=gwi.net,dc=gwi,dc=net'
> radius_xlat:
> '(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with
> filter
> (&(cn=29)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))))
> rlm_ldap: object not found or got ambiguous search result
> ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group 29 not found or user is not a member.
> modcall[authorize]: module "files" returns ok for request 68
> modcall: group authorize returns ok for request 68
> modcall: entering group Autz-Type for request 68
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for celtadmin
> radius_xlat: '(uid=celtadmin)'
> radius_xlat: 'ou=Users,o=gwi.net,dc=gwi,dc=net'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with
> filter (uid=celtadmin)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user celtadmin authorized to use remote access
> ldap_release_conn: Release Id: 0
> modcall[authorize]: module "dialup" returns ok for request 68
> modcall: group Autz-Type returns ok for request 68
> rad_check_password: Found Auth-Type LDAP
> auth: type "LDAP"
> modcall: entering group Auth-Type for request 68
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "celtadmin" with password "***"
> rlm_ldap: user DN: uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net
> rlm_ldap: (re)connect to localhost:389, authentication 1
> rlm_ldap: bind as uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net/hucKle to
> localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: user celtadmin authenticated succesfully
> modcall[authenticate]: module "ldap" returns ok for request 68
> modcall: group Auth-Type returns ok for request 68
> Sending Access-Accept of id 221 to 127.0.0.1:4272
>
> Thank you,
> Lew A
> GWI Operations
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
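An added example from the editor, not code from the post or from the FreeRADIUS project. It rebuilds the two LDAP searches that rlm_ldap issues for an `Ldap-Group == "27"` check from an instance's `filter`, `groupname_attribute` and `groupmembership_filter`, so the filter that `radiusd -X` prints can be compared with the one a given instance should produce. The expansion model (user lookup, then `(&(<groupname_attribute>=<group>)<groupmembership_filter>)` against basedn), the stock defaults `cn` and the GroupOfNames/GroupOfUniqueNames filter, and the `Ldap-UserDn` substitution are read off the debug output above; the request attributes, the `STOCK_INSTANCE` dictionary and all helper names are constructed for this example. Run with the `dialup` settings from the post it yields `(&(gidNumber=27)(uid=celtadmin))`, while the stock defaults yield exactly the `cn=27` filter in the log: the comparison logged above was served by an instance with default group settings, not by `dialup`. One thing to check in that situation: FreeRADIUS 1.x registers a separate `<instance>-Ldap-Group` check attribute for an ldap instance whose name is not `ldap`, and the authenticate section of the same log runs a module named `ldap`, so plain `Ldap-Group` may be bound to that other instance while `dialup-Ldap-Group` is the attribute that carries the gidNumber settings. The example also escapes attribute values per RFC 4515 before placing them in a filter, which is why rlm_ldap escapes expanded values too: a crafted User-Name must not be able to restructure the search.

```python
"""
Editor's added example (not code from the post or from FreeRADIUS): rebuild the
LDAP search filters rlm_ldap issues for an `Ldap-Group == "27"` check, so the
configured template can be compared with what radiusd -X logs.

Assumed model, taken from the debug output in the thread: rlm_ldap expands
`filter` to find the user entry, stores that entry's DN as Ldap-UserDn, then
searches basedn with (&(<groupname_attribute>=<group>)<groupmembership_filter>).
"""

# Stock rlm_ldap values, as seen in the "cn=27" / GroupOfNames search above.
DEFAULT_GROUPNAME_ATTRIBUTE = "cn"
DEFAULT_GROUPMEMBERSHIP_FILTER = (
    "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
    "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
)

# RFC 4515 escapes for values placed inside a filter, so that a User-Name such
# as 'x)(uid=*' cannot rewrite the filter's structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _closing_brace(s, start):
    """Index of the '}' matching the '{' at s[start]; nesting-aware."""
    depth = 0
    for k in range(start, len(s)):
        if s[k] == "{":
            depth += 1
        elif s[k] == "}":
            depth -= 1
            if depth == 0:
                return k
    raise ValueError("unbalanced %{ in " + s)


def xlat(template, attrs):
    """Expand %{Attr} and %{Attr:-default} the way radius_xlat does, with the
    default text itself expanded recursively. Attribute values are escaped on
    insertion; literal template text is left untouched."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            end = _closing_brace(template, i + 1)
            name, has_default, default = template[i + 2:end].partition(":-")
            if name in attrs:
                out.append(ldap_escape(attrs[name]))
            elif has_default:
                out.append(xlat(default, attrs))
            i = end + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def group_filters(instance, attrs, group):
    """(user lookup filter, group membership filter) for Ldap-Group == group."""
    gattr = instance.get("groupname_attribute", DEFAULT_GROUPNAME_ATTRIBUTE)
    gtmpl = instance.get("groupmembership_filter", DEFAULT_GROUPMEMBERSHIP_FILTER)
    user_filter = xlat(instance["filter"], attrs)
    group_filter = "(&(%s=%s)%s)" % (gattr, ldap_escape(group), xlat(gtmpl, attrs))
    return user_filter, group_filter


# The `ldap dialup { ... }` instance from the post, reduced to the keys used here.
DIALUP_INSTANCE = {
    "filter": "(uid=%{Stripped-User-Name:-%{User-Name}})",
    "groupname_attribute": "gidNumber",
    "groupmembership_filter": "(uid=%{Stripped-User-Name:-%{User-Name}})",
}
# Hypothetical instance that sets only `filter` and keeps the stock group settings.
STOCK_INSTANCE = {"filter": "(uid=%{Stripped-User-Name:-%{User-Name}})"}

# Constructed request attributes; Ldap-UserDn is the DN the user lookup returned.
REQUEST = {
    "User-Name": "celtadmin",
    "Stripped-User-Name": "celtadmin",
    "Ldap-UserDn": "uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net",
}

# The filter radiusd actually sent, copied from the debug output in the thread.
LOGGED_FILTER = (
    "(&(cn=27)(|(&(objectClass=GroupOfNames)"
    "(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))"
    "(&(objectClass=GroupOfUniqueNames)"
    "(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))))"
)


def which_instance_matches_log():
    """Name of the instance whose group filter equals the logged one, or None."""
    for name, inst in (("dialup", DIALUP_INSTANCE), ("stock", STOCK_INSTANCE)):
        if group_filters(inst, REQUEST, "27")[1] == LOGGED_FILTER:
            return name
    return None


if __name__ == "__main__":
    for name, inst in (("dialup", DIALUP_INSTANCE), ("stock", STOCK_INSTANCE)):
        print(name, group_filters(inst, REQUEST, "27"))
    print("log matches:", which_instance_matches_log())
```

Running the script prints the user and group filters for both instances and reports which one reproduces the logged search; pasting a different `radiusd -X` filter into `LOGGED_FILTER` and the relevant instance block into a dictionary is enough to repeat the check for another setup.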