Hello, I just installed FreeRadius-1.0.0 on my test workstation, I get the same results.

I have this setup:

radiusd.conf:

ldap dialup {
        server = "hoggle.gwi"
        identity = "cn=Manager,dc=gwi,dc=net"
        password = "jogging cures the common cold"
        basedn = "ou=Users,o=gwi.net,dc=gwi,dc=net"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        tls_mode = no
        dictionary_mapping = ${raddbdir}/ldap-dialup.attrmap
        ldap_connections_number = 5
        groupname_attribute = gidNumber
        groupmembership_filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        groupmembership_attribute = gidNumber
        timeout = 4
        timelimit = 3
        net_timeout = 1
        compare_check_items = no
}

users:

DEFAULT Huntgroup-Name == dialup, Autz-Type := DIALUP
        Fall-Through = Yes

...

#Reject mbox accounts
DEFAULT Ldap-Group == "27", Auth-Type := Reject
        Idle-Timeout = "1",
        Filter-Id = "denied"

radtest celtadmin ********** localhost 2 testing123 "" 207.5.182.1
Sending Access-Request of id 49 to 127.0.0.1:1812
        User-Name = "celtadmin"
        User-Password = "******"
        NAS-IP-Address = 207.5.182.1
        NAS-Port = 2
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=49, length=20

chimbro# radtest celtadmin hucKle localhost 2 testing123 "" 207.5.182.1
Sending Access-Request of id 55 to 127.0.0.1:1812
        User-Name = "celtadmin"
        User-Password = "********"
        NAS-IP-Address = 207.5.182.1
        NAS-Port = 2
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=55, length=20

output of radiusd is:

rad_recv: Access-Request packet from host 127.0.0.1:1838, id=55, length=61
        User-Name = "celtadmin"
        User-Password = "********"
        NAS-IP-Address = 207.5.182.1
        NAS-Port = 2
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
    rlm_realm: No '@' in User-Name = "celtadmin", looking up realm NULL
    rlm_realm: Found realm "NULL"
    rlm_realm: Adding Stripped-User-Name = "celtadmin"
    rlm_realm: Proxying request from user celtadmin to realm NULL
    rlm_realm: Adding Realm = "NULL"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 1
    users: Matched DEFAULT at 49
    users: Matched DEFAULT at 57
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'ou=Users,o=gwi.net,dc=gwi,dc=net'
radius_xlat: '(uid=celtadmin)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (uid=celtadmin)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat: '(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (&(cn=27)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group 27 not found or user is not a member.
  modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns ok for request 1
  Processing the authorize section of radiusd.conf
modcall: entering group Autz-Type for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for celtadmin
radius_xlat: '(uid=celtadmin)'
radius_xlat: 'ou=Users,o=gwi.net,dc=gwi,dc=net'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (uid=celtadmin)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user celtadmin authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "dialup" returns ok for request 1
modcall: group Autz-Type returns ok for request 1
  rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 1
rlm_ldap: - authenticate
rlm_ldap: login attempt by "celtadmin" with password "hucKle"
rlm_ldap: user DN: uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net
rlm_ldap: (re)connect to hoggle.gwi:389, authentication 1
rlm_ldap: bind as uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net/hucKle to hoggle.gwi:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user celtadmin authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 1
modcall: group Auth-Type returns ok for request 1
Sending Access-Accept of id 55 to 127.0.0.1:1838
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 55 with timestamp 413dd98b
Nothing to do. Sleeping until we see a request.

Why isn't the xlat stuff seeing the groupname_attribute stuff? Am I missing something? All the documentation I read seems to say that this should be working the way I have it set up.

Thank you,
Lew A
GWI Operations

On Fri, 3 Sep 2004, Lew A wrote:

> Hello,
>
> freeradius-0.9.3_1
> openldap-2.2.6
> freebsd-4.9-p11
>
> For some reason this isn't working. I could have sworn I got it working
> before doing this. But this is my setup:
>
> radius.conf:
> ldap dialup {
>         server = "localhost"
>         identity = "cn=Manager,dc=gwi,dc=net"
>         password = "********************"
>         basedn = "ou=Users,o=gwi.net,dc=gwi,dc=net"
>         filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>         start_tls = no
>         tls_mode = no
>         dictionary_mapping = ${raddbdir}/ldap-dialup.attrmap
>         ldap_connections_number = 5
>         groupname_attribute = gidNumber
>         groupmembership_filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>         timeout = 4
>         timelimit = 3
>         net_timeout = 1
>         compare_check_items = no
> }
>
> users:
> # Setup Auth Attributes
> DEFAULT Auth-Type = LDAP, Autz-Type = LDAP
>         Fall-Through = Yes
>
> #Regular POP connection, then check for Static IP/Subnet POP connections
> DEFAULT Huntgroup-Name == dialup, Autz-Type := DIALUP
>         Fall-Through = Yes
>
> #Reject mbox accounts
> DEFAULT Ldap-Group == "27"
>         Idle-Timeout = "1",
>         Filter-Id = "denied"
>
> It hits the first default, hits the second default, but doesn't hit the
> third default. I've read that groupname_attribute should = cn, but we'd
> really like to just use gidNumber (that's the group they're in). Here is a
> log of a user connecting (that should be getting the denied filter-id).
> For some reason it's completely ignoring my groupname_attribute and
> groupmembership_filter settings, and just using the defaults.
>
> rad_recv: Access-Request packet from host 127.0.0.1:4272, id=221, length=61
>         User-Name = "celtadmin"
>         User-Password = "***"
>         NAS-IP-Address = 207.5.128.1
>         NAS-Port = 2
> modcall: entering group authorize for request 68
>   modcall[authorize]: module "preprocess" returns ok for request 68
>     rlm_realm: No '@' in User-Name = "celtadmin", looking up realm NULL
>     rlm_realm: Found realm "NULL"
>     rlm_realm: Adding Stripped-User-Name = "celtadmin"
>     rlm_realm: Proxying request from user celtadmin to realm NULL
>     rlm_realm: Adding Realm = "NULL"
>     rlm_realm: Authentication realm is LOCAL.
>   modcall[authorize]: module "suffix" returns noop for request 68
>     users: Matched DEFAULT at 49
>     huntgroups: Matched dialup at 47
>     users: Matched DEFAULT at 57
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat: 'ou=Users,o=gwi.net,dc=gwi,dc=net'
> radius_xlat: '(uid=celtadmin)'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (uid=celtadmin)
> ldap_release_conn: Release Id: 0
> radius_xlat: '(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (&(cn=25)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))))
> rlm_ldap: object not found or got ambiguous search result
> ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group 25 not found or user is not a member.
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat: 'ou=Users,o=gwi.net,dc=gwi,dc=net'
> radius_xlat: '(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (&(cn=26)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))))
> rlm_ldap: object not found or got ambiguous search result
> ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group 26 not found or user is not a member.
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat: 'ou=Users,o=gwi.net,dc=gwi,dc=net'
> radius_xlat: '(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (&(cn=27)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))))
> rlm_ldap: object not found or got ambiguous search result
> ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group 27 not found or user is not a member.
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat: 'ou=Users,o=gwi.net,dc=gwi,dc=net'
> radius_xlat: '(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (&(cn=28)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))))
> rlm_ldap: object not found or got ambiguous search result
> ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group 28 not found or user is not a member.
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat: 'ou=Users,o=gwi.net,dc=gwi,dc=net'
> radius_xlat: '(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (&(cn=29)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))))
> rlm_ldap: object not found or got ambiguous search result
> ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group 29 not found or user is not a member.
>   modcall[authorize]: module "files" returns ok for request 68
> modcall: group authorize returns ok for request 68
> modcall: entering group Autz-Type for request 68
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for celtadmin
> radius_xlat: '(uid=celtadmin)'
> radius_xlat: 'ou=Users,o=gwi.net,dc=gwi,dc=net'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (uid=celtadmin)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user celtadmin authorized to use remote access
> ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "dialup" returns ok for request 68
> modcall: group Autz-Type returns ok for request 68
>   rad_check_password: Found Auth-Type LDAP
> auth: type "LDAP"
> modcall: entering group Auth-Type for request 68
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "celtadmin" with password "***"
> rlm_ldap: user DN: uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net
> rlm_ldap: (re)connect to localhost:389, authentication 1
> rlm_ldap: bind as uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net/hucKle to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: user celtadmin authenticated succesfully
>   modcall[authenticate]: module "ldap" returns ok for request 68
> modcall: group Auth-Type returns ok for request 68
> Sending Access-Accept of id 221 to 127.0.0.1:4272
>
> Thank you,
> Lew A
> GWI Operations
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
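Added here as an illustration, not code from the thread or from FreeRADIUS: a small Python checker that rebuilds the filter ldap_groupcmp() should send for a given groupname_attribute and groupmembership_filter, pulls the actual "performing search ... with filter" lines out of the radiusd debug output, and reports any group search that does not match the configured settings (above, cn plus the stock GroupOfNames filter show up where gidNumber and "(uid=...)" were expected). The stock filter string and the xlat expansion are assumptions about rlm_ldap 1.x; the sample log is constructed from the lines quoted above.

```python
import re

# Stock rlm_ldap 1.x groupmembership_filter (assumption: copied from the
# default radiusd.conf; it is what the debug output above shows expanded).
DEFAULT_MEMBERSHIP_FILTER = (
    "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
    "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
)

# Constructed sample: one ldap_groupcmp() pass taken from the debug output
# above (user lookup first, then the group search that should use gidNumber).
SAMPLE_LOG = """\
rlm_ldap: Entering ldap_groupcmp()
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (uid=celtadmin)
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (&(cn=27)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))))
rlm_ldap::ldap_groupcmp: Group 27 not found or user is not a member.
"""

# The basedn itself contains commas, so anchor on the literal ", with filter".
SEARCH_RE = re.compile(r"performing search in .*?, with filter (\(.*\))\s*$", re.M)

def expand_xlat(template, username, user_dn):
    """Expand the two xlat variables the group filters in this thread use."""
    return (template.replace("%{Stripped-User-Name:-%{User-Name}}", username)
                    .replace("%{Ldap-UserDn}", user_dn))

def group_filter(group, username, user_dn, groupname_attribute="cn",
                 membership_filter=DEFAULT_MEMBERSHIP_FILTER):
    """Filter ldap_groupcmp() issues for `Ldap-Group == group`:
    (&(<groupname_attribute>=<group>)<expanded groupmembership_filter>)."""
    return "(&(%s=%s)%s)" % (groupname_attribute, group,
                              expand_xlat(membership_filter, username, user_dn))

def group_searches(debug_log):
    """Group-check filters in `radiusd -X` output: the searches that start
    with '(&(' rather than the plain per-user lookup filter."""
    return [f for f in SEARCH_RE.findall(debug_log) if f.startswith("(&(")]

def ignored_settings(debug_log, group, username, user_dn,
                     groupname_attribute, membership_filter):
    """Observed group filters that differ from what the configured
    groupname_attribute / groupmembership_filter should have produced.
    A non-empty result means the instance doing the check is not using
    the settings you think it is."""
    expected = group_filter(group, username, user_dn,
                            groupname_attribute, membership_filter)
    return [f for f in group_searches(debug_log) if f != expected]
```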