I had the same problem a few weeks ago. In fact the ldap wasn't returning
the user-password so it wasn't working. Check with ldapsearch to make the
query directly to the ldap as if you were the radius and I think that you
will see that the userpassword is not returned.

> rlm_ldap: bind as / to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with

Make sure that the user/password in radiusd.conf for the user that will make
the search in the ldap is valid. I think that the radius is binding
anonymously on the ldap so it can read passwords. Another thing to note is
that you have to store passwords in clear text into the ldap. 

        ldap {
                server = "myserver.mydomain.com"
                identity = "cn=some_user_that_can_read_passwords_on_the_ldap"
                password = "password_for_this_user"
                    ....

Regards,
--
Sebastien Cantos <[EMAIL PROTECTED]>
Network / System Manager
Neopost DIVA 

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On behalf of 
> guest01
> Sent: Tuesday, 8 March 2005 15:44
> To: freeradius-users@lists.freeradius.org
> Subject: Re: rlm_ldap - Attribute "User-Password" is required 
> for authentication
> 
> hm, radius is very strange .... Can anyone please help me?
> this is the logfile output after testing with radexample:
> 
> rad_recv: Access-Request packet from host 127.0.0.1:1025, 
> id=40, length=66
>         User-Name = "testuser"
>         User-Password = "123456"
>         Service-Type = Authenticate-Only
>         NAS-IP-Address = 127.0.0.1
>         NAS-Port = 0
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>     users: Matched DEFAULT at 152
>   modcall[authorize]: module "files" returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for testuser
> radius_xlat:  '(&(objectclass=gibraltarUser)(uid=testuser))'
> radius_xlat:  'ou=users,dc=gibraltar,dc=local'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to localhost:389, authentication 0
> rlm_ldap: bind as / to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with
> filter (&(objectclass=gibraltarUser)(uid=testuser))
> rlm_ldap: checking if remote access for testuser is allowed 
> by isVPNUser
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user testuser authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 0
> modcall: group authorize returns ok for request 0
>   rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 0
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "testuser" with password "123456"
> rlm_ldap: user DN: uid=testuser,ou=users,dc=gibraltar,dc=local
> rlm_ldap: (re)connect to localhost:389, authentication 1
> rlm_ldap: bind as 
> uid=testuser,ou=users,dc=gibraltar,dc=local/123456 to
> localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: user testuser authenticated succesfully
>   modcall[authenticate]: module "ldap" returns ok for request 0
> modcall: group Auth-Type returns ok for request 0
> Sending Access-Accept of id 40 to 127.0.0.1:1025
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 40 with timestamp 422db560
> Nothing to do.  Sleeping until we see a request.
> 
> and this is the output after trying to connect via pptpd with 
> winxp prof.
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1:1025, 
> id=41, length=54
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         User-Name = "testuser"
>         NAS-IP-Address = 66.150.161.140
>         NAS-Port = 0
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>     users: Matched DEFAULT at 152
>     users: Matched DEFAULT at 171
>     users: Matched DEFAULT at 183
>   modcall[authorize]: module "files" returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for testuser
> radius_xlat:  '(&(objectclass=gibraltarUser)(uid=testuser))'
> radius_xlat:  'ou=users,dc=gibraltar,dc=local'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to localhost:389, authentication 0
> rlm_ldap: bind as / to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with
> filter (&(objectclass=gibraltarUser)(uid=testuser))
> rlm_ldap: checking if remote access for testuser is allowed 
> by isVPNUser
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user testuser authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 0
> modcall: group authorize returns ok for request 0
>   rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 0
> rlm_ldap: - authenticate
> rlm_ldap: Attribute "User-Password" is required for authentication.
>   modcall[authenticate]: module "ldap" returns invalid for request 0
> modcall: group Auth-Type returns invalid for request 0
> auth: Failed to validate the user.
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 41 to 127.0.0.1:1025
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 41 with timestamp 422db59d
> Nothing to do.  Sleeping until we see a request.
> 
> The first part, the authorize-part works fine, but the authentication-part
> will not work!!! Any ideas? In my radiusd.conf, I configured everything
> right (I think). Otherwise it wouldn't work with radexample or radtest.
> 
> Just for understanding, what the hell does the authentication part do? What
> attributes do I need for it to get it to work? Isn't radiusauthtype enough?
> 
> I just want my users to authenticate via radius to my pptp server, I don't
> need special authentication attributes like radiussessiontime or
> whatever...
> I tried to set authenticate-only as default, but it didn't work
> 
> please help!
> best regards
> peda
> 
> PS: Debian woody, with freeradius 1.0.1 and ppp 2.4.3
> 
> - 
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
> 
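
Added example, not part of the original messages: a small Python triage of the radiusd debug output quoted above. For each request it reports whether the packet carried User-Password (which the rlm_ldap authenticate step needs for its bind as the user) and whether the search bind shows an empty identity and password ("bind as / to ..."). The embedded log is a constructed excerpt of lines from this thread; the function and field names are hypothetical.

```python
import re

# Constructed sample: lines taken from the two requests quoted in this thread,
# with the "> " quote markers removed and mail-wrapped lines rejoined.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=40, length=66
        User-Name = "testuser"
        User-Password = "123456"
rlm_ldap: bind as / to localhost:389
rlm_ldap: bind as uid=testuser,ou=users,dc=gibraltar,dc=local/123456 to localhost:389
Sending Access-Accept of id 40 to 127.0.0.1:1025
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=41, length=54
        Service-Type = Framed-User
        User-Name = "testuser"
rlm_ldap: bind as / to localhost:389
rlm_ldap: Attribute "User-Password" is required for authentication.
Sending Access-Reject of id 41 to 127.0.0.1:1025
"""

RECV = re.compile(r"^rad_recv: \S+ packet from host \S+ id=(\d+)")
ATTR = re.compile(r"^\s+([A-Za-z][\w-]*) = ")
BIND = re.compile(r"^rlm_ldap: bind as (.*)/(.*) to \S+$")
SENT = re.compile(r"^Sending (Access-\w+) of id \d+")


def triage(log):
    """Return one summary dict per request seen in a radiusd debug log."""
    requests, cur, in_packet = [], None, False
    for line in log.splitlines():
        if m := RECV.match(line):
            cur = {"id": int(m.group(1)), "attrs": set(),
                   "anonymous_search_bind": False, "result": None}
            requests.append(cur)
            in_packet = True
        elif cur is None:
            continue
        elif in_packet and (m := ATTR.match(line)):
            cur["attrs"].add(m.group(1))      # attribute list of the packet
        else:
            in_packet = False                 # first module line ends the list
            if (m := BIND.match(line)) and not m.group(1) and not m.group(2):
                cur["anonymous_search_bind"] = True   # "bind as / to host"
            elif m := SENT.match(line):
                cur["result"] = m.group(1)
    for r in requests:
        # rlm_ldap's authenticate step binds as the user, so it needs the
        # cleartext User-Password attribute in the request itself.
        r["can_ldap_bind_auth"] = "User-Password" in r["attrs"]
    return requests
```

On the sample, request 40 is accepted with User-Password present, while request 41 carries no User-Password and is rejected; both show the empty-identity search bind.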