Sébastien Cantos wrote:

>>I had the same problem a few weeks ago. In fact the ldap wasn't returning
>>the user-password so it wasn't working. Check with ldapsearch to make the
>>query directly to the ldap as if you were the radius and I think that you
>>will see that the userpassword is not returned.
>  
>
Thanks for your help, but it still doesn't work .... :-(

Ok, I store the passwords in cleartext (just base64-encoded), and ldapsearch
works:

 ldapsearch -x -D "cn=Manager,dc=gibraltar,dc=local" -w secret
"(&(objectclass=gibraltaruser)(uid=testuser))" userPassword
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (&(objectclass=gibraltaruser)(uid=testuser))
# requesting: userPassword
#

# testuser, users, gibraltar.local
dn: uid=testuser,ou=users,dc=gibraltar,dc=local
userPassword:: MTIzNDU2

# search result
search: 2
result: 0 Success


>Make sure that the user/password in radiusd.conf for the user that will make
>the search in the ldap is valid. I think that the radius is binding
>anonymously on the ldap so it can read passwords. Another thing to note is
>that you have to store passwords in clear text into the ldap. 

>        ldap {
>                server = "myserver.mydomain.com"
>                identity =
>"cn=some_user_that_can_read_passwords_on_the_ldap"
>                password = "password_for_this_user"
>                   ....

hm, my LDAP is still in testing, therefore everyone is allowed everything...
But I also tried it with the rootdn, but no difference. But I don't think
that's the problem, because the authorization part works fine ("user testuser
authorized to use remote access"), just that damned authentication part ...

rad_recv: Access-Request packet from host 127.0.0.1:1025, id=55, length=54
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "testuser"
        NAS-IP-Address = 69.25.27.173
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
    users: Matched DEFAULT at 153
    users: Matched DEFAULT at 172
    users: Matched DEFAULT at 185
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat:  '(&(objectclass=gibraltarUser)(uid=testuser))'
radius_xlat:  'ou=users,dc=gibraltar,dc=local'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=gibraltar,dc=local/secret to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with
filter (&(objectclass=gibraltarUser)(uid=testuser))
rlm_ldap: checking if remote access for testuser is allowed by isVPNUser
rlm_ldap: performing search in
uid=testuser,ou=radius,dc=gibraltar,dc=local, with filter
(objectclass=radiusprofile)
rlm_ldap: Adding radiusAuthType as Auth-Type, value LDAP & op=21
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "ldap" returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 55 to 127.0.0.1:1025
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 55 with timestamp 422dc076
Nothing to do.  Sleeping until we see a request.

Any other ideas? How did you solve your problem?


regards
peda
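A small diagnostic in Python, added here as an illustration and not part of this thread or of FreeRADIUS: it parses the rad_recv attribute dump and the ldapsearch LDIF quoted above (re-typed as constructed sample strings) and reports why Auth-Type LDAP, which binds to the directory as the user with the request's User-Password, cannot work for a request that carries no password attribute at all, as in the log above. The attribute-to-method table and the result strings are my own choices, not FreeRADIUS output.

```python
import base64
import re
# Constructed test input: the Access-Request attributes and the LDIF entry
# quoted in the mail above, re-typed here so the diagnostic runs offline.
SAMPLE_REQUEST = """rad_recv: Access-Request packet from host 127.0.0.1:1025, id=55, length=54
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "testuser"
        NAS-IP-Address = 69.25.27.173
        NAS-Port = 0
"""
SAMPLE_LDIF = "dn: uid=testuser,ou=users,dc=gibraltar,dc=local\nuserPassword:: MTIzNDU2\n"

# Attributes that carry the user's credential, and the method each implies.
CREDENTIAL_ATTRS = {"PAP": {"User-Password"}, "CHAP": {"CHAP-Password"},
                    "MS-CHAP": {"MS-CHAP-Response", "MS-CHAP2-Response"}}

def request_attributes(debug_text):
    """Collect the indented 'Name = value' lines that follow rad_recv."""
    attrs = {}
    for m in re.finditer(r"^\s+([\w-]+)\s*=\s*(.*)$", debug_text, re.M):
        attrs[m.group(1)] = m.group(2).strip().strip('"')
    return attrs

def auth_method(attrs):
    """Return the credential type the NAS sent, or None if it sent none."""
    for method, names in CREDENTIAL_ATTRS.items():
        if names & set(attrs):
            return method
    return None

def ldif_password(ldif_text):
    """Decode userPassword from LDIF; a double colon marks a base64 value."""
    m = re.search(r"^userPassword(::?) (.*)$", ldif_text, re.M)
    if not m:
        return None
    value = m.group(2).strip()
    return base64.b64decode(value).decode() if m.group(1) == "::" else value

def diagnose(debug_text, ldif_text):
    """Why Auth-Type LDAP (bind as the user) can or cannot succeed here."""
    method = auth_method(request_attributes(debug_text))
    if method == "PAP":
        return "pap-bind-possible"  # rlm_ldap can bind with User-Password
    if method is None:
        return "no-credential"      # the case in the rad_recv block above
    password = ldif_password(ldif_text)
    if password is None or password.startswith("{"):  # e.g. a {SSHA} hash
        return f"{method.lower()}-needs-cleartext-password"
    return f"{method.lower()}-use-cleartext-from-ldap"
```

For a CHAP or MS-CHAP request the bind-as-user approach can never work; the server needs the cleartext password pulled from the directory instead, which is only possible when userPassword is stored unhashed.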




