Sébastien Cantos wrote:

>> I had the same problem a few weeks ago. In fact the ldap wasn't returning
>> the user-password so it wasn't working. Check with ldapsearch to make the
>> query directly to the ldap as if you were the radius and I think that you
>> will see that the userPassword is not returned.
>
> Thanks for your help, but it still doesn't work .... :-(
Ok, I store the passwords in cleartext (just base64 encoded), ldapsearch works:

ldapsearch -x -D "cn=Manager,dc=gibraltar,dc=local" -w secret "(&(objectclass=gibraltaruser)(uid=testuser))" userPassword
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (&(objectclass=gibraltaruser)(uid=testuser))
# requesting: userPassword
#

# testuser, users, gibraltar.local
dn: uid=testuser,ou=users,dc=gibraltar,dc=local
userPassword:: MTIzNDU2

# search result
search: 2
result: 0 Success

> Make sure that the user/password in radiusd.conf for the user that will make
> the search in the ldap is valid. I think that the radius is binding
> anonymously on the ldap so it can read passwords. Another thing to note is
> that you have to store passwords in clear text into the ldap.
> ldap {
>     server = "myserver.mydomain.com"
>     identity = "cn=some_user_that_can_read_passwords_on_the_ldap"
>     password = "password_for_this_user"
>     ....

hm, my LDAP is still in testing, therefore everyone is allowed everything... But I also tried it with the rootdn, but no difference. But I don't think that's the problem, because the authorization part works fine, "user testuser authorized to use remote access", just that damned authentication part ...
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=55, length=54
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "testuser"
        NAS-IP-Address = 69.25.27.173
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
    users: Matched DEFAULT at 153
    users: Matched DEFAULT at 172
    users: Matched DEFAULT at 185
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat:  '(&(objectclass=gibraltarUser)(uid=testuser))'
radius_xlat:  'ou=users,dc=gibraltar,dc=local'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=gibraltar,dc=local/secret to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with filter (&(objectclass=gibraltarUser)(uid=testuser))
rlm_ldap: checking if remote access for testuser is allowed by isVPNUser
rlm_ldap: performing search in uid=testuser,ou=radius,dc=gibraltar,dc=local, with filter (objectclass=radiusprofile)
rlm_ldap: Adding radiusAuthType as Auth-Type, value LDAP & op=21
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "ldap" returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 55 to 127.0.0.1:1025
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 55 with timestamp 422dc076
Nothing to do.  Sleeping until we see a request.

Any other ideas? How did you solve your problem?

regards
peda

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
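An added diagnostic, not part of the thread or of FreeRADIUS: a Python checker that reads a radiusd -X transcript like the one above, extracts the Access-Request attributes and reports when Auth-Type LDAP was selected for a request that carries no User-Password (the failure shown in this post); it also decodes the ldapsearch `userPassword::` value to confirm the directory really holds cleartext. The CHAP/MS-CHAP attribute names are a generalisation beyond the post, and the log excerpt and LDIF line are constructed from the quoted output.

```python
import base64
import re

# Constructed excerpt of the radiusd -X transcript quoted in the post above.
DEBUG_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=55, length=54
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "testuser"
        NAS-IP-Address = 69.25.27.173
        NAS-Port = 0
  rad_check_password:  Found Auth-Type LDAP
rlm_ldap: Attribute "User-Password" is required for authentication.
"""

# Attributes a request must carry for each kind of check. Auth-Type LDAP can
# only work from a cleartext User-Password (the log says exactly that); the
# CHAP/MS-CHAP set is a generalisation beyond the post: such requests carry a
# challenge response that an LDAP bind cannot verify.
CLEARTEXT_ATTRS = {"User-Password"}
CHALLENGE_ATTRS = {"CHAP-Password", "MS-CHAP-Response", "MS-CHAP2-Response"}

def parse_request_attrs(log):
    """Return {name: value} for the indented attribute lines after rad_recv."""
    attrs, in_packet = {}, False
    for line in log.splitlines():
        m = re.match(r"\s+([\w-]+) = (.*)$", line)
        if line.startswith("rad_recv:"):
            in_packet = True
        elif in_packet and m:
            attrs[m.group(1)] = m.group(2).strip('"')
        elif in_packet and line.strip():
            in_packet = False  # first non-attribute line ends the dump
    return attrs

def diagnose(log):
    """Classify why rlm_ldap returned invalid, from the transcript alone."""
    attrs = set(parse_request_attrs(log))
    found = re.search(r"Found Auth-Type (\S+)", log)
    if found and found.group(1) == "LDAP" and not attrs & CLEARTEXT_ATTRS:
        if attrs & CHALLENGE_ATTRS:
            return "challenge-auth-needs-other-module"
        return "no-password-attribute-in-request"
    return "ok"

def ldif_password_is_cleartext(line):
    """ldapsearch prints base64 values as 'attr:: b64'. True when the decoded
    userPassword is a bare cleartext value rather than a {SCHEME}hash."""
    _, value = line.split("::", 1)
    return not base64.b64decode(value.strip()).decode().startswith("{")
```

Run against the post's transcript, `diagnose` points at the request itself: the NAS sent no password attribute at all, so no change to the ldap {} block in radiusd.conf can make Auth-Type LDAP succeed.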