Please help me in fixing this issus.
Still im not able to fix it...
My access-request is not successed when i configure multiple ldap instances. I read the rlm_ldap document, according to that,
I have the following configuration in radiusd.conf
authorize {
...
files
redundant {
ldap_primary
ldap_secondary
}
eap
}
..
authenticate {
.....
Auth-Type LDAP {
redundant {
ldap_primary
ldap_secondary
}
}
...# primary ldap configuration
ldap ldap_primary {
server = 1.1.1.1
....
}
In my users file i have the following policy:
# Primary ldap server's group policy - accept
DEFAULT ldap_primary-Ldap-Group == "ads-group1", Symbol-Wlan-Index =~ wlan1,Login-Time := "Any0000-2359"
#Primary ldap server's group policy- reject
DEFAULT ldap_primary-Ldap-Group == "ads-group1", Symbol-Wlan-Index =~ wlan2|wlan3|wlan4, Auth-Type := Reject
DEFAULT Auth-Type := Reject
Please find the logs below..
rad_recv: Access-Request packet from host 127.0.0.1:41256, id=85, length=277
User-Name = "sumithra"
Called-Station-Id = "00-A0-F8-BF-E9-BC:wlan1"
Calling-Station-Id = "00-0F-3D-E9-A6-54"
NAS-Port = 1
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1400
NAS-IP-Address = 127.0.0.1
NAS-Identifier = "WS5100"
Symbol-Wlan-Index = "wlan1"
NAS-Port-Id = "WLAN1"
Connect-Info = "CONNECT 54Mbps 802.11a"
State = 0x3477b37e06e1959a106065fa6b552b46
EAP-Message = 0x0205004715800000003d170301003865d55f3cd46e8f5b7036c78d38a3a9fc51dbdff5f8f256cedd0b1e3da150ed5a4f7f605fdced3725189e4836dc817af1cea9c7047ff1073e
Message-Authenticator = 0x16f08ab431d475e4a824d796da35d410
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
modcall[authorize]: module "chap" returns noop for request 5
modcall[authorize]: module "mschap" returns noop for request 5
rlm_realm: No '/' in User-Name = "sumithra", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix_oblic" returns noop for request 5
rlm_realm: No '/' in User-Name = "sumithra", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "prefix_oblic" returns noop for request 5
rlm_realm: No '@' in User-Name = "sumithra", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix_at" returns noop for request 5
rlm_realm: No '@' in User-Name = "sumithra", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "prefix_at" returns noop for request 5
rlm_realm: No '%' in User-Name = "sumithra", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix_percent" returns noop for request 5
rlm_realm: No '%' in User-Name = "sumithra", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "prefix_percent" returns noop for request 5
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'ou=123,dc=123,dc=123,dc=com'
radius_xlat: '(sAMAccountName=sumithra)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=123,dc=123,dc=123,dc=com, with filter (sAMAccountName=sumithra)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat: '(|(&(objectClass=GroupOfNames)(member=CN=sumithra,OU=123,DC=123,DC=123,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=sumithra,OU=123,DC=123,DC=123,DC=com)))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=123,dc=123,dc=123,dc=com, with filter (&(cn=ads-group1)(|(&(objectClass=GroupOfNames)(member=CN=sumithra,OU=123,DC=123,DC=123,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=sumithra,OU=123,DC=123,DC=123,DC=com))))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=sumithra,OU=123,DC=123,DC=123,DC=com, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'ou=123,dc=123,dc=123,dc=com'
radius_xlat: '(|(&(objectClass=GroupOfNames)(member=CN=sumithra,OU=123,DC=123,DC=123,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=sumithra,OU=WIOS,DC=wios,DC=symbol,DC=com)))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=123,dc=123,dc=123,dc=com, with filter (&(cn=ads-group1)(|(&(objectClass=GroupOfNames)(member=CN=sumithra,OU=123,DC=123,DC=123,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=sumithra,OU=123,DC=123,DC=123,DC=com))))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=sumithra,OU=123,DC=123,DC=123,DC=com, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "files" returns notfound for request 5
modcall: entering group redundant for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for sumithra
radius_xlat: '(sAMAccountName=sumithra)'
radius_xlat: 'ou=123,dc=123,dc=123,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=123,dc=123,dc=123,dc=com, with filter (sAMAccountName=sumithra)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user sumithra authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap_primary" returns ok for request 5
modcall: leaving group redundant (returns ok) for request 5
rlm_eap: EAP packet type response id 5 length 71
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
modcall: leaving group authorize (returns updated) for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request not found in the list
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
rlm_eap: Failed in handler
modcall[authenticate]: module "eap" returns invalid for request 5
modcall: leaving group authenticate (returns invalid) for request 5
auth: Failed to validate the user.
Delaying request 5 for 1 seconds
Finished request 5
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 81 with timestamp 4450b417
Cleaning up request 1 ID 82 with timestamp 4450b417
Cleaning up request 2 ID 83 with timestamp 4450b417
Cleaning up request 3 ID 84 with timestamp 4450b417
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 85 to 127.0.0.1 port 41256
Waking up in 4 seconds...
Please reply me if you have any idea where the configuration is wrong.
Thanks in advance.
Regards
Sumithra
On 4/25/06, sumi thra <
[EMAIL PROTECTED]> wrote:
Yes. i got it now.
Thank you so much for your information. :-)
RegardsSumiOn 4/25/06, Alan DeKok < [EMAIL PROTECTED]> wrote:"sumi thra" < [EMAIL PROTECTED]> wrote:
> 1. When i configure the free-radius to use redundant ldap, the radius server
> contacts the secondary ldap server first.
It works for me.
And since you haven't posted the debugging output as suggested in
the README, FAQ, INSTALL, etc., my guess is you're doing something
else wrong that causes the problem.
> 2. My users file has : DEFAULT LDAP-Group := "groupname1" some vendor
> specific attributes follows..
> DEFAULT LDAP-Group := "groupname2" .....
>
> Do i need to specify it as ldap_primary-LDAP-Group := "groupname1"
Did you read doc/rlm_ldap?
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
