On 7/20/06, Thibault Le Meur <[EMAIL PROTECTED]> wrote:

> Well, isn't it a problem of rights? Is the anonymous user able to search the
> OpenLDAP directory for user entries?

Yes, the anonymous user is able to search. 

> What is the result of a simple "ldapsearch" with the same LDAP filter?

ldapsearch -x -b "dc=xxxx,dc=it" "(uid=misterc)"

# extended LDIF
#
# LDAPv3
# base <dc=xxxx,dc=it> with scope subtree
# filter: (uid=misterc)
# requesting: ALL
#

# Vito Cu, utenti, xxxx.it
dn: cn=Vito Cu,ou=utenti,dc=xxxx,dc=it
uid: misterc
description: bel giovine
sn: Cu
cn: newperson
cn: Vito Cu
userPassword:: e1NIQX1TQ01UU1l5cVpESHcvSXhqRUJGWHdQQnFTTXM9
objectClass: radiusprofile
objectClass: inetOrgPerson
radiusAuthType: LDAP

# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

> Have you got ACLs in your OpenLDAP directory configuration files?

All the users have the rights.

Well, after some changes in OpenLDAP config, this is the result:

Fri Jul 21 11:15:51 2006 : Debug:   Processing the authorize section of radiusd.conf
Fri Jul 21 11:15:51 2006 : Debug: modcall: entering group authorize for request 0
Fri Jul 21 11:15:51 2006 : Debug:   modsingle[authorize]: calling eap (rlm_eap) for request 0
Fri Jul 21 11:15:51 2006 : Debug:   rlm_eap: No EAP-Message, not doing EAP
Fri Jul 21 11:15:51 2006 : Debug:   modsingle[authorize]: returned from eap (rlm_eap) for request 0
Fri Jul 21 11:15:51 2006 : Debug:   modcall[authorize]: module "eap" returns noop for request 0
Fri Jul 21 11:15:51 2006 : Debug:   modsingle[authorize]: calling ldap (rlm_ldap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: - authorize
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: performing user authorization for misterc
Fri Jul 21 11:15:51 2006 : Debug: radius_xlat:  '(uid=misterc)'
Fri Jul 21 11:15:51 2006 : Debug: radius_xlat:  'ou=utenti,dc=xxxx,dc=it'
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: attempting LDAP reconnection
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: (re)connect to 192.168.1.221:389, authentication 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: bind as cn=Manager,dc=xxxx,dc=it/PASSWORD to 192.168.1.221:389
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: waiting for bind result ...
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Bind was successful
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: performing search in ou=utenti,dc=xxxx,dc=it, with filter (uid=misterc)
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: checking if remote access for misterc is allowed by userPassword
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Added password {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= in check items
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: looking for check items in directory...
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding radiusAuthType as Auth-Type, value LDAP & op=21
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding userPassword as User-Password, value {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= & op=21
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: looking for reply items in directory...
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: user misterc authorized to use remote access
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Fri Jul 21 11:15:51 2006 : Debug:   modsingle[authorize]: returned from ldap (rlm_ldap) for request 0
Fri Jul 21 11:15:51 2006 : Debug:   modcall[authorize]: module "ldap" returns ok for request 0
Fri Jul 21 11:15:51 2006 : Debug: modcall: leaving group authorize (returns ok) for request 0
Fri Jul 21 11:15:51 2006 : Debug:   rad_check_password:  Found Auth-Type LDAP
Fri Jul 21 11:15:51 2006 : Debug: auth: type "LDAP"
Fri Jul 21 11:15:51 2006 : Debug:   Processing the authenticate section of radiusd.conf
Fri Jul 21 11:15:51 2006 : Debug: modcall: entering group LDAP for request 0
Fri Jul 21 11:15:51 2006 : Debug:   modsingle[authenticate]: calling pap (rlm_pap) for request 0
Fri Jul 21 11:15:51 2006 : Auth: rlm_pap: Attribute "Password" is required for authentication. Cannot use "CHAP-Password".
Fri Jul 21 11:15:51 2006 : Debug:   modsingle[authenticate]: returned from pap (rlm_pap) for request 0
Fri Jul 21 11:15:51 2006 : Debug:   modcall[authenticate]: module "pap" returns invalid for request 0
Fri Jul 21 11:15:51 2006 : Debug:   modsingle[authenticate]: calling ldap (rlm_ldap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: - authenticate
Fri Jul 21 11:15:51 2006 : Auth: rlm_ldap: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password".
Fri Jul 21 11:15:51 2006 : Debug:   modsingle[authenticate]: returned from ldap (rlm_ldap) for request 0
Fri Jul 21 11:15:51 2006 : Debug:   modcall[authenticate]: module "ldap" returns invalid for request 0
Fri Jul 21 11:15:51 2006 : Debug: modcall: leaving group LDAP (returns invalid) for request 0
Fri Jul 21 11:15:51 2006 : Debug: auth: Failed to validate the user.

Config files are the same as above.
Best regards.
Giusy Venezia
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
