Zitat von Roger Thomas <[EMAIL PROTECTED]>:
> Quoting Alan DeKok <[EMAIL PROTECTED]>:
>
> > Roger Thomas <[EMAIL PROTECTED]> wrote:
> > > My LDAP knowledge is quite shallow and as such I would like to use
> >
> > > - openLDAP only for authentication
> > > - MySQL for authorization and accounting
> > >
> > > If that is possible, do I *still* need to extend my LDAP schema
> > with ~/doc/examples/openldap.schema ?
> >
> >   I don't think so.  If all you're using LDAP for is usernames &
> > passwords, that should be in the default schema.
> >
> >   Alan DeKok.
> > --
> >   http://deployingradius.com       - The web site of the book
> >   http://deployingradius.com/blog/ - The blog
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
>
> I ran radtest and it complained that there is no dialupAccess attribute, so
> access is denied by default.
>
> -- snippet from debug screen --
> ...
> ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=example,dc=com, with filter
> ([EMAIL PROTECTED])
> rlm_ldap: no dialupAccess attribute - access denied by default
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns userlock for request 0
> modcall: leaving group authorize (returns userlock) for request 0
> Invalid user (rlm_ldap: Access Attribute denies access):
> [EMAIL PROTECTED]/thepassword] (from client localhost port 10)
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 144 to 127.0.0.1 port 32803
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 144 with timestamp 44cff3d6
> Nothing to do.  Sleeping until we see a request.
>
>
>
> I noticed that 'dialupAccess' attribute is defined in the radiusprofile
> objectClass (openldap.schema). Means radiusd expects that objectClass to be
> made available. Wonder if there is any way around this?


just comment out the line
  access_attr = "dialupAccess"
in the ldap section of your module definition.


hth
  markus

>
> --
> Roger
>
>
> ---------------------------------------------------
> Sign Up for free Email at http://ureg.home.net.my/
> ---------------------------------------------------
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>


--
Markus Krause                                   email: [EMAIL PROTECTED]
Mogli-Soft: Support for Mac OS X, Webmail/Horde, LDAP, RADIUS
by order of the Computing Center of the Max-Planck-Institute of Biochemistry
Tel.: 089 - 89 40 85 99                         Fax.: 089 - 89 40 85 98

---------------------------------------------------------------------
     This message was sent using https://webmail.biochem.mpg.de
If you encounter any problems please report to [EMAIL PROTECTED]

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
  • Re: AAA Markus Krause

Reply via email to