Quoting Roger Thomas <[EMAIL PROTECTED]>:

> Quoting Alan DeKok <[EMAIL PROTECTED]>:
>
> > Roger Thomas <[EMAIL PROTECTED]> wrote:
> > > My LDAP knowledge is quite shallow and as such I would like to use
> > >
> > >   - openLDAP only for authentication
> > >   - MySQL for authorization and accounting
> > >
> > > If that is possible, do I *still* need to extend my LDAP schema with ~/doc/examples/openldap.schema ?
> >
> > I don't think so. If all you're using LDAP for is usernames &
> > passwords, that should be in the default schema.
> >
> > Alan DeKok.
> > --
> > http://deployingradius.com - The web site of the book
> > http://deployingradius.com/blog/ - The blog
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
>
> I ran radtest and it complained that there is no dialupAccess attribute, so
> access is denied by default.
>
> -- snippet from debug screen --
> ...
> ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=example,dc=com, with filter ([EMAIL PROTECTED])
> rlm_ldap: no dialupAccess attribute - access denied by default
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns userlock for request 0
> modcall: leaving group authorize (returns userlock) for request 0
> Invalid user (rlm_ldap: Access Attribute denies access): [EMAIL PROTECTED]/thepassword] (from client localhost port 10)
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 144 to 127.0.0.1 port 32803
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 144 with timestamp 44cff3d6
> Nothing to do. Sleeping until we see a request.
>
> I noticed that 'dialupAccess' attribute is defined in the radiusprofile
> objectClass (openldap.schema). Means radiusd expects that objectClass to be
> made available. Wonder if there is any way around this?

just comment out the line
    access_attr = "dialupAccess"
in the ldap section of your module definition.

hth
  markus

>
> --
> Roger

--
Markus Krause email: [EMAIL PROTECTED]
Mogli-Soft: Support for Mac OS X, Webmail/Horde, LDAP, RADIUS
by order of the Computing Center of the Max-Planck-Institute of Biochemistry
Tel.: 089 - 89 40 85 99
Fax.: 089 - 89 40 85 98