Quoting Markus Krause <[EMAIL PROTECTED]>:

> Quoting Roger Thomas <[EMAIL PROTECTED]>:
>
> > Quoting Alan DeKok <[EMAIL PROTECTED]>:
> >
> > > Roger Thomas <[EMAIL PROTECTED]> wrote:
> > > > My LDAP knowledge is quite shallow and as such I would like to use
> > > >
> > > > - openLDAP only for authentication
> > > > - MySQL for authorization and accounting
> > > >
> > > > If that is possible, do I *still* need to extend my LDAP schema
> > > > with ~/doc/examples/openldap.schema ?
> > >
> > > I don't think so. If all you're using LDAP for is usernames &
> > > passwords, that should be in the default schema.
> > >
> > > Alan DeKok.
> > > --
> > > http://deployingradius.com - The web site of the book
> > > http://deployingradius.com/blog/ - The blog
> > > -
> > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
> >
> > I ran radtest and it complained that there is no dialupAccess attribute, so
> > access is denied by default.
> >
> > -- snippet from debug screen --
> > ...
> > ...
> > rlm_ldap: Bind was successful
> > rlm_ldap: performing search in dc=example,dc=com, with filter ([EMAIL PROTECTED])
> > rlm_ldap: no dialupAccess attribute - access denied by default
> > rlm_ldap: ldap_release_conn: Release Id: 0
> > modcall[authorize]: module "ldap" returns userlock for request 0
> > modcall: leaving group authorize (returns userlock) for request 0
> > Invalid user (rlm_ldap: Access Attribute denies access): [EMAIL PROTECTED]/thepassword] (from client localhost port 10)
> > Delaying request 0 for 1 seconds
> > Finished request 0
> > Going to the next request
> > --- Walking the entire request list ---
> > Waking up in 1 seconds...
> > --- Walking the entire request list ---
> > Waking up in 1 seconds...
> > --- Walking the entire request list ---
> > Sending Access-Reject of id 144 to 127.0.0.1 port 32803
> > Waking up in 4 seconds...
> > --- Walking the entire request list ---
> > Cleaning up request 0 ID 144 with timestamp 44cff3d6
> > Nothing to do. Sleeping until we see a request.
> >
> > I noticed that 'dialupAccess' attribute is defined in the radiusprofile
> > objectClass (openldap.schema). Means radiusd expects that objectClass to be
> > made available. Wonder if there is any way around this?
>
> just comment out the line
> access_attr = "dialupAccess"
> in the ldap section of your module definition.
>
> hth
> markus

That helps. Thanks Markus.