I came across the same problem and my debugging shows the following:
1) ldap_groupcmp calls radius_xlat to replace Ldap_UserDn with the value.
2) radius_xlat calls decode_attribute
3) decode_attribute calls xlat_packet with instance 1 and returns 0 (=nothing
found)
if ((c = xlat_find(xlat_name)) != NULL) {
if (!c->internal) DEBUG3("radius_xlat: Running
registered xlat function of module %s for string \'%s\'",
c->module, xlat_string);
retlen = c->do_xlat(c->instance, request, xlat_string,
q, freespace, func);
/* If retlen is 0, treat it as not found */
if (retlen > 0) found = 1;
}
If I look into xlat_packet there is a switch statement for instance and 1 means
select request->packet->vps, but if I look into rlm_ldap.c the vps are in
request->config_items (e.g instance= 0). If I change instance to 0 in the
debugger the expansion seems to work. Unfortunatly I don't know where this is
set and what it means
switch (*(int*) instance) {
case 0:
vps = request->config_items;
break;
case 1:
vps = request->packet->vps;
packet = request->packet;
break;
Markus
"Gopinath Reddy N" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
Hi,
We have upgraded our freeradius1.6 to 2.0
We are using active directory for LDAP server.
We have not changed any data in AD. But when we upgrade and try to connect
using valid user id..user is getting rejected.
Please let me know if there any issues I need to take before ugprading to 2.0
Iam using same bind DN and other strings in 2.0.
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 157.235.205.31:389, authentication 0
rlm_ldap: bind as
cn=Administrator,cn=Users,dc=Crossfire,dc=symbol,dc=com/windows2003 to
157.235.205.31:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in cn=Users,dc=Crossfire,dc=symbol,dc=com, with
filter (sAMAccountName=satish)
rlm_ldap: ldap_release_conn: Release Id: 0
expand:
(|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
->
(|(&(objectClass=group)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
*******************************************************
rlm_ldap: performing search in cn=Users,dc=Crossfire,dc=symbol,dc=com, with
filter
(&(cn=sales)(|(&(objectClass=group)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
rlm_ldap: object not found or got ambiguous search result
*******************************************************************************
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in
CN=satish,CN=Users,DC=Crossfire,DC=symbol,DC=com, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
expand: cn=Users,dc=Crossfire,dc=symbol,dc=com ->
cn=Users,dc=Crossfire,dc=symbol,dc=com
expand:
(|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
->
(|(&(objectClass=group)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=Users,dc=Crossfire,dc=symbol,dc=com, with
filter
(&(cn=sales)(|(&(objectClass=group)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in
CN=satish,CN=Users,DC=Crossfire,DC=symbol,DC=com, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
rlm_ldap: ldap_release_conn: Release Id: 0
users: Matched entry DEFAULT at line 26
++[files] returns ok
++- entering policy redundant
rlm_ldap: - authorize
rlm_ldap: performing user authorization for satish
expand: (sAMAccountName=%{User-Name}) -> (sAMAccountName=satish)
expand: cn=Users,dc=Crossfire,dc=symbol,dc=com ->
cn=Users,dc=Crossfire,dc=symbol,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=Users,dc=Crossfire,dc=symbol,dc=com, with
filter (sAMAccountName=satish)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
******************************
WARNING: No "known good" password was found in LDAP. Are you sure that the
user is configured correctly?
***************************************
rlm_ldap: user satish authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap_secondary] returns ok
++- policy redundant returns ok
rlm_eap: EAP packet type response id 1 length 11
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type Reject
rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Login incorrect: [satish/<via Auth-Type = Reject>] (from client
private-network-1 port 1 cli 00-16-CF-50-6C-8C)
Thanks
gnr
------------------------------------------------------------------------------
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
