On Thu, 26 Nov 2009 18:21:29 -0000 (UTC) t...@kalik.net wrote:

> > As I don't have any auth other than LDAP, it is done
> > automatically.
>
> I hope so. ;-)
>
> Enable files (and comment out ldap entries) and put:
>
> DEFAULT Auth-Type := tam
>
> at the top of the users file. That's a much cheaper way.

Hm... I think I don't understand you. What should I disable, and in which section: authorize or authenticate?

> Check base_dn. You say it is different but server debug
> would disagree.

But they are.

ldap tam {
        server = "skoll-vm1.kmz.ts"
        basedn = "o=tamknown"
        filter = "(uid=%{User-Name})"
        authtype = tam
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        compare_check_items = no
        do_xlat = no
        access_attr_used_for_allow = no
        set_auth_type = yes
}

ldap lotus {
        server = "ldap.kmz.ts"
        basedn = "o=tsas"
        filter = "(uid=%{User-Name})"
        authtype = lotus
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        compare_check_items = no
        do_xlat = no
        access_attr_used_for_allow = no
        set_auth_type = yes
}

The previous version wrote a different base DN on the screen on every debug run. You can see it in my first message. Now I cannot see it on the screen. Below is the unmodified output.

rad_recv: Access-Request packet from host 192.168.110.3 port 52866, id=87, length=64
        User-Name = "vmendelevich"
        User-Password = "33333333"
        NAS-IP-Address = 192.168.110.3
        NAS-Port = 10
+- entering group authorize {...}
++- entering group ldap {...}
[tam] performing user authorization for vmendelevich
[tam]   expand: (uid=%{User-Name}) -> (uid=vmendelevich)
[tam]   expand: o=tamknown -> o=tamknown
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to skoll-vm1.kmz.ts:389, authentication 0
rlm_ldap: bind as / to skoll-vm1.kmz.ts:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=tamknown, with filter (uid=vmendelevich)
[tam] looking for check items in directory...
[tam] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[tam] Setting Auth-Type = tam
[tam] user vmendelevich authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[tam] returns ok
++- group ldap returns ok
Found Auth-Type = tam
+- entering group tam {...}
[tam] login attempt by "vmendelevich" with password "33333333"
[tam] user DN: uid=vmendelevich,o=tamknown
rlm_ldap: (re)connect to skoll-vm1.kmz.ts:389, authentication 1
rlm_ldap: bind as uid=vmendelevich,o=tamknown/33333333 to skoll-vm1.kmz.ts:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
++[tam] returns reject
++? if (reject)
? Evaluating (reject) -> TRUE
++? if (reject) -> TRUE
++- entering if (reject) {...}
[lotus] login attempt by "vmendelevich" with password "33333333"
[lotus] user DN: uid=vmendelevich,o=tamknown
rlm_ldap: (re)connect to ldap.kmz.ts:389, authentication 1
rlm_ldap: bind as uid=vmendelevich,o=tamknown/33333333 to ldap.kmz.ts:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
+++[lotus] returns reject
++- if (reject) returns reject
Failed to authenticate the user.
Login incorrect (rlm_ldap: Bind as user failed): [vmendelevich] (from client VMendelevich port 10)
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 87 to 192.168.110.3 port 52866
Waking up in 4.9 seconds.
Cleaning up request 0 ID 87 with timestamp +14
Ready to process requests.

My problem begins exactly at this point. When authentication is passed to the second server, the base_dn from the first request to the first server is used.

UIN:9244669
Phone:+7(495)727-0982 ext.4162

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
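The debug output above shows the tell: both the "[tam] user DN:" and the "[lotus] user DN:" lines carry uid=vmendelevich,o=tamknown, so the second instance never searches its own base o=tsas but binds with the DN the first instance found. The fragment below is an added example, not the poster's configuration or anything from the thread. It assumes FreeRADIUS 2.x unlang in the default virtual server, the two instances "tam" and "lotus" as configured in the message, and (an assumption, not confirmed by the thread) that rlm_ldap keeps the DN found during authorize in the control-list attribute Ldap-UserDn and that a later instance reuses that attribute instead of searching again.

```unlang
# Added example (not from the original post). Assumes FreeRADIUS 2.x unlang
# and the "tam" / "lotus" ldap instances defined in the message above.
# Assumption: rlm_ldap stores the DN it found in authorize as the control
# attribute Ldap-UserDn, and the next ldap instance reuses it if present.
authenticate {
        Auth-Type tam {
                tam
                if (reject) {
                        # Clear the DN cached by "tam" so that "lotus"
                        # searches its own base (o=tsas) rather than
                        # binding as uid=...,o=tamknown a second time.
                        update control {
                                Ldap-UserDn !* ANY
                        }
                        lotus
                }
        }
}
```

To check the effect, run radiusd -X again and compare the "[lotus] user DN:" line: it should now show an entry under o=tsas, and the "performing search in" line for lotus should name o=tsas. Note that this fallback means one wrong password costs a failed bind against both directories, which matters if either one enforces a lockout policy; the debug run also prints User-Password in clear text, so test with a throwaway credential.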