On 12/03/2010 08:43 PM, James Winter wrote:
On Dec 3, 2010, at 10:52 AM, Phil Mayers wrote:
You haven't said what your problem is

Sorry! My server tells me that ldap did not find a correct matchup,
but then returns true.

No. It says it found a match, but that:


[ldap] performing search in cn=Users,dc=ds,dc=saintjoe,dc=edu, with
filter (samaccountname=jwn6657)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure
that the user is configured correctly?

...there was no "userPassword" (or it wasn't readable)

[ldap] user jwn6657 authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok

It also then continues to search through other forms of
authentication, and then it seems to return false to the remote device
if any of these are false.

Firstly, radius and the modules don't return "false". The modules return one of a number of error codes (e.g. "ok", above) and the server returns either an Access-Accept or Access-Reject.

Secondly, the debug output you posted returns an "Access-Accept" because, although the LDAP module was unable to see a userPassword attribute on the LDAP entry, a later module sets the Auth-Type to "ntlm_auth" and your server then obeys that.

This is all a non-standard config, so *someone* has configured the server - was it you?



The remote device also told me that the authentication was invalid. I

Well, FreeRadius sent an Access-Accept. What is the remote device? If you hadn't trimmed the debugging output I might be able to suggest more.

was able to successfully authenticate on this device by using the
local users file (on the radius server).

So compare the reply in that case with the reply in this case, and configure the radius server to send the same attributes.



The radius server is authenticating the user successfully:

Sending Access-Accept of id 186 to 131.93.254.2 port 4844
Finished request 3.
Going to the next request


Like I said - FreeRadius is sending an Access-Accept.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
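
The distinction drawn in the reply above (a module's return code versus the packet the server finally sends) can be pulled out of debug output mechanically. This is an added example, not part of the thread or of FreeRADIUS; it assumes only the line formats quoted in the thread, and the function names are hypothetical.

```python
import re

# Debug lines quoted in the thread (re-joined where the mail client wrapped them).
SAMPLE = """\
[ldap] performing search in cn=Users,dc=ds,dc=saintjoe,dc=edu, with filter (samaccountname=jwn6657)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user jwn6657 authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
Sending Access-Accept of id 186 to 131.93.254.2 port 4844
Finished request 3.
"""
MODULE_RC = re.compile(r"^\+*\[(?P<module>[^\]]+)\] returns (?P<rc>\w+)\s*$")
REPLY = re.compile(r"^Sending (?P<packet>Access-\w+) of id (?P<id>\d+) "
                   r"to (?P<nas>\S+) port (?P<port>\d+)")
FINISHED = re.compile(r"^Finished request (?P<num>\d+)\.")

def _new_request():
    return {"request": None, "modules": [], "warnings": [], "reply": None, "nas": None}

def summarize(debug_text):
    """Group debug lines per request: module return codes, warnings, final reply."""
    requests, cur = [], _new_request()
    for line in debug_text.splitlines():
        line = line.strip()
        if m := MODULE_RC.match(line):
            cur["modules"].append((m["module"], m["rc"]))
        elif line.startswith("WARNING:"):
            cur["warnings"].append(line[len("WARNING:"):].strip())
        elif m := REPLY.match(line):
            cur["reply"], cur["nas"] = m["packet"], m["nas"]
        elif m := FINISHED.match(line):
            cur["request"] = int(m["num"])
            requests.append(cur)
            cur = _new_request()
    if cur["modules"] or cur["warnings"] or cur["reply"]:
        requests.append(cur)  # output was cut off before "Finished request"
    return requests

def accepts_with_warnings(requests):
    """Requests the server accepted even though a WARNING was logged for them."""
    return [r for r in requests if r["reply"] == "Access-Accept" and r["warnings"]]

if __name__ == "__main__":
    for r in summarize(SAMPLE):
        print(r["request"], r["modules"], r["reply"], "to", r["nas"])
        print("warnings:", r["warnings"])
```

Run over a full, untrimmed debug capture, the per-request summary makes it easy to compare a working login against a failing one.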