Kostas-
Thanks for your response. Now, what to do with the groupname items? If I
comment them out, I end up with:
rlm_ldap: performing search in o=CTTEL,c=US, with filter (uid=gozilla)
rlm_ldap: checking if remote access for gozilla is allowed by
radiusClass
rlm_ldap: checking user membership in dialup-enabling group
radiusClass=AnalogUser
radius_xlat: 'radiusClass=AnalogUser'
radius_xlat: '(uid=gozilla)'
rlm_ldap: performing search in radiusClass=AnalogUser, with filter
(uid=gozilla)
rlm_ldap: ldap_search() failed: No such object
My goal is: if (obviously) username and password match, then see if the
user is an AnalogUser (radiusClass=AnalogUser). If so, then allow them
access.
Should I make my filter be ((uid=%u)(radiusClass=AnalogUser))?
Thanks again...
Michael
On Mon, 2002-05-13 at 14:17, Kostas Kalevras wrote:
On 13 May 2002, Michael Klatsky wrote:
I thought I would place a general post regarding the Access packets...
While I successfully authenticate, I cannot seem to formulate a working
packet which authenticates AND authorizes. With 3 1/2 years of working
with 2 other (commercial) radius servers, I thought I would have gotten
this by now.:(
Below is the response from my test:
rad# radclient -f test.auth localhost auth x
Received response ID 90, code 3, length = 20
Here is my test.auth:
User-Name = gozilla
User-Password = x
Nas-IP-Address = 127.0.0.1
Nas-Port-ID = 0
Service-Type = Framed-User
Class = AnalogUser
And here are some log entries:
rlm_ldap: checking if remote access for gozilla is allowed by
radiusClass
rlm_ldap: checking user membership in dialup-enabling group
ou=People,o=CTTEL,c=US
radius_xlat: 'ou=People,o=CTTEL,c=US'
radius_xlat: ''((uid=gozilla)(o=cttel.net))''
rlm_ldap: performing search in ou=People,o=CTTEL,c=US, with filter
'((uid=gozilla)(o=cttel.net))'
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns userlock
modcall: group authorize returns userlock
Invalid user (rlm_ldap: User is not an access group member):
[gozilla/xx] (from nas local port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
Thread 1 waiting to be assigned a request
rad_recv: Access-Request packet from host 127.0.0.1:33879, id=90,
length=74
Sending duplicate authentication reply to client localhost:33879 - ID:
90
Sending Access-Reject of id 90 to 127.0.0.1:33879
The result of an ldapsearch as below returns what is expected.
ldapsearch -x -v -hloon.cttel.net -bou=People,o=CTTEL,c=US
'((uid=gozilla)(o=cttel.net))'
I am running my ldap server in debug mode, and am seeing a failed
inquiry, using exactly the information above, so I am wondering whether
there is a bug, or a fundamental misunderstanding in how to configure
this portion of a freeradius server.
If more info is needed - please let me know. Thanks again as I'm sure I
am not unique in hoping to document step by step the process of setting
up and testing the freeradius server. It IS a very nice piece of
software.
--
Sincerely,
Michael Klatsky
Senior Unix Administrator
Connecticut Telephone
1 Talcott Plaza
Hartford, CT 06103
1-860-240-6496
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
You are using group membership access without having defined a group. The way
you have configured it the ldap module will try to find if user godzilla is a
member of the group ou=People,o=CTTEL,c=US. In your case though
ou=People,o=CTTEL,c=US is just the base for your ldap search and not an ldap
group. So you should either use a valid group or disable the access_group
configuration directive (just comment it out).
The comment in doc/rlm_ldap:
'means all users located in the LDAP tree under specified basedn'
applies for the default access_group (NULL).
--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
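As an added illustration of the two approaches discussed in this thread (this is not code from the thread or from FreeRADIUS): a toy LDAP filter matcher over a constructed directory. `search()` fails with "No such object" when the base is not a DN in the tree, which is what rlm_ldap logged when `radiusClass=AnalogUser` was used as the access_group, and `authorize()` applies Michael's proposed filter written with the `&` operator that an LDAP filter requires to AND two items. The directory entries, the `nocls` account and all function names are assumptions made for the example.

```python
def parse_filter(s, i=0):
    """Parse an RFC 2254 filter: (&..), (|..), (!..), (attr=value). Returns (node, next_i)."""
    if s[i:i + 1] != '(':
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ('&', '|', '!'):
        op, i, kids = s[i], i + 1, []
        while s[i:i + 1] == '(':
            node, i = parse_filter(s, i)
            kids.append(node)
        if s[i:i + 1] != ')' or not kids:
            raise ValueError(f"malformed '{op}' filter at offset {i}")
        return (op, kids), i + 1
    end = s.index(')', i)
    attr, _, value = s[i:end].partition('=')
    if not attr.replace('-', '').isalnum() or not value:  # '(uid' or '' is not an attribute name
        raise ValueError(f"bad filter item {s[i:end]!r}")
    return ('=', attr.lower(), value.strip()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry of the form {attr_lowercase: [values]}."""
    if node[0] == '=':
        vals = entry.get(node[1], [])
        return bool(vals) if node[2] == '*' else any(v.lower() == node[2].lower() for v in vals)
    kids = node[1]
    if node[0] == '&':
        return all(matches(k, entry) for k in kids)
    if node[0] == '|':
        return any(matches(k, entry) for k in kids)
    return not matches(kids[0], entry)  # '!' negates its single child

def search(entries, base, filter_str):
    """Subtree search under `base`; a base that is not a DN in the tree fails as in the log."""
    scope = {dn: e for dn, e in entries.items() if dn.lower().endswith(base.lower())}
    if not scope:
        raise LookupError("No such object")
    tree, end = parse_filter(filter_str)
    if end != len(filter_str):
        raise ValueError("text after the closing ')' of the filter")
    return [dn for dn, e in scope.items() if matches(tree, e)]

DIRECTORY = {  # constructed sample directory: one AnalogUser and one account with no radiusClass
    "uid=gozilla,ou=People,o=CTTEL,c=US": {"uid": ["gozilla"], "o": ["cttel.net"], "radiusclass": ["AnalogUser"]},
    "uid=nocls,ou=People,o=CTTEL,c=US": {"uid": ["nocls"], "o": ["cttel.net"]},
}

def authorize(username, required_class="AnalogUser"):
    # Michael's proposed filter with the '&' LDAP needs to AND two items: the account must exist AND carry the class.
    flt = f"(&(uid={username})(radiusClass={required_class}))"
    return len(search(DIRECTORY, "ou=People,o=CTTEL,c=US", flt)) == 1
```

A filter written as ((uid=%u)(radiusClass=AnalogUser)) with no `&` is rejected by parse_filter as malformed, as a real server would reject it. If you build such filters from a User-Name yourself, escape the value per RFC 4515 first so a crafted name cannot change the structure of the filter.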