Re: Lost entries from reply with multiple instances of the same attribute
> Konstantin KABASSANOV wrote:
> > Some months ago I mentioned a problem observed while sending
> > Access-Accept with multiple Cisco-AVPair="ssid=..." entries. Even if
> > fields are correctly retrieved from the LDAP server, only the first
> > occurrence of the attribute is sent in the packet. Can you tell me if
> > recent developments have solved this issue?
>
> This issue has been solved for almost 4 years now. Read ldap.attrmap.

Alan,

I'd be very happy if it was true, but:

Even if my radius server gets the following from the rlm_ldap:

rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute wireless as RADIUS attribute Cisco-AVPair = "ssid=mywifi1"
rlm_ldap: LDAP attribute wireless as RADIUS attribute Cisco-AVPair = "ssid=mywifi2"

the outgoing access-accept packet contains only the first entry:

rlm_ldap: LDAP attribute wireless as RADIUS attribute Cisco-AVPair = "ssid=mywifi1"

FYI the version I use for radius is 2.0.4, so I don't think it is more than 4 years old.

In an email sent in April 2008, I saw somebody with a similar problem with another attribute, and there was information that the bug was corrected only in unlang. Am I wrong?

Konstantin

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
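One way to confirm on the wire what the message above reports is to decode a captured Access-Accept and list every Cisco-AVPair it carries. This is an added example, not part of the original post or FreeRADIUS code; the packet builder and its zeroed authenticator are constructed test input, and the function names are hypothetical.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type for vendor-specific data (RFC 2865)
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
CISCO_AVPAIR = 1       # Cisco vendor type 1 = Cisco-AVPair
ACCESS_ACCEPT = 2

def encode_avpair(value):
    """Encode one Cisco-AVPair string as a Vendor-Specific attribute."""
    data = value.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def build_access_accept(avpairs, ident=1):
    """Constructed Access-Accept; the authenticator is zeroed, not a real one."""
    attrs = b"".join(encode_avpair(v) for v in avpairs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + bytes(16) + attrs

def cisco_avpairs(packet):
    """Return every Cisco-AVPair value in a RADIUS packet, in wire order."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    found, pos = [], 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            (vendor,) = struct.unpack("!I", value[:4])
            sub = value[4:]
            # One VSA may carry several vendor sub-attributes back to back.
            while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
                if vendor == CISCO_VENDOR_ID and sub[0] == CISCO_AVPAIR:
                    found.append(sub[2:sub[1]].decode("ascii", "replace"))
                sub = sub[sub[1]:]
        pos += alen
    return found

def missing_avpairs(expected, packet):
    """Values the LDAP lookup produced that never reached the wire."""
    sent = cisco_avpairs(packet)
    return [v for v in expected if v not in sent]
```

Feeding it the raw UDP payload of the reply and the values shown in the rlm_ldap debug output gives the list of entries that were dropped before encoding.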
Lost entries from reply with multiple instances of the same attribute
Hi,

Some months ago I mentioned a problem observed while sending Access-Accept with multiple Cisco-AVPair="ssid=..." entries. Even if fields are correctly retrieved from the LDAP server, only the first occurrence of the attribute is sent in the packet. Can you tell me if recent developments have solved this issue?

Thanks.

Konstantin

Konstantin KABASSANOV
LIP6/CNRS
104, avenue du Président Kennedy, 75016 Paris, France
Phone: +33 (0) 1 44 27 71 26
Fax: +33 (0) 1 44 27 74 95
E-mail: [EMAIL PROTECTED]
Web: http://www.kabassanov.com
Certificate: http://igc.services.cnrs.fr/CNRS-Standard/recherche.html
A way to use LDAP only for authentication
Hello,

Using PEAP/mschapv2 with openldap through freeradius, I'd like to know if there is a way to allow all users in the authorize section of radiusd.conf (without doing ldap requests) and make the ldap request only in the authenticate section. It is useful, for instance, to avoid multiple ldap requests during the authorization process, in particular when a number of radius-request/challenges are exchanged between access points and the radius server.

Thanks.

Konstantin
Multiple instances of attribute in tunnelled reply
Hi,

I think that I have a similar problem when freeradius has to send Access-Accept with multiple Cisco-AVPair="ssid=..." entries. Do you think it will be fixed in the near future?

Thanks.

Konstantin
RE: Secure TLS connection between Freeradius and Openldap
Well, finally I succeeded in doing what I wanted...

The reason for the failure was too stupid: in the radiusd.conf file, I had put the LDAP server address in IPv4 dotted address form. Of course, freeradius does not try to resolve it, and of course the address obtained from the LDAP server certificate does not match...

Thanks to all who tried to help me.

Konstantin

>-----Original Message-----
>From: Konstantin KABASSANOV [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, 16 November 2004 15:46
>To: '[EMAIL PROTECTED]'
>Subject: Secure TLS connection between Freeradius and Openldap
>
>Hello,
>
>I'm trying to establish a secure TLS connection between a Freeradius and
>an Openldap server.
>
>The "openssl s_client -connect" command successfully establishes a
>connection to the openldap server on the mentioned port with the following
>certificates, but when trying to bind from freeradius I have the following
>error message:
>
>rlm_ldap: ldap_get_conn: Checking Id: 0
>rlm_ldap: ldap_get_conn: Got Id: 0
>rlm_ldap: attempting LDAP reconnection
>rlm_ldap: (re)connect to 10.0.3.2:636, authentication 0
>rlm_ldap: setting TLS mode to 1
>rlm_ldap: setting TLS CACert File to /etc/openssl/certs/root.pem
>rlm_ldap: setting TLS CACert File to /etc/openssl/certs/
>rlm_ldap: setting TLS Require Cert to never
>rlm_ldap: setting TLS Cert File to /etc/openssl/certs/cert.pem
>rlm_ldap: setting TLS Key File to /etc/openssl/certs/key.pem
>rlm_ldap: setting TLS Key File to /etc/openssl/certs/random
>rlm_ldap: bind as cn=Manager,dc=MYDOMAIN,dc=COM/password to 10.0.3.2:636
>rlm_ldap: cn=Manager,dc=MYDOMAIN,dc=COM bind to 10.0.3.2:636 failed: Can't contact LDAP server
>rlm_ldap: (re)connection attempt failed
>rlm_ldap: search failed
>
>Of course if I don't set the tls mode, the connection is ok.
>
>Any hints?
>
>Thanks.
>
>Konstantin
>
>Konstantin K. KABASSANOV
>LIP6/CNRS
>8, rue du Capitaine Scott
>75015 Paris, France
>
>Phone: +33 (0) 1 44 27 71 26
>Fax: +33 (0) 1 44 27 74 95
>
>E-mail: [EMAIL PROTECTED]
>Web: http://www.kabassanov.com
>
>IMPORTANT! If you have tried to reply to this mail and you received a
>stupid message, announcing that the mail had been rejected as spam,
>please, resend your reply to the address above.
>
>The certificate used to sign this e-mail can be verified at:
>http://igc.services.cnrs.fr/CNRS-Standard/recherche.html
>
>"Too much is never enough." ( Me ;) )
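The mismatch described in the message above, shown as an added example that is not from the original post and is not FreeRADIUS or OpenLDAP code: a simplified model of the usual TLS server-identity check, in which an IP literal is compared only with iPAddress subjectAltName entries and is never resolved back to a name. The certificate and the host name ldap.example.org are constructed; the dictionary layout is the one returned by Python's ssl.SSLSocket.getpeercert().

```python
import ipaddress

def _is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        p, h = p[1:], h[1:]
    return p == h

def server_identity_matches(configured, cert):
    """True if the configured server value is one of the names in the certificate."""
    sans = cert.get("subjectAltName", ())
    if _is_ip(configured):
        # An IP literal is never looked up in DNS and never compared with
        # the commonName or dNSName entries.
        want = ipaddress.ip_address(configured)
        return any(kind == "IP Address" and ipaddress.ip_address(value) == want
                   for kind, value in sans)
    names = [value for kind, value in sans if kind == "DNS"]
    if not names:
        # Fall back to the subject commonName when no dNSName entry exists.
        names = [value for rdn in cert.get("subject", ())
                 for kind, value in rdn if kind == "commonName"]
    return any(_dns_match(name, configured) for name in names)

# Constructed certificate for a hypothetical server named ldap.example.org.
LDAP_CERT = {
    "subject": ((("commonName", "ldap.example.org"),),),
    "subjectAltName": (("DNS", "ldap.example.org"),),
}
```

With this certificate, a server setting of 10.0.3.2 fails the check while ldap.example.org passes, so the fix is either to configure the name that appears in the certificate or to issue a certificate that lists the address as an iPAddress entry.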
Secure TLS connection between Freeradius and Openldap
Hello,

I'm trying to establish a secure TLS connection between a Freeradius and an Openldap server.

The "openssl s_client -connect" command successfully establishes a connection to the openldap server on the mentioned port with the following certificates, but when trying to bind from freeradius I have the following error message:

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.0.3.2:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /etc/openssl/certs/root.pem
rlm_ldap: setting TLS CACert File to /etc/openssl/certs/
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: setting TLS Cert File to /etc/openssl/certs/cert.pem
rlm_ldap: setting TLS Key File to /etc/openssl/certs/key.pem
rlm_ldap: setting TLS Key File to /etc/openssl/certs/random
rlm_ldap: bind as cn=Manager,dc=MYDOMAIN,dc=COM/password to 10.0.3.2:636
rlm_ldap: cn=Manager,dc=MYDOMAIN,dc=COM bind to 10.0.3.2:636 failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed

Of course if I don't set the tls mode, the connection is ok.

Any hints?

Thanks.

Konstantin

Konstantin K. KABASSANOV