Re:LDAP basedn context
Correct, it is unable to find the user. When set at a higher context I receive the following error: rlm_ldap: performing search in o=wheaton, with filter (cn=testacct) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed My ldap config is as follows. If I change the basedn to where the user is located (ou=cs,ou=srvc,o=wheaton) then it works. ldap test-ldap{ server = "ldapserver.wheaton.edu" identity = "cn=admin,o=wheaton" password = password basedn = "o=wheaton" filter = "(cn=%{Stripped-User-Name:-%{User-Name}})" start_tls = yes tls_cacertfile = /etc/raddb/certs/wheatonCA/wheatonca.b64 tls_require_cert= "demand" access_attr = "cn" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_attribute = nspmPassword timeout = 4 timelimit = 3 net_timeout = 1 } matt... >> Is it possible to specify the basedn above where the users are actually >> located and have freeradius find the user in a subcontext? For instance >> if my ldap is setup as ou=users1,ou=loc1,o=org and >> ou=users2,ou=loc2,ou=o=org can I specify basedn="o=org" and find users >> in both users1 and users2? >> >> Thanks. > >I think so, is it not working for you? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
LDAP basedn context
Is it possible to specify the basedn above where the users are actually located and have freeradius find the user in a subcontext? For instance if my ldap is setup as ou=users1,ou=loc1,o=org and ou=users2,ou=loc2,ou=o=org can I specify basedn="o=org" and find users in both users1 and users2? Thanks. Matt McFarlane - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius-Users digest, Vol 1 #4631 - 12 msgs
> > You can't use PEAP unless you have plaintext passwords stored in the > LDAP or NT/LM password hashes. To use LDAP bind to authenticate you will > need to use TTLS with PAP as inner tunnel authentication. This is how > you can configure your clients to use TTLS+PAP > The passwords are revealed in plaintext. Would prefer to use PEAP w/MsChapv2 as any XP client on our network will already have that. Is there anything special to configure in the eap.conf. I used certs.sh to create the demoCA which I'm using for testing. Thanks. eap.conf eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/cert-srv.pem certificate_file = ${raddbdir}/certs/cert-srv.pem CA_file = ${raddbdir}/certs/demoCA/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random } peap { default_eap_type = mschapv2 } mschapv2 { } } - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
WinXP 802.1X/Radius/eDir (LDAP)
Totally new to radius. I've installed freeradius 1.02 --with-edir on Suse 9. Attempting to use 802.1X auth from wireless user behind HP 420 AP using WinXP to an eDir tree via LDAP. When I use radtest the bind is successful. However when using the 802.1X supplicant I get the output below. Two things I've noticed are that the password appears to not be received (via PEAP) and that the bind password is being sent as "aassword" instead of "password" no matter what I enter on the supplicant. ldap: base_filter = "(objectclass=radiusprofile)" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "nspmPassword" ldap: access_attr = "uid" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes ldap: edir_account_policy_check = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Creating new attribute test-ldap-Ldap-Group rlm_ldap: Registering ldap_groupcmp for test-ldap-Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name test-ldap rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP nspmPassword mapped to RADIUS User-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port conns: 0x8151848 Module: Instantiated ldap (test-ldap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detai