RE: LDAP groups send reply
Thank you for the reply. Here is the output from radius. The problem I'm having is that only one group name is returned. As shown below, I have the values testgroup2 and Users not being returned.

Ready to process requests.
rad_recv: Access-Request packet from host 10.32.2.108:1142, id=3, length=48
        User-Name = testuser
        User-Password = test123
modcall: entering group authorize for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat: '(uid=testuser)'
radius_xlat: 'o=PUSD,c=US'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: bind as / to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in o=PUSD,c=US, with filter (uid=testuser)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value C5A237B7E9D8E708D8436B6148A25FA1 op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding securityRole as Filter-Id, value testgroup1 op=11
rlm_ldap: Adding securityRole as Filter-Id, value testgroup2 op=11
rlm_ldap: Adding securityRole as Filter-Id, value Users op=11
rlm_ldap: user testuser authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module files returns notfound for request 0
modcall[authorize]: module eap returns noop for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type LDAP
auth: type LDAP
modcall: entering group authenticate for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by testuser with password test123
rlm_ldap: user DN: uid=testuser,ou=Information Technology,o=PUSD,c=US
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 1
rlm_ldap: bind as uid=testuser,ou=Information Technology,o=PUSD,c=US/test123 to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: user testuser authenticated succesfully
modcall[authenticate]: module ldap returns ok for request 0
modcall: group authenticate returns ok for request 0
Login OK: [testuser/test123] (from client edcenter port 0)
Sending Access-Accept of id 3 to 10.32.2.108:1142
        Filter-Id = testgroup1
Finished request 0

-Original Message-
From: Dustin Doris [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 17, 2004 11:12 AM
To: '[EMAIL PROTECTED]'
Subject: Re: LDAP groups send reply

> Hello,
> I would like to know if this is possible:
> Send a Class or Filter-Id attribute to the NAS, with the content being the names of the LDAP groups to which the user belongs.
> Thank you,
> denis

How does the NAS expect the group to come back? Class:

Sorry, I guess I hit send too early. What I meant was, what radius attribute is the nas expecting for the groups? An example could be the radius attribute Class. In that case, you would make sure the following is in ldap.attrmap:

replyItem       Class   radiusClass

Then in your ldap directory, you would store the reply items.

radiusClass: OU=group.com;

The one above is an example for Cisco VPN concentrators. Need to add more? Use +=; read the man page on users.

-Dusty Doris

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
rlm_ldap (values with space)
Hello, I have group values with spaces in them; rlm_ldap is not reading the value after the space. Is this a bug? The values in my securityRole attribute are Change Password and Luisa Admin. I'm using freeRadius 0.9.3 and OpenLDAP 2.1.25.

ad_recv: Access-Request packet from host 10.32.2.108:1164, id=4, length=52
        User-Name = testuser
        User-Password = test123
modcall: entering group authorize for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat: '(uid=testuser)'
radius_xlat: 'o=PUSD,c=US'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=PUSD,c=US, with filter (uid=testuser)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value A4F51A8F148FF0FB30DB313FD41E2282 op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding securityRole as Filter-Id, value Change op=11
rlm_ldap: Adding securityRole as Filter-Id, value Luisa op=11
rlm_ldap: Adding securityRole as Filter-Id, value Users op=11
rlm_ldap: Adding securityRole as Filter-Id, value testgroup1 op=11
rlm_ldap: Adding securityRole as Filter-Id, value testgroup2 op=11
rlm_ldap: user testuser authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 1
modcall[authorize]: module preprocess returns ok for request 1
modcall[authorize]: module files returns notfound for request 1
modcall[authorize]: module eap returns noop for request 1
modcall: group authorize returns ok for request 1
rad_check_password: Found Auth-Type LDAP
auth: type LDAP
modcall: entering group authenticate for request 1
rlm_ldap: - authenticate
rlm_ldap: login attempt by testuser with password test123
rlm_ldap: user DN: uid=testuser,ou=Information Technology,o=PUSD,c=US
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 1
rlm_ldap: bind as uid=testuser,ou=Information Technology,o=PUSD,c=US/test123 to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: user testuser authenticated succesfully
modcall[authenticate]: module ldap returns ok for request 1
modcall: group authenticate returns ok for request 1
Login OK: [testuser/test123] (from client edcenter port 0)
Sending Access-Accept of id 4 to 10.32.2.108:1164
        Filter-Id = Change
Finished request 1
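The two debug traces above (only the first securityRole value reaching the Access-Accept, and "Change Password" arriving as "Change") and the Login-LAT-Group=Users reports later in this thread are what the following added Python model reproduces; it is not code from the thread or from FreeRADIUS. It assumes rlm_ldap reads each LDAP value like a users-file entry (an optional leading operator, then a value that stops at the first space unless double-quoted) and then applies the users-file operator rules, so a reply item with the default "=" operator is added only once.

```python
OPERATORS = ("+=", "-=", ":=", "==", "=")   # two-char forms first so "+=" is not read as "="

def parse_reply_value(raw, default_op="="):
    """Split one LDAP attribute value into (operator, value).

    Modelling assumption (not rlm_ldap's source): an optional leading
    operator, then a value read like a users-file token, so a double-quoted
    string is taken whole and anything else stops at the first whitespace.
    """
    s = raw.lstrip()
    op = default_op
    for cand in OPERATORS:
        if s.startswith(cand):
            op, s = cand, s[len(cand):].lstrip()
            break
    if s.startswith('"'):
        end = s.find('"', 1)
        value = s[1:end] if end != -1 else s[1:]
    else:
        value = s.split(None, 1)[0] if s else ""
    return op, value

def build_reply(attr, ldap_values, default_op="="):
    """Turn the LDAP values for one mapped reply item into (attr, value) pairs
    using the users-file operator rules: "=" adds only if attr is absent,
    "+=" always appends, ":=" replaces all instances, "-=" removes a pair."""
    reply = []
    for raw in ldap_values:
        op, value = parse_reply_value(raw, default_op)
        present = any(a == attr for a, _ in reply)
        if op == "=" and not present:
            reply.append((attr, value))
        elif op == "+=":
            reply.append((attr, value))
        elif op == ":=":
            reply = [p for p in reply if p[0] != attr] + [(attr, value)]
        elif op == "-=":
            reply = [p for p in reply if p != (attr, value)]
    return reply

# Constructed samples: the securityRole values from the thread as stored (no
# operator, so the default "=" applies), then rewritten with "+=" and quotes.
AS_STORED = ["testgroup1", "testgroup2", "Users", "Change Password", "Luisa Admin"]
FIXED = ["+=testgroup1", "+=testgroup2", "+=Users",
         '+= "Change Password"', '+= "Luisa Admin"']

if __name__ == "__main__":
    for label, values in (("as stored", AS_STORED), ("with += and quotes", FIXED)):
        print(label)
        for attr, value in build_reply("Filter-Id", values):
            print(f"  {attr} = {value!r}")
```

The point for a NAS that authorizes on Filter-Id or Class is that the incomplete reply is silently accepted, so a user can end up with fewer (or different) groups than the directory says without any error in the log.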
LDAP groups send reply
Hello,
I would like to know if this is possible:
Send a Class or Filter-Id attribute to the NAS, with the content being the names of the LDAP groups to which the user belongs.

Thank you,
denis
RE: Need Assistance please
Alan, the User, Change Password, Administrator etc. are already part of the LDAP schema (under the attribute securityRole), e.g.

Uid=testuser
Attribute       Value
securityRole    Users

Alan DeKok wrote:
> The value should have the operator in it. e.g. +=Users

Is the value you've mentioned in the LDAP schema? Or in radiusd.conf? Or ldap.attrmap? Where do I make the operator change? Is this a dumb question to ask? I can't find this answer.

Thank you for any input,
-denis
RE: FW: Need Assistance please
Alan, the User, Change Password, Administrator etc. are already part of the LDAP schema (under the attribute securityRole), e.g.

Uid=testuser
Attribute       Value
securityRole    Users

Alan DeKok wrote:
> The value should have the operator in it. e.g. +=Users

Is the value you've mentioned in the LDAP schema (LDAP config file)? Or in radiusd.conf? Or ldap.attrmap?

I've modified the file ldap.attrmap as follows (this is the only change I've made):

replyItem       Login-LAT-Group         securityRole

> That should work.

I thought that by modifying this line to match the LDAP attribute it would return all values for the user (testuser) in the LDAP schema.

Alan DeKok wrote:
> No. The operators are still important.
>
> Alan DeKok.

Alright... so this may be a misconfiguration in LDAP?

-denis
Need Assistance please
Alan, the User, Change Password, Administrator etc. are already part of the LDAP schema (under the attribute securityRole), e.g.

Uid=testuser
Attribute       Value
securityRole    Users

Alan DeKok wrote:
> The value should have the operator in it. e.g. +=Users

Is the value you've mentioned in the LDAP schema (LDAP config file)? Or in radiusd.conf? Or ldap.attrmap? Where do I make the change?

Thank you,
-denis
FW: Need Assistance please
Alan, I'd first like to extend my gratitude for answering my email. I'd also like to apologize to everyone on the list for my confusion. I've been reading the book RADIUS by Jonathan Hassell, and I've been reading the archives for a while now. Can anyone suggest a good book with sample information?

My problem is as follows:

>> Is radius supposed to only return back a single attribute?
>
> That's what you told it to do. An attribute with one value (even with commas) is very different than attributes with multiple values.
>
> My suggestion is to create multiple entries in the LDAP schema for the Login-LAT-Group, as there is no Login-LAT-GroupS attribute. Each value should then be +=User (first), +=Change Password (second), etc...
>
> Alan DeKok.

Alan, the User, Change Password, Administrator etc. are already part of the LDAP schema (under the attribute securityRole), e.g.

Uid=testuser
Attribute       Value
securityRole    Users
securityRole    testgroup1
securityRole    testgroup2
securityRole    Change Password
securityRole    Luisa Administrator

I've modified the file ldap.attrmap as follows (this is the only change I've made):

replyItem       Login-LAT-Group         securityRole

I thought that by modifying this line to match the LDAP attribute it would return all values for the user (testuser) in the LDAP schema. When I use NTRadPing the response is:

Sending authentication request to server test.server:1645
Transmitting packet, code=1 id=0 length=50
Received response from the server in 10 milliseconds
Reply packet code=2 id0 length=27
Response: Access-Accept
attribute dump--
Login-LAT-Group=Users

Can you or anyone suggest any howto site? I've read the LDAP doc and it doesn't mention how to implement this. Is this possible? Did I miss a step?

Thank you
-denis
RE: Need Assistance please
Alan, I'd first like to extend my gratitude for answering my email. I'd also like to apologize for my confusion.

>> Is radius supposed to only return back a single attribute?
>
> That's what you told it to do. An attribute with one value (even with commas) is very different than attributes with multiple values.
>
> My suggestion is to create multiple entries in the LDAP schema for the Login-LAT-Group, as there is no Login-LAT-GroupS attribute. Each value should then be +=User (first), +=Change Password (second), etc...
>
> Alan DeKok.

Alan, the User, Change Password, Administrator etc. are already part of the LDAP schema (under the attribute securityRole), e.g.

Uid=testuser
Attribute       Value
securityRole    Users
securityRole    testgroup1
securityRole    testgroup2
securityRole    Change Password
securityRole    Luisa Administrator

I've modified the file ldap.attrmap as follows (this is the only change I've made):

replyItem       Login-LAT-Group         securityRole

I thought that by modifying this line to match the LDAP attribute it would return all values for the user (testuser). When I use NTRadPing the response is:

Sending authentication request to server test.server:1645
Transmitting packet, code=1 id=0 length=50
Received response from the server in 10 milliseconds
Reply packet code=2 id0 length=27
Response: Access-Accept
attribute dump--
Login-LAT-Group=Users

Can you or anyone suggest any howto site? I've read the LDAP doc and they don't mention how to do this. Is this possible?

Thank you
-denis

Rivera, Denis [EMAIL PROTECTED] wrote:
> -Attribute Dump-
> Login-LAT-Groups=Users
>
> I was expecting the value Change Password and Users and Luisa Administrator.
>
> ---Attribute Dump-
> Login-LAT-Groups=Users, Change Password, Administrator
>
> The string Change Password has a space in it - is this why the full string is not replied?

No. There's a comma after Users. If the other space was the problem, you would see Users, Change being returned.
Need Assistance please
Hello everyone,

I'm new to Linux / Radius. I would greatly appreciate feedback on the problem I'm encountering. I'm using Luisa v. 5, freeRadius v. 0.9.3 and OpenLDAP 2.1.25. To troubleshoot I'm using the utility NTRadPing v.1.5.

When I test a user account [NTRadPing] I get the response: Access-Accept (everything seems ok - the user authenticates fine). The problem is that [attribute dump] does not show what groups the user belongs to.

Steps I've taken so far: I modified the ldap.attrmap file as follows:

replyItem       Login-LAT-Group         securityRole

securityRole is the attribute I see in the OpenLDAP. After modifying the file... I'm now receiving a reply in attribute Dump (not what I expected); the only value I see is Users, e.g.

-Attribute Dump-
Login-LAT-Groups=Users

I was expecting the values Change Password and Users and Luisa Administrator:

---Attribute Dump-
Login-LAT-Groups=Users, Change Password, Administrator

The string Change Password has a space in it - is this why the full string is not replied? Is radius supposed to only return back a single attribute? My objective is for radius to return a list of the groups the user belongs to.

Thank you,
Denis