Re: no authenticate step ...

2011-04-07 Thread Alan DeKok
Michael Arndt wrote:
> I try to transfer a working configuration from a very old (1.x) freeradius
> version to a more recent radius version:

  You should transfer it by starting with the default configuration for
2.1.10, and then make gradual changes, with tests, until you have what
you want.

  Right now, your message says "I have a new configuration which doesn't
behave the same as my old configuration."

  That kind of issue is impossible to figure out without additional
information.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


no authenticate step ...

2011-04-07 Thread Michael Arndt
hello *

I try to transfer a working configuration from a very old (1.x) freeradius
version to a more recent radius version:
FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 14 2010 at 21:14:10

My problem: after authenticate against ldap and auth-type = ldap is
set, no authorize step is done

the next step happening is trying the next entry from the users file

expected: authenticate with bind as user and password hash of the user
against ldap

Here is the snippet from the debug log I assume is relevant:


Thu Apr  7 12:45:28 2011 : Info: [auth_log] expand: %t -> Thu Apr  7 12:45:28 2011
Thu Apr  7 12:45:28 2011 : Info: ++[auth_log] returns ok
Thu Apr  7 12:45:28 2011 : Info: ++[mschap] returns noop
Thu Apr  7 12:45:28 2011 : Info: [suffix] No '@' in User-Name = "pilot1", looking up realm NULL
Thu Apr  7 12:45:28 2011 : Info: [suffix] No such realm "NULL"
Thu Apr  7 12:45:28 2011 : Info: ++[suffix] returns noop
Thu Apr  7 12:45:28 2011 : Info: [ldap] performing user authorization for pilot1
Thu Apr  7 12:45:28 2011 : Info: [ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
Thu Apr  7 12:45:28 2011 : Info: [ldap] ... expanding second conditional
Thu Apr  7 12:45:28 2011 : Info: [ldap] expand: %{User-Name} -> pilot1
Thu Apr  7 12:45:28 2011 : Info: [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=pilot1)
Thu Apr  7 12:45:28 2011 : Info: [ldap] expand: l=Berlin,dc=de,o=ABC-> l=Berlin,dc=de,o=ABC
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] attempting LDAP reconnection
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] (re)connect to 10.128.1.1:389, authentication 0
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] bind as cn=Manager,o=ABC/xyz to 10.128.1.1:389
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] waiting for bind result ...
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] Bind was successful
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] performing search in l=Berlin,dc=de,o=ABC, with filter (uid=pilot1)
Thu Apr  7 12:45:28 2011 : Info: [ldap] No default NMAS login sequence
Thu Apr  7 12:45:28 2011 : Info: [ldap] looking for check items in directory...
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] userPassword -> Password-With-Header == "{MD5}hashvalueD1xtOw==" <- the sequence after the hashed pw astonishes me, the D1xt0w
Thu Apr  7 12:45:28 2011 : Info: [ldap] looking for reply items in directory...
Thu Apr  7 12:45:28 2011 : Info: [ldap] Setting Auth-Type = LDAP
Thu Apr  7 12:45:28 2011 : Info: [ldap] user pilot1 authorized to use remote access
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Thu Apr  7 12:45:28 2011 : Info: ++[ldap] returns ok
Thu Apr  7 12:45:28 2011 : Info: [eap] No EAP-Message, not doing EAP
Thu Apr  7 12:45:28 2011 : Info: ++[eap] returns noop

... next line / match in users file is done next
...in the old config next step was authenticate

So clearly I am making a mistake and have overlooked a necessary config option.
Any hints where to look next?
The hint to transfer a deprecated expression from users file to unlang
will be done when I succeed with auth.



TIA
Micha


