Searching Subcontexts in eDir

jp at joshmp.com
Tue Jul 19 22:11:05 CEST 2005


Ok, I'm now one step closer.  Mearl's solution worked somewhat.  Here is the
output from the debug:

-----snip-----
rlm_ldap: - authorize
rlm_ldap: performing user authorization for gwaccesspo1
radius_xlat:  '(cn=gwaccesspo1)'
radius_xlat:  'o=services'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=services, with filter (cn=gwaccesspo1)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user gwaccesspo1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 3
modcall: group authorize returns ok for request 3
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 3
rlm_ldap: - authenticate
rlm_ldap: login attempt by "gwaccesspo1" with password "<password>"
rlm_ldap: user DN: cn=gwaccessPO1,ou=GW,o=Services
rlm_ldap: (re)connect to 10.254.8.25:389, authentication 1
rlm_ldap: bind as cn=gwaccessPO1,ou=GW,o=Services/<password> to 10.254.8.25:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
rlm_ldap: NDS error: failed authentication (-669)
-----snip-----

To contrast, here is the output from debug when I attempt to authenticate a user
in the root context:

-----snip-----
rlm_ldap: - authorize
rlm_ldap: performing user authorization for zentest
radius_xlat:  '(cn=zentest)'
radius_xlat:  'o=services'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=services, with filter (cn=zentest)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user zentest authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 2
modcall: group authorize returns ok for request 2
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 2
rlm_ldap: - authenticate
rlm_ldap: login attempt by "zentest" with password "<password>"
rlm_ldap: user DN: cn=zentest,o=Services
rlm_ldap: (re)connect to 10.254.8.25:389, authentication 1
rlm_ldap: bind as cn=zentest,o=Services/<password> to 10.254.8.25:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user zentest authenticated succesfully
-----snip-----


Thanks in advance,

Josh



On Tuesday, July 19th, Mearl said:

> Check the filter statement in the ldap portion of radiusd.conf. It's searching
> on "uid" which in eDirectory is an integer field and isn't populated by default.
>
> Change the filter to filter = "(cn=%{Stripped-User-Name:-%{User-Name}})" and try
> it. That will get you past the "object not found" message. It will then be able
> to return the fully qualified DN of the user.
>
> You can search on "cn" or any other ldap field that contains a unique ID. We're
> probably going to use uniqueID - the newer user creation APIs populate it by
> default - in our environment because iPrint requires it.
>
> Mearl
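As an added example (not code from this thread or from FreeRADIUS), here is a small Python triage helper for rlm_ldap debug captures like the two above. It pairs each authorize phase with the authenticate phase that follows, pulls out the search base, the filter, the DN the search returned, the bind result and the NDS error code, and notes whether the entry found sits directly under the search base or in a sub-container (ou=GW in the failing case). It also checks that the password field of the "login attempt" line is a placeholder, so a capture can be checked for cleartext credentials before it is pasted into a mailing list. The sample input is the post's own lines, trimmed; the regexes assume the 1.x-era message wording shown here, and the DN handling assumes unescaped commas between RDNs.

```python
"""Triage helper for rlm_ldap debug captures (added example, not FreeRADIUS code).

Assumptions: message wording follows the FreeRADIUS output quoted in the post;
DNs use unescaped commas as RDN separators.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the two captures from the post, trimmed to the
# lines this parser looks at.
SAMPLE_DEBUG = """\
rlm_ldap: performing user authorization for gwaccesspo1
rlm_ldap: performing search in o=services, with filter (cn=gwaccesspo1)
rlm_ldap: login attempt by "gwaccesspo1" with password "<password>"
rlm_ldap: user DN: cn=gwaccessPO1,ou=GW,o=Services
rlm_ldap: Bind failed with invalid credentials
rlm_ldap: NDS error: failed authentication (-669)
rlm_ldap: performing user authorization for zentest
rlm_ldap: performing search in o=services, with filter (cn=zentest)
rlm_ldap: login attempt by "zentest" with password "<password>"
rlm_ldap: user DN: cn=zentest,o=Services
rlm_ldap: Bind was successful
"""

_AUTHORIZE = re.compile(r"performing user authorization for (\S+)")
_SEARCH = re.compile(r"performing search in (.+?), with filter (\(.*\))")
_LOGIN = re.compile(r'login attempt by "([^"]*)" with password "([^"]*)"')
_USER_DN = re.compile(r"user DN: (\S+)")
_BIND_FAIL = re.compile(r"Bind failed with (.+)")
_NDS = re.compile(r"NDS error: (.+?) \((-?\d+)\)")
_PLACEHOLDER = re.compile(r"<[^>]*>|\*+")  # what a redacted password looks like


def norm_dn(dn: str) -> str:
    """Case- and whitespace-insensitive DN form, for comparing base and parent."""
    return ",".join(part.strip().lower() for part in dn.split(","))


@dataclass
class Attempt:
    user: str
    base: Optional[str] = None
    filter: Optional[str] = None
    user_dn: Optional[str] = None
    bind_ok: Optional[bool] = None
    bind_reason: Optional[str] = None
    nds_code: Optional[int] = None
    password_redacted: bool = True

    @property
    def parent_dn(self) -> Optional[str]:
        """Container the returned entry lives in (naive split on the first comma)."""
        if not self.user_dn or "," not in self.user_dn:
            return None
        return self.user_dn.split(",", 1)[1]

    @property
    def in_subcontext(self) -> bool:
        """True when the entry found is below, not directly under, the search base."""
        if self.base is None or self.parent_dn is None:
            return False
        return norm_dn(self.parent_dn) != norm_dn(self.base)


def parse_debug(text: str) -> List[Attempt]:
    """Walk the capture line by line; a new 'authorization for' line starts an attempt."""
    attempts: List[Attempt] = []
    current: Optional[Attempt] = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := _AUTHORIZE.search(line)):
            current = Attempt(user=m.group(1))
            attempts.append(current)
        elif current is None:
            continue
        elif (m := _SEARCH.search(line)):
            current.base, current.filter = m.group(1), m.group(2)
        elif (m := _LOGIN.search(line)):
            current.password_redacted = _PLACEHOLDER.fullmatch(m.group(2)) is not None
        elif (m := _USER_DN.search(line)):
            current.user_dn = m.group(1)
        elif "Bind was successful" in line:
            current.bind_ok = True
        elif (m := _BIND_FAIL.search(line)):
            current.bind_ok, current.bind_reason = False, m.group(1)
        elif (m := _NDS.search(line)):
            current.nds_code = int(m.group(2))
    return attempts


def triage(a: Attempt) -> str:
    """One-line verdict per attempt, for reading a long capture quickly."""
    where = ("in sub-container " + a.parent_dn) if a.in_subcontext else "directly under base"
    if a.bind_ok:
        outcome = "bind ok"
    elif a.bind_ok is False:
        outcome = "bind FAILED: " + (a.bind_reason or "?")
        if a.nds_code is not None:
            outcome += " (NDS %d)" % a.nds_code
    else:
        outcome = "no bind attempted"
    leak = "" if a.password_redacted else "; cleartext password in capture"
    return "%s: search %s in %s, entry %s, %s%s" % (a.user, a.filter, a.base, where, outcome, leak)


if __name__ == "__main__":
    for attempt in parse_debug(SAMPLE_DEBUG):
        print(triage(attempt))
```

Run against the sample it reports one attempt whose entry was found under ou=GW,o=Services and failed to bind with NDS -669, and one found directly under o=services that bound fine; it does not say why the first bind failed, only where the two cases differ.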


