ldap control access

Rafael Roldán rafael.roldan at panel.es
Wed Feb 1 11:42:10 CET 2006


Hi all,

I have configured my LDAP server with the following access control in slapd.conf:

access to *
       by self write
       by dn="cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com" write
       by anonymous auth
       by * none
---------------------------------------
My users file:

DEFAULT Ldap-Group == isdn, NAS-Port == 58, User-Profile := "uid=isdn,ou=profiles,ou=radius,dc=mydomain,dc=com"

DEFAULT Auth-Type := Reject
        Reply-Message = "Llamse a servicio tecnico" 

-------------------------------------------
My directory:

dn: dc=mydomain,dc=com
objectclass: dcObject
objectclass: organizationalUnit
ou: Mydomain.com Radius
dc: mydomain

dn: ou=radius,dc=mydomain,dc=com
objectclass: organizationalUnit
ou: radius

dn: ou=profiles,ou=radius,dc=mydomain,dc=com
objectclass: organizationalUnit
ou: profiles

dn: ou=users,ou=radius,dc=mydomain,dc=com
objectclass: organizationalUnit
ou: users

dn: ou=admins,ou=radius,dc=mydomain,dc=com
objectclass: organizationalUnit
ou: admins

dn: uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com
objectclass: radiusprofile
uid: dial
radiusServiceType: Framed-User
radiusFramedProtocol: PPP
radiusFramedIPNetmask: 255.255.255.0
radiusFramedRouting: None

dn: uid=isdn,ou=profiles,ou=radius,dc=mydomain,dc=com
objectclass: radiusprofile
uid: isdn
radiusServiceType: Framed-User
radiusFramedProtocol: PPP
radiusFramedIPNetmask: 255.255.254.0
radiusFramedRouting: None

dn: uid=example,ou=users,ou=radius,dc=mydomain,dc=com
objectclass: radiusprofile
uid: example
userPassword: test
radiusGroupName: dial
radiusGroupName: isdn

dn: cn=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com
objectclass: person
sn: freeradius
cn: freeradius
userPassword: freeradius

dn: cn=billing,ou=admins,ou=radius,dc=mydomain,dc=com
objectclass: person
sn: billing 
cn: billing 
userPassword: billing

dn: cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com
objectclass: person
sn: replica
cn: replica
userPassword: replica 
------------------------------------------------

When I try to authorize a user, it fails:


rad_recv: Access-Request packet from host 127.0.0.1:39035, id=223, length=59
        User-Name = "example"
        User-Password = "test"
        NAS-IP-Address = xx.yy.cc.vv
        NAS-Port = 58
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "example", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=users,ou=radius,dc=mydomain,dc=com'
radius_xlat:  '(uid=example)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,ou=radius,dc=mydomain,dc=com, with filter (uid=example)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 3
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize


If I remove the access control lines from slapd.conf, it works well.

What am I doing wrong?

Regards, 
Rafa
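The debug output above shows rlm_ldap binding anonymously ("bind as / ... authentication 0") and then getting no result for its search under ou=users. The following is an added example, not code from the original post or from FreeRADIUS/OpenLDAP: a small model of slapd.conf ACL evaluation (first matching "by" clause wins; levels none < disclose < auth < compare < search < read < write < manage, each implying the lower ones). It replays the poster's ACL against the anonymous search, and against a hypothetical tightened ACL where rlm_ldap binds as the existing cn=freeradius entry (set via the ldap module's identity/password) and that DN is granted read.

```python
from typing import Optional, List, Tuple

# Privilege levels in slapd.conf, lowest to highest; a level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# A "by" clause: (who, level). who is "self", "anonymous", "*" or an exact DN.
Clause = Tuple[str, str]

def clause_matches(who: str, binddn: Optional[str], target_dn: str) -> bool:
    """Does this clause apply to the requester? binddn None means anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return binddn is None
    if who == "self":
        return binddn is not None and binddn.lower() == target_dn.lower()
    return binddn is not None and binddn.lower() == who.lower()  # exact dn="..."

def granted(acl: List[Clause], binddn: Optional[str], target_dn: str, needed: str) -> bool:
    """First matching clause decides (default 'stop' control); no match means 'none'."""
    for who, level in acl:
        if clause_matches(who, binddn, target_dn):
            return LEVELS.index(level) >= LEVELS.index(needed)
    return False

REPLICA = "cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com"
FREERADIUS = "cn=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com"
USER = "uid=example,ou=users,ou=radius,dc=mydomain,dc=com"

# The "access to *" directive from the post.
POST_ACL: List[Clause] = [("self", "write"), (REPLICA, "write"), ("anonymous", "auth"), ("*", "none")]

# Hypothetical tightened version: rlm_ldap binds as cn=freeradius and that DN gets read,
# so searches in ou=users succeed while anonymous still gets only auth (no browsing).
FIXED_ACL: List[Clause] = [("self", "write"), (REPLICA, "write"), (FREERADIUS, "read"),
                           ("anonymous", "auth"), ("*", "none")]

def can_find_user(acl: List[Clause], binddn: Optional[str]) -> bool:
    """Can the requester run rlm_ldap's search (uid=example) under ou=users?"""
    return granted(acl, binddn, USER, "search")

def can_bind_as_user(acl: List[Clause]) -> bool:
    """Can a simple bind as uid=example check its userPassword (needs 'auth')?"""
    return granted(acl, None, USER, "auth")

if __name__ == "__main__":
    print("anonymous search, posted ACL:", can_find_user(POST_ACL, None))            # False
    print("cn=freeradius search, posted ACL:", can_find_user(POST_ACL, FREERADIUS))  # False
    print("cn=freeradius search, fixed ACL:", can_find_user(FIXED_ACL, FREERADIUS))  # True
```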