V1.10 File and LDAP Problems

Andrew Browning drew826 at gmail.com
Fri Feb 24 06:15:27 CET 2006


> NOT WORKING:
>
> Ready to process requests.
> rad_recv: Access-Request packet from host 10.0.90.32:2017, id=62, length=46
>          User-Name = "testme"
>          User-Password = "123456"
>    Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>    modcall[authorize]: module "preprocess" returns ok for request 0
>      users: Matched entry testme at line 142
>    modcall[authorize]: module "files" returns ok for request 0
>    modcall[authorize]: module "mschap" returns noop for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for testme
> radius_xlat:  '(sAMAccountname=testme)'
> radius_xlat:  'dc=consolidated,dc=com'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 10.0.60.177:389, authentication 0
> rlm_ldap: bind as cn=someuser,cn=Users,dc=ourcompany,dc=com/secret to
> 10.0.xx.xxx:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: LDAP login failed: check identity, password settings in
> ldap section of radiusd.conf

Looks like you don't have the LDAP information set up correctly.
FreeRADIUS can't log in to LDAP with the settings (un)specified.

> rlm_ldap: (re)connection attempt failed
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
>    modcall[authorize]: module "ldap" returns fail for request 0
> modcall: leaving group authorize (returns fail) for request 0

LDAP returns fail, which is weighted heavier than both the "noop"
returned by mschap and the "ok" returned by files. Because LDAP
returns "fail," the entire request returns "fail." You can specify
different weighted settings for noop, fail, etc., but the obvious
answer is to fix your LDAP settings and then try again. Once you can
log in to the LDAP, if the user does not exist in there then LDAP
should return "noop" for the request. If you want a user to exist in
both the LDAP and the users file with different passwords, that
requires a bit of tweaking but I've got it working if you need to see
how sometime.

Hope this helps!

Andrew
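The two fixes discussed in the reply above, written out as radiusd.conf fragments. This is an added example, not configuration from the original poster or from the FreeRADIUS project; the server address, bind DN, base DN and password are placeholders taken from the debug output and must be replaced with real values. The `fail = 1` override is the "different weighted settings" Andrew mentions: in the stock authorize section "fail" stops processing, while an "ok" from files carries priority 3 and "notfound" priority 1 (my reading of modcall.c defaults, not something the post states), so giving fail a priority of 1 lets the earlier "ok" from the users file stand.

```conf
#  Added example, not from the original post.  FreeRADIUS 1.x style.
#  Placeholders: server, identity, password and basedn all come from the
#  debug log in the thread and are assumptions; use your own values.

modules {
        ldap {
                #  The bind DN and the search base must live in the same
                #  directory.  In the log the bind DN is in dc=ourcompany
                #  while the basedn is dc=consolidated; check both.
                server   = "10.0.60.177"
                identity = "cn=someuser,cn=Users,dc=ourcompany,dc=com"
                password = "secret"            # real bind password goes here
                basedn   = "dc=consolidated,dc=com"

                #  Active Directory keys users on sAMAccountName, not uid.
                filter   = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"

                #  Simple bind on port 389 sends the bind password in the
                #  clear; turn this on if the directory offers STARTTLS.
                start_tls = no
        }
}

authorize {
        preprocess
        files
        mschap

        #  Plain form: a bind or search error makes ldap return "fail",
        #  and the whole authorize section returns "fail" (the log above).
        #
        # ldap

        #  Override form: demote "fail" to priority 1 so an "ok" already
        #  returned by files is kept and the request goes on to authenticate.
        #  Users who exist only in LDAP will still not be found while the
        #  bind is broken, so this is a fallback, not a fix.
        ldap {
                fail = 1
        }
}
```

Before reloading, confirm the credentials outside FreeRADIUS with the same DN and base, for example `ldapsearch -x -H ldap://10.0.60.177 -D "cn=someuser,cn=Users,dc=ourcompany,dc=com" -W -b "dc=consolidated,dc=com" "(sAMAccountName=testme)"`; if that bind fails, no change to the authorize section will help, and the rlm_ldap "LDAP login failed" line will keep appearing.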




More information about the Freeradius-Users mailing list