Configuring LDAP for query ONLY...

Eric Martell workoutexcite at yahoo.com
Thu Dec 13 18:13:26 CET 2007


Hi Phil,
   Here are the detailed configs and logs. Please let me know.
Thanks and Regards.

modules {
        ldap {

                server = "ldap://xxxxxxxxx:1389"
                identity = "uid=appuser,ou=appadm,o=entitlement"
                password = ******
                basedn = "ou=roles,o=entitlement"

                dictionary_mapping = ${raddbdir}/ldap.attrmap
                filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(entitlements=WIFILOC1)(attribute1=%{User-Password}))"

                start_tls = no
                ldap_connections_number = 5

                timeout = 4
                timelimit = 3
                net_timeout = 1

                set_auth_type = no
        }
}

authorize {
..
ldap
pap
}

authenticate {
        Auth-Type PAP {
                pap
        }

.....
}

In the users file:
#DEFAULT  Auth-Type := Local
         #Session-Timeout = 7200,
         #Fall-Through = Yes

#DEFAULT  Auth-Type := System
         #Session-Timeout = 7200,
         #Fall-Through = Yes



Here is the detailed log.



rad_recv: Access-Request packet from host 216.2.193.1:55729, id=2, length=48
        User-Name = "test1"
        User-Password = "11111"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "test1", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test1
radius_xlat:  '(&(uid=test1)(entitlements=WIFILOC1)(attribute1=11111))'
radius_xlat:  'ou=roles,o=entitlement'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap://xxxx:1389, authentication 0
rlm_ldap: bind as uid=appuser,ou=appadm,o=entitlement/xxxx to ldap://xxxxxxx:1389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=roles,o=entitlement, with filter (&(uid=test1)(entitlements=WIFILOC1)(attribute1=11111))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user test1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 2 to 216.2.193.1 port 55729
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 2 with timestamp 4761660e
Nothing to do.  Sleeping until we see a request.






--- Phil Mayers <p.mayers at imperial.ac.uk> wrote:

> > 
> > rlm_ldap: user test1 authorized to use remote access
> > rlm_ldap: ldap_release_conn: Release Id: 0
> >   modcall[authorize]: module "ldap" returns ok for request 0
> > rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
> 
> That's the problem.
> 
> Your LDAP module should be copying the LDAP attribute containing the password to the relevant check item.
> 
> Slightly confusing, there are two ways to do this:
> 
>   1. ldap.attrmap
>   2. password_attribute & password_header config items of ldap module
> 
> What are those set up to do?
> 
> A full "-X" debug would help at this point.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 



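The second of Phil's two options, written out as a complete ldap module block for the configuration above. This is an added example, not configuration from the original post or from the FreeRADIUS distribution; the attribute name userPassword, the "{clear}" header and the presence of a cleartext password in the directory are assumptions.

```conf
# Added example (not from the original post). The same ldap block as
# above, changed so the directory is only queried and rlm_pap does the
# password comparison. Attribute name "userPassword" is an assumption.
modules {
        ldap {
                server = "ldap://xxxxxxxxx:1389"
                identity = "uid=appuser,ou=appadm,o=entitlement"
                password = ******
                basedn = "ou=roles,o=entitlement"
                dictionary_mapping = ${raddbdir}/ldap.attrmap

                # Before: the user's password was embedded in the search
                # filter, so a hit only selected the entry; no password
                # check item ever reached rlm_pap, hence the
                # 'No "known good" password found' warning in the log.
                # filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(entitlements=WIFILOC1)(attribute1=%{User-Password}))"

                # After: the filter only locates the entry ...
                filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(entitlements=WIFILOC1))"
                # ... and the password attribute is fetched and copied into
                # the User-Password check item for rlm_pap to compare.
                password_attribute = userPassword
                # Set only if the stored values carry a scheme prefix that
                # must be stripped before comparison (assumed "{clear}").
                # password_header = "{clear}"

                start_tls = no
                ldap_connections_number = 5
                timeout = 4
                timelimit = 3
                net_timeout = 1
                # Stays off: rlm_ldap must not force an LDAP bind as the
                # user; that would stop this being a query-only setup.
                set_auth_type = no
        }
}

authorize {
        # ... preprocess, chap, mschap, suffix as before ...
        ldap
        # pap now finds the check item and sets Auth-Type = PAP
        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }
}
```

With this in place the "-X" debug should show rlm_ldap adding the password to the check items and rlm_pap no longer returning noop, instead of the "No authenticate method (Auth-Type)" rejection above.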