Configuring LDAP for query ONLY...

tnt at kalik.co.yu
Fri Jan 4 16:29:22 CET 2008


OK, so the password is not in LDAP. Where is it then? Are you trying to
accept users without passwords? Consider using a perl script to
implement that logic and forget about the LDAP module in FreeRADIUS.

Ivan Kalik
Kalik Informatika ISP


On 4/1/2008, "Eric Martell" <workoutexcite at yahoo.com> wrote:

>Hi Alan,
>  I am trying to do an LDAP query lookup in the authorize
>section and, after successful authorization (if the LDAP
>entry exists on the search query), reply with
>Access-Accept, if not reject.
>
>I do not want to do authentication in LDAP as we are
>not storing "userPassword" attribute in ldap schema.
>
>So in a way I am trying to do:
>
>if(ldap search success) {
>  Access-Accept
>} else {
>  Access-Reject
>}
>
>Please check the thread below for what Phil told me to
>do...
>
>
>
>Hi Phil,
>   Here are the detailed configs and logs. Please let me
>know.
>Thanks and Regards.
>
>modules {
>        ldap {
>
>                server = "ldap://xxxxxxxxx:1389"
>                identity = "uid=appuser,ou=appadm,o=entitlement"
>                password = ******
>                basedn = "ou=roles,o=entitlement"
>
>                dictionary_mapping = ${raddbdir}/ldap.attrmap
>                filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(entitlements=WIFILOC1)(attribute1=%{User-Password}))"
>
>                start_tls = no
>                ldap_connections_number = 5
>
>                timeout = 4
>                timelimit = 3
>                net_timeout = 1
>
>                set_auth_type = no
>        }
>}
>
>authorize {
>...
>ldap
>pap
>}
>
>authenticate {
>        Auth-Type PAP {
>                pap
>        }
>
>......
>}
>
>In the users files
>#DEFAULT  Auth-Type := Local
>         #Session-Timeout = 7200,
>         #Fall-Through = Yes
>
>#DEFAULT  Auth-Type := System
>         #Session-Timeout = 7200,
>         #Fall-Through = Yes
>
>
>
>Here is the detailed log.
>
>
>
>rad_recv: Access-Request packet from host 216.2.193.1:55729, id=2, length=48
>        User-Name = "test1"
>        User-Password = "11111"
>  Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 0
>  modcall[authorize]: module "preprocess" returns ok for request 0
>  modcall[authorize]: module "chap" returns noop for request 0
>  modcall[authorize]: module "mschap" returns noop for request 0
>    rlm_realm: No '@' in User-Name = "test1", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>  modcall[authorize]: module "suffix" returns noop for request 0
>rlm_ldap: - authorize
>rlm_ldap: performing user authorization for test1
>radius_xlat:  '(&(uid=test1)(entitlements=WIFILOC1)(attribute1=11111))'
>radius_xlat:  'ou=roles,o=entitlement'
>rlm_ldap: ldap_get_conn: Checking Id: 0
>rlm_ldap: ldap_get_conn: Got Id: 0
>rlm_ldap: attempting LDAP reconnection
>rlm_ldap: (re)connect to ldap://xxxx:1389, authentication 0
>rlm_ldap: bind as uid=appuser,ou=appadm,o=entitlement/xxxx to ldap://xxxxxxx:1389
>rlm_ldap: waiting for bind result ...
>rlm_ldap: Bind was successful
>rlm_ldap: performing search in ou=roles,o=entitlement, with filter (&(uid=test1)(entitlements=WIFILOC1)(attribute1=11111))
>rlm_ldap: looking for check items in directory...
>rlm_ldap: looking for reply items in directory...
>rlm_ldap: user test1 authorized to use remote access
>rlm_ldap: ldap_release_conn: Release Id: 0
>  modcall[authorize]: module "ldap" returns ok for request 0
>rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
>  modcall[authorize]: module "pap" returns noop for request 0
>modcall: leaving group authorize (returns ok) for request 0
>auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
>auth: Failed to validate the user.
>Delaying request 0 for 1 seconds
>Finished request 0
>Going to the next request
>--- Walking the entire request list ---
>Waking up in 1 seconds...
>--- Walking the entire request list ---
>Sending Access-Reject of id 2 to 216.2.193.1 port 55729
>Waking up in 4 seconds...
>--- Walking the entire request list ---
>Cleaning up request 0 ID 2 with timestamp 4761660e
>Nothing to do.  Sleeping until we see a request.
>
>
>
>
>
>
>--- Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>
>> >
>> > rlm_ldap: user test1 authorized to use remote access
>> > rlm_ldap: ldap_release_conn: Release Id: 0
>> >   modcall[authorize]: module "ldap" returns ok for request 0
>> > rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
>>
>> That's the problem.
>>
>> Your LDAP module should be copying the LDAP attribute containing the
>> password to the relevant check item.
>>
>> Slightly confusing, there are two ways to do this:
>>
>>   1. ldap.attrmap
>>   2. password_attribute & password_header config items of ldap module
>>
>> What are those setup to do?
>>
>> A full "-X" debug would help at this point.
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>>>
>Assuming you are using a recent version of FreeRadius,
>you can do one of
>the following:
>
>modules {
>   ldap {
>     ...
>     set_auth_type = no
>   }
>}
>
>authorize {
>   preprocess
>   ldap
>   pap
>}
>
>authenticate {
>   Auth-Type PAP {
>     pap
>   }
>}
>
>>>
>
>
>--- Alan DeKok <aland at deployingradius.com> wrote:
>
>> Eric Martell wrote:
>> > Hi Alan,
>> >    Can you please help me out with the LDAP query?
>> I
>> > am still stuck with the issue.
>>
>>   What problem is left to solve?
>>
>>   i.e. I read and answer a *lot* of email.  I don't
>> recall much past
>> what's on my screen right now...
>>
>>   Alan DeKok.
>>
>
>
>
>
>
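The "accept if the LDAP search finds the user" logic that Eric sketched in pseudocode, and that Ivan suggests moving into a script instead of the ldap module, as an added example (this is not code from the thread or from FreeRADIUS). It searches for the user with the entitlement named in the posted filter (WIFILOC1) and accepts only on exactly one hit, returning an Auth-Type of Accept so the authenticate section has a method (the posted log rejected for lack of one; that "Accept" is usable in the reader's version is an assumption). The directory is a constructed in-memory stand-in so the example runs offline, the return-code values and the (code, reply items, config items) tuple follow the shape of FreeRADIUS script hooks and are assumed here, and the example goes one step beyond the thread by showing why a value spliced into the filter must be escaped per RFC 4515: without escaping, a User-Name of "*" matches any entitled entry.

```python
"""Accept-if-entry-exists authorize logic (added example, not from the thread
or FreeRADIUS).  The directory is a constructed in-memory stand-in; the
return-code values and the (code, reply, config) tuple are assumed to follow
the shape of FreeRADIUS script hooks."""
import re
from typing import Dict, List, Tuple

# Return codes as listed in FreeRADIUS example scripts (assumed values).
RLM_MODULE_REJECT = 0
RLM_MODULE_OK = 2

REQUIRED_ENTITLEMENT = "WIFILOC1"  # taken from the filter posted in the thread

# Constructed stand-in for ou=roles,o=entitlement: attribute -> list of values.
DIRECTORY: List[Dict[str, List[str]]] = [
    {"uid": ["test1"], "entitlements": ["WIFILOC1"]},
    {"uid": ["test2"], "entitlements": ["VPN"]},
]

# RFC 4515 escaping for values spliced into a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape the characters that would otherwise change filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_and_filter(terms: Dict[str, str], escape: bool = True) -> str:
    """Build (&(a=v)(b=v)...) from attribute/value pairs.
    escape=False reproduces raw interpolation, for comparison only."""
    body = "".join(
        f"({attr}={escape_filter_value(val) if escape else val})"
        for attr, val in terms.items()
    )
    return f"(&{body})"


def _unescape(value: str) -> str:
    """Turn \\xx hex escapes back into literal characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _matches(pattern: str, candidate: str) -> bool:
    """Equality match with LDAP '*' substring semantics; an escaped \\2a is literal."""
    parts = [_unescape(p) for p in pattern.split("*")]
    if len(parts) == 1:
        return candidate == parts[0]
    head, tail = parts[0], parts[-1]
    if len(candidate) < len(head) + len(tail):
        return False
    if not candidate.startswith(head) or not candidate.endswith(tail):
        return False
    pos, end = len(head), len(candidate) - len(tail)
    for middle in parts[1:-1]:
        idx = candidate.find(middle, pos, end)
        if idx < 0:
            return False
        pos = idx + len(middle)
    return True


_TERM = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")


def search(directory: List[Dict[str, List[str]]], filt: str) -> List[Dict[str, List[str]]]:
    """Evaluate a simple AND-of-equality filter the way a directory server would."""
    m = re.fullmatch(r"\(&((?:\([^()]*\))+)\)", filt)
    if not m:
        raise ValueError(f"unsupported filter: {filt}")
    terms = _TERM.findall(m.group(1))
    return [
        entry for entry in directory
        if all(any(_matches(val, c) for c in entry.get(attr, [])) for attr, val in terms)
    ]


def authorize(request: Dict[str, str], directory=DIRECTORY, escape: bool = True) -> Tuple[int, tuple, tuple]:
    """Return (code, reply items, config items) for one Access-Request."""
    user = request.get("User-Name")
    if not user:
        return (RLM_MODULE_REJECT, (("Reply-Message", "User-Name missing"),), ())
    filt = build_and_filter({"uid": user, "entitlements": REQUIRED_ENTITLEMENT}, escape)
    hits = search(directory, filt)
    if len(hits) != 1:  # zero hits: not entitled; several: ambiguous, so reject as well
        return (RLM_MODULE_REJECT, (("Reply-Message", "not entitled"),), ())
    # Exactly one entry: set Auth-Type so the authenticate section has a method
    # (the posted log rejected for lack of one); "Accept" is assumed available.
    return (RLM_MODULE_OK, (), (("Auth-Type", "Accept"),))


if __name__ == "__main__":
    print(authorize({"User-Name": "test1", "User-Password": "11111"}))
    print(authorize({"User-Name": "*"}))                # escaped: reject
    print(authorize({"User-Name": "*"}, escape=False))  # raw: wildcard matches test1
```

The `escape=False` path exists only to make the difference visible; a real hook should always escape. Note that this decides on entry existence alone, which is exactly the question Ivan raises: the User-Password in the request is never compared against anything.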



