Re: LDAP Groups and EAP
I tried updating to version 2.0.  I like the debug interface much better, it makes it a lot easier to read.  Nice job!
 
Unfortunately, this upgrade introduced a new issue for me.  When doing group LDAP searches, it looks like the Ldap-UserDN variable doesn't get populated.  The server successfully binds and finds the user, but in the expand section:
 
rlm_ldap: ldap_release_conn: Release Id: 0
        expand: (|(&objectClass=GroupOfNames)(member=%{Ldap-UserDN}))(&objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDN})))->(|(&objectClass=GroupOfNames)(member=))(&(objectClass=GrouOfUniqueNames)(uniquemember=)))
 
It then fails to find the LDAP group, because the member= and uniquemember= values are blank.  A few lines below that, though, it comes up with the correct full DN search:
 
rlm_ldap: performing search in cn=somegroup,ou=something,ou=something with filter (|(&objectClass=GroupOfNames)(member=))(&(objectClass=GrouOfUniqueNames)(uniquemember=)))
rlm_ldap: object not found or got ambigous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing serach in cn=xxx,ou=something,ou=something with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values failed
 
I tried using my old config from 1.1, as well as re-writing it, as well as using the new and old ldap.attrmap.  This is verified to work in version 1.1 for me.
 
This is against eDirectory, configured with the --with-edir option.
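The debug output above shows the group filter being built by plain string substitution of %{Ldap-UserDN}: when the variable is unset, the server still sends `(member=)` and `(uniquemember=)` to the directory and gets "object not found" back. The following is an added illustration of that mechanism (it is not rlm_ldap's own code and does not claim to be how FreeRADIUS implements expansion): a template expander that escapes the substituted value per RFC 4515 and refuses to run a search when the expansion would be empty, plus a parenthesis-balance check on the resulting filter. The GROUP_FILTER template below is a well-formed version of the one quoted in the post; the user DN, attribute names and function names are assumptions chosen for the example.

```python
"""Added example: building an LDAP group-membership filter from a template
with the two checks a practitioner would want around that step.
Not FreeRADIUS / rlm_ldap code; names and sample values are assumptions."""

import re

# Well-formed version of the group filter template quoted in the post.
GROUP_FILTER = (
    "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDN}))"
    "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDN})))"
)

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

_VARIABLE = re.compile(r"%\{([^}]+)\}")  # matches %{Name}


class EmptyExpansion(ValueError):
    """Raised when a %{...} variable is missing or empty at expansion time."""


def ldap_filter_escape(value: str) -> str:
    """Escape a value for inclusion in an LDAP search filter (RFC 4515)."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def expand_group_filter(template: str, attrs: dict) -> str:
    """Replace every %{Name} in template with the escaped value of attrs[Name].

    An unset or empty variable raises instead of producing '(member=)', which a
    directory would accept and then simply fail to match.
    """
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        value = attrs.get(name)
        if not value:
            raise EmptyExpansion(
                f"%{{{name}}} is not set; refusing to search with an empty assertion value"
            )
        return ldap_filter_escape(value)

    return _VARIABLE.sub(substitute, template)


def filter_is_balanced(filt: str) -> bool:
    """Cheap structural check: parentheses balance and never close more than opened.

    Escaped sequences such as \\28 are skipped so escaped parens are not counted.
    """
    depth = 0
    i = 0
    while i < len(filt):
        ch = filt[i]
        if ch == "\\":
            i += 3  # backslash plus two hex digits
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0


if __name__ == "__main__":
    # Constructed sample DN, not taken from the post.
    user_dn = "cn=bwilson,ou=users,o=example"
    expanded = expand_group_filter(GROUP_FILTER, {"Ldap-UserDN": user_dn})
    print(expanded, filter_is_balanced(expanded))
    try:
        expand_group_filter(GROUP_FILTER, {})  # the failure mode from the debug output
    except EmptyExpansion as exc:
        print("refused:", exc)
```

Run with a populated Ldap-UserDN the expander yields a balanced filter with the DN substituted twice; with the attribute missing it raises rather than querying with blank assertion values. Applied to the template exactly as transcribed in the post (`(|(&objectClass=GroupOfNames)(member=...))...`), the balance check also returns False, since that text closes one more parenthesis than it opens, which is worth confirming against the real configuration file before chasing the empty-expansion problem.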
----- Original Message ----
From: Alan DeKok <aland@deployingradius.com>
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Sent: Saturday, January 12, 2008 3:40:39 AM
Subject: Re: LDAP Groups and EAP

Brian Wilson wrote:
>      I am running Freeradius 1.1.0

  Please upgrade to at least 1.1.7.  It solves a lot of security issues,
*and* helps with the problem you're seeing, too.

>    When I try to authenticate, the radius server receives about 7
> Access-requests.

  That's the way EAP works.

>        Notice that there is no additional call to ldap_group between the
> authorize and the resulting failure in the files module.

  The *inner* tunnel session doesn't match a huntgroup.

>      Is there something i'm missing in the configuration file?

  I would suggest trying 2.0.  The new virtual server feature should
make this configuration much simpler.  The new "unlang" feature should
also simplify the writing of policies.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html