Multi-valued LDAP attribute configuration
Srinivasa R
srinivasa.r at icts.res.in
Thu Sep 14 17:18:32 CEST 2017
Thanks a ton, Alan! You just made my day. It worked like a charm.
Once again, thanks a lot for your support.
On Thu, Sep 14, 2017 at 7:15 PM, Alan DeKok <aland at deployingradius.com> wrote:
> On Sep 14, 2017, at 3:49 AM, Srinivasa R <srinivasa.r at icts.res.in> wrote:
> > I have gone through the FreeRADIUS logs and found that FreeRADIUS is able
> > to find the user id, i.e. the macaddress, which is a multi-value field in LDAP, but
> > the problem is with the password. FreeRADIUS is retrieving all
> > three macaddress values for the password from LDAP, but for some
> > reason it is trying to match with the first value all the time. I am
> > posting the detailed log. I am getting the Access-Accept reply for the
> > very first value in the multi-valued field. Could someone help me please?
> >
> > *FreeRADIUS configuration:*
> > *LDAP conf file config:*
> > update {
> >     control:Password-With-Header += 'macAddress'
>
> Don't do that. The "Password-With-Header" attribute is for LDAP
> passwords with headers.
>
> e.g. {nt4}....
>
> It is NOT for simple strings.
>
> Delete that. It's wrong.
>
> > Received Access-Request Id 22 from 172.16.XX.XX:35697 to 172.16.XX.XXX:1812 length 103
> >     User-Name = 'e4:a4:71:a3:88:6f'
> >     User-Password = 'e4:a4:71:a3:88:6f'
>
> Since those are the same, you don't need to check passwords. You just
> need to check that the MAC address is in LDAP. Then, check that the
> User-Name is the same as the User-Password.
>
> >
> > (2) ldap : Performing search in 'ou=People,dc=icts,dc=res,dc=in' with filter '(macAddress=e4:a4:71:a3:88:6f)', scope 'sub'
> > (2) ldap : Waiting for search result...
> > (2) ldap : User object found at DN "cn=it section,ou=People,dc=icts,dc=res,dc=in"
>
> That's good...
>
> > (2) ldap : Processing user attributes
> > (2) ldap : control:Password-With-Header += '28:f1:0e:2a:c1:ac'
> > (2) ldap : control:Password-With-Header += 'e4:a4:71:a3:88:6f'
> > (2) ldap : control:Password-With-Header += '0c:c4:7a:22:63:23'
> > rlm_ldap (ldap): Released connection (4)
> > (2) [ldap] = ok
>
> You can then do:
>
> ...
> ldap
> if (ok && (User-Name == User-Password)) {
>     update control {
>         Auth-Type := Accept
>     }
> }
>
> And it will work. Don't bother checking the password after that.
>
> Alan DeKok.
>
>
Regards,
--
Srinivas R
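A fuller version of the pattern Alan describes, as an added example that is not from the thread or from the FreeRADIUS project: the ldap module's user section with no Password-With-Header mapping, and an authorize section that accepts only when the MAC is found in LDAP and User-Name equals User-Password, rejecting otherwise. The base DN and the macAddress filter attribute come from the log above; the file layout and the explicit reject branch are assumptions.

```unlang
# mods-available/ldap (relevant parts only; base_dn taken from the log)
ldap {
    user {
        base_dn = "ou=People,dc=icts,dc=res,dc=in"
        # Look the device up by its MAC, which arrives as User-Name.
        filter = "(macAddress=%{%{Stripped-User-Name}:-%{User-Name}})"
        # No 'update { control:Password-With-Header += ... }' here:
        # macAddress values are plain strings, not headered passwords,
        # and the password is not checked at all in this flow.
    }
}

# sites-enabled/default, authorize section (assumed placement)
authorize {
    ...
    ldap
    # 'ok' means the MAC matched an LDAP object; the MAC is then
    # required to be repeated as the password before accepting.
    if (ok && (&User-Name == &User-Password)) {
        update control {
            &Auth-Type := Accept
        }
    }
    else {
        # Unknown MAC, or a mismatched password: reject explicitly
        # instead of falling through to other auth modules.
        reject
    }
    ...
}
```

Because the "password" is just the MAC address again, this only confirms that the device's MAC is enrolled in LDAP; it does not authenticate the device any more strongly than MAC-based access control normally does.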