Porting ldap module configuration from 2.2.9 to 3.0.15

Fajar A. Nugraha list at fajar.net
Tue Sep 19 14:24:19 CEST 2017


On Tue, Sep 19, 2017 at 4:04 PM, Olivier <Olivier.Nicole at cs.ait.ac.th>
wrote:

> "Fajar A. Nugraha" <list at fajar.net> writes:
>
> > On Tue, Sep 19, 2017 at 3:06 PM, Olivier <Olivier.Nicole at cs.ait.ac.th>
> > wrote:
> >
> >> >> I need only authentication, but the authentication should be done inside
> >> >> LDAP, with a binding using the User-Name that is provided to FreeRadius
> >> >>
> >> >
> >> > ... which, to the best of my knowledge, the link pretty much tells you how
> >> > you can achieve that.
> >> >
> >> >
> >> >> but what LDAP tells me is that I am binding with no username.
> >> >>
> >> >>
> >> > Because it needs to fill Ldap-UserDN attribute.
> >> >
> >> > Did you read the link? Did you follow what it says to 'avoid the ldap
> >> > search completely'?
> >>
> >> Yes I did and I added:
> >>
> >> DEFAULT Ldap-UserDN := "uid=%{User-Name},ou=People,
> >> ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
> >>
> >> in the file raddb/users. But it does not change the behaviour. Also, I
> >>
> >
> > That is odd.
> >
> > Try running freeradius in debug mode (with -X), test authentication from
> > client, and read the result (or post it here). What you should watch out
> > for:
> > - whether the files module is loaded and processed before ldap module
> > - and whether Ldap-UserDN is correctly added
> > - what ldap module does
> >
> >
> >> am wondering, because the top of the file users mentions that
> >> # Configuration file for the rlm_files module.
> >>
> >>
> > Correct.
> >
> > One module can affect others. In this case, if the wiki is correct, the
> > files module (rlm_files) can be used to add an attribute (Ldap-UserDN). If
> > that attribute is already present, ldap module will behave
> > differently.
>
> OK, I did not know about that and I had disabled the files module
> because I don't use it.
>
> I enabled it and the output is attached below.
>
>
At first glance I see this

(0) Received Access-Request Id 149 from 192.41.170.3:30992 to 192.41.170.3:1812 length 72
(0)   User-Name = "on"
...
(0)   authorize {
...
(0)     [files] = noop


The last part shouldn't be there, since you should've had an entry that
adds Ldap-UserDN.

It should print something like this:
(0)   authorize {
(0) files: EXPAND uid=%{User-Name},ou=people,dc=company,dc=com
(0) files:    --> uid=testuser,ou=people,dc=company,dc=com
(0) files: users: Matched entry DEFAULT at line 1
...
(0)     [files] = ok

Did you edit the correct file? The default (in Ubuntu)
is /etc/freeradius/users (or /etc/raddb/users in most other distros), which
is a symlink to mods-config/files/authorize

-- 
Fajar
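An added example, not part of the thread: a small Python check that parses radiusd -X output of the shape quoted above and reports whether rlm_files matched an entry and which Ldap-UserDN it expanded, so the "noop" versus "ok" case can be spotted automatically. The two debug samples are constructed from the excerpts in this thread; the regexes assume the FreeRADIUS 3.0 debug line layout shown there.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed samples, modelled on the two -X excerpts quoted in this thread.
BROKEN_DEBUG = """\
(0)   User-Name = "on"
(0)     [files] = noop
"""
GOOD_DEBUG = """\
(0)   User-Name = "testuser"
(0) files: EXPAND uid=%{User-Name},ou=people,dc=company,dc=com
(0) files:    --> uid=testuser,ou=people,dc=company,dc=com
(0) files: users: Matched entry DEFAULT at line 1
(0)     [files] = ok
"""

# One regex per debug line the diagnosis depends on; group 1 is the request number.
PATTERNS = {
    "user_name": re.compile(r'^\((\d+)\)\s+User-Name = "([^"]*)"'),
    "ldap_userdn": re.compile(r'^\((\d+)\)\s+files:\s+-->\s+(\S+)'),
    "matched_entry": re.compile(r'^\((\d+)\)\s+files: users: Matched entry (\S+) at line'),
    "rcode": re.compile(r'^\((\d+)\)\s+\[files\] = (\w+)'),
}

@dataclass
class FilesResult:
    user_name: Optional[str] = None
    matched_entry: Optional[str] = None
    ldap_userdn: Optional[str] = None
    rcode: Optional[str] = None

    def diagnosis(self) -> str:
        # noop means no users entry matched, so Ldap-UserDN was never added for rlm_ldap.
        if self.rcode != "ok" or self.ldap_userdn is None:
            return "files added nothing: check the users file actually read (mods-config/files/authorize)"
        if self.user_name and f"uid={self.user_name}," not in self.ldap_userdn:
            return "Ldap-UserDN set but does not contain User-Name: " + self.ldap_userdn
        return "ok: ldap module can bind as " + self.ldap_userdn

def parse_files_module(debug_text: str) -> Dict[str, FilesResult]:
    # Walk radiusd -X output and collect one FilesResult per request number.
    results: Dict[str, FilesResult] = {}
    for line in debug_text.splitlines():
        for attr, regex in PATTERNS.items():
            m = regex.match(line)
            if m:
                setattr(results.setdefault(m.group(1), FilesResult()), attr, m.group(2))
                break
    return results
```

Feed it the full -X capture rather than the trimmed samples; requests are keyed by the number in parentheses, so several authentication attempts in one capture are reported separately.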

