Oops, I forgot a sample of radiusd.conf:<br>
<br>
# Uncomment it if you want to use ldap for authentication<br>
#<br>
# Note that this means "check plain-text password against<br>
# the ldap database", which means that EAP won't work,<br>
# as it does not supply a plain-text password.<br>
Auth-Type LDAP {<br>
ldap<br>
}<br>
<br>
<br>
As you can see, authentication with LDAP is activated.<br><br><div><span class="gmail_quote">2006/5/29, thomas hahusseau <<a href="mailto:thomas.hahusseau@gmail.com">thomas.hahusseau@gmail.com</a>>:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>Hello,<br>
<br>
I am trying to use FreeRADIUS and OpenLDAP for authentication and I have some problems with binding.<br>
<br>
First of all, OpenLDAP works well: I'm able to connect to the database
with an anonymous connection and perform searches in the database (no write
access, of course).<br>
<br>
FreeRADIUS works well when the user and the password are directly
included in the conf file "clients", but when I try radtest with a user
which is in the LDAP database it doesn't work. Here is the command performed:<br>
<br>
radtest test 4886 localhost 1812 testing123<br>
<br>
A user with uid=test and a password is already created in the LDAP database.<br>
<br>
Here is the FreeRADIUS output:<br>
<br>
modcall: leaving group authorize (returns ok) for request 0<br>
rad_check_password: Found Auth-Type LDAP<br>
auth: type "LDAP"<br>
Processing the authenticate section of radiusd.conf<br>
modcall: entering group LDAP for request 0<br>
rlm_ldap: - authenticate<br>
rlm_ldap: login attempt by "test" with password "4886"<br>
radius_xlat: '(uid=test)'<br>
radius_xlat: 'dc=dist,dc=demo,dc=net'<br>
rlm_ldap: ldap_get_conn: Checking Id: 0<br>
rlm_ldap: ldap_get_conn: Got Id: 0<br>
rlm_ldap: attempting LDAP reconnection<br>
rlm_ldap: (re)connect to localhost:389, authentication 0<br>
rlm_ldap: bind as / to localhost:389<br>
rlm_ldap: waiting for bind result ...<br>
rlm_ldap: Bind was successful<br>
rlm_ldap: performing search in dc=dist,dc=demo,dc=net, with filter (uid=test)<br>
rlm_ldap: ldap_release_conn: Release Id: 0<br>
rlm_ldap: user DN: uid=test,ou=utilisateurs,dc=dist,dc=demo,dc=net<br>
rlm_ldap: (re)connect to localhost:389, authentication 1<br>
rlm_ldap: bind as uid=test,ou=utilisateurs,dc=dist,dc=demo,dc=net/4886 to localhost:389<br>
rlm_ldap: waiting for bind result ...<br>
rlm_ldap: Bind failed with invalid credentials<br>
rlm_ldap: <br>
modcall[authenticate]: module "ldap" returns reject for request 0<br>
modcall: leaving group LDAP (returns reject) for request 0<br>
auth: Failed to validate the user.<br>
Login incorrect (rlm_ldap: Bind as user failed): [test/4886] (from client localhost port 1812)<br>
Delaying request 0 for 1 seconds<br>
Finished request 0<br>
Going to the next request<br>
--- Walking the entire request list ---<br>
Waking up in 1 seconds...<br>
--- Walking the entire request list ---<br>
Waking up in 1 seconds...<br>
--- Walking the entire request list ---<br>
Sending Access-Reject of id 89 to 127.0.0.1 port 32768<br>
Reply-Message = ""<br>
Waking up in 4 seconds...<br>
--- Walking the entire request list ---<br>
Cleaning up request 0 ID 89 with timestamp 447ad91a<br>
Nothing to do. Sleeping until we see a request.<br>
<br>
As you can see, the binding in anonymous mode works well, the search is
performed and 1 result is found: test.utilisateurs.dist.demo.net<br>
<br>
But I don't understand why RADIUS tries to bind again to the LDAP server using the account test.utilisateurs.demo.net<br>
Is there a mechanism in LDAP authentication that I don't
understand? According to me, as soon as FreeRADIUS finds the
user with the right password in LDAP it should authorize access.<br>
<br>
This is my radiusd.conf (samples):<br>
<br>
# Lightweight Directory Access Protocol (LDAP)<br>
#<br>
# This module definition allows you to use LDAP for<br>
# authorization and authentication (Auth-Type := LDAP)<br>
#<br>
# See doc/rlm_ldap for description of configuration options <br>
# and sample authorize{} and authenticate{} blocks <br>
ldap {<br>
server = localhost<br>
port = 389<br>
# identity = "cn=admin,dc=dist,dc=demo,dc=net"<br>
# password = *********<br>
basedn = "dc=dist,dc=demo,dc=net"<br>
# filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"<br>
# base_filter = "(objectclass=radiusprofile)"<br>
<br>
# set this to 'yes' to use TLS encrypted connections<br>
# to the LDAP database by using the StartTLS extended<br>
# operation.<br>
# The StartTLS operation is supposed to be used with normal<br>
# ldap connections instead of using ldaps (port 636) connections<br>
start_tls = no<br>
<br>
# tls_cacertfile = /path/to/cacert.pem<br>
# tls_cacertdir = /path/to/ca/dir/<br>
# tls_certfile = /path/to/radius.crt<br>
# tls_keyfile = /path/to/radius.key<br>
# tls_randfile = /path/to/rnd<br>
# tls_require_cert = "demand"<br>
<br>
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"<br>
# profile_attribute = "radiusProfileDn"<br>
access_attr = "uid"<br>
<br>
# Mapping of RADIUS dictionary attributes to LDAP<br>
# directory attributes.<br>
dictionary_mapping = ${raddbdir}/ldap.attrmap<br>
<br>
ldap_connections_number = 5<br>
<br>
#<br>
# NOTICE: The password_header directive is NOT case insensitive<br>
#<br>
# password_header = "{clear}"<br>
#<br>
# Set:<br>
# password_attribute = nspmPassword<br>
#<br>
# to get the user's password from a Novell eDirectory<br>
# backend. This will work *only if* freeRADIUS is<br>
# configured to build with --with-edir option.<br>
#<br>
#<br>
# The server can usually figure this out on its own, and pull<br>
# the correct User-Password or NT-Password from the database.<br>
#<br>
# Note that NT-Passwords MUST be stored as a 32-digit hex<br>
# string, and MUST start off with "0x", such as:<br>
#<br>
# 0x000102030405060708090a0b0c0d0e0f<br>
#<br>
# Without the leading "0x", NT-Passwords will not work.<br>
# This goes for NT-Passwords stored in SQL, too.<br>
#<br>
# password_attribute = userPassword<br>
#<br>
# Un-comment the following to disable Novell eDirectory account<br>
# policy check and intruder detection. This will work *only if*<br>
# FreeRADIUS is configured to build with --with-edir option.<br>
#<br>
# edir_account_policy_check=no<br>
#<br>
# groupname_attribute = cn<br>
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"<br>
# groupmembership_attribute = radiusGroupName<br>
timeout = 4<br>
timelimit = 3<br>
net_timeout = 1<br>
# compare_check_items = yes<br>
# do_xlat = yes<br>
# access_attr_used_for_allow = yes<br>
<br>
#<br>
# By default, if the packet contains a User-Password,<br>
# and no other module is configured to handle the<br>
# authentication, the LDAP module sets itself to do<br>
# LDAP bind for authentication.<br>
#<br>
# You can disable this behavior by setting the following<br>
# configuration entry to "no".<br>
#<br>
# allowed values: {no, yes}<br>
set_auth_type = no<br>
# authtype= LDAP<br>
}<br>
<br>
<br>
thank you for your help !!!!<br>
<br>
with regards<br></div><div><span class="sg">
Thomas<br>
<br>
<br>
</span></div></blockquote></div><br>
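The debug output quoted above shows what rlm_ldap actually does when Auth-Type is LDAP: it binds once with the identity/password from the ldap {} block (anonymously here, since both are commented out) only to search for the user's DN, then binds a second time as that DN with the User-Password from the request. The second bind is the credential check; finding the entry says nothing about the password. The same output also prints the password in clear, twice. The script below is an added example, not part of the original post and not FreeRADIUS code: it parses a radiusd -X trace of this shape, reports which of the two binds failed, and redacts the password before the trace is pasted to a list. SAMPLE_TRACE is constructed from the lines quoted in the thread; the regexes, dataclasses and field names are this script's own assumptions about the log format.

```python
"""Walk an rlm_ldap debug trace and explain the two-bind authentication flow.

Added example; not part of the mailing-list post and not FreeRADIUS code.
Regexes assume the "rlm_ldap:" line shapes seen in the quoted radiusd -X output.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a trimmed copy of the debug output quoted in the post.
SAMPLE_TRACE = """\
rlm_ldap: - authenticate
rlm_ldap: login attempt by "test" with password "4886"
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dist,dc=demo,dc=net, with filter (uid=test)
rlm_ldap: user DN: uid=test,ou=utilisateurs,dc=dist,dc=demo,dc=net
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=test,ou=utilisateurs,dc=dist,dc=demo,dc=net/4886 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
modcall[authenticate]: module "ldap" returns reject for request 0
"""

# "bind as <dn>/<password> to <host>"; an anonymous bind shows as "bind as / to".
# Assumption: the DN contains no "/" (true for the DNs in the thread).
BIND_AS = re.compile(r'^(?P<pre>\s*rlm_ldap: bind as )(?P<dn>[^/]*)/(?P<pw>.*?)(?P<post> to (?P<host>\S+))$')
BIND_RESULT = re.compile(r'^\s*rlm_ldap: Bind (was successful|failed with .*)$')
SEARCH = re.compile(r'^\s*rlm_ldap: performing search in (?P<base>.+), with filter (?P<filter>.+)$')
USER_DN = re.compile(r'^\s*rlm_ldap: user DN: (?P<dn>.+)$')
LOGIN = re.compile(r'^(\s*rlm_ldap: login attempt by "[^"]*" with password ")[^"]*(")$')


@dataclass
class Bind:
    dn: str                       # "" for an anonymous bind
    host: str
    result: Optional[str] = None  # "ok", "invalid credentials", ... or None if no result line seen


@dataclass
class LdapAuthTrace:
    binds: List[Bind] = field(default_factory=list)
    search_base: Optional[str] = None
    search_filter: Optional[str] = None
    user_dn: Optional[str] = None

    @property
    def search_bind(self) -> Optional[Bind]:
        """First bind: identity/password from the ldap {} block, or anonymous."""
        return self.binds[0] if self.binds else None

    @property
    def user_bind(self) -> Optional[Bind]:
        """Second bind: as the DN the search returned, with the request's User-Password."""
        return self.binds[1] if len(self.binds) > 1 else None

    def verdict(self) -> str:
        sb, ub = self.search_bind, self.user_bind
        if sb is None:
            return "no bind seen: rlm_ldap never reached the server"
        if sb.result != "ok":
            return f"search bind as {sb.dn or 'anonymous'} failed ({sb.result}): check identity/password in ldap {{}}"
        if self.user_dn is None:
            return f"search bind ok but no entry matched {self.search_filter} under {self.search_base}: check basedn/filter"
        if ub is None:
            return f"entry {self.user_dn} found but no authenticating bind was attempted"
        if ub.result == "ok":
            return f"accept: bind as {ub.dn} succeeded, the directory accepted the password"
        return f"reject: bind as {ub.dn} failed ({ub.result}); the entry was found but the directory refused the supplied password"


def parse_trace(text: str) -> LdapAuthTrace:
    """Extract the bind / search / DN steps from radiusd -X output, in order."""
    trace = LdapAuthTrace()
    pending: Optional[Bind] = None  # bind whose result line has not been seen yet
    for line in text.splitlines():
        m = BIND_AS.match(line)
        if m:
            pending = Bind(dn=m.group("dn").strip(), host=m.group("host"))
            trace.binds.append(pending)
            continue
        m = BIND_RESULT.match(line)
        if m and pending is not None:
            res = m.group(1)
            pending.result = "ok" if res == "was successful" else res[len("failed with "):]
            pending = None
            continue
        m = SEARCH.match(line)
        if m:
            trace.search_base, trace.search_filter = m.group("base"), m.group("filter")
            continue
        m = USER_DN.match(line)
        if m:
            trace.user_dn = m.group("dn").strip()
    return trace


def redact(text: str) -> str:
    """Mask the plaintext User-Password that radiusd -X prints, before a trace is shared."""
    out = []
    for line in text.splitlines():
        line = LOGIN.sub(r'\1***\2', line)
        m = BIND_AS.match(line)
        if m and m.group("pw"):  # leave the anonymous "bind as / to" line alone
            line = f'{m.group("pre")}{m.group("dn")}/***{m.group("post")}'
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(parse_trace(SAMPLE_TRACE).verdict())
    print(redact(SAMPLE_TRACE), end="")
```

Run on the quoted trace it reports a reject at the second bind, which is the phase the poster was asking about; the redacted copy still parses to the same verdict, so it is the form worth pasting into a mailing list.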