Here is my slapd.conf

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/samba.schema
include /usr/local/etc/openldap/schema/RADIUS-LDAPv3.schema
# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

# Add the logging level
loglevel 296

pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args

# SSL directives
#TLSCipherSuite HIGH
#TLSCertificateFile /usr/local/etc/openldap/slapd-cert.pem
#TLSCertificateKeyFile /usr/local/etc/openldap/slapd-key.pem
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database bdb
suffix "dc=uniroma1,dc=it"
rootdn "cn=Manager,dc=uniroma1,dc=it"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}gUlr8Lqr7eYgfSti9+Dl76lbkbgK3fqc
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data/uniroma1.it
mode 0600
# Indices to maintain
index objectClass eq,pres
index cn eq,pres
index uid eq,pres
index userPassword eq,pres
cachesize 2000

Thanks in advance
Giusy Venezia

<div><span class="gmail_quote">On 7/20/06, <b class="gmail_sendername">Thibault Le Meur</b> <<a href="mailto:Thibault.LeMeur@supelec.fr">Thibault.LeMeur@supelec.fr</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
> rad_recv: Access-Request packet from host 127.0.0.1:32801, id=0, length=217
> User-Name = "misterc"
> CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e
> CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986
> NAS-IP-Address = 0.0.0.0
> Service-Type = Login-User
> Framed-IP-Address = 192.168.182.2
> Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
> Called-Station-Id = "AA-AA-AA-AA-DD-AA"
> NAS-Identifier = "nas01"
> Acct-Session-Id = "44bfd15d00000000"
> NAS-Port-Type = Wireless-802.11
> NAS-Port = 0
> Message-Authenticator = 0xf61479bee3c987c66cca254dcfa39c0a
> WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff"
>

> Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: - authorize
> Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: performing user authorization
> for misterc
> Thu Jul 20 20:54:50 2006 : Debug: radius_xlat: '(uid=misterc)'
> Thu Jul 20 20:54:50 2006 : Debug: radius_xlat: 'ou=utenti,dc=XXXX,dc=it'

OK, rlm_ldap is initialized.


> Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: bind as / to 192.168.1.221:389
> Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: waiting for bind result ...
> Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: Bind was successful

Bind to the directory is OK.


> Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: performing search in
> ou=utenti,dc=XXXX,dc=it, with filter (uid=misterc)
> Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: object not found or got
> ambiguous search result
> Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: search failed

Ah...
Seems that the user bound to the ldap directory can't find uid=misterc
in ou=utenti,dc=XXXX,dc=it


> Thu Jul 20 20:54:51 2006 : Debug: auth: No authenticate method (Auth-Type)
> configuration found for the request: Rejecting the user

So Auth-Type isn't set to Ldap.

> Thu Jul 20 20:54:51 2006 : Debug: auth: Failed to validate the user.

This is logical.

> ldap {
> server="192.168.1.221"
> port="389"
> basedn="ou=utenti,dc=uniroma1,dc=it"
> filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> start_tls = no
> access_attr = "uid"
> dictionary_mapping = ${raddbdir}/ldap.attrmap
> authtype = ldap
> ldap_connections_number = 5
> password_header = "{SHA}"
> password_attribute = userPassword
> }
> }

Well, isn't it a problem of rights? Is the anonymous user able to search the
openldap directory for user entries?

What is the result of a simple "ldapsearch" with the same ldap filter?

> If you need any other information please ask us; sorry if we are boring you
> but we are trying and trying without any significant result.
> Thanks.

Have you got ACLs in your openldap directory configuration files?

Regards,
Thibault

</blockquote></div>
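An added example, not part of either message above: a small Python model of how slapd decides the rights Thibault asks about, following the evaluation order described in slapd.access(5) (the first `access to` clause whose target matches is used, the first matching `by` inside it wins, a clause with no matching `by` denies, the rootdn is exempt, and a slapd.conf with no `access` directives at all behaves as `access to * by * read`, which is the case for the file posted above). It evaluates the posted, ACL-free configuration beside a tightened one in which FreeRADIUS would bind as a dedicated DN rather than anonymously. The `cn=radius,dc=uniroma1,dc=it` bind DN, the `uid=misterc,ou=utenti,dc=uniroma1,dc=it` entry and both configuration strings are constructed for the example, and only the `<what>`/`<who>` forms the script itself uses are implemented.

```python
"""Simplified model of slapd.conf access-control evaluation (slapd.access(5)).

Modelled rules:
  * the first "access to <what>" clause whose <what> matches the target is used;
  * inside it, the first matching "by <who> <level>" decides;
  * if no "by" matches, access is denied (implicit "by * none");
  * with no "access" directives at all, the default is "access to * by * read";
  * the rootdn is never subject to ACLs.
Supported <what>: *, dn.exact/dn.base/dn.subtree="...", attrs=a,b
Supported <who>:  *, anonymous, users, self, dn.exact="..."
This is an illustration, not OpenLDAP's real ACL engine.
"""
import re

# Access levels in increasing order; a grant of level L permits every op <= L.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# Constructed input 1: the relevant part of the ACL-free file posted in the thread.
POSTED_CONF = """
database bdb
suffix "dc=uniroma1,dc=it"
rootdn "cn=Manager,dc=uniroma1,dc=it"
"""

# Constructed input 2: a tightened policy. cn=radius is an assumed service
# account for rlm_ldap to bind with; it does not exist in the posted directory.
HARDENED_CONF = """
database bdb
suffix "dc=uniroma1,dc=it"
rootdn "cn=Manager,dc=uniroma1,dc=it"
access to attrs=userPassword
    by dn.exact="cn=radius,dc=uniroma1,dc=it" read
    by self write
    by anonymous auth
    by * none
access to dn.subtree="ou=utenti,dc=uniroma1,dc=it"
    by dn.exact="cn=radius,dc=uniroma1,dc=it" read
    by users read
    by * none
access to *
    by * none
"""


def parse_acls(conf):
    """Return (rootdn, clauses); each clause is (what, [(who, level), ...])."""
    rootdn, clauses = None, []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("rootdn "):
            rootdn = line.split(None, 1)[1].strip('"').lower()
        elif line.startswith("access to "):
            # One-line form "access to X by Y level by Z level" is also accepted.
            parts = re.split(r"\s+by\s+", line[len("access to "):])
            clauses.append((parts[0].strip(), [tuple(p.split()) for p in parts[1:]]))
        elif line.startswith("by ") and clauses:
            clauses[-1][1].append(tuple(line[3:].split()))
    return rootdn, clauses


def _what_matches(what, dn, attr):
    """Does the <what> selector cover attribute `attr` of entry `dn`?"""
    if what == "*":
        return True
    m = re.match(r'dn\.(exact|base|subtree)="([^"]*)"', what)
    if m:
        kind, spec = m.group(1), m.group(2).lower()
        if kind in ("exact", "base"):
            return dn == spec
        return dn == spec or dn.endswith("," + spec)
    m = re.match(r"attrs=(\S+)", what)
    if m:
        return attr.lower() in [a.lower() for a in m.group(1).split(",")]
    raise ValueError("unsupported <what>: " + what)


def _who_matches(who, binder, dn):
    """Does the <who> selector cover the bound identity (None = anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return binder is None
    if who == "users":
        return binder is not None
    if who == "self":
        return binder == dn
    m = re.match(r'dn\.exact="([^"]*)"', who)
    if m:
        return binder == m.group(1).lower()
    raise ValueError("unsupported <who>: " + who)


def granted(conf, binder, dn, attr, op):
    """True if `binder` (None = anonymous) may perform `op` on `attr` of `dn`."""
    rootdn, clauses = parse_acls(conf)
    binder = binder.lower() if binder else None
    dn = dn.lower()
    if binder == rootdn:              # rootdn bypasses ACLs entirely
        return True
    if not clauses:                   # slapd default when no access directives exist
        clauses = [("*", [("*", "read")])]
    for what, bys in clauses:
        if _what_matches(what, dn, attr):
            for who, level in bys:
                if _who_matches(who, binder, dn):
                    return LEVELS.index(level) >= LEVELS.index(op)
            return False              # clause matched but no "by" did: implicit "by * none"
    return False


if __name__ == "__main__":
    user = "uid=misterc,ou=utenti,dc=uniroma1,dc=it"
    radius = "cn=radius,dc=uniroma1,dc=it"
    for name, conf in (("posted", POSTED_CONF), ("hardened", HARDENED_CONF)):
        print(name, "anonymous search on uid:", granted(conf, None, user, "uid", "search"))
        print(name, "anonymous read of userPassword:", granted(conf, None, user, "userPassword", "read"))
        print(name, "cn=radius read of userPassword:", granted(conf, radius, user, "userPassword", "read"))
```

The live counterpart is the check Thibault asks for: an uncredentialed `ldapsearch -x -H ldap://192.168.1.221 -b ou=utenti,dc=uniroma1,dc=it '(uid=misterc)'`, which exercises whatever ACLs the running slapd actually loaded rather than this model. The model does make one consequence of the posted file visible: with no `access` lines at all, the default policy that the file's own comments describe lets anonymous clients read `userPassword` hashes as well as search, which is why the tightened policy grants `read` on that attribute only to the RADIUS bind DN, `write` to the owning entry and just `auth` to anonymous binders.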