<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6000.16587" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>I came across the same problem and my
debugging shows the following:</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>1) ldap_groupcmp calls radius_xlat to replace Ldap-UserDn with the
value.</FONT></DIV>
<DIV><FONT face=Arial size=2>2) radius_xlat calls decode_attribute </FONT></DIV>
<DIV><FONT face=Arial size=2>3) decode_attribute calls xlat_packet with instance
1 and returns 0 (=nothing found)</FONT></DIV>
<DIV><PRE>
if ((c = xlat_find(xlat_name)) != NULL) {
	if (!c->internal) DEBUG3("radius_xlat: Running registered xlat function of module %s for string \'%s\'",
	                         c->module, xlat_string);
	retlen = c->do_xlat(c->instance, request, xlat_string, q, freespace, func);
	/* If retlen is 0, treat it as not found */
	if (retlen > 0) found = 1;
}
</PRE></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>If I look into xlat_packet there is a switch
statement for instance, and 1 means select request->packet->vps, but if I
look into rlm_ldap.c the vps are in request->config_items (e.g. instance =
0). If I change instance to 0 in the debugger the expansion seems to work.
Unfortunately I don't know where this is set and what it means.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><PRE>
switch (*(int*) instance) {
case 0:
	vps = request->config_items;
	break;

case 1:
	vps = request->packet->vps;
	packet = request->packet;
	break;
</PRE></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Markus</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
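<DIV><FONT face=Arial size=2>Added example (an editor's illustration, not code from Markus's message and not FreeRADIUS source): a small C model of the instance switch described above. The request type, the list names and the function names (value_pair, request_t, model_xlat_packet, expand_userdn, build_group_filter) are hypothetical stand-ins for the real FreeRADIUS structures, and the sample request is constructed so that Ldap-UserDn sits in config_items while the packet list only carries User-Name. Expanding with instance 1 searches the packet list, finds nothing and returns 0 bytes, which is exactly the empty member= seen in the quoted filter; instance 0 finds the DN. The filter builder refuses to run when the DN expanded to nothing, so a filter with an empty clause is never sent to the directory.</FONT></DIV>

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical model of a RADIUS attribute list; not the FreeRADIUS VALUE_PAIR. */
typedef struct value_pair {
    const char *name;
    const char *value;
    struct value_pair *next;
} value_pair;

/* Hypothetical model of the request: the two lists the switch chooses between. */
typedef struct {
    value_pair *config_items;  /* instance 0: check items set by modules such as rlm_ldap */
    value_pair *packet_vps;    /* instance 1: attributes of the incoming packet */
} request_t;

/* Return the value of the named attribute in a list, or NULL if absent. */
static const char *find_pair(value_pair *vps, const char *name) {
    for (value_pair *vp = vps; vp; vp = vp->next)
        if (strcmp(vp->name, name) == 0) return vp->value;
    return NULL;
}

/* Model of xlat_packet: pick the list by instance, copy the value into out.
 * Returns the number of bytes written; 0 means "not found", which the caller
 * turns into an empty expansion (the "member=" seen in the log). */
static size_t model_xlat_packet(int instance, request_t *r, const char *attr,
                                char *out, size_t freespace) {
    value_pair *vps;
    switch (instance) {
    case 0:  vps = r->config_items; break;
    case 1:  vps = r->packet_vps;   break;
    default: vps = NULL;            break;
    }
    const char *v = find_pair(vps, attr);
    if (!v) {
        if (freespace) out[0] = '\0';
        return 0;
    }
    size_t n = strlen(v);
    if (n >= freespace) n = freespace - 1;   /* never overrun the caller's buffer */
    memcpy(out, v, n);
    out[n] = '\0';
    return n;
}

/* Expand %{Ldap-UserDn} against a constructed request using the given
 * instance; returns the expanded length so the two instances can be compared. */
size_t expand_userdn(int instance, char *out, size_t freespace) {
    /* Constructed sample data: rlm_ldap stored the DN in config_items,
     * the packet itself only carries User-Name. The DN is taken from the quoted log. */
    value_pair userdn   = { "Ldap-UserDn", "CN=satish,CN=Users,DC=Crossfire,DC=symbol,DC=com", NULL };
    value_pair username = { "User-Name", "satish", NULL };
    request_t r = { &userdn, &username };
    return model_xlat_packet(instance, &r, "Ldap-UserDn", out, freespace);
}

/* Build the group filter only when the DN expanded to something. An empty
 * member= clause can never identify the intended user, so refuse it rather
 * than hand a degenerate filter to the directory. Returns 1 on success. */
int build_group_filter(int instance, char *out, size_t freespace) {
    char dn[128];
    if (expand_userdn(instance, dn, sizeof dn) == 0) return 0;
    int n = snprintf(out, freespace,
                     "(|(&(objectClass=group)(member=%s))"
                     "(&(objectClass=GroupOfUniqueNames)(uniquemember=%s)))", dn, dn);
    return (n > 0 && (size_t)n < freespace) ? 1 : 0;   /* 0 if truncated */
}

int main(void) {
    char buf[256];
    size_t n1 = expand_userdn(1, buf, sizeof buf);
    printf("instance 1 -> member=%s (%zu bytes)\n", buf, n1);
    size_t n0 = expand_userdn(0, buf, sizeof buf);
    printf("instance 0 -> member=%s (%zu bytes)\n", buf, n0);
    printf("filter with instance 1 built: %d\n", build_group_filter(1, buf, sizeof buf));
    printf("filter with instance 0 built: %d\n", build_group_filter(0, buf, sizeof buf));
    return 0;
}
```

<DIV><FONT face=Arial size=2>Compile with any C99 compiler and run; the first line shows the empty expansion from the packet list, the second the DN from config_items. The point of the guard in build_group_filter is that a zero-length expansion should stop the group check rather than be spliced into an LDAP filter, which in the quoted log merely produced "object not found" but is still a search the server should never have been asked to run.</FONT></DIV>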
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV>"Gopinath Reddy N" <<A
href="mailto:gnreddy@gmail.com">gnreddy@gmail.com</A>> wrote in message <A
href="news:c71dd3900801260505u49df7fe7g69bdb32823c155b8@mail.gmail.com">news:c71dd3900801260505u49df7fe7g69bdb32823c155b8@mail.gmail.com</A>...</DIV>
<DIV>Hi,</DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV>We have upgraded our freeradius1.6 to 2.0</DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV>We are using active directory for LDAP server.</DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV>We have not changed any data in AD. But when we upgrade and try to
connect using a valid user id, the user is getting rejected.</DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV>Please let me know if there are any issues I need to take care of before upgrading to
2.0.</DIV>
<DIV> </DIV>
<DIV>I am using the same bind DN and other strings in 2.0.</DIV>
<DIV> </DIV>
<DIV>rlm_ldap: ldap_get_conn: Checking Id: 0<BR>rlm_ldap: ldap_get_conn: Got
Id: 0<BR>rlm_ldap: attempting LDAP reconnection<BR>rlm_ldap: (re)connect to <A
href="http://157.235.205.31:389">157.235.205.31:389</A>, authentication
0<BR>rlm_ldap: bind as
cn=Administrator,cn=Users,dc=Crossfire,dc=symbol,dc=com/windows2003 to <A
href="http://157.235.205.31:389">157.235.205.31:389</A><BR>rlm_ldap: waiting
for bind result ...<BR>rlm_ldap: Bind was successful<BR>rlm_ldap: performing
search in cn=Users,dc=Crossfire,dc=symbol,dc=com, with filter
(sAMAccountName=satish)<BR>rlm_ldap: ldap_release_conn: Release Id:
0<BR> expand:
(|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
->
(|(&(objectClass=group)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))<BR>rlm_ldap:
ldap_get_conn: Checking Id: 0<BR>rlm_ldap: ldap_get_conn: Got Id: 0</DIV>
<DIV> </DIV>
<DIV>*******************************************************<BR>rlm_ldap:
performing search in cn=Users,dc=Crossfire,dc=symbol,dc=com, with filter
(&(cn=sales)(|(&(objectClass=group)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))</DIV>
<DIV>rlm_ldap: object not found or got ambiguous search result</DIV>
<DIV>*******************************************************************************<BR>rlm_ldap:
ldap_release_conn: Release Id: 0<BR>rlm_ldap: ldap_get_conn: Checking Id:
0<BR>rlm_ldap: ldap_get_conn: Got Id: 0<BR>rlm_ldap: performing search in
CN=satish,CN=Users,DC=Crossfire,DC=symbol,DC=com, with filter
(objectclass=*)<BR>rlm_ldap::ldap_groupcmp: ldap_get_values()
failed<BR>rlm_ldap: ldap_release_conn: Release Id: 0<BR>rlm_ldap: Entering
ldap_groupcmp()<BR> expand:
cn=Users,dc=Crossfire,dc=symbol,dc=com ->
cn=Users,dc=Crossfire,dc=symbol,dc=com<BR>
expand:
(|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
->
(|(&(objectClass=group)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))<BR>rlm_ldap:
ldap_get_conn: Checking Id: 0<BR>rlm_ldap: ldap_get_conn: Got Id:
0<BR>rlm_ldap: performing search in cn=Users,dc=Crossfire,dc=symbol,dc=com,
with filter
(&(cn=sales)(|(&(objectClass=group)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))<BR>rlm_ldap:
object not found or got ambiguous search result<BR>rlm_ldap:
ldap_release_conn: Release Id: 0<BR>rlm_ldap: ldap_get_conn: Checking Id:
0<BR>rlm_ldap: ldap_get_conn: Got Id: 0<BR>rlm_ldap: performing search in
CN=satish,CN=Users,DC=Crossfire,DC=symbol,DC=com, with filter
(objectclass=*)<BR>rlm_ldap::ldap_groupcmp: ldap_get_values()
failed<BR>rlm_ldap: ldap_release_conn: Release Id: 0<BR>
users: Matched entry DEFAULT at line 26<BR>++[files] returns ok<BR>++-
entering policy redundant<BR>rlm_ldap: - authorize<BR>rlm_ldap: performing
user authorization for satish<BR>
expand: (sAMAccountName=%{User-Name}) ->
(sAMAccountName=satish)<BR> expand:
cn=Users,dc=Crossfire,dc=symbol,dc=com ->
cn=Users,dc=Crossfire,dc=symbol,dc=com<BR>rlm_ldap: ldap_get_conn: Checking
Id: 0<BR>rlm_ldap: ldap_get_conn: Got Id: 0<BR>rlm_ldap: performing search in
cn=Users,dc=Crossfire,dc=symbol,dc=com, with filter
(sAMAccountName=satish)<BR>rlm_ldap: looking for check items in
directory...<BR>rlm_ldap: looking for reply items in directory...</DIV>
<DIV>******************************<BR>WARNING: No "known good" password was
found in LDAP. Are you sure that the user is configured correctly?</DIV>
<DIV>***************************************<BR>rlm_ldap: user satish
authorized to use remote access<BR>rlm_ldap: ldap_release_conn: Release Id:
0<BR>+++[ldap_secondary] returns ok<BR>++- policy redundant returns
ok<BR> rlm_eap: EAP packet type response id 1 length 11<BR>
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation<BR>++[eap]
returns updated<BR>rlm_pap: Found existing Auth-Type, not changing
it.<BR>++[pap] returns noop<BR> rad_check_password: Found
Auth-Type Reject<BR> rad_check_password: Auth-Type = Reject, rejecting
user<BR>auth: Failed to validate the user.<BR>Login incorrect: [satish/<via
Auth-Type = Reject>] (from client private-network-1 port 1 cli
00-16-CF-50-6C-8C)</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>Thanks</DIV>
<DIV>gnr<BR></DIV>
<P>
<HR>
<P></P>-<BR>List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html</BLOCKQUOTE></BODY></HTML>