<div dir="ltr"><div>Hey, thanks for the help.<br></div><div><br></div><div>Yeah, this part seems to be OK; the second part I wrongly quoted.</div><div>If I understood this, FreeRADIUS can authorize but not authenticate. Look at the full result of freeradius -X:</div>
<div><br></div>
<div><br></div><div># Executing section authorize from file /etc/freeradius/sites-enabled/default<br>+- entering group authorize {...}<br>[ldap] performing user authorization for user1<br>[ldap] expand: (uid=%u) -> (uid=user1)<br>
[ldap] expand: dc=xxxx,dc=edu,dc=br -> dc=ifsudeste,dc=edu,dc=br<br> [ldap] ldap_get_conn: Checking Id: 0<br> [ldap] ldap_get_conn: Got Id: 0<br> [ldap] attempting LDAP reconnection<br> [ldap] (re)connect to 200.xx.xx.47:389, authentication 0<br>
[ldap] bind as cn=admin,dc=xxxx,dc=edu,dc=br/123abc to 200.xxx.xx.47:389<br> [ldap] waiting for bind result ...<br> [ldap] Bind was successful</div><div><br></div><div><br></div><div><b>Here it makes the bind and returns OK, right?</b></div>
<div><b><br></b> [ldap] performing search in dc=xxxx,dc=edu,dc=br, with filter (uid=user1) <-------- <b>now it tries to find user1 in the LDAP base.</b><br>[ldap] checking if remote access for user1 is allowed by uid<br>
[ldap] No default NMAS login sequence<br>[ldap] looking for check items in directory...<br> [ldap] userPassword -> Password-With-Header == "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="<br>[ldap] looking for reply items in directory...<br>
[ldap] Setting Auth-Type = LDAP<br>[ldap] user user1 authorized to use remote access<br> [ldap] ldap_release_conn: Release Id: 0<br>++[ldap] returns ok <---- <b>so far... everything OK</b><br>
++[expiration] returns noop<br>++[logintime] returns noop<br></div><div><br></div><div><br></div><div><b>Now it does this, and I don't know exactly why, but I guess now it tries to authenticate. Am I right?</b></div>
<div><br></div><div><br></div><div>Found Auth-Type = LDAP<br># Executing group from file /etc/freeradius/sites-enabled/default<br>+- entering group LDAP {...}<br>[ldap] login attempt by "user1" with password "123"<br>
[ldap] user DN: cn=user1,ou=People,dc=xxxxxxx,dc=edu,dc=br <b> <--------------- here it tries to bind again!?</b><br> [ldap] (re)connect to 200.xxx.xxx.47:389, authentication 1<br> [ldap] bind as cn=user1,ou=People,dc=xxxxxxx,dc=edu,dc=br/123 to 200.xxx.xx.47:389 <b><----- and it seems to try to use user1 to bind, but user1 isn't a bind user</b><br>
[ldap] waiting for bind result ...<br> [ldap] Bind failed with invalid credentials <b><---------- This is what I'm complaining about.</b><br>++[ldap] returns reject<br>Failed to authenticate the user.<br>
Login incorrect ( [ldap] Bind as user failed): [user1/123] (from client localhost port 10)<br>Using Post-Auth-Type Reject<br># Executing group from file /etc/freeradius/sites-enabled/default<br>+- entering group REJECT {...}<br>
[attr_filter.access_reject] expand: %{User-Name} -> user1<br> attr_filter: Matched entry DEFAULT at line 11<br>++[attr_filter.access_reject] returns updated<br><br></div><div><b>And the result of radtest is:</b></div>
<div><br></div><div>radtest user1 123 127.0.0.1 10 testing123<br>Sending Access-Request of id 156 to 127.0.0.1 port 1812<br> User-Name = "user1"<br>
User-Password = "123"<br> NAS-IP-Address = 200.131.96.47<br>
NAS-Port = 10<br>rad_recv: <b>Access-Reject</b> packet from host 127.0.0.1 port 1812, id=156, length=20<br></div><div><br></div><div><br></div><div>Any idea why?<br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">
2013/3/14 Arran Cudbard-Bell <span dir="ltr"><<a href="mailto:a.cudbardb@freeradius.org" target="_blank">a.cudbardb@freeradius.org</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im"><br>
On 13 Mar 2013, at 22:03, <a href="mailto:fernando.sg1@gmail.com">fernando.sg1@gmail.com</a> wrote:<br>
<br>
> Now at the PC, I can write better:<br>
><br>
> 1st: should I uncomment these 2 lines in /modules/ldap<br>
> # identity = "cn=admin,dc=xxxxx,dc=edu,dc=br"<br>
> # password = "123abc"<br>
> ?<br>
<br>
</div>Um yes if you need to do an authenticated bind to search in the directory.<br>
<div class="im"><br>
><br>
> I tried both configs, with ou=People or without, and they don't work.<br>
><br>
><br>
> Uncommenting the 2 lines I get this in freeradius -X:<br>
><br>
> [ldap] performing user authorization for user1<br>
> [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details<br>
> [ldap] ... expanding second conditional<br>
> [ldap] expand: %{User-Name} -> user1<br>
> [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=user1)<br>
> [ldap] expand: ou=People,dc=xxxx,dc=edu,dc=br -> ou=People,dc=xxxxxx,dc=edu,dc=br<br>
> [ldap] ldap_get_conn: Checking Id: 0<br>
> [ldap] ldap_get_conn: Got Id: 0<br>
> [ldap] attempting LDAP reconnection<br>
> [ldap] (re)connect to <a href="http://200.131.96.47:389" target="_blank">200.131.96.47:389</a>, authentication 0<br>
> [ldap] bind as cn=admin,dc=xxxxxx,dc=edu,dc=br/123abc to <a href="http://200.131.96.47:389" target="_blank">200.131.96.47:389</a><br>
> [ldap] waiting for bind result ...<br>
> [ldap] Bind was successful<br>
> [ldap] performing search in ou=People,dc=xxxxx,dc=edu,dc=br, with filter (uid=user1)<br>
> [ldap] checking if remote access for user1 is allowed by uid<br>
> [ldap] No default NMAS login sequence<br>
> [ldap] looking for check items in directory...<br>
> [ldap] userPassword -> Password-With-Header == "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="<br>
> [ldap] looking for reply items in directory...<br>
> [ldap] Setting Auth-Type = LDAP<br>
> [ldap] user user1 authorized to use remote access<br>
><br>
<br>
</div>Which seems to be correct?<br>
<div class="HOEnZb"><div class="h5"><br>
-Arran<br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</div></div></blockquote></div><br></div>
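<p>The authorize step in the debug output above already read the user's userPassword value ("{MD5}ICy5YqxZB1uWSwcVLSNLcA==") out of the directory, so the first thing to check is whether the password radtest sends ("123") is actually the password behind that stored hash. If it is, the failed simple bind as cn=user1,... in the authenticate step is a DN, server or ACL question rather than a wrong-password one; if it is not, the reject is correct. The script below is an added example, not code from this thread or from FreeRADIUS. It uses only the Python standard library, takes the {MD5} value printed on this page as constructed sample input, and goes a little beyond the page by handling the other common RFC 2307 userPassword forms (cleartext, {SHA}, {SSHA}) as well.</p>

```python
"""Check a candidate password against an LDAP userPassword value in the
RFC 2307 '{SCHEME}base64' form, so that a FreeRADIUS 'Bind as user failed'
can be split into 'wrong password' versus 'DN / server / ACL problem'.

Added illustrative code for the thread above; not part of FreeRADIUS.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample input: the Password-With-Header value that rlm_ldap
# printed during authorize in the freeradius -X output on this page.
STORED_USERPASSWORD = "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="

# Digest length in bytes per scheme; used to split the salt off an {SSHA} value.
_DIGEST_LEN = {"MD5": 16, "SHA": 20, "SSHA": 20}


def _digest(scheme: str, password: bytes, salt: bytes = b"") -> bytes:
    """Raw digest bytes for one RFC 2307 scheme (salt is appended for SSHA)."""
    if scheme == "MD5":
        return hashlib.md5(password).digest()
    if scheme == "SHA":
        return hashlib.sha1(password).digest()
    if scheme == "SSHA":
        return hashlib.sha1(password + salt).digest() + salt
    raise ValueError(f"unsupported userPassword scheme: {scheme}")


def encode_userpassword(password: str, scheme: str = "MD5",
                        salt: Optional[bytes] = None) -> str:
    """Build a '{SCHEME}base64' value, e.g. to compare with ldapsearch output."""
    scheme = scheme.upper()
    if scheme == "SSHA" and salt is None:
        salt = os.urandom(4)          # OpenLDAP-style 4-byte salt
    raw = _digest(scheme, password.encode("utf-8"), salt or b"")
    return "{" + scheme + "}" + base64.b64encode(raw).decode("ascii")


def check_userpassword(stored: str, candidate: str) -> bool:
    """True if `candidate` is the password behind `stored`.

    Handles cleartext, {MD5}, {SHA} and {SSHA}; other schemes ({CRYPT} etc.)
    raise ValueError rather than silently returning False.
    """
    if not stored.startswith("{"):
        # Cleartext userPassword: constant-time compare of the raw bytes.
        return hmac.compare_digest(stored.encode("utf-8"),
                                   candidate.encode("utf-8"))
    scheme, _, b64 = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in _DIGEST_LEN:
        raise ValueError(f"unsupported userPassword scheme: {scheme}")
    raw = base64.b64decode(b64)
    # For SSHA the salt is whatever follows the 20-byte SHA-1 digest.
    salt = raw[_DIGEST_LEN[scheme]:] if scheme == "SSHA" else b""
    expected = _digest(scheme, candidate.encode("utf-8"), salt)
    return hmac.compare_digest(expected, raw)


def explain_bind_failure(stored: str, candidate: str) -> str:
    """Turn the check into the next diagnostic step for a failed bind-as-user."""
    if check_userpassword(stored, candidate):
        return ("password matches userPassword: check the user DN, the server's "
                "bind support for this hash scheme, or an ACL on userPassword")
    return "password does not match userPassword: the supplied password is wrong"


if __name__ == "__main__":
    # "123" is the password radtest sent in the thread above.
    print(check_userpassword(STORED_USERPASSWORD, "123"))
    print(explain_bind_failure(STORED_USERPASSWORD, "123"))
```

<p>To reproduce the second bind outside FreeRADIUS, run <code>ldapwhoami -x -H ldap://200.xxx.xxx.47:389 -D "cn=user1,ou=People,dc=xxxxxxx,dc=edu,dc=br" -W</code> with the same password: that is the same simple bind rlm_ldap performs in the authenticate group, and the server's own error (invalid credentials vs. no such object vs. insufficient access) tells you which of the three directions above to follow.</p>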