<div dir="ltr">Logs<div>LDAP search fail, because LDAP-UserDN empty</div><div><div>Fri Nov 1 15:08:24 2013 : Info: +- entering group post-auth {...}</div><div>Fri Nov 1 15:08:24 2013 : Info: ++? if (LDAP-Group == "WIFI")</div>
<div>Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap: Entering ldap_groupcmp()</div><div>Fri Nov 1 15:08:24 2013 : Info: expand: o=evrcargo -> o=evrcargo</div><div>Fri Nov 1 15:08:24 2013 : Info: expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))</div>
<div>Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0</div><div>Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0</div><div>Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap: performing search in o=evrcargo, with filter (&(cn=WIFI)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))</div>
<div>Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap: object not found or got ambiguous search result</div><div>Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0</div><div>Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0</div>
<div>Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0</div><div>Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap: performing search in cn=Toomas,o=EVRCargo, with filter (objectclass=*)</div><div>Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap::ldap_groupcmp: ldap_get_values() failed</div>
<div>Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0</div><div>Fri Nov 1 15:08:24 2013 : Info: ++? elsif (LDAP-Group == "OPENVPN")</div><div>Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap: Entering ldap_groupcmp()</div>
<div>Fri Nov 1 15:08:24 2013 : Info: expand: o=evrcargo -> o=evrcargo</div><div>Fri Nov 1 15:08:24 2013 : Info: expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))</div>
<div>Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0</div><div>Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0</div><div>Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap: performing search in o=evrcargo, with filter (&(cn=OPENVPN)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))</div>
<div>Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap: object not found or got ambiguous search result</div><div>Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0</div><div>Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0</div>
<div>Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0</div><div>Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap: performing search in cn=Toomas,o=EVRCargo, with filter (objectclass=*)</div><div>Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap::ldap_groupcmp: ldap_get_values() failed</div>
<div>Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0</div><div>Fri Nov 1 15:08:24 2013 : Info: ++- entering else else {...}</div><div>Fri Nov 1 15:08:24 2013 : Info: +++[reject] returns reject</div>
<div>Fri Nov 1 15:08:24 2013 : Info: ++- else else returns reject</div><div>Fri Nov 1 15:08:24 2013 : Info: Using Post-Auth-Type Reject</div><div>Fri Nov 1 15:08:24 2013 : Info: +- entering group REJECT {...}</div></div>
<div><br></div><div>LDAP Bind</div><div><br></div><div><div>Fri Nov 1 15:08:24 2013 : Info: [ldap] performing user authorization for toomas</div><div>Fri Nov 1 15:08:24 2013 : Info: [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details</div>
<div>Fri Nov 1 15:08:24 2013 : Info: [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=toomas)</div><div>Fri Nov 1 15:08:24 2013 : Info: [ldap] expand: o=evrcargo -> o=evrcargo</div>
<div>Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0</div><div>Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0</div><div>Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap: attempting LDAP reconnection</div>
<div>Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap: (re)connect to <a href="http://192.168.99.60:636">192.168.99.60:636</a>, authentication 0</div><div>Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap: setting TLS mode to 1</div><div>
Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap: setting TLS CACert File to /etc/raddb/certs/evrc-ou.pam</div><div>Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap: setting TLS Require Cert to demand</div><div>Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap: bind as cn=anz,o=evrcargo/whatis to <a href="http://192.168.99.60:636">192.168.99.60:636</a></div>
<div>Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap: waiting for bind result ...</div><div>Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap: Bind was successful</div><div>Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap: performing search in o=evrcargo, with filter (uid=toomas)</div>
<div>Fri Nov 1 15:08:24 2013 : Info: [ldap] checking if remote access for toomas is allowed by rADIUSEnableDialAccess</div><div>Fri Nov 1 15:08:24 2013 : Info: [ldap] Added the eDirectory password XXXXXXXXXXXX in check items as Cleartext-Password</div>
<div>Fri Nov 1 15:08:24 2013 : Info: [ldap] No default NMAS login sequence</div><div>Fri Nov 1 15:08:24 2013 : Info: [ldap] looking for check items in directory...</div><div>Fri Nov 1 15:08:24 2013 : Info: [ldap] looking for reply items in directory...</div>
<div>Fri Nov 1 15:08:24 2013 : Info: [ldap] user toomas authorized to use remote access</div><div>Fri Nov 1 15:08:24 2013 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0</div><div>Fri Nov 1 15:08:24 2013 : Info: ++[ldap] returns ok</div>
</div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/11/1 Phil Mayers <span dir="ltr"><<a href="mailto:p.mayers@imperial.ac.uk" target="_blank">p.mayers@imperial.ac.uk</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On 01/11/13 12:11, Andres Septer wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
You need to read the documentation, and *understand* how FreeRADIUS<br>
works. The alternative is random changes, confusion, upset users, and<br>
*more* work and pain.<br>
<br>
<br>
Skipped the idea to use different LDAP attributes for WiFi and OpenVPN<br>
altogether and turned to the LDAP groups.<br>
<br>
But my Ldap-UserDn attribute wont get populated (even though user is<br>
successfully authenticated in LDAP). So group search obviously fails<br>
<br>
When I manually insert my test users DN, everything works as expected.<br>
<br>
read the rlm_ldap manual but i still do not understand why my<br>
LDAP-UserDn is not populated.<br>
</blockquote>
<br></div></div>
Sigh. Debug please, as gathered with "radiusd -X". We're not psychic.<br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/<u></u>list/users.html</a><br>
</blockquote></div><br></div>