So ...
From the preceding, preceding mail, you should have seen that %{User-Name} is equal to something like "uid=P0..., o=nrb, c=be" ... which is what I want to have checked against the LDAP.
For now, when I implement your suggestion, I just come out with "checking for dn=o=nrb,c=be, (uid=uid)", which corresponds to the truncating of my requesting DN. jF On Wed, 14 Sep 2005, Kostas Kalevras wrote:
On Wed, 14 Sep 2005, Jean-Francois Gobin wrote:
Here is my whole ldap definition :
ldap { server = "ldap.xxxx.xxx" # identity = "cn=admin,o=My Org,c=UA" # password = mypass basedn = " "
This should be an actual DN of your tree. Something like: ou=people,dc=company,dc=com
filter = "(%{User-Name})"
This is wrong. It should most probably read filter = "(uid=%{User-Name})"
# base_filter = "(objectclass=radiusprofile)"
# set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # The StartTLS operation is supposed to be used with normal # ldap connections instead of using ldaps (port 689) connections start_tls = no
# tls_cacertfile = /path/to/cacert.pem # tls_cacertdir = /path/to/ca/dir/ # tls_certfile = /path/to/radius.crt # tls_keyfile = /path/to/radius.key # tls_randfile = /path/to/rnd # tls_require_cert = "demand"
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" # access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
# # NOTICE: The password_header directive is NOT case insensitive # # password_header = "{clear}" # # Set: # password_attribute = nspmPassword # # to get the user's password from a Novell eDirectory # backend. This will work *only if* freeRADIUS is # configured to build with --with-edir option. # # # The server can usually figure this out on its own, and pull # the correct User-Password or NT-Password from the database. # # Note that NT-Passwords MUST be stored as a 32-digit hex # string, and MUST start off with "0x", such as: # # 0x000102030405060708090a0b0c0d0e0f # # Without the leading "0x", NT-Passwords will not work. # This goes for NT-Passwords stored in SQL, too. # # password_attribute = userPassword # # Un-comment the following to disable Novell eDirectory account # policy check and intruder detection. This will work *only if* # FreeRADIUS is configured to build with --with-edir option. # # edir_account_policy_check=no # # groupname_attribute = cn # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqu eNames)(uniquemember=%{Ldap-UserDn})))" # groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 # compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes }
On Tue, 13 Sep 2005, Nicolas Baradakis wrote:
Jean-Francois Gobin wrote:
rlm_ldap: - authorize rlm_ldap: performing user authorization for uid=P06227,ou=people,o=nrb,c=be radius_xlat: '(uid)' radius_xlat: ' ' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in , with filter (uid) rlm_ldap: ldap_search() failed: Bad search filter: (uid)
What is your filter in section ldap of radiusd.conf ?
-- Nicolas Baradakis
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
---------- Jean-Francois Gobin - Administrateur gobinjf.be http://www.gobinjf.be mailto:gobin@gobinjf.be - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Kostas Kalevras Network Operations Center kkalev@noc.ntua.gr National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
---------- Jean-Francois Gobin - Administrateur gobinjf.be http://www.gobinjf.be mailto:gobin@gobinjf.be