hi again....
now is fine.. the hint query was ...

1 configuration in the hints file.. left the default for users not with suffix.. and ldap.atrribmap.. miss Hint  --- radiusHint

again.. thanxs for all



2013/3/22 Tony Peña <emperor.cu@gmail.com>
Hi again...
I'm starting taking some confuse idea with this...

I use 3 checkvals.

1 for Calling-Station-Id
2 for Called-Station-Id
and 3 for Hints

and in the Hints file.. i setup my hints domains and filter to can apply for the suffix the correct acl/pool ip.

also have radiusHints and radiusFilterId in my OpenLDAP db.

now.. my question is.. why if Hints is not found in radius query... continue checking the rest for the values... and with any checkvals 1 or 2 works fine.. ??

so... if some user use other hints radius do access-accept... and not the reject like callings/called-station-id who with that... works fine..

simple debug.

[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=gtm478)
[ldap]  expand: ou=institute,ou=users,dc=sld,dc=cu -> ou=institute,ou=users,dc=domain,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=institute,ou=users,dc=domain,dc=com, with filter (uid=gtm478)
  [ldap] performing search in cn=users.ppp,ou=profiles,ou=radius,ou=services,dc=domain,dc=com, with filter (objectclass=radiusprofile)
  [ldap] radiusCalledStationId -> Called-Station-Id == "999999"
  [ldap] radiusCalledStationId -> Called-Station-Id == "888888"
  [ldap] radiusCalledStationId -> Called-Station-Id == "111111"
  [ldap] extracted attribute Max-Monthly-Session from generic item Max-Monthly-Session := 90000
  [ldap] radiusIdleTimeout -> Idle-Timeout = 300
  [ldap] radiusSessionTimeout -> Session-Timeout = 7200
  [ldap] radiusFramedCompression -> Framed-Compression = Van-Jacobson-TCP-IP
  [ldap] radiusFramedMTU -> Framed-MTU = 576
  [ldap] radiusFilterId -> Filter-Id = "general.in"
  [ldap] radiusFramedProtocol -> Framed-Protocol = PPP
  [ldap] radiusServiceType -> Service-Type = Framed-User
[ldap] Added User-Password = {CRYPT}$1$passwordcrypted in check items
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header == "{CRYPT}$1$cryptedpassword"
  [ldap] radiusCallingStationId -> Calling-Station-Id == "111111"
[ldap] looking for reply items in directory...
[ldap] user gtm478 authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
rlm_checkval: Item Name: Calling-Station-Id, Value: 111111
rlm_checkval: Value Name: Calling-Station-Id, Value: 111111
++[checkval1] returns ok
rlm_checkval: Item Name: Called-Station-Id, Value: 88888
rlm_checkval: Value Name: Called-Station-Id, Value: 999999
rlm_checkval: Value Name: Called-Station-Id, Value: 88888
++[checkval2] returns ok
rlm_checkval: Item Name: Hint, Value: userdefault
rlm_checkval: Could not find attribute named Hint in check pairs
++[checkval3] returns notfound

I need to stop here.. and reject the user..

++? if (User-Name =~ /^(.+)@institute.domain.com/)
? Evaluating (User-Name =~ /^(.+)@institute.domain.com/) -> TRUE
++? if (User-Name =~ /^(.+)@institute.domain.com/) -> TRUE
++- entering if (User-Name =~ /^(.+)@institute.domain.com/) {...}
rlm_sqlcounter: Entering module authorize code

NOT should be continue.....

the users .. logging on...ok. (with bad hints)
with hints works fine.

thanxs in advance... (i'm continue searching and try meanwhilte wait for this...)
sorry for my bad english ..  O:-)
regards.

--
Antonio Peña
Secure email with PGP 0x8B021001 available at http://pgp.mit.edu
Fingerprint: 74E6 2974 B090 366D CE71  7BB2 6476 FA09 8B02 1001



--
Antonio Peña
Secure email with PGP 0x8B021001 available at http://pgp.mit.edu
Fingerprint: 74E6 2974 B090 366D CE71  7BB2 6476 FA09 8B02 1001