How do I get Reject when I am connecting with the same user as I did to connect LDAP??? I get bind successful so why is this not successful? rad_recv: Access-Request packet from host 10.0.1.56 port 62107, id=21, length=46 User-Name = "radius" User-Password = "ceadmin" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 67 ++[files] returns ok [sql] expand: %{User-Name} -> radius [sql] sql_set_user escaped user --> 'radius' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'radius' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'radius' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 [sql] User radius not found ++[sql] returns notfound [ldap] performing user authorization for radius [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> radius [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=radius) [ldap] expand: dc=corp,dc=clearedgeit,dc=com -> dc=corp,dc=clearedgeit,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to dc1.corp.clearedgeit.com:389, authentication 0 [ldap] bind as cn=radius,ou=users,ou=jessup,ou=clearedge,dc=corp,dc=clearedgeit,dc=com/ceadmin to dc1.corp.clearedgeit.com:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (uid=radius) [ldap] rebind to URL ldap:// ForestDnsZones.corp.clearedgeit.com/DC=ForestDnsZones,DC=corp,DC=clearedgeit,DC=com [ldap] rebind to URL ldap:// DomainDnsZones.corp.clearedgeit.com/DC=DomainDnsZones,DC=corp,DC=clearedgeit,DC=com [ldap] rebind to URL ldap:// corp.clearedgeit.com/CN=Configuration,DC=corp,DC=clearedgeit,DC=com [ldap] object not found [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = LDAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group LDAP {...} [ldap] login attempt by "radius" with password "ceadmin" [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> radius [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=radius) [ldap] expand: dc=corp,dc=clearedgeit,dc=com -> dc=corp,dc=clearedgeit,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (uid=radius) [ldap] rebind to URL ldap:// ForestDnsZones.corp.clearedgeit.com/DC=ForestDnsZones,DC=corp,DC=clearedgeit,DC=com [ldap] rebind to URL ldap:// DomainDnsZones.corp.clearedgeit.com/DC=DomainDnsZones,DC=corp,DC=clearedgeit,DC=com [ldap] rebind to URL ldap:// corp.clearedgeit.com/CN=Configuration,DC=corp,DC=clearedgeit,DC=com [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns notfound Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> radius attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.7 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 21 to 10.0.1.56 port 62107 Waking up in 4.9 seconds. Adam Schappell System Administrator II Clearedge IT Solutions, LLC 10620 Guilford Road Jessup, MD 20794 Office:443-212-4712 Fax:443-212-4809 www.ClearEdgeIT.com <http://www.clearedgeit.com/> On Fri, Mar 27, 2015 at 2:33 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Fri, Mar 27, 2015 at 02:18:06PM -0400, Adam Schappell wrote:
I get that and see that but there is no ldap in radius.conf, do you all see anything wrong with my bind dn?
Ah... there is only one config file: radius.conf. This includes all the other configuration, so look in your ldap config.
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html