Sorry, "dc=xxxx,dc=it" is the correct not "dc=uniroma1,dc=it" as appear in the other configuration file. Giusy Venezia On 7/20/06, Giuseppina Venezia <giusy.venezia@gmail.com> wrote:
Here is mi slapd.conf
# # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/samba.schema include /usr/local/etc/openldap/schema/RADIUS-LDAPv3.schema # Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org
#Aggiungiamo il livello di logging loglevel 296 pidfile /usr/local/var/run/slapd.pid argsfile /usr/local/var/run/slapd.args
#Direttive SSL #TLSCipherSuite HIGH #TLSCertificateFile /usr/local/etc/openldap/slapd-cert.pem #TLSCertificateKeyFile /usr/local/etc/openldap/slapd- key.pem # Load dynamic backend modules: # modulepath /usr/local/libexec/openldap # moduleload back_bdb.la # moduleload back_ldap.la # moduleload back_ldbm.la # moduleload back_passwd.la # moduleload back_shell.la
# Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base= "" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING!
####################################################################### # BDB database definitions #######################################################################
database bdb suffix "dc=xxxx,dc=it" rootdn "cn=Manager,dc=xxxx,dc=it" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw {SSHA}gUlr8Lqr7eYgfSti9+Dl76lbkbgK3fqc # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /usr/local/var/openldap-data/xxxx.it mode 0600 # Indices to maintain index objectClass eq,pres index cn eq,pres index uid eq,pres index userPassword eq,pres cachesize 2000
Thanks in advance Giusy Venezia
On 7/20/06, Thibault Le Meur <Thibault.LeMeur@supelec.fr> wrote:
rad_recv: Access-Request packet from host 127.0.0.1:32801, id=0, length=217 User-Name = "misterc" CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986 NAS-IP-Address = 0.0.0.0 Service-Type = Login-User Framed-IP-Address = 192.168.182.2 Calling-Station-Id = "XX-XX-XX-XX-XX-XX" Called-Station-Id = "AA-AA-AA-AA-DD-AA" NAS-Identifier = "nas01" Acct-Session-Id = "44bfd15d00000000" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Message-Authenticator = 0xf61479bee3c987c66cca254dcfa39c0a WISPr-Logoff-URL = " http://192.168.182.1:3990/logoff"
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: - authorize Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: performing user authorization for misterc Thu Jul 20 20:54:50 2006 : Debug: radius_xlat: '(uid=misterc)' Thu Jul 20 20:54:50 2006 : Debug: radius_xlat: 'ou=utenti,dc=XXXX,dc=it'
Ok rlm_ldap is initialized
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: bind as / to 192.168.1.221:389 Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: waiting for bind result ... Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: Bind was successful
bind to the directory is Ok
Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: performing search in ou=utenti,dc=XXXX,dc=it, with filter (uid=misterc) Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: object not found or got ambiguous search result Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: search failed
Ah... Seems that the used bound to the ldap directory can't find uid=misterc in ou=utenti,dc=XXXX,dc=it
Thu Jul 20 20:54:51 2006 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
So Auth-Type isn't setted to Ldap
Thu Jul 20 20:54:51 2006 : Debug: auth: Failed to validate the user.
This is logical
ldap { server="192.168.1.221" port="389" basedn="ou=utenti,dc=uniroma1,dc=it" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" start_tls = no access_attr = "uid" dictionary_mapping = ${raddbdir}/ldap.attrmap authtype = ldap ldap_connections_number = 5 password_header = "{SHA}" password_attribute = userPassword } }
Well isn't it a pb of rights ? Is the anonymous user able to search the openldap directory for users entries ?
What is the result of a simple "ldapsearch" with the same ldap filter.
If you need any other information please ask us; sorry if we are boring you but we are trying and trying without any significant result. Thanks.
Have you got ACLs in your openldap directory configuration files ?
Regards, Thibault