i tryed to set access_attr = "uid" access_attr_used_for_allow = yes but still authentication is succesful using EAP-TLS even if user is not in LDAP Directory. any hints ? thanks Rick Riccardo Veraldi ha scritto:
ok changing the ldap filter everything seems to work and I am authorized.
but if the user is not found in LDAP it is authorized anyway and authenticated at the end
rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed
Login OK: [Riccardo.Veraldi@city.myorg.it] (from client ciscoap3 port 273 cli 001e.5271.e700)
iI would like the login to fail. Basically I Want to check against certificate subject and allow or not allow users to get access to WiFi.
ho can I configure freeradius to drop users not recognized inside ldap ?
thanks
Rick
Ranner, Frank MR ha scritto:
UNCLASSIFIED
-----Original Message----- From: freeradius-users-bounces+frank.ranner=defence.gov.au@lists.fre
eradius.org [mailto:freeradius-users-> bounces+frank.ranner=defence.gov.au@lists.freeradius.org] On
Behalf Of Riccardo Veraldi Sent: Friday, 23 May 2008 16:43 To: FreeRadius users mailing list Subject: Re: radius x509 authentication + LDAP ?
I have this problem.
if I authenticate with EAP-TLS (I am using Max OS X 10.5 as supplicant)
my email address is extracted in some way as the user name. the uid is recognized as the parte before the "@" so my real username in LDAP (which is different) is not recognized as a valid user.
Neverless I am authenticated anyway.
So I have a doulbe problem
1) How to check against LDAP correctly, thus extracting my correct username from email address upon radius authorization request to ldap.
2) if a user is not found how to drop it, avoiding radius authorization to take place
rlm_ldap: performing user authorization for Riccardo.Veraldi radius_xlat: '(uid=Riccardo.Veraldi)' radius_xlat: 'ou=people,o=city,o=myorg,c=it' rlm_ldap: ldap_get_conn: Checking Id: 0
Does the string Riccardo.Veraldi exist in another attribute, like CN or Mail?
If so change your filter:
filter = "(|(cn=%{User-Name})(uid=%{User-Name})(mail=%{User-Name}@city.myorg.it)) "
Provided that the record is located, radius will use the dn of the record to authenticate.
I don't know why failed ldap lookups aren't rejecting the request. Maybe you don't have ldap block in the authenticate section.
Regards, Frank Ranner
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html