Hi Alan, I am trying to do ldap query lookup in the authorize section and after successful authorization ( if ldap entry exists on search query) ....reply with Access-Accept if not reject. I do not want to do authentication in LDAP as we are not storing "userPassword" attribute in ldap schema. So in a way trying to do.. if(ldap search success) { Access-Accept } else { Access-Reject } Please check the thread below what Phil told me to do... Hi Phil, Here is the detail configs and logs. Please let me know. Thanks and Regards. modules { ldap { server = "ldap://xxxxxxxxx:1389" identity = "uid=appuser,ou=appadm,o=entitlement" password = ****** basedn = "ou=roles,o=entitlement" dictionary_mapping = ${raddbdir}/ldap.attrmap filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(entitlements=WIFILOC1)(attribute1=%{User-Password}))" start_tls = no ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 set_auth_type = no } } authorize { .. ldap pap } authenticate { Auth-Type PAP { pap } ..... } In the users files #DEFAULT Auth-Type := Local #Session-Timeout = 7200, #Fall-Through = Yes #DEFAULT Auth-Type := System #Session-Timeout = 7200, #Fall-Through = Yes Here is the detail log. rad_recv: Access-Request packet from host 216.2.193.1:55729, id=2, length=48 User-Name = "test1" User-Password = "11111" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "test1", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for test1 radius_xlat: '(&(uid=test1)(entitlements=WIFILOC1)(attribute1=11111))' radius_xlat: 'ou=roles,o=entitlement' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap://xxxx:1389, authentication 0 rlm_ldap: bind as uid=appuser,ou=appadm,o=entitlement/xxxx to ldap://xxxxxxx:1389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=roles,o=entitlement, with filter (&(uid=test1)(entitlements=WIFILOC1)(attribute1=11111)) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user test1 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns ok) for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 2 to 216.2.193.1 port 55729 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 2 with timestamp 4761660e Nothing to do. Sleeping until we see a request. --- Phil Mayers <p.mayers at imperial.ac.uk> wrote:
rlm_ldap: user test1 authorized to use remote
access
rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
That's the problem.
Your LDAP module should be copying the LDAP attribute containing the password to the relevant check item.
Slightly confusing, there are two ways to do this:
1. ldap.attrmap 2. password_attribute & password_header config items of ldap module
What are those setup to do?
A full "-X" debug would help at this point. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Assuming you are using a recent version of FreeRadius, you can do one of the following:
modules { ldap { ... set_auth_type = no } } authorize { preprocess ldap pap } authenticate { Auth-Type PAP { pap } }
--- Alan DeKok <aland@deployingradius.com> wrote:
Eric Martell wrote:
Hi Alan, Can you please help me out with the LDAP query? I am still stuck with the issue.
What problem is left to solve?
i.e. I read and answer a *lot* of email. I don't recall much past what's on my screen right now...
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
____________________________________________________________________________________ Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ