Christophe Gravier <christophe.gravier@univ-st-etienne.fr>wrote:
Removing the ldap entry, radtest no longer works of course.
Did you put "ldap" in the "authorize" section? That would allow radtest to work, as I said.
Yes, I did like we said: - did put ldap (it was already indeed) in authorize section. - did remove ldap from authenticate (since ldap will only be a "password storage").
rlm_ldap: looking for check items in directory...
Can you say which LDAP server you're using?
ist-guizay:/root# /usr/sbin/slapd -V @(#) $OpenLDAP: slapd 2.2.26 (Oct 31 2005 09:10:53) $ This is slapd package on current debian testing tree. This is a v3 openldap server, if I am right. If I make slapd log things and then observe I've got on a freeradius request: Dec 14 21:48:03 ist-guizay slapd[31741]: conn=2 fd=10 ACCEPT from IP=161.3.50.125:1490 (IP=0.0.0.0:389)Dec 14 21:48:03 ist-guizay slapd[31741]: conn=2 op=0 BIND dn="" method=128 Dec 14 21:48:03 ist-guizay slapd[31741]: conn=2 op=0 RESULT tag=97 err=0 text=Dec 14 21:48:03 ist-guizay slapd[31741]: conn=2 op=1 SRCH base="ou=person,o=istase,c=fr" scope=2 deref=0 filter="(uid=gravier.christophe)"Dec 14 21:48:03 ist-guizay slapd[31741]: conn=2 op=1 SRCH attr=radiusExpiration acctFlags ntPassword lmPassword radiusCallingStationId radiusCalledStationId radiusSimultaneousUse eap userPassword radiusCheckItem radiusLoginLATPort radiusPortLimit radiusFramedAppleTalkZone radiusFramedAppleTalkNetwork radiusFramedAppleTalkLink radiusLoginLATGroup radiusLoginLATNode radiusLoginLATService radiusTerminationAction radiusIdleTimeout radiusSessionTimeout radiusClass radiusFramedIPXNetwork radiusCallbackId radiusCallbackNumber radiusLoginTCPPort radiusLoginService radiusLoginIPHost radiusFramedCompression radiusFramedMTU radiusFilterId radiusFramedRouting radiusFramedRoute radiusFramedIPNetmask radiusFramedIPAddress radiusFramedProtocol radiusServiceType radiusReplyItem userPasswordDec 14 21:50:47 ist-guizay slapd[31741]: <= bdb_equality_candidates: (uid) index_param failed (18)Dec 14 21:50:47 ist-guizay slapd[31741]: conn=2 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text= Whaou .. person doesn't have all those attributes on my schema. (note that this search got a result: nentries = 1 !) I edited /etc/freeradius/ldap.attr, so that now the trace is a little more correct: Dec 14 21:55:27 ist-guizay slapd[31741]: conn=76 op=2 SRCH base="ou=person,o=istase,c=fr" scope=2 deref=0 filter="(uid=gravier.christophe)"Dec 14 21:55:27 ist-guizay slapd[31741]: conn=76 op=2 SRCH attr=userPassword Dec 14 21:55:27 ist-guizay slapd[31741]: <= bdb_equality_candidates: (uid) index_param failed (18)Dec 14 21:55:27 ist-guizay slapd[31741]: conn=76 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text= (please ignore the bdb_equality_candidates). I thought this has to do with the policy regarding access to userPassword field, so I gave full rights for a test via slapd.access.con: still not good. (that sounds ok since if it was a read/write/search/auth problem, I would had seen it in the slapd logging). I think it is OK with ldap because "nentries = 1" for the search (it finnds me). The problem should be for freeradius to use that password to match it against the one given by the user. For autorize and authenticate I have: authorize { preprocess chap mschap suffix files ldap } authenticate { Auth-Type PAP { pap } unix eap } As I said, I think this is freeradius related since openldap log that it finds the userPassword for the given user and scope. But I can't set freeradius in a more verbose mode to understand the problem. I still receive: (...) rlm_ldap: - authorize rlm_ldap: performing user authorization for gravier.christophe radius_xlat: '(uid=gravier.christophe)' radius_xlat: 'ou=person,o=istase,c=fr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ist-guizay.univ-st-etienne.fr:389, authentication 0 rlm_ldap: bind as / to ist-guizay.univ-st-etienne.fr:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=person,o=istase,c=fr, with filter (uid=gravier.christophe)rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Adding userPassword as User-Password, value { & op=11 rlm_ldap: user gravier.christophe authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.auth: Failed to validate the user. When running /usr/sbin/freeradius -X -f
It is NOT returning the User-Password attribute. My previous message said that the goal was for the ldap module to return the password in the "authorize" section.
Make that work. radtest will work, and then everything else will work.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html