Mik J wrote:
I disabled SQL because I assumed radiusd shouldn't look into the radcheck table to perform an authentication since I wanted to use LDAP.
That's your problem in a nutshell. You *assume* how things work. You don't *understand*. There's a huge difference between the two. The difference is why you're having problems.
To me it's a bit strange that radiusd will query this table everytime knowing that it won't be used because the authentication is based on LDAP.
Do you understand the difference between SQL and LDAP databases? Or the difference between the information FreeRADIUS gets from SQL and from LDAP?
To make my tests I have:
Maybe that works. I don't know, because you have divided the problem into pieces, and tested each piece. You're doing lots of things all at the same time.
Unfortunately # radtest myuser mypassword 127.0.0.1 1812 mysecret doesn't send me the attributes. I received rad_recv: Access-Accept though
So... you ran the server in debugging mode, but didn't bother to look at the output. Instead, you're only looking at the output of radtest. Do you want to solve the problem? If so, why are you trying HARD to avoid solving it?
I have a few questions:
So do I. Why am I answering your questions when you're not following instructions? You've followed some, sure. But the main one is to READ the output of debug mode, or at least post it here. You're not doing that.
a) My users are sitting in my ldap server and not in mysql so I'm not supposed to have a Fall-Through entry in the radreply table for myuser. Right ? And should I have read_groups=yes in sql.conf (section authorize {) ?
How about you read doc/rlm_sql? This is documented. I could cut & paste the answer here. But if you're too lazy to read the docs, I'm too lazy to cut & paste them here.
b) In /etc/raddb/sites-enabled/default, is the order important: first sql then ldap (default) or should it be first ldap then sql.
What do the docs say?
I've noticed the debug output is different when I change the order.
So you do read it... you just don't pay much attention to it.
The reason is that, the user credential should be checked against ldap first and then according to its group the attributes should be sent by radiusd. That's why I tried to put ldap before sql c) I'm very confused about the line "groupmembership_attribute = radiusGroupName". Should I replace radiusGroupName by something else such as radiusldapgroup ?
You should definitely NOT make random changes. It's clear you don't understand how it works. That's OK, but you should be asking questions about HOW it works, rather than looking for magical solutions.
d) When I start radiusd -X (ldap_debug = 0x0028 is not commented), I don't see my ldap server returning a group in the output on the screen.
It doesn't. It's not supposed to.
I would like to make sure that my groupname_attribute, groupmembership_filter and groupmembership_attribute are correct. How can I see what user's groups are received by the radiusd server ?
You don't. You use the LDAP-Group == "name" check, and the server does LDAP queries to see if the user is a member of that group. Again, you're stuck in magical thinking. You believe some random change will make it all magically work. It won't. You need to UNDERSTAND how it works. How the pieces work together. Only then will you be able to create a solution. Alan DeKok.