At 02:39 AM 12/1/2009, Alan DeKok wrote:
Because you've forced the "ntlm_auth" module to be run. That module ONLY checks clear-text passwords, and there is NO clear-text password in the request.
Change the line having ... Auth-Type := ntlm_auth, ... to ... Auth-Type = ntlm_auth, ...
DEFAULT Huntgroup-Name == Cisco_Huntgroup, Auth-Type:=ntlm_auth, Ldap-Group == "Infrastructure" Service-Type:=NAS-Prompt-User,cisco-avpair:="shell:priv-lvl=15" DEFAULT Huntgroup-Name == VPN_Huntgroup, Auth-Type=ntlm_auth, Ldap-Group == "VPN_Users" It runs the LDAP group check, but still lets the user log in even when he's not in the VPN_Users group: rlm_ldap::groupcmp: Group VPN_Users not found or user not a member rlm_ldap: ldap_release_conn: Release Id: 0 ++[files] returns noop [ldap] performing user authorization for ciscorsteeves [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) -> (&(sAMAccountname=ciscorsteeves)(objectClass=person)) [ldap] expand: OU=Enterprise,DC=example,DC=com -> OU=Enterprise,DC=example,DC=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in OU=Enterprise,DC=example,DC=com, with filter (&(sAMAccountname=ciscorsteeves)(objectClass=person)) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user ciscorsteeves authorized to use remote access
And read "man users" to see what the difference is.
Ahh, man 5 users. cool. Rick
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html