*Matthew,* Thanks very much for the response. I have tried running the same after the suggested changes and below is what I am seeing. *=================================================================================[admin@radiustest ~]$ ldapsearch -x uid=admin* # extended LDIF # # LDAPv3 # base <dc=qi-cap,dc=com> (default) with scope subtree # filter: uid=admin # requesting: ALL # # admin, users, compat, qi-cap.com dn: uid=admin,cn=users,cn=compat,dc=qi-cap,dc=com objectClass: posixAccount objectClass: ipaOverrideTarget objectClass: top gecos: Administrator cn: Administrator uidNumber: 1283800000 gidNumber: 1283800000 loginShell: /bin/bash homeDirectory: /home/admin ipaAnchorUUID:: OklQQTpxaS1jYXAuY29tOmJjMzM0NDcyLWY2YzQtMTFlYy1iNjY4LTA4MDAyNz M2ZWMzOQ== uid: admin # admin, users, accounts, qi-cap.com dn: uid=admin,cn=users,cn=accounts,dc=qi-cap,dc=com objectClass: top objectClass: person objectClass: posixaccount objectClass: krbprincipalaux objectClass: krbticketpolicyaux objectClass: inetuser objectClass: ipaobject objectClass: ipasshuser objectClass: ipaSshGroupOfPubKeys objectClass: ipaNTUserAttrs objectClass: ipauserauthtypeclass objectClass: ipatokenradiusproxyuser uid: admin cn: Administrator sn: Administrator uidNumber: 1283800000 gidNumber: 1283800000 homeDirectory: /home/admin loginShell: /bin/bash gecos: Administrator ipaNTSecurityIdentifier: S-1-5-21-2716401607-2924185208-1841578509-500 # search result search: 2 result: 0 Success # numResponses: 3 # numEntries: 2 ================================================================================================================================== Ready to process requests (0) Received Access-Request Id 0 from 122.1.5.84:44216 to 122.1.5.84:1812 length 75 (0) User-Name = "admin" (0) User-Password = "Freeip@1234" (0) NAS-IP-Address = 122.1.5.84 (0) NAS-Port = 1812 (0) Message-Authenticator = 0xdd3ddd98c48416cc471cdb5dd5fd527e (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "admin", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop rlm_ldap (ldap): Reserved connection (0) (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap: --> (uid=admin) (0) ldap: Performing search in "dc=QI-CAP,dc=COM" with filter "(uid=admin)", scope "sub" (0) ldap: Waiting for search result... *(0) ldap: ERROR: Ambiguous search result, returned 2 unsorted entries (should return 1 or 0). Enable sorting, or specify a more restrictive base_dn, filter or scope(0) ldap: ERROR: The following entries were returned:(0) ldap: ERROR: uid=admin,cn=users,cn=compat,dc=qi-cap,dc=com(0) ldap: ERROR: uid=admin,cn=users,cn=accounts,dc=qi-cap,dc=com* rlm_ldap (ldap): Released connection (0) Need 5 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldap://localhost:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (0) [ldap] = invalid (0) } # authorize = invalid (0) Invalid user (ldap: Ambiguous search result, returned 2 unsorted entries (should return 1 or 0). Enable sorting, or specify a more restrictive base_dn, filter or scope): [admin] (from client localhost port 1812) (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> admin (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.1 seconds. Waking up in 0.8 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 0 from 122.1.5.84:1812 to 122.1.5.84:44216 length 20 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 0 with timestamp +3 Ready to process requests ================================================= Thanks *Krishna Chaitanya Ala* *Network and Operations Engineer* *QI Cap Markets LLP* *Bangalore,Karnataka* *Slack : krishna.chaitanya@qi-cap.com <krishna.chaitanya@qi-cap.com>* On Fri, 8 Jul 2022 at 15:34, Matthew Newton <mcn@freeradius.org> wrote:
On 08/07/2022 10:48, Krishna Chaitanya wrote:
rlm_ldap (ldap): Reserved connection (0) (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap: --> (uid=admin) (0) ldap: Performing search in "dc=example,dc=org" with filter "(uid=admin)", scope "sub" (0) ldap: Waiting for search result... (0) ldap: The specified DN wasn't found
You've not configured mods-enabled/ldap with your own local settings for base_dn, so searches for example.org (the default) are failing.
Test your local settings with ldapsearch to make sure you get LDAP search results back as expected, and then put them into mods-enabled/ldap.
-- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html