"Fajar A. Nugraha" <list@fajar.net> writes:
The last part shouldn't be there, since you should've had an entry that adds Ldap-UserDN.
It should print something like this (0) authorize { (0) files: EXPAND uid=%{User-Name},ou=people,dc=company,dc=com (0) files: --> uid=testuser,ou=people,dc=company,dc=com (0) files: users: Matched entry DEFAULT at line 1 ... (0) [files] = ok
Did you edit the correct file? The default (in ubuntu) is /etc/freeradius/users (or /etc/raddb/users in most other distros), which is a symlink to mods-config/files/authorize
I found my mistake. When setting the chroot, I copied all raddb with cp(1) and the symlinks got overwritten by plain files. raddb/users was not a symlink anymore. Now I get the correct result for authorize/files. I removed any reference to ldap in the authorize section of sites-enable/default. Now I get the error "ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject" With the full messages being: Ready to process requests (0) Received Access-Request Id 162 from 192.41.170.3:19766 to 192.41.170.3:1812 length 72 (0) User-Name = "on" (0) User-Password = "***** password redeacted" (0) NAS-IP-Address = 192.41.170.6 (0) NAS-Port = 0 (0) Message-Authenticator = 0x768ce2f6e2d22042c783973be35af3b8 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) policy filter_password { (0) if (&User-Password && (&User-Password != "%{string:User-Password}")) { (0) EXPAND %{string:User-Password} (0) --> ***** password redeacted (0) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE (0) } # policy filter_password = notfound (0) [preprocess] = ok (0) auth_log: EXPAND /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log: --> /var/log/radacct/192.41.170.3/auth-detail-20170920 (0) auth_log: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/192.41.170.3/auth-detail-20170920 (0) auth_log: EXPAND %t (0) auth_log: --> Wed Sep 20 04:48:30 2017 (0) [auth_log] = ok (0) [mschap] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "on", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: EXPAND %{Client-IP-Address} (0) files: --> 192.41.170.3 (0) files: users: Matched entry DEFAULT at line 222 (0) files: EXPAND uid=%{User-Name},ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th (0) files: --> uid=on,ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [on/***** password redeacted] (from client fbsd35.cs.ait.ac.th port 0) Thank you, Olivier --