tnt@kalik.net wrote:
Admittedly, the configuration file for the 2.0.5 server is a mixture of 1.1.0 config style, and 2.0.5 config style, leaning more towards the 1.1.0 style, so it could simply be a result of old style getting in the way of the new, but I have gone through both configs, and I can't find out where my access-reject message in my users file is being either a)overwritten, or b) ignored outright.
I've gone through the docs, and the wiki, but haven't found out what I'm missing. I'm running RADIUS 2.0.5 in debug mode (-XXX), but haven't found anything pointing out what I'm doing wrong. I can comment out the entries in ldap.attrmap, but that also means they don't get sent when the authentication succeeds.
Here's the last line of my users file, below all other local users, and default entries:
DEFAULT Auth-Type := Reject Reply-Message = "Please, call the help desk."
Post the debug. It's extremly likely that something before this entry matched but didn't have Fall-Through at the end.
Ivan Kalik Kalik Informatika ISP
I decided it would be easier (in the long run) to simply start with a default freeRadius 2.0.5 config file, and then adjust it to match our setup. This has so far been going well, except now I've run into a problem where variables in my users file are not being expanded. Example from the user's file: DEFAULT Huntgroup-Name == dsl, serveriron-Ldap-Group == dsl10m, User-Profile := "uid=dsl10m,ou =profiles,ou=radius,dc=mtaonline,dc=net", Ldap-UserDN := `uid=%{User-Name},ou=dsl,dc=domain ,dc=com` Fall-Through = no I have an ldap server named "serveriron"; if I remove the "serveriron-" from the Ldap-Group, my profiles aren't processed at all. With the serveriron-Ldap-Group, it will search through the profiles, find the right profile, and then attempt to authenticate the user. This is what debug shows: Thu Oct 23 17:55:50 2008 : Debug: rlm_ldap: login attempt by "testuser" with password "thisisnotapass" Thu Oct 23 17:55:50 2008 : Debug: rlm_ldap: user DN: uid=%{User-Name},ou=dsl,dc=domain,dc=com Thu Oct 23 17:55:50 2008 : Debug: rlm_ldap: (re)connect to x.x.x.x:389, authentication 1 Thu Oct 23 17:55:50 2008 : Debug: rlm_ldap: bind as uid=%{User-Name},ou=dsl,dc=mtaonline,dc=net/thisisnotapass to x.x.x.x:389 So, it's not actually turning the %{User-Name} into "testuser" - it's trying to authenticate with a uid of "%{User-Name}", which isn't right. I've read through the docs online, and using either backticks or double-quotes is supposed to turn the variable name into the value of the variable. It is worth noting that if I take the line in the users file for that profile and replace %{User-Name} with testuser, the user can authenticate fine, so the users file isn't being processed, having the variables replaced with the values... If I solve that, things will likely start working completely. I do have another question, though: If I have multiple LDAP servers, do I need multiple DEFAULTs in the users file, one for each LDAP server, for Ldap-Group? I'm unclear on that. I haven't tested a failure of the serveriron ldap server, so I don't know if that fails, if the next server down the line will have no Ldap-Group defined for it, and be unable to locate the profile. Adam