Okay, feeling a bit stoopid at the moment. I did not have the User-Password mapped. For some indefensible reason based on our environment I had changed it simply to Password, and never changed it back. I should have tried that mapping. HOWEVER It still doesn't work. I can perform radtest queries username/LDAPpassword, and I get the accept response. If I use the query with username/remotepassword, I get rejected. It appears that rlm_ldap does an initial lookup in LDAP and then tries to reconnect and bind as the user via the unitnumber. It uses (I can only assume) the User-Password to bind, and if that is not set to the value of the LDAP password, it fails and the requst is rejected. I can see this happening in the log snippets included below. Note also that I removed the two $GENERIC$ lines from the ldap.attrmapfile... does that matter? I still don't understand their function. Also, can I make arbitrary variable assignments in the ldap.attrmap file? like Some-Attriabute := %Some-Other-Attribute? ----------------------------------------------------------------- My entire ldap.attrmap (without comments) is as follows: checkItem Account-Enabled isaccountenabled checkItem User-Password remotepassword replyItem Access-List accesslist replyItem Class remotegroup (I am trying to recreate settings from another radius product I would like to replace) --------------------------------------- My command line radtest for a failed and successful attempt bash-3.00# /usr/local/freeradius/bin/radtest testuser "TESTpwd" localhost:1815 35000 SECRET Sending Access-Request of id 50 to 127.0.0.1 port 1815 User-Name = "testuser" User-Password = "TESTpwd" NAS-IP-Address = 255.255.255.255 NAS-Port = 35000 rad_recv: Access-Reject packet from host 127.0.0.1:1815, id=50, length=20 bash-3.00# /usr/local/freeradius/bin/radtest testuser "LDAPpwd" localhost:1815 35000 SECRET Sending Access-Request of id 59 to 127.0.0.1 port 1815 User-Name = "testuser" User-Password = "LDAPpwd" NAS-IP-Address = 255.255.255.255 NAS-Port = 35000 rad_recv: Access-Accept packet from host 127.0.0.1:1815, id=59, length=34 Class = 0x6f753d456d706c6f79656573 --------------------------------------------------- Debug output for the above requests is as follows: (see attached file "radius-debug.txt" for full log) REQUEST ONE FAILED ... rlm_ldap: Setting Auth-Type = ldap rlm_ldap: user testuser authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type ldap auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group LDAP for request 0 rlm_ldap: - authenticate rlm_ldap: login attempt by "testuser" with password "TESTpwd" rlm_ldap: user DN: unitnumber=547258278,ou=mspr,ou=mycompanypeople,o=mycompany rlm_ldap: (re)connect to ldapvip.co.mycompany.com:389, authentication 1 rlm_ldap: bind as unitnumber=547258278,ou=mspr,ou=mycompanypeople,o=mycompany/TESTpwd to ldapvip.co.mycompany.com:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind failed with invalid credentials modcall[authenticate]: module "ldap" returns reject for request 0 modcall: leaving group LDAP (returns reject) for request 0 auth: Failed to validate the user. Login incorrect (rlm_ldap: Bind as user failed): [testuser/TESTpwd] (from client localhost port 35000) Delaying request 0 for 1 seconds Finished request 0 ... REQUEST TWO SUCCESSFUL ... rlm_ldap: Setting Auth-Type = ldap rlm_ldap: user testuser authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 1 modcall: leaving group authorize (returns ok) for request 1 rad_check_password: Found Auth-Type ldap auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group LDAP for request 1 rlm_ldap: - authenticate rlm_ldap: login attempt by "testuser" with password "LDAPpwd" rlm_ldap: user DN: unitnumber=547258278,ou=mspr,ou=mycompanypeople,o=mycompany rlm_ldap: (re)connect to ldapvip.co.mycompany.com:389, authentication 1 rlm_ldap: bind as unitnumber=547258278,ou=mspr,ou=mycompanypeople,o=mycompany/LDAPpwd to ldapvip.co.mycompany.com:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user testuser authenticated succesfully modcall[authenticate]: module "ldap" returns ok for request 1 modcall: leaving group LDAP (returns ok) for request 1 Login OK: [testuser] (from client localhost port 35000) Sending Access-Accept of id 59 to 127.0.0.1 port 43466 Class = 0x6f753d456d706c6f79656573 Finished request 1 ..... On 8/29/06, Stefan Winter <stefan.winter@restena.lu> wrote:
Modify ldap.attrmap so that _your_ attribute is mapped into User-Name, not the default one.
User-Password of course.
-- Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche - Ingénieur de recherche
6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html