Okay, feeling a bit stoopid at the moment.  I did not have the User-Password mapped.  For some indefensible reason based on our environment I had changed it simply to Password, and never changed it back.  I should have tried that mapping.

HOWEVER

It still doesn't work. 
I can perform radtest queries  username/LDAPpassword, and I get the accept response.
If I use the query with username/remotepassword, I get rejected.

It appears that rlm_ldap does an initial lookup in LDAP and then tries to reconnect and bind as the user via the unitnumber.
It uses (I can only assume) the User-Password to bind, and if that is not set to the value of the LDAP password, it fails and the requst is rejected.

I can see this happening in the log snippets included below.

Note also that I removed the two $GENERIC$ lines from the ldap.attrmap file... does that matter?  I still don't understand their function.
Also, can I make arbitrary variable assignments in the ldap.attrmap file?  like Some-Attriabute := %Some-Other-Attribute?

-----------------------------------------------------------------
My entire ldap.attrmap (without comments) is as follows:

checkItem       Account-Enabled                 isaccountenabled
checkItem       User-Password                   remotepassword

replyItem       Access-List                     accesslist
replyItem       Class                           remotegroup


(I am trying to recreate settings from another radius product I would like to replace)

---------------------------------------
My command line radtest for a failed and successful attempt

bash-3.00# /usr/local/freeradius/bin/radtest  testuser "TESTpwd" localhost:1815 35000 SECRET
Sending Access-Request of id 50 to 127.0.0.1 port 1815
        User-Name = "testuser"
        User-Password = "TESTpwd"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 35000
rad_recv: Access-Reject packet from host 127.0.0.1:1815, id=50, length=20
bash-3.00# /usr/local/freeradius/bin/radtest  testuser "LDAPpwd" localhost:1815 35000 SECRET
Sending Access-Request of id 59 to 127.0.0.1 port 1815
        User-Name = "testuser"
        User-Password = "LDAPpwd"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 35000
rad_recv: Access-Accept packet from host 127.0.0.1:1815, id=59, length=34
        Class = 0x6f753d456d706c6f79656573

---------------------------------------------------
Debug output for the above requests is as follows:

(see attached file "radius-debug.txt" for full log)

REQUEST ONE FAILED
...
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type ldap
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "testuser" with password "TESTpwd"
rlm_ldap: user DN: unitnumber=547258278,ou=mspr,ou=mycompanypeople,o=mycompany
rlm_ldap: (re)connect to ldapvip.co.mycompany.com:389, authentication 1
rlm_ldap: bind as unitnumber=547258278,ou=mspr,ou=mycompanypeople,o=mycompany/TESTpwd to ldapvip.co.mycompany.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
  modcall[authenticate]: module "ldap" returns reject for request 0
modcall: leaving group LDAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect (rlm_ldap: Bind as user failed): [testuser/TESTpwd] (from client localhost port 35000)
Delaying request 0 for 1 seconds
Finished request 0
...


REQUEST TWO SUCCESSFUL
...
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
  rad_check_password:  Found Auth-Type ldap
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 1
rlm_ldap: - authenticate
rlm_ldap: login attempt by "testuser" with password "LDAPpwd"
rlm_ldap: user DN: unitnumber=547258278,ou=mspr,ou=mycompanypeople,o=mycompany
rlm_ldap: (re)connect to ldapvip.co.mycompany.com:389, authentication 1
rlm_ldap: bind as unitnumber=547258278,ou=mspr,ou=mycompanypeople,o=mycompany/LDAPpwd to ldapvip.co.mycompany.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user testuser authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 1
modcall: leaving group LDAP (returns ok) for request 1
Login OK: [testuser] (from client localhost port 35000)
Sending Access-Accept of id 59 to 127.0.0.1 port 43466
        Class = 0x6f753d456d706c6f79656573
Finished request 1
.....





On 8/29/06, Stefan Winter <stefan.winter@restena.lu> wrote:
> Modify ldap.attrmap so that _your_ attribute is mapped into User-Name, not
> the default one.

User-Password of course.

--
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche - Ingénieur de recherche

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html