Okay, feeling a bit stoopid at the moment. I did not have the User-Password mapped. For some indefensible reason based on our environment I had changed it simply to Password, and never changed it back. I should have tried that mapping.
HOWEVER
It still doesn't work.
I can perform radtest queries username/LDAPpassword, and I get the accept response.
If I use the query with username/remotepassword, I get rejected.
It appears that rlm_ldap does an initial lookup in LDAP and then tries to reconnect and bind as the user via the unitnumber.
It uses (I can only assume) the User-Password to bind, and if that is not set to the value of the LDAP password, it fails and the requst is rejected.
I can see this happening in the log snippets included below.
Note also that I removed the two $GENERIC$ lines from the ldap.attrmap file... does that matter? I still don't understand their function.
Also, can I make arbitrary variable assignments in the ldap.attrmap file? like Some-Attriabute := %Some-Other-Attribute?
-----------------------------------------------------------------
My entire ldap.attrmap (without comments) is as follows:
checkItem Account-Enabled isaccountenabled
checkItem User-Password remotepassword
replyItem Access-List accesslist
replyItem Class remotegroup
(I am trying to recreate settings from another radius product I would like to replace)
---------------------------------------
My command line radtest for a failed and successful attempt
bash-3.00# /usr/local/freeradius/bin/radtest testuser "TESTpwd" localhost:1815 35000 SECRET
Sending Access-Request of id 50 to 127.0.0.1 port 1815
User-Name = "testuser"
User-Password = "TESTpwd"
NAS-IP-Address =
255.255.255.255
NAS-Port = 35000
rad_recv: Access-Reject packet from host 127.0.0.1:1815, id=50, length=20
bash-3.00# /usr/local/freeradius/bin/radtest testuser "LDAPpwd" localhost:1815 35000 SECRET
Sending Access-Request of id 59 to 127.0.0.1 port 1815
User-Name = "testuser"
User-Password = "LDAPpwd"
NAS-IP-Address =
255.255.255.255
NAS-Port = 35000
rad_recv: Access-Accept packet from host 127.0.0.1:1815, id=59, length=34
Class = 0x6f753d456d706c6f79656573
---------------------------------------------------
Debug output for the above requests is as follows:
(see attached file "radius-debug.txt" for full log)
REQUEST ONE FAILED
...
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type ldap
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "testuser" with password "TESTpwd"
rlm_ldap: user DN: unitnumber=547258278,ou=mspr,ou=mycompanypeople,o=mycompany
rlm_ldap: (re)connect to ldapvip.co.mycompany.com:389, authentication 1
rlm_ldap: bind as unitnumber=547258278,ou=mspr,ou=mycompanypeople,o=mycompany/TESTpwd to
ldapvip.co.mycompany.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
modcall[authenticate]: module "ldap" returns reject for request 0
modcall: leaving group LDAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect (rlm_ldap: Bind as user failed): [testuser/TESTpwd] (from client localhost port 35000)
Delaying request 0 for 1 seconds
Finished request 0
...
REQUEST TWO SUCCESSFUL
...
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
rad_check_password: Found Auth-Type ldap
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 1
rlm_ldap: - authenticate
rlm_ldap: login attempt by "testuser" with password "LDAPpwd"
rlm_ldap: user DN: unitnumber=547258278,ou=mspr,ou=mycompanypeople,o=mycompany
rlm_ldap: (re)connect to
ldapvip.co.mycompany.com:389, authentication 1
rlm_ldap: bind as unitnumber=547258278,ou=mspr,ou=mycompanypeople,o=mycompany/LDAPpwd to
ldapvip.co.mycompany.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user testuser authenticated succesfully
modcall[authenticate]: module "ldap" returns ok for request 1
modcall: leaving group LDAP (returns ok) for request 1
Login OK: [testuser] (from client localhost port 35000)
Sending Access-Accept of id 59 to 127.0.0.1 port 43466
Class = 0x6f753d456d706c6f79656573
Finished request 1
.....
> Modify ldap.attrmap so that _your_ attribute is mapped into User-Name, not
> the default one.
User-Password of course.
--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche - Ingénieur de recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html