Are you trying to use Universal Password to authenticate? I don't see the TLS negotiation required for the admin to read the Universal Password. Why don't you post the entire debug log? Then we can see all the setup info as the radius server reads it. Mearl
jp@joshmp.com 7/19/2005 3:11:05 PM >>> Ok, I'm now one step closer. Mearl's solution worked somewhat. Here is the output from the debug:
Check the filter statement in the ldap portion of radiusd.conf. It's searching on "uid" which in eDirectory is an integer field and isn't populated by default.
Change the filter to filter = "(cn=%{Stripped-User-Name:-%{User-Name}})" and try it. That will get you past the "object not found" message. It will then be able to return the fully qualified DN of the user.
You can search on "cn" or any other ldap field that contains a unique ID. We're probably going to use uniqueID - the newer user creation API's populate it by default - in our environment because iPrint requires it.
Mearl
-----snip----- rlm_ldap: - authorize rlm_ldap: performing user authorization for gwaccesspo1 radius_xlat: '(cn=gwaccesspo1)' radius_xlat: 'o=services' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=services, with filter (cn=gwaccesspo1) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user gwaccesspo1 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 3 modcall: group authorize returns ok for request 3 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 3 rlm_ldap: - authenticate rlm_ldap: login attempt by "gwaccesspo1" with password "<password>" rlm_ldap: user DN: cn=gwaccessPO1,ou=GW,o=Services rlm_ldap: (re)connect to 10.254.8.25:389, authentication 1 rlm_ldap: bind as cn=gwaccessPO1,ou=GW,o=Services/<password> to 10.254.8.25:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind failed with invalid credentials rlm_ldap: NDS error: failed authentication (-669) -----snip----- To contrast, here is the output from debug when I attempt to authenticate a user in the root context: -----snip----- rlm_ldap: - authorize rlm_ldap: performing user authorization for zentest radius_xlat: '(cn=zentest)' radius_xlat: 'o=services' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=services, with filter (cn=zentest) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user zentest authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 2 modcall: group authorize returns ok for request 2 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 2 rlm_ldap: - authenticate rlm_ldap: login attempt by "zentest" with password "<password>" rlm_ldap: user DN: cn=zentest,o=Services rlm_ldap: (re)connect to 10.254.8.25:389, authentication 1 rlm_ldap: bind as cn=zentest,o=Services/<password> to 10.254.8.25:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user zentest authenticated succesfully -----snip----- Thanks in advance, Josh On Tuesday, July 19th, Mearl said: - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html