On 7/20/06, Thibault Le Meur <Thibault.LeMeur@supelec.fr> wrote:
Well isn't it a pb of rights ? Is the anonymous user able to search the openldap directory for users entries ?
Yes, the anonymous user is able to search. What is the result of a simple "ldapsearch" with the same ldap filter. ldapsearch -x -b "dc=xxxx,dc=it" "(uid=misterc)" # extended LDIF # # LDAPv3 # base <dc=xxxx,dc=it> with scope subtree # filter: (uid=misterc) # requesting: ALL # # Vito Cu, utenti, xxxx.it dn: cn=Vito Cu,ou=utenti,dc=xxxx,dc=it uid: misterc description: bel giovine sn: Cu cn: newperson cn: Vito Cu userPassword:: e1NIQX1TQ01UU1l5cVpESHcvSXhqRUJGWHdQQnFTTXM9 objectClass: radiusprofile objectClass: inetOrgPerson radiusA 10:21 uthType: LDAP # search result search: 2 result: 0 Success 10:21 # numResponses: 2 # numEntries: 1 Have you got ACLs in your openldap directory configuration files ? All the users have the rights. Well, after some changes in OpenLDAP config, this is the result: Fri Jul 21 11:15:51 2006 : Debug: Processing the authorize section of radiusd.conf Fri Jul 21 11:15:51 2006 : Debug: modcall: entering group authorize for request 0 Fri Jul 21 11:15:51 2006 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0 Fri Jul 21 11:15:51 2006 : Debug: rlm_eap: No EAP-Message, not doing EAP Fri Jul 21 11:15:51 2006 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0 Fri Jul 21 11:15:51 2006 : Debug: modcall[authorize]: module "eap" returns noop for request 0 Fri Jul 21 11:15:51 2006 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 0 Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: - authorize Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: performing user authorization for misterc Fri Jul 21 11:15:51 2006 : Debug: radius_xlat: '(uid=misterc)' Fri Jul 21 11:15:51 2006 : Debug: radius_xlat: 'ou=utenti,dc=xxxx,dc=it' Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0 Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0 Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: attempting LDAP reconnection Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: (re)connect to 192.168.1.221:389, authentication 0 Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: bind as cn=Manager,dc=xxxx,dc=it/PASSWORD to 192.168.1.221:389 Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: waiting for bind result ... Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Bind was successful Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: performing search in ou=utenti,dc=xxxx,dc=it, with filter (uid=misterc) Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: checking if remote access for misterc is allowed by userPassword Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Added password {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= in check items Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: looking for check items in directory... Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding radiusAuthType as Auth-Type, value LDAP & op=21 Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding userPassword as User-Password, value {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= & op=21 Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: looking for reply items in directory... Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: user misterc authorized to use remote access Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Fri Jul 21 11:15:51 2006 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 0 Fri Jul 21 11:15:51 2006 : Debug: modcall[authorize]: module "ldap" returns ok for request 0 Fri Jul 21 11:15:51 2006 : Debug: modcall: leaving group authorize (returns ok) for request 0 Fri Jul 21 11:15:51 2006 : Debug: rad_check_password: Found Auth-Type LDAP Fri Jul 21 11:15:51 2006 : Debug: auth: type "LDAP" Fri Jul 21 11:15:51 2006 : Debug: Processing the authenticate section of radiusd.conf Fri Jul 21 11:15:51 2006 : Debug: modcall: entering group LDAP for request 0 Fri Jul 21 11:15:51 2006 : Debug: modsingle[authenticate]: calling pap (rlm_pap) for request 0 Fri Jul 21 11:15:51 2006 : Auth: rlm_pap: Attribute "Password" is required for authentication. Cannot use "CHAP-Password". Fri Jul 21 11:15:51 2006 : Debug: modsingle[authenticate]: returned from pap (rlm_pap) for request 0 Fri Jul 21 11:15:51 2006 : Debug: modcall[authenticate]: module "pap" returns invalid for request 0 Fri Jul 21 11:15:51 2006 : Debug: modsingle[authenticate]: calling ldap (rlm_ldap) for request 0 Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: - authenticate Fri Jul 21 11:15:51 2006 : Auth: rlm_ldap: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password". Fri Jul 21 11:15:51 2006 : Debug: modsingle[authenticate]: returned from ldap (rlm_ldap) for request 0 Fri Jul 21 11:15:51 2006 : Debug: modcall[authenticate]: module "ldap" returns invalid for request 0 Fri Jul 21 11:15:51 2006 : Debug: modcall: leaving group LDAP (returns invalid) for request 0 Fri Jul 21 11:15:51 2006 : Debug: auth: Failed to validate the user. Config files are the same of above. Best regards. Giusy Venezia