Hey, thanks for the help. yeah, this part seems to be ok, the second part i wrongly quoted if i undertood this, freeradius can authorizate but no authenticate, look the full result of freeradius -X # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} [ldap] performing user authorization for user1 [ldap] expand: (uid=%u) -> (uid=user1) [ldap] expand: dc=xxxx,dc=edu,dc=br -> dc=ifsudeste,dc=edu,dc=br [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 200.xx.xx.47:389, authentication 0 [ldap] bind as cn=admin,dc=xxxx,dc=edu,dc=br/123abc to 200.xxx.xx.47:389 [ldap] waiting for bind result ... [ldap] Bind was successful *here he makes the bind and return ok, right?* * * [ldap] performing search in dc=xxxx,dc=edu,dc=br, with filter (uid=user1) <-------- *now he try to find user1 on LDAP base.* [ldap] checking if remote access for user1 is allowed by uid [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{MD5}ICy5YqxZB1uWSwcVLSNLcA==" [ldap] looking for reply items in directory... [ldap] Setting Auth-Type = LDAP [ldap] user user1 authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok <---- *so far... everything o**k * ++[expiration] returns noop ++[logintime] returns noop *now he do that and i dont know why correctly, but i guess now he try to authenticate, am i right?* Found Auth-Type = LDAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group LDAP {...} [ldap] login attempt by "user1" with password "123" [ldap] user DN: cn=user1,ou=People,dc=xxxxxxx,dc=edu,dc=br * <--------------- here he try to bind again!?* [ldap] (re)connect to 200.xxx.xxx.47:389, authentication 1 [ldap] bind as cn=user1,ou=People,dc=xxxxxxx,dc=edu,dc=br/123 to 200.xxx.xx.47:389 *<----- and seems to try to use user1 to bind, but user 1 isn't a bind user* [ldap] waiting for bind result ... [ldap] Bind failed with invalid credentials *<---------- This is what i'm complaining.* ++[ldap] returns reject Failed to authenticate the user. Login incorrect ( [ldap] Bind as user failed): [user1/123] (from client localhost port 10) Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> user1 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated *and the result of radtest is:* radtest user1 123 127.0.0.1 10 testing123 Sending Access-Request of id 156 to 127.0.0.1 port 1812 User-Name = "user1" User-Password = "123" NAS-IP-Address = 200.131.96.47 NAS-Port = 10 rad_recv: *Access-Reject* packet from host 127.0.0.1 port 1812, id=156, length=20 any idea why? 2013/3/14 Arran Cudbard-Bell <a.cudbardb@freeradius.org>
On 13 Mar 2013, at 22:03, fernando.sg1@gmail.com wrote:
now at the PC, i can write better:
1st: shout i uncoment this 2 lines on /modules/ldap # identity = "cn=admin,dc=xxxxx,dc=edu,dc=br" # password = "123abc" ?
Um yes if you need to do an authenticated bind to search in the directory.
i tryed both configs with ou=People or without and dont work.
uncomenting the 2 lines i get this on freeradius -X:
[ldap] performing user authorization for user1 [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang"
for details
[ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> user1 [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=user1) [ldap] expand: ou=People,dc=xxxx,dc=edu,dc=br -> ou=People,dc=xxxxxx,dc=edu,dc=br [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 200.131.96.47:389, authentication 0 [ldap] bind as cn=admin,dc=xxxxxx,dc=edu,dc=br/123abc to 200.131.96.47:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in ou=People,dc=xxxxx,dc=edu,dc=br, with filter (uid=user1) [ldap] checking if remote access for user1 is allowed by uid [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{MD5}ICy5YqxZB1uWSwcVLSNLcA==" [ldap] looking for reply items in directory... [ldap] Setting Auth-Type = LDAP [ldap] user user1 authorized to use remote access
Which seems to be correct?
-Arran - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html