compare check items in LDAP - pairs do not match
Hi, When I set compare_check_items in modules { ldap {} }, I'm getting the errors below: rad_recv: Access-Request packet from host 127.0.0.1 port 58575, id=39, length=96 User-Name = "user10" User-Password = "abc123" Calling-Station-Id = "00:18:DE:28:7C:7C" Message-Authenticator = 0xcfe57cf5ca3366338fd35142085e45b8 EAP-Message = 0x02d2000b01757365723130 +- entering group authorize ++[preprocess] returns ok rlm_ldap: - authorize rlm_ldap: performing user authorization for user10 expand: (uid=%u) -> (uid=user10) expand: dc=iiu,dc=edu,dc=my -> dc=iiu,dc=edu,dc=my rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=iiu,dc=edu,dc=my, with filter (uid=user10) rlm_ldap: checking if remote access for user10 is allowed by radiusFilterId rlm_ldap: looking for check items in directory... rlm_ldap: LDAP attribute macAddress as RADIUS attribute Calling-Station-Id == "00:18:DE:28:7C:7C" rlm_ldap: LDAP attribute userPassword as RADIUS attribute User-Password == "{sha}Y2fEjdGT1W6nsLqtJbGUVeUp9e4=" rlm_ldap: looking for reply items in directory... rlm_ldap: LDAP attribute radiusFilterId as RADIUS attribute Filter-Id = "1" rlm_ldap: Pairs do not match. Rejecting user. rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns reject Invalid user (rlm_ldap: Pairs do not match): [user10/abc123] (from client localhost port 0 cli 00:18:DE:28:7C:7C) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> user10 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 39 to 127.0.0.1 port 58575 Finished request 2. Going to the next request Waking up in 4.9 seconds. Cleaning up request 2 ID 39 with timestamp +42 Ready to process requests. In ldap.attr, Calling-Station-Id is mapped to macAddress. In modules checkval, item-name is Calling-Station-Id, while check-name is macAddress. The macAddress is stored using ":" as delimiter in OpenLDAP What I was tasked to do is to authorize the user based on the password and macAddress pair. Prior to this, I've been able to do the following successfully - basic LDAP authentication with username/password stored in LDAP - EAP-TTLS with username/password stored in LDAP - EAP-GTC with username/password stored in LDAP - PAP with username/password stored in LDAP These have been tested locally (using radtest and radeapclient) and also via a NAS. Regards, --mel
participants (1)
-
mel