Trying to integrate with LDAP
Hey, first of all, sorry my poor english, im trying to integrate my LDAP server with the freeradius, before 2 days searching on google i didnt solved the problem. when i use the command: ldapsearch -b "ou=People,dc=xxxxxx,dc=edu,dc=br" -h 200.131.96.47 uid=user1 -D "cn=admin,dc=ifsudeste,dc=edu,dc=br" -W i get this result: # extended LDIF # # LDAPv3 # base <ou=People,dc=xxxxxx,dc=edu,dc=br> with scope subtree # filter: uid=user1 # requesting: ALL # # user1, People, xxxxx.edu.br dn: cn=user1,ou=People,dc=xxxxxx,dc=edu,dc=br cn: user1 givenName: user gidNumber: 501 homeDirectory: /home/users/user1 sn: 1 objectClass: inetOrgPerson objectClass: posixAccount objectClass: top userPassword:: e01ENX1JQ3k1WXF4WkIxdVdTd2NWTFNOTGNBPT0= uidNumber: 1001 uid: user1 when i try: radtest user1 123 127.0.0.1 0 testing123 i get: Sending Access-Request of id 225 to 127.0.0.1 port 1812 User-Name = "user1" User-Password = "123" NAS-IP-Address = 200.131.96.49 NAS-Port = 0 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=225, length=20 and using freeradius -X i see this: rad_recv: Access-Request packet from host 127.0.0.1 port 56729, id=225, length=57 User-Name = "user1" User-Password = "123" NAS-IP-Address = 200.131.96.49 NAS-Port = 0 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} [ldap] performing user authorization for user1 [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> user1 [ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=user1) [ldap] expand: ou=People,dc=xxxxx,dc=edu,dc=br -> ou=People,dc=xxxxxxx,dc=edu,dc=br [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=People,dc=xxxxxx,dc=edu,dc=br, with filter (cn=user1) [ldap] object not found [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Login incorrect ( [ldap] User not found): [user1/123] (from client localhost port 0) Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> user1 can anyone, please, help me? sorry if this is too obvious for someone, for me isnt. thanks.
On 13 Mar 2013, at 18:35, fernando.sg1@gmail.com wrote:
Hey, first of all, sorry my poor english, im trying to integrate my LDAP server with the freeradius, before 2 days searching on google i didnt solved the problem.
when i use the command:
ldapsearch -b "ou=People,dc=xxxxxx,dc=edu,dc=br" -h 200.131.96.47 uid=user1 -D "cn=admin,dc=ifsudeste,dc=edu,dc=br" -W
Here were filtering using the attribute 'uid'
[ldap] expand: %{User-Name} -> user1 [ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=user1) [ldap] expand: ou=People,dc=xxxxx,dc=edu,dc=br -> ou=People,dc=xxxxxxx,dc=edu,dc=br
And here were filtering using the attribute 'cn' edit 'filter' in your ldap configuration file. -Arran
hey, thanks for the quickly repply changed in /modules/ldap ldap { server = "200.xxx.xx.47" # identity = "cn=admin,dc=xxxxx,dc=edu,dc=br" # password = "123abc" basedn = "dc=ifsudeste,dc=edu,dc=br" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" but still dont working rad_recv: Access-Request packet from host 127.0.0.1 port 46813, id=147, length=57 User-Name = "user1" User-Password = "123" NAS-IP-Address = 200.131.96.49 NAS-Port = 0 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} [ldap] performing user authorization for user1 [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> user1 [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=user1) [ldap] expand: dc=xxxx,dc=edu,dc=br -> dc=xxxxx,dc=edu,dc=br [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=xxxxxx,dc=edu,dc=br, with filter (uid=user1) [ldap] object not found [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Login incorrect ( [ldap] User not found): [user1/123] (from client localhost port 0) Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> user1 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 2 for 1 seconds on a tutorial says i need to put that on radiusd.conf: ldap { server = "200.xxx.xx.47" identity = "cn=admin,dc=xxxxx,dc=edu,dc=br" password = "123abc" basedn = "ou=People,dc=xxxxx,dc=edu,dc=br" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" } authenticate { pam unix ldap } i really need to put that? -----Mensagem Original----- From: Arran Cudbard-Bell Sent: Wednesday, March 13, 2013 7:43 PM To: FreeRadius users mailing list Subject: Re: Trying to integrate with LDAP On 13 Mar 2013, at 18:35, fernando.sg1@gmail.com wrote:
Hey, first of all, sorry my poor english, im trying to integrate my LDAP server with the freeradius, before 2 days searching on google i didnt solved the problem.
when i use the command:
ldapsearch -b "ou=People,dc=xxxxxx,dc=edu,dc=br" -h 200.131.96.47 uid=user1 -D "cn=admin,dc=ifsudeste,dc=edu,dc=br" -W
Here were filtering using the attribute 'uid'
[ldap] expand: %{User-Name} -> user1 [ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=user1) [ldap] expand: ou=People,dc=xxxxx,dc=edu,dc=br -> ou=People,dc=xxxxxxx,dc=edu,dc=br
And here were filtering using the attribute 'cn' edit 'filter' in your ldap configuration file. -Arran - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 13 Mar 2013, at 20:00, Fernando Barreto <fernando.sg1@gmail.com> wrote:
hey, thanks for the quickly repply
[ldap] expand: dc=xxxx,dc=edu,dc=br -> dc=xxxxx,dc=edu,dc=br
Bbecause you changed the search DN? In the original request it was:
[ldap] expand: ou=People,dc=xxxxx,dc=edu,dc=br -> ou=People,dc=xxxxxxx,dc=edu,dc=br
Now its:
[ldap] expand: dc=xxxx,dc=edu,dc=br -> dc=xxxxx,dc=edu,dc=br
The and the scope is probably set incorrectly. and no, you don't need to duplicate the ldap config in radiusd.conf. -Arran
I tryed both, with ou= or without I dont kwon what try :s Enviado do meu Android. -----Original Message----- From: Arran Cudbard-Bell <a.cudbardb@freeradius.org> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: qua, 13 mar 2013 21:41 Subject: Re: Trying to integrate with LDAP On 13 Mar 2013, at 20:00, Fernando Barreto <fernando.sg1@gmail.com> wrote:
hey, thanks for the quickly repply
[ldap] expand: dc=xxxx,dc=edu,dc=br -> dc=xxxxx,dc=edu,dc=br
Bbecause you changed the search DN? In the original request it was:
[ldap] expand: ou=People,dc=xxxxx,dc=edu,dc=br -> ou=People,dc=xxxxxxx,dc=edu,dc=br
Now its:
[ldap] expand: dc=xxxx,dc=edu,dc=br -> dc=xxxxx,dc=edu,dc=br
The and the scope is probably set incorrectly. and no, you don't need to duplicate the ldap config in radiusd.conf. -Arran - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
now at the PC, i can write better: 1st: shout i uncoment this 2 lines on /modules/ldap # identity = "cn=admin,dc=xxxxx,dc=edu,dc=br" # password = "123abc" ? i tryed both configs with ou=People or without and dont work. uncomenting the 2 lines i get this on freeradius -X: [ldap] performing user authorization for user1 [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> user1 [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=user1) [ldap] expand: ou=People,dc=xxxx,dc=edu,dc=br -> ou=People,dc=xxxxxx,dc=edu,dc=br [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 200.131.96.47:389, authentication 0 [ldap] bind as cn=admin,dc=xxxxxx,dc=edu,dc=br/123abc to 200.131.96.47:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in ou=People,dc=xxxxx,dc=edu,dc=br, with filter (uid=user1) [ldap] checking if remote access for user1 is allowed by uid [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{MD5}ICy5YqxZB1uWSwcVLSNLcA==" [ldap] looking for reply items in directory... [ldap] Setting Auth-Type = LDAP [ldap] user user1 authorized to use remote access 2013/3/13 Arran Cudbard-Bell <a.cudbardb@freeradius.org>
On 13 Mar 2013, at 20:00, Fernando Barreto <fernando.sg1@gmail.com> wrote:
hey, thanks for the quickly repply
[ldap] expand: dc=xxxx,dc=edu,dc=br -> dc=xxxxx,dc=edu,dc=br
Bbecause you changed the search DN?
In the original request it was:
[ldap] expand: ou=People,dc=xxxxx,dc=edu,dc=br -> ou=People,dc=xxxxxxx,dc=edu,dc=br
Now its:
[ldap] expand: dc=xxxx,dc=edu,dc=br -> dc=xxxxx,dc=edu,dc=br
The and the scope is probably set incorrectly.
and no, you don't need to duplicate the ldap config in radiusd.conf.
-Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 13 Mar 2013, at 22:03, fernando.sg1@gmail.com wrote:
now at the PC, i can write better:
1st: shout i uncoment this 2 lines on /modules/ldap # identity = "cn=admin,dc=xxxxx,dc=edu,dc=br" # password = "123abc" ?
Um yes if you need to do an authenticated bind to search in the directory.
i tryed both configs with ou=People or without and dont work.
uncomenting the 2 lines i get this on freeradius -X:
[ldap] performing user authorization for user1 [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> user1 [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=user1) [ldap] expand: ou=People,dc=xxxx,dc=edu,dc=br -> ou=People,dc=xxxxxx,dc=edu,dc=br [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 200.131.96.47:389, authentication 0 [ldap] bind as cn=admin,dc=xxxxxx,dc=edu,dc=br/123abc to 200.131.96.47:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in ou=People,dc=xxxxx,dc=edu,dc=br, with filter (uid=user1) [ldap] checking if remote access for user1 is allowed by uid [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{MD5}ICy5YqxZB1uWSwcVLSNLcA==" [ldap] looking for reply items in directory... [ldap] Setting Auth-Type = LDAP [ldap] user user1 authorized to use remote access
Which seems to be correct? -Arran
I'm not sure if you are using Novell product or open ldap, but you can see the basic information on how to integrate with LDAP here https://www.netiq.com/documentation/edir_radius/pdfdoc/radiusadmin/radiusadm... -Danny On Thu, Mar 14, 2013 at 11:41 AM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
On 13 Mar 2013, at 22:03, fernando.sg1@gmail.com wrote:
now at the PC, i can write better:
1st: shout i uncoment this 2 lines on /modules/ldap # identity = "cn=admin,dc=xxxxx,dc=edu,dc=br" # password = "123abc" ?
Um yes if you need to do an authenticated bind to search in the directory.
i tryed both configs with ou=People or without and dont work.
uncomenting the 2 lines i get this on freeradius -X:
[ldap] performing user authorization for user1 [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang"
for details
[ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> user1 [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=user1) [ldap] expand: ou=People,dc=xxxx,dc=edu,dc=br -> ou=People,dc=xxxxxx,dc=edu,dc=br [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 200.131.96.47:389, authentication 0 [ldap] bind as cn=admin,dc=xxxxxx,dc=edu,dc=br/123abc to 200.131.96.47:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in ou=People,dc=xxxxx,dc=edu,dc=br, with filter (uid=user1) [ldap] checking if remote access for user1 is allowed by uid [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{MD5}ICy5YqxZB1uWSwcVLSNLcA==" [ldap] looking for reply items in directory... [ldap] Setting Auth-Type = LDAP [ldap] user user1 authorized to use remote access
Which seems to be correct?
-Arran - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Best Regards, Danny
im using openLDAP on ubunto 12.04 LTS i'll look the PDF, but if you can help in my last e-mail. thanks ;) 2013/3/14 Danny Kurniawan <danny.kurniawan@fairchildsemi.com>
I'm not sure if you are using Novell product or open ldap, but you can see the basic information on how to integrate with LDAP here
https://www.netiq.com/documentation/edir_radius/pdfdoc/radiusadmin/radiusadm...
-Danny
On Thu, Mar 14, 2013 at 11:41 AM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
On 13 Mar 2013, at 22:03, fernando.sg1@gmail.com wrote:
now at the PC, i can write better:
1st: shout i uncoment this 2 lines on /modules/ldap # identity = "cn=admin,dc=xxxxx,dc=edu,dc=br" # password = "123abc" ?
Um yes if you need to do an authenticated bind to search in the directory.
i tryed both configs with ou=People or without and dont work.
uncomenting the 2 lines i get this on freeradius -X:
[ldap] performing user authorization for user1 [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang"
for details
[ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> user1 [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=user1) [ldap] expand: ou=People,dc=xxxx,dc=edu,dc=br -> ou=People,dc=xxxxxx,dc=edu,dc=br [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 200.131.96.47:389, authentication 0 [ldap] bind as cn=admin,dc=xxxxxx,dc=edu,dc=br/123abc to 200.131.96.47:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in ou=People,dc=xxxxx,dc=edu,dc=br, with filter (uid=user1) [ldap] checking if remote access for user1 is allowed by uid [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{MD5}ICy5YqxZB1uWSwcVLSNLcA==" [ldap] looking for reply items in directory... [ldap] Setting Auth-Type = LDAP [ldap] user user1 authorized to use remote access
Which seems to be correct?
-Arran - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Best Regards, Danny
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
i put on LDAP (/module) password_attribute = userPassword and now works fine... almost :S he only works with plaintext password, how i change that to use MD5 passwords? 2013/3/14 <fernando.sg1@gmail.com>
im using openLDAP on ubunto 12.04 LTS i'll look the PDF, but if you can help in my last e-mail. thanks ;)
2013/3/14 Danny Kurniawan <danny.kurniawan@fairchildsemi.com>
I'm not sure if you are using Novell product or open ldap, but you can see the basic information on how to integrate with LDAP here
https://www.netiq.com/documentation/edir_radius/pdfdoc/radiusadmin/radiusadm...
-Danny
On Thu, Mar 14, 2013 at 11:41 AM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
On 13 Mar 2013, at 22:03, fernando.sg1@gmail.com wrote:
now at the PC, i can write better:
1st: shout i uncoment this 2 lines on /modules/ldap # identity = "cn=admin,dc=xxxxx,dc=edu,dc=br" # password = "123abc" ?
Um yes if you need to do an authenticated bind to search in the directory.
i tryed both configs with ou=People or without and dont work.
uncomenting the 2 lines i get this on freeradius -X:
[ldap] performing user authorization for user1 [ldap] WARNING: Deprecated conditional expansion ":-". See "man
unlang" for details
[ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> user1 [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=user1) [ldap] expand: ou=People,dc=xxxx,dc=edu,dc=br -> ou=People,dc=xxxxxx,dc=edu,dc=br [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 200.131.96.47:389, authentication 0 [ldap] bind as cn=admin,dc=xxxxxx,dc=edu,dc=br/123abc to 200.131.96.47:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in ou=People,dc=xxxxx,dc=edu,dc=br, with filter (uid=user1) [ldap] checking if remote access for user1 is allowed by uid [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{MD5}ICy5YqxZB1uWSwcVLSNLcA==" [ldap] looking for reply items in directory... [ldap] Setting Auth-Type = LDAP [ldap] user user1 authorized to use remote access
Which seems to be correct?
-Arran - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Best Regards, Danny
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 03/14/2013 01:20 PM, fernando.sg1@gmail.com wrote:
i put on LDAP (/module) password_attribute = userPassword
and now works fine... almost :S he only works with plaintext password, how i change that to use MD5 passwords?
You need to understand the information found here: http://deployingradius.com/documents/protocols/ You also need to understand the difference between using LDAP as an authentication data store (credential storage) and as an authentication oracle (i.e. authentication proxy). You also need to understand that the authorize step passes the incoming request to each module in the authorize section where the module is given a chance to examine the request and decide if it's capable of handling it, this is how the Auth-Type is set. Which modules are defined and their order is significant. This is documented in the raddb/sites-enabled/default config which is a recommended configuration. Until you have these concepts firmly under your grasp you'll likely be frustrated trying to modify the configuration. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Hey, thanks for the help. yeah, this part seems to be ok, the second part i wrongly quoted if i undertood this, freeradius can authorizate but no authenticate, look the full result of freeradius -X # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} [ldap] performing user authorization for user1 [ldap] expand: (uid=%u) -> (uid=user1) [ldap] expand: dc=xxxx,dc=edu,dc=br -> dc=ifsudeste,dc=edu,dc=br [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 200.xx.xx.47:389, authentication 0 [ldap] bind as cn=admin,dc=xxxx,dc=edu,dc=br/123abc to 200.xxx.xx.47:389 [ldap] waiting for bind result ... [ldap] Bind was successful *here he makes the bind and return ok, right?* * * [ldap] performing search in dc=xxxx,dc=edu,dc=br, with filter (uid=user1) <-------- *now he try to find user1 on LDAP base.* [ldap] checking if remote access for user1 is allowed by uid [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{MD5}ICy5YqxZB1uWSwcVLSNLcA==" [ldap] looking for reply items in directory... [ldap] Setting Auth-Type = LDAP [ldap] user user1 authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok <---- *so far... everything o**k * ++[expiration] returns noop ++[logintime] returns noop *now he do that and i dont know why correctly, but i guess now he try to authenticate, am i right?* Found Auth-Type = LDAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group LDAP {...} [ldap] login attempt by "user1" with password "123" [ldap] user DN: cn=user1,ou=People,dc=xxxxxxx,dc=edu,dc=br * <--------------- here he try to bind again!?* [ldap] (re)connect to 200.xxx.xxx.47:389, authentication 1 [ldap] bind as cn=user1,ou=People,dc=xxxxxxx,dc=edu,dc=br/123 to 200.xxx.xx.47:389 *<----- and seems to try to use user1 to bind, but user 1 isn't a bind user* [ldap] waiting for bind result ... [ldap] Bind failed with invalid credentials *<---------- This is what i'm complaining.* ++[ldap] returns reject Failed to authenticate the user. Login incorrect ( [ldap] Bind as user failed): [user1/123] (from client localhost port 10) Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> user1 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated *and the result of radtest is:* radtest user1 123 127.0.0.1 10 testing123 Sending Access-Request of id 156 to 127.0.0.1 port 1812 User-Name = "user1" User-Password = "123" NAS-IP-Address = 200.131.96.47 NAS-Port = 10 rad_recv: *Access-Reject* packet from host 127.0.0.1 port 1812, id=156, length=20 any idea why? 2013/3/14 Arran Cudbard-Bell <a.cudbardb@freeradius.org>
On 13 Mar 2013, at 22:03, fernando.sg1@gmail.com wrote:
now at the PC, i can write better:
1st: shout i uncoment this 2 lines on /modules/ldap # identity = "cn=admin,dc=xxxxx,dc=edu,dc=br" # password = "123abc" ?
Um yes if you need to do an authenticated bind to search in the directory.
i tryed both configs with ou=People or without and dont work.
uncomenting the 2 lines i get this on freeradius -X:
[ldap] performing user authorization for user1 [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang"
for details
[ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> user1 [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=user1) [ldap] expand: ou=People,dc=xxxx,dc=edu,dc=br -> ou=People,dc=xxxxxx,dc=edu,dc=br [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 200.131.96.47:389, authentication 0 [ldap] bind as cn=admin,dc=xxxxxx,dc=edu,dc=br/123abc to 200.131.96.47:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in ou=People,dc=xxxxx,dc=edu,dc=br, with filter (uid=user1) [ldap] checking if remote access for user1 is allowed by uid [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{MD5}ICy5YqxZB1uWSwcVLSNLcA==" [ldap] looking for reply items in directory... [ldap] Setting Auth-Type = LDAP [ldap] user user1 authorized to use remote access
Which seems to be correct?
-Arran - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (5)
-
Arran Cudbard-Bell -
Danny Kurniawan -
Fernando Barreto -
fernando.sg1@gmail.com -
John Dennis