little bugs that appear to have appeared ...

Arran Cudbard-Bell A.Cudbard-Bell at
Thu Sep 27 12:23:10 CEST 2007


rlm_ldap: performing user authorization for
        expand: %{Stripped-User-Name} -> eun20
        expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=eun20)
        expand: ou=unix ,ou=uscs, o=University of Sussex -> ou=unix 
,ou=uscs, o=University of Sussex
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=unix ,ou=uscs, o=University of Sussex, 
with filter (uid=eun20)
rlm_ldap: checking if remote access for eun20 at is allowed by 
rlm_ldap: Added Crypt-Password = gsQB00xxxxxx in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute ntPassword as RADIUS attribute NT-Password == 
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that 
the user is configured correctly?
rlm_ldap: user eun20 at authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0

2 good passwords found, should not be be being warned.
Passwords are being stored in the standard password LDAP attributes, in 
the standard ldap attribute map file.

So thats UserPassword and NTPassword , header recognition is on in LDAP 
The crypt passwords are in format {crypt}56bit des salted hash.

NT4 Passwords without the 0x prefix are also printed wrong, which is 
problematic for debugging.

    426         Post-Auth-Type REJECT {
    427                 update reply {
    428                         # Update event type for logging in 
events table.
    429                         Event-Type := '12'
    430                 }
    431                 # Log rejected attempts to help with debugging
    432                 sql
    433                 attr_filter.access_reject
    434                 # SQL Clients generates event with limited 
information in roaming table
    435                 sql_roaming
    436         }

update reply in the Post-Auth-Type blocks doesn't work.

%{reply:Event-Type} in the sql query expands to ''

Event-Type is an int defined in the sussex_vendor dictionary.

Setting Event-Type in the main body of Post-Auth works fine.

Arran Cudbard-Bell (A.Cudbard-Bell at
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900

More information about the Freeradius-Devel mailing list