ldap basedn assignment
ggreen at olemiss.edu
Wed Aug 3 20:06:55 CEST 2005
> How do you have this setup? Check out doc/configurable_failover. That
> should show you how to do it.

I'm using configurable failover to get it to roll as it is.
From my radiusd.conf file:

Authorize{
    ldap1{
        reject=1
    }
    ldap2{
        reject=1
        ok=return
    }
}
Authenticate{
    Auth-Type LDAP {
        ldap1{
            reject=1
            ok=return
        }
        ldap2{
            reject=1
            ok=return
        }
    }
}

The output I see when I try to authenticate with an openldap
username/password where the username is also in AD:

rad_recv: Access-Request packet from host 130.74.186.38:17688, id=1, length=46
    User-Name = "username"
    User-Password = "test123"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for username
radius_xlat: '(sAMAccountName=username)'
radius_xlat: 'cn=Users,dc=dept,dc=university,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ad.dept.university.edu:389, authentication 0
rlm_ldap: bind as cn=aduser,cn=Users,dc=dept,dc=university,dc=edu/adpassword to ad.dept.university.edu:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in cn=Users,dc=dept,dc=university,dc=edu, with filter (sAMAccountName=username)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user username authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap1" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for username
radius_xlat: '(uid=username)'
radius_xlat: 'dc=university,dc=edu,c=US'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to openldap.university.edu:1744, authentication 0
rlm_ldap: bind as uid=ldapuser,ou=Special Users,dc=university,dc=edu,c=US/ldappassword to openldap.university.edu:1744
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=university,dc=edu,c=US, with filter (uid=username)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user username authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap2" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "username" with password "test123"
rlm_ldap: user DN: CN=name\, user,CN=Users,DC=dept,DC=university,DC=edu
rlm_ldap: (re)connect to ad.dept.university.edu:389, authentication 1
rlm_ldap: bind as CN=name\, user,CN=Users,DC=dept,DC=university,DC=edu/test123 to ad.dept.university.edu:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
modcall[authenticate]: module "ldap1" returns reject for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "username" with password "test123"
rlm_ldap: user DN: CN=name\, user,CN=Users,DC=dept,DC=university,DC=edu
rlm_ldap: (re)connect to openldap.university.edu:1744, authentication 1
(THIS LINE IS THE PROBLEM) rlm_ldap: bind as CN=name\, user,CN=Users,DC=dept,DC=university,DC=edu/test123 to openldap.university.edu:1744
rlm_ldap: waiting for bind result ...
rlm_ldap: CN=name\, user,CN=Users,DC=dept,DC=university,DC=edu bind to openldap.university.edu:1744 failed No such object
rlm_ldap: ldap_connect() failed
modcall[authenticate]: module "ldap2" returns fail for request 0
modcall: group Auth-Type returns fail for request 0
auth: Failed to validate the user.

The above problem line should be:
rlm_ldap: bind as uid=username, ou=People, dc=university,dc=edu,c=us/test123 to openldap.university.edu:1744

However, it is taking the userdn from the ad server which
gave the first authorize ok. What I need is for it to
attempt to authenticate with the appropriate userdn
depending on which server it is authenticating to. So it
would use the userdn from AD authenticating to the AD server
and the openldap userdn when authenticating to the openldap
server.
Thanks
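
Added example, not part of the original post and not FreeRADIUS code: a small Python checker that reads rlm_ldap debug output with one record per line and reports every user bind whose DN lies outside the base that was searched on the same server during authorize, which is the mismatch described above. The function names and the condensed sample log are constructed for illustration; DN comparison is assumed to be case-insensitive, and the bind password is matched but never captured or reported.

```python
import re

# Condensed, unwrapped lines modelled on the debug output in the post (constructed sample).
SAMPLE_LOG = r"""
rlm_ldap: (re)connect to ad.dept.university.edu:389, authentication 0
rlm_ldap: performing search in cn=Users,dc=dept,dc=university,dc=edu, with filter (sAMAccountName=username)
rlm_ldap: (re)connect to openldap.university.edu:1744, authentication 0
rlm_ldap: performing search in dc=university,dc=edu,c=US, with filter (uid=username)
rlm_ldap: (re)connect to ad.dept.university.edu:389, authentication 1
rlm_ldap: bind as CN=name\, user,CN=Users,DC=dept,DC=university,DC=edu/test123 to ad.dept.university.edu:389
rlm_ldap: (re)connect to openldap.university.edu:1744, authentication 1
rlm_ldap: bind as CN=name\, user,CN=Users,DC=dept,DC=university,DC=edu/test123 to openldap.university.edu:1744
"""

CONNECT = re.compile(r"\(re\)connect to (\S+), authentication (\d)")
SEARCH = re.compile(r"performing search in (.+), with filter ")
BIND = re.compile(r"bind as (.+)/[^/]* to (\S+)$")  # password is matched but not captured

def rdns(dn):
    """Split a DN on unescaped commas; trim and lower-case each RDN (assumption: case-insensitive)."""
    return [part.strip().lower() for part in re.split(r"(?<!\\),", dn)]

def is_under(dn, base):
    """True when the RDNs of base form the tail of the RDNs of dn."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[-len(b):] == b

def find_foreign_binds(log):
    """Return (server, dn, base) for each user bind whose DN is outside that server's search base."""
    bases, findings, server, user_bind = {}, [], None, False
    for line in log.splitlines():
        if m := CONNECT.search(line):
            # "authentication 1" marks the bind made with the user's own credentials
            server, user_bind = m.group(1), m.group(2) == "1"
        elif (m := SEARCH.search(line)) and server:
            bases[server] = m.group(1)
        elif (m := BIND.search(line)) and user_bind:
            dn, target = m.groups()
            base = bases.get(target)
            if base and not is_under(dn, base):
                findings.append((target, dn, base))
    return findings

if __name__ == "__main__":
    for server, dn, base in find_foreign_binds(SAMPLE_LOG):
        print(f"{server}: bind DN {dn!r} is outside search base {base!r}")
```

Debug output like the log above contains cleartext bind and user passwords, so run the checker on a copy kept with the same care as the credentials themselves.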