Freeradius How to integrate Active Directory and return groupattribute to VPN Concentrator

Alhagie Puye APuye at datawave.com
Thu Dec 1 01:06:35 CET 2005


OK, so I played around some more with the settings.

Actually "group" and "groupofnames" are not correct attributes for a user.

It is supposed to be "memberof". So I changed the line in ldap.attrmap to
look like:

replyItem       Class                           memberof

Now I'm getting replyItems but the data looks like garbage. I want it to
return the group name.

Here is the output:

* host: SERVER.corp.van.dwave  port: 389  (default)
  refcnt: 1  status: Connected
  last used: Wed Nov 30 15:43:08 2005

** Outstanding Requests:
 * msgid 19,  origid 16, status InProgress
   outstanding referrals 0, parent count 1
 * msgid 17,  origid 16, status Request Completed
   outstanding referrals 0, parent count 1
 * msgid 16,  origid 16, status Request Completed
   outstanding referrals 1, parent count 0
** Response Queue:
 * msgid 16,  type 100
ldap_chkResponseList for msgid=16, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 16, all 1
ldap_read: message type search-result msgid 19, original id 16
new result:  res_errno: 0, res_error: <>, res_matched: <>
read1msg:  0 new referrals
read1msg:  mark request completed, id = 19
merged parent (id 16) error info:  result errno 0, error <>, matched <>
request 16 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 16, msgid 16)
ldap_free_request (origid 16, msgid 19)
ldap_free_request (origid 16, msgid 17)
ldap_free_connection
ldap_send_unbind
ldap_free_connection: actually freed
adding response id 16 type 101:
ldap_parse_result
ldap_get_dn
ldap_get_values
rlm_ldap: looking for check items in directory...
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
rlm_ldap: looking for reply items in directory...
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
rlm_ldap: Adding memberof as Class, value CN & op=11
rlm_ldap: Adding memberof as Class, value CN & op=11
rlm_ldap: Adding memberof as Class, value CN & op=11
rlm_ldap: Adding memberof as Class, value CN & op=11
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
rlm_ldap: user apuye authorized to use remote access
ldap_msgfree
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "apuye" with password "XXXXXXXXX"
rlm_ldap: user DN: CN=Alhagie Puye,OU=Information Technology,OU=DataWave
Users,DC=corp,DC=van,DC=dwave
rlm_ldap: (re)connect to SERVER.corp.van.dwave:389, authentication 1
ldap_create
rlm_ldap: bind as CN=Alhagie Puye,OU=Information Technology,OU=DataWave
Users,DC=corp,DC=van,DC=dwave/XXXXXXXXX to SERVER.corp.van.dwave:389
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP SERVER.corp.van.dwave:389
ldap_new_socket: 7
ldap_prepare_socket: 7
ldap_connect_to_host: Trying w.x.y.z:389
ldap_connect_timeout: fd: 7 tm: 10 async: 0
ldap_ndelay_on: 7
ldap_is_sock_ready: 7
ldap_ndelay_off: 7
ldap_open_defconn: successful
ldap_send_server_request
rlm_ldap: waiting for bind result ...
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (timeout 40 sec, 0 usec), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: SERVER.corp.van.dwave  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Nov 30 15:43:08 2005

** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ldap_read: message type bind msgid 1, original id 1
new result:  res_errno: 0, res_error: <>, res_matched: <>
read1msg:  0 new referrals
read1msg:  mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ldap_msgfree
rlm_ldap: Bind was successful
rlm_ldap: user apuye authenticated succesfully
ldap_free_connection
ldap_send_unbind
ldap_free_connection: actually freed
  modcall[authenticate]: module "ldap" returns ok for request 0
modcall: group Auth-Type returns ok for request 0
Sending Access-Accept of id 225 to 127.0.0.1:54101
        Service-Type = Login-User
        Class = 0x434e
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 225 with timestamp 438e390c
Nothing to do.  Sleeping until we see a request.

Hmm....I guess I would have to send both user and group information to
get this working. I would like to authenticate the user but it is
actually the group name that I need returned.

Here is the LDIF format for the group:

dn: CN=itops,OU=Information Technology,OU=DataWave
Users,DC=corp,DC=van,DC=dwave
changetype: add
member: 
 CN=Alhagie Puye,OU=Information Technology,OU=DataWave
Users,DC=corp,DC=van,
 DC=dwave
cn: itops
description: IT Operations Staff
dSCorePropagationData: 20041203232658.0Z
dSCorePropagationData: 20041203231653.0Z
dSCorePropagationData: 20041203221337.0Z
dSCorePropagationData: 20040820205210.0Z
dSCorePropagationData: 16020125025705.0Z
mail: all-itops at datawave.ca
groupType: -2147483646
instanceType: 4
distinguishedName: 
 CN=itops,OU=Information Technology,OU=DataWave
Users,DC=corp,DC=van,DC=dwave
objectCategory:
CN=Group,CN=Schema,CN=Configuration,DC=corp,DC=van,DC=dwave
objectClass: group
objectGUID:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX==
objectSid:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX==
name: itops
sAMAccountName: itops
sAMAccountType: 268435456
uSNChanged: 5713274
uSNCreated: 1615
whenChanged: 20050902200841.0Z
whenCreated: 20030119021132.0Z
msSFU30GidNumber: 1001
msSFU30Name: itops
msSFU30NisDomain: corp

It is the "name" or "sAMAccountName" attribute that I want returned when
a user is authenticated.

Thanks,


Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817  

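The `Class = 0x434e` in the Access-Accept above is the two ASCII bytes "CN": the value handed to the reply item was cut off at the first "=" of the memberOf DN, so the group name never made it into the attribute. What is actually wanted is the value of the CN RDN ("itops"), which for an AD group equals the `name`/`sAMAccountName` shown in the LDIF. The script below is an added example, not code from the post or from FreeRADIUS: it takes the memberOf values from the ldapsearch output (re-joined here as constructed sample data), splits each DN into RDNs while honouring RFC 4514 backslash escapes, pulls out the group name, decodes the hex Class dump, and picks the single group that a VPN policy would map to a Class value. The `allowed_groups` list and the helper names are assumptions for illustration.

```python
"""Added example (not from the list post or from rlm_ldap): derive the AD
group name (the CN RDN) from memberOf DNs, which is the value the poster
wants in the RADIUS Class reply attribute."""
import binascii

# Constructed sample: the four memberOf values from the ldapsearch output in
# the post, with the e-mail line-wrap spaces removed.
SAMPLE_MEMBEROF = [
    "CN=itops-folder,OU=SHARED FOLDERS,OU=DataWave Users,DC=corp,DC=van,DC=dwave",
    "CN=rptpcps,OU=DataWave Users,DC=corp,DC=van,DC=dwave",
    "CN=itops,OU=Information Technology,OU=DataWave Users,DC=corp,DC=van,DC=dwave",
    "CN=datawave,OU=DataWave Users,DC=corp,DC=van,DC=dwave",
]


def split_rdns(dn):
    """Split a DN string into its RDN strings.

    A comma preceded by a backslash (RFC 4514 escape) is part of the value,
    e.g. 'CN=Puye\\, Alhagie', and must not split the RDN."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])   # keep escape pair intact for unescape()
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def unescape(value):
    """Undo RFC 4514 escaping: '\\,' -> ',' and '\\2C' (hex pair) -> ','.

    Hex pairs are collected as raw bytes so multi-byte UTF-8 escapes decode."""
    out, i = bytearray(), 0
    hexdigits = "0123456789abcdefABCDEF"
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in hexdigits for c in pair):
                out.append(int(pair, 16))
                i += 3
                continue
            out += value[i + 1].encode("utf-8")
            i += 2
            continue
        out += value[i].encode("utf-8")
        i += 1
    return out.decode("utf-8")


def group_cn(dn):
    """Return the unescaped value of the first CN= RDN, or None if absent."""
    for rdn in split_rdns(dn):
        attr, sep, val = rdn.partition("=")
        if sep and attr.strip().lower() == "cn":
            return unescape(val.strip())
    return None


def group_names(memberof_values):
    """Group names (CN values) for every memberOf DN that has a CN RDN."""
    return [g for g in (group_cn(dn) for dn in memberof_values) if g is not None]


def decode_hex_class(hex_attr):
    """Decode the hex form radiusd prints for a binary Class value ('0x434e')."""
    return binascii.unhexlify(hex_attr[2:]).decode("ascii")


def class_value_for(memberof_values, allowed_groups):
    """Choose the Class value: the one group the user holds that is also in
    allowed_groups (hypothetical VPN group policy). Returns None when zero or
    more than one group matches, so an ambiguous user is not silently assigned."""
    allowed = {g.lower() for g in allowed_groups}
    matches = [g for g in group_names(memberof_values) if g.lower() in allowed]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    print("debug Class value decodes to:", decode_hex_class("0x434e"))
    print("groups:", group_names(SAMPLE_MEMBEROF))
    print("Class for VPN:", class_value_for(SAMPLE_MEMBEROF, ["itops"]))
```

Returning `None` when the user is in two allowed groups is deliberate: a concentrator that locks users into a group by Class should not be fed whichever DN happened to come first in memberOf.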
> >-----Original Message-----
> >From: freeradius-users-bounces at lists.freeradius.org 
> >[mailto:freeradius-users-bounces at lists.freeradius.org] On 
> >Behalf Of Alhagie Puye
> >Sent: November 30, 2005 10:35 AM
> >To: FreeRadius users mailing list
> >Subject: RE: Freeradius How to integrate Active Directory 
> >and return groupattribute to VPN Concentrator
> >
> >Here is an ldap query output for a user:
> >
> >
> >waggawagga raddb # ldapsearch -LLL -h w.x.y.z -x -b 
> >'dc=corp,dc=van,dc=dwave' '(&(memberof=CN=rptpcps,OU=DataWave
> >Users,DC=corp,DC=van,DC=dwave)(samaccountname=apuye))' -D 
> >apuye at corp.van.dwave -w XXXXXXXX
> >
> >
> >dn: CN=Alhagie Puye,OU=Information Technology,OU=DataWave 
> >Users,DC=corp,DC=van  ,DC=dwave
> >memberOf: CN=itops-folder,OU=SHARED FOLDERS,OU=DataWave 
> >Users,DC=corp,DC=van,D  C=dwave
> >memberOf: CN=rptpcps,OU=DataWave Users,DC=corp,DC=van,DC=dwave
> >memberOf: CN=itops,OU=Information Technology,OU=DataWave 
> >Users,DC=corp,DC=van,  DC=dwave
> >memberOf: CN=datawave,OU=DataWave Users,DC=corp,DC=van,DC=dwave
> >accountExpires: 9223372036854775807
> >badPasswordTime: 127778245108916810
> >badPwdCount: 0
> >codePage: 0
> >cn: Alhagie Puye
> >countryCode: 0
> >description: IT Operations
> >displayName: Alhagie Puye
> >givenName: Alhagie
> >homeDirectory: \\fs1\apuye
> >homeDrive: H:
> >instanceType: 4
> >lastLogoff: 0
> >lastLogon: 127778426282888816
> >logonCount: 196
> >msNPAllowDialin: TRUE
> >distinguishedName: CN=Alhagie Puye,OU=Information 
> >Technology,OU=DataWave Users  ,DC=corp,DC=van,DC=dwave
> >objectCategory:
> >CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=van,DC=dwave
> >objectClass: top
> >objectClass: person
> >objectClass: organizationalPerson
> >objectClass: user
> >objectGUID:: oO1UkRu8RkScNIOHmaB/qw==
> >objectSid:: AQUAAAAAAAUVAAAAzSmuLihcKk12fipaZwkAAA==
> >primaryGroupID: 513
> >profilePath: \\fs2\profiles\apuye
> >pwdLastSet: 127771529310887572
> >name: Alhagie Puye
> >sAMAccountName: apuye
> >sAMAccountType: 805306368
> >sn: Puye
> >userAccountControl: 512
> >userParameters::
> >bTogICAgICAgICAgICAgICAgICAgIGQJICAgICAgICAgICAgICAgICAgICAgI
> > 
> >CAgUBAaCAFDdHhDZmdQcmVzZW5045S15pSx5oiw44GiGAgBQ3R4Q2ZnRmxhZ3
> >Mx44Cw44Gm4
> >6Cy44
> > 
> >C5FggBQ3R4Q2FsbGJhY2vjgLDjgLDjgLDjgLASCAFDdHhTaGFkb3fjhLDjgLD
> >jgLDjgLAoCA
> >FDdHh
> > 
> >NYXhDb25uZWN0aW9uVGltZeOAsOOAsOOAsOOAsC4IAUN0eE1heERpc2Nvbm5l
> >Y3Rpb25UaW1
> >l44Cw
> > 
> >44Cw44Cw44CwHAgBQ3R4TWF4SWRsZVRpbWXjgLDjgLDjgLDjgLAiCAFDdHhLZ
> >Xlib2FyZExh
> >eW91d
> > 
> >OOAsOOAsOOAsOOAsCoCAUN0eE1pbkVuY3J5cHRpb25MZXZlbOOEsCACAUN0eF
> >dvcmtEaXJlY
> >3Rvcn
> > 
> >njgLAgAgFDdHhOV0xvZ29uU2VydmVy44CwGAIBQ3R4V0ZIb21lRGly44CwIgI
> >BQ3R4V0ZIb2
> >1lRGl
> > 
> >yRHJpdmXjgLAgAgFDdHhXRlByb2ZpbGVQYXRo44CwIgIBQ3R4SW5pdGlhbFBy
> >b2dyYW3jgLA
> >iAgFD
> > dHhDYWxsYmFja051bWJlcuOAsA==
> >userPrincipalName: apuye at corp.van.dwave
> >uSNChanged: 7588047
> >uSNCreated: 5713011
> >whenChanged: 20051122170851.0Z
> >whenCreated: 20050902184213.0Z
> >
> ># refldap://corp.van.dwave/CN=Configuration,DC=corp,DC=van,DC=dwave
> >
> >
> >
> >I would like the group that the user is a member of to be 
> >sent back in the replyItem. I need this value for locking 
> >the user into groups on the Cisco VPN Concentrator. That's 
> >the only portion I'm missing.
> >
> >Here is an output of the debug when I authenticate the user:
> >
> >put_filter: "(cn=itops)"
> >put_filter: simple
> >put_simple_filter: "cn=itops"
> >ldap_send_initial_request
> >ldap_send_server_request
> >ldap_result msgid 15
> >ldap_chkResponseList for msgid=15, all=1 
> >ldap_chkResponseList returns NULL wait4msg (timeout 40 sec, 
> >0 usec), msgid 15 wait4msg continue, msgid 15, all 1
> >** Connections:
> >* host: SERVER.corp.van.dwave  port: 389  (default)
> >  refcnt: 2  status: Connected
> >  last used: Wed Nov 30 10:18:54 2005
> >
> >** Outstanding Requests:
> > * msgid 15,  origid 15, status InProgress
> >   outstanding referrals 0, parent count 0
> >** Response Queue:
> >   Empty
> >ldap_chkResponseList for msgid=15, all=1 
> >ldap_chkResponseList returns NULL ldap_int_select
> >read1msg: msgid 15, all 1
> >ldap_read: message type search-entry msgid 15, original id 15
> >wait4msg:  39 secs to go
> >wait4msg continue, msgid 15, all 1
> >** Connections:
> >* host: SERVER.corp.van.dwave  port: 389  (default)
> >  refcnt: 2  status: Connected
> >  last used: Wed Nov 30 10:18:54 2005
> >
> >** Outstanding Requests:
> > * msgid 15,  origid 15, status InProgress
> >   outstanding referrals 0, parent count 0
> >** Response Queue:
> > * msgid 15,  type 100
> >ldap_chkResponseList for msgid=15, all=1 
> >ldap_chkResponseList returns NULL ldap_int_select
> >read1msg: msgid 15, all 1
> >ldap_read: message type search-result msgid 15, original id 
> >15 new result:  res_errno: 0, res_error: <>, res_matched: <>
> >read1msg:  0 new referrals
> >read1msg:  mark request completed, id = 15 request 15 done
> >res_errno: 0, res_error: <>, res_matched: <> 
> >ldap_free_request (origid 15, msgid 15) ldap_free_connection
> >ldap_free_connection: refcnt 1
> >adding response id 15 type 101:
> >ldap_parse_result
> >ldap_msgfree
> >ldap_msgfree
> >rlm_ldap::ldap_groupcmp: User found in group itops
> >rlm_ldap: ldap_release_conn: Release Id: 0
> >    users: Matched entry DEFAULT at line 155
> >  modcall[authorize]: module "files" returns ok for request 0
> >rlm_ldap: - authorize
> >rlm_ldap: performing user authorization for apuye
> >radius_xlat:  '(&(sAMAccountName=apuye)(objectclass=user))'
> >radius_xlat:  'DC=corp,DC=van,DC=dwave'
> >rlm_ldap: ldap_get_conn: Checking Id: 0
> >rlm_ldap: ldap_get_conn: Got Id: 0
> >rlm_ldap: performing search in DC=corp,DC=van,DC=dwave, with filter
> >(&(sAMAccountName=apuye)(objectclass=user))
> >ldap_search
> >put_filter: "(&(sAMAccountName=apuye)(objectclass=user))"
> >put_filter: AND
> >put_filter_list "(sAMAccountName=apuye)(objectclass=user)"
> >put_filter: "(sAMAccountName=apuye)"
> >put_filter: simple
> >put_simple_filter: "sAMAccountName=apuye"
> >put_filter: "(objectclass=user)"
> >put_filter: simple
> >put_simple_filter: "objectclass=user"
> >ldap_send_initial_request
> >ldap_send_server_request
> >ldap_result msgid 16
> >ldap_chkResponseList for msgid=16, all=1 
> >ldap_chkResponseList returns NULL wait4msg (timeout 40 sec, 
> >0 usec), msgid 16 wait4msg continue, msgid 16, all 1
> >** Connections:
> >* host: SERVER.corp.van.dwave  port: 389  (default)
> >  refcnt: 2  status: Connected
> >  last used: Wed Nov 30 10:18:54 2005
> >
> >** Outstanding Requests:
> > * msgid 16,  origid 16, status InProgress
> >   outstanding referrals 0, parent count 0
> >** Response Queue:
> >   Empty
> >ldap_chkResponseList for msgid=16, all=1 
> >ldap_chkResponseList returns NULL ldap_int_select
> >read1msg: msgid 16, all 1
> >ldap_read: message type search-entry msgid 16, original id 16
> >wait4msg:  39 secs to go
> >wait4msg continue, msgid 16, all 1
> >** Connections:
> >* host: SERVER.corp.van.dwave  port: 389  (default)
> >  refcnt: 2  status: Connected
> >  last used: Wed Nov 30 10:18:54 2005
> >
> >** Outstanding Requests:
> > * msgid 16,  origid 16, status InProgress
> >   outstanding referrals 0, parent count 0
> >** Response Queue:
> > * msgid 16,  type 100
> >ldap_chkResponseList for msgid=16, all=1 
> >ldap_chkResponseList returns NULL ldap_int_select
> >read1msg: msgid 16, all 1
> >ldap_read: message type search-reference msgid 16, original 
> >id 16 ldap_chase_v3referrals 
> >ldap_url_parse_ext(ldap://corp.van.dwave/CN=Configuration,DC=
> >corp,DC=van
> >,DC=dwave)
> >re_encode_request: new msgid 17, new dn
> ><CN=Configuration,DC=corp,DC=van,DC=dwave>
> >re_encode_request new request is:
> >ber_dump: buf=0x0815ec00 ptr=0x0815ef76 end=0x0815fbdc len=886
> >  0000:  72 64 72 64 00 00 00 00  00 00 00 00 00 00 00 00 
> >rdrd............  
> >  0010:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0020:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0030:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0040:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0050:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0060:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0070:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0080:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0090:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  00a0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  00b0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  00c0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  00d0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  00e0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  00f0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0100:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0110:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0120:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0130:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0140:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0150:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0160:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0170:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0180:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0190:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  01a0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  01b0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  01c0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  01d0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  01e0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  01f0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0200:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0210:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0220:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0230:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0240:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0250:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0260:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0270:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0280:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0290:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  02a0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  02b0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  02c0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  02d0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  02e0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  02f0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0300:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0310:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0320:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0330:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0340:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0350:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0360:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0370:  00 00 00 00 00 00                                  ......
> >
> >ldap_chase_v3referral: msgid 16, url
> >"ldap://corp.van.dwave/CN=Configuration,DC=corp,DC=van,DC=dwave"
> >ldap_send_server_request
> >ldap_new_connection
> >ldap_int_open_connection
> >ldap_connect_to_host: TCP corp.van.dwave:389
> >ldap_new_socket: 7
> >ldap_prepare_socket: 7
> >ldap_connect_to_host: Trying w.x.y.z:389
> >ldap_connect_timeout: fd: 7 tm: 10 async: 0
> >ldap_ndelay_on: 7
> >ldap_is_sock_ready: 7
> >ldap_ndelay_off: 7
> >anonymous rebind via ldap_bind_s
> >ldap_bind_s
> >ldap_simple_bind_s
> >ldap_sasl_bind_s
> >ldap_sasl_bind
> >ldap_send_initial_request
> >ldap_send_server_request
> >ldap_result msgid 18
> >ldap_chkResponseList for msgid=18, all=1 
> >ldap_chkResponseList returns NULL wait4msg (infinite 
> >timeout), msgid 18 wait4msg continue, msgid 18, all 1
> >** Connections:
> >* host: corp.van.dwave  port: 0
> >  refcnt: 2  status: Connected
> >  last used: Wed Nov 30 10:18:54 2005
> >  rebind in progress
> >    queue is empty
> >
> >* host: SERVER.corp.van.dwave  port: 389  (default)
> >  refcnt: 2  status: Connected
> >  last used: Wed Nov 30 10:18:54 2005
> >
> >** Outstanding Requests:
> > * msgid 18,  origid 18, status InProgress
> >   outstanding referrals 0, parent count 0
> > * msgid 16,  origid 16, status InProgress
> >   outstanding referrals 1, parent count 0
> >** Response Queue:
> > * msgid 16,  type 100
> >ldap_chkResponseList for msgid=18, all=1 
> >ldap_chkResponseList returns NULL ldap_int_select
> >read1msg: msgid 18, all 1
> >ldap_read: message type search-result msgid 16, original id 
> >16 new result:  res_errno: 0, res_error: <>, res_matched: <>
> >read1msg:  0 new referrals
> >read1msg:  mark request completed, id = 16 ldap_free_connection
> >ldap_free_connection: refcnt 1
> >wait4msg continue, msgid 18, all 1
> >** Connections:
> >* host: corp.van.dwave  port: 0
> >  refcnt: 2  status: Connected
> >  last used: Wed Nov 30 10:18:54 2005
> >  rebind in progress
> >    queue is empty
> >
> >* host: SERVER.corp.van.dwave  port: 389  (default)
> >  refcnt: 1  status: Connected
> >  last used: Wed Nov 30 10:18:54 2005
> >
> >** Outstanding Requests:
> > * msgid 18,  origid 18, status InProgress
> >   outstanding referrals 0, parent count 0
> > * msgid 16,  origid 16, status Request Completed
> >   outstanding referrals 1, parent count 0
> >** Response Queue:
> > * msgid 16,  type 100
> >ldap_chkResponseList for msgid=18, all=1 
> >ldap_chkResponseList returns NULL ldap_int_select
> >read1msg: msgid 18, all 1
> >ldap_read: message type bind msgid 18, original id 18 new 
> >result:  res_errno: 0, res_error: <>, res_matched: <>
> >read1msg:  0 new referrals
> >read1msg:  mark request completed, id = 18 request 18 done
> >res_errno: 0, res_error: <>, res_matched: <> 
> >ldap_free_request (origid 18, msgid 18) ldap_free_connection
> >ldap_free_connection: refcnt 1
> >ldap_parse_result
> >ldap_msgfree
> >read1msg:  1 new referrals
> >wait4msg:  39 secs to go
> >wait4msg continue, msgid 16, all 1
> >** Connections:
> >* host: corp.van.dwave  port: 0
> >  refcnt: 1  status: Connected
> >  last used: Wed Nov 30 10:18:54 2005
> >
> >* host: SERVER.corp.van.dwave  port: 389  (default)
> >  refcnt: 1  status: Connected
> >  last used: Wed Nov 30 10:18:54 2005
> >
> >** Outstanding Requests:
> > * msgid 17,  origid 16, status InProgress
> >   outstanding referrals 0, parent count 1
> > * msgid 16,  origid 16, status Request Completed
> >   outstanding referrals 1, parent count 0
> >** Response Queue:
> > * msgid 16,  type 100
> >ldap_chkResponseList for msgid=16, all=1 
> >ldap_chkResponseList returns NULL ldap_int_select
> >read1msg: msgid 16, all 1
> >ldap_read: message type search-reference msgid 17, original 
> >id 16 ldap_chase_v3referrals 
> >ldap_url_parse_ext(ldap://corp.van.dwave/CN=Schema,CN=Configu
> >ration,DC=c
> >orp,DC=van,DC=dwave)
> >re_encode_request: new msgid 19, new dn
> ><CN=Schema,CN=Configuration,DC=corp,DC=van,DC=dwave>
> >re_encode_request new request is:
> >ber_dump: buf=0x0815fbe0 ptr=0x0815ff60 end=0x08160bbc len=896
> >  0000:  72 64 72 64 00 00 00 00  00 00 00 00 00 00 00 00 
> >rdrd............  
> >  0010:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0020:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0030:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0040:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0050:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0060:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0070:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0080:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0090:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  00a0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  00b0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  00c0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  00d0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  00e0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  00f0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0100:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0110:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0120:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0130:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0140:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0150:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0160:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0170:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0180:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0190:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  01a0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  01b0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  01c0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  01d0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  01e0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  01f0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0200:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0210:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0220:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0230:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0240:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0250:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0260:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0270:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0280:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0290:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  02a0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  02b0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  02c0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  02d0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  02e0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  02f0:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0300:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0310:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0320:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0330:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0340:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0350:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0360:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >  0370:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> >................  
> >ldap_chase_v3referral: msgid 17, url
> >"ldap://corp.van.dwave/CN=Schema,CN=Configuration,DC=corp,DC=
> >van,DC=dwav
> >e"
> >ldap_send_server_request
> >read1msg:  search ref chased, mark request chasing refs, id = 17
> >read1msg:  1 new referrals
> >wait4msg:  39 secs to go
> >wait4msg continue, msgid 16, all 1
> >** Connections:
> >* host: corp.van.dwave  port: 0
> >  refcnt: 2  status: Connected
> >  last used: Wed Nov 30 10:18:54 2005
> >
> >* host: SERVER.corp.van.dwave  port: 389  (default)
> >  refcnt: 1  status: Connected
> >  last used: Wed Nov 30 10:18:54 2005
> >
> >** Outstanding Requests:
> > * msgid 19,  origid 16, status InProgress
> >   outstanding referrals 0, parent count 1
> > * msgid 17,  origid 16, status ChasingRefs
> >   outstanding referrals 0, parent count 1
> > * msgid 16,  origid 16, status Request Completed
> >   outstanding referrals 2, parent count 0
> >** Response Queue:
> > * msgid 16,  type 100
> >ldap_chkResponseList for msgid=16, all=1 
> >ldap_chkResponseList returns NULL ldap_int_select
> >read1msg: msgid 16, all 1
> >ldap_read: message type search-result msgid 17, original id 
> >16 new result:  res_errno: 0, res_error: <>, res_matched: <>
> >read1msg:  0 new referrals
> >read1msg:  mark request completed, id = 17 merged parent (id 
> >16) error info:  result errno 0, error <>, matched <> 
> >ldap_free_connection
> >ldap_free_connection: refcnt 1
> >wait4msg:  39 secs to go
> >wait4msg continue, msgid 16, all 1
> >** Connections:
> >* host: corp.van.dwave  port: 0
> >  refcnt: 1  status: Connected
> >  last used: Wed Nov 30 10:18:54 2005
> >
> >* host: SERVER.corp.van.dwave  port: 389  (default)
> >  refcnt: 1  status: Connected
> >  last used: Wed Nov 30 10:18:54 2005
> >
> >** Outstanding Requests:
> > * msgid 19,  origid 16, status InProgress
> >   outstanding referrals 0, parent count 1
> > * msgid 17,  origid 16, status Request Completed
> >   outstanding referrals 0, parent count 1
> > * msgid 16,  origid 16, status Request Completed
> >   outstanding referrals 1, parent count 0
> >** Response Queue:
> > * msgid 16,  type 100
> >ldap_chkResponseList for msgid=16, all=1 
> >ldap_chkResponseList returns NULL ldap_int_select
> >read1msg: msgid 16, all 1
> >ldap_read: message type search-result msgid 19, original id 
> >16 new result:  res_errno: 0, res_error: <>, res_matched: <>
> >read1msg:  0 new referrals
> >read1msg:  mark request completed, id = 19 merged parent (id 
> >16) error info:  result errno 0, error <>, matched <> request 16 done
> >res_errno: 0, res_error: <>, res_matched: <> 
> >ldap_free_request (origid 16, msgid 16) ldap_free_request 
> >(origid 16, msgid 19) ldap_free_request (origid 16, msgid 
> >17) ldap_free_connection ldap_send_unbind
> >ldap_free_connection: actually freed
> >adding response id 16 type 101:
> >ldap_parse_result
> >ldap_get_dn
> >ldap_get_values
> >rlm_ldap: looking for check items in directory...
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >rlm_ldap: looking for reply items in directory...
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >ldap_get_values
> >rlm_ldap: user apuye authorized to use remote access ldap_msgfree
> >rlm_ldap: ldap_release_conn: Release Id: 0
> >  modcall[authorize]: module "ldap" returns ok for request 0
> >modcall: group authorize returns ok for request 0
> >  rad_check_password:  Found Auth-Type LDAP
> >auth: type "LDAP"
> >  Processing the authenticate section of radiusd.conf
> >modcall: entering group Auth-Type for request 0
> >rlm_ldap: - authenticate
> >rlm_ldap: login attempt by "apuye" with password "XXXXXXXX2"
> >rlm_ldap: user DN: CN=Alhagie Puye,OU=Information Technology,OU=DataWave Users,DC=corp,DC=van,DC=dwave
> >rlm_ldap: (re)connect to SERVER.corp.van.dwave:389, authentication 1
> >ldap_create
> >rlm_ldap: bind as CN=Alhagie Puye,OU=Information Technology,OU=DataWave Users,DC=corp,DC=van,DC=dwave/XXXXXXXX2 to SERVER.corp.van.dwave:389
> >ldap_bind
> >ldap_simple_bind
> >ldap_sasl_bind
> >ldap_send_initial_request
> >ldap_new_connection
> >ldap_int_open_connection
> >ldap_connect_to_host: TCP SERVER.corp.van.dwave:389
> >ldap_new_socket: 7
> >ldap_prepare_socket: 7
> >ldap_connect_to_host: Trying w.x.y.z:389
> >ldap_connect_timeout: fd: 7 tm: 10 async: 0
> >ldap_ndelay_on: 7
> >ldap_is_sock_ready: 7
> >ldap_ndelay_off: 7
> >ldap_open_defconn: successful
> >ldap_send_server_request
> >rlm_ldap: waiting for bind result ...
> >ldap_result msgid 1
> >ldap_chkResponseList for msgid=1, all=1
> >ldap_chkResponseList returns NULL
> >wait4msg (timeout 40 sec, 0 usec), msgid 1
> >wait4msg continue, msgid 1, all 1
> >** Connections:
> >* host: SERVER.corp.van.dwave  port: 389  (default)
> >  refcnt: 2  status: Connected
> >  last used: Wed Nov 30 10:18:54 2005
> >
> >** Outstanding Requests:
> > * msgid 1,  origid 1, status InProgress
> >   outstanding referrals 0, parent count 0
> >** Response Queue:
> >   Empty
> >ldap_chkResponseList for msgid=1, all=1
> >ldap_chkResponseList returns NULL
> >ldap_int_select
> >read1msg: msgid 1, all 1
> >ldap_read: message type bind msgid 1, original id 1
> >new result:  res_errno: 0, res_error: <>, res_matched: <>
> >read1msg:  0 new referrals
> >read1msg:  mark request completed, id = 1
> >request 1 done
> >res_errno: 0, res_error: <>, res_matched: <>
> >ldap_free_request (origid 1, msgid 1)
> >ldap_free_connection
> >ldap_free_connection: refcnt 1
> >ldap_parse_result
> >ldap_msgfree
> >rlm_ldap: Bind was successful
> >rlm_ldap: user apuye authenticated succesfully
> >ldap_free_connection
> >ldap_send_unbind
> >ldap_free_connection: actually freed
> >  modcall[authenticate]: module "ldap" returns ok for request 0
> >modcall: group Auth-Type returns ok for request 0
> >Sending Access-Accept of id 162 to 127.0.0.1:51232
> >        Service-Type = Login-User
> >Finished request 0
> >Going to the next request
> >--- Walking the entire request list ---
> >Waking up in 6 seconds...
> >--- Walking the entire request list ---
> >Cleaning up request 0 ID 162 with timestamp 438ded0e
> >Nothing to do.  Sleeping until we see a request.
> >
> >
> >My radiusd.conf:
> >
> > filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(objectclass=user))"
> > groupname_attribute = "cn"
> > groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn}))"
> > groupmembership_attribute = memberOf
> > 
> >
> >
> >
> >My ldap.attrmap:
> >
> > replyItem       Class                           group
> >
> >
> >
> >My users file:
> >
> >DEFAULT     Ldap-Group == "itops"
> >                Auth-Type := LDAP,
> >                Service-Type = Login,
> >
> >
> >
> >
> >Thanks in advance
> >
> >Alhagie Puye - Network Engineer
> >Datawave Group of Companies
> >(604)295-1817  
> >
> >> >-----Original Message-----
> >> >From: freeradius-users-bounces at lists.freeradius.org
> >> >[mailto:freeradius-users-bounces at lists.freeradius.org] On 
> >Behalf Of 
> >> >Dusty Doris
> >> >Sent: November 30, 2005 7:16 AM
> >> >To: FreeRadius users mailing list
> >> >Subject: RE: Freeradius How to integrate Active Directory 
> >and return 
> >> >group attribute to VPN Concentrator
> >> >
> >> >> Radiusd.conf:
> >> >>
> >> >>                filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=CN=rptp cps,OU=Datawave Users,DC=corp,DC=van,DC=dwave))"
> >> >>
> >> >> This works fine. However I can't get it to return any
> >> >replyItems. Has
> >> >> anyone gotten this to work with Active Directory? All the
> >> >docs I see
> >> >> on the Net reference OpenLDAP. I'm sure there is a lot of
> >> >folks out
> >> >> there running Windows 2000/2003 Active Directory.
> >> >>
> >> >> I have spent a couple of days on this not having much
> >> >luck. Here are a
> >> >> few questions that would help me a bit.
> >> >>
> >> >> 1) Do I need groupname_attribute to get this to work?
> >> >>
> >> >> 2) What about groupmembership_filter and 
> >groupmembership_attribute?
> >> >>
> >> >> My ldap.attrmap looks like this:
> >> >>
> >> >> replyItem       Class                           groupofnames
> >> >> replyItem       Class                           group
> >> >>
> >> >> I think the above is correct. Can someone shed some light on this?
> >> >
> >> >Is group and groupofnames something that is an attribute 
> >of a user?  
> >> >When freeradius searches for reply items it is searching for 
> >> >attributes of that user.
> >> >
> >> >eg:
> >> >
> >> >dn: cn=someuser,...
> >> >group: somegroup
> >> >
> >> >Should then add
> >> >
> >> >Class = somegroup
> >> >
> >> >to the reply items.
> >> >
> >> >If you want to make reply items attached to a group, rather than
> >> >an individual, you will need to set the User-Profile attribute.
> >> >
> >> >For example,
> >> >
> >> >dn: cn=somegroup,ou=groups,...
> >> >group: somegroup
> >> >
> >> >Then in the users file.
> >> >
> >> >DEFAULT Ldap-Group == somegroup, User-Profile := 
> >> >"cn=somegroup,ou=groups,..."
> >> >
> >> >You may be able to do this dynamically using xlat or 
> >something like 
> >> >huntgroups too.  If you want an example, send us an 
> >example of a user 
> >> >and group from AD in ldif format and an example of a 
> >radius packet 
> >> >that you would expect in the reply and I'll see if I can 
> >come up with 
> >> >an idea for ya.
> >> >
> >> >
> >> >
> >> >-
> >> >List info/subscribe/unsubscribe? See 
> >> >http://www.freeradius.org/list/users.html
> >> >
> >
> >
> >Disclaimer: This message (including any attachments) is 
> >confidential, may be privileged and is only intended for the 
> >person to whom it is addressed.  If you have received it by 
> >mistake please notify the sender by return e-mail and delete 
> >this message from your system.  Any unauthorized use or 
> >dissemination of this message in whole or in part is 
> >strictly prohibited.  E-mail communications are inherently 
> >vulnerable to interception by unauthorized parties and are 
> >susceptible to change.  We will use alternate communication 
> >means upon request.
> >
> >
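The point Dusty makes above is that a replyItem line in ldap.attrmap copies each value of a *user* attribute straight into the reply, so `replyItem Class memberof` hands the VPN concentrator whole group DNs, not names, and that the `Ldap-Group == "itops"` check in the users file is evaluated against the same attribute. The script below is an added example for this thread, not code from FreeRADIUS or from either poster; the user entry and group DNs in it are constructed sample data modelled on the DNs in the debug output, and the helper names (`reply_items`, `ldap_group_match`, `filter_is_single_term`) are the example's own. It shows the DN-to-name step the "garbage" reply values are missing, why that step must honour RFC 4514 escaping when the group name is the authorization decision, and a quick syntax check that flags the groupmembership_filter as quoted above, which has two top-level terms and no enclosing `(|...)`:

```python
"""Added example (not part of the thread): how rlm_ldap-style reply items
come out of an AD user's memberOf attribute, and why a 'replyItem Class
memberof' mapping yields full group DNs rather than group names."""

import re

# Constructed sample AD user entry, in the shape ldapsearch would return it.
SAMPLE_USER = {
    "dn": "CN=Alhagie Puye,OU=Information Technology,OU=DataWave Users,DC=corp,DC=van,DC=dwave",
    "sAMAccountName": ["apuye"],
    "memberOf": [
        "CN=itops,OU=DataWave Users,DC=corp,DC=van,DC=dwave",
        "CN=rptp cps,OU=Datawave Users,DC=corp,DC=van,DC=dwave",
        # A group whose CN contains an escaped comma (RFC 4514 escaping);
        # a naive split on "," would turn this into two bogus groups.
        "CN=VPN\\, Remote,OU=Groups,DC=corp,DC=van,DC=dwave",
    ],
}


def split_rdns(dn):
    """Split a DN on unescaped commas, keeping backslash escape pairs intact."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def unescape_rdn_value(value):
    """Undo RFC 4514 escapes: \\XX hex pairs first, then \\<char>."""
    value = re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return re.sub(r"\\(.)", r"\1", value)


def group_name_from_dn(dn):
    """Return the CN of a group DN (the name the users file compares against)."""
    attr, _, value = split_rdns(dn)[0].partition("=")
    if attr.strip().lower() != "cn":
        raise ValueError("first RDN of %r is not a CN" % dn)
    return unescape_rdn_value(value)


def reply_items(entry, attr="memberOf", radius_attr="Class", name_only=False):
    """Mimic 'replyItem <radius_attr> <attr>' in ldap.attrmap: one reply pair
    per directory value, verbatim. name_only=True adds the CN extraction step
    that the plain attrmap mapping does not perform."""
    values = entry.get(attr, [])
    return [(radius_attr, group_name_from_dn(v) if name_only else v) for v in values]


def ldap_group_match(entry, group):
    """Mimic the users-file check 'Ldap-Group == "<group>"' against memberOf
    with groupname_attribute = cn (case-insensitive, as AD compares names)."""
    return any(group_name_from_dn(v).lower() == group.lower()
               for v in entry.get("memberOf", []))


def filter_is_single_term(ldap_filter):
    """True if an RFC 4515 filter string is exactly one balanced, parenthesised
    term. Two side-by-side terms (as in the quoted groupmembership_filter) or
    unbalanced parentheses return False."""
    depth, closed_top_level = 0, 0
    for ch in ldap_filter:
        if ch == "(":
            if depth == 0 and closed_top_level:
                return False
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
            if depth == 0:
                closed_top_level += 1
    return depth == 0 and closed_top_level == 1


if __name__ == "__main__":
    for pair in reply_items(SAMPLE_USER):
        print("verbatim:  %s = %s" % pair)
    for pair in reply_items(SAMPLE_USER, name_only=True):
        print("name only: %s = %s" % pair)
    print("Ldap-Group == itops ->", ldap_group_match(SAMPLE_USER, "itops"))
    quoted = "(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn}))"
    print("quoted groupmembership_filter is one term ->", filter_is_single_term(quoted))
```

Run it as-is and the "verbatim" lines reproduce what the attrmap mapping sends today; the "name only" lines are the values a concentrator matching on a group name would expect. The filter check is deliberately strict: wrapping the two quoted terms in `(|...)` is the one change that makes it pass.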





