Searching Subcontexts in eDir

Mearl Danner jmdanner at samford.edu
Tue Jul 19 22:33:19 CEST 2005


Are you trying to use Universal Password to authenticate? I don't see the TLS negotiation required for the admin to read the Universal Password.

Why don't you post the entire debug log? Then we can see all the setup info as the radius server reads it.

Mearl

>>> jp at joshmp.com 7/19/2005 3:11:05 PM >>>
Ok, I'm now one step closer.  Mearl's solution worked somewhat.  Here is the
output from the debug:

-----snip-----
rlm_ldap: - authorize
rlm_ldap: performing user authorization for gwaccesspo1
radius_xlat:  '(cn=gwaccesspo1)'
radius_xlat:  'o=services'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=services, with filter (cn=gwaccesspo1)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user gwaccesspo1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 3
modcall: group authorize returns ok for request 3
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 3
rlm_ldap: - authenticate
rlm_ldap: login attempt by "gwaccesspo1" with password "<password>"
rlm_ldap: user DN: cn=gwaccessPO1,ou=GW,o=Services
rlm_ldap: (re)connect to 10.254.8.25:389, authentication 1
rlm_ldap: bind as cn=gwaccessPO1,ou=GW,o=Services/<password> to 10.254.8.25:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
rlm_ldap: NDS error: failed authentication (-669)
-----snip-----

To contrast, here is the output from debug when I attempt to authenticate a user
in the root context:

-----snip-----
rlm_ldap: - authorize
rlm_ldap: performing user authorization for zentest
radius_xlat:  '(cn=zentest)'
radius_xlat:  'o=services'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=services, with filter (cn=zentest)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user zentest authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 2
modcall: group authorize returns ok for request 2
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 2
rlm_ldap: - authenticate
rlm_ldap: login attempt by "zentest" with password "<password>"
rlm_ldap: user DN: cn=zentest,o=Services
rlm_ldap: (re)connect to 10.254.8.25:389, authentication 1
rlm_ldap: bind as cn=zentest,o=Services/<password> to 10.254.8.25:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user zentest authenticated succesfully
-----snip-----


Thanks in advance,

Josh



On Tuesday, July 19th, Mearl said:

> Check the filter statement in the ldap portion of radiusd.conf. It's searching
> on "uid" which in eDirectory is an integer field and isn't populated by default.
>
> Change the filter to filter = "(cn=%{Stripped-User-Name:-%{User-Name}})" and try
> it. That will get you past the "object not found" message. It will then be able
> to return the fully qualified DN of the user.
>
> You can search on "cn" or any other ldap field that contains a unique ID. We're
> probably going to use uniqueID - the newer user creation APIs populate it by
> default - in our environment because iPrint requires it.
>
> Mearl
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
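The two steps that rlm_ldap performs in the debug output above (a subtree search under the basedn as the admin identity to find the user's DN, then a simple bind as that DN with the user's password) can be reproduced by hand with the OpenLDAP client tools, which makes a -669 on one context easy to compare against a working bind on another. The script below is an added example and is not code from this thread or from FreeRADIUS. The server address and basedn are taken from the debug log; ADMIN_DN and ADMIN_PW are assumptions standing in for the `identity`/`password` settings in radiusd.conf, and the `-ZZ` (StartTLS) flag, added in view of Mearl's TLS remark, assumes eDirectory is configured to offer StartTLS on port 389. The `ldap_filter_escape` helper applies RFC 4515 escaping to the user name before it is placed in Mearl's `(cn=...)` filter so a crafted name cannot widen the search.

```shell
#!/bin/sh
# Added example: reproduce rlm_ldap's two steps by hand with the OpenLDAP
# client tools, so a failing bind can be examined outside radiusd.
# SERVER and BASEDN come from the debug log; ADMIN_DN/ADMIN_PW are
# assumptions standing in for 'identity'/'password' in radiusd.conf.
SERVER="${SERVER:-10.254.8.25}"
BASEDN="${BASEDN:-o=services}"
ADMIN_DN="${ADMIN_DN:-cn=admin,o=services}"   # assumed
ADMIN_PW="${ADMIN_PW:-changeme}"              # assumed; set it in the environment

# RFC 4515 escaping for a value placed in a search filter: backslash first,
# then *, ( and ).  Without this a User-Name of "*" matches every entry
# under BASEDN instead of a single user.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g'   -e 's/)/\\29/g'
}

# The filter Mearl suggested, (cn=<user>), with the user name escaped.
build_filter() {
    printf '(cn=%s)' "$(ldap_filter_escape "$1")"
}

# Step 1: as the admin identity, subtree-search BASEDN for the user's DN
# (this is what resolves cn=gwaccessPO1,ou=GW,o=Services in the log).
# -ZZ forces StartTLS on 389; assumption: eDirectory is configured for it.
# More than one matching entry would print more than one line here.
find_user_dn() {
    ldapsearch -x -ZZ -H "ldap://$SERVER" -D "$ADMIN_DN" -w "$ADMIN_PW" \
        -b "$BASEDN" -s sub -LLL "$(build_filter "$1")" dn \
        | sed -n 's/^dn: //p'
}

# Step 2: bind as the DN found, with the user's own password.  The exit
# status is the verdict; this is the bind that eDirectory rejects with
# -669 in the radiusd log.
test_bind() {
    ldapwhoami -x -ZZ -H "ldap://$SERVER" -D "$1" -w "$2" >/dev/null 2>&1
}

# Run both steps for one user and report, e.g.
#   ADMIN_PW=... ./probe.sh gwaccesspo1 'secret'
#   ADMIN_PW=... ./probe.sh zentest 'secret'
probe_user() {
    dn=$(find_user_dn "$1")
    if [ -z "$dn" ]; then
        echo "no entry for $1 under $BASEDN (check filter/basedn)"
        return 2
    fi
    echo "found DN: $dn"
    if test_bind "$dn" "$2"; then
        echo "bind OK as $dn"
    else
        echo "bind FAILED as $dn (compare with a root-context user)"
        return 1
    fi
}

# Only touch the network when called with <user> <password>.
if [ "$#" -eq 2 ]; then
    probe_user "$1" "$2"
fi
```

Run it once for a user in a subcontext (gwaccesspo1) and once for one in the root context (zentest): if step 1 returns the right DN in both cases and only the subcontext bind fails, the search and filter are fine and the problem is on the bind itself; if `-ZZ` makes the admin search fail, the server is not offering StartTLS on 389 and that assumption needs revisiting before the TLS theory can be tested.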




