Receiving a full DN in a RADIUS request

Jean-Francois Gobin gobin at gobinjf.be
Wed Sep 14 15:55:39 CEST 2005


So ...

From the preceding, preceding mail, you should have seen that %{User-Name} 
is equal to something like "uid=P0..., o=nrb, c=be" ... which is what I 
want to have checked against the LDAP.

For now, when I implement your suggestion, I just come out with

"checking for dn=o=nrb,c=be, (uid=uid)", which corresponds to a 
truncation of my requesting DN.

jF


On Wed, 14 Sep 2005, Kostas Kalevras wrote:

> On Wed, 14 Sep 2005, Jean-Francois Gobin wrote:
>
>> Here is my whole ldap definition :
>>
>>        ldap {
>>                server = "ldap.xxxx.xxx"
>>                # identity = "cn=admin,o=My Org,c=UA"
>>                # password = mypass
>>                basedn = " "
>
> This should be an actual DN of your tree. Something like:
> ou=people,dc=company,dc=com
>
>>                filter = "(%{User-Name})"
>
> This is wrong. It should most probably read filter = "(uid=%{User-Name})"
>
>
>>                # base_filter = "(objectclass=radiusprofile)"
>>
>>                # set this to 'yes' to use TLS encrypted connections
>>                # to the LDAP database by using the StartTLS extended
>>                # operation.
>>                # The StartTLS operation is supposed to be used with normal
>>                # ldap connections instead of using ldaps (port 636) connections
>>                start_tls = no
>>
>>                # tls_cacertfile        = /path/to/cacert.pem
>>                # tls_cacertdir         = /path/to/ca/dir/
>>                # tls_certfile          = /path/to/radius.crt
>>                # tls_keyfile           = /path/to/radius.key
>>                # tls_randfile          = /path/to/rnd
>>                # tls_require_cert      = "demand"
>>
>>                # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
>>                # profile_attribute = "radiusProfileDn"
>>                # access_attr = "dialupAccess"
>>
>>                # Mapping of RADIUS dictionary attributes to LDAP
>>                # directory attributes.
>>                dictionary_mapping = ${raddbdir}/ldap.attrmap
>>
>>                ldap_connections_number = 5
>>
>>                #
>>                # NOTICE: The password_header directive is NOT case insensitive
>>                #
>>                # password_header = "{clear}"
>>                #
>>                # Set:
>>                #       password_attribute = nspmPassword
>>                #
>>                # to get the user's password from a Novell eDirectory
>>                # backend. This will work *only if* freeRADIUS is
>>                # configured to build with --with-edir option.
>>                #
>>                #
>>                #  The server can usually figure this out on its own, and pull
>>                #  the correct User-Password or NT-Password from the database.
>>                #
>>                #  Note that NT-Passwords MUST be stored as a 32-digit hex
>>                #  string, and MUST start off with "0x", such as:
>>                #
>>                #       0x000102030405060708090a0b0c0d0e0f
>>                #
>>                #  Without the leading "0x", NT-Passwords will not work.
>>                #  This goes for NT-Passwords stored in SQL, too.
>>                #
>>                # password_attribute = userPassword
>>                #
>>                # Un-comment the following to disable Novell eDirectory account
>>                # policy check and intruder detection. This will work *only if*
>>                # FreeRADIUS is configured to build with --with-edir option.
>>                #
>>                # edir_account_policy_check=no
>>                #
>>                # groupname_attribute = cn
>>                # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>>                # groupmembership_attribute = radiusGroupName
>>                timeout = 4
>>                timelimit = 3
>>                net_timeout = 1
>>                # compare_check_items = yes
>>                # do_xlat = yes
>>                # access_attr_used_for_allow = yes
>>        }
>> 
>> 
>> On Tue, 13 Sep 2005, Nicolas Baradakis wrote:
>> 
>>> Jean-Francois Gobin wrote:
>>> 
>>>> rlm_ldap: - authorize
>>>> rlm_ldap: performing user authorization for 
>>>> uid=P06227,ou=people,o=nrb,c=be
>>>> radius_xlat:  '(uid)'
>>>> radius_xlat:  ' '
>>>> rlm_ldap: ldap_get_conn: Checking Id: 0
>>>> rlm_ldap: ldap_get_conn: Got Id: 0
>>>> rlm_ldap: performing search in  , with filter (uid)
>>>> rlm_ldap: ldap_search() failed: Bad search filter: (uid)
>>> 
>>> What is your filter in section ldap of radiusd.conf ?
>>> 
>>> -- 
>>> Nicolas Baradakis
>>> 
>>> -
>>> List info/subscribe/unsubscribe? See 
>>> http://www.freeradius.org/list/users.html
>>> 
>> 
>> ----------
>> Jean-Francois Gobin - Administrateur gobinjf.be
>> http://www.gobinjf.be   mailto:gobin at gobinjf.be
>> 
>
> --
> Kostas Kalevras		Network Operations Center
> kkalev at noc.ntua.gr	National Technical University of Athens, Greece
> Work Phone:		+30 210 7721861
> 'Go back to the shadow'	Gandalf
>

----------
Jean-Francois Gobin - Administrateur gobinjf.be
http://www.gobinjf.be   mailto:gobin at gobinjf.be
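The thread turns on what happens when a User-Name that is itself a DN ("uid=P06227,ou=people,o=nrb,c=be", taken from the debug output quoted above) is pasted into an rlm_ldap filter: the module escapes the value for use in a filter, and what comes out is neither the DN nor the uid. The following is an added example in Python, not rlm_ldap's code and not anything posted in the thread; the function names (escape_filter_value, parse_dn, plan_search) and the default base "o=nrb,c=be" are assumptions for illustration. It shows RFC 4515 filter escaping (which is also what stops a crafted User-Name from rewriting the filter), an RFC 4514 DN parser that pulls the uid value out of such a User-Name, and a lookup plan that searches for that value under the base instead of putting the whole DN in the filter.

```python
"""
Turning a RADIUS User-Name that carries a full DN into a safe LDAP search.

Added example; not FreeRADIUS rlm_ldap code. Function names and the sample
base DN are assumptions. The DN used in the tests is the one from the
thread's debug output.
"""
import re

# RFC 4515, section 3: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_uid_filter(value: str) -> str:
    """What filter = "(uid=%{User-Name})" means once the value is escaped."""
    return f"(uid={escape_filter_value(value)})"


def _split_unescaped(s: str, sep: str) -> list:
    """Split on sep, leaving backslash-escaped sequences (RFC 4514) untouched."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape_dn_value(raw: str) -> str:
    """Decode RFC 4514 escapes: "\\," style specials and "\\2c" style hex pairs."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            pair = raw[i + 1:i + 3]
            if len(pair) == 2 and re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
                out.append(int(pair, 16))  # a hex pair encodes one UTF-8 byte
                i += 3
            else:
                out += raw[i + 1].encode("utf-8")
                i += 2
            continue
        out += raw[i].encode("utf-8")
        i += 1
    return out.decode("utf-8")


def parse_dn(dn: str) -> list:
    """
    Parse a string DN into [(attribute_type, value), ...], most specific RDN first.
    Multi-valued RDNs ("cn=a+sn=b") are not supported (assumption: not needed here).
    """
    rdns = []
    for comp in _split_unescaped(dn, ","):
        if "=" not in comp:
            raise ValueError(f"not a DN: {dn!r}")
        attr, raw = comp.split("=", 1)
        raw = raw.lstrip()
        while raw.endswith(" ") and not raw.endswith("\\ "):
            raw = raw[:-1]  # unescaped trailing spaces are not part of the value
        rdns.append((attr.strip().lower(), _unescape_dn_value(raw)))
    return rdns


def plan_search(user_name: str, default_base: str) -> tuple:
    """
    Return (base, scope, filter) for looking the user up.

    A DN-shaped User-Name whose first RDN is uid is never pasted into the
    filter: the uid value is extracted and searched for under default_base.
    Anything else gets the plain (uid=...) search with the value escaped.
    Assumption: whether a User-Name "is a DN" is decided from the string
    alone, which is a heuristic; a production module should pin the expected
    form per NAS rather than guess.
    """
    try:
        rdns = parse_dn(user_name)
    except ValueError:
        return default_base, "sub", build_uid_filter(user_name)
    attr, value = rdns[0]
    if attr != "uid":
        return default_base, "sub", build_uid_filter(user_name)
    return default_base, "sub", build_uid_filter(value)
```

The other safe option when the caller already has the DN is a base-scope search with that DN as the search base and a trivial filter such as "(objectClass=*)", which does not involve the filter escaping at all; which of the two fits depends on whether the DN in the request can be trusted to be the entry you want to authenticate.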


