Roger Thomas sniper at
Wed Aug 2 02:36:56 CEST 2006

Quoting Alan DeKok <aland at>:

> Roger Thomas <sniper at> wrote:
> > My LDAP knowledge is quite shallow and as such I would like to use
> > - openLDAP only for authentication
> > - MySQL for authorization and accounting
> > 
> > If that is possible, do I *still* need to extend my LDAP schema
> with ~/doc/examples/openldap.schema ?
>   I don't think so.  If all you're using LDAP for is usernames &
> passwords, that should be in the default schema.
>   Alan DeKok.

I ran radtest and it complained that there is no dialupAccess attribute, so access is denied by default.

-- snippet from debug screen --
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=bob at
rlm_ldap: no dialupAccess attribute - access denied by default
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns userlock for request 0
modcall: leaving group authorize (returns userlock) for request 0
Invalid user (rlm_ldap: Access Attribute denies access): [bob at] (from client localhost port 10)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 144 to port 32803
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 144 with timestamp 44cff3d6
Nothing to do.  Sleeping until we see a request.

I noticed that the 'dialupAccess' attribute is defined in the radiusprofile objectClass (openldap.schema). This means radiusd expects that objectClass to be made available. I wonder if there is any way around this?
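For reference, the module setting behind that debug line: an added illustration of the `ldap` block in a FreeRADIUS 1.x radiusd.conf laid out like the stock file, not the poster's configuration; server, bind DN, password and basedn are placeholders, and the surrounding `authorize`/`authenticate`/`accounting` sections are shown only to place the LDAP-for-authentication, SQL-for-authorization split.

```conf
# radiusd.conf, modules section (FreeRADIUS 1.x).  Added example with
# placeholder values; adjust server, identity, password and basedn.
ldap {
    server   = "ldap.example.com"
    identity = "cn=readonly,dc=example,dc=com"   # bind DN used for the user search
    password = "CHANGE_ME"
    basedn   = "dc=example,dc=com"
    filter   = "(uid=%{Stripped-User-Name:-%{User-Name}})"

    # With access_attr set, rlm_ldap reads that attribute from the user's
    # entry during authorize and rejects any entry that lacks it
    # ("no dialupAccess attribute - access denied by default"), which is
    # why the radiusprofile objectClass from openldap.schema is needed.
    # access_attr = "dialupAccess"
    #
    # Leaving access_attr unset makes rlm_ldap skip that allow/deny check,
    # so LDAP is consulted only for the user lookup and the password bind.
}

authorize {
    preprocess
    ldap        # finds the entry; no access attribute is evaluated
    sql         # check/reply items and group membership come from MySQL
}

authenticate {
    Auth-Type LDAP {
        ldap    # bind as the user against OpenLDAP
    }
}

accounting {
    sql
}
```

Once the attribute check is disabled, rlm_ldap no longer denies anyone on its own, so the allow/deny decision has to be enforced by the SQL module's check items or the user will be accepted on password alone.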



More information about the Freeradius-Users mailing list