AAA
Roger Thomas
sniper at home.net.my
Wed Aug 2 02:36:56 CEST 2006
Quoting Alan DeKok <aland at deployingradius.com>:
> Roger Thomas <sniper at home.net.my> wrote:
> > My LDAP knowledge is quite shallow and as such I would like to use
>
> > - openLDAP only for authentication
> > - MySQL for authorization and accounting
> >
> > If that is possible, do I *still* need to extend my LDAP schema
> > with ~/doc/examples/openldap.schema ?
>
> I don't think so. If all you're using LDAP for is usernames &
> passwords, that should be in the default schema.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
I ran radtest and it complained that there is no dialupAccess attribute, so access is denied by default.
-- snippet from debug screen --
...
...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=bob at example.com)
rlm_ldap: no dialupAccess attribute - access denied by default
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns userlock for request 0
modcall: leaving group authorize (returns userlock) for request 0
Invalid user (rlm_ldap: Access Attribute denies access): [bob at example.com/thepassword] (from client localhost port 10)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 144 to 127.0.0.1 port 32803
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 144 with timestamp 44cff3d6
Nothing to do. Sleeping until we see a request.
I noticed that the 'dialupAccess' attribute is defined in the radiusprofile objectClass (openldap.schema). That means radiusd expects that objectClass to be made available. I wonder if there is any way around this?
--
Roger
---------------------------------------------------
Sign Up for free Email at http://ureg.home.net.my/
---------------------------------------------------
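The debug snippet quoted above shows the sequence radiusd -X prints for a request that rlm_ldap turns away (module result, the "Invalid user (...)" line naming the cause, "Finished request N", then the Access-Reject). A small triage helper that pairs each reject with the reason the module printed is useful when working out why a test login is being refused, and it also has to cope with the fact that the "Invalid user" line in debug mode echoes the submitted password in the clear. The script below is an added example and is not code from the thread or from the FreeRADIUS project; the sample debug text is constructed, modelled on the lines above, with the credential replaced by a placeholder, and the regular expressions are assumptions about the 1.x debug line formats shown on this page rather than a general parser for every FreeRADIUS version.

```python
"""Triage helper for FreeRADIUS debug output (radiusd -X): pair each
Access-Reject with the reason the rejecting module printed, and never
retain the cleartext credential that debug mode echoes on 'Invalid user' lines."""
import re
from collections import Counter

# Constructed sample, modelled on the debug snippet in the thread (not a capture
# from a real server). radiusd -X prints the password in the clear on the
# 'Invalid user' line, so debug output has to be handled as sensitive.
SAMPLE_DEBUG = """\
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=bob@example.com)
rlm_ldap: no dialupAccess attribute - access denied by default
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns userlock for request 0
modcall: leaving group authorize (returns userlock) for request 0
Invalid user (rlm_ldap: Access Attribute denies access): [bob@example.com/NOT-A-REAL-PASSWORD] (from client localhost port 10)
Delaying request 0 for 1 seconds
Finished request 0
--- Walking the entire request list ---
Sending Access-Reject of id 144 to 127.0.0.1 port 32803
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=alice@example.com)
rlm_ldap: ldap_release_conn: Release Id: 1
modcall[authorize]: module "ldap" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
Finished request 1
Sending Access-Accept of id 145 to 127.0.0.1 port 32803
"""

# Line shapes taken from the 1.x debug output on this page (assumed, not exhaustive).
MODCALL_RE = re.compile(r'^modcall\[(?P<section>\w+)\]: module "(?P<module>[^"]+)" '
                        r'returns (?P<rcode>\w+) for request (?P<req>\d+)$')
INVALID_RE = re.compile(r'^Invalid user \((?P<reason>[^)]*)\): '
                        r'\[(?P<user>[^/\]]*)/[^\]]*\] \(from client (?P<client>\S+) '
                        r'port (?P<port>\d+)\)$')
FINISHED_RE = re.compile(r'^Finished request (?P<req>\d+)$')
SENDING_RE = re.compile(r'^Sending Access-(?P<outcome>Accept|Reject|Challenge) '
                        r'of id (?P<id>\d+) to (?P<ip>\S+) port (?P<port>\d+)$')


def parse_debug(text):
    """Return one dict per Access-Accept/Reject sent, in order of appearance.

    Assumes the serialised ordering radiusd -X produces for one request at a
    time (module results, then 'Invalid user', 'Finished request N', then
    'Sending Access-...'); interleaved concurrent requests are not untangled.
    """
    module_results = {}    # request number -> [(section, module, rcode), ...]
    pending_reject = None  # last 'Invalid user' line not yet tied to a packet
    last_finished = None
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = MODCALL_RE.match(line)
        if m:
            module_results.setdefault(m["req"], []).append(
                (m["section"], m["module"], m["rcode"]))
            continue
        m = INVALID_RE.match(line)
        if m:
            # The password between '/' and ']' is matched but deliberately not captured.
            pending_reject = {"reason": m["reason"], "user": m["user"],
                              "client": m["client"], "client_port": int(m["port"])}
            continue
        m = FINISHED_RE.match(line)
        if m:
            last_finished = m["req"]
            continue
        m = SENDING_RE.match(line)
        if m:
            event = {"outcome": m["outcome"], "id": int(m["id"]),
                     "request": last_finished,
                     "modules": module_results.pop(last_finished, []),
                     "reason": None, "user": None}
            if m["outcome"] == "Reject" and pending_reject is not None:
                event.update(pending_reject)
            pending_reject = None
            events.append(event)
    return events


def summarize_rejects(events):
    """Count rejects by the module's stated reason ('unknown' if none was printed)."""
    return dict(Counter(e["reason"] or "unknown"
                        for e in events if e["outcome"] == "Reject"))


if __name__ == "__main__":
    events = parse_debug(SAMPLE_DEBUG)
    for e in events:
        print(e["outcome"], e["id"], e["user"], e["reason"], e["modules"])
    print(summarize_rejects(events))
```

Run against the sample, the helper reports one reject for id 144 with the reason "rlm_ldap: Access Attribute denies access" and the authorize result `userlock` from the ldap module, and one accept for id 145; the placeholder password never appears in the parsed result.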