AAA
Markus Krause
krause at biochem.mpg.de
Wed Aug 2 04:09:46 CEST 2006
Quoting Roger Thomas <sniper at home.net.my>:
> Quoting Alan DeKok <aland at deployingradius.com>:
>
> > Roger Thomas <sniper at home.net.my> wrote:
> > > My LDAP knowledge is quite shallow and as such I would like to use
> >
> > > - openLDAP only for authentication
> > > - MySQL for authorization and accounting
> > >
> > > If that is possible, do I *still* need to extend my LDAP schema
> > with ~/doc/examples/openldap.schema ?
> >
> > I don't think so. If all you're using LDAP for is usernames &
> > passwords, that should be in the default schema.
> >
> > Alan DeKok.
> > --
> > http://deployingradius.com - The web site of the book
> > http://deployingradius.com/blog/ - The blog
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
>
> I ran radtest and it complained that there is no dialupAccess attribute, so
> access is denied by default.
>
> -- snippet from debug screen --
> ...
> ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=example,dc=com, with filter
> (uid=bob at example.com)
> rlm_ldap: no dialupAccess attribute - access denied by default
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns userlock for request 0
> modcall: leaving group authorize (returns userlock) for request 0
> Invalid user (rlm_ldap: Access Attribute denies access):
> [bob at example.com/thepassword] (from client localhost port 10)
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 144 to 127.0.0.1 port 32803
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 144 with timestamp 44cff3d6
> Nothing to do. Sleeping until we see a request.
>
>
>
> I noticed that the 'dialupAccess' attribute is defined in the radiusprofile
> objectClass (openldap.schema). That means radiusd expects that objectClass to be
> made available. Wonder if there is any way around this?
Just comment out the line

    access_attr = "dialupAccess"

in the ldap section of your module definition.
hth
markus
>
> --
> Roger
--
Markus Krause email: krause at biochem.mpg.de
Mogli-Soft: Support for Mac OS X, Webmail/Horde, LDAP, RADIUS
by order of the Computing Center of the Max-Planck-Institute of Biochemistry
Tel.: 089 - 89 40 85 99 Fax.: 089 - 89 40 85 98
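As an added illustration of the change Markus describes (this is not configuration taken from the thread or from the FreeRADIUS project), the relevant part of a FreeRADIUS 1.x `ldap` module block with the access gate disabled looks like the following. Server, bind identity, password and base DN are placeholders; the filter is the stock one from the 1.x sample radiusd.conf.

```conf
# ldap module block in the modules section of radiusd.conf (FreeRADIUS 1.x
# layout). Connection values are placeholders for this example.
ldap {
        server = "ldap.example.com"
        identity = "cn=radius,dc=example,dc=com"
        password = "changeme"
        basedn = "dc=example,dc=com"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

        # While this line is active, rlm_ldap looks for the attribute on the
        # user's entry during authorize. An entry without it is rejected
        # ("no dialupAccess attribute - access denied by default", module
        # returns userlock), and an entry whose value is FALSE is rejected
        # too. dialupAccess belongs to the radiusprofile objectClass from
        # doc/examples/openldap.schema, so without that schema every user
        # fails here, which is what Roger's debug output shows.
        #access_attr = "dialupAccess"

        # With access_attr commented out, rlm_ldap applies no per-user access
        # gate at all: any entry the filter finds whose password checks out
        # passes this module. The "may this user dial in" decision therefore
        # has to live somewhere else. In the setup Roger describes that is
        # the sql module (radcheck/radreply rows), so make sure sql is listed
        # in the authorize section and actually carries a row for each user,
        # otherwise a valid directory password alone is enough to get in.
}
```

To confirm the change took effect, restart the server in debug mode (`radiusd -X`) and repeat the `radtest` run: the `rlm_ldap: no dialupAccess attribute - access denied by default` line should be gone and the module should return ok or updated for the same user instead of userlock.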