AAA

Roger Thomas sniper at home.net.my
Wed Aug 2 04:37:15 CEST 2006


Quoting Markus Krause <krause at biochem.mpg.de>:

> Zitat von Roger Thomas <sniper at home.net.my>:
> > Quoting Alan DeKok <aland at deployingradius.com>:
> >
> > > Roger Thomas <sniper at home.net.my> wrote:
> > > > My LDAP knowledge is quite shallow and as such I would like to use
> > >
> > > > - openLDAP only for authentication
> > > > - MySQL for authorization and accounting
> > > >
> > > > If that is possible, do I *still* need to extend my LDAP schema
> > > > with ~/doc/examples/openldap.schema ?
> > >
> > >   I don't think so.  If all you're using LDAP for is usernames &
> > > passwords, that should be in the default schema.
> > >
> > >   Alan DeKok.
> > > --
> > >   http://deployingradius.com       - The web site of the book
> > >   http://deployingradius.com/blog/ - The blog
> > > -
> > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
> > >
> >
> > I ran radtest and it complained that there is no dialupAccess attribute,
> > so access is denied by default.
> >
> > -- snippet from debug screen --
> > ...
> > ...
> > rlm_ldap: Bind was successful
> > rlm_ldap: performing search in dc=example,dc=com, with filter
> > (uid=bob at example.com)
> > rlm_ldap: no dialupAccess attribute - access denied by default
> > rlm_ldap: ldap_release_conn: Release Id: 0
> >   modcall[authorize]: module "ldap" returns userlock for request 0
> > modcall: leaving group authorize (returns userlock) for request 0
> > Invalid user (rlm_ldap: Access Attribute denies access):
> > [bob at example.com/thepassword] (from client localhost port 10)
> > Delaying request 0 for 1 seconds
> > Finished request 0
> > Going to the next request
> > --- Walking the entire request list ---
> > Waking up in 1 seconds...
> > --- Walking the entire request list ---
> > Waking up in 1 seconds...
> > --- Walking the entire request list ---
> > Sending Access-Reject of id 144 to 127.0.0.1 port 32803
> > Waking up in 4 seconds...
> > --- Walking the entire request list ---
> > Cleaning up request 0 ID 144 with timestamp 44cff3d6
> > Nothing to do.  Sleeping until we see a request.
> >
> >
> >
> > I noticed that the 'dialupAccess' attribute is defined in the
> > radiusprofile objectClass (openldap.schema). That means radiusd expects
> > that objectClass to be made available. Wonder if there is any way around
> > this?
> 
> 
> just comment out the line
>   access_attr = "dialupAccess"
> in the ldap section of your module definition.
> 
> 
> hth
>   markus

That helps. Thanks Markus.



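The following is an added example, not code from this thread and not FreeRADIUS's rlm_ldap source: a small model of the access_attr decision that the quoted debug output shows, run over a constructed directory so the effect of commenting out access_attr can be seen without an LDAP server. The "attribute absent, access denied by default, module returns userlock" path is what the log above shows; the rule that an explicit value of FALSE also denies is an assumption about rlm_ldap's semantics, labelled as such in the code, and the user entries are constructed.

```python
# Added example, not code from the thread or from FreeRADIUS: a model of the
# rlm_ldap "access_attr" decision seen in the quoted debug output, run over a
# constructed directory so the effect of commenting out access_attr is visible.
from typing import Dict, List, Optional, Tuple

# Constructed directory: uid -> attributes. bob has no radiusprofile
# objectClass and therefore no dialupAccess attribute, which is the situation
# in the thread.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "bob@example.com": {
        "objectClass": ["inetOrgPerson"],
        "userPassword": ["thepassword"],
    },
    "carol@example.com": {
        "objectClass": ["inetOrgPerson", "radiusprofile"],
        "dialupAccess": ["TRUE"],
    },
    "dave@example.com": {
        "objectClass": ["inetOrgPerson", "radiusprofile"],
        "dialupAccess": ["FALSE"],
    },
}


def ldap_authorize(uid: str, access_attr: Optional[str] = "dialupAccess") -> Tuple[str, str]:
    """Return (module return code, log line) for the authorize step.

    access_attr=None models the fix from the thread: the access_attr line is
    commented out, so the attribute check is skipped and every entry that
    matches the search filter is authorized.
    """
    entry = DIRECTORY.get(uid)
    if entry is None:
        # No matching entry: the module returns notfound and another module
        # (MySQL in the thread) would have to decide.
        return "notfound", f"rlm_ldap: object not found for uid {uid}"
    if access_attr is None:
        return "ok", "rlm_ldap: access_attr not configured - access check skipped"
    values = entry.get(access_attr, [])
    if not values:
        # This is the log line from the thread; the module returns userlock.
        return "userlock", f"rlm_ldap: no {access_attr} attribute - access denied by default"
    if values[0].strip().upper() == "FALSE":
        # Assumption about rlm_ldap semantics, not stated in the thread:
        # an explicit FALSE value denies access.
        return "userlock", f"rlm_ldap: {access_attr} is FALSE - access denied"
    return "ok", f"rlm_ldap: {access_attr} present - access allowed"


def decisions(access_attr: Optional[str]) -> Dict[str, str]:
    """Module return code for every constructed user under one setting."""
    return {uid: ldap_authorize(uid, access_attr)[0] for uid in DIRECTORY}


if __name__ == "__main__":
    for setting in ("dialupAccess", None):
        label = f'access_attr = "{setting}"' if setting else "access_attr commented out"
        print(f"--- {label} ---")
        for uid in DIRECTORY:
            rcode, line = ldap_authorize(uid, setting)
            print(f"{uid:20s} {rcode:9s} {line}")
```

Running it shows the trade-off behind Markus's fix: with access_attr set, bob is rejected exactly as in the log, while with the line commented out bob, carol and dave are all authorized by rlm_ldap regardless of what dialupAccess says. The per-user enable/disable switch therefore has to live somewhere else, for example in the MySQL authorization the original poster planned to use, or the schema has to be extended so the attribute exists.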


