More documentation on Auth-Type

Rohaizam Abu Bakar haizam at myjaring.net
Fri Aug 18 03:25:15 CEST 2006


Just managed to try your 2nd suggestion, but it is giving the error below in the debug logs; refer to the debug logs.

ERROR: Unknown value specified for Auth-Type.  Cannot perform requested action


modules {
  ldap ldap1 {
    basedn = "ou=RADIUS......"
    set_auth_type = yes
  }
  ldap ldapdialup1 {
    basedn = "ou=DIALUP......"
    set_auth_type = yes
  }
}


authorize {
  Autz-Type LDAP {
    ldap1
  }
  Autz-Type DIALUP {
    ldapdialup1
  }
}

authenticate {
  Auth-Type ldap1 {
    ldap1
  }
  Auth-Type ldapdialup1 {
    ldapdialup1
  }
}

DEFAULT         ldapdialup1-Ldap-Group == "REAL", Autz-Type := DIALUP
DEFAULT         Autz-Type := LDAP


#############################################################
rlm_ldap: performing user authorization for bacang
radius_xlat:  '(uid=bacang)'
radius_xlat:  'ou=RADIUS,ou=People,.........'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to :389, authentication 0
rlm_ldap: bind as cn=Sysadmin,ou=Applications,............./xxxxxxxxx to xxxxxxx:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=RADIUS,ou=People,..........., with filter (uid=bacang)
rlm_ldap: checking if remote access for bacang is allowed by attrRoaming
rlm_ldap: Added password {CRYPT}Y3EhshegMNPxA in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value Van-Jacobson-TCP-IP & op=11
rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500 & op=11
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP & op=11
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & op=11
rlm_ldap: user bacang authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap1" returns ok for request 0
modcall: group Autz-Type returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  ERROR: Unknown value specified for Auth-Type.  Cannot perform requested action.
auth: Failed to validate the user.
Login incorrect: [bacang] (from client sysadmin port 0)



----- Original Message ----- 
From: "Phil Mayers" <p.mayers at imperial.ac.uk>
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Tuesday, August 08, 2006 6:28 PM
Subject: Re: More documentation on Auth-Type


> Rohaizam Abu Bakar wrote:
>> any docs to help on my problem... ? in doc/rlm_ldap, there is section 
>> about LDAP XLAT.. Is it the one ?
>
> As far as I know, you should be able to do something like:
>
> modules {
>   files {
>     usersfile = users
>   }
>   files wireless_files {
>     usersfile = wireless_users
>   }
>   files vpn_files {
>     usersfile = vpn_users
>   }
>   ldap {
>     basedn = "%{reply:Tmp-String-1}"
>     ...
>   }
> }
>
> authorize {
>   files
>   Autz-Type WIRELESS {
>     wireless_files
>     ldap
>   }
>   Autz-Type VPN {
>     vpn_files
>     ldap
>   }
> }
>
> users:
>
> DEFAULT Huntgroup-Name == "whatever", Autz-Type := WIRELESS
>
> DEFAULT Huntgroup-Name == "something", Autz-Type := VPN
>
> users_vpn:
>
> DEFAULT
> Tmp-String-1 = "ou=vpnusers,dc=mydomain,dc=org"
>
> users_wireless:
>
> DEFAULT
> Tmp-String-1 = "ou=wireless,dc=anotherdomain,dc=com"
>
> You may need to add Tmp-String-1 to a local dictionary if you're running 
> an older server, e.g. in "dictionary"
>
> ATTRIBUTE Tmp-String-1 3000 string
>
>
> Alternatively, 1.1.0 and up can do this I think?
>
> modules {
>   ldap wireless_ldap {
>     basedn = "ou=wireless,dc=domain,dc=com"
>     set_auth_type = yes
>   }
>   ldap vpn_ldap {
>     basedn = "ou=vpn,dc=example,dc=org"
>     set_auth_type = yes
>   }
>   files {
>    ...
>   }
> }
>
> authorize {
>   preprocess
>   files
>   Autz-Type WIRELESS {
>     wireless_ldap
>   }
>   Autz-Type VPN {
>     vpn_ldap
>   }
> }
>
> authenticate {
>   Auth-Type wireless_ldap {
>     wireless_ldap
>   }
>   Auth-Type vpn_ldap {
>     vpn_ldap
>   }
> }
>
> and in users:
>
> DEFAULT Huntgroup-Name == "VPN", Autz-Type := VPN
>
> DEFAULT Huntgroup-Name == "WIRELESS", Autz-Type := WIRELESS
>
>
> Basically, what happens then is:
>
>  1. preprocess run
>  2. files run, autz-type set
>  3. authorize re-run, autz-type section run
>  4. appropriate LDAP module run, and IF AND ONLY IF the Auth-Type is NOT 
> SET, set Auth-Type to "modulename" - i.e. "wireless_ldap" or "vpn_ldap"
>  5. authenticate run, appropriate LDAP module run
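The "Unknown value specified for Auth-Type" error in the debug output above is what the server reports when the Auth-Type value it picked during authorize has no matching `Auth-Type <name> { ... }` subsection in `authenticate`: the log shows `Found Auth-Type LDAP`, while the posted config only defines `Auth-Type ldap1` and `Auth-Type ldapdialup1`. The following is an added Python example, not code from this thread or from the FreeRADIUS project, that parses a radiusd.conf excerpt and a debug log (both constructed here, modelled on the ones in the message) and reports any selected Auth-Type/Autz-Type value that no subsection defines. It treats section-name matching as case-insensitive, which is an assumption of this checker rather than something the thread states.

```python
import re

# Constructed config excerpt, modelled on the one posted in this thread
# (not copied from any real server).
RADIUSD_CONF = """
authorize {
    Autz-Type LDAP {
        ldap1
    }
    Autz-Type DIALUP {
        ldapdialup1
    }
}

authenticate {
    Auth-Type ldap1 {
        ldap1
    }
    Auth-Type ldapdialup1 {
        ldapdialup1
    }
}
"""

# Constructed debug-log lines mirroring the failure shown in the message.
DEBUG_LOG = """\
  modcall[authorize]: module "ldap1" returns ok for request 0
modcall: group Autz-Type returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  ERROR: Unknown value specified for Auth-Type.  Cannot perform requested action.
"""

# "Auth-Type foo {" or "Autz-Type foo {" at the start of a config line.
SECTION_RE = re.compile(r'^\s*(Auth-Type|Autz-Type)\s+(\S+)\s*\{', re.MULTILINE)
# The value the server reports having chosen, e.g. "Found Auth-Type LDAP".
FOUND_RE = re.compile(r'Found (Auth-Type|Autz-Type) (\S+)')


def defined_subsections(conf):
    """Return {'Auth-Type': {names}, 'Autz-Type': {names}} found in the config text."""
    out = {"Auth-Type": set(), "Autz-Type": set()}
    for kind, name in SECTION_RE.findall(conf):
        out[kind].add(name)
    return out


def selected_types(log):
    """Return the (kind, value) pairs the debug log says the server selected."""
    return FOUND_RE.findall(log)


def unmatched_types(conf, log):
    """Selected values with no matching subsection, as (kind, value, defined_names).

    Name comparison is case-insensitive here; that is an assumption of this
    checker, not a statement about FreeRADIUS's own lookup rules.
    """
    defined = defined_subsections(conf)
    problems = []
    for kind, value in selected_types(log):
        names = {n.lower() for n in defined[kind]}
        if value.lower() not in names:
            problems.append((kind, value, sorted(defined[kind])))
    return problems


if __name__ == "__main__":
    for kind, value, names in unmatched_types(RADIUSD_CONF, DEBUG_LOG):
        print(f"{kind} {value!r} was selected, but only {names} are defined")
```

Run against the constructed input it reports that `Auth-Type 'LDAP'` was selected while only `ldap1` and `ldapdialup1` are defined, which is the mismatch visible in the debug log. Pointing it at a real radiusd.conf and a `radiusd -X` capture (read from files instead of the embedded strings) gives the same check for a live server.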
