using DN from previous default entry

Rohaizam Abu Bakar haizam at myjaring.net
Thu Aug 24 13:27:05 CEST 2006 


FreeBSD 6.1 with FR 1.1.2

I'm trying to detect user that has attribute Service=REAL and search through 
different LDAP tree as below config in users file.
The problem happened when both tree (DIALUP & LDAP) has user's entry with 
same uid. So although first DEFAULT entry is not match when searching for 
attribute Service=REAL...  the 2nd DEFAULT will use DN from first DEFAULT 
for authenticate...

Why Feeradius not using the DN from 2nd query?? It should use ou=RADIUS not 
ou=DIALUP for auth. Please refer below debug log..

thanks..

#######################################
users:-

DEFAULT         ldapdialup1-Ldap-Group == "REAL", Autz-Type := DIALUP
## NORMAL DIALUP
DEFAULT         Autz-Type := LDAP



rad_recv: Access-Request packet from host 192.228.137.77:55146, id=13, 
length=46
        User-Name = "bacang"
        User-Password = "xxxxxxxxx"
rad_rmspace_pair:  User-Name now 'bacang'
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '/' in User-Name = "bacang", skipping NULL due to config.
  modcall[authorize]: module "IPASS" returns noop for request 0
    rlm_realm: No '@' in User-Name = "bacang", looking up realm NULL
    rlm_realm: Found realm "NULL"
    rlm_realm: Adding Stripped-User-Name = "bacang"
    rlm_realm: Proxying request from user bacang to realm NULL
    rlm_realm: Adding Realm = "NULL"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=DIALUP,ou=AAA,ou=People,dc=xxxxx,dc=xxxx'
radius_xlat:  '(uid=bacang)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: bind as cn=Sysadmin,ou=Applications,dc=xxxxxx,dc=xxxx/xxxxxxxxxx 
to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=DIALUP,ou=AAA,ou=People,dc=xxxxx,dc=xxxx, 
with filter (uid=bacang)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat:  '(&(uid=bacang)(objectclass=radiusprofile))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in 
ou=DIALUP,ou=AAA,ou=People,dc=xxxxxxx,dc=xxxx, with filter 
(&(jaringService=REAL)(&(uid=bacang)(objectclass=radiusprofile)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group REAL not found or user is not a member.
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=DIALUP,ou=AAA,ou=People,dc=xxxxx,dc=xxx'
radius_xlat:  '(&(uid=bacang)(objectclass=radiusprofile))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 61.6.32.201:389, authentication 0
rlm_ldap: bind as 
cn=Sysadmin,ou=Applications,dc=xxxxxxx,dc=xxxxx/xxxxxxxxxxxxxx to 
xxxxxxxx:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=DIALUP,ou=AAA,ou=People,dc=xxxxxx,dc=xxxx, 
with filter 
(&(jaringService=REAL)(&(uid=bacang)(objectclass=radiusprofile)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group REAL not found or user is not a member.
    users: Matched entry DEFAULT at line 23
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  Found Autz-Type LDAP
  Processing the authorize section of radiusd.conf
modcall: entering group LDAP for request 0
modcall: entering group redundant  for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for bacang
radius_xlat:  '(uid=bacang)'
radius_xlat:  'ou=RADIUS,ou=People,dc=xxxxx,dc=xxx'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: bind as cn=Sysadmin,ou=Applications,dc=xxxxx,dc=xxx/xxxxxxxxxxxxx 
to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=RADIUS,ou=People,dc=xxxxx,dc=xxxx, with 
filter (uid=bacang)
rlm_ldap: checking if remote access for bacang is allowed by dialupAccess
rlm_ldap: Added password {CRYPT}Y3EhshegMNPxA in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value 
Van-Jacobson-TCP-IP & op=11
rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500 & op=11
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP & op=11
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & 
op=11
rlm_ldap: Setting Auth-Type = ldap1
rlm_ldap: user bacang authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap1" returns ok for request 0
modcall: leaving group redundant  (returns ok) for request 0
modcall: leaving group LDAP (returns ok) for request 0
  rad_check_password:  Found Auth-Type ldap1
auth: type "ldap1"
  Processing the authenticate section of radiusd.conf
modcall: entering group ldap1 for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "bacang" with password "xxxxxxxx"
rlm_ldap: user DN: 
uniqueIdentifier=10614,ou=DIALUP,ou=AAA,ou=People,dc=xxxxx,dc=xxx
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 1
rlm_ldap: bind as 
uniqueIdentifier=10614,ou=DIALUP,ou=AAA,ou=People,dc=xxxxxx,dc=xxx/xxxxxx to 
127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user bacang authenticated succesfully
  modcall[authenticate]: module "ldap1" returns ok for request 0
modcall: leaving group ldap1 (returns ok) for request 0
Login OK: [bacang] (from client sysadmin port 0)
Sending Access-Accept of id 13 to 192.228.137.77 port 55146
        Framed-Compression = Van-Jacobson-TCP-IP
        Framed-MTU = 1500
        Framed-Protocol = PPP
        Service-Type = Framed-User

More information about the Freeradius-Users mailing list