LDAP authentication
Lin Richardson
lin at xmission.com
Tue Aug 29 18:56:38 CEST 2006
Okay, feeling a bit stoopid at the moment. I did not have the User-Password
mapped. For some indefensible reason based on our environment I had changed
it simply to Password, and never changed it back. I should have tried that
mapping.
HOWEVER
It still doesn't work.
I can perform radtest queries with username/LDAPpassword, and I get the accept
response.
If I use the query with username/remotepassword, I get rejected.
It appears that rlm_ldap does an initial lookup in LDAP and then tries to
reconnect and bind as the user via the unitnumber.
It uses (I can only assume) the User-Password to bind, and if that is not
set to the value of the LDAP password, it fails and the request is rejected.
I can see this happening in the log snippets included below.
Note also that I removed the two $GENERIC$ lines from the
ldap.attrmap file... does that matter? I still don't understand their
function.
Also, can I make arbitrary variable assignments in the ldap.attrmap file,
like Some-Attribute := %Some-Other-Attribute?
-----------------------------------------------------------------
My entire ldap.attrmap (without comments) is as follows:
checkItem Account-Enabled isaccountenabled
checkItem User-Password remotepassword
replyItem Access-List accesslist
replyItem Class remotegroup
(I am trying to recreate settings from another radius product I would like
to replace)
---------------------------------------
My command line radtest for a failed and successful attempt
bash-3.00# /usr/local/freeradius/bin/radtest testuser "TESTpwd" localhost:1815 35000 SECRET
Sending Access-Request of id 50 to 127.0.0.1 port 1815
User-Name = "testuser"
User-Password = "TESTpwd"
NAS-IP-Address = 255.255.255.255
NAS-Port = 35000
rad_recv: Access-Reject packet from host 127.0.0.1:1815, id=50, length=20
bash-3.00# /usr/local/freeradius/bin/radtest testuser "LDAPpwd" localhost:1815 35000 SECRET
Sending Access-Request of id 59 to 127.0.0.1 port 1815
User-Name = "testuser"
User-Password = "LDAPpwd"
NAS-IP-Address = 255.255.255.255
NAS-Port = 35000
rad_recv: Access-Accept packet from host 127.0.0.1:1815, id=59, length=34
Class = 0x6f753d456d706c6f79656573
---------------------------------------------------
Debug output for the above requests is as follows:
(see attached file "radius-debug.txt" for full log)
REQUEST ONE FAILED
...
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type ldap
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "testuser" with password "TESTpwd"
rlm_ldap: user DN: unitnumber=547258278,ou=mspr,ou=mycompanypeople,o=mycompany
rlm_ldap: (re)connect to ldapvip.co.mycompany.com:389, authentication 1
rlm_ldap: bind as unitnumber=547258278,ou=mspr,ou=mycompanypeople,o=mycompany/TESTpwd to ldapvip.co.mycompany.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
modcall[authenticate]: module "ldap" returns reject for request 0
modcall: leaving group LDAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect (rlm_ldap: Bind as user failed): [testuser/TESTpwd] (from
client localhost port 35000)
Delaying request 0 for 1 seconds
Finished request 0
...
REQUEST TWO SUCCESSFUL
...
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
rad_check_password: Found Auth-Type ldap
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 1
rlm_ldap: - authenticate
rlm_ldap: login attempt by "testuser" with password "LDAPpwd"
rlm_ldap: user DN: unitnumber=547258278,ou=mspr,ou=mycompanypeople,o=mycompany
rlm_ldap: (re)connect to ldapvip.co.mycompany.com:389, authentication 1
rlm_ldap: bind as unitnumber=547258278,ou=mspr,ou=mycompanypeople,o=mycompany/LDAPpwd to ldapvip.co.mycompany.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user testuser authenticated succesfully
modcall[authenticate]: module "ldap" returns ok for request 1
modcall: leaving group LDAP (returns ok) for request 1
Login OK: [testuser] (from client localhost port 35000)
Sending Access-Accept of id 59 to 127.0.0.1 port 43466
Class = 0x6f753d456d706c6f79656573
Finished request 1
.....
On 8/29/06, Stefan Winter <stefan.winter at restena.lu> wrote:
>
> > Modify ldap.attrmap so that _your_ attribute is mapped into User-Name,
> > not the default one.
>
> User-Password of course.
>
> --
> Stefan WINTER
>
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
> la Recherche - Ingénieur de recherche
>
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-------------- attached file "radius-debug.txt" --------------
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/freeradius-1.1.3/etc/raddb/proxy.conf
Config: including file: /usr/local/freeradius-1.1.3/etc/raddb/clients.conf
Config: including file: /usr/local/freeradius-1.1.3/etc/raddb/snmp.conf
Config: including file: /usr/local/freeradius-1.1.3/etc/raddb/eap.conf
Config: including file: /usr/local/freeradius-1.1.3/etc/raddb/sql.conf
main: prefix = "/usr/local/freeradius-1.1.3"
main: localstatedir = "/usr/local/freeradius-1.1.3/var"
main: logdir = "/usr/local/freeradius-1.1.3/var/log/radius"
main: libdir = "/usr/local/freeradius-1.1.3/lib"
main: radacctdir = "/usr/local/freeradius-1.1.3/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 1815
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/usr/local/freeradius-1.1.3/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = no
main: pidfile = "/usr/local/freeradius-1.1.3/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "after"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/freeradius-1.1.3/sbin/checkrad"
main: proxy_requests = no
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/freeradius-1.1.3/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
exec: wait = yes
exec: program = "/usr/local/freeradius/etc/scripts/mycompany_wireless.atz %{User-Name}"
exec: input_pairs = "request"
exec: output_pairs = "config"
exec: packet_type = "(null)"
Module: Instantiated exec (mycompany_wireless)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded LDAP
ldap: server = "ldapvip.co.mycompany.com"
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity = "appl=VPN Radius Server, ou=applications, o=mycompany"
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = "(null)"
ldap: tls_cacertdir = "(null)"
ldap: tls_certfile = "(null)"
ldap: tls_keyfile = "(null)"
ldap: tls_randfile = "(null)"
ldap: tls_require_cert = "allow"
ldap: password = "FRRADpw"
ldap: basedn = "o=mycompany"
ldap: filter = "(&(uid=%{User-Name})(isaccountenabled=true))"
ldap: base_filter = "(objectclass=radiusprofile)"
ldap: default_profile = "(null)"
ldap: profile_attribute = "(null)"
ldap: password_header = "(null)"
ldap: password_attribute = "(null)"
ldap: access_attr = "(null)"
ldap: groupname_attribute = "cn"
ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
ldap: groupmembership_attribute = "(null)"
ldap: dictionary_mapping = "/usr/local/freeradius-1.1.3/etc/raddb/ldap.attrmap"
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /usr/local/freeradius-1.1.3/etc/raddb/ldap.attrmap
rlm_ldap: LDAP isaccountenabled mapped to RADIUS Account-Enabled
rlm_ldap: LDAP remotepassword mapped to RADIUS User-Password
rlm_ldap: LDAP accesslist mapped to RADIUS Access-List
rlm_ldap: LDAP remotegroup mapped to RADIUS Class
conns: bd508
Module: Instantiated ldap (ldap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/freeradius-1.1.3/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/freeradius-1.1.3/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
detail: detailfile = "/usr/local/freeradius-1.1.3/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded files
files: usersfile = "/usr/local/freeradius-1.1.3/etc/raddb/users"
files: acctusersfile = "/usr/local/freeradius-1.1.3/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/freeradius-1.1.3/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
detail: detailfile = "/usr/local/freeradius-1.1.3/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/freeradius-1.1.3/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
radutmp: filename = "/usr/local/freeradius-1.1.3/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Listening on authentication *:1815
Listening on accounting *:1816
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:43455, id=50, length=60
User-Name = "testuser"
User-Password = "TESTpwd"
NAS-IP-Address = 255.255.255.255
NAS-Port = 35000
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
radius_xlat: '/usr/local/freeradius/etc/scripts/mycompany_wireless.atz testuser'
Exec-Program: /usr/local/freeradius/etc/scripts/mycompany_wireless.atz testuser
Exec-Program output:
Exec-Program: returned: 0
modcall[authorize]: module "mycompany_wireless" returns ok for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/usr/local/freeradius-1.1.3/var/log/radius/radacct/127.0.0.1/auth-detail-20060829'
rlm_detail: /usr/local/freeradius-1.1.3/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/freeradius-1.1.3/var/log/radius/radacct/127.0.0.1/auth-detail-20060829
modcall[authorize]: module "auth_log" returns ok for request 0
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat: '(&(uid=testuser)(isaccountenabled=true))'
radius_xlat: 'o=mycompany'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldapvip.co.mycompany.com:389, authentication 0
rlm_ldap: bind as appl=VPN Radius Server, ou=applications, o=mycompany/FRRADpw to ldapvip.co.mycompany.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=mycompany, with filter (&(uid=testuser)(isaccountenabled=true))
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding remotepassword as User-Password, value TESTpwd & op=21
rlm_ldap: Adding isaccountenabled as Account-Enabled, value TRUE & op=21
rlm_ldap: Failed to create the pair: Unknown attribute "Account-Enabled"
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding remotegroup as Class, value ou=Employees & op=11
rlm_ldap: Adding accesslist as Access-List, value Proxy & op=11
rlm_ldap: Failed to create the pair: Unknown attribute "Access-List"
rlm_ldap: Adding accesslist as Access-List, value HostLink & op=11
rlm_ldap: Failed to create the pair: Unknown attribute "Access-List"
rlm_ldap: Adding accesslist as Access-List, value WebLink & op=11
rlm_ldap: Failed to create the pair: Unknown attribute "Access-List"
rlm_ldap: Adding accesslist as Access-List, value HELP & op=11
rlm_ldap: Failed to create the pair: Unknown attribute "Access-List"
rlm_ldap: Adding accesslist as Access-List, value VPN & op=11
rlm_ldap: Failed to create the pair: Unknown attribute "Access-List"
rlm_ldap: Adding accesslist as Access-List, value mycompanynet & op=11
rlm_ldap: Failed to create the pair: Unknown attribute "Access-List"
rlm_ldap: Adding accesslist as Access-List, value Remedy & op=11
rlm_ldap: Failed to create the pair: Unknown attribute "Access-List"
rlm_ldap: Adding accesslist as Access-List, value Perimeter Team & op=11
rlm_ldap: Failed to create the pair: Unknown attribute "Access-List"
rlm_ldap: Adding accesslist as Access-List, value Kronos & op=11
rlm_ldap: Failed to create the pair: Unknown attribute "Access-List"
rlm_ldap: Adding accesslist as Access-List, value SecureAccess & op=11
rlm_ldap: Failed to create the pair: Unknown attribute "Access-List"
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type ldap
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "testuser" with password "TESTpwd"
rlm_ldap: user DN: unitnumber=547258278,ou=mspr,ou=mycompanypeople,o=mycompany
rlm_ldap: (re)connect to ldapvip.co.mycompany.com:389, authentication 1
rlm_ldap: bind as unitnumber=547258278,ou=mspr,ou=mycompanypeople,o=mycompany/TESTpwd to ldapvip.co.mycompany.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
modcall[authenticate]: module "ldap" returns reject for request 0
modcall: leaving group LDAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect (rlm_ldap: Bind as user failed): [testuser/TESTpwd] (from client localhost port 35000)
rad_lowerpair: User-Name now 'testuser'
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
radius_xlat: '/usr/local/freeradius/etc/scripts/mycompany_wireless.atz testuser'
Exec-Program: /usr/local/freeradius/etc/scripts/mycompany_wireless.atz testuser
Exec-Program output:
Exec-Program: returned: 0
modcall[authorize]: module "mycompany_wireless" returns ok for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/usr/local/freeradius-1.1.3/var/log/radius/radacct/127.0.0.1/auth-detail-20060829'
rlm_detail: /usr/local/freeradius-1.1.3/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/freeradius-1.1.3/var/log/radius/radacct/127.0.0.1/auth-detail-20060829
modcall[authorize]: module "auth_log" returns ok for request 0
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat: '(&(uid=testuser)(isaccountenabled=true))'
radius_xlat: 'o=mycompany'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=mycompany, with filter (&(uid=testuser)(isaccountenabled=true))
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding remotepassword as User-Password, value TESTpwd & op=21
rlm_ldap: Adding isaccountenabled as Account-Enabled, value TRUE & op=21
rlm_ldap: Failed to create the pair: Unknown attribute "Account-Enabled"
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding remotegroup as Class, value ou=Employees & op=11
rlm_ldap: Adding accesslist as Access-List, value Proxy & op=11
rlm_ldap: Failed to create the pair: Unknown attribute "Access-List"
rlm_ldap: Adding accesslist as Access-List, value HostLink & op=11
rlm_ldap: Failed to create the pair: Unknown attribute "Access-List"
rlm_ldap: Adding accesslist as Access-List, value WebLink & op=11
rlm_ldap: Failed to create the pair: Unknown attribute "Access-List"
rlm_ldap: Adding accesslist as Access-List, value HELP & op=11
rlm_ldap: Failed to create the pair: Unknown attribute "Access-List"
rlm_ldap: Adding accesslist as Access-List, value VPN & op=11
rlm_ldap: Failed to create the pair: Unknown attribute "Access-List"
rlm_ldap: Adding accesslist as Access-List, value mycompanynet & op=11
rlm_ldap: Failed to create the pair: Unknown attribute "Access-List"
rlm_ldap: Adding accesslist as Access-List, value Remedy & op=11
rlm_ldap: Failed to create the pair: Unknown attribute "Access-List"
rlm_ldap: Adding accesslist as Access-List, value Perimeter Team & op=11
rlm_ldap: Failed to create the pair: Unknown attribute "Access-List"
rlm_ldap: Adding accesslist as Access-List, value Kronos & op=11
rlm_ldap: Failed to create the pair: Unknown attribute "Access-List"
rlm_ldap: Adding accesslist as Access-List, value SecureAccess & op=11
rlm_ldap: Failed to create the pair: Unknown attribute "Access-List"
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type ldap
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "testuser" with password "TESTpwd"
rlm_ldap: user DN: unitnumber=547258278,ou=mspr,ou=mycompanypeople,o=mycompany
rlm_ldap: (re)connect to ldapvip.co.mycompany.com:389, authentication 1
rlm_ldap: bind as unitnumber=547258278,ou=mspr,ou=mycompanypeople,o=mycompany/TESTpwd to ldapvip.co.mycompany.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
modcall[authenticate]: module "ldap" returns reject for request 0
modcall: leaving group LDAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect (rlm_ldap: Bind as user failed): [testuser/TESTpwd] (from client localhost port 35000)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 50 to 127.0.0.1 port 43455
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 50 with timestamp 44f467ce
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 127.0.0.1:43466, id=59, length=60
User-Name = "testuser"
User-Password = "LDAPpwd"
NAS-IP-Address = 255.255.255.255
NAS-Port = 35000
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
radius_xlat: '/usr/local/freeradius/etc/scripts/mycompany_wireless.atz testuser'
Exec-Program: /usr/local/freeradius/etc/scripts/mycompany_wireless.atz testuser
Exec-Program output:
Exec-Program: returned: 0
modcall[authorize]: module "mycompany_wireless" returns ok for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
radius_xlat: '/usr/local/freeradius-1.1.3/var/log/radius/radacct/127.0.0.1/auth-detail-20060829'
rlm_detail: /usr/local/freeradius-1.1.3/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/freeradius-1.1.3/var/log/radius/radacct/127.0.0.1/auth-detail-20060829
modcall[authorize]: module "auth_log" returns ok for request 1
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat: '(&(uid=testuser)(isaccountenabled=true))'
radius_xlat: 'o=mycompany'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=mycompany, with filter (&(uid=testuser)(isaccountenabled=true))
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding remotepassword as User-Password, value TESTpwd & op=21
rlm_ldap: Adding isaccountenabled as Account-Enabled, value TRUE & op=21
rlm_ldap: Failed to create the pair: Unknown attribute "Account-Enabled"
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding remotegroup as Class, value ou=Employees & op=11
rlm_ldap: Adding accesslist as Access-List, value Proxy & op=11
rlm_ldap: Failed to create the pair: Unknown attribute "Access-List"
rlm_ldap: Adding accesslist as Access-List, value HostLink & op=11
rlm_ldap: Failed to create the pair: Unknown attribute "Access-List"
rlm_ldap: Adding accesslist as Access-List, value WebLink & op=11
rlm_ldap: Failed to create the pair: Unknown attribute "Access-List"
rlm_ldap: Adding accesslist as Access-List, value HELP & op=11
rlm_ldap: Failed to create the pair: Unknown attribute "Access-List"
rlm_ldap: Adding accesslist as Access-List, value VPN & op=11
rlm_ldap: Failed to create the pair: Unknown attribute "Access-List"
rlm_ldap: Adding accesslist as Access-List, value mycompanynet & op=11
rlm_ldap: Failed to create the pair: Unknown attribute "Access-List"
rlm_ldap: Adding accesslist as Access-List, value Remedy & op=11
rlm_ldap: Failed to create the pair: Unknown attribute "Access-List"
rlm_ldap: Adding accesslist as Access-List, value Perimeter Team & op=11
rlm_ldap: Failed to create the pair: Unknown attribute "Access-List"
rlm_ldap: Adding accesslist as Access-List, value Kronos & op=11
rlm_ldap: Failed to create the pair: Unknown attribute "Access-List"
rlm_ldap: Adding accesslist as Access-List, value SecureAccess & op=11
rlm_ldap: Failed to create the pair: Unknown attribute "Access-List"
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
rad_check_password: Found Auth-Type ldap
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 1
rlm_ldap: - authenticate
rlm_ldap: login attempt by "testuser" with password "LDAPpwd"
rlm_ldap: user DN: unitnumber=547258278,ou=mspr,ou=mycompanypeople,o=mycompany
rlm_ldap: (re)connect to ldapvip.co.mycompany.com:389, authentication 1
rlm_ldap: bind as unitnumber=547258278,ou=mspr,ou=mycompanypeople,o=mycompany/LDAPpwd to ldapvip.co.mycompany.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user testuser authenticated succesfully
modcall[authenticate]: module "ldap" returns ok for request 1
modcall: leaving group LDAP (returns ok) for request 1
Login OK: [testuser] (from client localhost port 35000)
Sending Access-Accept of id 59 to 127.0.0.1 port 43466
Class = 0x6f753d456d706c6f79656573
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 59 with timestamp 44f467e2
Nothing to do. Sleeping until we see a request.
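As an added illustration of what the two debug traces above show (this is example code written for this page, not part of the thread or of FreeRADIUS), the following Python script parses `radiusd -X` output per request and reports why each request ended as it did. The sample log embedded in it is constructed by abridging the trace quoted above; the parser, the finding codes and the `scrub()` helper are this example's own. It checks mechanically three things a reader of this thread would want confirmed: that with `Auth-Type = ldap` the module authenticates by binding as the user's DN with the password from the Access-Request, so a `checkItem User-Password remotepassword` mapping puts a value into the request that the bind never consults; that `Access-List` (and, in the full log, `Account-Enabled`) is not in the RADIUS dictionary, so those mappings are silently dropped; and that the debug output carries passwords in the clear (the request password, the mapped directory value and the bind credentials), which is worth redacting before a log is posted to a list.

```python
"""Triage helper for FreeRADIUS 1.x `radiusd -X` output (added example, not FreeRADIUS code)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample, abridged from the debug log quoted in the thread: the same user
# is rejected with the remotepassword value and accepted with the LDAP password.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1:43455, id=50, length=60
        User-Password = "TESTpwd"
rlm_ldap: Adding remotepassword as User-Password, value TESTpwd & op=21
rlm_ldap: Adding accesslist as Access-List, value Proxy & op=11
rlm_ldap: Failed to create the pair: Unknown attribute "Access-List"
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: bind as unitnumber=547258278,ou=mspr,ou=mycompanypeople,o=mycompany/TESTpwd to ldapvip.co.mycompany.com:389
rlm_ldap: Bind failed with invalid credentials
Sending Access-Reject of id 50 to 127.0.0.1 port 43455
rad_recv: Access-Request packet from host 127.0.0.1:43466, id=59, length=60
        User-Password = "LDAPpwd"
rlm_ldap: Adding remotepassword as User-Password, value TESTpwd & op=21
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: bind as unitnumber=547258278,ou=mspr,ou=mycompanypeople,o=mycompany/LDAPpwd to ldapvip.co.mycompany.com:389
rlm_ldap: Bind was successful
Sending Access-Accept of id 59 to 127.0.0.1 port 43466
"""

RE_REQ = re.compile(r"^rad_recv: Access-Request packet from host \S+, id=(\d+)")
RE_ATTR = re.compile(r'^([\w-]+) = "(.*)"$')
RE_ITEM = re.compile(r"^rlm_ldap: Adding (\S+) as (\S+), value (.*) & op=\d+$")
RE_UNKNOWN = re.compile(r'Unknown attribute "([^"]+)"')
RE_AUTHTYPE = re.compile(r"^rlm_ldap: Setting Auth-Type = (\S+)")
RE_BIND = re.compile(r"^rlm_ldap: bind as (.+)/\S+ to \S+$")
RE_RESULT = re.compile(r"^Sending (Access-Accept|Access-Reject) of id \d+")


@dataclass
class Request:
    id: int
    attrs: dict = field(default_factory=dict)        # attributes of the Access-Request
    ldap_items: list = field(default_factory=list)   # (ldap_attr, radius_attr, value) via ldap.attrmap
    unknown_attrs: set = field(default_factory=set)  # mapped names missing from the dictionary
    auth_type: str | None = None
    user_bind_dn: str | None = None                  # DN used by the bind-as-user in authenticate
    bind_result: str | None = None                   # "success" / "failed"
    outcome: str | None = None                       # Access-Accept / Access-Reject


def parse(log: str) -> list[Request]:
    """Split debug output into per-request records; server start-up lines are skipped."""
    requests, cur = [], None
    for raw in log.splitlines():
        line = raw.strip()
        if m := RE_REQ.match(line):
            cur = Request(id=int(m[1]))
            requests.append(cur)
        elif cur is None:
            continue
        elif (m := RE_ATTR.match(line)) and cur.auth_type is None:
            cur.attrs[m[1]] = m[2]
        elif m := RE_ITEM.match(line):
            cur.ldap_items.append((m[1], m[2], m[3]))
        elif m := RE_UNKNOWN.search(line):
            cur.unknown_attrs.add(m[1])
        elif m := RE_AUTHTYPE.match(line):
            cur.auth_type = m[1].lower()
        # Binds seen before Auth-Type is set are the module's own admin bind in authorize;
        # only the bind in the authenticate stage carries the user's password.
        elif (m := RE_BIND.match(line)) and cur.auth_type is not None:
            cur.user_bind_dn = m[1]
        elif line.startswith("rlm_ldap: Bind ") and cur.auth_type is not None:
            cur.bind_result = "success" if "successful" in line else "failed"
        elif m := RE_RESULT.match(line):
            cur.outcome = m[1]
    return requests


def diagnose(req: Request) -> list[tuple[str, str]]:
    """Return (code, message) findings explaining why a request ended as it did."""
    out = []
    mapped = [i for i in req.ldap_items if i[1] == "User-Password"]
    if req.outcome == "Access-Reject" and req.bind_result == "failed":
        out.append(("BIND_REJECT", f"id={req.id}: bind as {req.user_bind_dn} with the supplied password failed"))
    if mapped and req.auth_type == "ldap":
        out.append(("MAPPED_PASSWORD_UNUSED", f"id={req.id}: User-Password is mapped from LDAP attribute {mapped[0][0]}, but Auth-Type = ldap binds as the user, so that value is never compared"))
        if req.attrs.get("User-Password") == mapped[0][2] and req.outcome == "Access-Reject":
            out.append(("MAPPED_VALUE_MATCHES_SUPPLIED", f"id={req.id}: supplied password equals the mapped value yet the request was rejected, so the check item did not decide the result"))
    if req.unknown_attrs:
        out.append(("UNKNOWN_ATTRIBUTES", f"id={req.id}: not in the RADIUS dictionary, mapping dropped: {', '.join(sorted(req.unknown_attrs))}"))
    return out


# Credential material that radiusd -X prints in the clear; DNs and user names are kept.
REDACTIONS = [
    (re.compile(r'(User-Password = ")[^"]*(")'), r"\1***\2"),
    (re.compile(r"( as User-Password, value ).*( & op=\d+)"), r"\1***\2"),
    (re.compile(r"(rlm_ldap: bind as .+)/\S+( to )"), r"\1/***\2"),
    (re.compile(r'(with password ")[^"]*(")'), r"\1***\2"),
    (re.compile(r"(Login incorrect \(.*\): \[[^/\]]+)/[^\]]*(\])"), r"\1/***\2"),
    (re.compile(r'(^ldap: password = ")[^"]*(")', re.M), r"\1***\2"),
]


def scrub(log: str) -> str:
    """Redact passwords so a debug log can be shared without leaking credentials."""
    for pattern, repl in REDACTIONS:
        log = pattern.sub(repl, log)
    return log
```

Call `parse()` on a real `radiusd -X` capture (`parse(open(path).read())`) and `diagnose()` on each record; `scrub()` the capture before posting it. The `MAPPED_VALUE_MATCHES_SUPPLIED` finding is the decisive one for this thread: request id 50 supplied exactly the value that `remotepassword` mapped into `User-Password` and was still rejected, which means the check item never took part in the decision; with `Auth-Type = ldap` the result is the bind-as-user outcome alone. Comparing the supplied password against the directory's `remotepassword` attribute would need the authenticate step to be a password comparison rather than an LDAP bind (in FreeRADIUS terms, PAP against the mapped `User-Password` instead of `Auth-Type = ldap`); that is general FreeRADIUS behaviour noted here, not something the thread itself spells out.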
More information about the Freeradius-Users mailing list