check-Item checked by ldap

Florian Prester Florian.Prester at rrze.uni-erlangen.de
Fri Mar 17 08:48:20 CET 2006


Hi,

 I am using an LDAP directory as the information DB for authorisation.
Now my question is:

 I want to grant access if a user fulfils an LDAP attribute, for example:

users-file:
...
test  LDAP-Group == "test"
        Service-Type = "Administrative-User",
        cisco-avpair= "shell:priv-lvl=15"
...


ldap.attrmap:
...
checkItem       LDAP-Group                      Userid
...

In LDAP the Userid for the user test is test, therefore it should be 
mapped to the LDAP-Group attribute
and therefore the user should be granted access, or not?

But the debug output shows something different:
######################################
./radiusd -XXX
rad_recv: Access-Request packet from host 232.122.28.222:2084, id=59, 
length=47
        User-Name = "test"
        User-Password = "XXX"
Fri Mar 17 08:31:44 2006 : Debug:   Processing the authorize section of 
radiusd.conf
Fri Mar 17 08:31:44 2006 : Debug: modcall: entering group authorize for 
request 0
Fri Mar 17 08:31:44 2006 : Debug:   modsingle[authorize]: calling 
preprocess (rlm_preprocess) for request 0
Fri Mar 17 08:31:44 2006 : Debug:   modsingle[authorize]: returned from 
preprocess (rlm_preprocess) for request 0
Fri Mar 17 08:31:44 2006 : Debug:   modcall[authorize]: module 
"preprocess" returns ok for request 0
Fri Mar 17 08:31:44 2006 : Debug:   modsingle[authorize]: calling chap 
(rlm_chap) for request 0
Fri Mar 17 08:31:44 2006 : Debug:   modsingle[authorize]: returned from 
chap (rlm_chap) for request 0
Fri Mar 17 08:31:44 2006 : Debug:   modcall[authorize]: module "chap" 
returns noop for request 0
Fri Mar 17 08:31:44 2006 : Debug:   modsingle[authorize]: calling mschap 
(rlm_mschap) for request 0
Fri Mar 17 08:31:44 2006 : Debug:   modsingle[authorize]: returned from 
mschap (rlm_mschap) for request 0
Fri Mar 17 08:31:44 2006 : Debug:   modcall[authorize]: module "mschap" 
returns noop for request 0
Fri Mar 17 08:31:44 2006 : Debug:   modsingle[authorize]: calling eap 
(rlm_eap) for request 0
Fri Mar 17 08:31:44 2006 : Debug:   rlm_eap: No EAP-Message, not doing EAP
Fri Mar 17 08:31:44 2006 : Debug:   modsingle[authorize]: returned from 
eap (rlm_eap) for request 0
Fri Mar 17 08:31:44 2006 : Debug:   modcall[authorize]: module "eap" 
returns noop for request 0
Fri Mar 17 08:31:44 2006 : Debug:   modsingle[authorize]: calling files 
(rlm_files) for request 0
Fri Mar 17 08:31:44 2006 : Debug: rlm_ldap: Entering ldap_groupcmp()
Fri Mar 17 08:31:44 2006 : Debug: radius_xlat:  'ou=AAAuse ... '
Fri Mar 17 08:31:44 2006 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Fri Mar 17 08:31:44 2006 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Fri Mar 17 08:31:44 2006 : Debug: rlm_ldap: attempting LDAP reconnection
Fri Mar 17 08:31:44 2006 : Debug: rlm_ldap: (re)connect to 
232.122.3.22:400, authentication 0
Fri Mar 17 08:31:44 2006 : Debug: rlm_ldap: bind as cn=
Fri Mar 17 08:31:44 2006 : Debug: rlm_ldap: waiting for bind result ...
request done: ld 3501a58 msgid 1
Fri Mar 17 08:31:44 2006 : Debug: rlm_ldap: Bind was successful
Fri Mar 17 08:31:44 2006 : Debug: rlm_ldap: performing search in ou=AA 
... request done: ld 3501a58 msgid 2
Fri Mar 17 08:31:44 2006 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Fri Mar 17 08:31:44 2006 : Debug: radius_xlat:  
'(|(&(objectClass=GroupOfNames)(member=...'
Fri Mar 17 08:31:44 2006 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Fri Mar 17 08:31:44 2006 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Fri Mar 17 08:31:44 2006 : Debug: rlm_ldap: performing search in ou=AAA 
... request done: ld 3501a58 msgid 3
Fri Mar 17 08:31:44 2006 : Debug: rlm_ldap: object not found or got 
ambiguous search result
###############################

Now, some more questions:
1.) why is there a reconnect? I thought I connect to the LDAP once, 
retrieve user information and then all comparison is done by the RADIUS?

2.) why is there no mapping from the Userid to the LDAP-Group, but a new 
search for the LDAP attribute:
     Fri Mar 17 08:31:44 2006 : Debug: radius_xlat:  
'(|(&(objectClass=GroupOfNames)(member=...'???

Thanks
 Florian

-- 
Dipl. Inf. Florian Prester
Network Administration
Regionales RechenZentrum Erlangen
Universitaet Erlangen-Nuernberg
Martensstr. 1
91052 Erlangen
Germany

Tel.: +499131 8527813
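
As an added illustration (not the poster's configuration and not FreeRADIUS code), the following Python model shows why the debug output above enters ldap_groupcmp() and runs a group search instead of comparing the attrmap-mapped Userid. The model's assumption is that the attribute name LDAP-Group is reserved for rlm_ldap's registered group compare, so a check item on it always triggers a search of the form shown in the debug output ('(|(&(objectClass=GroupOfNames)(member=...'), while a check item under any other attrmap-mapped name is a plain value compare. The in-memory directory, the hypothetical attribute name LDAP-Userid and the group netadmins are constructed for the example.

```python
"""Constructed model of FreeRADIUS users-file check-item evaluation.

Added illustration, not rlm_ldap's or rlm_files' own code. Assumptions:
ordinary check items are compared against attributes that rlm_ldap copies
into the request according to ldap.attrmap; the name LDAP-Group is reserved
for rlm_ldap's ldap_groupcmp(), which ignores the attrmap and instead looks
for a group entry whose member list contains the user's DN.
"""
import re

# Constructed directory: one user entry and one GroupOfNames group.
DIRECTORY = {
    "uid=test,ou=AAAusers,dc=example,dc=org": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["test"],
        "Userid": ["test"],
    },
    "cn=netadmins,ou=groups,dc=example,dc=org": {
        "objectClass": ["GroupOfNames"],
        "cn": ["netadmins"],
        "member": ["uid=test,ou=AAAusers,dc=example,dc=org"],
    },
}

# ldap.attrmap lines as (kind, radius_attribute, ldap_attribute).
# The first is the mapping from the post; LDAP-Userid is a hypothetical,
# non-reserved RADIUS attribute name used for contrast.
ATTRMAP = [
    ("checkItem", "LDAP-Group", "Userid"),
    ("checkItem", "LDAP-Userid", "Userid"),
]

# Attribute, operator ("==" must be tried before "="), quoted or bare value.
CHECK_ITEM_RE = re.compile(r'([\w-]+)\s*(==|:=|=)\s*("([^"]*)"|[^\s,]+)')


def parse_check_items(line):
    """Turn 'Attr == "v", Attr2 = v2' into a list of (attr, op, value)."""
    items = []
    for m in CHECK_ITEM_RE.finditer(line):
        value = m.group(4) if m.group(4) is not None else m.group(3)
        items.append((m.group(1), m.group(2), value))
    return items


def find_user_dn(username, directory):
    """Model of the user search: the entry whose uid equals User-Name."""
    for dn, entry in directory.items():
        if username in entry.get("uid", []):
            return dn
    return None


def attrmap_check_items(user_dn, directory, attrmap):
    """Model of rlm_ldap filling check items from ldap.attrmap."""
    entry = directory[user_dn]
    mapped = {}
    for kind, radius_attr, ldap_attr in attrmap:
        if kind == "checkItem" and ldap_attr in entry:
            mapped[radius_attr] = entry[ldap_attr][0]
    return mapped


def ldap_groupcmp(user_dn, group_name, directory, trace):
    """Model of the group search: a GroupOfNames entry cn=group_name whose
    member attribute contains the user's DN. The attrmap is not consulted."""
    trace.append("rlm_ldap: Entering ldap_groupcmp()")
    trace.append("radius_xlat: '(|(&(objectClass=GroupOfNames)(member=%s)))'"
                 % user_dn)
    for entry in directory.values():
        if ("GroupOfNames" in entry.get("objectClass", [])
                and group_name in entry.get("cn", [])
                and user_dn in entry.get("member", [])):
            return True
    trace.append("rlm_ldap: object not found or got ambiguous search result")
    return False


def authorize(username, users_line, directory=DIRECTORY, attrmap=ATTRMAP):
    """Evaluate one users-file entry's check items for username.

    Returns (matched, trace); matched is True only when every check item
    passes, which is what selects a users-file entry."""
    trace = []
    user_dn = find_user_dn(username, directory)
    if user_dn is None:
        trace.append("rlm_ldap: user not found")
        return False, trace
    mapped = attrmap_check_items(user_dn, directory, attrmap)
    for attr, op, wanted in parse_check_items(users_line):
        if attr == "LDAP-Group":
            ok = ldap_groupcmp(user_dn, wanted, directory, trace)
        else:
            ok = mapped.get(attr) == wanted
            trace.append("compare %s: attrmap gives %r, wanted %r"
                         % (attr, mapped.get(attr), wanted))
        if not ok:
            return False, trace
    return True, trace


if __name__ == "__main__":
    for line in ('LDAP-Group == "test"', 'LDAP-Userid == "test"',
                 'LDAP-Group == "netadmins"'):
        ok, trace = authorize("test", line)
        print("%-28s -> %s" % (line, "match" if ok else "no match"))
        for t in trace:
            print("    " + t)
```

Running the block shows the post's entry (LDAP-Group == "test") failing with the same "object not found" trace as the debug output, because the value "test" is treated as a group name to search for, not as the mapped Userid; the same value under a non-reserved name (LDAP-Userid) compares against the attrmap-mapped value, and LDAP-Group matches only when the user's DN is a member of a GroupOfNames entry with that cn.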
