LDAP check attributes

Antonio Matera antonio.matera at create-net.it
Mon May 22 10:04:04 CEST 2006

Hello, thanks for your answers.

>   It's not in the conf files.  Read the debug output.  It's in LDAP.

Ok, the problem in the log file is this:

 > rlm_ldap: ldap_get_conn: Checking Id: 0
 > rlm_ldap: ldap_get_conn: Got Id: 0
 > rlm_ldap: performing search in dc=create-net,dc=org, with filter 
 > rlm_ldap: Added password vlan3 in check items
 > rlm_ldap: looking for check items in directory...
 > rlm_ldap: Adding radiusCiscoAVPair as Cisco-AVPair, value ssid=VLAN3 & op=21
 > rlm_ldap: looking for reply items in directory...
 > rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value VLAN & op=11
 > rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id, value 3 & op=11
 > rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value IEEE-802 & op=11
 > Invalid operator for item EAP-Type: reverting to '=='
 > rlm_ldap: Pairs do not match. Rejecting user.
 > rlm_ldap: ldap_release_conn: Release Id: 0
 > modcall[authorize]: module "ldap" returns reject for request 5
 > modcall: leaving group authorize (returns reject) for request 5
 > Invalid user (rlm_ldap: Pairs do not match): [vlan3/<no User-Password attribute>] (from client cn-radius port 276 cli 000c.f135.f1ba)
 >  PEAP: Tunneled authentication was rejected.
 >  rlm_eap_peap: FAILURE

But in ldap.attrmap I only added the following to the original file:

checkItem    Cisco-AVPair    radiusCiscoAVPair


replyItem    Tunnel-Medium-Type    radiusTunnelMediumType
replyItem    Tunnel-Private-Group-Id    radiusTunnelPrivateGroupId
replyItem    Tunnel-Type        radiusTunnelType

My user in the LDAP directory has the following attributes:

# vlan3, people, create-net.org
dn: sn=vlan3,ou=people,dc=create-net,dc=org
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: radiusprofile
radiusTunnelPrivateGroupId: 3
radiusCiscoAVPair: ssid=VLAN3
sn: vlan3
uid: vlan3
radiusTunnelMediumType: IEEE-802
radiusTunnelType: VLAN
cn: vlan3
userPassword:: dmxhbjM=

I don't have an EAP-Type entry and I don't understand where FreeRADIUS finds this attribute...

Bye Antonio
