Configuring LDAP for query ONLY...

Eric Martell workoutexcite at yahoo.com
Fri Jan 4 15:59:58 CET 2008


Hi Alan,
  I am trying to do an LDAP query lookup in the authorize
section and, after successful authorization (i.e. if an LDAP
entry exists for the search query), reply with
Access-Accept; if not, reject.

I do not want to do authentication in LDAP, as we are
not storing the "userPassword" attribute in the LDAP schema.

So in a way I am trying to do:

if(ldap search success) {
  Access-Accept
} else {
  Access-Reject
}

Please check the thread below for what Phil told me to
do...



Hi Phil,
   Here are the detailed configs and logs. Please let me
know.
Thanks and Regards.

modules {
        ldap {

                server = "ldap://xxxxxxxxx:1389"
                identity = "uid=appuser,ou=appadm,o=entitlement"
                password = ******
                basedn = "ou=roles,o=entitlement"

                dictionary_mapping = ${raddbdir}/ldap.attrmap
                filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(entitlements=WIFILOC1)(attribute1=%{User-Password}))"

                start_tls = no
                ldap_connections_number = 5

                timeout = 4
                timelimit = 3
                net_timeout = 1

                set_auth_type = no
        }
}

authorize {
..
ldap
pap
}

authenticate {
        Auth-Type PAP {
                pap
        }

.....
}

In the users file:
#DEFAULT  Auth-Type := Local
         #Session-Timeout = 7200,
         #Fall-Through = Yes

#DEFAULT  Auth-Type := System
         #Session-Timeout = 7200,
         #Fall-Through = Yes



Here is the detailed log.



rad_recv: Access-Request packet from host
216.2.193.1:55729, id=2, length=48
        User-Name = "test1"
        User-Password = "11111"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok
for request 0
  modcall[authorize]: module "chap" returns noop for
request 0
  modcall[authorize]: module "mschap" returns noop for
request 0
    rlm_realm: No '@' in User-Name = "test1", looking
up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for
request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test1
radius_xlat: 
'(&(uid=test1)(entitlements=WIFILOC1)(attribute1=11111))'
radius_xlat:  'ou=roles,o=entitlement'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap://xxxx:1389,
authentication 0
rlm_ldap: bind as
uid=appuser,ou=appadm,o=entitlement/xxxx to
ldap://xxxxxxx:1389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=roles,o=entitlement,
with filter
(&(uid=test1)(entitlements=WIFILOC1)(attribute1=11111))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user test1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for
request 0
rlm_pap: WARNING! No "known good" password found for
the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for
request 0
modcall: leaving group authorize (returns ok) for
request 0
auth: No authenticate method (Auth-Type) configuration
found for the request: Rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 2 to 216.2.193.1 port
55729
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 2 with timestamp 4761660e
Nothing to do.  Sleeping until we see a request.






--- Phil Mayers <p.mayers at imperial.ac.uk> wrote:

> > 
> > rlm_ldap: user test1 authorized to use remote
> access
> > rlm_ldap: ldap_release_conn: Release Id: 0
> >   modcall[authorize]: module "ldap" returns ok for
> > request 0
> > rlm_pap: WARNING! No "known good" password found
> for
> > the user.  Authentication may fail because of
> this.
> 
> That's the problem.
> 
> Your LDAP module should be copying the LDAP
> attribute containing the 
> password to the relevant check item.
> 
> Slightly confusing, there are two ways to do this:
> 
>   1. ldap.attrmap
>   2. password_attribute & password_header config
> items of ldap module
> 
> What are those setup to do?
> 
> A full "-X" debug would help at this point.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 

>>
Assuming you are using a recent version of FreeRadius,
you can do one of 
the following:

modules {
   ldap {
     ...
     set_auth_type = no
   }
}

authorize {
   preprocess
   ldap
   pap
}

authenticate {
   Auth-Type PAP {
     pap
   }
}

>>


--- Alan DeKok <aland at deployingradius.com> wrote:

> Eric Martell wrote:
> > Hi Alan,
> >    Can you please help me out with the LDAP query?
> I
> > am still stuck with the issue.
> 
>   What problem is left to solve?
> 
>   i.e. I read and answer a *lot* of email.  I don't
> recall much past
> what's on my screen right now...
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 
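
One way to get the accept-if-the-entry-exists behaviour the post asks for, as an added example that is not from this thread: it assumes FreeRADIUS 2.x "unlang" syntax and a placeholder LDAP host, drops `(attribute1=%{User-Password})` from the filter (with it, the cleartext password is sent to LDAP in every search and printed in the `-X` debug output, as the log above shows), and sets `Auth-Type := Accept` only when the search actually found an entry.

```conf
# Added example (assumes FreeRADIUS 2.x unlang syntax); not the thread's config.
modules {
        ldap {
                # placeholder host and service-account password
                server = "ldap://ldap.example.com:1389"
                identity = "uid=appuser,ou=appadm,o=entitlement"
                password = "SERVICE-ACCOUNT-PASSWORD"
                basedn = "ou=roles,o=entitlement"

                # Existence check only: no User-Password in the filter, so the
                # cleartext password is neither sent to LDAP nor logged by -X.
                filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(entitlements=WIFILOC1))"

                set_auth_type = no
                ldap_connections_number = 5
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }
}

authorize {
        preprocess
        ldap
        # "ok" is the return code of the previous module (ldap found an entry)
        if (ok) {
                update control {
                        Auth-Type := Accept
                }
        }
        else {
                # notfound or fail: reject explicitly instead of falling
                # through to "No authenticate method (Auth-Type) ... Rejecting"
                reject
        }
}

authenticate {
        # Auth-Type Accept is handled by the server core; no module is called.
}
```

Because the search result alone decides the outcome, anyone who knows a uid with the WIFILOC1 entitlement gets access; that is exactly what the post asks for, but it is worth stating in the RADIUS client's policy.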


