Configuring LDAP for query ONLY...
tnt at kalik.co.yu
Fri Jan 4 16:29:22 CET 2008
OK, so the password is not in LDAP. Where is it then? Are you trying to
accept users without passwords? Consider using a perl script to
implement that logic and forget about the LDAP module in FreeRADIUS.
Ivan Kalik
Kalik Informatika ISP
On 4/1/2008, "Eric Martell" <workoutexcite at yahoo.com> writes:
>Hi Alan,
> I am trying to do an LDAP query lookup in the authorize
>section and, after successful authorization (if an LDAP
>entry exists for the search query), reply with
>Access-Accept; if not, reject.
>
>I do not want to do authentication in LDAP as we are
>not storing the "userPassword" attribute in the LDAP schema.
>
>So, in a way, I am trying to do:
>
>if(ldap search success) {
> Access-Accept
>} else {
> Access-Reject
>}
>
>Please check the thread below for what Phil told me to
>do...
>
>Hi Phil,
> Here are the detailed configs and logs. Please let me
>know.
>Thanks and Regards.
>
>modules {
>  ldap {
>    server = "ldap://xxxxxxxxx:1389"
>    identity = "uid=appuser,ou=appadm,o=entitlement"
>    password = ******
>    basedn = "ou=roles,o=entitlement"
>
>    dictionary_mapping = ${raddbdir}/ldap.attrmap
>    filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(entitlements=WIFILOC1)(attribute1=%{User-Password}))"
>
>    start_tls = no
>    ldap_connections_number = 5
>
>    timeout = 4
>    timelimit = 3
>    net_timeout = 1
>
>    set_auth_type = no
>  }
>}
>
>authorize {
>  ...
>  ldap
>  pap
>}
>
>authenticate {
>  Auth-Type PAP {
>    pap
>  }
>
>  ......
>}
>
>In the users file:
>#DEFAULT Auth-Type := Local
> #Session-Timeout = 7200,
> #Fall-Through = Yes
>
>#DEFAULT Auth-Type := System
> #Session-Timeout = 7200,
> #Fall-Through = Yes
>
>Here is the detailed log.
>
>rad_recv: Access-Request packet from host
>216.2.193.1:55729, id=2, length=48
> User-Name = "test1"
> User-Password = "11111"
> Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok
>for request 0
> modcall[authorize]: module "chap" returns noop for
>request 0
> modcall[authorize]: module "mschap" returns noop for
>request 0
> rlm_realm: No '@' in User-Name = "test1", looking
>up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for
>request 0
>rlm_ldap: - authorize
>rlm_ldap: performing user authorization for test1
>radius_xlat:
>'(&(uid=test1)(entitlements=WIFILOC1)(attribute1=11111))'
>radius_xlat: 'ou=roles,o=entitlement'
>rlm_ldap: ldap_get_conn: Checking Id: 0
>rlm_ldap: ldap_get_conn: Got Id: 0
>rlm_ldap: attempting LDAP reconnection
>rlm_ldap: (re)connect to ldap://xxxx:1389,
>authentication 0
>rlm_ldap: bind as
>uid=appuser,ou=appadm,o=entitlement/xxxx to
>ldap://xxxxxxx:1389
>rlm_ldap: waiting for bind result ...
>rlm_ldap: Bind was successful
>rlm_ldap: performing search in ou=roles,o=entitlement,
>with filter
>(&(uid=test1)(entitlements=WIFILOC1)(attribute1=11111))
>rlm_ldap: looking for check items in directory...
>rlm_ldap: looking for reply items in directory...
>rlm_ldap: user test1 authorized to use remote access
>rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for
>request 0
>rlm_pap: WARNING! No "known good" password found for
>the user. Authentication may fail because of this.
> modcall[authorize]: module "pap" returns noop for
>request 0
>modcall: leaving group authorize (returns ok) for
>request 0
>auth: No authenticate method (Auth-Type) configuration
>found for the request: Rejecting the user
>auth: Failed to validate the user.
>Delaying request 0 for 1 seconds
>Finished request 0
>Going to the next request
>--- Walking the entire request list ---
>Waking up in 1 seconds...
>--- Walking the entire request list ---
>Sending Access-Reject of id 2 to 216.2.193.1 port
>55729
>Waking up in 4 seconds...
>--- Walking the entire request list ---
>Cleaning up request 0 ID 2 with timestamp 4761660e
>Nothing to do. Sleeping until we see a request.
>
>--- Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>
>> >
>> > rlm_ldap: user test1 authorized to use remote
>> access
>> > rlm_ldap: ldap_release_conn: Release Id: 0
>> > modcall[authorize]: module "ldap" returns ok for
>> > request 0
>> > rlm_pap: WARNING! No "known good" password found
>> for
>> > the user. Authentication may fail because of
>> this.
>>
>> That's the problem.
>>
>> Your LDAP module should be copying the LDAP
>> attribute containing the
>> password to the relevant check item.
>>
>> Slightly confusing, there are two ways to do this:
>>
>> 1. ldap.attrmap
>> 2. password_attribute & password_header config
>> items of ldap module
>>
>> What are those setup to do?
>>
>> A full "-X" debug would help at this point.
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>>>
>Assuming you are using a recent version of FreeRADIUS, you can do one of the following:
>
>modules {
> ldap {
> ...
> set_auth_type = no
> }
>}
>
>authorize {
> preprocess
> ldap
> pap
>}
>
>authenticate {
> Auth-Type PAP {
> pap
> }
>}
>
>>>
>
>
>--- Alan DeKok <aland at deployingradius.com> wrote:
>
>> Eric Martell wrote:
>> > Hi Alan,
>> > Can you please help me out with the LDAP query?
>> I
>> > am still stuck with the issue.
>>
>> What problem is left to solve?
>>
>> i.e. I read and answer a *lot* of email. I don't
>> recall much past
>> what's on my screen right now...
>>
>> Alan DeKok.
>>
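To make the two positions in this thread concrete (Phil's: copy the directory password into the known-good check item so pap can set Auth-Type; Ivan's: if there is no password at all, a script that accepts on a successful search), the following is an added example written for this page, not code from the thread or from FreeRADIUS. It models the `authorize { ldap; pap }` flow and the server's Auth-Type check in plain Python against a constructed in-memory directory; the entry for `test1` has the entitlement but no `userPassword`, exactly the state shown in the debug log. The filter is built in the same shape as Eric's (minus the password clause), and the script escapes the interpolated User-Name itself per RFC 4515, so a value such as `*` or `)` supplied in a request cannot change the structure of the search. `accept_on_match` stands in for the script module Ivan suggests; `DIRECTORY`, `authorize`, `search` and the `Accept` shortcut are assumptions of this example.

```python
"""Model of the FreeRADIUS 1.x authorize flow discussed in the thread.

Added example, not FreeRADIUS code. A dict plays the LDAP directory and a
tiny evaluator plays the search, so the "ok but no Auth-Type" rejection in
the log, the password-as-check-item fix and the accept-on-match script can
be compared side by side.
"""
import hmac
import re

# Constructed directory: DN -> attributes. test1 has the entitlement but no
# userPassword (the situation in the log); test2 carries a password.
DIRECTORY = {
    "uid=test1,ou=roles,o=entitlement": {"uid": ["test1"], "entitlements": ["WIFILOC1"]},
    "uid=test2,ou=roles,o=entitlement": {"uid": ["test2"], "entitlements": ["WIFILOC1"],
                                         "userPassword": ["s3cret"]},
}


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping: '*', '(', ')', backslash and NUL become \\XX so a
    request-supplied value can never alter the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def ldap_filter_unescape(value: str) -> str:
    """Inverse of ldap_filter_escape, used by the toy evaluator."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_filter(user_name: str, entitlement: str = "WIFILOC1") -> str:
    """Same shape as the thread's filter, without the password clause."""
    return "(&(uid=%s)(entitlements=%s))" % (ldap_filter_escape(user_name),
                                            ldap_filter_escape(entitlement))


# One (attr=value) pair whose value contains no bare parentheses or backslashes.
_PAIR = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)")


def search(directory: dict, filt: str) -> list:
    """Toy evaluator for (&(attr=value)...) equality-only AND filters.
    Returns the DNs of all matching entries; raises on a malformed filter."""
    if not (filt.startswith("(&") and filt.endswith(")")):
        raise ValueError("unsupported filter: " + filt)
    inner = filt[2:-1]
    pairs = _PAIR.findall(inner)
    if "".join("(%s=%s)" % p for p in pairs) != inner:
        raise ValueError("malformed filter: " + filt)
    return [dn for dn, attrs in directory.items()
            if all(ldap_filter_unescape(v) in attrs.get(a, []) for a, v in pairs)]


def authorize(request: dict, directory: dict = DIRECTORY, accept_on_match: bool = False):
    """Return (decision, log). Models authorize { ldap; pap } followed by the
    server's Auth-Type check. accept_on_match models a script module that sets
    Auth-Type := Accept whenever the search returned an entry (assumption)."""
    log, control, check = [], {}, {}
    filt = build_filter(request["User-Name"])
    log.append("rlm_ldap: performing search with filter " + filt)
    matches = search(directory, filt)
    if not matches:
        log.append("rlm_ldap: object not found")
        return "Access-Reject", log
    attrs = directory[matches[0]]
    # What ldap.attrmap / password_attribute achieve: the directory password
    # becomes the "known good" check item.
    if "userPassword" in attrs:
        check["User-Password"] = attrs["userPassword"][0]
    # pap sets Auth-Type only when it has a known-good password to compare.
    if "User-Password" in check:
        control["Auth-Type"] = "PAP"
    else:
        log.append('rlm_pap: WARNING! No "known good" password found for the user.')
        if accept_on_match:
            control["Auth-Type"] = "Accept"
    if "Auth-Type" not in control:
        log.append("auth: No authenticate method (Auth-Type) configuration found: Rejecting the user")
        return "Access-Reject", log
    if control["Auth-Type"] == "PAP":
        ok = hmac.compare_digest(check["User-Password"].encode(),
                                 request.get("User-Password", "").encode())
        return ("Access-Accept" if ok else "Access-Reject"), log
    return "Access-Accept", log


if __name__ == "__main__":
    for name, pw, flag in (("test1", "11111", False), ("test1", "11111", True),
                           ("test2", "s3cret", False), ("*", "x", True)):
        decision, log = authorize({"User-Name": name, "User-Password": pw}, accept_on_match=flag)
        print("%s accept_on_match=%s -> %s" % (name, flag, decision))
        for line in log:
            print("    " + line)
```

The first run reproduces the log in the thread: ldap returns ok, pap has nothing to check, no Auth-Type is set, the request is rejected. The second shows the accept-on-match script, where a matching uid alone is enough for Access-Accept, which is the "accept users without passwords" behaviour Ivan asks about. The last run shows why the escaping matters: a User-Name of `*` searches for a literal asterisk and matches nothing, rather than matching every entry with the entitlement.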
More information about the Freeradius-Users
mailing list