Configuring LDAP for query ONLY...
Eric Martell
workoutexcite at yahoo.com
Fri Jan 4 16:54:09 CET 2008
Hi Ivan,
Actually, in the implementation we are going to treat
the zipcode on the website as a password field. We are
asking people to enter a username and zipcode, which is
stored in the LDAP schema.
In RADIUS, I am going to receive the username
(User-Name) and zipcode (User-Password). In the ldap
module, do the query with
filter =
"(&(uid=%{Stripped-User-Name:-%{User-Name}})(entitlements=WIFILOC1)(zipcode=%{User-Password}))"
and, depending on the result set, give access or reject.
Please let me know if this is clear, and whether there is
any other better way to handle this in radius.
Thanks and Regards.
Eric.
--- tnt at kalik.co.yu wrote:
> OK, so password is not in LDAP. Where is it then?
> Are you trying to
> accept users without passwords? Consider using a
> perl script to
> implement that logic and forget about LDAP module in
> Freeradius.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 4/1/2008, "Eric Martell"
> <workoutexcite at yahoo.com> writes:
>
> >Hi Alan,
> > I am trying to do ldap query lookup in the
> authorize
> >section and after successful authorization ( if
> ldap
> >entry exists on search query) ....reply with
> >Access-Accept if not reject.
> >
> >I do not want to do authentication in LDAP as we
> are
> >not storing "userPassword" attribute in ldap
> schema.
> >
> >So in a way trying to do..
> >
> >if(ldap search success) {
> > Access-Accept
> >} else {
> > Access-Reject
> >}
> >
> >Please check the thread below what Phil told me to
> >do...
> >
> >
> >
> >Hi Phil,
> > Here is the detail configs and logs. Please let
> me
> >know.
> >Thanks and Regards.
> >
> >modules {
> > ldap {
> >
> > server = "ldap://xxxxxxxxx:1389"
> > identity =
> >"uid=appuser,ou=appadm,o=entitlement"
> > password = ******
> > basedn = "ou=roles,o=entitlement"
> >
> > dictionary_mapping =
> >${raddbdir}/ldap.attrmap
> > filter =
>
>"(&(uid=%{Stripped-User-Name:-%{User-Name}})(entitlements=WIFILOC1)(attribute1=%{User-Password}))"
> >
> > start_tls = no
> > ldap_connections_number = 5
> >
> > timeout = 4
> > timelimit = 3
> > net_timeout = 1
> >
> > set_auth_type = no
> > }
> >}
> >
> >authorize {
> >...
> >ldap
> >pap
> >}
> >
> >authenticate {
> > Auth-Type PAP {
> > pap
> > }
> >
> >......
> >}
> >
> >In the users files
> >#DEFAULT Auth-Type := Local
> > #Session-Timeout = 7200,
> > #Fall-Through = Yes
> >
> >#DEFAULT Auth-Type := System
> > #Session-Timeout = 7200,
> > #Fall-Through = Yes
> >
> >
> >
> >Here is the detail log.
> >
> >
> >
> >rad_recv: Access-Request packet from host
> >216.2.193.1:55729, id=2, length=48
> > User-Name = "test1"
> > User-Password = "11111"
> > Processing the authorize section of radiusd.conf
> >modcall: entering group authorize for request 0
> > modcall[authorize]: module "preprocess" returns
> ok
> >for request 0
> > modcall[authorize]: module "chap" returns noop
> for
> >request 0
> > modcall[authorize]: module "mschap" returns noop
> for
> >request 0
> > rlm_realm: No '@' in User-Name = "test1",
> looking
> >up realm NULL
> > rlm_realm: No such realm "NULL"
> > modcall[authorize]: module "suffix" returns noop
> for
> >request 0
> >rlm_ldap: - authorize
> >rlm_ldap: performing user authorization for test1
> >radius_xlat:
>
>'(&(uid=test1)(entitlements=WIFILOC1)(attribute1=11111))'
> >radius_xlat: 'ou=roles,o=entitlement'
> >rlm_ldap: ldap_get_conn: Checking Id: 0
> >rlm_ldap: ldap_get_conn: Got Id: 0
> >rlm_ldap: attempting LDAP reconnection
> >rlm_ldap: (re)connect to ldap://xxxx:1389,
> >authentication 0
> >rlm_ldap: bind as
> >uid=appuser,ou=appadm,o=entitlement/xxxx to
> >ldap://xxxxxxx:1389
> >rlm_ldap: waiting for bind result ...
> >rlm_ldap: Bind was successful
> >rlm_ldap: performing search in
> ou=roles,o=entitlement,
> >with filter
>
>(&(uid=test1)(entitlements=WIFILOC1)(attribute1=11111))
> >rlm_ldap: looking for check items in directory...
> >rlm_ldap: looking for reply items in directory...
> >rlm_ldap: user test1 authorized to use remote
> access
> >rlm_ldap: ldap_release_conn: Release Id: 0
> > modcall[authorize]: module "ldap" returns ok for
> >request 0
> >rlm_pap: WARNING! No "known good" password found
> for
> >the user. Authentication may fail because of this.
> > modcall[authorize]: module "pap" returns noop for
> >request 0
> >modcall: leaving group authorize (returns ok) for
> >request 0
> >auth: No authenticate method (Auth-Type)
> configuration
> >found for the request: Rejecting the user
> >auth: Failed to validate the user.
> >Delaying request 0 for 1 seconds
> >Finished request 0
> >Going to the next request
> >--- Walking the entire request list ---
> >Waking up in 1 seconds...
> >--- Walking the entire request list ---
> >Sending Access-Reject of id 2 to 216.2.193.1 port
> >55729
> >Waking up in 4 seconds...
> >--- Walking the entire request list ---
> >Cleaning up request 0 ID 2 with timestamp 4761660e
> >Nothing to do. Sleeping until we see a request.
> >
> >
> >
> >
> >
> >
> >--- Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> >
> >> >
> >> > rlm_ldap: user test1 authorized to use remote
> >> access
> >> > rlm_ldap: ldap_release_conn: Release Id: 0
> >> > modcall[authorize]: module "ldap" returns ok
> for
> >> > request 0
> >> > rlm_pap: WARNING! No "known good" password
> found
> >> for
> >> > the user. Authentication may fail because of
> >> this.
> >>
> >> That's the problem.
> >>
> >> Your LDAP module should be copying the LDAP
> >> attribute containing the
> >> password to the relevant check item.
> >>
> >> Slightly confusing, there are two ways to do
> this:
> >>
>
=== message truncated ===
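As an added example (not code from the thread or from FreeRADIUS itself), here is a small Python model of the authorize/authenticate flow seen in the log above: when the LDAP search merely returns "ok", rlm_pap has no known-good password, no Auth-Type is set, and the request is rejected, whereas copying the directory attribute into a check item (Phil's suggestion) lets pap compare it. The directory contents and the `zipcode` check-item mapping are constructed assumptions, not the poster's actual data or attrmap.

```python
import hmac

# Constructed directory entries under ou=roles,o=entitlement (not real data).
DIRECTORY = [
    {"uid": "test1", "entitlements": ["WIFILOC1"], "zipcode": "11111"},
    {"uid": "test2", "entitlements": ["OTHER"], "zipcode": "22222"},
]

def ldap_search(username, required_entitlement="WIFILOC1"):
    """Model the (&(uid=...)(entitlements=WIFILOC1)) search; return entry or None."""
    for entry in DIRECTORY:
        if entry["uid"] == username and required_entitlement in entry["entitlements"]:
            return entry
    return None

def authorize(request, check_item_attr=None):
    """Run the 'ldap' and 'pap' authorize modules over the request.

    check_item_attr models a hypothetical ldap.attrmap line such as
    'checkItem  User-Password  zipcode': the named directory attribute is
    copied into the check items so that rlm_pap has a known-good password.
    """
    check_items, log = {}, []
    entry = ldap_search(request["User-Name"])
    if entry is None:
        log.append("rlm_ldap: search returned no entry")
        return check_items, log
    log.append("rlm_ldap: user %s authorized to use remote access" % request["User-Name"])
    if check_item_attr and check_item_attr in entry:
        check_items["User-Password"] = entry[check_item_attr]
    # rlm_pap only selects Auth-Type PAP when a known-good password exists.
    if "User-Password" in check_items:
        check_items["Auth-Type"] = "PAP"
    else:
        log.append('rlm_pap: WARNING! No "known good" password found for the user.')
    return check_items, log

def process(request, check_item_attr=None):
    """Authorize, then authenticate only if an Auth-Type was chosen."""
    check_items, log = authorize(request, check_item_attr)
    if "Auth-Type" not in check_items:
        log.append("auth: No authenticate method (Auth-Type) configuration found "
                   "for the request: Rejecting the user")
        return "Access-Reject", log
    # Auth-Type PAP: constant-time compare of the supplied and known-good passwords.
    ok = hmac.compare_digest(check_items["User-Password"].encode(),
                             request["User-Password"].encode())
    return ("Access-Accept" if ok else "Access-Reject"), log
```

Running `process({"User-Name": "test1", "User-Password": "11111"})` without a mapping reproduces the rejection in the log; passing `"zipcode"` as the check-item attribute gives Access-Accept for the matching zipcode and Access-Reject otherwise.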