Upgrade error for LDAP in Freeradius2.0
as3ad jamous
asaad-j at hotmail.com
Sat Jan 26 18:28:08 CET 2008
thanks
note : i am not use ldap , only database (postgres) for auth and accountingis that affect?
To: freeradius-users at lists.freeradius.orgFrom: huaraz at moeller.plus.comSubject: Re: Upgrade error for LDAP in Freeradius2.0Date: Sat, 26 Jan 2008 16:51:10 +0000
I came across the same problem and my debugging shows the following:
1) ldap_groupcmp calls radius_xlat to replace Ldap_UserDn with the value.
2) radius_xlat calls decode_attribute
3) decode_attribute calls xlat_packet with instance 1 and returns 0 (=nothing found)
if ((c = xlat_find(xlat_name)) != NULL) { if (!c->internal) DEBUG3("radius_xlat: Running registered xlat function of module %s for string \'%s\'", c->module, xlat_string); retlen = c->do_xlat(c->instance, request, xlat_string, q, freespace, func); /* If retlen is 0, treat it as not found */ if (retlen > 0) found = 1; }
If I look into xlat_packet there is a switch statement for instance and 1 means select request->packet->vps, but if I look into rlm_ldap.c the vps are in request->config_items (e.g instance= 0). If I change instance to 0 in the debugger the expansion seems to work. Unfortunatly I don't know where this is set and what it means
switch (*(int*) instance) { case 0: vps = request->config_items; break;
case 1: vps = request->packet->vps; packet = request->packet; break;
Markus
"Gopinath Reddy N" <gnreddy at gmail.com> wrote in message news:c71dd3900801260505u49df7fe7g69bdb32823c155b8 at mail.gmail.com...
Hi,
We have upgraded our freeradius1.6 to 2.0
We are using active directory for LDAP server.
We have not changed any data in AD. But when we upgrade and try to connect using valid user id..user is getting rejected.
Please let me know if there any issues I need to take before ugprading to 2.0
Iam using same bind DN and other strings in 2.0.
rlm_ldap: ldap_get_conn: Checking Id: 0rlm_ldap: ldap_get_conn: Got Id: 0rlm_ldap: attempting LDAP reconnectionrlm_ldap: (re)connect to 157.235.205.31:389, authentication 0rlm_ldap: bind as cn=Administrator,cn=Users,dc=Crossfire,dc=symbol,dc=com/windows2003 to 157.235.205.31:389rlm_ldap: waiting for bind result ...rlm_ldap: Bind was successfulrlm_ldap: performing search in cn=Users,dc=Crossfire,dc=symbol,dc=com, with filter (sAMAccountName=satish)rlm_ldap: ldap_release_conn: Release Id: 0 expand: (|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=group)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))rlm_ldap: ldap_get_conn: Checking Id: 0rlm_ldap: ldap_get_conn: Got Id: 0
*******************************************************rlm_ldap: performing search in cn=Users,dc=Crossfire,dc=symbol,dc=com, with filter (&(cn=sales)(|(&(objectClass=group)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
rlm_ldap: object not found or got ambiguous search result
*******************************************************************************rlm_ldap: ldap_release_conn: Release Id: 0rlm_ldap: ldap_get_conn: Checking Id: 0rlm_ldap: ldap_get_conn: Got Id: 0rlm_ldap: performing search in CN=satish,CN=Users,DC=Crossfire,DC=symbol,DC=com, with filter (objectclass=*)rlm_ldap::ldap_groupcmp: ldap_get_values() failedrlm_ldap: ldap_release_conn: Release Id: 0rlm_ldap: Entering ldap_groupcmp() expand: cn=Users,dc=Crossfire,dc=symbol,dc=com -> cn=Users,dc=Crossfire,dc=symbol,dc=com expand: (|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=group)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))rlm_ldap: ldap_get_conn: Checking Id: 0rlm_ldap: ldap_get_conn: Got Id: 0rlm_ldap: performing search in cn=Users,dc=Crossfire,dc=symbol,dc=com, with filter (&(cn=sales)(|(&(objectClass=group)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))rlm_ldap: object not found or got ambiguous search resultrlm_ldap: ldap_release_conn: Release Id: 0rlm_ldap: ldap_get_conn: Checking Id: 0rlm_ldap: ldap_get_conn: Got Id: 0rlm_ldap: performing search in CN=satish,CN=Users,DC=Crossfire,DC=symbol,DC=com, with filter (objectclass=*)rlm_ldap::ldap_groupcmp: ldap_get_values() failedrlm_ldap: ldap_release_conn: Release Id: 0 users: Matched entry DEFAULT at line 26++[files] returns ok++- entering policy redundantrlm_ldap: - authorizerlm_ldap: performing user authorization for satish expand: (sAMAccountName=%{User-Name}) -> (sAMAccountName=satish) expand: cn=Users,dc=Crossfire,dc=symbol,dc=com -> cn=Users,dc=Crossfire,dc=symbol,dc=comrlm_ldap: ldap_get_conn: Checking Id: 0rlm_ldap: ldap_get_conn: Got Id: 0rlm_ldap: performing search in cn=Users,dc=Crossfire,dc=symbol,dc=com, with filter (sAMAccountName=satish)rlm_ldap: looking for check items in directory...rlm_ldap: looking for reply items in directory...
******************************WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
***************************************rlm_ldap: user satish authorized to use remote accessrlm_ldap: ldap_release_conn: Release Id: 0+++[ldap_secondary] returns ok++- policy redundant returns ok rlm_eap: EAP packet type response id 1 length 11 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation++[eap] returns updatedrlm_pap: Found existing Auth-Type, not changing it.++[pap] returns noop rad_check_password: Found Auth-Type Reject rad_check_password: Auth-Type = Reject, rejecting userauth: Failed to validate the user.Login incorrect: [satish/<via Auth-Type = Reject>] (from client private-network-1 port 1 cli 00-16-CF-50-6C-8C)
Thanks
gnr
-List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________
Shed those extra pounds with MSN and The Biggest Loser!
http://biggestloser.msn.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080126/216b8f5d/attachment.html>
More information about the Freeradius-Users
mailing list