rlm_ldap: no dialupAccess attribute - access denied by default

Ivan Kalik tnt at kalik.net
Fri May 30 13:49:50 CEST 2008


Again:

http://wiki.freeradius.org/index.php/Rlm_ldap

The access attribute and its use are explained in there. You can disable it
if you want. Or allow access if it doesn't exist.

Ivan Kalik
Kalik Informatika ISP


On 30/5/2008, "youness hsina" <youness.hsina at gmail.com> writes:

>Hi Lists,
>sorry for my English and thank you very much in advance for your help.
>
>I'm trying to make a test in radius server with a user who is located in
>ldap server with this command:
># radtest yhsina yhsina localhost 0 test
>and I'm getting this message:
>Sending Access-Request of id 36 to 127.0.0.1 port 1812
>        User-Name = "yhsina"
>        User-Password = "yhsina"
>        NAS-IP-Address = 255.255.255.255
>        NAS-Port = 0
>rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=36, length=20
>in debugging mode I have this error:
>rlm_ldap: no dialupAccess attribute - access denied by default
>
>Have you any ideas please why it doesn't work?
>
>here's my debugging message :
>
>radius# radiusd -X -A &
>[1] 4889
>radius# Starting - reading configuration files ...
>reread_config:  reading radiusd.conf
>Config:   including file: /usr/local/etc/raddb/proxy.conf
>Config:   including file: /usr/local/etc/raddb/clients.conf
>Config:   including file: /usr/local/etc/raddb/snmp.conf
>Config:   including file: /usr/local/etc/raddb/eap.conf
>Config:   including file: /usr/local/etc/raddb/sql.conf
> main: prefix = "/usr/local"
> main: localstatedir = "/var"
> main: logdir = "/var/log"
> main: libdir = "/usr/local/lib"
> main: radacctdir = "/var/log/radacct"
> main: hostname_lookups = no
> main: snmp = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 0
> main: allow_core_dumps = no
> main: log_stripped_names = no
> main: log_file = "/var/log/radius.log"
> main: log_auth = no
> main: log_auth_badpass = no
> main: log_auth_goodpass = no
> main: pidfile = "/var/run/radiusd/radiusd.pid"
> main: user = "(null)"
> main: group = "(null)"
> main: usercollide = no
> main: lower_user = "no"
> main: lower_pass = "no"
> main: nospace_user = "no"
> main: nospace_pass = "no"
> main: checkrad = "/usr/local/sbin/checkrad"
> main: proxy_requests = yes
> proxy: retry_delay = 5
> proxy: retry_count = 3
> proxy: synchronous = yes
> proxy: default_fallback = yes
> proxy: dead_time = 120
> proxy: post_proxy_authorize = no
> proxy: wake_all_if_all_dead = no
> security: max_attributes = 200
> security: reject_delay = 1
> security: status_server = no
> main: debug_level = 0
>read_config_files:  reading dictionary
>read_config_files:  reading naslist
>Using deprecated naslist file.  Support for this will go away soon.
>read_config_files:  reading clients
>read_config_files:  reading realms
>radiusd:  entering modules setup
>Module: Library search path is /usr/local/lib
>Module: Loaded exec
> exec: wait = yes
> exec: program = "(null)"
> exec: input_pairs = "request"
> exec: output_pairs = "(null)"
> exec: packet_type = "(null)"
>rlm_exec: Wait=yes but no output defined. Did you mean output=none?
>Module: Instantiated exec (exec)
>Module: Loaded expr
>Module: Instantiated expr (expr)
>Module: Loaded PAP
> pap: encryption_scheme = "crypt"
> pap: auto_header = yes
>Module: Instantiated pap (pap)
>Module: Loaded CHAP
>Module: Instantiated chap (chap)
>Module: Loaded MS-CHAP
> mschap: use_mppe = yes
> mschap: require_encryption = no
> mschap: require_strong = no
> mschap: with_ntdomain_hack = no
> mschap: passwd = "(null)"
> mschap: ntlm_auth = "(null)"
>Module: Instantiated mschap (mschap)
>Module: Loaded System
> unix: cache = no
> unix: passwd = "(null)"
> unix: shadow = "(null)"
> unix: group = "(null)"
> unix: radwtmp = "/var/log/radwtmp"
> unix: usegroup = no
> unix: cache_reload = 600
>Module: Instantiated unix (unix)
>Module: Loaded LDAP
> ldap: server = "192.168.33.33"
> ldap: port = 389
> ldap: net_timeout = 1
> ldap: timeout = 4
> ldap: timelimit = 3
> ldap: identity = "cn=Manager,dc=iut-velizy,dc=uvsq,dc=fr"
> ldap: tls_mode = no
> ldap: start_tls = no
> ldap: tls_cacertfile = "(null)"
> ldap: tls_cacertdir = "(null)"
> ldap: tls_certfile = "(null)"
> ldap: tls_keyfile = "(null)"
> ldap: tls_randfile = "(null)"
> ldap: tls_require_cert = "allow"
> ldap: password = "secret"
> ldap: basedn = "dc=iut-velizy,dc=uvsq,dc=fr"
> ldap: filter = "(uid=%u)"
> ldap: base_filter = "(objectclass=radiusprofile)"
> ldap: default_profile = "(null)"
> ldap: profile_attribute = "(null)"
> ldap: password_header = "(null)"
> ldap: password_attribute = "userPassword"
> ldap: access_attr = "dialupAccess"
> ldap: groupname_attribute = "cn"
> ldap: groupmembership_filter =
>"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
> ldap: groupmembership_attribute = "(null)"
> ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap"
> ldap: ldap_debug = 0
> ldap: ldap_connections_number = 5
> ldap: compare_check_items = no
> ldap: access_attr_used_for_allow = yes
> ldap: do_xlat = yes
> ldap: set_auth_type = yes
>rlm_ldap: Registering ldap_groupcmp for Ldap-Group
>rlm_ldap: Registering ldap_xlat with xlat_name ldap
>rlm_ldap: reading ldap<->radius mappings from file
>/usr/local/etc/raddb/ldap.attrmap
>rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
>rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
>rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
>rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
>rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
>rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
>rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
>rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
>rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
>rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
>rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
>rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
>rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
>rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
>rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
>rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
>rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
>rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
>rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
>rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
>rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
>rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
>rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
>rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
>rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
>rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
>rlm_ldap: LDAP radiusClass mapped to RADIUS Class
>rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
>rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
>rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
>rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
>rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
>rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
>rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
>Framed-AppleTalk-Link
>rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
>Framed-AppleTalk-Network
>rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
>Framed-AppleTalk-Zone
>rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
>rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
>rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
>conns: 0x2840f290
>Module: Instantiated ldap (ldap)
>Module: Loaded eap
> eap: default_eap_type = "tls"
> eap: timer_expire = 60
> eap: ignore_unknown_eap_types = yes
> eap: cisco_accounting_username_bug = no
>rlm_eap: Loaded and initialized type md5
>rlm_eap: Loaded and initialized type leap
> gtc: challenge = "Password: "
> gtc: auth_type = "PAP"
>rlm_eap: Loaded and initialized type gtc
> tls: rsa_key_exchange = no
> tls: dh_key_exchange = yes
> tls: rsa_key_length = 512
> tls: dh_key_length = 512
> tls: verify_depth = 0
> tls: CA_path = "(null)"
> tls: pem_file_type = yes
> tls: private_key_file = "/usr/local/etc/raddb/certs/serveur.pem"
> tls: certificate_file = "/usr/local/etc/raddb/certs/serveur.pem"
> tls: CA_file = "/usr/local/etc/raddb/certs/root.pem"
> tls: private_key_password = "whatever"
> tls: dh_file = "/usr/local/etc/raddb/certs/dh"
> tls: random_file = "/usr/local/etc/raddb/certs/random"
> tls: fragment_size = 1024
> tls: include_length = yes
> tls: check_crl = no
> tls: check_cert_cn = "%{User-Name}"
> tls: cipher_list = "(null)"
> tls: check_cert_issuer = "(null)"
>rlm_eap_tls: Loading the certificate file as a chain
>WARNING: rlm_eap_tls: Unable to set DH parameters.  DH cipher suites may not
>work!
>WARNING: Fix this by running the OpenSSL command listed in eap.conf
>rlm_eap: Loaded and initialized type tls
> mschapv2: with_ntdomain_hack = no
>rlm_eap: Loaded and initialized type mschapv2
>Module: Instantiated eap (eap)
>radiusd.conf Auth-Type eap already configured - skipping
>Module: Loaded preprocess
> preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
> preprocess: hints = "/usr/local/etc/raddb/hints"
> preprocess: with_ascend_hack = no
> preprocess: ascend_channels_per_line = 23
> preprocess: with_ntdomain_hack = no
> preprocess: with_specialix_jetstream_hack = no
> preprocess: with_cisco_vsa_hack = no
> preprocess: with_alvarion_vsa_hack = no
>Module: Instantiated preprocess (preprocess)
>Module: Loaded realm
> realm: format = "suffix"
> realm: delimiter = "@"
> realm: ignore_default = no
> realm: ignore_null = no
>Module: Instantiated realm (suffix)
>Module: Loaded files
> files: usersfile = "/usr/local/etc/raddb/users"
> files: acctusersfile = "/usr/local/etc/raddb/acct_users"
> files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
> files: compat = "no"
>Module: Instantiated files (files)
>Module: Loaded Acct-Unique-Session-Id
> acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
>Client-IP-Address, NAS-Port"
>Module: Instantiated acct_unique (acct_unique)
>Module: Loaded detail
> detail: detailfile = "/var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d"
> detail: detailperm = 384
> detail: dirperm = 493
> detail: locking = no
>Module: Instantiated detail (detail)
>Module: Loaded radutmp
> radutmp: filename = "/var/log/radutmp"
> radutmp: username = "%{User-Name}"
> radutmp: case_sensitive = yes
> radutmp: check_with_nas = yes
> radutmp: perm = 384
> radutmp: callerid = yes
>Module: Instantiated radutmp (radutmp)
>Listening on authentication *:1812
>Listening on accounting *:1813
>Ready to process requests.
>rad_recv: Access-Request packet from host 127.0.0.1:54433, id=36, length=58
>        User-Name = "yhsina"
>        User-Password = "yhsina"
>        NAS-IP-Address = 255.255.255.255
>        NAS-Port = 0
>  Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 0
>  modcall[authorize]: module "preprocess" returns ok for request 0
>  modcall[authorize]: module "chap" returns noop for request 0
>  modcall[authorize]: module "mschap" returns noop for request 0
>    rlm_realm: No '@' in User-Name = "yhsina", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>  modcall[authorize]: module "suffix" returns noop for request 0
>  rlm_eap: No EAP-Message, not doing EAP
>  modcall[authorize]: module "eap" returns noop for request 0
>  modcall[authorize]: module "files" returns notfound for request 0
>rlm_ldap: - authorize
>rlm_ldap: performing user authorization for yhsina
>radius_xlat:  '(uid=yhsina)'
>radius_xlat:  'dc=iut-velizy,dc=uvsq,dc=fr'
>rlm_ldap: ldap_get_conn: Checking Id: 0
>rlm_ldap: ldap_get_conn: Got Id: 0
>rlm_ldap: attempting LDAP reconnection
>rlm_ldap: (re)connect to 192.168.33.33:389, authentication 0
>rlm_ldap: bind as cn=Manager,dc=iut-velizy,dc=uvsq,dc=fr/secret to
>192.168.33.33:389
>rlm_ldap: waiting for bind result ...
>rlm_ldap: Bind was successful
>rlm_ldap: performing search in dc=iut-velizy,dc=uvsq,dc=fr, with filter
>(uid=yhsina)
>rlm_ldap: no dialupAccess attribute - access denied by default
>rlm_ldap: ldap_release_conn: Release Id: 0
>  modcall[authorize]: module "ldap" returns userlock for request 0
>modcall: leaving group authorize (returns userlock) for request 0
>Delaying request 0 for 1 seconds
>Finished request 0
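The following is an added example, not part of this thread and not FreeRADIUS code: a small Python model of the rlm_ldap access attribute decision as documented on the wiki page linked above, applied to a constructed entry for the poster's user. It shows why the debug output ends in `userlock` (which becomes the Access-Reject after the `reject_delay` of 1 second) and what each of the two remedies in the reply, plus adding the attribute to the directory, changes. The names `ldap_access_check`, `three_fixes` and `POSTER_ENTRY` are assumptions made for this illustration; the real module implements the same decision in C.

```python
# Model of the rlm_ldap access_attr decision (the access_attr and
# access_attr_used_for_allow settings shown in the debug output). This is an
# added illustration of the documented behaviour, not FreeRADIUS source code.

USERLOCK = "userlock"   # the rlm_ldap return code seen in the debug output
OK = "ok"


def ldap_access_check(entry, access_attr, access_attr_used_for_allow=True):
    """Decide whether a user entry passes the access attribute check.

    entry: dict of LDAP attribute name -> list of values, i.e. the user entry
           found by the search with filter "(uid=%u)" (constructed here).
    access_attr: the module's access_attr setting, or None when the setting
           is commented out.
    access_attr_used_for_allow: the module setting of the same name.

    Returns (module_return_code, debug_message).
    """
    # access_attr commented out: the module performs no access check at all.
    if access_attr is None:
        return OK, "rlm_ldap: access_attr not set - no access check performed"

    # LDAP attribute names are case-insensitive; look the attribute up that way.
    values = next((v for k, v in entry.items()
                   if k.lower() == access_attr.lower()), None)

    if access_attr_used_for_allow:
        # Presence of the attribute grants access; absence or a value starting
        # with "FALSE" denies it. This is the deny-by-default posture, and the
        # safer one: a user entry must be explicitly marked for RADIUS access.
        if values is None:
            return USERLOCK, (f"rlm_ldap: no {access_attr} attribute"
                              " - access denied by default")
        if values and values[0].startswith("FALSE"):
            return USERLOCK, "rlm_ldap: Access Attribute denies access"
        return OK, f"rlm_ldap: remote access is allowed by {access_attr}"

    # access_attr_used_for_allow = no: the attribute becomes a deny flag, so an
    # entry without it is allowed through ("allow access if it doesn't exist").
    if values is not None:
        return USERLOCK, (f"rlm_ldap: {access_attr} attribute exists"
                          " - access denied by default")
    return OK, f"rlm_ldap: no {access_attr} attribute - access allowed by default"


# Constructed entry for the poster's user: it matches base_filter
# (objectclass=radiusprofile) but carries no dialupAccess attribute, which is
# exactly the situation the debug output reports.
POSTER_ENTRY = {
    "uid": ["yhsina"],
    "objectClass": ["top", "person", "radiusprofile"],
    "userPassword": ["{SSHA}placeholder-hash"],
}


def three_fixes():
    """Outcome of the poster's configuration and of each remedy."""
    before = ldap_access_check(POSTER_ENTRY, "dialupAccess", True)
    # Remedy 1 ("disable it"): comment out access_attr in the ldap module.
    disabled = ldap_access_check(POSTER_ENTRY, None)
    # Remedy 2 ("allow access if it doesn't exist"):
    # access_attr_used_for_allow = no, so a missing attribute means allow.
    allow_missing = ldap_access_check(POSTER_ENTRY, "dialupAccess", False)
    # Remedy 3: keep the deny-by-default setting and add the attribute to the
    # directory entry (dialupAccess: TRUE), which is the least permissive fix.
    with_attr = dict(POSTER_ENTRY, dialupAccess=["TRUE"])
    added = ldap_access_check(with_attr, "dialupAccess", True)
    return {"before": before[0], "disable": disabled[0],
            "allow_missing": allow_missing[0], "add_attr": added[0]}


if __name__ == "__main__":
    code, msg = ldap_access_check(POSTER_ENTRY, "dialupAccess", True)
    print(msg)
    print(f'modcall[authorize]: module "ldap" returns {code}')
    for name, result in three_fixes().items():
        print(f"{name}: {result}")
```

Of the three outcomes, keeping `access_attr_used_for_allow = yes` and adding `dialupAccess` to the entries that should authenticate is the one that leaves every other directory object denied; the two settings changes in the reply open RADIUS to every entry matching the search filter, which is fine only if the directory holds nothing but RADIUS users.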