rlm_ldap: no dialupAccess attribute - access denied by default
youness hsina
youness.hsina at gmail.com
Fri May 30 13:55:49 CEST 2008
I disabled the line access_attr = "dialupAccess" in the radiusd.conf file.
It works correctly, thank you ;-)
2008/5/30 Ivan Kalik <tnt at kalik.net>:
> Again:
>
> http://wiki.freeradius.org/index.php/Rlm_ldap
>
> The access attribute and its use are explained in there. You can disable it
> if you want. Or allow access if it doesn't exist.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 30/5/2008, "youness hsina" <youness.hsina at gmail.com> writes:
>
> >Hi Lists,
> >sorry for my English and thank you very much in advance for your help.
> >
> >I'm trying to make a test in the radius server with a user who is located in
> >the ldap server with this command:
> ># radtest yhsina yhsina localhost 0 test
> >and I'm getting this message:
> >Sending Access-Request of id 36 to 127.0.0.1 port 1812
> > User-Name = "yhsina"
> > User-Password = "yhsina"
> > NAS-IP-Address = 255.255.255.255
> > NAS-Port = 0
> >rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=36, length=20
> >in debugging mode I have this error:
> >rlm_ldap: no dialupAccess attribute - access denied by default
> >
> >Have you any ideas please why it doesn't work?
> >
> >here's my debugging message:
> >
> >radius# radiusd -X -A &
> >[1] 4889
> >radius# Starting - reading configuration files ...
> >reread_config: reading radiusd.conf
> >Config: including file: /usr/local/etc/raddb/proxy.conf
> >Config: including file: /usr/local/etc/raddb/clients.conf
> >Config: including file: /usr/local/etc/raddb/snmp.conf
> >Config: including file: /usr/local/etc/raddb/eap.conf
> >Config: including file: /usr/local/etc/raddb/sql.conf
> > main: prefix = "/usr/local"
> > main: localstatedir = "/var"
> > main: logdir = "/var/log"
> > main: libdir = "/usr/local/lib"
> > main: radacctdir = "/var/log/radacct"
> > main: hostname_lookups = no
> > main: snmp = no
> > main: max_request_time = 30
> > main: cleanup_delay = 5
> > main: max_requests = 1024
> > main: delete_blocked_requests = 0
> > main: port = 0
> > main: allow_core_dumps = no
> > main: log_stripped_names = no
> > main: log_file = "/var/log/radius.log"
> > main: log_auth = no
> > main: log_auth_badpass = no
> > main: log_auth_goodpass = no
> > main: pidfile = "/var/run/radiusd/radiusd.pid"
> > main: user = "(null)"
> > main: group = "(null)"
> > main: usercollide = no
> > main: lower_user = "no"
> > main: lower_pass = "no"
> > main: nospace_user = "no"
> > main: nospace_pass = "no"
> > main: checkrad = "/usr/local/sbin/checkrad"
> > main: proxy_requests = yes
> > proxy: retry_delay = 5
> > proxy: retry_count = 3
> > proxy: synchronous = yes
> > proxy: default_fallback = yes
> > proxy: dead_time = 120
> > proxy: post_proxy_authorize = no
> > proxy: wake_all_if_all_dead = no
> > security: max_attributes = 200
> > security: reject_delay = 1
> > security: status_server = no
> > main: debug_level = 0
> >read_config_files: reading dictionary
> >read_config_files: reading naslist
> >Using deprecated naslist file. Support for this will go away soon.
> >read_config_files: reading clients
> >read_config_files: reading realms
> >radiusd: entering modules setup
> >Module: Library search path is /usr/local/lib
> >Module: Loaded exec
> > exec: wait = yes
> > exec: program = "(null)"
> > exec: input_pairs = "request"
> > exec: output_pairs = "(null)"
> > exec: packet_type = "(null)"
> >rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> >Module: Instantiated exec (exec)
> >Module: Loaded expr
> >Module: Instantiated expr (expr)
> >Module: Loaded PAP
> > pap: encryption_scheme = "crypt"
> > pap: auto_header = yes
> >Module: Instantiated pap (pap)
> >Module: Loaded CHAP
> >Module: Instantiated chap (chap)
> >Module: Loaded MS-CHAP
> > mschap: use_mppe = yes
> > mschap: require_encryption = no
> > mschap: require_strong = no
> > mschap: with_ntdomain_hack = no
> > mschap: passwd = "(null)"
> > mschap: ntlm_auth = "(null)"
> >Module: Instantiated mschap (mschap)
> >Module: Loaded System
> > unix: cache = no
> > unix: passwd = "(null)"
> > unix: shadow = "(null)"
> > unix: group = "(null)"
> > unix: radwtmp = "/var/log/radwtmp"
> > unix: usegroup = no
> > unix: cache_reload = 600
> >Module: Instantiated unix (unix)
> >Module: Loaded LDAP
> > ldap: server = "192.168.33.33"
> > ldap: port = 389
> > ldap: net_timeout = 1
> > ldap: timeout = 4
> > ldap: timelimit = 3
> > ldap: identity = "cn=Manager,dc=iut-velizy,dc=uvsq,dc=fr"
> > ldap: tls_mode = no
> > ldap: start_tls = no
> > ldap: tls_cacertfile = "(null)"
> > ldap: tls_cacertdir = "(null)"
> > ldap: tls_certfile = "(null)"
> > ldap: tls_keyfile = "(null)"
> > ldap: tls_randfile = "(null)"
> > ldap: tls_require_cert = "allow"
> > ldap: password = "secret"
> > ldap: basedn = "dc=iut-velizy,dc=uvsq,dc=fr"
> > ldap: filter = "(uid=%u)"
> > ldap: base_filter = "(objectclass=radiusprofile)"
> > ldap: default_profile = "(null)"
> > ldap: profile_attribute = "(null)"
> > ldap: password_header = "(null)"
> > ldap: password_attribute = "userPassword"
> > ldap: access_attr = "dialupAccess"
> > ldap: groupname_attribute = "cn"
> > ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
> > ldap: groupmembership_attribute = "(null)"
> > ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap"
> > ldap: ldap_debug = 0
> > ldap: ldap_connections_number = 5
> > ldap: compare_check_items = no
> > ldap: access_attr_used_for_allow = yes
> > ldap: do_xlat = yes
> > ldap: set_auth_type = yes
> >rlm_ldap: Registering ldap_groupcmp for Ldap-Group
> >rlm_ldap: Registering ldap_xlat with xlat_name ldap
> >rlm_ldap: reading ldap<->radius mappings from file /usr/local/etc/raddb/ldap.attrmap
> >rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
> >rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
> >rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
> >rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
> >rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
> >rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
> >rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
> >rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
> >rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
> >rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
> >rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
> >rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
> >rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
> >rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
> >rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
> >rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
> >rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
> >rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
> >rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
> >rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
> >rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
> >rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
> >rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
> >rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
> >rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
> >rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
> >rlm_ldap: LDAP radiusClass mapped to RADIUS Class
> >rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
> >rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
> >rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
> >rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
> >rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
> >rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
> >rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
> >rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
> >rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
> >rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
> >rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
> >rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
> >conns: 0x2840f290
> >Module: Instantiated ldap (ldap)
> >Module: Loaded eap
> > eap: default_eap_type = "tls"
> > eap: timer_expire = 60
> > eap: ignore_unknown_eap_types = yes
> > eap: cisco_accounting_username_bug = no
> >rlm_eap: Loaded and initialized type md5
> >rlm_eap: Loaded and initialized type leap
> > gtc: challenge = "Password: "
> > gtc: auth_type = "PAP"
> >rlm_eap: Loaded and initialized type gtc
> > tls: rsa_key_exchange = no
> > tls: dh_key_exchange = yes
> > tls: rsa_key_length = 512
> > tls: dh_key_length = 512
> > tls: verify_depth = 0
> > tls: CA_path = "(null)"
> > tls: pem_file_type = yes
> > tls: private_key_file = "/usr/local/etc/raddb/certs/serveur.pem"
> > tls: certificate_file = "/usr/local/etc/raddb/certs/serveur.pem"
> > tls: CA_file = "/usr/local/etc/raddb/certs/root.pem"
> > tls: private_key_password = "whatever"
> > tls: dh_file = "/usr/local/etc/raddb/certs/dh"
> > tls: random_file = "/usr/local/etc/raddb/certs/random"
> > tls: fragment_size = 1024
> > tls: include_length = yes
> > tls: check_crl = no
> > tls: check_cert_cn = "%{User-Name}"
> > tls: cipher_list = "(null)"
> > tls: check_cert_issuer = "(null)"
> >rlm_eap_tls: Loading the certificate file as a chain
> >WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work!
> >WARNING: Fix this by running the OpenSSL command listed in eap.conf
> >rlm_eap: Loaded and initialized type tls
> > mschapv2: with_ntdomain_hack = no
> >rlm_eap: Loaded and initialized type mschapv2
> >Module: Instantiated eap (eap)
> >radiusd.conf Auth-Type eap already configured - skipping
> >Module: Loaded preprocess
> > preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
> > preprocess: hints = "/usr/local/etc/raddb/hints"
> > preprocess: with_ascend_hack = no
> > preprocess: ascend_channels_per_line = 23
> > preprocess: with_ntdomain_hack = no
> > preprocess: with_specialix_jetstream_hack = no
> > preprocess: with_cisco_vsa_hack = no
> > preprocess: with_alvarion_vsa_hack = no
> >Module: Instantiated preprocess (preprocess)
> >Module: Loaded realm
> > realm: format = "suffix"
> > realm: delimiter = "@"
> > realm: ignore_default = no
> > realm: ignore_null = no
> >Module: Instantiated realm (suffix)
> >Module: Loaded files
> > files: usersfile = "/usr/local/etc/raddb/users"
> > files: acctusersfile = "/usr/local/etc/raddb/acct_users"
> > files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
> > files: compat = "no"
> >Module: Instantiated files (files)
> >Module: Loaded Acct-Unique-Session-Id
> > acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
> >Module: Instantiated acct_unique (acct_unique)
> >Module: Loaded detail
> > detail: detailfile = "/var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d"
> > detail: detailperm = 384
> > detail: dirperm = 493
> > detail: locking = no
> >Module: Instantiated detail (detail)
> >Module: Loaded radutmp
> > radutmp: filename = "/var/log/radutmp"
> > radutmp: username = "%{User-Name}"
> > radutmp: case_sensitive = yes
> > radutmp: check_with_nas = yes
> > radutmp: perm = 384
> > radutmp: callerid = yes
> >Module: Instantiated radutmp (radutmp)
> >Listening on authentication *:1812
> >Listening on accounting *:1813
> >Ready to process requests.
> >rad_recv: Access-Request packet from host 127.0.0.1:54433, id=36, length=58
> > User-Name = "yhsina"
> > User-Password = "yhsina"
> > NAS-IP-Address = 255.255.255.255
> > NAS-Port = 0
> > Processing the authorize section of radiusd.conf
> >modcall: entering group authorize for request 0
> > modcall[authorize]: module "preprocess" returns ok for request 0
> > modcall[authorize]: module "chap" returns noop for request 0
> > modcall[authorize]: module "mschap" returns noop for request 0
> > rlm_realm: No '@' in User-Name = "yhsina", looking up realm NULL
> > rlm_realm: No such realm "NULL"
> > modcall[authorize]: module "suffix" returns noop for request 0
> > rlm_eap: No EAP-Message, not doing EAP
> > modcall[authorize]: module "eap" returns noop for request 0
> > modcall[authorize]: module "files" returns notfound for request 0
> >rlm_ldap: - authorize
> >rlm_ldap: performing user authorization for yhsina
> >radius_xlat: '(uid=yhsina)'
> >radius_xlat: 'dc=iut-velizy,dc=uvsq,dc=fr'
> >rlm_ldap: ldap_get_conn: Checking Id: 0
> >rlm_ldap: ldap_get_conn: Got Id: 0
> >rlm_ldap: attempting LDAP reconnection
> >rlm_ldap: (re)connect to 192.168.33.33:389, authentication 0
> >rlm_ldap: bind as cn=Manager,dc=iut-velizy,dc=uvsq,dc=fr/secret to 192.168.33.33:389
> >rlm_ldap: waiting for bind result ...
> >rlm_ldap: Bind was successful
> >rlm_ldap: performing search in dc=iut-velizy,dc=uvsq,dc=fr, with filter (uid=yhsina)
> >*rlm_ldap: no dialupAccess attribute - access denied by default*
> >rlm_ldap: ldap_release_conn: Release Id: 0
> > modcall[authorize]: module "ldap" returns userlock for request 0
> >modcall: leaving group authorize (returns userlock) for request 0
> >Delaying request 0 for 1 seconds
> >Finished request 0
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
--
HSINA Youness
Etudiant R&T - IUT--Velizy 78140
Tél : 06.28.73.76.75
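The two options Ivan names (disable access_attr, or allow access when the attribute is absent) and the third one implied by the debug output (keep access_attr_used_for_allow = yes and give the user entry a dialupAccess value) are not equivalent from an access-control point of view. The following model, added here as an illustration and not code from FreeRADIUS or from anyone in the thread, reproduces the decision rlm_ldap 1.x makes from access_attr and access_attr_used_for_allow and runs it over three constructed LDAP entries (the entries, the helper names and the return-code strings are this example's own). It shows that commenting access_attr out authorizes every entry the (uid=%u) filter matches, including an account whose dialupAccess is explicitly FALSE, whereas adding dialupAccess: TRUE to the user's entry fixes the reject while keeping the per-user gate.

```python
from typing import Dict, List, Optional

# rlm_ldap return codes modelled here: "userlock" rejects the request,
# "ok" lets authorization continue.
USERLOCK = "userlock"
OK = "ok"

LdapEntry = Dict[str, List[str]]


def ldap_access_decision(entry: LdapEntry,
                         access_attr: Optional[str] = "dialupAccess",
                         access_attr_used_for_allow: bool = True) -> str:
    """Model of the access_attr check in rlm_ldap's authorize method (1.x).

    entry: LDAP attribute name -> list of values for the matched user.
    access_attr: None models commenting access_attr out of radiusd.conf.
    access_attr_used_for_allow: the radiusd.conf setting of the same name.
    """
    if access_attr is None:
        # No access attribute configured: any entry matching the
        # filter (uid=%u) is authorized, including explicitly disabled ones.
        return OK

    values = entry.get(access_attr)
    if values is not None:
        if access_attr_used_for_allow:
            # Attribute is an allow flag: present and not FALSE means allowed
            # (rlm_ldap compares the first value against "FALSE").
            if not values or values[0].startswith("FALSE"):
                return USERLOCK  # "dialup access disabled for <user>"
            return OK
        # Attribute is a deny flag: its mere presence locks the account.
        return USERLOCK  # "<attr> attribute exists - access denied by default"

    if access_attr_used_for_allow:
        # The case from this thread: the user entry has no dialupAccess at all.
        return USERLOCK  # "no dialupAccess attribute - access denied by default"
    # Deny-flag mode with no attribute present: allowed.
    return OK


# Constructed sample entries (not taken from the directory in the thread).
SAMPLE_ENTRIES: Dict[str, LdapEntry] = {
    "no-flag": {"uid": ["yhsina"], "objectClass": ["radiusprofile"]},
    "flag-true": {"uid": ["yhsina"], "dialupAccess": ["TRUE"]},
    "flag-false": {"uid": ["yhsina"], "dialupAccess": ["FALSE"]},
}

# The three ways out of the "access denied by default" message.
FIXES = {
    "disable access_attr": dict(access_attr=None),
    "keep allow flag, set dialupAccess on the user": dict(),
    "access_attr_used_for_allow = no": dict(access_attr_used_for_allow=False),
}


def compare_fixes() -> Dict[str, Dict[str, str]]:
    """Decision for every (fix, sample entry) pair."""
    return {
        fix: {name: ldap_access_decision(entry, **kwargs)
              for name, entry in SAMPLE_ENTRIES.items()}
        for fix, kwargs in FIXES.items()
    }


if __name__ == "__main__":
    for fix, results in compare_fixes().items():
        print(f"{fix}:")
        for name, decision in results.items():
            print(f"  {name:10s} -> {decision}")
```

Running the block prints one table per fix. With access_attr disabled all three entries come back "ok"; with the allow flag kept, only the entry carrying dialupAccess: TRUE passes, which is the outcome that keeps an LDAP lockout (dialupAccess: FALSE) effective at the RADIUS server.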