separating Users?
freeradius at corwyn.net
Tue Dec 1 15:19:36 CET 2009
At 02:39 AM 12/1/2009, Alan DeKok wrote:
> Because you've forced the "ntlm_auth" module to be run. That module
> ONLY checks clear-text passwords, and there is NO clear-text password in
> the request.
>
> Change the line having
> ... Auth-Type := ntlm_auth, ...
> to
> ... Auth-Type = ntlm_auth, ...
DEFAULT Huntgroup-Name == Cisco_Huntgroup, Auth-Type := ntlm_auth, Ldap-Group == "Infrastructure"
        Service-Type := NAS-Prompt-User, cisco-avpair := "shell:priv-lvl=15"

DEFAULT Huntgroup-Name == VPN_Huntgroup, Auth-Type = ntlm_auth, Ldap-Group == "VPN_Users"
It runs the LDAP group check, but still lets the user log in even
when he's not in the VPN_Users group:
rlm_ldap::groupcmp: Group VPN_Users not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
++[files] returns noop
[ldap] performing user authorization for ciscorsteeves
[ldap] WARNING: Deprecated conditional expansion ":-". See "man
unlang" for details
[ldap] expand:
(&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))
-> (&(sAMAccountname=ciscorsteeves)(objectClass=person))
[ldap] expand: OU=Enterprise,DC=example,DC=com ->
OU=Enterprise,DC=example,DC=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Enterprise,DC=example,DC=com, with
filter (&(sAMAccountname=ciscorsteeves)(objectClass=person))
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure
that the user is configured correctly?
[ldap] user ciscorsteeves authorized to use remote access
> And read "man users" to see what the difference is.
Ahh, man 5 users. cool.
Rick
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
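The behaviour Rick describes (the group check fails, no users entry matches, and the ldap module then authorizes the user on its own) comes from the way the files module walks the users file: an entry whose check items do not all match is skipped entirely, and if no entry matches nothing in the file decides the request. The following is an added example, not part of the thread and not FreeRADIUS code: a small Python model of that matching (DEFAULT entries, `==` checks, the Ldap-Group check, `:=` versus `=` on Auth-Type, first match wins unless Fall-Through = Yes). The usernames, the group membership dict standing in for rlm_ldap, and the final catch-all `DEFAULT Auth-Type := Reject` entry are constructed assumptions; the real semantics are documented in man 5 users.

```python
"""Toy model of how the FreeRADIUS "files" module walks the users file.
Added example for this thread; it is not FreeRADIUS code.  It models only
what the thread touches: DEFAULT entries, '==' checks on request attributes,
the Ldap-Group check (a constructed dict stands in for rlm_ldap's groupcmp),
':=' versus '=' on Auth-Type, and first-match-wins unless Fall-Through = Yes."""
import re
from typing import Dict, List, Set, Tuple

# Constructed directory contents (assumption): who is in which group.
LDAP_GROUPS: Dict[str, Set[str]] = {
    "alice": {"Infrastructure"},
    "bob": set(),  # in neither group, like the user in the debug output
}

# The two entries from the thread, each entry's check items on one line.
USERS_FILE = """\
DEFAULT Huntgroup-Name == Cisco_Huntgroup, Auth-Type := ntlm_auth, Ldap-Group == "Infrastructure"
        Service-Type := NAS-Prompt-User, cisco-avpair := "shell:priv-lvl=15"

DEFAULT Huntgroup-Name == VPN_Huntgroup, Auth-Type = ntlm_auth, Ldap-Group == "VPN_Users"
"""

# Same file plus a catch-all that rejects anyone no earlier entry accepted
# (the catch-all entry is an addition, not from the thread).
HARDENED_USERS_FILE = USERS_FILE + """
DEFAULT Auth-Type := Reject
        Reply-Message = "Not a member of a permitted group"
"""

ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)')


def parse_items(text: str) -> List[Tuple[str, str, str]]:
    """'Attr op value' triples; surrounding quotes are stripped from values."""
    return [(attr, op, val.strip('"')) for attr, op, val in ITEM_RE.findall(text)]


def parse_users(text: str):
    """Entries are blank-line separated: first line = name + check items,
    indented continuation lines = reply items."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = lines[0].split(None, 1)
        checks = parse_items(head[1]) if len(head) > 1 else []
        replies = parse_items(" ".join(line.strip() for line in lines[1:]))
        entries.append((head[0], checks, replies))
    return entries


def authorize(username, request, users_text, groups):
    """Return (config items, reply items) the files module would produce."""
    config, reply = {}, {}
    for name, checks, replies in parse_users(users_text):
        if name not in ("DEFAULT", username):
            continue
        # An entry matches only if every '==' check item is true.
        matched = True
        for attr, op, val in checks:
            if op != "==":
                continue
            if attr == "Ldap-Group":
                matched = val in groups.get(username, set())
            else:
                matched = request.get(attr) == val
            if not matched:
                break
        if not matched:
            continue  # skipped entirely: nothing this entry sets takes effect
        for attr, op, val in checks:
            if op == ":=":
                config[attr] = val             # force, overriding earlier entries
            elif op == "=":
                config.setdefault(attr, val)   # only if nothing set it yet
        for attr, op, val in replies:
            if op == ":=":
                reply[attr] = val
            else:
                reply.setdefault(attr, val)
        if reply.pop("Fall-Through", "no").lower() != "yes":
            break  # first matching entry wins
    return config, reply


def files_outcome(username, request, users_text, groups=LDAP_GROUPS):
    """'Reject', a forced Auth-Type, or None when no entry matched and the
    decision is left to later modules (which is how ldap ended up authorizing)."""
    config, _ = authorize(username, request, users_text, groups)
    return config.get("Auth-Type")


if __name__ == "__main__":
    vpn = {"Huntgroup-Name": "VPN_Huntgroup"}
    print(files_outcome("bob", vpn, USERS_FILE))           # None: falls through
    print(files_outcome("bob", vpn, HARDENED_USERS_FILE))  # Reject
```

With the two entries from the thread alone, a VPN user who is not in VPN_Users matches nothing, the files module sets no Auth-Type, and whatever the ldap module decides stands. The catch-all entry at the end of the file turns "no entry matched" into an explicit reject, which is the check a practitioner would want when the users file is meant to be the gate.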