LDAP Auth

Dave Rummel daverummel at boothcreek.com
Fri Jun 5 00:30:02 CEST 2009


First off I am totally new to radius...but really love the concept. I 
have radius working with ldap to authorize the user if they are in the 
corporate directory, o=lookout. My next step is to filter it by category 
to the NAS device. I have been looking at quite a few examples, but 
nothing seems to stick.

In order for me to just grasp the concept, I have tried this in the 
users file. o=lookout is our complete list of all of our users.

DEFAULT Huntgroup-Name == CiscoAdmin, Ldap-Group == "o=lookout"
     Fall-Through = no

DEFAULT Auth-Type := Reject

If I comment out the Reject, the user is able to authenticate to the 
Cisco Router. As soon as I uncomment it, I get rejected. Here is the 
log file from it.



Thu Jun  4 16:15:52 2009 : Info: [ldap] user daverummel authorized to use remote access
Thu Jun  4 16:15:52 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Thu Jun  4 16:15:52 2009 : Info: ++[ldap] returns ok
Thu Jun  4 16:15:52 2009 : Info: ++[expiration] returns noop
Thu Jun  4 16:15:52 2009 : Info: ++[logintime] returns noop
Thu Jun  4 16:15:52 2009 : Info: Found Auth-Type = Reject
Thu Jun  4 16:15:52 2009 : Info: Auth-Type = Reject, rejecting user
Thu Jun  4 16:15:52 2009 : Info: Failed to authenticate the user.
Thu Jun  4 16:15:52 2009 : Auth: Login incorrect: [daverummel] (from client R1 port 98 cli 216.103.190.220)
Thu Jun  4 16:15:52 2009 : Info: Using Post-Auth-Type Reject
Thu Jun  4 16:15:52 2009 : Info: +- entering group REJECT {...}
Thu Jun  4 16:15:52 2009 : Info: [attr_filter.access_reject]    expand: %{User-Name} -> daverummel
Thu Jun  4 16:15:52 2009 : Debug:  attr_filter: Matched entry DEFAULT at line 11
Thu Jun  4 16:15:52 2009 : Info: ++[attr_filter.access_reject] returns updated
Thu Jun  4 16:15:52 2009 : Info: Delaying reject of request 0 for 1 seconds
Thu Jun  4 16:15:52 2009 : Debug: Going to the next request
Thu Jun  4 16:15:52 2009 : Debug: Waking up in 0.9 seconds.
Thu Jun  4 16:15:53 2009 : Info: Sending delayed reject for request 0


The line I am really trying to understand is this one. Where is this 
line 11?

Thu Jun  4 16:15:52 2009 : Debug:  attr_filter: Matched entry DEFAULT at line 11

Thanks for your help

Dave