Expanding run-time variables and checking access_attr for allow

Nicolás Velázquez nicolas.velazquez at uam.es
Thu Nov 19 10:43:57 CET 2009


Hi Ivan,

> > The second question.
> >
> > If I put, ONLY FOR CHECK, the base_filter =
> > "(uniquemember=cn=nicolas.velazquez at uam.es,cn=users,dc=uam,dc=es)"
> > the LDAP replies with No Such Object. But the radius authorization sends ok.
> > The misconfiguration of LDAP is not the question here.
> > The question here is: documentation says if the parameter does not exist
> > the authorization doesn't work.
> 
> It exists so it does work:


I don't understand anything.

I have the tcpdump file to see the transaction.
I see all the conversation: first the admin_user binds to perform the
authorization, and in the second phase I see the bind of the user to check
the authentication.

But the answer to the authorize module from LDAP as I can see it using
Wireshark is:

LDAPMessage searchResDone (3) noSuchObject [0results]
   messageID: 3
   protocolOp: searchResDone (5)
      searchResDone
         resultCode: noSuchObject (32)
         matchedDN: cn=Groups, dc=uam,dc=es

The LDAP server doesn't answer with
"uniquemember=cn=nicolas.velazquez at uam.es,cn=users,dc=uam,dc=es OK", "Object
OK" or a similar acceptance message (I'm not the LDAP guru in my org, as you can
see).

Is FR using the matchedDN parameter?
I used "cn" as access_attr.
It could be an explanation, and then I must build a better access_attr.
Please confirm this for me.

And the initial question about the expansion of run-time variables?
Is the unexpanded base_filter the normal way of operation?

I have read all the wiki and server documentation I found about run-time
variables, operators, etc. and I haven't seen anything about this issue.
And the changelog doc doesn't mention any bug fix for this issue between 2.1.4
and 2.1.7.

Anyway, thank you very much Ivan.

  Nicolas

Nicolás Velazquez Campoy
Unidad Técnica de Comunicaciones
Tecnologías de la Información. UAM
http://rincon.uam.es/dir?cw=389407348632812
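As an added example (not code from the post, from Ivan's reply, or from FreeRADIUS), the following Python interprets a searchResDone like the one quoted above: per RFC 4511, on noSuchObject the server sets matchedDN to the deepest existing ancestor of the requested base DN, so comparing the two shows which part of the configured search base is missing rather than anything about access_attr. The search base DN below is a constructed placeholder, since the post does not show the configured basedn.

```python
"""Interpret an LDAP searchResDone for an rlm_ldap-style authorize search.

Added example; not FreeRADIUS code. A noSuchObject (32) result means the
search base itself does not exist, and matchedDN names the longest suffix
of that base that does exist. Only a successful search that returns the
user's entry can then be checked for access_attr.
"""
from dataclasses import dataclass
from typing import List

SUCCESS = 0
NO_SUCH_OBJECT = 32


@dataclass
class SearchResDone:
    message_id: int
    result_code: int
    matched_dn: str
    entries: int  # searchResEntry messages seen before this searchResDone


def split_dn(dn: str) -> List[str]:
    """Split a DN into normalized RDNs: whitespace stripped, lower-cased
    (values compared case-insensitively, as caseIgnore attributes such as
    cn and dc are). Escaped commas in values are not handled here."""
    rdns = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if rdn:
            attr, _, value = rdn.partition("=")
            rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return rdns


def missing_rdns(base_dn: str, matched_dn: str) -> List[str]:
    """Return the leading RDNs of base_dn that the directory does not have."""
    base, matched = split_dn(base_dn), split_dn(matched_dn)
    if matched and base[-len(matched):] != matched:
        raise ValueError("matchedDN is not a suffix of the search base")
    return base[: len(base) - len(matched)]


def diagnose(base_dn: str, res: SearchResDone) -> str:
    """Plain-language reading of the result for the configured base DN."""
    if res.result_code == NO_SUCH_OBJECT:
        missing = ",".join(missing_rdns(base_dn, res.matched_dn))
        return f"search base does not exist; missing RDNs: {missing}"
    if res.result_code == SUCCESS and res.entries == 0:
        return "search base exists but the filter matched no entries"
    if res.result_code == SUCCESS:
        return f"{res.entries} entries matched; now check access_attr on them"
    return f"LDAP error code {res.result_code}"


# Constructed input: the response from the post, with a placeholder basedn.
RESPONSE = SearchResDone(message_id=3, result_code=NO_SUCH_OBJECT,
                         matched_dn="cn=Groups, dc=uam,dc=es", entries=0)
PLACEHOLDER_BASE = "cn=radius-users,cn=Groups,dc=uam,dc=es"  # hypothetical
```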
More information about the Freeradius-Users mailing list