LDAP auth in two sources

Vladimir Mendelevich menv at on-line.ru
Fri Nov 27 08:37:33 CET 2009


On Thu, 26 Nov 2009 18:21:29 -0000 (UTC)
 tnt at kalik.net wrote:

> > As I don't have any other auth than LDAP, it is done
> > automatically. I hope so. ;-)
> 
> Enable files (and comment out ldap entries) and put:
> 
> DEFAULT Auth-Type := tam
> 
> at the top of the users file. That's a much cheaper way.

Hm... I think I don't understand you. What to disable in
what section? authorize or authenticate?

> Check base_dn. You say it is different but server debug
> would disagree.
> 

But they are. 

        ldap tam {
                server = "skoll-vm1.kmz.ts"
                basedn = "o=tamknown"
                filter = "(uid=%{User-Name})"
                authtype = tam
                start_tls = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                timeout = 4
                timelimit = 3
                net_timeout = 1
                compare_check_items = no
                do_xlat = no
                access_attr_used_for_allow = no
                set_auth_type = yes
        }
        ldap lotus {
                server = "ldap.kmz.ts"
                basedn = "o=tsas"
                filter = "(uid=%{User-Name})"
                authtype = lotus
                start_tls = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                timeout = 4
                timelimit = 3
                net_timeout = 1
                compare_check_items = no
                do_xlat = no
                access_attr_used_for_allow = no
                set_auth_type = yes
        }

The previous version wrote a different base dn on the
screen on every debug. You can see it in my first message.
Now I cannot see it on the screen. Below is the unmodified
output.

rad_recv: Access-Request packet from host 192.168.110.3 port 52866, id=87, length=64
	User-Name = "vmendelevich"
	User-Password = "33333333"
	NAS-IP-Address = 192.168.110.3
	NAS-Port = 10
+- entering group authorize {...}
++- entering group ldap {...}
[tam] performing user authorization for vmendelevich
[tam] 	expand: (uid=%{User-Name}) -> (uid=vmendelevich)
[tam] 	expand: o=tamknown -> o=tamknown
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to skoll-vm1.kmz.ts:389, authentication 0
rlm_ldap: bind as / to skoll-vm1.kmz.ts:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=tamknown, with filter (uid=vmendelevich)
[tam] looking for check items in directory...
[tam] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[tam] Setting Auth-Type = tam
[tam] user vmendelevich authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[tam] returns ok
++- group ldap returns ok
Found Auth-Type = tam
+- entering group tam {...}
[tam] login attempt by "vmendelevich" with password "33333333"
[tam] user DN: uid=vmendelevich,o=tamknown
rlm_ldap: (re)connect to skoll-vm1.kmz.ts:389, authentication 1
rlm_ldap: bind as uid=vmendelevich,o=tamknown/33333333 to skoll-vm1.kmz.ts:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
++[tam] returns reject
++? if (reject)
? Evaluating (reject) -> TRUE
++? if (reject) -> TRUE
++- entering if (reject) {...}
[lotus] login attempt by "vmendelevich" with password "33333333"
[lotus] user DN: uid=vmendelevich,o=tamknown
rlm_ldap: (re)connect to ldap.kmz.ts:389, authentication 1
rlm_ldap: bind as uid=vmendelevich,o=tamknown/33333333 to ldap.kmz.ts:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
+++[lotus] returns reject
++- if (reject) returns reject
Failed to authenticate the user.
Login incorrect (rlm_ldap: Bind as user failed): [vmendelevich] (from client VMendelevich port 10)
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 87 to 192.168.110.3 port 52866
Waking up in 4.9 seconds.
Cleaning up request 0 ID 87 with timestamp +14
Ready to process requests.

My problem begins exactly at this point. When
authentication is passed on to the second server, the base_dn
from the first request to the first server is used.

UIN:9244669
Phone:+7(495)727-0982 ext.4162
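As an added check (not part of this thread or of FreeRADIUS itself), the script below scans a radiusd -X trace and flags any ldap module instance that binds with a user DN outside its own configured basedn, which is exactly what the "[lotus] user DN: uid=vmendelevich,o=tamknown" line above shows. The instance-to-basedn table and the trace excerpt are constructed from the config and debug output quoted in the post.

```python
import re

# Configured basedn per ldap module instance, taken from the two
# "ldap tam" / "ldap lotus" blocks quoted in the post (constructed table).
INSTANCE_BASEDN = {
    "tam": "o=tamknown",
    "lotus": "o=tsas",
}

# Constructed excerpt of the radiusd -X trace from the post. Each instance
# logs the DN it is about to bind as in a "[<instance>] user DN: <dn>" line.
SAMPLE_DEBUG = """\
[tam] user DN: uid=vmendelevich,o=tamknown
rlm_ldap: bind as uid=vmendelevich,o=tamknown/33333333 to skoll-vm1.kmz.ts:389
rlm_ldap: Bind failed with invalid credentials
[lotus] user DN: uid=vmendelevich,o=tamknown
rlm_ldap: bind as uid=vmendelevich,o=tamknown/33333333 to ldap.kmz.ts:389
rlm_ldap: Bind failed with invalid credentials
"""

USER_DN_RE = re.compile(r"^\[(?P<inst>[^\]]+)\] user DN: (?P<dn>\S+)$")


def dn_components(dn):
    # Split a DN on unescaped commas and normalise each RDN for comparison.
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]


def dn_under_base(dn, base):
    # True when the DN's trailing RDNs equal the base DN, i.e. the entry
    # lives somewhere under that base.
    dn_parts, base_parts = dn_components(dn), dn_components(base)
    return len(dn_parts) >= len(base_parts) and dn_parts[-len(base_parts):] == base_parts


def find_basedn_mismatches(debug_text, instance_basedn):
    # Return (instance, dn, expected_base) for every user-DN line whose DN
    # is not under the basedn configured for that instance.
    findings = []
    for line in debug_text.splitlines():
        m = USER_DN_RE.match(line)
        if not m:
            continue
        inst, dn = m.group("inst"), m.group("dn")
        base = instance_basedn.get(inst)
        if base is not None and not dn_under_base(dn, base):
            findings.append((inst, dn, base))
    return findings


if __name__ == "__main__":
    for inst, dn, base in find_basedn_mismatches(SAMPLE_DEBUG, INSTANCE_BASEDN):
        print(f"[{inst}] bound as {dn}, which is not under its basedn {base}")
```

A hit for the second instance means it reused the DN located by the first instance's authorize search instead of searching its own base.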



More information about the Freeradius-Users mailing list