Allow users from a specific DA group
Free2009
nunogfas at gmail.com
Thu Sep 24 10:49:20 CEST 2009
Hi, I spent some time trying to get FR+AD working together and presently I'm
using ntlm to authenticate users through mschap against the AD. It is
working.
Next step is to try to allow access only to specific users belonging to a group
from the AD, but it is not working.
I post here the important things I have configured until now:
1. users file:
DEFAULT Ldap-Group != "wireless", Auth-Type := Reject
2. /usr/local/etc/raddb/sites-enabled/inner-tunnel and default:
# uncommented ldap from authorize function
3. /modules/ldap:
server = "192.168.1.10"
port = 389
identity = "cn=Administrator,cn=users,dc=DOT1X,dc=local"
password = 123456
basedn = "dc=DOT1X,dc=local"
filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))"
base_filter = "(objectclass=radiusprofile)"
groupmembership_filter = "(|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn})))"
groupmembership_attribute = memberOf
Do you have any idea what can be missing?
I also send the debug:
ldap_chase_v3referral: msgid 15, url
"ldap://dot1x.local/CN=Configuration,DC=dot1x,DC=local"
ldap_send_server_request
ldap_new_connection 0 1 1
ldap_int_open_connection
ldap_connect_to_host: TCP dot1x.local:389
ldap_new_socket: 15
ldap_prepare_socket: 15
ldap_connect_to_host: Trying 192.168.1.10:389
ldap_pvt_connect: fd: 15 tm: 1 async: 0
ldap_ndelay_on: 15
ldap_int_poll: fd: 15 tm: 1
ldap_is_sock_ready: 15
ldap_ndelay_off: 15
ldap_pvt_connect: 0
anonymous rebind via ldap_sasl_bind("")
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 0x818f1f8 msgid 25
wait4msg ld 0x818f1f8 msgid 25 (timeout 100000 usec)
wait4msg continue ld 0x818f1f8 msgid 25 all 1
** ld 0x818f1f8 Connections:
* host: dot1x.local port: 0
refcnt: 2 status: Connected
last used: Wed Sep 23 21:25:55 2009
rebind in progress
queue is empty
* host: DomainDnsZones.dot1x.local port: 0
refcnt: 1 status: Connected
last used: Wed Sep 23 21:25:55 2009
* host: 192.168.1.10 port: 389 (default)
refcnt: 2 status: Connected
last used: Wed Sep 23 21:25:55 2009
** ld 0x818f1f8 Outstanding Requests:
* msgid 25, origid 25, status InProgress
outstanding referrals 0, parent count 0
* msgid 22, origid 15, status InProgress
outstanding referrals 0, parent count 3
* msgid 18, origid 15, status RequestCompleted
outstanding referrals 0, parent count 2
* msgid 16, origid 15, status RequestCompleted
outstanding referrals 0, parent count 1
* msgid 15, origid 15, status ChasingRefs
outstanding referrals 2, parent count 3
ld 0x818f1f8 request count 5 (abandoned 0)
** ld 0x818f1f8 Response Queue:
* msgid 15, type 115
chained responses:
* msgid 15, type 115
* msgid 15, type 115
ld 0x818f1f8 response count 1
ldap_chkResponseList ld 0x818f1f8 msgid 25 all 1
ldap_chkResponseList returns ld 0x818f1f8 NULL
ldap_int_select
read1msg: ld 0x818f1f8 msgid 25 all 1
read1msg: ld 0x818f1f8 msgid 25 message type bind
read1msg: ld 0x818f1f8 0 new referrals
read1msg: mark request completed, ld 0x818f1f8 msgid 25
request done: ld 0x818f1f8 msgid 25
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 25, msgid 25)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_result
ldap_msgfree
read1msg: search ref chased, mark request chasing refs, id = 15
adding response ld 0x818f1f8 msgid 15 type 115:
wait4msg ld 0x818f1f8 3 s 972321 us to go
wait4msg continue ld 0x818f1f8 msgid 15 all 1
** ld 0x818f1f8 Connections:
* host: dot1x.local port: 0
refcnt: 1 status: Connected
last used: Wed Sep 23 21:25:55 2009
* host: DomainDnsZones.dot1x.local port: 0
refcnt: 1 status: Connected
last used: Wed Sep 23 21:25:55 2009
* host: 192.168.1.10 port: 389 (default)
refcnt: 2 status: Connected
last used: Wed Sep 23 21:25:55 2009
** ld 0x818f1f8 Outstanding Requests:
* msgid 24, origid 15, status InProgress
outstanding referrals 0, parent count 4
* msgid 22, origid 15, status InProgress
outstanding referrals 0, parent count 3
* msgid 18, origid 15, status RequestCompleted
outstanding referrals 0, parent count 2
* msgid 16, origid 15, status RequestCompleted
outstanding referrals 0, parent count 1
* msgid 15, origid 15, status ChasingRefs
outstanding referrals 2, parent count 4
ld 0x818f1f8 request count 5 (abandoned 0)
** ld 0x818f1f8 Response Queue:
* msgid 15, type 115
chained responses:
* msgid 15, type 115
* msgid 15, type 115
* msgid 15, type 115
ld 0x818f1f8 response count 1
ldap_chkResponseList ld 0x818f1f8 msgid 15 all 1
ldap_chkResponseList returns ld 0x818f1f8 NULL
ldap_int_select
read1msg: ld 0x818f1f8 msgid 15 all 1
read1msg: ld 0x818f1f8 msgid 22 message type search-result
ldap_chase_referrals
read1msg: V2 referral chased, mark request completed, id = 22
read1msg: ld 0x818f1f8 0 new referrals
read1msg: mark request completed, ld 0x818f1f8 msgid 22
merged parent (id 15) error info: result errno 1, error <>, matched <>
ldap_free_connection 0 1
ldap_send_unbind
ldap_free_connection: actually freed
wait4msg ld 0x818f1f8 3 s 972094 us to go
wait4msg continue ld 0x818f1f8 msgid 15 all 1
** ld 0x818f1f8 Connections:
* host: dot1x.local port: 0
refcnt: 1 status: Connected
last used: Wed Sep 23 21:25:55 2009
* host: 192.168.1.10 port: 389 (default)
refcnt: 2 status: Connected
last used: Wed Sep 23 21:25:55 2009
** ld 0x818f1f8 Outstanding Requests:
* msgid 24, origid 15, status InProgress
outstanding referrals 0, parent count 4
* msgid 22, origid 15, status RequestCompleted
outstanding referrals 0, parent count 3
* msgid 18, origid 15, status RequestCompleted
outstanding referrals 0, parent count 2
* msgid 16, origid 15, status RequestCompleted
outstanding referrals 0, parent count 1
* msgid 15, origid 15, status ChasingRefs
outstanding referrals 1, parent count 4
ld 0x818f1f8 request count 5 (abandoned 0)
** ld 0x818f1f8 Response Queue:
* msgid 15, type 115
chained responses:
* msgid 15, type 115
* msgid 15, type 115
* msgid 15, type 115
ld 0x818f1f8 response count 1
ldap_chkResponseList ld 0x818f1f8 msgid 15 all 1
ldap_chkResponseList returns ld 0x818f1f8 NULL
ldap_int_select
read1msg: ld 0x818f1f8 msgid 15 all 1
read1msg: ld 0x818f1f8 msgid 15 message type search-result
read1msg: ld 0x818f1f8 0 new referrals
read1msg: mark request completed, ld 0x818f1f8 msgid 15
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
wait4msg ld 0x818f1f8 3 s 971737 us to go
wait4msg continue ld 0x818f1f8 msgid 15 all 1
** ld 0x818f1f8 Connections:
* host: dot1x.local port: 0
refcnt: 1 status: Connected
last used: Wed Sep 23 21:25:55 2009
* host: 192.168.1.10 port: 389 (default)
refcnt: 1 status: Connected
last used: Wed Sep 23 21:25:55 2009
** ld 0x818f1f8 Outstanding Requests:
* msgid 24, origid 15, status InProgress
outstanding referrals 0, parent count 4
* msgid 22, origid 15, status RequestCompleted
outstanding referrals 0, parent count 3
* msgid 18, origid 15, status RequestCompleted
outstanding referrals 0, parent count 2
* msgid 16, origid 15, status RequestCompleted
outstanding referrals 0, parent count 1
* msgid 15, origid 15, status RequestCompleted
outstanding referrals 1, parent count 4
ld 0x818f1f8 request count 5 (abandoned 0)
** ld 0x818f1f8 Response Queue:
* msgid 15, type 115
chained responses:
* msgid 15, type 115
* msgid 15, type 115
* msgid 15, type 115
ld 0x818f1f8 response count 1
ldap_chkResponseList ld 0x818f1f8 msgid 15 all 1
ldap_chkResponseList returns ld 0x818f1f8 NULL
ldap_int_select
read1msg: ld 0x818f1f8 msgid 15 all 1
read1msg: ld 0x818f1f8 msgid 24 message type search-result
ldap_chase_referrals
read1msg: V2 referral chased, mark request completed, id = 24
read1msg: ld 0x818f1f8 0 new referrals
read1msg: mark request completed, ld 0x818f1f8 msgid 24
merged parent (id 15) error info: result errno 1, error <00000000: LdapErr:
DSID-0C090627, comment: In order to perform this operation a successful bind
must be completed on the connection., data 0, vece>, matched <>
request done: ld 0x818f1f8 msgid 15
res_errno: 1, res_error: <00000000: LdapErr: DSID-0C090627, comment: In
order to perform this operation a successful bind must be completed on the
connection., data 0, vece>, res_matched: <>
ldap_free_request (origid 15, msgid 15)
ldap_free_request (origid 15, msgid 24)
ldap_free_request (origid 15, msgid 22)
ldap_free_request (origid 15, msgid 18)
ldap_free_request (origid 15, msgid 16)
ldap_free_connection 0 1
ldap_send_unbind
ldap_free_connection: actually freed
adding response ld 0x818f1f8 msgid 15 type 101:
ldap_parse_result
ldap_err2string
rlm_ldap: ldap_search() failed: Operations error
ldap_msgfree
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns fail
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> dot1x\user3
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 66 to 192.168.1.7 port 1645
Waking up in 4.9 seconds
--
View this message in context: http://www.nabble.com/Allow-users-from-a-specific-DA-group-tp25544888p25544888.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
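The debug output above shows why the users-file rule never gets a group answer: the search hits an AD referral (ldap_chase_v3referral to CN=Configuration), the referral is followed with an anonymous rebind (ldap_sasl_bind("")), and the referred server answers "a successful bind must be completed on the connection", so rlm_ldap reports "Operations error" and returns fail before any membership is evaluated. The following is an added example, not FreeRADIUS code and not from the poster: it models, against a constructed in-memory directory, how an rlm_ldap-style Ldap-Group check is resolved with the post's own group filter (user located by sAMAccountName, membership taken from memberOf, falling back to the groupmembership_filter with %{Ldap-UserDn} substituted), and it shows why every substituted value must be escaped per RFC 4515. The directory entries, the user filter simplified to %{User-Name}, and the function names are assumptions of the example.

```python
"""Emulation of an rlm_ldap-style Ldap-Group check against AD-shaped entries.
The user is found by sAMAccountName, then membership is read from the user's
memberOf attribute and, failing that, from the groupmembership_filter with
%{Ldap-UserDn} substituted.  Every substituted value is escaped per RFC 4515,
so a crafted User-Name cannot alter the filter's structure.
Added example, not FreeRADIUS code; the directory is constructed sample data."""
import re

# Constructed in-memory directory (DN -> attributes).  user4 and user5 have no
# memberOf, so for them only the groupmembership_filter path can decide.
DIRECTORY = {
    "cn=user3,cn=users,dc=DOT1X,dc=local": {"sAMAccountName": ["user3"],
        "memberOf": ["cn=wireless,cn=users,dc=DOT1X,dc=local"]},
    "cn=user4,cn=users,dc=DOT1X,dc=local": {"sAMAccountName": ["user4"]},
    "cn=user5,cn=users,dc=DOT1X,dc=local": {"sAMAccountName": ["user5"]},
    "cn=wireless,cn=users,dc=DOT1X,dc=local": {
        "objectClass": ["top", "group"], "cn": ["wireless"],
        "member": ["cn=user3,cn=users,dc=DOT1X,dc=local",
                   "cn=user4,cn=users,dc=DOT1X,dc=local"]},
}

# Settings mirroring the post's modules/ldap.  The user filter is simplified to
# %{User-Name} (no Stripped-User-Name fallback); the group filter is the post's.
USER_FILTER = "(&(sAMAccountName=%{User-Name}))"
GROUP_FILTER = ("(|(&(objectClass=group)(member=%{Ldap-UserDn}))"
                "(&(objectClass=top)(uniquemember=%{Ldap-UserDn})))")
GROUP_ATTR, GROUPNAME_ATTR = "memberOf", "cn"

def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def expand(template, **xlat):
    """Substitute %{Name} references, escaping each value as rlm_ldap does."""
    return re.sub(r"%\{([^}]+)\}",
                  lambda m: escape_filter_value(xlat[m.group(1)]), template)

def parse_filter(s, i=0):
    """Recursive-descent parser for the &, | and equality forms of RFC 4515.
    Returns (node, index just past the closing parenthesis)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, kids), i + 1
    j = s.index(")", i)               # escaped values never hold a raw ')'
    attr, _, value = s[i:j].partition("=")
    return ("=", attr, value), j + 1

def _value_regex(value):
    """A raw '*' in the filter is a wildcard; \\XX escapes decode to literals,
    so an escaped '*' that came from user input stays a literal asterisk."""
    unhex = lambda p: re.sub(r"\\([0-9a-fA-F]{2})",
                             lambda m: chr(int(m.group(1), 16)), p)
    pieces = [re.escape(unhex(p)) for p in value.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)

def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes."""
    if node[0] == "=":
        rx = _value_regex(node[2])
        vals = next((v for k, v in attrs.items()
                     if k.lower() == node[1].lower()), [])
        return any(rx.match(v) for v in vals)
    combine = all if node[0] == "&" else any
    return combine(matches(k, attrs) for k in node[1])

def search(filter_text):
    """Return the DNs of directory entries matching an RFC 4515 filter."""
    node, _ = parse_filter(filter_text)
    return [dn for dn, attrs in DIRECTORY.items() if matches(node, attrs)]

def ldap_group_matches(username, group):
    """Emulate `Ldap-Group == group`: attribute path first, then the
    groupmembership_filter path.  Returns (is_member, how_decided)."""
    hits = search(expand(USER_FILTER, **{"User-Name": username}))
    if len(hits) != 1:
        return False, "user not found" if not hits else "ambiguous user"
    user_dn = hits[0]
    for member_dn in DIRECTORY[user_dn].get(GROUP_ATTR, []):
        if group in DIRECTORY.get(member_dn, {}).get(GROUPNAME_ATTR, []):
            return True, "via " + GROUP_ATTR
    flt = "(&(%s=%s)%s)" % (GROUPNAME_ATTR, escape_filter_value(group),
                           expand(GROUP_FILTER, **{"Ldap-UserDn": user_dn}))
    return (True, "via groupmembership_filter") if search(flt) \
        else (False, "not a member")

def users_file_decision(username):
    """The post's users entry: DEFAULT Ldap-Group != "wireless" -> Reject."""
    return "Accept" if ldap_group_matches(username, "wireless")[0] else "Reject"

if __name__ == "__main__":
    for name in ("user3", "user4", "user5", "nobody", "*"):
        print(name, ldap_group_matches(name, "wireless"), users_file_decision(name))
```

Run stand-alone, the script shows user3 accepted through memberOf, user4 accepted through the group filter, user5 and an unknown name rejected, and a User-Name of "*" treated as a literal (no match) rather than a wildcard. Two practical points follow from the log rather than from this model: in FreeRADIUS 2.x the ldap module's chase_referrals and rebind settings decide whether AD referrals are followed and whether the configured bind credentials are reused for them, which is where the anonymous rebind in the debug comes from; and the bind shown uses the domain Administrator with a cleartext password over plain port 389, so a dedicated read-only service account and LDAPS or StartTLS are the usual hardening for the search identity.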