Need help Configuring Radius and Ldap
Phil Mayers
p.mayers at imperial.ac.uk
Sun Dec 5 10:32:09 CET 2010
On 12/03/2010 08:43 PM, James Winter wrote:
> On Dec 3, 2010, at 10:52 AM, Phil Mayers wrote:
>> You haven't said what your problem is
>
> Sorry! My server tells me that it ldap did not find a correct matchup,
> but then returns true.
No. It says it found a match, but that:
>
> [ldap] performing search in cn=Users,dc=ds,dc=saintjoe,dc=edu, with
> filter (samaccountname=jwn6657)
> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP. Are you sure
> that the user is configured correctly?
...there was no "userPassword" (or it wasn't readable)
> [ldap] user jwn6657 authorized to use remote access
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
>
> It also then continues to search through other forms of
> authentication, and then it seems to return false to the remote device
> if any of these are false.
Firstly, radius and the modules don't return "false". The modules return
one of a number of error codes (e.g. "ok", above) and the server returns
either an Access-Accept or Access-Reject.
Secondly, the debug output you posted returns an "Access-Accept"
because, although the LDAP module was unable to see a userPassword
attribute on the LDAP entry, a later module sets the Auth-Type to
"ntlm_auth" and your server then obeys that.
This is all a non-standard config, so *someone* has configured the
server - was it you?
>
> The remote device also told me that the authentication was invalid. I
Well, FreeRadius sent an Access-Accept. What is the remote device? If
you hadn't trimmed the debugging output I might be able to suggest more.
> was able to successfully authenticate on this device by using the
> local users file (on the radius server).
So compare the reply in that case with the reply in this case, and
configure the radius server to send the same attributes.
>
>
>> The radius server is authenticating the user successfully:
>>
>>> Sending Access-Accept of id 186 to 131.93.254.2 port 4844
>>> Finished request 3.
>>> Going to the next request
Like I said - FreeRadius is sending an Access-Accept.
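The diagnosis above (modules return codes, not true/false; the outcome is the Access-Accept or Access-Reject; the fix is to compare the reply of the working users-file run with the LDAP run) can be mechanised over the debug output. The following is an added example, not code from the thread or from FreeRADIUS: a small Python parser for `radiusd -X` transcripts run over constructed, abridged sample output, where the `files` module and the reply attributes in the working run are assumed sample values.

```python
import re
from dataclasses import dataclass, field
# Constructed radiusd -X excerpts with sample values: the first mirrors the thread's
# LDAP run, the second an assumed working run where the users file handled the user.
LDAP_RUN = """\
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
++[ldap] returns ok
Found Auth-Type = ntlm_auth
Sending Access-Accept of id 186 to 131.93.254.2 port 4844
"""
USERS_RUN = """\
++[files] returns ok
Sending Access-Accept of id 187 to 131.93.254.2 port 4845
\tService-Type = Administrative-User
\tReply-Message = "ok"
"""

@dataclass
class RunSummary:
    module_returns: list = field(default_factory=list)  # (module, code) in order seen
    warnings: list = field(default_factory=list)
    auth_type: str = ""
    packet: str = ""                                    # Access-Accept or Access-Reject
    reply_attrs: dict = field(default_factory=dict)     # attributes sent in the reply

RETURN_RE = re.compile(r"^\+*\[([\w.-]+)\]\s+returns\s+(\w+)")   # ++[ldap] returns ok
AUTHTYPE_RE = re.compile(r"Found Auth-Type = (\S+)")
SENDING_RE = re.compile(r"^Sending (Access-\w+) of id \d+ to \S+ port \d+")
ATTR_RE = re.compile(r"^\s+([\w-]+) = (.+)$")                      # indented reply attribute

def parse_debug(text: str) -> RunSummary:
    """Reduce a radiusd -X transcript to the facts that decide the outcome."""
    s, in_reply = RunSummary(), False
    for line in text.splitlines():
        if in_reply and (m := ATTR_RE.match(line)):   # attributes follow the Sending line
            s.reply_attrs[m.group(1)] = m.group(2).strip()
            continue
        in_reply = False
        if m := RETURN_RE.match(line):
            s.module_returns.append((m.group(1), m.group(2)))
        elif line.startswith("WARNING:"):
            s.warnings.append(line)
        elif m := AUTHTYPE_RE.search(line):
            s.auth_type = m.group(1)
        elif m := SENDING_RE.match(line):
            s.packet, in_reply = m.group(1), True
    return s

def missing_reply_attrs(working: RunSummary, broken: RunSummary) -> dict:
    """Attributes the working run sent but the failing run did not."""
    return {k: v for k, v in working.reply_attrs.items() if k not in broken.reply_attrs}
```

Feeding both untrimmed transcripts through `missing_reply_attrs` lists exactly the attributes the LDAP path still needs to send for the remote device to accept the result.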