ldap - edirectory authentication

Gary Gatten Ggatten at waddell.com
Thu Dec 9 23:46:13 CET 2010

Good to see Novell fans still exist!
No time to dig into this, but I've seen on the list several times that copying configs from one version of FR to another is not always supported / recommended.  Probably doesn't help much, but maybe point you in the right direction.  Can you reinstall the original working version and conf of FR?

From: freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org On Behalf Of Robert Koskey
Sent: Thursday, December 09, 2010 4:41 PM
To: freeradius-users at lists.freeradius.org
Subject: ldap - edirectory authentication

Can anyone help? We are trying to do an LDAP authentication from Novell's eDirectory to an Aruba controller for wireless access. These are the errors we are getting.
It used to work perfectly, but the original RADIUS server blew up. We installed a new one with the same configuration and it doesn't work. The problem areas are marked in bold.
The problem seems to occur after the ldap authentication. I don't think we are entirely clear about the order in which the whole process happens.

Any help or suggestions would be greatly appreciated.

The set up is:
OpenSuse 11.0
FreeRadius 2.0.5

We have tried:
OpenSuse 11.3
FreeRadius 2.1.9  (same result)

rad_recv: Access-Request packet from host port 34806, id=218, length=199
 User-Name = "jordanhkaltenbruner"
 NAS-IP-Address =
 NAS-Port = 2
 NAS-Identifier = ""
 NAS-Port-Type = Wireless-802.11
 Calling-Station-Id = "78CA39B5D3E5"
 Called-Station-Id = "000B8661AC58"
 Service-Type = Login-User
 Framed-MTU = 1100
 EAP-Message = 0x02010018016a6f7264616e686b616c74656e6272756e6572
 Aruba-Essid-Name = "SCHS-Student"
 Aruba-Location-Id = "SpringbankW2-9"
 Message-Authenticator = 0x4542e9b98b5978ca1ca52b7617910620
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "jordanhkaltenbruner", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jordanhkaltenbruner
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
 expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=jordanhkaltenbruner)
 expand: ou=springhigh_lab,o=springhigh -> ou=springhigh_lab,o=springhigh
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as cn=admin,o=springhigh/???? to
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=springhigh_lab,o=springhigh, with filter (uid=jordanhkaltenbruner)
rlm_ldap: Added the eDirectory password 51601222 in check items as Cleartext-Password
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user jordanhkaltenbruner authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: No clear-text password in the request.  Not performing PAP.
++[pap] returns noop
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
  Found Post-Auth-Type Reject
+- entering group REJECT
 expand: %{User-Name} -> jordanhkaltenbruner
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 218 to port 34806
Finished request 0.

Robert Koskey,
Systems and Network Manager

Rocky View Schools
Telephone: 403-945-4080
Cell: 403-988-4640

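The request in the trace above carries an EAP-Message and no User-Password, the authorize group shows no eap module between suffix and ldap, and the server ends up at "auth: type Local" with nothing to check the eDirectory Cleartext-Password against. In FreeRADIUS 2.x it is the eap module in authorize that recognises an EAP-Message and sets Auth-Type = EAP. The following added example (written for this page, not code from the thread or from FreeRADIUS) decodes the EAP-Message hex exactly as it appears in the post and scans a radiusd -X trace for that pattern. The sample trace is constructed from the lines quoted above; the function names and the finding texts are this example's own.

```python
"""Decode an EAP-Message from a radiusd -X trace and check whether the eap
module ran in the authorize group.

Added example for this page; not part of the thread or of FreeRADIUS.
SAMPLE_TRACE is constructed from the debug lines quoted in the post.
"""
import re

# EAP codes and types from RFC 3748 / IANA (only the ones needed here)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def decode_eap_message(hexstr):
    """Parse one EAP packet (RFC 3748 section 4) given as the 0x... hex
    string FreeRADIUS prints for the EAP-Message attribute."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):          # Request/Response carry a type byte plus data
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
        pkt["data"] = raw[5:]
        if raw[4] == 1:         # Identity: the data is the cleartext identity
            pkt["identity"] = raw[5:].decode("utf-8", "replace")
    return pkt


ATTR_RE = re.compile(r"^\s+([\w-]+)\s*=\s*(.*)$")
MODULE_RE = re.compile(r"^\+\+\[([\w.]+)\]\s+returns\s+(\w+)")
AUTH_RE = re.compile(r"^auth: type (\S+)")


def analyze_trace(trace):
    """Walk a radiusd -X trace for one request and report why an EAP request
    could fall through to Local/PAP. Returns the request attributes, the
    modules that ran in authorize (in order), the auth type and findings."""
    attrs, modules, auth_type, section = {}, [], None, None
    for line in trace.splitlines():
        if line.startswith("rad_recv:"):
            section = "request"
            continue
        if line.startswith("+- entering group"):
            section = line.split()[-1]
            continue
        if section == "request":
            m = ATTR_RE.match(line)
            if m:
                attrs[m.group(1)] = m.group(2).strip('"')
        elif section == "authorize":
            m = MODULE_RE.match(line)
            if m:
                modules.append(m.group(1))
        m = AUTH_RE.match(line)
        if m:
            auth_type = m.group(1)
    findings = []
    if "EAP-Message" in attrs and "eap" not in modules:
        findings.append("EAP-Message present but the eap module never ran in "
                        "authorize, so Auth-Type was not set to EAP")
    if "EAP-Message" in attrs and "User-Password" not in attrs and auth_type == "Local":
        findings.append("request fell through to Local (PAP/CHAP) authentication "
                        "with no User-Password or CHAP-Password to check")
    return {"attrs": attrs, "modules": modules,
            "auth_type": auth_type, "findings": findings}


# Constructed from the lines quoted in the post (hosts elided there as well).
SAMPLE_TRACE = """\
rad_recv: Access-Request packet from host port 34806, id=218, length=199
 User-Name = "jordanhkaltenbruner"
 NAS-Port-Type = Wireless-802.11
 Service-Type = Login-User
 EAP-Message = 0x02010018016a6f7264616e686b616c74656e6272756e6572
 Message-Authenticator = 0x4542e9b98b5978ca1ca52b7617910620
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[suffix] returns noop
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: No clear-text password in the request.  Not performing PAP.
++[pap] returns noop
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
+- entering group REJECT
++[attr_filter.access_reject] returns updated
"""

if __name__ == "__main__":
    report = analyze_trace(SAMPLE_TRACE)
    print(decode_eap_message(report["attrs"]["EAP-Message"]))
    for finding in report["findings"]:
        print("finding:", finding)
```

Run against the constructed trace, the decoder shows the EAP-Message is an EAP Response (code 2, id 1, length 24) of type Identity carrying "jordanhkaltenbruner", i.e. the start of an EAP conversation rather than a PAP request, and the analyzer reports both that the eap module never ran in authorize and that the request fell through to Local authentication with no password attribute. A trace in which `++[eap] returns updated` appears in authorize and the server reports `auth: type EAP` produces no findings.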