Authenticating groups via LDAP

John Maher john at chem.umass.edu
Sun May 23 14:32:09 CEST 2010


On 05/22/2010 01:45 PM, Alan DeKok wrote:
> Johnny R wrote:
>> Alan,
>>
>> John Maher at the first post asked if there is any resource that is
>> particularly good at explaining how radius and its config files really
>> work. I just want to ask it again, if possible: is there any thread
>> or link illustrating how all the files in /etc/radb interact with each other.
> 
>   radiusd.conf is the "master" file, and reads all of the other ones.
> 
>   The "modules" directory contains module configuration.
> 
>   The "sites-available" directory contains sample virtual servers.
> 
>   The "sites-enabled" directory contains enabled virtual servers.
> 
>   The "dictionary" file references dictionaries.
> 
>   Everything else is usually a file needed by a module.
> 
>   It's really not that complicated, and the filenames are usually
> descriptive, so you can tell what they do.
> 
>   Alan DeKok.

Alan,

Thanks for this information. Being very new to radius, and a bit sloppy
with my wording, I was not clear about what I was looking for. It's true
that the function of the different config files is not that complicated.
What is not clear to me, when looking at the output of freeradius -X
that is generated from a user's connection attempt, is the sequencing
and reasoning behind the output.

For example, the output I posted included this:

[ldap] performing user authorization for jmaher
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap]     ... expanding second conditional
[ldap]     expand: %{User-Name} -> jmaher
[ldap]     expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=jmaher)
[ldap]     expand: dc=cns -> dc=cns
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=cns, with filter (uid=jmaher)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] sambaNtPassword -> NT-Password == 0x4537353238434135323632453745303645438324444363635383830453042333
  [ldap] sambaLmPassword -> LM-Password == 0x3743414639453142313632453745303645463337453431343231373532384341
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that
the user is configured correctly?
[ldap] user jmaher authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok

I don't understand several things in this output, but one example is
why it states:

WARNING: No "known good" password was found in LDAP.  Are you sure that
the user is configured correctly?

and the next line states:

[ldap] user jmaher authorized to use remote access

?

Anyway, a good resource for understanding how radius and its modules do
their jobs would be good to know about.

Thanks.

John
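As an added example (my own code, not part of this thread and not FreeRADIUS code), here is a small Python parser that reads one module's section of a radiusd -X trace in the 2.x format quoted above and recovers the sequence the original poster is asking about: the xlat expansions, the LDAP search it ran, the directory attributes it turned into RADIUS check items, the warnings, and the module's final return code, each reported on its own line. The trace it runs on is a constructed copy of the quoted excerpt with made-up hash values (the poster's real values are not used), and it assumes, as the excerpt shows, that binary attribute values are printed as 0x followed by hex. The function names parse_module_trace, classify_check_value and explain are mine.

```python
"""Read a FreeRADIUS 2.x 'radiusd -X' module trace and recover the order of
what one module did, what it found, and what it returned (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample, modelled on the ldap trace quoted in the post (not the
# poster's data).  The hash values are made up: NT-Password is the ASCII hex
# form of a 16-byte hash, which is how Samba stores sambaNtPassword, and
# LM-Password is 16 raw octets, so the two forms can be told apart below.
NT_HEX_STRING = "8846F7EAEE8FB117AD06BDD830B7586C"
SAMPLE_DEBUG = f"""\
[ldap] performing user authorization for jmaher
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap]     expand: (uid=%{{Stripped-User-Name:-%{{User-Name}}}}) -> (uid=jmaher)
[ldap]     expand: dc=cns -> dc=cns
  [ldap] performing search in dc=cns, with filter (uid=jmaher)
[ldap] looking for check items in directory...
  [ldap] sambaNtPassword -> NT-Password == 0x{NT_HEX_STRING.encode().hex()}
  [ldap] sambaLmPassword -> LM-Password == 0x{'aa' * 16}
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user jmaher authorized to use remote access
++[ldap] returns ok
"""

# One trace line: optional "++" nesting marks, optional "[module]" tag, message.
LINE_RE = re.compile(r"^\s*(?P<plus>\++)?(?:\[(?P<module>\w+)\])?\s*(?P<msg>.*?)\s*$")
EXPAND_RE = re.compile(r"^expand: (?P<template>.*?) -> (?P<result>.*)$")
SEARCH_RE = re.compile(r"^performing search in (?P<base>.+), with filter (?P<filter>.+)$")
CHECK_RE = re.compile(r"^(?P<ldap_attr>\S+) -> (?P<radius_attr>[\w-]+) (?P<op>\S+) (?P<value>\S+)$")
RETURN_RE = re.compile(r"^returns (?P<rcode>\w+)$")


@dataclass
class ModuleTrace:
    module: Optional[str] = None
    steps: List[str] = field(default_factory=list)              # every message, in order
    expansions: List[Tuple[str, str]] = field(default_factory=list)
    search_base: Optional[str] = None
    search_filter: Optional[str] = None
    check_items: List[Tuple[str, str, str, str]] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)
    rcode: Optional[str] = None                                   # from "++[module] returns X"


def parse_module_trace(text: str) -> ModuleTrace:
    trace = ModuleTrace()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        msg = m.group("msg")
        if not msg:
            continue
        if trace.module is None and m.group("module"):
            trace.module = m.group("module")
        trace.steps.append(msg)
        if msg.startswith("WARNING:"):
            trace.warnings.append(msg[len("WARNING:"):].strip())
        elif (e := EXPAND_RE.match(msg)):
            trace.expansions.append((e.group("template"), e.group("result")))
        elif (s := SEARCH_RE.match(msg)):
            trace.search_base, trace.search_filter = s.group("base"), s.group("filter")
        elif (c := CHECK_RE.match(msg)):
            trace.check_items.append((c.group("ldap_attr"), c.group("radius_attr"),
                                      c.group("op"), c.group("value")))
        elif m.group("plus") and (r := RETURN_RE.match(msg)):
            trace.rcode = r.group("rcode")
    return trace


def classify_check_value(value: str) -> dict:
    """A value printed as 0x... is the octet string the module holds.  If those
    octets are themselves ASCII hex digits, the directory stored the hash as a
    hex string, so the attribute is twice the length of the hash it encodes."""
    octets = bytes.fromhex(value[2:]) if value.startswith("0x") else value.encode()
    try:
        text = octets.decode("ascii")
    except UnicodeDecodeError:
        text = ""
    is_hex = bool(text) and len(text) % 2 == 0 and all(ch in "0123456789abcdefABCDEF" for ch in text)
    return {"octets": len(octets), "hex_string": is_hex, "decoded": text if is_hex else None}


def explain(trace: ModuleTrace) -> List[str]:
    """Re-state the trace in the order a reader wants: search, check items, warnings, result."""
    lines = [f"{trace.module}: searched {trace.search_base} with filter {trace.search_filter}"]
    for ldap_attr, radius_attr, op, value in trace.check_items:
        info = classify_check_value(value)
        form = (f"hex string encoding a {len(info['decoded']) // 2}-byte hash"
                if info["hex_string"] else "raw octets")
        lines.append(f"{trace.module}: check item {radius_attr} {op} "
                     f"<{info['octets']} octets, {form}> from {ldap_attr}")
    lines.extend(f"{trace.module}: warning: {w}" for w in trace.warnings)
    lines.append(f"{trace.module}: returned {trace.rcode} ({len(trace.steps)} trace lines)")
    return lines


if __name__ == "__main__":
    for line in explain(parse_module_trace(SAMPLE_DEBUG)):
        print(line)
```

Run stand-alone it prints the summary for the constructed trace. For a real trace, paste the lines for one module, from its "performing user authorization" line through its "++[module] returns" line, into SAMPLE_DEBUG. The summary keeps the warnings and the return code on separate lines, so it is visible at a glance that, as in the quoted output, the module still returned ok after the warning, and which directory attributes actually became check items and in what form.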
