LDAP auth success / User reject

Michael Arndt michael.arndt at berlin.de
Thu Nov 18 11:57:58 CET 2010


hello *

Scenario: FreeRADIUS auth via LDAP simple bind with user passwd / user name for a hot spot
                 Used config works with two other setups of same environment

Problem: simple bind returns ok
                  then another module rejects the user
Any hints where I should look?


Used Freeradius Version: FreeRADIUS Version 1.1.6

below debug output

Thu Nov 18 11:20:52 2010 : Debug:   modsingle[authorize]: returned from suffix (rlm_realm) for request 0
Thu Nov 18 11:20:52 2010 : Debug:   modcall[authorize]: module "suffix" returns noop for request 0
Thu Nov 18 11:20:52 2010 : Debug:   modsingle[authorize]: calling ldap (rlm_ldap) for request 0
Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: - authorize
Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: performing user authorization for test1
Thu Nov 18 11:20:52 2010 : Debug: radius_xlat:  '(uid=test1)'
Thu Nov 18 11:20:52 2010 : Debug: radius_xlat:  'l=Stadt,dc=de,o=Organisationr'
Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: attempting LDAP reconnection
Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: bind as cn=LDAPADMIN,o=Customer/sharedsecret to 127.0.0.1:389
Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: waiting for bind result ...
Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: Bind was successful
Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: performing search in l=Stadt,dc=de,o=Organisation, with filter (uid=test1)
Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: looking for check items in directory...
Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: looking for reply items in directory...
Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: Setting Auth-Type = ldap
Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: user test1 authorized to use remote access
Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Thu Nov 18 11:20:52 2010 : Debug:   modsingle[authorize]: returned from ldap (rlm_ldap) for request 0
Thu Nov 18 11:20:52 2010 : Debug:   modcall[authorize]: module "ldap" returns ok for request 0
Thu Nov 18 11:20:52 2010 : Debug:   modsingle[authorize]: calling eap (rlm_eap) for request 0
Thu Nov 18 11:20:52 2010 : Debug:   rlm_eap: No EAP-Message, not doing EAP
Thu Nov 18 11:20:52 2010 : Debug:   modsingle[authorize]: returned from eap (rlm_eap) for request 0
Thu Nov 18 11:20:52 2010 : Debug:   modcall[authorize]: module "eap" returns noop for request 0
Thu Nov 18 11:20:52 2010 : Debug:   modsingle[authorize]: calling files (rlm_files) for request 0
Thu Nov 18 11:20:52 2010 : Debug:     users: Matched entry DEFAULT at line 3
Thu Nov 18 11:20:52 2010 : Debug:   modsingle[authorize]: returned from files (rlm_files) for request 0
Thu Nov 18 11:20:52 2010 : Debug:   modcall[authorize]: module "files" returns ok for request 0
Thu Nov 18 11:20:52 2010 : Debug:   modsingle[authorize]: calling pap (rlm_pap) for request 0
Thu Nov 18 11:20:52 2010 : Debug: rlm_pap: Found existing Auth-Type, not changing it.
Thu Nov 18 11:20:52 2010 : Debug:   modsingle[authorize]: returned from pap (rlm_pap) for request 0
Thu Nov 18 11:20:52 2010 : Debug:   modcall[authorize]: module "pap" returns noop for request 0
Thu Nov 18 11:20:52 2010 : Debug: modcall: leaving group authorize (returns ok) for request 0
Thu Nov 18 11:20:52 2010 : Debug:   rad_check_password:  Found Auth-Type Reject
Thu Nov 18 11:20:52 2010 : Debug:   rad_check_password: Auth-Type = Reject, rejecting user
Thu Nov 18 11:20:52 2010 : Debug: auth: Failed to validate the user.
Thu Nov 18 11:20:52 2010 : Auth: Login incorrect: [test1/testpasswd] (from client wlanhsp port 0 cli 00:1e:c2:a3:4d:b  


line from users

DEFAULT Called-Station-Id =~ ".*:LIBRARY" , Ldap-group == "cn=city,cn=Groups,l=Stadt,dc=de,o=Organisation"                     

thx for any hints :-)
I have anonymized the ldap Attributes


Michael
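
Added example, not part of the original post: a small Python trace over debug output like the one above. It reports which Auth-Type a module logged setting, which Auth-Type rad_check_password found, and which authorize modules returned ok or updated in between. The sample lines are a constructed subset of the log in the post; the function name, the result fields and the "suspects" heuristic are assumptions of this example, not FreeRADIUS behaviour.

```python
import re

# Constructed sample: a subset of the debug lines quoted in the post.
SAMPLE_LOG = """\
Thu Nov 18 11:20:52 2010 : Debug:   modcall[authorize]: module "suffix" returns noop for request 0
Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: Setting Auth-Type = ldap
Thu Nov 18 11:20:52 2010 : Debug:   modcall[authorize]: module "ldap" returns ok for request 0
Thu Nov 18 11:20:52 2010 : Debug:   modcall[authorize]: module "eap" returns noop for request 0
Thu Nov 18 11:20:52 2010 : Debug:     users: Matched entry DEFAULT at line 3
Thu Nov 18 11:20:52 2010 : Debug:   modcall[authorize]: module "files" returns ok for request 0
Thu Nov 18 11:20:52 2010 : Debug: rlm_pap: Found existing Auth-Type, not changing it.
Thu Nov 18 11:20:52 2010 : Debug:   modcall[authorize]: module "pap" returns noop for request 0
Thu Nov 18 11:20:52 2010 : Debug:   rad_check_password:  Found Auth-Type Reject
"""

RET = re.compile(r'modcall\[authorize\]: module "([^"]+)" returns (\w+)')
SET = re.compile(r'(\w+): Setting Auth-Type = (\S+)')
FOUND = re.compile(r'rad_check_password:\s+Found Auth-Type (\S+)')
USERS = re.compile(r'users: Matched entry (\S+) at line (\d+)')

def trace_authorize(log):
    """Summarise what the authorize section did with Auth-Type (hypothetical helper)."""
    out = {"returns": [], "set": None, "found": None, "users_matches": [], "suspects": []}
    own_return = False  # the next module return belongs to the module that set Auth-Type
    for line in log.splitlines():
        if m := SET.search(line):
            out["set"] = m.group(2)
            own_return, out["suspects"] = True, []
        elif m := RET.search(line):
            name, rc = m.groups()
            out["returns"].append((name, rc))
            if own_return:
                own_return = False
            elif out["set"] and rc in ("ok", "updated"):
                # Assumption: a later module that did work may have changed the check items.
                out["suspects"].append(name)
        elif m := USERS.search(line):
            out["users_matches"].append((m.group(1), int(m.group(2))))
        elif m := FOUND.search(line):
            out["found"] = m.group(1)
    out["mismatch"] = bool(out["set"] and out["found"]
                           and out["set"].lower() != out["found"].lower())
    return out

if __name__ == "__main__":
    for key, value in trace_authorize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the only module that returns ok after rlm_ldap sets Auth-Type is files, whose DEFAULT entry at line 3 of the users file matched, so that entry is the first place to compare against the configuration.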



