LDAP Not working properly

vijaysingh vijay.singh at kochar.com
Mon Jul 18 12:28:55 CEST 2011


I have started Radius with radiusd -X 
After entering user name and password in cisco device it is giving "%
Authorization failed." immediatley.

The logs are as following. I don't know is it stripping cisco-avpair before
the RADIUS accept packet are sent to device. How to check the same ?

rad_recv: Access-Request packet from host 172.17.3.210 port 1645, id=197,
length=82
        NAS-IP-Address = 172.17.3.210
        NAS-Port = 1
        NAS-Port-Type = Virtual
        User-Name = "vijay.singh"
        Calling-Station-Id = "172.17.27.9"
        User-Password = "Password"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "vijay.singh", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
  [ldap] Entering ldap_groupcmp()
[files]         expand: OU=Servers,dc=kochar,dc=com ->
OU=Servers,dc=kochar,dc=com
[files] WARNING: Deprecated conditional expansion ":-".  See "man unlang"
for details
[files]         ... expanding second conditional
[files]         expand: %{User-Name} -> vijay.singh
[files]         expand:
(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) ->
(&(sAMAccountName=vijay.singh))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to 172.17.3.223:389, authentication 0
  [ldap] bind as CN=ADS Admin,OU=Servers,DC=kochar,DC=com/Password to
172.17.3.223:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in OU=Servers,dc=kochar,dc=com, with filter
(&(sAMAccountName=vijay.singh))
  [ldap] ldap_release_conn: Release Id: 0
[files]         expand:
(|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn})))
-> (|(&(objectClass=group)(member=))(&(objectClass=top)(uniquemember=)))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in OU=Servers,dc=kochar,dc=com, with filter
(&(cn=CiscoAdminLr)(|(&(objectClass=group)(member=))(&(objectClass=top)(uniquemember=))))
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in CN=Vijay Singh,OU=Servers,DC=kochar,DC=com,
with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
  [ldap] ldap_release_conn: Release Id: 0
++[files] returns noop
[ldap] performing user authorization for vijay.singh
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> vijay.singh
[ldap]  expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) ->
(&(sAMAccountName=vijay.singh))
[ldap]  expand: OU=Servers,dc=kochar,dc=com -> OU=Servers,dc=kochar,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in OU=Servers,dc=kochar,dc=com, with filter
(&(sAMAccountName=vijay.singh))
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap] Setting Auth-Type = LDAP
[ldap] user vijay.singh authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = LDAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group LDAP {...}
[ldap] login attempt by "vijay.singh" with password "Password"
[ldap] user DN: CN=Vijay Singh,OU=Servers,DC=kochar,DC=com
  [ldap] (re)connect to 172.17.3.223:389, authentication 1
  [ldap] bind as CN=Vijay Singh,OU=Servers,DC=kochar,DC=com/Password to
172.17.3.223:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
[ldap] user vijay.singh authenticated succesfully
++[ldap] returns ok
        expand: Host %n% -> Host 172.17.3.210%
Login OK: [vijay.singh] (from client Kipl Asr Network port 1 cli
172.17.27.9) Host 172.17.3.210%
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 197 to 172.17.3.210 port 1645
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 197 with timestamp +27
Ready to process requests.


--
View this message in context: http://freeradius.1045715.n5.nabble.com/LDAP-Not-working-properly-tp4593327p4598911.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



More information about the Freeradius-Users mailing list