FR 3.0 with eDir

Olivier Beytrison olivier at heliosnet.org
Wed Dec 18 15:01:51 CET 2013


On 18.12.2013 13:49, Hubert Kupper wrote:
> On 18.12.2013 10:54, Hubert Kupper wrote:
> Ok, I reset the password for user dumm and tried it again. Here is
> the output:
[snip]
> rlm_ldap (ldap): Reserved connection (2)
> (9) ldap :     expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" ->
> '(cn=dumm)'
> (9) ldap :     expand: "o=org" -> 'o=org'
> (9) ldap : Performing search in 'o=org' with filter '(cn=dumm)'
> (9) ldap : Waiting for search result...
> (9) ldap : User object found at DN "cn=dumm,ou=test1,ou=test,o=org"
> (9) ldap : Added eDirectory password in check items as
> Cleartext-Password = pwddummy
> (9) ldap : Binding as user for eDirectory authorization checks
> (9) ldap : Waiting for bind result...
> (9) ldap : Bind successful
> (9) ldap : Bind as user "cn=dumm,ou=test1,ou=test,o=org" was successful
> rlm_ldap (ldap): Released connection (2)
> (9)   [ldap] = ok

That's good
[snip]
> /etc/raddb/sites-enabled/inner-tunnel
> (9) eap_mschapv2 :  Auth-Type MS-CHAP {
> (9) mschap : Creating challenge hash with username: dumm
> (9) mschap : Client is using MS-CHAPv2 for dumm, we need NT-Password
> (9) mschap : adding MS-CHAPv2 MPPE keys
> (9)   [mschap] = ok

That's also good :)

[snip]
> (10) ldap :     expand: "." -> '.'
> (10) ldap :     expand: "Authenticated at %S" -> 'Authenticated at
> 2013-12-18 13:34:42'
> rlm_ldap (ldap): Reserved connection (2)
> (10) ldap : Waiting for bind result...
> (10) ldap : Bind successful
> (10) ldap :     expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" ->
> '(cn=dumm)'
> (10) ldap :     expand: "o=org" -> 'o=org'
> (10) ldap : Performing search in 'o=org' with filter '(cn=dumm)'
> (10) ldap : Waiting for search result...
> (10) ldap : User object found at DN "cn=dumm,ou=test1,ou=test,o=org"
> (10) ldap : Modifying object with DN "cn=dumm,ou=test1,ou=test,o=org"
> (10) ldap : Waiting for modify result...
> rlm_ldap (ldap): Released connection (2)
> (10)   [ldap] = reject

That's not good. You're calling the ldap module in
inner-tunnel.post-auth; I guess you're updating values in the LDAP. But
for some reason it fails and returns a reject. The logs don't show what
went wrong, though.

If you comment the ldap module in post-auth, it will work.

Is there a reason why you have ldap listed in post-auth? Can you post
your inner-tunnel config?

Olivier
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: olivier at heliosnet.org
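As an added illustration (not part of the thread and not FreeRADIUS's own tooling), a small Python script that parses this style of radiusd -X output, collects the per-request module return codes, and flags any module that returned a non-passing code, noting when the ldap module rejected right after attempting a directory modify, which is the pattern in request (10) above. The sample log is constructed from the excerpts quoted in the thread.

```python
import re

# Constructed sample, trimmed from the thread's "radiusd -X" output (FreeRADIUS 3.0 format):
# request number in parentheses, module return codes on "(N)   [module] = rc" lines.
SAMPLE_LOG = """\
(9) ldap : Performing search in 'o=org' with filter '(cn=dumm)'
(9) ldap : Bind as user "cn=dumm,ou=test1,ou=test,o=org" was successful
(9)   [ldap] = ok
(9) eap_mschapv2 :  Auth-Type MS-CHAP {
(9)   [mschap] = ok
(10) ldap :     expand: "Authenticated at %S" -> 'Authenticated at
2013-12-18 13:34:42'
(10) ldap : Modifying object with DN "cn=dumm,ou=test1,ou=test,o=org"
(10) ldap : Waiting for modify result...
(10)   [ldap] = reject
"""

RC_LINE = re.compile(r"^\((\d+)\)\s+\[([\w.-]+)\]\s*=\s*(\w+)\s*$")
MODIFY_LINE = re.compile(r'^\((\d+)\) (\S+) : Modifying object with DN "([^"]+)"')
# Module return codes that stop the request from succeeding.
NON_PASSING = {"reject", "fail", "invalid", "userlock", "notfound"}

def module_results(log):
    """Return {request_id: [(module, rc), ...]} in the order the modules ran."""
    results = {}
    for line in log.splitlines():
        m = RC_LINE.match(line)
        if m:
            req, module, rc = m.groups()
            results.setdefault(int(req), []).append((module, rc))
    return results

def modify_attempts(log):
    """Return {request_id: (module, DN)} for requests in which a module tried an LDAP modify."""
    attempts = {}
    for line in log.splitlines():
        m = MODIFY_LINE.match(line)
        if m:
            attempts[int(m.group(1))] = (m.group(2), m.group(3))
    return attempts

def diagnose(log):
    """Describe every non-passing module result; when the failing module is the one
    that just attempted a directory write, say so (a failed post-auth update that
    turns into a reject for the user)."""
    writes = modify_attempts(log)
    findings = []
    for req, mods in sorted(module_results(log).items()):
        for module, rc in mods:
            if rc in NON_PASSING:
                note = f"request {req}: [{module}] = {rc}"
                if req in writes and writes[req][0] == module:
                    note += f" after attempting to modify {writes[req][1]}"
                findings.append(note)
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

Run it against a full debug capture to see at a glance which request and which module produced the reject, rather than reading the whole trace.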


More information about the Freeradius-Users mailing list