Freeradius + Ldap - Authorise OK but NO dynamic VLANs

Matthew Newton mcn4 at leicester.ac.uk
Mon Aug 22 19:02:31 CEST 2016


On Mon, Aug 22, 2016 at 05:53:04PM +0200, Matthew Pulis wrote:
> How come it is seeing that it is not a member of SeminaryAdmin when
> ldapsearch specifically says it is? I didn't touch the default schema in
> OpenLDAP so it should be pretty much straightforward from that side.

Because likely either the search that FreeRADIUS is doing is the
wrong search for your LDAP schema, or the bind user hasn't got
permission to read the data. Looks like the former.

> Mon Aug 22 17:43:18 2016 : Debug: rlm_ldap (ldap): Bind successful
> Mon Aug 22 17:43:18 2016 : Debug: (0)     User is not a member of
> "SeminaryAdmin" <============================!!!!!!!!!
> Mon Aug 22 17:43:18 2016 : Debug: (0)     if (Ldap-Group ==
> "SeminaryAdmin")  -> FALSE

This is really hard to read, and missing all the startup data.
Please always post the whole debug output in each mail; it makes
it so much easier to help. And just "radiusd -X". No -xx or -XXX
or anything else, unless asked. That should skip the timestamps
out and just include everything that is needed.

Easiest way is to run

  radiusd -X | tee log.txt

send a test packet, then hit Ctrl-C, and attach the log.txt file
to the e-mail. That will hopefully preserve it without line
wrapping and mangling it.

It's good you've now got a fresh up-to-date install, and it should
be clearer to see, but we need the whole output.

Thanks

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>

