
AW: Attributes Missing - Auth with ldap

Old 04-20-2005
Andre Herkenrath

Hi,
I looked at a few things:

1. the authorize section contains "ldap"
2. I bind with an existing user
3. I want to return "Filter-Id" and this is in the "ldap.attrmap"

The strange thing is the following:

I run the Freeradius on a Virtual machine.
I tried this first with Novell Server A.
There I had a very fast binding and got my return attributes.

Then I tried with Novell Server B
The binding was very slow and I didn't get my attributes.

The only things I changed were the servers and groups I authenticate
against.

Your answer brings me to another question:
Do the return attributes need to be defined in the user properties on
the Novell server?

Find attached a debug output:

rad_recv: Access-Request packet from host 170.56.119.129:3243, id=1,
length=48
User-Name = "herkenra"
User-Password = "removed"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "herkenra", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'OU=Abteilungen,O=FKEL'
radius_xlat: '(uid=herkenra)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 170.56.185.59:389, authentication 0
rlm_ldap: bind as cn=B_LDAP,o=FKEL/ to 170.56.185.59:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in OU=Abteilungen,O=FKEL, with filter
(uid=herkenra)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat:
'(|(&(objectClass=GroupOfNames)(member=cn=herkenra,ou=GCD,ou=Abteilungen,o=FKEL))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn=herkenra,ou=GCD,ou=Abteilungen,o=FKEL)))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=WGRAS,O=FKEL, with filter
(|(&(objectClass=GroupOfNames)(member=cn=herkenra,ou=GCD,ou=Abteilungen,o=FKEL))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn=herkenra,ou=GCD,ou=Abteilungen,o=FKEL)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=herkenra,ou=GCD,ou=Abteilungen,o=FKEL,
with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "files" returns notfound for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for herkenra
radius_xlat: '(uid=herkenra)'
radius_xlat: 'OU=Abteilungen,O=FKEL'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Abteilungen,O=FKEL, with filter
(uid=herkenra)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user herkenra authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "herkenra" with password "removed"
rlm_ldap: user DN: cn=herkenra,ou=GCD,ou=Abteilungen,o=FKEL
rlm_ldap: (re)connect to 170.56.185.59:389, authentication 1
rlm_ldap: bind as cn=herkenra,ou=GCD,ou=Abteilungen,o=FKEL/removed to
170.56.185.59:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user herkenra authenticated succesfully
modcall[authenticate]: module "ldap" returns ok for request 0
modcall: group Auth-Type returns ok for request 0
Sending Access-Accept of id 1 to 170.56.119.129:3243
Finished request 0
Going to the next request

-----Original Message-----
From: Michael Mitchell [mailto:mitchell.michael@bigpond.com]
Sent: Wednesday, 20 April 2005 15:19
To: freeradius-users@lists.freeradius.org
Subject: Re: Attributes Missing - Auth with ldap


Firstly, run freeradius in debug mode (radiusd -X) and it will tell you
exactly what it is doing. You should be able to see which attribute it
has retrieved from the directory to add to the reply.

A few things to look at would be:

1) Do you have ldap configured in the authorize section of radiusd.conf?

This is where it picks up the attributes from the user's record.

2) If the answer to 1 is yes, you're doing an anonymous bind to the LDAP
server. Does that give you the necessary access rights to read the
record from LDAP?

3) If the answer to 2 is yes, are the attributes you're trying to
read/return configured in $prefix/etc/raddb/ldap.attrmap?

Hope that helps, and guides you on your way to a solution.

regards,
Mike



Andre Herkenrath wrote:
> Hi,
>
> I have a very strange problem.
> I authenticate a user against a Novell 6 Server, which is not the
> problem.
> But I need some Attributes from the authentication brought back to the
> NAS
>
> I put these in the users file and it worked with another server:
>
> Users (complete)
> -----------------
> DEFAULT Auth-Type := LDAP, Ldap-Group == "CN=WGRAS,O=FKEL"
> Reply-Message = "Welcome, you are allowed to have dialup
> access",
> Framed-Filter-Id = "std.ppp",
> Fall-Through = 0
> ------------------
> The Ldap portion of the radiusd.conf (comments removed)
> ----------------
>
> ldap {
> server = "170.56.185.59"
> identity = "anonymous"
> basedn = "OU=Abteilungen,O=FKEL"
> filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> start_tls = no
> dictionary_mapping = ${raddbdir}/ldap.attrmap
> ldap_connections_number = 5
> groupmembership_attribute = radiusGroupName
> timeout = 20
> timelimit = 20
> net_timeout = 10
> }
>
> Strangely the binds need a very long time (up to 8 seconds each) - but
> what does this have to do with the Attributes not being transmitted?
>
> As I said, the authentication works, but the Attributes are missing -
> Any Ideas?
>
> Regards
> Andre



-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
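Since the thread turns on reading radiusd -X output, here is an added Python helper (not from the thread and not FreeRADIUS code) that condenses such a trace into per-section module return codes, the LDAP searches with their outcomes, and two diagnostic hints, one of which is the "files returns notfound" after the failed Ldap-Group compare seen above. The sample trace is a constructed excerpt modelled on the one quoted in this post, and the line formats assumed are those of the 1.x debug output shown there.

```python
import re

# Constructed excerpt modelled on the radiusd -X output quoted in the post above.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 170.56.119.129:3243, id=1, length=48
Processing the authorize section of radiusd.conf
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_ldap: Entering ldap_groupcmp()
rlm_ldap: performing search in CN=WGRAS,O=FKEL, with filter (|(&(objectClass=GroupOfNames)(member=cn=herkenra,ou=GCD,ou=Abteilungen,o=FKEL)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
modcall[authorize]: module "files" returns notfound for request 0
rlm_ldap: performing search in OU=Abteilungen,O=FKEL, with filter (uid=herkenra)
rlm_ldap: looking for reply items in directory...
modcall[authorize]: module "ldap" returns ok for request 0
Processing the authenticate section of radiusd.conf
modcall[authenticate]: module "ldap" returns ok for request 0
Sending Access-Accept of id 1 to 170.56.119.129:3243
"""

MODCALL = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+)')
SEARCH = re.compile(r'rlm_ldap: performing search in (.+?), with filter (.+)')
RESULT = re.compile(r'Sending (Access-\w+) of id')

def summarize(debug_text):
    """Condense radiusd -X output into module return codes, LDAP searches and hints."""
    modules, searches, hints, result = {}, [], [], None
    lines = debug_text.splitlines()
    for i, line in enumerate(lines):
        if m := MODCALL.search(line):
            modules.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
        elif m := SEARCH.search(line):
            # rlm_ldap reports a failed search on the line that follows it
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            searches.append((m.group(1), m.group(2), "object not found" not in nxt))
        elif m := RESULT.search(line):
            result = m.group(1)
    if "ldap_groupcmp: ldap_get_values() failed" in debug_text:
        hints.append("Ldap-Group compare failed: a users-file entry with that check item "
                     "cannot match, so its reply items (Filter-Id etc.) are never added")
    if modules.get("authorize", {}).get("files") == "notfound":
        hints.append("'files' matched no entry: reply attributes must come from LDAP "
                     "(ldap.attrmap) or the entry's check items must be made to match")
    return {"modules": modules, "searches": searches, "hints": hints, "result": result}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_DEBUG).items():
        print(key, value)
```

Run it against a saved radiusd -X capture to see at a glance which module produced (or failed to produce) the reply items before the Access-Accept went out.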