Problem in LDAP Group Access
Kostas Kalevras
kkalev@noc.ntua.gr
Wed, 8 May 2002 16:42:31 +0300 (EET DST)
On Wed, 8 May 2002 m.raman@i-stt.com wrote:
> Hi,
>
> I am having a problem with LDAP Group access. Below is the configuration
> info. In the mail archive I found that I need to create Ldap-Group, but I don't
> know where to create this Ldap-Group.
>
> I attached the radius debug information also.
>
>
> /raddb/radiusd.conf File:-
> -----------------
>
> ldap {
> server = "localhost"
> identity = "cn=Manager,dc=i-stt,dc=com"
> password = secret
> basedn = "dc=i-stt,dc=com"
> start_tls = no
> ldap_connections_number = 5
> password_attribute = userPassword
> groupname_attribute = cn
> groupmembership_filter = (&(objectclass=posixGroup)(memberuid=%u))
> timeout = 4
> timelimit = 3
> net_timeout = 1
> }
>
>
> Group ldif File:
> ----------------
> dn: cn=group2,dc=i-stt,dc=com
> cn:group2
> description:RAS Users
> gidnumber:1100
> objectClass: top
> objectClass: posixGroup
> memberuid:TC
>
> User ldif File:
> ---------------
>
> dn: uid=TC,dc=i-stt,dc=com
> objectClass:top
> objectClass:account
> objectClass: posixAccount
> userPassword: {SSHA}gmfbti8L3iAgscNt+K9U+vBm7qZVQA==
> uid: TC
> cn: group2
> uidNumber: 9010
> gidNumber: 1100
> homeDirectory:/
>
> /raddb/user file:
> -----------------
>
> DEFAULT Group == "group2", Auth-Type := LDAP
>
>
> radiusd -X output :-
> --------------------
> rad_recv: Access-Request packet from host 10.93.4.30:1699, id=53, length=42
> User-Name = "TC"
> User-Password = "T\264\343\242\273\226\2518T\241-)C\234p\202"
> modcall: entering group authorize
> modcall[authorize]: module "preprocess" returns ok
> modcall[authorize]: module "suffix" returns ok
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat: 'dc=i-stt,dc=com'
> radius_xlat: '(uid=TC)'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=i-stt,dc=com, with filter (uid=TC)
> rlm_ldap: performing search in dc=i-stt,dc=com, with filter (cn=group2)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap::ldap_groupcmp: Group group2 not found
Hmm, quite strange. Normally, it should find the group entry without problem.
What do you see in your ldap server logs? Do you have any ACLs blocking the
search? Try running the search manually through ldapsearch and see what happens.
ldapsearch -h localhost -D 'cn=Manager,dc=i-stt,dc=com' -b dc=i-stt,dc=com cn=group2
--
Kostas Kalevras Network Operations Center
kkalev@noc.ntua.gr National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
> ldap_release_conn: Release Id: 0
> modcall[authorize]: module "files" returns notfound
> modcall: group authorize returns ok
> auth: No Auth-Type configuration for the request, rejecting the user
> auth: Failed to validate the user.
> Delaying request 3 for 1 seconds
> Finished request 3
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 53 to 10.93.4.30:1699
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 3 ID 53 with timestamp 3cd8f2cd
> Nothing to do. Sleeping until we see a request.
>
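Added example, not part of the thread and not rlm_ldap's own code: an offline dry run of the group check against the two LDIF entries from the post. It parses the LDIF, evaluates search filters of the simple (&(a=b)(c=d)) form, and replays the steps visible in the radiusd -X output (find the user, find the group entry via groupname_attribute, then evaluate groupmembership_filter with %u substituted). Assumptions: caseIgnore equality matching for every attribute, no wildcards or substring filters, and the three-step order is a simplified model inferred from the debug lines rather than a copy of the module's logic. Run against the posted entries, the model's (cn=group2) lookup matches two entries, because the user entry in the post also carries cn: group2, which is one way to reach the "object not found or got ambiguous search result" message; giving the user entry its own cn (constructed fix) makes the check pass. A membership filter with a stray character in the value (constructed variant) parses as a valid LDAP filter and simply never matches, so that kind of typo fails silently at the last step.

```python
"""Offline dry run of an rlm_ldap-style Group check against LDIF entries.

Added example for the thread above, not code from FreeRADIUS or the poster.
Filter semantics are simplified (assumption: caseIgnore equality for all
attributes, equality items only, no wildcards).
"""

# Constructed sample data, mirroring the two entries from the post.
SAMPLE_LDIF = """
dn: cn=group2,dc=i-stt,dc=com
cn:group2
description:RAS Users
gidnumber:1100
objectClass: top
objectClass: posixGroup
memberuid:TC

dn: uid=TC,dc=i-stt,dc=com
objectClass:top
objectClass:account
objectClass: posixAccount
uid: TC
cn: group2
uidNumber: 9010
gidNumber: 1100
homeDirectory:/
"""

# Constructed config using the same keys as the posted ldap {} block.
CONFIG = {
    "basedn": "dc=i-stt,dc=com",
    "groupname_attribute": "cn",
    "groupmembership_filter": "(&(objectclass=posixGroup)(memberuid=%u))",
}


def parse_ldif(text):
    """Minimal LDIF parser: blank-line separated entries, 'attr: value' lines.
    Attribute names are lower-cased; values keep their case."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if cur:
                entries.append(cur)
                cur = None
            continue
        attr, sep, val = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {raw!r}")
        attr, val = attr.strip().lower(), val.strip()
        if attr == "dn":
            cur = {"dn": [val]}
        elif cur is None:
            raise ValueError(f"attribute line before any dn: {raw!r}")
        else:
            cur.setdefault(attr, []).append(val)
    if cur:
        entries.append(cur)
    return entries


def parse_filter(s):
    """Parse (attr=value), (&...), (|...) and (!...) into a nested tuple tree."""
    def node(i):
        if i >= len(s) or s[i] != "(":
            raise ValueError(f"expected '(' at offset {i} in {s!r}")
        i += 1
        if s[i] in "&|!":
            op, kids, i = s[i], [], i + 1
            while i < len(s) and s[i] == "(":
                kid, i = node(i)
                kids.append(kid)
            if i >= len(s) or s[i] != ")":
                raise ValueError(f"unbalanced filter near offset {i} in {s!r}")
            return (op, kids), i + 1
        end = s.find(")", i)
        if end < 0:
            raise ValueError(f"missing ')' in {s!r}")
        attr, sep, val = s[i:end].partition("=")
        if not sep:
            raise ValueError(f"unsupported filter item {s[i:end]!r}")
        return ("=", attr.strip().lower(), val), end + 1
    tree, i = node(0)
    if i != len(s):
        raise ValueError(f"trailing text after filter: {s[i:]!r}")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry (caseIgnore equality)."""
    op = tree[0]
    if op == "=":
        _, attr, val = tree
        return any(v.lower() == val.lower() for v in entry.get(attr, []))
    kids = tree[1]
    if op == "&":
        return all(matches(k, entry) for k in kids)
    if op == "|":
        return any(matches(k, entry) for k in kids)
    return not any(matches(k, entry) for k in kids)  # "!"


def search(entries, base, filt):
    """Subtree search: entries whose DN ends with base and match the filter."""
    tree = parse_filter(filt)
    base = base.lower()
    return [e for e in entries
            if e["dn"][0].lower().endswith(base) and matches(tree, e)]


def ldap_groupcmp(entries, config, username, groupname):
    """Replay the Group check in the order the debug output shows. Returns a
    diagnosis string; 'ok' means the Group == "<groupname>" check would pass."""
    base = config["basedn"]
    if len(search(entries, base, f"(uid={username})")) != 1:
        return f"user {username} not found or ambiguous"
    group_filter = f"({config['groupname_attribute']}={groupname})"
    groups = search(entries, base, group_filter)
    if len(groups) != 1:  # the module reports this as "not found or ambiguous"
        return f"Group {groupname} not found ({len(groups)} entries match {group_filter})"
    filt = config["groupmembership_filter"].replace("%u", username)
    if not matches(parse_filter(filt), groups[0]):
        return f"user {username} is not a member of {groupname} under {filt}"
    return "ok"


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print(ldap_groupcmp(entries, CONFIG, "TC", "group2"))
    # Constructed fix: give the user entry its own cn so only the group matches (cn=group2).
    entries[1]["cn"] = ["TC"]
    print(ldap_groupcmp(entries, CONFIG, "TC", "group2"))
    # Constructed typo: a stray '}' in the value is still a valid filter, it just never matches.
    bad = dict(CONFIG, groupmembership_filter="(&(objectclass=posixGroup)(memberuid=%u}))")
    print(ldap_groupcmp(entries, bad, "TC", "group2"))
```

Run as is, the script prints the "Group group2 not found" diagnosis first, "ok" after the user entry's cn is changed, and the silent membership miss for the typo'd filter last. The same three searches can be reproduced against a live server with ldapsearch bound as the identity DN, which also shows whether an ACL hides the group entry from that DN.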