rlm_ldap : user not found

rlm_ldap : user not found

Nicolas Viers - SCI
Hello,
I had a problem with FreeRADIUS and the rlm_ldap module:
sometimes, and I don't know why, users couldn't authenticate on the LDAP server.
I had this message in radius.log:
Auth: Login incorrect (rlm_ldap: User not found): [dupont]
and a few seconds later the authentication is OK with the same user:
Auth: Login OK: [dupont]

Maybe a timeout problem with LDAP?
Should I modify the timeout parameters in radiusd.conf or in slapd.conf?
Maybe the number of connections?
Should I increase the "ldap_connections_number =" parameter?

Thanks a lot

--
____________________________________________________________


Nicolas Viers                   |  Service Commun Informatique
E-mail: [hidden email]          |  123, avenue Albert Thomas
                                |     87060 Limoges cedex
Tel: 05-55-45-77-09             |  Fax: 05-55-45-75-95
                   http://www.unilim.fr/sci

____________________________________________________________

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: rlm_ldap : user not found

Dusty Doris

> Hello,
> I had a problem with FreeRADIUS and the rlm_ldap module:
> sometimes, and I don't know why, users couldn't authenticate on the LDAP server.
> I had this message in radius.log:
> Auth: Login incorrect (rlm_ldap: User not found): [dupont]
> and a few seconds later the authentication is OK with the same user:
> Auth: Login OK: [dupont]
>
> Maybe a timeout problem with LDAP?
> Should I modify the timeout parameters in radiusd.conf or in slapd.conf?
> Maybe the number of connections?
> Should I increase the "ldap_connections_number =" parameter?
>
> Thanks a lot
>

You really need to try to capture that in debug mode if you can.  That
will tell you exactly why the user was not found and whether there are any
issues such as timeouts to LDAP.

If it's sporadic and hard to reproduce, then it may be difficult to capture
in debug mode.  In that case, do a tcpdump or ethereal capture and
leave that running overnight or for an extended period of time.

Then, when you find that same scenario in the logs, go back to your packet
capture and compare the actual attributes coming over between the not-found
and the accept.  With that information, you can turn on debug mode in
radius and resend the packets using radclient with the same attributes as
you found in the capture for the two scenarios.

Also, you may want to send your users file and the ldap section of your
radiusd.conf here.  Perhaps there is a matching rule in the users file that is
causing that user to sometimes not be found.


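The procedure in the reply above (find the "User not found" followed by "Login OK" pair in radius.log, pull the matching time range from the overnight capture, then replay the attributes with radclient) as an added worked example. This is not code from the thread or from the FreeRADIUS project; it assumes the FreeRADIUS 1.x radius.log line shape "<ctime> : Auth: <result>: [<user>] ...", the rlm_ldap reason string quoted in the post, a 30-second window for what counts as the same login attempt, and radclient's one-"Attribute = value"-per-line input format. The log lines at the bottom are constructed, not taken from the poster's server.

```python
"""Correlate rlm_ldap "User not found" rejections with a later "Login OK"
for the same user in a FreeRADIUS radius.log, and prepare the follow-up.

Added example; the log format, the window and the radclient input format
are assumptions (see the lead-in), not something the thread confirms.
"""
import re
from datetime import datetime, timedelta

# Assumed FreeRADIUS 1.x log shape. The parenthesised reason is optional:
# a plain wrong password logs "Login incorrect: [user]" with no reason.
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]?\d \d\d:\d\d:\d\d \d{4}) : Auth: '
    r'(?P<result>Login OK|Login incorrect)(?: \((?P<reason>[^)]*)\))?: '
    r'\[(?P<user>[^\]]*)\]'
)
TS_FMT = '%a %b %d %H:%M:%S %Y'            # ctime(3) style timestamp
NOT_FOUND = 'rlm_ldap: User not found'     # reason string from the post


def parse_line(line):
    """Return (timestamp, result, reason, user) for an Auth line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return (datetime.strptime(m.group('ts'), TS_FMT),
            m.group('result'), m.group('reason'), m.group('user'))


def find_flaps(lines, window=timedelta(seconds=30)):
    """Users rejected with NOT_FOUND and then accepted within `window`.

    Only the rlm_ldap "User not found" rejection is tracked: a wrong-password
    "Login incorrect" followed by a success is the user retyping, not the
    LDAP-side flap the poster describes. Rejections older than `window` at
    the time of the "Login OK" are dropped, so a later unrelated success
    does not pair with a stale failure.
    """
    pending = {}   # user -> timestamp of the most recent "User not found"
    flaps = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, reason, user = parsed
        if result == 'Login incorrect':
            if reason == NOT_FOUND:
                pending[user] = ts
            continue
        failed_at = pending.pop(user, None)          # result == 'Login OK'
        if failed_at is not None and ts - failed_at <= window:
            flaps.append({'user': user, 'failed_at': failed_at, 'ok_at': ts,
                          'seconds': (ts - failed_at).total_seconds()})
    return flaps


def capture_window(flap, slack=timedelta(seconds=5)):
    """Time range to extract from the long-running tcpdump/ethereal capture
    so both the rejected and the accepted exchange (RADIUS and LDAP) are in it."""
    return (flap['failed_at'] - slack, flap['ok_at'] + slack)


def radclient_request(attrs):
    """Format attribute/value pairs recovered from the capture as radclient
    input: one 'Attribute = "value"' line per pair, fed to `radclient -f`
    while radiusd runs in debug mode (radiusd -X)."""
    return ''.join('%s = "%s"\n' % (name, value) for name, value in attrs.items())


# Constructed sample log lines (not from the poster's server). dupont flaps
# once within 5 s, once after 200 s (outside the window); durand is a plain
# wrong password and martin never failed.
SAMPLE_LOG = """\
Tue Jun 20 10:15:01 2006 : Auth: Login OK: [martin] (from client nas1 port 12)
Tue Jun 20 10:15:03 2006 : Auth: Login incorrect (rlm_ldap: User not found): [dupont] (from client nas1 port 7)
Tue Jun 20 10:15:08 2006 : Auth: Login OK: [dupont] (from client nas1 port 7)
Tue Jun 20 10:16:40 2006 : Auth: Login incorrect (rlm_ldap: User not found): [dupont] (from client nas1 port 7)
Tue Jun 20 10:20:00 2006 : Auth: Login OK: [dupont] (from client nas1 port 7)
Tue Jun 20 10:21:00 2006 : Auth: Login incorrect: [durand] (from client nas1 port 3)
Tue Jun 20 10:21:05 2006 : Auth: Login OK: [durand] (from client nas1 port 3)
"""

if __name__ == '__main__':
    for flap in find_flaps(SAMPLE_LOG.splitlines()):
        start, end = capture_window(flap)
        print('%(user)s: not found at %(failed_at)s, OK at %(ok_at)s '
              '(%(seconds).0f s later)' % flap)
        print('  inspect capture between %s and %s' % (start, end))
    # Attributes here are placeholders; take the real ones from the capture.
    print(radclient_request({'User-Name': 'dupont', 'User-Password': 'secret',
                             'NAS-IP-Address': '192.0.2.10'}), end='')
```

Run it against the real radius.log (`find_flaps(open('/var/log/radius/radius.log'))`), then cut the reported window out of the capture, read the Access-Request attributes of the rejected and the accepted exchange, and feed each set to radclient against a radiusd started with -X to see what rlm_ldap does with them.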