On Tue, 12 Dec 2006, Kostas Kalevras wrote:
Mark T. Valites wrote:
I'm trying to set up authentication to a SunOne Directory that requires not
only a successful bind by radius on behalf of the user attempting to
authenticate to it, but also a specified LDAP search filter to return a
result as well. I can't seem to get the freeradius ldap module to return
any result when the value of the attribute I'm comparing against contains a
'/', as often found in the 'homeDirectory' and 'loginShell' LDAP
attributes.
From the command line, the search and filter returns correctly:
$ ldapsearch -v -H ldaps://ldapserver.domain.com \
-b ou=people,dc=domain,dc=com -x -D \
"uid=myuid,ou=people,dc=domain,dc=com" -W \
'(&(uid=myuid)(loginShell=/bin/tcsh))'
The corresponding SunOne log:
[12/Dec/2006:11:10:24 -0500] conn=4896 op=-1 msgId=-1 - fd=45 slot=45 LDAPS
connection from www.xxx.yyy.zzz to xxx.yyy.zzz.www
[12/Dec/2006:11:10:24 -0500] conn=4896 op=0 msgId=1 - BIND
dn="uid=myuid,ou=people,dc=domain,dc=com" method=128 version=3
[12/Dec/2006:11:10:24 -0500] conn=4896 op=0 msgId=1 - RESULT err=0 tag=97
nentries=0 etime=0 dn="uid=myuid,ou=people,dc=domain,dc=com"
[12/Dec/2006:11:10:24 -0500] conn=4896 op=1 msgId=2 - SRCH
base="ou=people,dc=domain,dc=com" scope=2
filter="(&(uid=myuid)(loginShell=/bin/tcsh))"
attrs=ALL
[12/Dec/2006:11:10:24 -0500] conn=4896 op=1 msgId=2 - RESULT err=0
tag=101 nentries=1 etime=0
[12/Dec/2006:11:10:24 -0500] conn=4896 op=2 msgId=3 - UNBIND
[12/Dec/2006:11:10:24 -0500] conn=4896 op=2 msgId=-1 - closing - U1
[12/Dec/2006:11:10:25 -0500] conn=4896 op=-1 msgId=-1 - closed.
A snippet from my radiusd.conf:
server = "ldapserver.domain.com"
basedn = "ou=people,dc=domain,dc=com"
filter = "(&(uid=%u)(loginshell=/bin/tcsh))"
The output from running radiusd in debug mode:
rlm_ldap: - authorize
rlm_ldap: performing user authorization for myuid
radius_xlat: '(&(uid=myuid)(loginShell=/bin/tcsh))'
radius_xlat: 'ou=people,dc=domain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldapserver.domain.com:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: bind as / to ldapserver.domain.com:636
TLS certificate verification: Error, Unknown error
rlm_ldap: waiting for bind result ...
request 1 done
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=domain,dc=com, with filter
(&(uid=myuid)(loginShell=/bin/tcsh))
request 2 done
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns notfound for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type LDAP
auth: type "ldap"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "myuid" with password "mypasswd"
radius_xlat: '(&(uid=myuid)(loginShell=/bin/tcsh))'
radius_xlat: 'ou=people,dc=domain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=domain,dc=com, with filter
(&(uid=myuid)(loginShell=/bin/tcsh))
request 3 done
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authenticate]: module "ldap" returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
The corresponding SunOne log:
[12/Dec/2006:11:12:33 -0500] conn=4897 op=-1 msgId=-1 - fd=45 slot=45 LDAPS
connection from www.xxx.yyy.zzz to xxx.yyy.zzz.www
[12/Dec/2006:11:12:33 -0500] conn=4897 op=0 msgId=1 - BIND dn="" method=128
version=3
[12/Dec/2006:11:12:33 -0500] conn=4897 op=0 msgId=1 - RESULT err=0 tag=97
nentries=0 etime=0 dn=""
[12/Dec/2006:11:12:33 -0500] conn=4897 op=1 msgId=2 - SRCH
base="ou=people,dc=domina,dc=com" scope=2
filter="(&(uid=myuid)(loginShell=/bin/tcsh))" attrs="radiusnasipaddress
radiusexpiration acctflags ntpassword lmpassword radiuscallingstationid
radiuscalledstationid radiussimultaneoususe radiusauthtype radiuscheckitem
radiusreplymessage radiusloginlatport radiusportlimit
radiusframedappletalkzone radiusframedappletalknetwork
radiusframedappletalklink radiusloginlatgroup radiusloginlatnode
radiusloginlatservice radiusterminationaction radiusidletimeout
radiussessiontimeout radiusclass radiusframedipxnetwork radiuscallbackid
radiuscallbacknumber radiuslogintcpport radiusloginservice
radiusloginiphost radiusframedcompression radiusframedmtu radiusfilterid
radiusframedrouting radiusframedroute radiusframedipnetmask
radiusframedipaddress radiusframedprotocol radiusservicetype
radiusreplyitem"
[12/Dec/2006:11:12:33 -0500] conn=4897 op=1 msgId=2 - RESULT err=0 tag=101
nentries=0 etime=0
[12/Dec/2006:11:12:33 -0500] conn=4897 op=2 msgId=3 - SRCH
base="ou=people,dc=domain,dc=com" scope=2
filter="(&(uid=myuid)(loginShell=/bin/tcsh))" attrs="uid"
[12/Dec/2006:11:12:33 -0500] conn=4897 op=2 msgId=3 - RESULT err=0 tag=101
nentries=0 etime=0
Both searches in this log don't return any results. Also, compared to the
command line search, you are binding as anonymous in this case. So make sure
that anonymous searches work correctly.
The command line search did return something, but I didn't include the
result.
Nonetheless, your reply helped me - an ACL on the loginShell and
homeDirectory attributes was preventing me from seeing them. A command
line ldapsearch with an anonymous bind made this very evident.
It was dumb luck that the filters with attributes other than loginShell and
homeDirectory that I was checking weren't foiled by the ACL. I now clearly
see the distinction between the ways authN and authZ work when
connecting to ldap and the (now) obvious debug log entries. I'll either
adjust attribute ACLs appropriately or bind as a user with privileges to
see them.
Sorry for that noise and thank you for the help!
-Mark
--
Mark T. Valites
Senior Systems Administrator
University at Buffalo
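As an added diagnostic (not part of this thread, and not FreeRADIUS or Sun DS code): a small Python parser for access-log records in the format quoted above. It pairs each connection's bind DN with its searches and their nentries, so the symptom Kostas pointed at, the same filter returning an entry when bound as the user but nothing anonymously, shows up directly instead of having to be read off by eye. The sample records are constructed from the ones in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the SunOne access-log format quoted in the thread (one record per line).
SAMPLE_LOG = """\
[12/Dec/2006:11:10:24 -0500] conn=4896 op=0 msgId=1 - BIND dn="uid=myuid,ou=people,dc=domain,dc=com" method=128 version=3
[12/Dec/2006:11:10:24 -0500] conn=4896 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=myuid,ou=people,dc=domain,dc=com"
[12/Dec/2006:11:10:24 -0500] conn=4896 op=1 msgId=2 - SRCH base="ou=people,dc=domain,dc=com" scope=2 filter="(&(uid=myuid)(loginShell=/bin/tcsh))" attrs=ALL
[12/Dec/2006:11:10:24 -0500] conn=4896 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[12/Dec/2006:11:12:33 -0500] conn=4897 op=0 msgId=1 - BIND dn="" method=128 version=3
[12/Dec/2006:11:12:33 -0500] conn=4897 op=1 msgId=2 - SRCH base="ou=people,dc=domain,dc=com" scope=2 filter="(&(uid=myuid)(loginShell=/bin/tcsh))" attrs="uid"
[12/Dec/2006:11:12:33 -0500] conn=4897 op=1 msgId=2 - RESULT err=0 tag=101 nentries=0 etime=0
"""
REC = re.compile(r'^\[[^\]]+\] conn=(\d+) op=(-?\d+) msgId=-?\d+ - (\w+)(.*)$')
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value or key="quoted value"

def parse_log(text):
    """Return {conn: {"bind_dn": str|None, "searches": [{filter, attrs, nentries, err}]}}."""
    conns = defaultdict(lambda: {"bind_dn": None, "searches": []})
    pending = {}  # (conn, op) -> SRCH record still waiting for its RESULT line
    for m in filter(None, map(REC.match, text.splitlines())):
        conn, op, kind, rest = m.groups()
        fields = {k: v.strip('"') for k, v in KV.findall(rest)}
        if kind == "BIND":
            conns[conn]["bind_dn"] = fields.get("dn", "")
        elif kind == "SRCH":
            s = {"filter": fields.get("filter"), "attrs": fields.get("attrs"), "nentries": None, "err": None}
            conns[conn]["searches"].append(s)
            pending[(conn, op)] = s
        elif kind == "RESULT" and (conn, op) in pending:  # the bind RESULT (tag=97) has no pending SRCH
            s = pending.pop((conn, op))
            s["nentries"], s["err"] = int(fields.get("nentries", 0)), int(fields.get("err", 0))
    return dict(conns)

def flag_acl_suspects(conns):
    """Searches that succeeded (err=0) but matched nothing under an anonymous or never-bound
    identity: when an ACL hides an attribute from that identity, a filter on it never
    matches, so the server reports a clean, empty result rather than an error."""
    return [(c, s["filter"]) for c, info in conns.items() for s in info["searches"]
            if not info["bind_dn"] and s["err"] == 0 and s["nentries"] == 0]

def results_by_filter(conns):
    """The same filter under different bind identities, side by side: {filter: {dn: nentries}}."""
    table = defaultdict(dict)
    for info in conns.values():
        for s in info["searches"]:
            if s["nentries"] is not None:
                dn = info["bind_dn"] or "(anonymous)"
                table[s["filter"]][dn] = max(table[s["filter"]].get(dn, 0), s["nentries"])
    return dict(table)
```

Run it over a real access log and any filter that appears under both a user DN and "(anonymous)" with differing counts is a candidate for the ACL check Kostas suggested.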
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html