Re: Autz-Type examples and parse error

2010-10-13 Thread Harry Hoffman
Hi Alan,

Thanks for the help! This works well and lessens the confusion on my
part.

I do have one question. When using ldap as the authorization module the
Auth-Type gets set properly to siteone_ldap. But if I try using
ntlm_auth then the Auth-Type is not set even though ntlm_auth returns
OK.

rad_recv: Access-Request packet from host 127.0.0.1 port 38806, id=14, length=63
User-Name = SITEONE\\hhoffman
User-Password = password
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = SITEONE\hhoffman, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[ntdomain] Looking up realm SITEONE for User-Name = SITEONE\hhoffman
[ntdomain] Found realm SITEONE
[ntdomain] Adding Stripped-User-Name = hhoffman
[ntdomain] Adding Realm = SITEONE
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++? if (!Realm)
? Evaluating !(Realm) - FALSE
++? if (!Realm) - FALSE
++? elsif (Realm == siteone.edu)
? Evaluating (Realm == siteone.edu) - FALSE
++? elsif (Realm == siteone.edu) - FALSE
++? elsif (Realm == SITEONE)
? Evaluating (Realm == SITEONE) - TRUE
++? elsif (Realm == SITEONE) - TRUE
++- entering elsif (Realm == SITEONE) {...}
[siteone_ntlm_auth] expand: --username=%{Stripped-User-Name} -> --username=hhoffman
[siteone_ntlm_auth] expand: --password=%{User-Password} -> --password=password
Exec-Program output: NT_STATUS_OK: Success (0x0) 
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) 
Exec-Program: returned: 0
+++[siteone_ntlm_auth] returns ok
++- elsif (Realm == SITEONE) returns ok
++ ... skipping elsif for request 6: Preceding if was taken
++ ... skipping elsif for request 6: Preceding if was taken
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [SITEONE\\hhoffman] (from client localhost port 1812)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> SITEONE\hhoffman
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 14 to 127.0.0.1 port 38806
Waking up in 4.9 seconds.
Cleaning up request 6 ID 14 with timestamp +864
Ready to process requests.
On Tue, 2010-10-12 at 21:48 +0200, Alan DeKok wrote:
 Harry Hoffman wrote:
  I'm following along with the docs for Autz-Type in freeradius-2.1.8,
  specifically the section about selecting between multiple instances of a
  module.
 
   In 2.x, there are better ways to do this.  See man unlang for
 conditionally calling a module.
 
  In users.conf I have:
  DEFAULT Realm == siteone.edu, Autz-Type := siteone_ldap, Auth-Type :=
  siteone_ldap
 
   Please don't say users.conf.  It's the users file.
 
   The issue is that 2.x has the inner-tunnel virtual server, and the
 documentation is left over from 1.1.x.  The solution is instead to *not*
 use the users file.  Instead, do:
 
 authorize {
   ...
   if (Realm == siteone.edu) {
   siteone_ldap
   }
   ...
 }
 
   This will *also* have it automatically set Auth-Type to
 siteone_ldap, too.  That's simpler than the users file entry, and
 gives less room for mistakes.
 
   Alan DeKok.
 


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Autz-Type examples and parse error

2010-10-13 Thread Phil Mayers

On 13/10/10 14:40, Harry Hoffman wrote:

Hi Alan,

Thanks for the help! This works well and lessens the confusion on my
part.

I do have one question. When using ldap as the authorization module the
Auth-Type gets set properly to siteone_ldap. But if I try using


That's a feature of the ldap module; if it is a named module it sets 
the Auth-Type to that name (otherwise using LDAP)



ntlm_auth then the Auth-Type is not set even though ntlm_auth returns
OK.


The (confusingly named) ntlm_auth module is actually a copy of the 
exec module which checks PAP requests; it does not have that feature. 
You are also using it wrong, by running it in the authorize section.


You want something like:

authorize {
  if (Realm == ...) {
    ldap_siteone
  }
  elsif (Realm == ...) {
    update control {
      Auth-Type := PAP-ntdom
    }
  }
}

authenticate {
  Auth-Type ldap_siteone {
    ldap_siteone
  }
  Auth-Type PAP-ntdom {
    ntlm_auth
  }
}


I guess the other alternative is:

authorize {
  if (Realm == ...) {
    ldap_siteone
  }
  elsif (Realm == ...) {
    ntlm_auth
    if (ok) {
      update control {
        Auth-Type := PAP-ntdom
      }
    }
  }
}

...but maybe it's not really what you should be doing; authenticate 
should happen after authorize

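
As an added example (not part of this thread), a small Python triage script that reads radiusd -X output like the log Harry posted and reports what Phil describes: which authorize modules returned ok, which realm branch was taken, whether Auth-Type was ever set, and whether an exec-style module expanded the clear-text User-Password into the log. The embedded sample is a constructed, trimmed copy of the debug output quoted above.

```python
import re

# Constructed sample: a trimmed copy of the radiusd -X output quoted in this thread.
SAMPLE_LOG = """\
+- entering group authorize {...}
++[preprocess] returns ok
++[ntdomain] returns ok
++- entering elsif (Realm == SITEONE) {...}
[siteone_ntlm_auth] expand: --password=%{User-Password} -> --password=password
+++[siteone_ntlm_auth] returns ok
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Sending Access-Reject of id 14 to 127.0.0.1 port 38806
"""

MODULE_RC = re.compile(r"^\+*\[([\w.-]+)\] returns (\w+)$")
BRANCH = re.compile(r"entering (?:if|elsif) \((.+?)\) \{")
EXPAND = re.compile(r"^\[([\w.-]+)\] expand: .*--password=%\{User-Password\} -> ")
RESULT = re.compile(r"^Sending (Access-(?:Accept|Reject))")

def triage(log):
    """Summarise one request's authorize flow from radiusd -X output."""
    report = {"modules": [], "branches": [], "auth_type_missing": False,
              "leaked_password_modules": [], "result": None}
    for line in log.splitlines():
        line = line.strip()
        if m := MODULE_RC.match(line):
            report["modules"].append((m.group(1), m.group(2)))
        elif m := BRANCH.search(line):
            report["branches"].append(m.group(1))
        elif m := EXPAND.match(line):
            # an exec-style module put the clear-text User-Password on its command line
            report["leaked_password_modules"].append(m.group(1))
        elif line.startswith("No authenticate method (Auth-Type)"):
            report["auth_type_missing"] = True
        elif m := RESULT.match(line):
            report["result"] = m.group(1)
    return report

def diagnose(report):
    """Turn the parsed flow into findings a practitioner would act on."""
    findings = []
    ok_mods = [mod for mod, rc in report["modules"] if rc == "ok"]
    if report["auth_type_missing"] and ok_mods:
        findings.append("%s returned ok in authorize but nothing set Auth-Type; "
                        "set it with 'update control { Auth-Type := ... }'" % ", ".join(ok_mods))
    for mod in report["leaked_password_modules"]:
        findings.append("%s expanded User-Password into the debug log; scrub before sharing" % mod)
    return findings
```

Run `diagnose(triage(open("radiusd.log").read()))` against a saved debug session to get the two findings this thread turns on: an ok return that never set Auth-Type, and a password visible in the log.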


Re: Autz-Type examples and parse error

2010-10-13 Thread Harry Hoffman
Hi Phil,

Thanks for the pointers. I was attempting to use ntlm_auth to ensure the
account actually existed for the authorization section. And then again
in the authentication section to ensure the user name and password
match.

Is there a better way to check for authorization against AD?

Cheers,
Harry


On Wed, 2010-10-13 at 14:56 +0100, Phil Mayers wrote:
 On 13/10/10 14:40, Harry Hoffman wrote:
  Hi Alan,
 
  Thanks for the help! This works well and lessens the confusion on my
  part.
 
  I do have one question. When using ldap as the authorization module the
  Auth-Type gets set properly to siteone_ldap. But if I try using
 
 That's a feature of the ldap module; if it is a named module it sets 
 the Auth-Type to that name (otherwise using LDAP)
 
  ntlm_auth then the Auth-Type is not set even though ntlm_auth returns
  OK.
 
 The (confusingly named) ntlm_auth module is actually a copy of the 
 exec module which checks PAP requests; it does not have that feature. 
 You are also using it wrong, by running it in the authorize section.
 
 You want something like:
 
 authorize {
   if (Realm == ...) {
     ldap_siteone
   }
   elsif (Realm == ...) {
     update control {
       Auth-Type := PAP-ntdom
     }
   }
 }
 
 authenticate {
   Auth-Type ldap_siteone {
     ldap_siteone
   }
   Auth-Type PAP-ntdom {
     ntlm_auth
   }
 }
 
 
 I guess the other alternative is:
 
 authorize {
   if (Realm == ...) {
     ldap_siteone
   }
   elsif (Realm == ...) {
     ntlm_auth
     if (ok) {
       update control {
         Auth-Type := PAP-ntdom
       }
     }
   }
 }
 
 ...but maybe it's not really what you should be doing; authenticate 
 should happen after authorize
 




Re: Autz-Type examples and parse error

2010-10-13 Thread Phil Mayers

On 13/10/10 15:17, Harry Hoffman wrote:

Hi Phil,

Thanks for the pointers. I was attempting to use ntlm_auth to ensure the
account actually existed for the authorization section. And then again
in the authentication section to ensure the user name and password
match.


But that's not what you're doing. You're actually issuing a password 
check request.


And why check twice? If they don't exist, auth will fail in the 
authenticate {} section.

Is there a better way to check for authorization against AD?


It depends. What does authorization in this context mean?

AD has an integrated LDAP server, which is moderately useful; if you 
configure FreeRadius you can



Autz-Type examples and parse error

2010-10-12 Thread Harry Hoffman
Hi All,

I'm following along with the docs for Autz-Type in freeradius-2.1.8,
specifically the section about selecting between multiple instances of a
module.

In users.conf I have:
DEFAULT Realm == siteone.edu, Autz-Type := siteone_ldap, Auth-Type := siteone_ldap

In sites-enabled/default I have:

authorize {

  preprocess
  chap
  mschap
  suffix
  ntdomain

  Autz-Type siteone_ldap {
    siteone_ldap
  }

  ...
}

authenticate {
  ...
  Auth-Type siteone_ldap {
    siteone_ldap
  }
}



In proxy.conf I have:
realm siteone.edu {
  authhost = LOCAL
  accthost = LOCAL
}


When I run radiusd -XC I get the following parse error:
/etc/raddb/users[205]: Parse error (check) for entry DEFAULT: Unknown value siteone_ldap for attribute Autz-Type
Errors reading /etc/raddb/users


As far as I can tell I'm following the example verbatim. Can someone
shed some light on why I'm getting the parse error?

Below is the full debug output:


[r...@avocet raddb]# radiusd -XC
FreeRADIUS Version 2.1.8, for host i386-redhat-linux-gnu, built on Jan 19 2010 at 18:23:59
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/siteone_ntlm_auth
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/siteone_ldap
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
user = radiusd
group = radiusd
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/radius
libdir = /usr/lib/freeradius
radacctdir = /var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = /var/run/radiusd/radiusd.pid
checkrad = /usr/sbin/checkrad

Re: Autz-Type examples and parse error

2010-10-12 Thread Alan DeKok
Harry Hoffman wrote:
 I'm following along with the docs for Autz-Type in freeradius-2.1.8,
 specifically the section about selecting between multiple instances of a
 module.

  In 2.x, there are better ways to do this.  See man unlang for
conditionally calling a module.

 In users.conf I have:
 DEFAULT Realm == siteone.edu, Autz-Type := siteone_ldap, Auth-Type :=
 siteone_ldap

  Please don't say users.conf.  It's the users file.

  The issue is that 2.x has the inner-tunnel virtual server, and the
documentation is left over from 1.1.x.  The solution is instead to *not*
use the users file.  Instead, do:

authorize {
  ...
  if (Realm == siteone.edu) {
    siteone_ldap
  }
  ...
}

  This will *also* have it automatically set Auth-Type to
siteone_ldap, too.  That's simpler than the users file entry, and
gives less room for mistakes.

  Alan DeKok.