Re: Wrong behaviour of rlm_ldap module + users file
On 7/27/07, Phil Mayers [EMAIL PROTECTED] wrote:
DEFAULT
Ldap-UserDn = `cn=%{User-Name},ou=whatever,...`
Note that the DN need not be real
Hi Phil,
lol, I browsed the source too and I was gonna recompile it to exclude
the hardcoded uid search.
Clearly that would have been useless.
Thanks for the hints suggestion.
The line above, modified to match the needed suffix and DN did the trick.
I also found there was no need to tweak the radiusd.conf file and move
ldap to the instantiate section. That's good news.
--
In a sea of glass shards, I hear you screaming
--icchan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Wrong behaviour of rlm_ldap module + users file
On Fri, 2007-07-27 at 13:25 +0200, inverse wrote:
Hi,
I tried the suggestion and it didn't work, here are the involved
radiusd.conf sections.
Ok. I quick glance at the code shows that the Ldap-Group compare
function will do an LDAP search to find the users LDAP DN. You can set
it, and it should skip the search - however, the attribute needs to go
in the request pairs (grr) so put these lines in hints
DEFAULT
Ldap-UserDn = `cn=%{User-Name},ou=whatever,...`
Note that the DN need not be real
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Wrong behaviour of rlm_ldap module + users file
Hi,
I tried the suggestion and it didn't work, here are the involved
radiusd.conf sections.
You will also notice mschap and similars, that's because we also have
dialup users who need an ldap lookup for their belonging to a dialup
group and the password. I also need to check if chap still works with
this configuration...
instantiate {
exec
ldap
files
expr
}
authorize {
preprocess
auth_log
chap
mschap
suffix
eap
files
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
eap
}
And this is the users file line:
[EMAIL PROTECTED] Cleartext-Password := a, Ldap-Group == wifi
I also used this one:
[EMAIL PROTECTED] Ldap-Group == wifi
with EAP-TLS.
No way. Both first perform a user-existence check in the ldap_groupcmp() call.
Meaning these both work if user exists in the LDAP tree.
In the meanwhile I'm looking at the source code for this call... it
sounds like this search is hardcoded somewhere. Forgive my suckage.
T_T
Bye,
Inverse
On 7/26/07, inverse [EMAIL PROTECTED] wrote:
users file line:
[EMAIL PROTECTED] Auth-Type := EAP, User-Password == a, Ldap-Group ==
wifi
Totally wrong. You want:
[EMAIL PROTECTED] Cleartext-Password := a, Ldap-Group == wifi
Thanks, I owe you one
Bye,
Inverse.
--
In a sea of glass shards, I hear you screaming
--icchan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Wrong behaviour of rlm_ldap module + users file
Hi,
this problem is simple (everything not shown here is v1.1.6
out-f-the-box radiusd configuration):
users file line:
[EMAIL PROTECTED] Auth-Type := EAP, User-Password == a, Ldap-Group == wifi
this is a test line, [EMAIL PROTECTED] uses EAP-MD5 , but I want to
check if he's in the Ldap-Group named 'wifi'.
radiusd.conf lines, ldap section:
filter =(uid=%{User-Name})
edir_account_policy_check=no
password_attribute = userPassword
groupmembership_filter = ((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))
This is where I actually suck. I think this is correct, but it won't
work as expected because:
rad_recv: Access-Request packet from host 149.132.5.108:35285, id=0, length=160
User-Name = [EMAIL PROTECTED]
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = 02-00-00-00-00-01
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message =
0x021f0170616f6c6f2e676169617264656c6c6940756e696d69622e6974
Message-Authenticator = 0x14b3675352d738629cc1bb21695f3122
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
radius_xlat: '/var/log/radius/radacct/127.0.0.1/auth-detail-20070726'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20070726
modcall[authorize]: module auth_log returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: Looking up realm test.com for User-Name = [EMAIL PROTECTED]
rlm_realm: Found realm test.com
rlm_realm: Proxying request from user john.doe to realm test.com
rlm_realm: Adding Realm = test.com
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: EAP packet type response id 0 length 31
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'dc=test,dc=com
radius_xlat: '([EMAIL PROTECTED])'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.test.com:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /usr/local/etc/raddb/certs/crl/root.pem
rlm_ldap: bind as cn=ldapreader,ou=servizi,dc=test,dc=com/blargh to
ldap.test.com:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=test,dc=com, with filter
([EMAIL PROTECTED])
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat: '((objectClass=GroupOfNames)([EMAIL PROTECTED]))'
This is where the problem arises. I don't want to check if
[EMAIL PROTECTED] esists.
rlm_ldap wants to, but that's not what I told him to do. I never told
rlm_ldap to verify if [EMAIL PROTECTED] is an LDAP user. Now he is,
but only because I created him.
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=test,dc=com, with filter
((cn=wifi)((objectClass=GroupOfNames)([EMAIL PROTECTED])))
rlm_ldap::ldap_groupcmp: User found in group wifi
and THIS is what I want rlm_ldap to do.
I want to check this and only this, since [EMAIL PROTECTED] is a
member of wifi and doesn't exist anywhere else in the LDAP tree. He
isn't a user. He's just an object in group wifi.
That's what happens in my production environment. john'doe's login
fails because the first useless search fails.
I know I'm doing something horribly wrong, and I can't find out what's
my major malfunction.
Help!
rlm_ldap: ldap_release_conn: Release Id: 0
users: Matched entry [EMAIL PROTECTED] at line 32
Bye,
Inverse.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Wrong behaviour of rlm_ldap module + users file
users file line: [EMAIL PROTECTED] Auth-Type := EAP, User-Password == a, Ldap-Group == wifi Totally wrong. You want: [EMAIL PROTECTED] Cleartext-Password := a, Ldap-Group == wifi Thanks, I owe you one Bye, Inverse. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Wrong behaviour of rlm_ldap module + users file
On Thu, 2007-07-26 at 14:56 +0200, inverse wrote:
Hi,
this problem is simple (everything not shown here is v1.1.6
out-f-the-box radiusd configuration):
users file line:
[EMAIL PROTECTED] Auth-Type := EAP, User-Password == a, Ldap-Group ==
wifi
Totally wrong. You want:
[EMAIL PROTECTED] Cleartext-Password := a, Ldap-Group == wifi
Don't set auth type
Don't compare the password; set the server-side one
this is a test line, [EMAIL PROTECTED] uses EAP-MD5 , but I want to
check if he's in the Ldap-Group named 'wifi'.
radiusd.conf lines, ldap section:
filter =(uid=%{User-Name})
edir_account_policy_check=no
password_attribute = userPassword
groupmembership_filter =
((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))
This is where I actually suck. I think this is correct, but it won't
work as expected because:
rad_recv: Access-Request packet from host 149.132.5.108:35285, id=0,
length=160
User-Name = [EMAIL PROTECTED]
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = 02-00-00-00-00-01
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message =
0x021f0170616f6c6f2e676169617264656c6c6940756e696d69622e6974
Message-Authenticator = 0x14b3675352d738629cc1bb21695f3122
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
radius_xlat: '/var/log/radius/radacct/127.0.0.1/auth-detail-20070726'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20070726
modcall[authorize]: module auth_log returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: Looking up realm test.com for User-Name = [EMAIL PROTECTED]
rlm_realm: Found realm test.com
rlm_realm: Proxying request from user john.doe to realm test.com
rlm_realm: Adding Realm = test.com
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: EAP packet type response id 0 length 31
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'dc=test,dc=com
radius_xlat: '([EMAIL PROTECTED])'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.test.com:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /usr/local/etc/raddb/certs/crl/root.pem
rlm_ldap: bind as cn=ldapreader,ou=servizi,dc=test,dc=com/blargh to
ldap.test.com:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=test,dc=com, with filter
([EMAIL PROTECTED])
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat: '((objectClass=GroupOfNames)([EMAIL PROTECTED]))'
This is where the problem arises. I don't want to check if
[EMAIL PROTECTED] esists.
rlm_ldap wants to, but that's not what I told him to do. I never told
rlm_ldap to verify if [EMAIL PROTECTED] is an LDAP user. Now he is,
but only because I created him.
You've got the ldap module in authorize. Remove it.
You will need to put it in instantiate so that it gets initialised,
but you don't want to check it during authorize.
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=test,dc=com, with filter
((cn=wifi)((objectClass=GroupOfNames)([EMAIL PROTECTED])))
rlm_ldap::ldap_groupcmp: User found in group wifi
and THIS is what I want rlm_ldap to do.
I want to check this and only this, since [EMAIL PROTECTED] is a
member of wifi and doesn't exist anywhere else in the LDAP tree. He
isn't a user. He's just an object in group wifi.
That's what happens in my production environment. john'doe's login
fails because the first useless search fails.
I know I'm doing something horribly wrong, and I can't find out what's
my major malfunction.
Remove ldap from the authorize section and put it in the
instantiate section
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
