eDir Universal password implementation.

Peter Lambrechtsen peter at crypt.co.nz
Fri Dec 7 21:32:22 CET 2012


You shouldn't need your second LDAP in the post-auth section as per

On Sat, Dec 8, 2012 at 6:50 AM, Olivier Beytrison <olivier at heliosnet.org>wrote:

> On 07.12.2012 18:07, Olivier Beytrison wrote:
> > On 07.12.2012 17:54, Alan DeKok wrote:
> >>
> >>   I've pushed a one-character fix.
> >>
> > Found it also. and I also had to invert char * and size_t in my call in
> > rlm_ldap.c
> >
> > okay code working again.
> > I'll push all those change to my repo
> >
> code has been pushed along with some other fix/typo/formatting.
>
> Things works on my side [1]. I'm happy with it. now it depends on you if
> you want more rewriting of the code. If so I can test your change
> whenever you want.
>
> Olivier
>
> [1] working example
> rad_recv: Access-Request packet from host 127.0.0.1 port 39774, id=247,
> length=87
>         User-Name = "olivier.beytriso"
>         CHAP-Password = 0x9960e4b86ea318e5b24xxxxxxxxxxxxx
>         NAS-IP-Address = 160.98.240.25
>         NAS-Port = 0
>         Message-Authenticator = 0x0e83e1b97e7dd468e136da6be344114b
> (0) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (0)   group authorize {
> (0)  - entering group authorize {...}
> (0)    policy filter_username {
> (0)   - entering policy filter_username {...}
> [snip]
> (0)   - policy filter_username returns notfound
> (0)   [preprocess] = ok
> (0) chap : Setting 'Auth-Type := CHAP'
> (0)   [chap] = ok
> (0)   [mschap] = noop
> (0)   [digest] = noop
> (0) suffix : No '@' in User-Name = "olivier.beytriso", looking up realm
> NULL
> (0) suffix : No such realm "NULL"
> (0)   [suffix] = noop
> (0) eap : No EAP-Message, not doing EAP
> (0)   [eap] = noop
> (0)   [files] = noop
> (0) ldap :      expand: '%{Stripped-User-Name}' -> ''
> (0) ldap :      ... expanding second conditional
> (0) ldap :      escape: 'olivier.beytriso' -> 'olivier.beytriso'
> (0) ldap :      expand: '%{User-Name}' -> 'olivier.beytriso'
> (0) ldap :      expand: '(uid=%{%{Stripped-User-Name}:-%{User-Name}})'
> -> '(uid=olivier.beytriso)'
> (0) ldap :      expand: 'ou=people,o=hes-so' -> 'ou=people,o=hes-so'
> rlm_ldap (ldap): Reserved connection (4)
> (0) ldap : Performing search in 'ou=people,o=hes-so' with filter
> '(uid=olivier.beytriso)'
> (0) ldap : User found at DN "cn=31935762,ou=courant,ou=people,o=hes-so"
> (0) ldap : Added the eDirectory password XXXXXXXXXX in check items as
> Cleartext-Password
>

Yay!.. That's what the eDir code is all about :)


> (0) ldap :      control:hessoRole +=
> "31935762-440774439#RORG-HEFR-EIFR-INTR-INFO#EMP#COL" (hessoRole)
> rlm_ldap (ldap): Released connection (4)
> rlm_ldap (ldap): Closing idle connection (0): Too many free connections
> (5 > 3)
> rlm_ldap (ldap): Closing connection (0)
> (0)   [ldap] = ok
> (0)   [expiration] = noop
> (0)   [logintime] = noop
> (0) Found Auth-Type = CHAP
> (0) # Executing group from file /etc/freeradius/sites-enabled/default
> (0)   group CHAP {
> (0)  - entering group CHAP {...}
> (0) chap : login attempt by "olivier.beytriso" with CHAP password
> (0) chap : Using clear text password "XXXXXXXXXX" for user
> olivier.beytriso authentication.
> (0) chap : chap user olivier.beytriso authenticated succesfully
> (0)   [chap] = ok
> (0) # Executing section post-auth from file
> /etc/freeradius/sites-enabled/default
>

Starting here


> (0)   group post-auth {
> (0)  - entering group post-auth {...}
> rlm_ldap (ldap): Reserved connection (4)
> (0) ldap : Login attempt by "olivier.beytriso" with password "XXXXXXXXXX"
> (0) ldap : Bind as user "cn=31935762,ou=courant,ou=people,o=hes-so" was
> successful
> rlm_ldap (ldap): Released connection (4)
> (0)   [ldap] = ok
>

And here, since you've already checked your chap password against the eDir
password by sucking it cleartext over ssl out via Universal Password you
don't need to double check it :)


> (0)   [exec] = noop
> (0)    policy remove_reply_message_if_eap {
> (0)   - entering policy remove_reply_message_if_eap {...}
> (0)    ? if (reply:EAP-Message && reply:Reply-Message)
> (0) ? Evaluating (reply:EAP-Message ) -> FALSE
> (0) ? Skipping (reply:Reply-Message)
> (0)    ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE
> (0)     else else {
> (0)    - entering else else {...}
> (0)     [noop] = noop
> (0)    - else else returns noop
> (0)   - policy remove_reply_message_if_eap returns noop
> Sending Access-Accept of id 247 from 127.0.0.1 port 1812 to 127.0.0.1
> port 39774
>

We also use eDir support and had notified our account manager at
Novell/NetIQ about this... But it's brilliant you're doing the code changes.

The NMAS challenge response parts using a specific NMAS Method are also
pretty nifty when used with the Vasco tokens (which I have played with but
haven't managed to convince my management to deploy at my employer).  If you
were in the mood it's pretty easy to setup and test using the Simple
Password NMAS Method to confirm that the NMAS bits work too.

The last piece which I would *love* to see is adding in "Accounting Start /
Stop" support into rlm_ldap (and am willing to fund it depending on the
time / complexity).

What would be great is if via an Accounting Start you could add/replace an
attribute, and then via the accounting stop remove the attribute if it
exists.  We're using this since we have a Novell IDM Driver listening to
database changes, if a subscriber has an attribute change against their
eDir record, our IDM driver sends a CoA or DM mid-session change using the
Coova JRadius client to the BNG.  I currently built the code to make the
attribute change using a Perl module, which works well, but it would be nice if
it were in rlm_ldap instead :)
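The flow Peter describes above, as an added illustration that is not part of the original thread or of rlm_ldap: in authorize the directory hands back the cleartext Universal Password as a Cleartext-Password check item, the CHAP module proves the client knows it, and post-auth then has nothing left to verify, so a second LDAP bind there is redundant. The directory contents, the password and the `DIRECTORY`/`authorize`/`handle_access_request` names are constructed for this example; the CHAP computation itself is the standard RFC 1994 one (MD5 over identifier, secret and challenge), which is why CHAP needs the cleartext password and cannot be verified against a one-way hash.

```python
import hashlib
import hmac
import os

# Constructed stand-in for what rlm_ldap fetches from eDirectory in the
# authorize section (uid -> DN and Universal Password). Not a real directory.
DIRECTORY = {
    "olivier.beytriso": {
        "dn": "cn=31935762,ou=courant,ou=people,o=hes-so",
        "universal_password": "correct-horse-battery-staple",  # constructed
    },
}


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def build_chap_password_attr(ident: int, password: str, challenge: bytes) -> bytes:
    """Value of the RADIUS CHAP-Password attribute: 1-byte CHAP ident + 16-byte MD5.

    This is what a NAS puts on the wire; in the log above it shows up as
    CHAP-Password = 0x9960... (ident byte first).
    """
    return bytes([ident]) + chap_response(ident, password, challenge)


def authorize(user_name: str):
    """Mimic rlm_ldap in authorize: look the user up and add Cleartext-Password
    to the check items. Returns None when the user is not found."""
    entry = DIRECTORY.get(user_name)
    if entry is None:
        return None
    return {"Cleartext-Password": entry["universal_password"], "DN": entry["dn"]}


def authenticate_chap(check_items: dict, chap_password_attr: bytes, challenge: bytes) -> bool:
    """Mimic rlm_chap: recompute the response from the Cleartext-Password check
    item and compare it in constant time with what the client sent."""
    if len(chap_password_attr) != 17:
        return False
    ident = chap_password_attr[0]
    received = chap_password_attr[1:]
    expected = chap_response(ident, check_items["Cleartext-Password"], challenge)
    return hmac.compare_digest(received, expected)


def handle_access_request(user_name: str, chap_password_attr: bytes, challenge: bytes) -> str:
    """Run the three sections in the order the server does. The challenge is the
    CHAP-Challenge attribute if the NAS sent one, otherwise the 16-byte Request
    Authenticator of the Access-Request."""
    check_items = authorize(user_name)
    if check_items is None:
        return "Access-Reject"
    if not authenticate_chap(check_items, chap_password_attr, challenge):
        return "Access-Reject"
    # post-auth: the password was already proven in authenticate, so no LDAP
    # bind as the user is needed here; only reply attributes would be added.
    return "Access-Accept"


if __name__ == "__main__":
    # Constructed request: the NAS picks a random CHAP identifier and the
    # challenge comes from the Request Authenticator.
    request_authenticator = os.urandom(16)
    ident = 0x99
    good = build_chap_password_attr(ident, "correct-horse-battery-staple", request_authenticator)
    print(handle_access_request("olivier.beytriso", good, request_authenticator))
    bad = build_chap_password_attr(ident, "wrong-password", request_authenticator)
    print(handle_access_request("olivier.beytriso", bad, request_authenticator))
```

Because the directory has to release the cleartext password to the RADIUS server for this to work, the LDAP connection it travels over should be TLS-protected and the server should not log the check item, which is why the debug output above masks it as XXXXXXXXXX.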