You shouldn't need your second LDAP in the post-auth section as per <br><br><div class="gmail_quote">On Sat, Dec 8, 2012 at 6:50 AM, Olivier Beytrison <span dir="ltr"><<a href="mailto:olivier@heliosnet.org" target="_blank">olivier@heliosnet.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On 07.12.2012 18:07, Olivier Beytrison wrote:<br>
> On 07.12.2012 17:54, Alan DeKok wrote:<br>
>><br>
>> I've pushed a one-character fix.<br>
>><br>
> Found it also, and I also had to invert char * and size_t in my call in<br>
> rlm_ldap.c<br>
><br>
> okay code working again.<br>
> I'll push all those changes to my repo<br>
><br>
</div>Code has been pushed along with some other fixes/typos/formatting.<br>
<br>
Things work on my side [1]. I'm happy with it. Now it depends on you if<br>
you want more rewriting of the code. If so I can test your change<br>
whenever you want.<br>
<br>
Olivier<br>
<br>
[1] working example<br>
rad_recv: Access-Request packet from host 127.0.0.1 port 39774, id=247,<br>
length=87<br>
User-Name = "olivier.beytriso"<br>
CHAP-Password = 0x9960e4b86ea318e5b24xxxxxxxxxxxxx<br>
NAS-IP-Address = 160.98.240.25<br>
NAS-Port = 0<br>
Message-Authenticator = 0x0e83e1b97e7dd468e136da6be344114b<br>
(0) # Executing section authorize from file<br>
/etc/freeradius/sites-enabled/default<br>
(0) group authorize {<br>
(0) - entering group authorize {...}<br>
(0) policy filter_username {<br>
(0) - entering policy filter_username {...}<br>
[snip]<br>
(0) - policy filter_username returns notfound<br>
(0) [preprocess] = ok<br>
(0) chap : Setting 'Auth-Type := CHAP'<br>
(0) [chap] = ok<br>
(0) [mschap] = noop<br>
(0) [digest] = noop<br>
(0) suffix : No '@' in User-Name = "olivier.beytriso", looking up realm NULL<br>
(0) suffix : No such realm "NULL"<br>
(0) [suffix] = noop<br>
(0) eap : No EAP-Message, not doing EAP<br>
(0) [eap] = noop<br>
(0) [files] = noop<br>
(0) ldap : expand: '%{Stripped-User-Name}' -> ''<br>
(0) ldap : ... expanding second conditional<br>
(0) ldap : escape: 'olivier.beytriso' -> 'olivier.beytriso'<br>
(0) ldap : expand: '%{User-Name}' -> 'olivier.beytriso'<br>
(0) ldap : expand: '(uid=%{%{Stripped-User-Name}:-%{User-Name}})'<br>
-> '(uid=olivier.beytriso)'<br>
(0) ldap : expand: 'ou=people,o=hes-so' -> 'ou=people,o=hes-so'<br>
rlm_ldap (ldap): Reserved connection (4)<br>
(0) ldap : Performing search in 'ou=people,o=hes-so' with filter<br>
'(uid=olivier.beytriso)'<br>
(0) ldap : User found at DN "cn=31935762,ou=courant,ou=people,o=hes-so"<br>
(0) ldap : Added the eDirectory password XXXXXXXXXX in check items as<br>
Cleartext-Password<br></blockquote><div><br>Yay!.. That's what the eDir code is all about :)<br> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
(0) ldap : control:hessoRole +=<br>
"31935762-440774439#RORG-HEFR-EIFR-INTR-INFO#EMP#COL" (hessoRole)<br>
rlm_ldap (ldap): Released connection (4)<br>
rlm_ldap (ldap): Closing idle connection (0): Too many free connections<br>
(5 > 3)<br>
rlm_ldap (ldap): Closing connection (0)<br>
(0) [ldap] = ok<br>
(0) [expiration] = noop<br>
(0) [logintime] = noop<br>
(0) Found Auth-Type = CHAP<br>
(0) # Executing group from file /etc/freeradius/sites-enabled/default<br>
(0) group CHAP {<br>
(0) - entering group CHAP {...}<br>
(0) chap : login attempt by "olivier.beytriso" with CHAP password<br>
(0) chap : Using clear text password "XXXXXXXXXX" for user<br>
olivier.beytriso authentication.<br>
(0) chap : chap user olivier.beytriso authenticated succesfully<br>
(0) [chap] = ok<br>
(0) # Executing section post-auth from file<br>
/etc/freeradius/sites-enabled/default<br></blockquote><div><br>Starting here<br> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
(0) group post-auth {<br>
(0) - entering group post-auth {...}<br>
rlm_ldap (ldap): Reserved connection (4)<br>
(0) ldap : Login attempt by "olivier.beytriso" with password "XXXXXXXXXX"<br>
(0) ldap : Bind as user "cn=31935762,ou=courant,ou=people,o=hes-so" was<br>
successful<br>
rlm_ldap (ldap): Released connection (4)<br>
(0) [ldap] = ok<br></blockquote><div><br>And here, since you've already checked your CHAP password against the eDir password by sucking it out in cleartext over SSL via Universal Password, you don't need to double-check it :)<br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
(0) [exec] = noop<br>
(0) policy remove_reply_message_if_eap {<br>
(0) - entering policy remove_reply_message_if_eap {...}<br>
(0) ? if (reply:EAP-Message && reply:Reply-Message)<br>
(0) ? Evaluating (reply:EAP-Message ) -> FALSE<br>
(0) ? Skipping (reply:Reply-Message)<br>
(0) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE<br>
(0) else else {<br>
(0) - entering else else {...}<br>
(0) [noop] = noop<br>
(0) - else else returns noop<br>
(0) - policy remove_reply_message_if_eap returns noop<br>
Sending Access-Accept of id 247 from 127.0.0.1 port 1812 to 127.0.0.1<br>
port 39774<br></blockquote><div><br>We also use eDir support and had notified our account manager at Novell/NetIQ about this... But it's brilliant you're doing the code changes.<br><br>The NMAS challenge-response parts using a specific NMAS Method are also pretty nifty when used with the Vasco tokens (which I have played with but haven't managed to convince my management to deploy at my employer). If you were in the mood it's pretty easy to set up and test using the Simple Password NMAS Method to confirm that the NMAS bits work too.<br>
<br>The last piece I would *love* to see is adding "Accounting Start / Stop" support into rlm_ldap (and I am willing to fund it depending on the time / complexity).<br><br>What would be great is if via an Accounting Start you could add/replace an attribute, and then via the Accounting Stop remove the attribute if it exists. We're using this since we have a Novell IDM Driver listening to database changes: if a subscriber has an attribute change against their eDir record, our IDM driver sends a CoA or DM mid-session change using the Coova JRadius client to the BNG. I currently make the attribute change using a Perl module, which works well, but it would be nice if it were in rlm_ldap instead :)<br>
</div></div>
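Added example (editor's note, not code from the thread or from FreeRADIUS): the reply above says the post-auth LDAP bind is redundant because rlm_chap already verified the CHAP response in the authenticate section against the Cleartext-Password that rlm_ldap pulled from eDirectory in authorize. The script below models that flow end to end so the point is checkable: it builds the CHAP-Password attribute the way a NAS does (RFC 1994 / RFC 2865 section 5.3), picks the challenge the way rlm_chap does (CHAP-Challenge if present, otherwise the Request Authenticator), and verifies the response against a cleartext password. The directory lookup, the user entry and the 16-byte authenticator are constructed stand-ins; the password value "XXXXXXXXXX" is simply the redacted placeholder from the log.

```python
"""Model of the authorize + authenticate flow shown in the debug log:
fetch a cleartext password, then verify a CHAP response against it.
Added example; not FreeRADIUS or rlm_chap/rlm_ldap source."""
import hashlib
import hmac
from typing import Dict, Optional

# Constructed stand-in for rlm_ldap fetching the eDirectory Universal
# Password and adding it to the check items as Cleartext-Password.
# (The real thing is an LDAP extended operation over TLS; this is a dict.)
_DIRECTORY: Dict[str, str] = {
    "olivier.beytriso": "XXXXXXXXXX",  # redacted placeholder, as in the log
}


def lookup_cleartext_password(user_name: str) -> Optional[str]:
    """authorize section: rlm_ldap -> 'Cleartext-Password' check item."""
    return _DIRECTORY.get(user_name)


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def build_chap_password(ident: int, password: str, challenge: bytes) -> bytes:
    """NAS side. CHAP-Password (RFC 2865 section 5.3) = 1 byte Ident || 16 byte Response."""
    return bytes([ident]) + chap_response(ident, password.encode(), challenge)


def select_challenge(request: dict) -> bytes:
    """rlm_chap uses CHAP-Challenge when the NAS sent one; otherwise the
    16-byte Request Authenticator of the Access-Request is the challenge."""
    challenge = request.get("CHAP-Challenge")
    if challenge is None:
        challenge = request["Request-Authenticator"]
    return challenge


def verify_chap(request: dict, cleartext_password: str) -> bool:
    """authenticate section: recompute the response and compare in constant time."""
    attr = request["CHAP-Password"]
    if len(attr) != 17:
        raise ValueError("CHAP-Password must be 1 byte ident + 16 byte MD5 response")
    ident, response = attr[0], attr[1:]
    expected = chap_response(ident, cleartext_password.encode(), select_challenge(request))
    return hmac.compare_digest(expected, response)


def authenticate(request: dict) -> bool:
    """Whole decision: authorize (password fetch) then authenticate (CHAP).
    A post-auth bind with the same password would only repeat this check."""
    password = lookup_cleartext_password(request["User-Name"])
    if password is None:
        return False
    return verify_chap(request, password)


def sample_request(password: str, ident: int = 0x01) -> dict:
    """Constructed Access-Request mirroring the log: no CHAP-Challenge
    attribute, so the Request Authenticator doubles as the challenge."""
    authenticator = bytes(range(16))  # constructed; a real NAS uses random bytes
    return {
        "User-Name": "olivier.beytriso",
        "CHAP-Password": build_chap_password(ident, password, authenticator),
        "Request-Authenticator": authenticator,
    }


if __name__ == "__main__":
    print(authenticate(sample_request("XXXXXXXXXX")))  # True
    print(authenticate(sample_request("wrong-password")))  # False
```

Two things worth noticing when running it: changing the CHAP ident byte still authenticates because the ident is part of the hashed input on both sides, and adding a CHAP-Challenge attribute that differs from the one the NAS actually used makes verification fail, which is the failure mode you hit when a proxy or NAS rewrites the challenge. Neither case is improved by a second bind in post-auth: the bind just re-proves possession of the same password the server already used to compute the expected response.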