LDAP(Active Directory) password AND groups not working together

duckeo duckeo at gmail.com
Mon Jun 26 10:06:14 CEST 2006


On 6/26/06, duckeo <duckeo at gmail.com> wrote:
> Some random garbage

Okay, solved a few issues but found a few more - I realised I had a typo
in the above post and corrected that.

The one remaining issue is still the handling of failures. The debug
output seems to indicate an Auth-Type Reject is present, but it is not
matched to the users file.

I've tried simplifying things a bit:

Users file:
DEFAULT Auth-Type := LDAP, Ldap-Group == "RadiusWirelessVPN"
        Service-Type = Framed,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-IP-Netmask = 255.255.255.255,

DEFAULT Auth-Type := Reject
        Reply-Message = "Access Rejected - Please check your username
and password and try again."

Debug output upon VALID user with incorrect password:
rad_recv: Access-Request packet from host 10.200.148.49:4885, id=206, length=50
        User-Name = "radiustest"
        User-Password = "radiustest1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for radiustest
radius_xlat:  '(&(sAMAccountname=radiustest)(objectClass=person))'
radius_xlat:  'OU=Domain Users,DC=foo,DC=bar,DC=foo,DC=bar'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Domain
Users,DC=foo,DC=bar,DC=foo,DC=bar, with filter
(&(sAMAccountname=radiustest)(objectClass=person))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user radiustest authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 2
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'OU=Domain Users,DC=foo,DC=bar,DC=foo,DC=bar'
radius_xlat:  '(&(objectClass=group)(member=CN=Test\\,
Radius,OU=testing,OU=Domain Users,DC=foo,DC=bar,DC=foo,DC=bar))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Domain
Users,DC=foo,DC=bar,DC=foo,DC=bar, with filter
(&(cn=RadiusWirelessVPN)(&(objectClass=group)(member=CN=Test\\,
Radius,OU=testing,OU=Domain Users,DC=foo,DC=bar,DC=foo,DC=bar)))
rlm_ldap::ldap_groupcmp: User found in group RadiusWirelessVPN
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 219
  modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns ok for request 2
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 2
rlm_ldap: - authenticate
rlm_ldap: login attempt by "radiustest" with password "radiustest1"
rlm_ldap: user DN: CN=Test\, Radius,OU=testing,OU=Domain
Users,DC=foo,DC=bar,DC=foo,DC=bar
rlm_ldap: (re)connect to foo.bar.foo.bar:389, authentication 1
rlm_ldap: bind as CN=Test\, Radius,OU=testing,OU=Domain
Users,DC=foo,DC=bar,DC=foo,DC=bar/radiustest1 to foo.bar.foo.bar:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
rlm_ldap: 80090308: LdapErr: DSID-0C090334, comment:
AcceptSecurityContext error, data 52e, vece
  modcall[authenticate]: module "ldap" returns reject for request 2
modcall: group Auth-Type returns reject for request 2
auth: Failed to validate the user.
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 206 to 10.200.148.49:4885
        Reply-Message = "80090308: LdapErr: DSID-0C090334, comment:
AcceptSecurityContext error, data 52e, vece"
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 206 with timestamp 449f945f
Nothing to do.  Sleeping until we see a request.


The thing that puzzles me is:
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 219

It matches a DEFAULT line in users, but doesn't send the reply? It
continues to try to authenticate the user, and on the second time
fails to bind (due to incorrect credentials) and doesn't match the
line in Users:
rlm_ldap: Bind failed with invalid credentials
rlm_ldap: 80090308: LdapErr: DSID-0C090334, comment:
AcceptSecurityContext error, data 52e, vece
  modcall[authenticate]: module "ldap" returns reject for request 2
modcall: group Auth-Type returns reject for request 2
auth: Failed to validate the user.

And instead sends back via radius (in an Access-Reject packet):
Reply-Message=80090308: LdapErr: DSID-0C090334, comment:
AcceptSecurityContext error, data 52e, vece

Any ideas on this one?
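The behaviour in the debug output follows from FreeRADIUS walking the users file only once, during authorize, before the authentication method runs. The following is an added example, not FreeRADIUS code and not from the poster: a constructed model of the two phases, with the directory, group membership, the two DEFAULT entries and the bind-failure text all stubbed in. It shows why the second DEFAULT (Auth-Type := Reject) is reached only when the first entry's Ldap-Group comparison fails, and why a wrong password for a group member produces the LDAP module's own Reply-Message instead.

```python
# Added example: constructed model of FreeRADIUS authorize/authenticate
# ordering for the users file shown above. Not FreeRADIUS code.

# Constructed stand-in for the directory: user -> (password, groups).
DIRECTORY = {
    "radiustest": ("radiustest", {"RadiusWirelessVPN"}),
    "contractor": ("s3cret", {"Staff"}),
}

# The two DEFAULT entries from the users file, in file order.
# Each entry is (check items, reply items).
USERS_FILE = [
    ({"Auth-Type": "LDAP", "Ldap-Group": "RadiusWirelessVPN"},
     {"Service-Type": "Framed", "Framed-Protocol": "PPP"}),
    ({"Auth-Type": "Reject"},
     {"Reply-Message": "Access Rejected - Please check your username "
                       "and password and try again."}),
]

# Constructed stand-in for the message rlm_ldap attaches on a failed bind.
LDAP_BIND_FAILURE = "LDAP bind failed: invalid credentials (constructed)"


def ldap_groupcmp(user, group):
    """Stand-in for rlm_ldap's Ldap-Group comparison."""
    entry = DIRECTORY.get(user)
    return entry is not None and group in entry[1]


def authorize(user):
    """Walk the users file once, as the 'files' module does in authorize.

    'Auth-Type :=' is an assignment, not a comparison, so it never fails a
    match; 'Ldap-Group ==' is a real comparison. The first entry whose
    comparisons all succeed wins (no Fall-Through here). Returns
    (control items, reply items), or None when nothing matched.
    """
    for check, reply in USERS_FILE:
        control = {}
        matched = True
        for attr, value in check.items():
            if attr == "Auth-Type":
                control["Auth-Type"] = value
            elif attr == "Ldap-Group":
                matched = ldap_groupcmp(user, value)
            if not matched:
                break
        if matched:
            return control, dict(reply)
    return None


def authenticate(user, password, control):
    """The authenticate phase; it never consults the users file again."""
    if control.get("Auth-Type") == "Reject":
        return False, None
    entry = DIRECTORY.get(user)          # Auth-Type LDAP: bind as the user
    if entry is None or entry[0] != password:
        return False, LDAP_BIND_FAILURE
    return True, None


def process_request(user, password):
    """Return (packet type, reply attributes) for one Access-Request."""
    result = authorize(user)
    if result is None:
        return "Access-Reject", {}
    control, reply = result
    ok, module_msg = authenticate(user, password, control)
    if ok:
        return "Access-Accept", reply
    if module_msg:
        # Failed bind: the module's message is what goes back; the reply
        # items of the entry matched in authorize are not sent, and the
        # second DEFAULT entry is never consulted at this point.
        return "Access-Reject", {"Reply-Message": module_msg}
    # Auth-Type Reject from the users file: its own Reply-Message is sent.
    return "Access-Reject", reply


if __name__ == "__main__":
    for u, p in [("radiustest", "radiustest"), ("radiustest", "radiustest1"),
                 ("contractor", "s3cret"), ("nobody", "x")]:
        print(u, p, "->", process_request(u, p))
```

Run as-is, the group member with a wrong password is rejected with the bind failure text, while a non-member (or unknown user) falls through to the second DEFAULT and gets the users-file Reply-Message. The model also makes the operational point visible: on a failed bind the raw directory diagnostic is what reaches the client in the Access-Reject, so anyone wanting the friendlier message on password failures has to act after authentication rather than in the users file.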


