Problem with LDAP and Groups

Bryan Evege bryan at bevege.com
Thu Oct 11 20:39:46 CEST 2007


freeradius-users-request at lists.freeradius.org wrote:
> Send Freeradius-Users mailing list submissions to
> 	freeradius-users at lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> 	freeradius-users-request at lists.freeradius.org
>
> You can reach the person managing the list at
> 	freeradius-users-owner at lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
>    1. Re: Problem with LDAP and Groups (Alan DeKok)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 11 Oct 2007 09:58:49 +0200
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: Problem with LDAP and Groups
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Message-ID: <470DD7B9.9040607 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Bryan Evege wrote:
>   
>> Here's the problem.  When a user logs in and is a member of more than
>> one group radius only uses the first one to match.  I've included the
>> users file below.
>>     
>
>   In which you tell it to stop matching after the first one.
>
>   
>> DEFAULT Ldap-Group == packeteer_read_only,User-Profile :=
>> "uid=packeteer_read_only,ou=profiles,ou=radius,dc=csctus,dc=net",
>> Auth-Type := LDAP
>>        Fall-Through = no
>>     
>
>   See "man users" for the meaning of Fall-Through.  Then, change this to
> "yes".
>
>   Alan DeKok.
>
>
> ------------------------------
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
> End of Freeradius-Users Digest, Vol 30, Issue 40
> ************************************************
>   

Thank you for the reply.  If I change the Fall-Through to yes it still 
matches as many groups as the user is in.  How can I tell FreeRADIUS 
which attributes to send back?  It only sends back the attributes of the 
last group it finds.

For example, bevege is a member of the following groups: packetshaper, 
cisco_priv_15, cisco_priv_1, linux.  Here is what happens when I try to 
log into one of the packet shapers.  I get the attributes for 
cisco_priv_1 because it's last in the list and I can't log on.  If I 
change all of the user's groups to Fall-Through = no, the packet shaper 
allows me to log in, but then the cisco profiles don't work because it 
never makes it to them.

Basically this setup works fine if you're only in one group! What's the 
point of groups if you can only be in one?

Any help would be appreciated.

radius -X -A output

rad_recv: Access-Request packet from host 10.17.71.10:4852, id=68, length=58
        User-Name = "bevege"
        User-Password = "xxxxxxx"
        Service-Type = Login-User
        NAS-IP-Address = 10.17.71.10
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
    rlm_realm: No '@' in User-Name = "bevege", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=users,ou=radius,dc=csctus,dc=net'
radius_xlat:  '(uid=bevege)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=csctus,dc=net/xxxxx to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with 
filter (uid=bevege)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat:  '(&(uid=bevege)(objectclass=radiusprofile))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with 
filter 
(&(radiusGroupName=acct_disabled)(&(uid=bevege)(objectclass=radiusprofile)))
rlm_ldap: object not found or got ambiguous search result (user is not a 
member)
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in 
uid=bevege,ou=Atlanta,ou=users,ou=radius,dc=csctus,dc=net, with filter 
(objectclass=*)

rlm_ldap::groupcmp: Group acct_disabled not found or user not a 
member (this is true)

rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=users,ou=radius,dc=csctus,dc=net'
radius_xlat:  '(&(uid=bevege)(objectclass=radiusprofile))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with 
filter 
(&(radiusGroupName=packeteer_read_only)(&(uid=bevege)(objectclass=radiusprofile)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in 
uid=bevege,ou=Atlanta,ou=users,ou=radius,dc=csctus,dc=net, with filter 
(objectclass=*)

rlm_ldap::groupcmp: Group packeteer_read_only not found or user not 
a member (this is true)

rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=users,ou=radius,dc=csctus,dc=net'
radius_xlat:  '(&(uid=bevege)(objectclass=radiusprofile))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with 
filter 
(&(radiusGroupName=Packeteer)(&(uid=bevege)(objectclass=radiusprofile)))

rlm_ldap::ldap_groupcmp: User found in group Packeteer (this is true)

rlm_ldap: ldap_release_conn: Release Id: 0

    users: Matched entry DEFAULT at line 162 (this is correct.)

rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=users,ou=radius,dc=csctus,dc=net'
radius_xlat:  '(&(uid=bevege)(objectclass=radiusprofile))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with 
filter 
(&(radiusGroupName=netscreen)(&(uid=bevege)(objectclass=radiusprofile)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in 
uid=bevege,ou=Atlanta,ou=users,ou=radius,dc=csctus,dc=net, with filter 
(objectclass=*)

rlm_ldap::groupcmp: Group netscreen not found or user not a member 
(this is correct)

rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=users,ou=radius,dc=csctus,dc=net'
radius_xlat:  '(&(uid=bevege)(objectclass=radiusprofile))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with 
filter 
(&(radiusGroupName=cisco_priv_15)(&(uid=bevege)(objectclass=radiusprofile)))

rlm_ldap::ldap_groupcmp: User found in group cisco_priv_15 (this is correct)

rlm_ldap: ldap_release_conn: Release Id: 0

    users: Matched entry DEFAULT at line 168 (this is correct)

rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=users,ou=radius,dc=csctus,dc=net'
radius_xlat:  '(&(uid=bevege)(objectclass=radiusprofile))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with 
filter 
(&(radiusGroupName=cisco_priv_1)(&(uid=bevege)(objectclass=radiusprofile)))

rlm_ldap::ldap_groupcmp: User found in group cisco_priv_1 (this is correct)

rlm_ldap: ldap_release_conn: Release Id: 0

    users: Matched entry DEFAULT at line 171 (this is correct)

rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=users,ou=radius,dc=csctus,dc=net'
radius_xlat:  '(&(uid=bevege)(objectclass=radiusprofile))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with 
filter 
(&(radiusGroupName=netscreen)(&(uid=bevege)(objectclass=radiusprofile)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in 
uid=bevege,ou=Atlanta,ou=users,ou=radius,dc=csctus,dc=net, with filter 
(objectclass=*)

rlm_ldap::groupcmp: Group netscreen not found or user not a member 
(this is correct)

rlm_ldap: ldap_release_conn: Release Id: 0

    users: Matched entry DEFAULT at line 177 (this is odd, why is it 
matching on the last Group in the users file, DEFAULT Auth-Type := Reject
        Reply-Message = "Please call the helpdesk.")

  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for bevege
radius_xlat:  '(uid=bevege)'
radius_xlat:  'ou=users,ou=radius,dc=csctus,dc=net'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with 
filter (uid=bevege)
rlm_ldap: performing search in 
uid=cisco_priv_1,ou=profiles,ou=radius,dc=csctus,dc=net, with filter 
(objectclass=radiusprofile)

rlm_ldap: extracted attribute Cisco-AVPair from generic item 
Cisco-AVPair ="priv-lvl=1" (why does it choose only this attribute to 
send back?)

rlm_ldap: Added password {MD5}xxxxxxxxxxxxxxxx== in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user bevege authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type Reject
 
rad_check_password: Auth-Type = Reject, rejecting user (I believe this 
is because it matches line 177 last which has Auth-Type reject)
auth: Failed to validate the user.

Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 68 to 10.17.71.10 port 4852
        Reply-Message = "Please call the helpdesk."
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 68 with timestamp 470e2326
Nothing to do.  Sleeping until we see a request.

Users file for reference

    156 DEFAULT Ldap-Group == acct_disabled, Auth-Type := Reject
    157         Reply-Message = "Account disabled.  Please call the helpdesk."
    158
    159 DEFAULT Ldap-Group == packeteer_read_only,User-Profile := "uid=packeteer_read_only,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
    160         Fall-Through = yes
    161
    162 DEFAULT Ldap-Group == Packeteer,User-Profile := "uid=Packeteer,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
    163         Fall-Through = yes
    164
    165 DEFAULT Ldap-Group == netscreen,User-Profile := "uid=netscreen,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
    166         Fall-Through = yes
    167
    168 DEFAULT Ldap-Group == cisco_priv_15,User-Profile := "uid=cisco_priv_15,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
    169         Fall-Through = yes
    170
    171 DEFAULT Ldap-Group == cisco_priv_1,User-Profile := "uid=cisco_priv_1,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
    172         Fall-Through = yes
    173
    174 DEFAULT Ldap-Group == netscreen,User-Profile := "uid=netscreen,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
    175         Fall-Through = no
    176
    177 DEFAULT Auth-Type := Reject
    178         Reply-Message = "Please call the helpdesk."
    179
    180 DEFAULT Auth-Type = System
    181         fall-Through = 1


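An added simulation of the users-file matching behaviour seen in the debug output above (example code written for this page, not FreeRADIUS code and not part of the original post). It models only what the posted file uses: `Ldap-Group ==` check items standing in for rlm_ldap's ldap_groupcmp(), the `:=` and `=` operators, and Fall-Through; bevege's group membership is taken from the "User found in group" lines of the debug output, and the check-item versus reply-item distinction is simplified into one result dictionary. It reproduces both observations in the post: with Fall-Through = yes the last matching group entry (line 171) sets User-Profile and the bare DEFAULT at line 177, which has no check items and therefore matches every request that reaches it, overrides Auth-Type with Reject; with Fall-Through = no processing stops at the first matching group (Packeteer, line 162) and the cisco entries are never reached.

```python
from dataclasses import dataclass


@dataclass
class Entry:
    """One users-file entry. 'checks' are the conditions on the first line
    (an empty list is a bare DEFAULT that matches every request); 'items' are
    the attributes set when the entry matches. Check items and reply items are
    not distinguished here: both land in one result dictionary."""
    line: int
    checks: list
    items: list
    fall_through: bool = False


def entry_matches(entry, groups):
    """Evaluate the check items. Only 'Ldap-Group == name' is modelled (it stands
    in for rlm_ldap's ldap_groupcmp()); every check item must be true."""
    for attr, op, value in entry.checks:
        if attr == "Ldap-Group" and op == "==":
            if value not in groups:
                return False
        else:
            raise ValueError(f"unsupported check item: {attr} {op} {value}")
    return True


def apply_items(state, items):
    """':=' always sets the attribute, so a later match overrides an earlier one;
    '=' only adds the attribute when it is not already present."""
    for attr, op, value in items:
        if op == ":=":
            state[attr] = value
        elif op == "=":
            state.setdefault(attr, value)
        else:
            raise ValueError(f"unsupported operator: {op}")


def process(entries, groups):
    """Walk the entries in file order. Returns (resulting attributes, matched lines).
    Processing continues past a matching entry only when its Fall-Through is yes."""
    state, matched = {}, []
    for entry in entries:
        if not entry_matches(entry, groups):
            continue
        matched.append(entry.line)
        apply_items(state, entry.items)
        if not entry.fall_through:
            break
    return state, matched


def profile_dn(name):
    return f"uid={name},ou=profiles,ou=radius,dc=csctus,dc=net"


def users_file(group_fall_through):
    """The users file from the post (lines 156-181). group_fall_through sets
    Fall-Through on the group entries at lines 159-171; line 174 keeps 'no' as posted."""
    entries = [
        Entry(156, [("Ldap-Group", "==", "acct_disabled")],
              [("Auth-Type", ":=", "Reject"),
               ("Reply-Message", "=", "Account disabled.  Please call the helpdesk.")]),
    ]
    for line, group in [(159, "packeteer_read_only"), (162, "Packeteer"),
                        (165, "netscreen"), (168, "cisco_priv_15"), (171, "cisco_priv_1")]:
        entries.append(Entry(line, [("Ldap-Group", "==", group)],
                             [("User-Profile", ":=", profile_dn(group)),
                              ("Auth-Type", ":=", "LDAP")],
                             fall_through=group_fall_through))
    entries.append(Entry(174, [("Ldap-Group", "==", "netscreen")],
                         [("User-Profile", ":=", profile_dn("netscreen")),
                          ("Auth-Type", ":=", "LDAP")]))
    # Lines 177 and 180 have no check items at all, so they match every
    # request that is still being processed when they are reached.
    entries.append(Entry(177, [], [("Auth-Type", ":=", "Reject"),
                                   ("Reply-Message", "=", "Please call the helpdesk.")]))
    entries.append(Entry(180, [], [("Auth-Type", "=", "System")], fall_through=True))
    return entries


# bevege's memberships, taken from the "User found in group" lines of the debug output
BEVEGE_GROUPS = {"Packeteer", "cisco_priv_15", "cisco_priv_1"}


def scenario_fall_through_yes():
    """Posted configuration: every group entry falls through, so line 171 is the
    last group entry to set User-Profile and the bare DEFAULT at 177 then
    overrides Auth-Type with Reject, as the debug output shows."""
    return process(users_file(True), BEVEGE_GROUPS)


def scenario_fall_through_no():
    """Fall-Through = no everywhere: processing stops at the first matching group
    (Packeteer, line 162), so the cisco entries are never reached."""
    return process(users_file(False), BEVEGE_GROUPS)


if __name__ == "__main__":
    for label, scenario in (("Fall-Through = yes", scenario_fall_through_yes),
                            ("Fall-Through = no", scenario_fall_through_no)):
        state, matched = scenario()
        print(f"{label}: matched users-file lines {matched}")
        for attr, value in state.items():
            print(f"    {attr} = {value}")
```

Running the script prints the matched line numbers and the resulting attributes for both configurations. The point it makes explicit is that an entry with no check items is not a "no group matched" catch-all: it matches everyone who reaches it, so a reject entry placed after group entries that all fall through is applied to every user, members of a group included.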
