Ldap-UserDn not set correctly in 2.0.3

Jason Alderfer jha2 at emu.edu
Fri Apr 11 15:50:20 CEST 2008


It appears that the LDAP module in 2.0.3 is not setting the Ldap-UserDn in
a way that is available for further analysis.  The problem shows up when
using "edir_account_policy_check = yes" and also when evaluating
Ldap-UserDn with unlang or from other modules as described below in my
previous post.

Does anyone have insight into this problem?

Jason


> I'm testing upgrading from 1.1.7 to 2.0.3 and have run into a problem with
> the LDAP module.  The problem appears in 2 places.  First, I'm using the
> --with-edir option so I have
>
> password_attribute = nspmPassword
>
> and
>
> edir_account_policy_check = yes
>
> set.  However, in 2.0.3, when I set "edir_account_policy_check = yes", I
> get this error:
>
> +- entering group post-auth
> rlm_ldap: User's FQDN not in config items list.
> ++[ldap] returns fail
>   PEAP: Tunneled authentication was rejected.
>   rlm_eap_peap: FAILURE
>
> If I don't set edir_account_policy_check, then authentication is
> successful, but the second problem shows up.  A little background:
>
> In 1.1.7 I'm setting VLANs via the 'users' file like this:
>
> DEFAULT Ldap-UserDn =~ "ou=is,ou=n,o=emu"
>         Tunnel-Type = "VLAN",
>         Tunnel-Medium-Type = "IEEE-802",
>         Tunnel-Private-Group-Id = 3
>
> and I've tried this in 2.0.3, but I've also tried unlang
>
> if (Ldap-UserDn =~ /ou=is,ou=n,o=emu/i) {
>         update reply {
>                 Tunnel-Type := "VLAN"
>                 Tunnel-Medium-Type := "IEEE-802"
>                 Tunnel-Private-Group-Id := 3
>         }
> }
>
> Neither of these works in 2.0.3.  The VLAN does not get set.  Files returns
> noop, and unlang shows in debug output
>
> ++? if (Ldap-UserDn =~ /ou=is,ou=n,o=emu/i)
>     (Attribute Ldap-UserDn was not found)
>
>
> I did some digging and I think I know why this is.  In rlm_ldap.c
> beginning at line 1306 is
>
> /*
>  * Adding new attribute containing DN for LDAP object associated with
>  * given username
>  */
> pairadd(check_pairs, pairmake("Ldap-UserDn", user_dn, T_OP_EQ));
>
> However, in 1.1.7 the code is
>
> pairadd(&request->packet->vps, pairmake("Ldap-UserDn", user_dn, T_OP_EQ));
>
> If I add this line to 2.0.3 just after the existing pairadd line and
> recompile, then everything just works -- edir policy check works and I can
> set VLANs using files module or unlang.
>
> Is this a bug in 2.0.3 or am I missing something in my new config file
> that would make the Ldap-UserDn available?
>
> Jason
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

