groupcmp fails during tunneled request

Matthieu Lazaro matthieu.lazaro at eservglobal.com
Tue Apr 28 14:12:33 CEST 2009


Hello list,

I'm having an issue with the group check (ldap_groupcmp).

Everything is fine until the request is tunnelled, and I can't find out
why my user is rejected there....
It seems that he ends in this section during this phase:
DEFAULT Ldap-Group == BANNED , Auth-Type := Reject
        Reply-Message = "Account disabled.  Please call the helpdesk."

       Even if he has the correct group in the LDAP.

This was working on my test bed. The configuration seems to be the same,
the only change is the NAS type ( I have tested that on HP switches, and
now it's using a Cisco Wireless controller).
It was working perfectly before I introduced the group check using the
huntgroups.

I'm using version 2.1.1 of freeradius on an Debian etch box.

Here is the part of the debug where it fails.

Sending tunneled request
        EAP-Message = 0x020f000b01676269676f74
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "alicebob"
        Calling-Station-Id = "00-13-02-25-FF-40"
        Called-Station-Id = "00-1E-13-1D-85-70:WiFi-TEST"
        NAS-Port = 1
        NAS-IP-Address = 192.168.226.8
        NAS-Identifier = "accessPoint-Manager"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "502"
server inner-tunnel {
Tue Apr 28 11:42:35 2009 : Info: +- entering group authorize {...}
Tue Apr 28 11:42:35 2009 : Info: ++[mschap] returns noop
Tue Apr 28 11:42:35 2009 : Info: [suffix] No '@' in User-Name =
"alicebob", looking up realm NULL
Tue Apr 28 11:42:35 2009 : Info: [suffix] No such realm "NULL"
Tue Apr 28 11:42:35 2009 : Info: ++[suffix] returns noop
Tue Apr 28 11:42:35 2009 : Info: [eap] EAP packet type response id 15
length 11
Tue Apr 28 11:42:35 2009 : Info: [eap] No EAP Start, assuming it's an
on-going EAP conversation
Tue Apr 28 11:42:35 2009 : Info: ++[eap] returns updated
Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: Entering ldap_groupcmp()
Tue Apr 28 11:42:35 2009 : Info: [files]        expand:
dc=companyname,dc=com -> dc=companyname,dc=com
Tue Apr 28 11:42:35 2009 : Info: [files] WARNING: Deprecated conditional
expansion ":-".  See "man unlang" for details
Tue Apr 28 11:42:35 2009 : Info: [files]        expand:
(uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=alicebob)
Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: performing search in
dc=companyname,dc=com, with filter (uid=alicebob)
Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Tue Apr 28 11:42:35 2009 : Info: [files]        expand:
(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
->
(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: performing search in
dc=companyname,dc=com, with filter
(&(radiusGroupName=BANNED)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: object not found or got
ambiguous search result
Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: performing search in
uid=alicebob,ou=people,dc=companyname,dc=com, with filter (objectclass=*)
Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap::groupcmp: Group BANNED not
found or user not a member
Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Tue Apr 28 11:42:35 2009 : Info: [files] users: Matched entry DEFAULT at
line 15
Tue Apr 28 11:42:35 2009 : Info: ++[files] returns ok

Tell me if you need more debug output...

Best regards,
Matt



More information about the Freeradius-Users mailing list