Assistance in handling ldap query failure scenario

John Douglass john.douglass at oit.gatech.edu
Fri Aug 6 18:54:06 CEST 2010 

I believe this bit of magic can be done based on other configurations 
but I can't work out the right "foo" so hopefully someone can help me 
out. I have my service manager asking for some additional magic out of 
our freeradius servers that handle our wireless WPA enterprise 
authentication/authorization.

Situation: LDAP connect/lookup fails (returns 'fail') and I want to 
continue processing as if it were "ok". Right now we want to ensure to 
err on the side of the customer and continue in the event there is an 
LDAP service outage.

Setup: I have the system working correctly with LDAP utilizing 
Freeradius 1.1.9. However, I am not sure how to do unlang control in the 
event of an LDAP failure. I am handling if an LDAP lookup is not found 
however.

Test: What I am attempting to test with is configure the ldap module 
with a non-existent LDAP server to fail but continue processing in the 
event of an LDAP failure.

I have Googled, read many configuration examples, and got a decent grip 
of unlang so hopefully someone can point me in the right direction. I'm 
close, but missing a small key component I imagine.

Here are (what I believe to be ) he important configuration sections and 
debug output.

authorize {
         preprocess

         #  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP 
authentication.

         eap {
                ok = return
         }

         # LDAP: Development where if not found, steer them to group 
vlan0316

         # This part works as expected when LDAP answers and the user is 
not found
         gted-lawn-authz
         if(notfound) {
            update reply {
               Tunnel-Type := "VLAN"
               Tunnel-Medium-Type := "IEEE-802"
               Tunnel-Private-Group-Id := 316
            }
            notfound = return
         }

         #  Look in an SQL database.  The schema of the database is 
meant to mirror the "users" file.
         sqlwpa
}

The LDAP module configuration is as follows:

ldap gted-lawn-authz {
     #
     #  Note that this needs to match the name in the LDAP
     #  server certificate, if you're using ldaps.
     server = "ldaps://blahserver.gatech.edu"
     port = 636
     identity = "myBindDNDeletedForPrivacy"
     password = "myPasswordDeletedForPrivacy"
     basedn = "myBaseDNdeletedForPrivacy"
     filter = "myFilterThatWorksNormallyDeleted"

     ldap_connections_number = 10
     timeout = 4
     timelimit = 10
     net_timeout = 1

     tls {
         start_tls = no
         tls_mode = no
         require_cert    = "never"
     }

     # Mapping of RADIUS dictionary attributes to LDAP directory attributes.
     dictionary_mapping = ${confdir}/ldap.attrmap

     edir_account_policy_check = no
     set_auth_type = no
}

I have tried to handle this in the authorize{} section but not sure how 
to override the "fail" returncode from the ldap module in order to continue.

         gted-lawn-authz
         # want to detect a failure of the above gted-lawn-authz module, 
on failure skip to the next section which is "sqlwpa"
         if(fail) {
            fail = return
         }
         if(notfound) {
            update reply {
               Tunnel-Type := "VLAN"
               Tunnel-Medium-Type := "IEEE-802"
               Tunnel-Private-Group-Id := 316
            }
            notfound = return
         }
        #  Look in an SQL database.  The schema of the database is meant 
to mirror the "users" file.
        sqlwpa

Running it in debug mode I see it never hits the if(fail) section. My 
guess (but I haven't found any concrete info on how to continue) would 
be to have something in the gted-lawn-authz ldap module configuration as 
it looks like it breaks out of the loop there.

+- entering group authorize {...}
++[preprocess] returns ok
[eap] EAP packet type response id 0 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[gted-lawn-authz] performing user authorization for test-account
[gted-lawn-authz]     expand: (filterDeleted)
[gted-lawn-authz]     expand: (baseDeleted)
   [gted-lawn-authz] ldap_get_conn: Checking Id: 0
   [gted-lawn-authz] ldap_get_conn: Got Id: 0
   [gted-lawn-authz] attempting LDAP reconnection
   [gted-lawn-authz] (re)connect to ldaps://bleh.gatech.edu, 
authentication 0
   [gted-lawn-authz] setting TLS Require Cert to never
   [gted-lawn-authz] bind as uid=deletedForPrivacy
   [gted-lawn-authz] uid=deletedForPrivacy
   [gted-lawn-authz] (re)connection attempt failed
[gted-lawn-authz] search failed
   [gted-lawn-authz] ldap_release_conn: Release Id: 0
++[gted-lawn-authz] returns fail
Invalid user: [jd187/<via Auth-Type = EAP>] (from client localhost port 
0 cli 02-00-00-00-00-01)
} # server wpa
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> jd187
  attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated

Thanks in advance,
- John Douglass, Georgia Institute of Technology

More information about the Freeradius-Users mailing list