Checkval weird issue with LDAP backend and PAM authentication

Marco Carcano marco at marcolinux.it
Sat Nov 27 01:21:54 CET 2010


Hi Alan

OK - got it working - I had a look at rlm_ldap.c and ldap.h (the
ldap_is_ldap_url and ldap_url_parse functions) - although I have one
more issue, ... see below

        if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-Identifier}" ) {
                ok
        }
        else {
                reject
        }


debug is

++? if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-Identifier}" )
rlm_ldap: - ldap_xlat
        expand: ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices -> ldap://127.0.0.1/CN=testuser,OU=Users,DC=marcolinux,DC=local?eckAllowedServices
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=testuser,OU=Users,DC=marcolinux,DC=local, with filter (null)
rlm_ldap: Adding attribute eckAllowedServices, value: ftp
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: - ldap_xlat end
        expand: %{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices} -> ftp
        expand: %{NAS-Identifier} -> ftp
? Evaluating ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-Identifier}" ) -> TRUE
++? if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-Identifier}" ) -> TRUE
++- entering if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-Identifier}" ) {...}
+++[ok] returns ok
++- if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-Identifier}" ) returns ok
++ ... skipping else for request 0: Preceding "if" was taken
Found Auth-Type = PAM

but it works only if eckAllowedServices has only one value.
eckAllowedServices is a multi-string attribute, that is for example

eckAllowedServices[0]=httpProxy
eckAllowedServices[1]=ftp
eckAllowedServices[2]=VPN

etc.

It works only for the first element of the array, ... so in the
preceding example only if eckAllowedServices[0]=ftp.

Is there a way to have it recursively process all the elements of the
array to do the comparison?

I tried

if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices[*]}" == "%{NAS-Identifier}" )

and

if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}[*]" == "%{NAS-Identifier}" )

but had no luck

Marco Carcano

Just for info (for other users that may read this post in the future):
I was wondering whether it performed an anonymous bind to the directory -
the LDAP URL does not contain credentials, so I raised the LDAP server
verbosity and had a look at the log, ....
It works authenticated, as configured in modules/ldap - I think this is
really important: on my server I prohibited anonymous binding, also from
localhost.




On 26/nov/10, at 09:31, Alan DeKok wrote:

> Marco Carcano wrote:
>> I RTM unlang, but I have to admit I only got confused - The only
>> thing I have understood is to write a simple statement like this
>> (in authorize section)
>>
>>        if (NAS-Identifier == "ftp" ) {
>>                ok
>>        }
>>        else {
>>                reject
>>        }
>>
>> and I think it is even wrong because it always returns OK :(((((
>
>  And.... what does debug mode say?
>
>> I noticed on some posts people using a syntax like
>> if (NAS-Identifier == %{sql: SELECT ... BLA BLA} )
>
>  See "man unlang".  This is documented.
>
>> but I have not been able to see a working example using ldap,
>
> if (NAS-Identifier == "%{ldap: ... ldap stuff ... }") {
>
>
>
>> thinking of the %{sql:SELECT ...} example I thought of a syntax
>> almost like this
>>
>>        if (NAS-Identifier ==
>> "ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)" ) {
>
>  You didn't use the same form as the SQL example.  The brackets have
> *meaning*: %{}
>
>  See "man unlang".
>
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
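The thread turns on one behaviour: the `%{ldap:...?eckAllowedServices}` expansion yields a single string (the first value returned), so the string comparison in the `if` only ever sees value `[0]`, and `[*]` in the URL is not a way around that. The following Python is an added illustration written for this page; it is not code from the thread or from FreeRADIUS' rlm_ldap. It models the lookup against a small in-memory directory (constructed for the example, including a second user `proxyonly`), shows the first-value comparison failing for `ftp` while a membership check over all values of the multi-valued attribute succeeds, and escapes the User-Name before it is spliced into the DN, since a RADIUS User-Name is untrusted input and the post builds the DN from it. The helper names (`build_url`, `ldap_lookup`, `service_allowed`, `first_value_matches`) and the RFC 4514 escaping routine are this example's own; only the URL form, base DN and attribute name come from the post.

```python
from urllib.parse import quote, unquote, urlsplit

# Constructed in-memory stand-in for the directory queried in the post.
# DNs, values and the second user are assumptions made for this example.
DIRECTORY = {
    "CN=testuser,OU=Users,DC=marcolinux,DC=local": {
        "eckAllowedServices": ["httpProxy", "ftp", "VPN"],
    },
    "CN=proxyonly,OU=Users,DC=marcolinux,DC=local": {
        "eckAllowedServices": ["httpProxy"],
    },
}

BASE = "OU=Users,DC=marcolinux,DC=local"
ATTR = "eckAllowedServices"


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 rules).

    The User-Name comes from the RADIUS request and is untrusted; without
    escaping, a value such as 'x,OU=Admins' would rewrite the searched DN.
    """
    out = []
    for ch in value:
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;=':
            out.append("\\" + ch)
        else:
            out.append(ch)
    s = "".join(out)
    if value[:1] in ("#", " "):
        s = "\\" + s
    if value.endswith(" "):
        s = s[:-1] + "\\ "
    return s


def build_url(user, host="127.0.0.1"):
    """Build the LDAP URL used in the post for a given User-Name."""
    dn = "CN=%s,%s" % (escape_dn_value(user), BASE)
    # Percent-encode the DN so '?', '%' and '/' cannot split the URL fields.
    return "ldap://%s/%s?%s" % (host, quote(dn, safe="=,"), ATTR)


def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL into host, port, DN, attrs, scope, filter."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    # After '?' the URL carries attrs?scope?filter?extensions, all optional.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (4 - len(fields))
    return {
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "dn": unquote(parts.path.lstrip("/")),
        "attrs": [a for a in unquote(fields[0]).split(",") if a],
        "scope": unquote(fields[1]) or "base",
        "filter": unquote(fields[2]) or "(objectClass=*)",
    }


def ldap_lookup(url):
    """Return every value of the first requested attribute on the URL's DN."""
    q = parse_ldap_url(url)
    entry = DIRECTORY.get(q["dn"])
    if entry is None or not q["attrs"]:
        return []
    return list(entry.get(q["attrs"][0], []))


def first_value_matches(user, nas_identifier):
    """What the post's string comparison effectively does: only value [0]."""
    values = ldap_lookup(build_url(user))
    first = values[0] if values else ""
    return first == nas_identifier


def service_allowed(user, nas_identifier):
    """The intended check: NAS-Identifier may match ANY value of the attribute."""
    return nas_identifier in ldap_lookup(build_url(user))


if __name__ == "__main__":
    for user, nas in [("testuser", "ftp"), ("testuser", "httpProxy"),
                      ("proxyonly", "ftp"), ("x,OU=Admins", "ftp")]:
        print("%-12s %-10s first-only=%-5s any-value=%s" % (
            user, nas, first_value_matches(user, nas),
            service_allowed(user, nas)))
```

The URL never carries credentials, as the post observes: in this model the bind identity is simply outside the URL, and in a real deployment it comes from the module configuration, so the directory lookup runs with whatever rights that configured account holds.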