Groups in active directory and checks in MySQL

Atomikramp atomikramp at email.it
Mon Aug 26 10:04:41 CEST 2013


Hello,

Sorry for the top quoting, but I'm using a webmail for replying which is really crap.

Accordingly I'm posting here the debug log of a radtest.

The authentication gets rejected because the group matches in the raddb/users with the following expression:

DEFAULT Ldap-Group == "fax", Auth-Type := Reject

I've tried commenting it out and adding this to MySQL in the table radgroupcheck:

table: radgroupcheck
Groupname: fax
Attribute: Auth-Type
op: :=
Value: Reject

But it's not giving the same result: the check against SQL is ignored and the user is authed successfully.

Here is the debug log:


 


rad_recv: Access-Request packet from host 127.0.0.1 port 45195, id=232, length=57
User-Name = "sogo1"
User-Password = "userpassword"
NAS-IP-Address = 192.168.4.82
NAS-Port = 80
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20130826
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20130826
[auth_log] expand: %t -> Mon Aug 26 07:56:19 2013
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "sogo1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
  [ldap] Entering ldap_groupcmp()
[files] expand: dc=plutone,dc=local -> dc=plutone,dc=local
[files] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[files] ... expanding second conditional
[files] expand: %{User-Name} -> sogo1
[files] expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=sogo1)
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=plutone,dc=local, with filter (sAMAccountName=sogo1)
  [ldap] ldap_release_conn: Release Id: 0
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=plutone,dc=local, with filter (&(cn=fax)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in CN=sogo1,CN=Users,DC=plutone,DC=local, with filter (objectclass=*)
  [ldap] performing search in CN=Fax,CN=Users,DC=plutone,DC=local, with filter (cn=fax)
rlm_ldap::ldap_groupcmp: User found in group fax
  [ldap] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 205
++[files] returns ok
[ldap] performing user authorization for sogo1
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> sogo1
[ldap] expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=sogo1)
[ldap] expand: dc=plutone,dc=local -> dc=plutone,dc=local
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=plutone,dc=local, with filter (sAMAccountName=sogo1)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user sogo1 authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[sql] expand: %{User-Name} -> sogo1
[sql] sql_set_user escaped user --> 'sogo1'
rlm_sql (sql): Reserving sql socket id: 1
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'sogo1' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'sogo1' ORDER BY priority
rlm_sql (sql): Released sql socket id: 1
[sql] User sogo1 not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[dailycounter] returns noop
Found Auth-Type = Reject
Auth-Type = Reject, rejecting user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> sogo1
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 232 to 127.0.0.1 port 45195
Reply-Message = "Not Allowed."
Waking up in 4.9 seconds.
Cleaning up request 7 ID 232 with timestamp +585
Ready to process requests.


 


 


I've noticed that in the rlm_sql debugging no query is performed against radgroupcheck.

Could it be that I missed something in my configuration? Yet I can't figure out what; I ran through my config files many times.

Thanks.

Francesco
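The debug log shows rlm_sql querying radcheck and then radusergroup, finding nothing for sogo1, and returning notfound without ever touching radgroupcheck. The following is an added example, not code from the post or from the FreeRADIUS project: it models that query order against an in-memory sqlite3 stand-in for the MySQL tables and shows that the radgroupcheck row for "fax" only takes effect once a radusergroup row maps sogo1 to that group. The model of rlm_sql authorize is simplified (no radreply, no operator evaluation), and the radusergroup row is an assumption about what the post's configuration is missing.

```python
import sqlite3

# Constructed stand-in for the FreeRADIUS MySQL tables, using the stock column
# names; an in-memory sqlite3 database is used only so the example runs offline.
SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT,
                       attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT,
                            attribute TEXT, op TEXT, value TEXT);
"""

def new_db(map_user_to_group):
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # The radgroupcheck row from the post: Auth-Type := Reject for group "fax".
    db.execute("INSERT INTO radgroupcheck (groupname, attribute, op, value) "
               "VALUES ('fax', 'Auth-Type', ':=', 'Reject')")
    if map_user_to_group:  # assumed missing row: user -> group mapping
        db.execute("INSERT INTO radusergroup VALUES ('sogo1', 'fax', 1)")
    return db

def sql_authorize(db, username):
    """Simplified model of rlm_sql authorize in the order the debug log shows:
    radcheck, then radusergroup; radgroupcheck is queried once per group the
    user is mapped to and never otherwise.  Returns (rcode, check_items, tables)."""
    tables, items = ["radcheck", "radusergroup"], []
    for attr, value, op in db.execute(
            "SELECT attribute, value, op FROM radcheck WHERE username = ? "
            "ORDER BY id", (username,)):
        items.append((attr, op, value))
    groups = [g for (g,) in db.execute(
        "SELECT groupname FROM radusergroup WHERE username = ? "
        "ORDER BY priority", (username,))]
    for g in groups:
        tables.append("radgroupcheck")
        for attr, value, op in db.execute(
                "SELECT attribute, value, op FROM radgroupcheck "
                "WHERE groupname = ? ORDER BY id", (g,)):
            items.append((attr, op, value))
    # No check items and no group membership is what the log prints as
    # "[sql] User sogo1 not found" / "++[sql] returns notfound".
    rcode = "ok" if items or groups else "notfound"
    return rcode, items, tables

if __name__ == "__main__":
    for mapped in (False, True):
        print("radusergroup row present:", mapped,
              "->", sql_authorize(new_db(mapped), "sogo1"))
```

Unlike Ldap-Group, which is evaluated live against the directory, an SQL group check only applies to users with a radusergroup mapping, so a deny rule in radgroupcheck silently does nothing for users that have no such row.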


 



--------- Original Message --------
 From: "Alan DeKok" <aland at deployingradius.com>
 To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
 Subject: Re: Groups in active directory and checks in MySQL
 Date: 23/08/13 21:32

 Atomikramp wrote:
 > I'm in a situation now where I can successfully retrieve group
 > membership of users in the active directory LDAP tree using rlm_ldap,
 > and check them against files.

 OK.

 > so if I have a user with "memberOf" attribute set to groupA
 > and I set in the raddb/users the following entry:
 >
 > DEFAULT Ldap-Group == "groupA", Auth-Type := Reject
 > Reply-Message = "Not Allowed."
 >
 > I successfully deny access to that user.

 That should map directly to the SQL tables.

 > Since I'm already using MySQL for storing accounting information I was
 > really interested in being able to use the same backend (mysql) also for
 > performing checks against groups.
 >
 > If I perform checks against usernames using the table radcheck they work
 > properly (users retrieved from the LDAP backend). I've tried setting a
 > radcheck like the following:
 > userA Max-Daily-Session := 7200
 >
 > and after 2 hours the user is unable to authenticate to the NAS because
 > the time allowed has expired.
 >
 > But I can't seem to be able to do the same thing with the groups.

 Post the debug output. And what do you have in SQL?

 > I've configured sites-enabled/default like this:

 Note that the FAQ, README, "man" pages, and web pages ALL say to post
 the debug output. We really don't care about the configuration. It
 doesn't show what happens when the server receives a request.

 Alan DeKok.