Abort when LDAP module is run twice.
Júlíus Þór Bess Ríkharðsson
julius.bess at nyherji.is
Wed Apr 29 15:30:29 CEST 2015
Hi,
I'm running an LDAP module twice, both times with a different base_dn, but when I do that the server aborts.
I'm using FreeRADIUS 3.0.4 (more specifically Centos release: 6.el7)
If I try to run the module twice without changing the base_dn, the abort still happens.
Is this a known limitation that I should work around by initiating another module with a different base_dn?
Here is a log:
Ready to process requests
Received Access-Request Id 19 from 10.255.120.5:1645 to xo.xo.xo.xo:1812 length 172
Service-Type = Login-User
Cisco-AVPair = 'service-type=Login'
Calling-Station-Id = 'xx.xx.xx.xx'
User-Name = 'test.juliusbess'
EAP-Message = 0x023b001401746573742e6a756c69757362657373
Message-Authenticator = 0x1d29c4c865bf30c2a4316ffbe67468bf
NAS-IP-Address = 10.255.120.5
Acct-Session-Id = '160000000000FBDF'
NAS-Identifier = 'vpn.test.local'
(0) Received Access-Request packet from host 10.255.120.5 port 1645, id=19, length=172
(0) Service-Type = Login-User
(0) Cisco-AVPair = 'service-type=Login'
(0) Calling-Station-Id = 'xx.xx.xx.xx'
(0) User-Name = 'test.juliusbess'
(0) EAP-Message = 0x023b001401746573742e6a756c69757362657373
(0) Message-Authenticator = 0x1d29c4c865bf30c2a4316ffbe67468bf
(0) NAS-IP-Address = 10.255.120.5
(0) Acct-Session-Id = '160000000000FBDF'
(0) NAS-Identifier = 'vpn.test.local'
(0) # Executing section authorize from file /etc/raddb/sites-enabled/vpn-nyherji-test
(0) authorize {
(0) update request {
(0) EXPAND %{User-Name}
(0) --> test.juliusbess
(0) SQL-User-Name set to 'test.juliusbess'
rlm_sql (sql): Reserved connection (4)
rlm_sql (sql): Executing query: 'select groupname from radhuntgroup where nasipaddress="10.255.120.5"'
rlm_sql (sql): Released connection (4)
(0) EXPAND %{sql:select groupname from radhuntgroup where nasipaddress="%{Client-IP-Address}"}
(0) --> vpn-nas
(0) Huntgroup-Name := "vpn-nas"
(0) } # update request = noop
(0) if (!Huntgroup-Name)
(0) if (!Huntgroup-Name) -> FALSE
(0) filter_username filter_username {
(0) if (!&User-Name)
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /)
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ )
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\\.\\./ )
(0) if (&User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\\.$/)
(0) if (&User-Name =~ /\\.$/) -> FALSE
(0) if (&User-Name =~ /@\\./)
(0) if (&User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = noop
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap-umsja] = noop
(0) [digest] = noop
(0) suffix : Checking for suffix after "@"
(0) suffix : No '@' in User-Name = "test.juliusbess", looking up realm NULL
(0) suffix : Found realm "NULL"
(0) suffix : Adding Stripped-User-Name = "test.juliusbess"
(0) suffix : Adding Realm = "NULL"
(0) suffix : Authentication realm is LOCAL
(0) [suffix] = ok
(0) ntdomain : Request already has destination realm set. Ignoring
(0) [ntdomain] = noop
(0) eap-vpn-nyherji : Peer sent code Response (2) ID 59 length 20
(0) eap-vpn-nyherji : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap-vpn-nyherji] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap-vpn-nyherji
(0) # Executing group from file /etc/raddb/sites-enabled/vpn-nyherji-test
(0) authenticate {
(0) eap-vpn-nyherji : Peer sent method Identity (1)
(0) eap-vpn-nyherji : Calling eap_peap to process EAP data
(0) eap_peap : Initiate
(0) eap_peap : Start returned 1
(0) eap-vpn-nyherji : New EAP session, adding 'State' attribute to reply 0xe5c88dc8e5f49486
(0) [eap-vpn-nyherji] = handled
(0) } # authenticate = handled
(0) Sending Access-Challenge packet to host 10.255.120.5 port 1645, id=19, length=0
(0) EAP-Message = 0x013c00061920
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xe5c88dc8e5f494860e93d83d98be7363
Sending Access-Challenge Id 19 from xo.xo.xo.xo:1812 to 10.255.120.5:1645
EAP-Message = 0x013c00061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe5c88dc8e5f494860e93d83d98be7363
(0) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 20 from 10.255.120.5:1645 to xo.xo.xo.xo:1812 length 176
Service-Type = Login-User
Cisco-AVPair = 'service-type=Login'
Calling-Station-Id = 'xx.xx.xx.xx'
User-Name = 'test.juliusbess'
EAP-Message = 0x023c0006031a
Message-Authenticator = 0xbdf3041a309a309f5d190089d0d7f2fa
State = 0xe5c88dc8e5f494860e93d83d98be7363
NAS-IP-Address = 10.255.120.5
Acct-Session-Id = '160000000000FBDF'
NAS-Identifier = 'vpn.test.local'
(1) Received Access-Request packet from host 10.255.120.5 port 1645, id=20, length=176
(1) Service-Type = Login-User
(1) Cisco-AVPair = 'service-type=Login'
(1) Calling-Station-Id = 'xx.xx.xx.xx'
(1) User-Name = 'test.juliusbess'
(1) EAP-Message = 0x023c0006031a
(1) Message-Authenticator = 0xbdf3041a309a309f5d190089d0d7f2fa
(1) State = 0xe5c88dc8e5f494860e93d83d98be7363
(1) NAS-IP-Address = 10.255.120.5
(1) Acct-Session-Id = '160000000000FBDF'
(1) NAS-Identifier = 'vpn.test.local'
(1) # Executing section authorize from file /etc/raddb/sites-enabled/vpn-nyherji-test
(1) authorize {
(1) update request {
(1) EXPAND %{User-Name}
(1) --> test.juliusbess
(1) SQL-User-Name set to 'test.juliusbess'
rlm_sql (sql): Reserved connection (4)
rlm_sql (sql): Executing query: 'select groupname from radhuntgroup where nasipaddress="10.255.120.5"'
rlm_sql (sql): Released connection (4)
(1) EXPAND %{sql:select groupname from radhuntgroup where nasipaddress="%{Client-IP-Address}"}
(1) --> vpn-nas
(1) Huntgroup-Name := "vpn-nas"
(1) } # update request = noop
(1) if (!Huntgroup-Name)
(1) if (!Huntgroup-Name) -> FALSE
(1) filter_username filter_username {
(1) if (!&User-Name)
(1) if (!&User-Name) -> FALSE
(1) if (&User-Name =~ / /)
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@.*@/ )
(1) if (&User-Name =~ /@.*@/ ) -> FALSE
(1) if (&User-Name =~ /\\.\\./ )
(1) if (&User-Name =~ /\\.\\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\\.$/)
(1) if (&User-Name =~ /\\.$/) -> FALSE
(1) if (&User-Name =~ /@\\./)
(1) if (&User-Name =~ /@\\./) -> FALSE
(1) } # filter_username filter_username = noop
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap-umsja] = noop
(1) [digest] = noop
(1) suffix : Checking for suffix after "@"
(1) suffix : No '@' in User-Name = "test.juliusbess", looking up realm NULL
(1) suffix : Found realm "NULL"
(1) suffix : Adding Stripped-User-Name = "test.juliusbess"
(1) suffix : Adding Realm = "NULL"
(1) suffix : Authentication realm is LOCAL
(1) [suffix] = ok
(1) ntdomain : Request already has destination realm set. Ignoring
(1) [ntdomain] = noop
(1) eap-vpn-nyherji : Peer sent code Response (2) ID 60 length 6
(1) eap-vpn-nyherji : No EAP Start, assuming it's an on-going EAP conversation
(1) [eap-vpn-nyherji] = updated
(1) [files] = noop
(1) sql : EXPAND %{User-Name}
(1) sql : --> test.juliusbess
(1) sql : SQL-User-Name set to 'test.juliusbess'
rlm_sql (sql): Reserved connection (4)
(1) sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql : --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test.juliusbess' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test.juliusbess' ORDER BY id'
(1) sql : EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(1) sql : --> SELECT groupname FROM radusergroup WHERE username = 'test.juliusbess' ORDER BY priority
rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = 'test.juliusbess' ORDER BY priority'
(1) sql : User not found in any groups
rlm_sql (sql): Released connection (4)
(1) [sql] = notfound
(1) if ("%{realm}" =~ /(DEFAULT|NULL)/)
(1) EXPAND %{realm}
(1) --> NULL
(1) if ("%{realm}" =~ /(DEFAULT|NULL)/) -> TRUE
(1) if ("%{realm}" =~ /(DEFAULT|NULL)/) {
(1) update control {
(1) &LDAP-baseDN-custom := 'OU-test'
(1) } # update control = noop
(1) EXPAND %{control:LDAP-baseDN-custom}
(1) --> OU-test
rlm_ldap (ldap-vpn-nyh): Reserved connection (4)
(1) ldap-vpn-nyh : EXPAND (|(&(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(objectClass=user))(&(userPrincipalName=%{User-Name})(objectClass=user)))
(1) ldap-vpn-nyh : --> (|(&(sAMAccountName=test.juliusbess)(objectClass=user))(&(userPrincipalName=test.juliusbess)(objectClass=user)))
(1) ldap-vpn-nyh : EXPAND OU=%{control:LDAP-baseDN-custom},DC=some,DC=local,DC=lan
(1) ldap-vpn-nyh : --> OU=OU-test,DC=some,DC=local,DC=lan
(1) ldap-vpn-nyh : Performing search in 'OU=OU-test,DC=some,DC=local,DC=lan' with filter '(|(&(sAMAccountName=test.juliusbess)(objectClass=user))(&(userPrincipalName=test.juliusbess)(objectClass=user)))', scope 'sub'
(1) ldap-vpn-nyh : Waiting for search result...
(1) ldap-vpn-nyh : User object found at DN "CN=Testuser - Test,OU=Contractors,OU=Users,OU=YYY,OU=OU-test,DC=some,DC=local,DC=lan"
(1) ldap-vpn-nyh : Processing user attributes
(1) WARNING: ldap-vpn-nyh : No "known good" password added. Ensure the admin user has permission to read the password attribute
(1) WARNING: ldap-vpn-nyh : PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap-vpn-nyh): Released connection (4)
(1) [ldap-vpn-nyh] = ok
(1) EXPAND %{control:LDAP-baseDN-custom}
(1) --> OU-test
rlm_ldap (ldap-vpn-nyh): Reserved connection (4)
(1) ldap-vpn-nyh : EXPAND (|(&(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(objectClass=user))(&(userPrincipalName=%{User-Name})(objectClass=user)))
(1) ldap-vpn-nyh : --> (|(&(sAMAccountName=test.juliusbess)(objectClass=user))(&(userPrincipalName=test.juliusbess)(objectClass=user)))
(1) ldap-vpn-nyh : EXPAND OU=%{control:LDAP-baseDN-custom},DC=some,DC=local,DC=lan
(1) ldap-vpn-nyh : --> OU=OU-test,DC=some,DC=local,DC=lan
(1) ldap-vpn-nyh : Performing search in 'OU=OU-test,DC=some,DC=local,DC=lan' with filter '(|(&(sAMAccountName=test.juliusbess)(objectClass=user))(&(userPrincipalName=test.juliusbess)(objectClass=user)))', scope 'sub'
(1) ldap-vpn-nyh : Waiting for search result...
(1) ldap-vpn-nyh : User object found at DN "CN=Testuser - Test,OU=Contractors,OU=Users,OU=YYY,OU=OU-test,DC=some,DC=local,DC=lan"
(1) ldap-vpn-nyh : Processing user attributes
(1) WARNING: ldap-vpn-nyh : No "known good" password added. Ensure the admin user has permission to read the password attribute
(1) WARNING: ldap-vpn-nyh : PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
Aborted
Kær kveðja / Best regards
Júlíus Þór Bess Ríkharðsson
Netsérfræðingur / Network Administrator
Nýherji Hf.
Borgartún 37 - 105 Reykjavík
Simi/Telephone:
+354 516 1000
Email: julius.bess at nyherji.is
Helpdesk:
+354 516 1600
Website: http://www.nyherji.is
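The alternative the poster mentions, two rlm_ldap instances each with its own fixed base_dn so that no single instance runs twice in a request, written out as an added example (not the poster's configuration, and not a confirmed fix for the abort). The server name, service account and the Employees OU are placeholders; the Contractors OU and the DC= suffix are taken from the DN in the log above.

```unlang
# mods-enabled/ldap  (added example, placeholders throughout)
# One rlm_ldap instance per search base. Each instance has its own
# connection pool, so pool sizing applies per instance.
ldap ldap-contractors {
	server = 'dc1.some.local.lan'
	identity = 'CN=radius-svc,OU=Service Accounts,DC=some,DC=local,DC=lan'
	password = 'REPLACE_ME'
	base_dn = 'DC=some,DC=local,DC=lan'

	user {
		# Search is confined to this OU; ${..base_dn} is the parent's base_dn
		base_dn = "OU=Contractors,OU=Users,OU=YYY,OU=OU-test,${..base_dn}"
		filter = "(&(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(objectClass=user))"
	}
}

ldap ldap-employees {
	server = 'dc1.some.local.lan'
	identity = 'CN=radius-svc,OU=Service Accounts,DC=some,DC=local,DC=lan'
	password = 'REPLACE_ME'
	base_dn = 'DC=some,DC=local,DC=lan'

	user {
		# Placeholder OU for the second population of users
		base_dn = "OU=Employees,OU=Users,OU=YYY,OU=OU-test,${..base_dn}"
		filter = "(&(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(objectClass=user))"
	}
}

# sites-enabled/<site>, authorize section: each instance is called at most
# once per request; the second is consulted only when the first returns
# notfound, so a user present in both OUs is resolved by the first match.
authorize {
	# ... preprocess, suffix, eap etc. as in the existing site ...
	ldap-contractors
	if (notfound) {
		ldap-employees
	}
	# ... remaining policy ...
}
```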