ldap configuration & the mysterious filter ="(uid=%u)"

Walter Moore moorewr at eckerd.edu
Tue Feb 9 19:40:00 CET 2016


Good afternoon.

I've been searching for an answer to this issue on a new install of freeradius
on CentOS 7, installed from RPMs. As far as I can see, what I enter for the
ldap filter is not being used by the server, but I'm hopeful I've missed
some detail in the configuration.

Here's the key error in the output from radiusd -X.

*(0) ERROR: ldap : (uid=%u)*
*(0) ERROR: ldap :       ^ Invalid variable expansion*
*(0)  ERROR: ldap : Unable to create filter*

[root at kukulcan raddb]# grep -r '%u'
[root at kukulcan raddb]# grep -r '\%u'

[root at kukulcan raddb]# radiusd -v
radiusd: FreeRADIUS Version 3.0.4, for host x86_64-redhat-linux-gnu, built on Mar  5 2015 at 23:41:36
Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT

[root at kukulcan raddb]# yum list freeradius\*
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: centos.host-engine.com
 * extras: centos.den.host-engine.com
 * updates: centos.mirror.ndchost.com
Installed Packages
freeradius.x86_64                             3.0.4-6.el7    @base
freeradius-devel.x86_64                       3.0.4-6.el7    @base
freeradius-doc.x86_64                         3.0.4-6.el7    @base
freeradius-krb5.x86_64                        3.0.4-6.el7    @base
freeradius-ldap.x86_64                        3.0.4-6.el7    @base
freeradius-mysql.x86_64                       3.0.4-6.el7    @base
freeradius-perl.x86_64                        3.0.4-6.el7    @base
freeradius-postgresql.x86_64                  3.0.4-6.el7    @base
freeradius-python.x86_64                      3.0.4-6.el7    @base
freeradius-sqlite.x86_64                      3.0.4-6.el7    @base
freeradius-unixODBC.x86_64                    3.0.4-6.el7    @base
freeradius-utils.x86_64                       3.0.4-6.el7    @base
Available Packages
freeradius-devel.i686                         3.0.4-6.el7    base


/etc/raddb/mods-enabled/ldap:
[...]
    ldap {
        server = "ldap.eckerd.edu"
        identity = "cn=directory manager"
        password = *********
        basedn = "dc=eckerd,dc=edu"
*        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"*
        #base_filter = "(objectclass=radiusprofile)"
[...]

[root at kukulcan ~]# grep '%u' /etc/raddb/mods-enabled/ldap
[root at kukulcan ~]#


LDAP output from radiusd -X

[...]
  # Loaded module rlm_ldap
  # Instantiating module "ldap" from file /etc/raddb/mods-enabled/ldap
  ldap {
        server = "ldap.eckerd.edu"
        port = 389
        password = <<< secret >>>
        identity = "cn=directory manager"
   user {
*        filter = "(uid=%u)"*
        scope = "sub"
        base_dn = ""
        access_positive = yes
   }
   group {
        scope = "sub"
        base_dn = ""
        name_attribute = "cn"
        cacheable_name = no
        cacheable_dn = no
   }
   client {
        scope = "sub"
        base_dn = ""
    attribute {
        identifier = "host"
        shortname = "cn"
    }
   }
   profile {
        filter = "(&)"
   }
   options {
        ldap_debug = 0
        net_timeout = 10
        res_timeout = 20
        srv_timelimit = 20
        idle = 60
        probes = 3
        interval = 30
   }
   tls {
        start_tls = no
   }
  }
rlm_ldap: Falling back to build time libldap version info.  Query for LDAP_OPT_API_INFO returned: -1
rlm_ldap: libldap vendor: OpenLDAP version: 20439
rlm_ldap (ldap): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap): Initialising connection pool
   pool {
        start = 5
        min = 5
        max = 10
        spare = 3
        uses = 0
        lifetime = 0
        cleanup_interval = 30
        idle_timeout = 60
        retry_delay = 1
        spread = no
   }
rlm_ldap (ldap): Opening additional connection (0)
rlm_ldap (ldap): Connecting to ldap.eckerd.edu:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (1)
rlm_ldap (ldap): Connecting to ldap.eckerd.edu:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (2)
rlm_ldap (ldap): Connecting to ldap.eckerd.edu:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (3)
rlm_ldap (ldap): Connecting to ldap.eckerd.edu:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (4)
rlm_ldap (ldap): Connecting to ldap.eckerd.edu:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
[...]
Received Access-Request Id 44 from 127.0.0.1:44847 to 127.0.0.1:1812 length 77
        User-Name = 'moorewr'
        User-Password = 'foobar'
        NAS-IP-Address = 198.187.214.151
        NAS-Port = 0
        Message-Authenticator = 0x6a42189a2e73e4a2d624012f4ab82ce3
(0) Received Access-Request packet from host 127.0.0.1 port 44847, id=44, length=77
(0)     User-Name = 'moorewr'
(0)     User-Password = 'foobar'
(0)     NAS-IP-Address = 198.187.214.151
(0)     NAS-Port = 0
(0)     Message-Authenticator = 0x6a42189a2e73e4a2d624012f4ab82ce3
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
rlm_ldap (ldap): Reserved connection (4)
*(0) ERROR: ldap : (uid=%u)*
*(0) ERROR: ldap :       ^ Invalid variable expansion*
*(0)  ERROR: ldap : Unable to create filter*
rlm_ldap (ldap): Released connection (4)
rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 259 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 259 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 259 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for 259 seconds
rlm_ldap (ldap): You probably need to lower "min"
(0)   [ldap] = invalid
(0)  } #  authorize = invalid
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)  Post-Auth-Type REJECT {
(0)  attr_filter.access_reject : EXPAND %{User-Name}
(0)  attr_filter.access_reject :    --> moorewr
(0)  attr_filter.access_reject : Matched entry DEFAULT at line 11
(0)   [attr_filter.access_reject] = updated
(0)  eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
(0)   [eap] = noop
(0)   remove_reply_message_if_eap remove_reply_message_if_eap {
(0)     if (&reply:EAP-Message && &reply:Reply-Message)
(0)     if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)    else else {
(0)     [noop] = noop
(0)    } # else else = noop
(0)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(0)  } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sending Access-Reject packet to host 127.0.0.1 port 44847, id=44, length=0
Sending Access-Reject Id 44 from 127.0.0.1:1812 to 127.0.0.1:44847
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 44 with timestamp +259


-- 
+-----------------------------------------------------------------+
Walter R. Moore --  Sr. Systems Administrator, Eckerd College
moorewr at eckerd.edu --  http://home.eckerd.edu/~moorewr

"It was glorious to see -- if your heart were iron,
And you could keep from grieving at all the pain" - The Iliad (13.355)

I'm on twitter: http://twitter.com/moorewreckerd

***Reminder! ITS will never ask you to e-mail your password!***
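Editor's note, added to the archived post and not written by its author: the instantiated config that radiusd -X prints above reads the search filter from the `user { }` subsection of the ldap module, while the filter in the file sits at the top level of the `ldap { }` block. The checker below is an added example (not FreeRADIUS code) that parses a brace-nested module config, reports the filter the module will actually use, and flags v2-style `%u` expansions; it assumes that `(uid=%u)` is the fallback when `user.filter` is absent, which is what the post's output shows, and the two sample configs are constructed.

```python
import re

# rlm_ldap 3.x reads the user search filter from user { filter = ... }; the post's
# debug output shows "(uid=%u)" used when that key is absent (assumed fallback).
FALLBACK_FILTER = "(uid=%u)"
OPEN_RE = re.compile(r'^([A-Za-z_][\w-]*)\s*\{$')
KEY_RE = re.compile(r'^([A-Za-z_][\w-]*)\s*=\s*(.*)$')
V2_XLAT = re.compile(r'%(?![{%])')  # bare %u-style expansion, not a v3 %{...} xlat

def parse_config(text):
    """Parse FreeRADIUS-style brace config into nested dicts; # comments dropped."""
    stack = [{}]  # stack[-1] is the section currently being filled
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # values containing '#' are not handled
        if not line:
            continue
        if line == '}' and len(stack) > 1:
            stack.pop()
        elif (m := OPEN_RE.match(line)):
            stack[-1][m.group(1)] = child = {}
            stack.append(child)
        elif (m := KEY_RE.match(line)):
            stack[-1][m.group(1)] = m.group(2).strip().strip('"')
    return stack[0]

def check_ldap_filter(text):
    """Return the filter rlm_ldap would actually use and a list of findings."""
    ldap = parse_config(text).get('ldap', {})
    user_filter = ldap.get('user', {}).get('filter')
    findings = []
    if user_filter is None:
        findings.append("user.filter not set; module falls back to " + FALLBACK_FILTER)
        if 'filter' in ldap:
            findings.append("top-level 'filter' is not read by rlm_ldap 3.x; move it into user { }")
    effective = FALLBACK_FILTER if user_filter is None else user_filter
    if V2_XLAT.search(effective):
        findings.append("filter uses a v2-style %x expansion, which v3 rejects as invalid")
    return {"filter": effective, "findings": findings}

# Constructed samples: the post's layout (filter at the ldap top level) and the
# same filter moved into user { }, where the instantiated config shows it read.
V3_FILTER = '(uid=%{%{Stripped-User-Name}:-%{User-Name}})'
BROKEN = 'ldap {\n    filter = "%s"\n    user {\n        scope = "sub"\n    }\n}\n' % V3_FILTER
FIXED = 'ldap {\n    user {\n        scope = "sub"\n        filter = "%s"\n    }\n}\n' % V3_FILTER

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_ldap_filter(cfg))
```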