LDAP group check not working with SQL expansion

Klara Mall klara.mall at kit.edu
Mon Jul 24 23:03:08 CEST 2017


Hi,

I'm using FreeRADIUS Version 3.0.12.

I'm doing EAP-TTLS/PAP and I have the following policy in the
authorize section of the inner tunnel virtual server (same behaviour
when it's in post-auth):

w2vgroupcheck {
    if("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) {
        if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) {
            if (LDAP-Group == "%{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}") {
                update reply {
                    Tunnel-Private-Group-Id := "%{sql:SELECT vlan_id FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}"
                    Tunnel-Type := VLAN
                    Tunnel-Medium-Type := IEEE-802
                }
            }
            else {
                reject
            }
        }
    }
}

Which results in:

(8)       policy w2vgroupcheck {
(8)         if ("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) {
(8)         EXPAND %{Stripped-User-Domain}
(8)            --> vlan-1.w2v.kit.edu
(8)         if ("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/)  -> TRUE
(8)         if ("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/)  {
(8)           if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) {
rlm_sql (sql): Reserved connection (0)
(8)           Executing select query: SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('vlan-1.w2v.kit.edu', '\.w2v\.kit\.edu$', '')
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
rlm_sql (sql): Released connection (0)
(8)           EXPAND %{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}
(8)              --> 1
(8)           if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0)  -> TRUE
(8)           if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0)  {
(8)             if (LDAP-Group == "%{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}") {
rlm_sql (sql): Reserved connection (1)
(8)             Executing select query: SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('vlan-1.w2v.kit.edu', '\.w2v\.kit\.edu$', '')
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
rlm_sql (sql): Released connection (1)
(8)             EXPAND %{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}
(8)                --> KIT-Group-1
(8)             if (LDAP-Group == "%{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}")  -> FALSE
(8)             else {
(8)               [reject] = reject
(8)             } # else = reject
(8)           } # if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0)  = reject
(8)         } # if ("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/)  = reject
(8)       } # policy w2vgroupcheck = reject


I don't understand it, because the SQL expansion works, but then
there is no attempt to do the LDAP group check. It just says FALSE
and rejects. When I replace
(LDAP-Group == "%{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}")
with
(LDAP-Group == "KIT-Group-1")
it works:

(8)       policy w2vgroupcheck {
(8)         if ("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) {
(8)         EXPAND %{Stripped-User-Domain}
(8)            --> vlan-1.w2v.kit.edu
(8)         if ("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/)  -> TRUE
(8)         if ("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/)  {
(8)           if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) {
rlm_sql (sql): Reserved connection (0)
(8)           Executing select query: SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('vlan-1.w2v.kit.edu', '\.w2v\.kit\.edu$', '')
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
rlm_sql (sql): Released connection (0)
(8)           EXPAND %{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}
(8)              --> 1
(8)           if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0)  -> TRUE
(8)           if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0)  {
(8)             if (LDAP-Group == "KIT-Group-1") {
(8)             Searching for user in group "KIT-Group-1"
rlm_ldap (ldap): Reserved connection (1)
(8)             Using user DN from request "uid=abc123,ou=People,ou=unix,ou=IDM,dc=kit,dc=edu"
(8)             Checking for user in group objects
(8)               EXPAND (&(cn=KIT-Group-1)(objectClass=posixGroup)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))
(8)                  --> (&(cn=KIT-Group-1)(objectClass=posixGroup)(memberUid=abc123))
(8)               Performing search in "ou=unix,ou=IDM,dc=kit,dc=edu" with filter "(&(cn=KIT-Group-1)(objectClass=posixGroup)(memberUid=abc123))", scope "sub"
(8)               Waiting for search result...
(8)             User found in group object "ou=unix,ou=IDM,dc=kit,dc=edu"
rlm_ldap (ldap): Released connection (1)
(8)             if (LDAP-Group == "KIT-Group-1")  -> TRUE
(8)             if (LDAP-Group == "KIT-Group-1")  {
(8)               update reply {
rlm_sql (sql): Reserved connection (1)
(8)                 Executing select query: SELECT vlan_id FROM w2v WHERE vlan_name=regexp_replace('vlan-1.w2v.kit.edu', '\.w2v\.kit\.edu$', '')
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
rlm_sql (sql): Released connection (1)
(8)                 EXPAND %{sql:SELECT vlan_id FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}
(8)                    --> 22
(8)                 Tunnel-Private-Group-Id := 22
(8)                 Tunnel-Type := VLAN
(8)                 Tunnel-Medium-Type := IEEE-802
(8)               } # update reply = noop
(8)             } # if (LDAP-Group == "KIT-Group-1")  = noop
(8)             ... skipping else: Preceding "if" was taken
(8)           } # if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0)  = noop
(8)         } # if ("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/)  = noop
(8)       } # policy w2vgroupcheck = noop



Thanks in advance
Klara
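The decision flow that the w2vgroupcheck policy above implements (realm regex, w2v table lookup, LDAP posixGroup membership check, then either reject or the three Tunnel-* reply attributes), written out as a stand-alone Python model so the four outcomes can be traced on sample input. This is an added example, not part of the post and not FreeRADIUS code: the w2v rows and the group membership map are constructed stand-ins for the PostgreSQL table and the LDAP directory, the SQLite table and the function names are assumptions of this model, and the bound query parameter stands in for the escaping rlm_sql applies to values expanded inside %{sql:...}. The model uses the regex's own capture group for the VLAN name instead of a second regexp_replace, which gives the same value the debug output shows.

```python
import re
import sqlite3
from typing import Dict, Tuple

# Realm pattern from the policy: exactly one label, then the fixed suffix.
REALM_RE = re.compile(r"^([^.]+)\.w2v\.kit\.edu$")

# Constructed stand-in for the w2v table (vlan_name, group_name, vlan_id).
W2V_ROWS = [
    ("vlan-1", "KIT-Group-1", "22"),
    ("vlan-2", "KIT-Group-2", "23"),
]

# Constructed stand-in for the LDAP posixGroup objects: cn -> memberUid set.
LDAP_GROUPS = {
    "KIT-Group-1": {"abc123", "def456"},
    "KIT-Group-2": {"ghi789"},
}

# The reply attributes the policy sets when the group check passes.
Reply = Dict[str, str]


def build_db() -> sqlite3.Connection:
    """In-memory SQLite copy of the constructed w2v table (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE w2v (vlan_name TEXT PRIMARY KEY, group_name TEXT, vlan_id TEXT)"
    )
    db.executemany("INSERT INTO w2v VALUES (?, ?, ?)", W2V_ROWS)
    return db


def ldap_group_check(uid: str, group: str) -> bool:
    """Models the filter (&(cn=<group>)(objectClass=posixGroup)(memberUid=<uid>))."""
    return uid in LDAP_GROUPS.get(group, set())


def w2vgroupcheck(
    db: sqlite3.Connection, stripped_user_name: str, stripped_user_domain: str
) -> Tuple[str, Reply]:
    """Return (unlang result, reply attributes) for one request.

    Mirrors the policy's control flow: a realm that does not match, or a
    VLAN name with no w2v row, falls through with noop; a known VLAN whose
    group the user is not in is rejected; a member gets the Tunnel-* reply.
    """
    match = REALM_RE.match(stripped_user_domain or "")
    if not match:
        return "noop", {}
    vlan_name = match.group(1)  # same value regexp_replace() yields in the post

    # Bound parameter instead of string interpolation into the SQL text.
    row = db.execute(
        "SELECT group_name, vlan_id FROM w2v WHERE vlan_name = ?", (vlan_name,)
    ).fetchone()
    if row is None:
        # COUNT(*) == 0: the inner if is skipped and no else is attached to it.
        return "noop", {}

    group_name, vlan_id = row
    if not ldap_group_check(stripped_user_name, group_name):
        return "reject", {}

    return "noop", {
        "Tunnel-Private-Group-Id": vlan_id,
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
    }


if __name__ == "__main__":
    db = build_db()
    for uid, realm in [
        ("abc123", "vlan-1.w2v.kit.edu"),
        ("ghi789", "vlan-1.w2v.kit.edu"),
        ("abc123", "vlan-9.w2v.kit.edu"),
        ("abc123", "other.kit.edu"),
    ]:
        print(uid, realm, "->", w2vgroupcheck(db, uid, realm))
```

Running the module prints one line per constructed request; the first is the case from the post (uid abc123, realm vlan-1.w2v.kit.edu, VLAN 22), the second is a user outside KIT-Group-1 and is rejected, and the last two fall through with noop because either the VLAN name has no row or the realm does not match at all.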

