Problem with two ldap connections

Jörn Volkhausen volkhausen.joern at gmx.de
Tue Mar 14 12:09:12 CET 2017


Just for the information of other people who have the same problem.

Issue:

The two ldap configurations are interacting in an undocumented way.

The configuration of the first module is touching the second module's
configuration and instance.

Solution:

For me it helped to just define the basedn and filter in one of the two
ldap configurations.

The other configuration also worked, because I use it only together
with xlat. There is the possibility to define another DN and filter.


I don't know, but could it be that this is not the desired behaviour?


Thanks and hope it helps

Jörn Volkhausen


On 14.03.2017 at 07:56, Jörn Volkhausen wrote:
> Hello all
>
> I have a small problem and hope anyone can help me.
> First my configuration and the debug output:
>
> --- sites-available/radius-staging --- (is also linked in sites-enabled)
> authorize {
>     if ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/) {
>                 update request {
>                         Group-Name := "%{1}"
>                         Stripped-User-Name := "%{2}"
>                 }
>         }
>         else {
>                 reject
>         }
>         #"%{exec:/usr/bin/printenv}"
>         ldap-kap-costumertype
>         if ("%{ldap-kap-costumertype:ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name}}" == unmanaged) {
>                 update control {
>                         Proxy-to-Realm := unmanagedCostumers
>                 }
>         #       updated
>         }
>         else {
>                 ldap-kap-staging
>         #       updated
>         }
> }
>
> authenticate {
>     Auth-Type PAP {
>                 pap
>     }
>     Auth-Type LDAP {
>                 ldap-kap-staging
>     }
> }
>    
> --- modules/ldap-kap-staging ---
> ldap ldap-kap-staging {
>     server := "test"
>         identity := "cn=radiusbinduser,ou=admins,dc=domain,dc=de"
>         password := "XXXXXXX"
>         basedn := "ou=%{Group-Name},dc=domain,dc=de"
>         filter := "(&(uid=%{Stripped-User-Name})(userEnabled=true))"
>
>     dictionary_mapping = ${confdir}/ldap.attrmap
>     set_auth_type = yes
> }
>
> --- modules/ldap-kap-costumertype ---
> ldap ldap-kap-costumertype {
>     server := "test"
>         identity := "cn=radiusbinduser,ou=admins,dc=domain,dc=de"
>         password := "XXXXX"
>         basedn := "dc=domain,dc=de"
>         filter := "ou=%{Group-Name}"
>
>     dictionary_mapping = ${confdir}/ldap.attrmap
>     set_auth_type = no
> }
>
> --- debug output from freeradius ---
> Ready to process requests.
> rad_recv: Access-Request packet from host 10.10.20.100 port 55835, id=1,
> length=131
>     User-Name = "rplus.dt#test at domain.de"
>     Acct-Session-Id = "1489473128K1snz"
>     NAS-IP-Address = 127.0.0.1
>     NAS-Identifier = "Localhost"
>     NAS-Port = 0
>     Calling-Station-Id = "1115551212"
>     User-Password = "testpass"
>     Message-Authenticator = 0xb33a7beab35041d5b1c179deef4d6376
> server radius-staging {
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/radius-staging
> +group authorize {
> ++? if ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/)
>     expand: %{User-Name} -> rplus.dt#test at domain.de
> ? Evaluating ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/) -> TRUE
> ++? if ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/) -> TRUE
> ++if ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/) {
> +++update request {
>     expand: %{1} -> domain.dt
>     expand: %{2} -> test
> +++} # update request = noop
> ++} # if ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/) = noop
> ++ ... skipping else for request 0: Preceding "if" was taken
> [ldap-kap-costumertype] performing user authorization for test
> [ldap-kap-costumertype]     expand: ou=%{Group-Name} -> ou=rplus.dt
> [ldap-kap-costumertype]     expand: dc=domain,dc=de -> dc=domain,dc=de
>   [ldap-kap-costumertype] ldap_get_conn: Checking Id: 0
>   [ldap-kap-costumertype] ldap_get_conn: Got Id: 0
>   [ldap-kap-costumertype] attempting LDAP reconnection
>   [ldap-kap-costumertype] (re)connect to test:636, authentication 0
>   [ldap-kap-costumertype] setting TLS mode to 1
>   [ldap-kap-costumertype] bind as
> cn=radiusbinduser,ou=admins,dc=domain,dc=de/XXXXX to test:636
>   [ldap-kap-costumertype] waiting for bind result ...
>   [ldap-kap-costumertype] Bind was successful
>   [ldap-kap-costumertype] performing search in dc=domain,dc=de, with
> filter ou=rplus.dt
> [ldap-kap-costumertype] No default NMAS login sequence
> [ldap-kap-costumertype] looking for check items in directory...
> [ldap-kap-costumertype] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP.  Are you sure that
> the user is configured correctly?
>   [ldap-kap-costumertype] ldap_release_conn: Release Id: 0
> ++[ldap-kap-costumertype] = ok
> ++? if
> ("%{ldap-kap-costumertype:ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name}}"
> == unmanaged)
>   [ldap-kap-costumertype] - ldap_xlat
>     expand:
> ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name} ->
> ldap:///dc=domain,dc=de?businessCategory?one?ou=rplus.dt
>   [ldap-kap-costumertype] ldap_get_conn: Checking Id: 0
>   [ldap-kap-costumertype] ldap_get_conn: Got Id: 0
>   [ldap-kap-costumertype] performing search in dc=domain,dc=de, with
> filter ou=rplus.dt
>   [ldap-kap-costumertype] Adding attribute businessCategory, value: managed
>   [ldap-kap-costumertype] ldap_release_conn: Release Id: 0
>   [ldap-kap-costumertype] - ldap_xlat end
>     expand:
> %{ldap-kap-costumertype:ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name}}
> -> managed
> ? Evaluating
> ("%{ldap-kap-costumertype:ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name}}"
> == unmanaged) -> FALSE
> ++? if
> ("%{ldap-kap-costumertype:ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name}}"
> == unmanaged) -> FALSE
> ++else else {
> [ldap-kap-staging] performing user authorization for test
> [ldap-kap-staging]     expand:
> (&(uid=%{Stripped-User-Name})(userEnabled=true)) ->
> (&(uid=test)(userEnabled=true))     
> <---------------------------------------
> [ldap-kap-staging]     expand: ou=%{Group-Name},dc=domain,dc=de ->
> ou=rplus.dt,dc=domain,dc=de    <---------------------------------------
>   [ldap-kap-staging] ldap_get_conn: Checking Id: 0
>   [ldap-kap-staging] ldap_get_conn: Got Id: 0
>   [ldap-kap-staging] attempting LDAP reconnection
>   [ldap-kap-staging] (re)connect to test:636, authentication 0
>   [ldap-kap-staging] setting TLS mode to 1
>   [ldap-kap-staging] bind as
> cn=radiusbinduser,ou=admins,dc=domain,dc=de/XXXXX to test:636
>   [ldap-kap-staging] waiting for bind result ...
>   [ldap-kap-staging] Bind was successful
>   [ldap-kap-staging] performing search in ou=rplus.dt,dc=domain,dc=de,
> with filter (&(uid=test)(userEnabled=true))
> [ldap-kap-staging] No default NMAS login sequence
> [ldap-kap-staging] looking for check items in directory...
>   [ldap-kap-staging] userPassword -> Password-With-Header ==
> "{SSHA}ac2cE0LcZb04Hr9mGf5RIvfeoDlDkT5BaEB4tw=="
> [ldap-kap-staging] looking for reply items in directory...
> [ldap-kap-staging] Setting Auth-Type = LDAP
>   [ldap-kap-staging] ldap_release_conn: Release Id: 0
> +++[ldap-kap-staging] = ok
> ++} # else else = ok
> +} # group authorize = ok
> Found Auth-Type = LDAP
> # Executing group from file /etc/freeradius/sites-enabled/radius-staging
> +group LDAP {
> [ldap-kap-staging] login attempt by "test" with password "testpass"
> [ldap-kap-staging] user DN: ou=rplus.dt,dc=domain,dc=de       
> <---------------------------------------
>   [ldap-kap-staging] (re)connect to test:636, authentication 1
>   [ldap-kap-staging] setting TLS mode to 1
>   [ldap-kap-staging] bind as ou=rplus.dt,dc=telekom,dc=de/testpass to
> test:636 <---------------------------------------
>   [ldap-kap-staging] waiting for bind result ...
>   [ldap-kap-staging] Bind failed with invalid credentials    
> ++[ldap-kap-staging] = reject
> +} # group LDAP = reject
> Failed to authenticate the user.
> } # server radius-staging
> Using Post-Auth-Type Reject
> # Executing group from file /etc/freeradius/sites-enabled/radius-staging
> +group REJECT {
> [attr_filter.access_reject]     expand: %{User-Name} ->
> rplus.dt#test at domain.de
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] = updated
> +} # group REJECT = updated
> Delaying reject of request 0 for 1 seconds
>
>
> Can anyone explain to me why FreeRADIUS uses two different user DNs for the
> same ldap configuration [ldap-kap-staging]?
> That it authorizes the user is good, but why is FreeRADIUS using the
> wrong DN at the authenticate stage for the same ldap config?
>
> Thank you very much
> Jörn Volkhausen
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
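As an added illustration (not part of the original mail, and not FreeRADIUS code): a small Python script that reads the rlm_ldap lines of a `radiusd -X` run and checks, for every user DN a module instance binds with in the authenticate stage, which instance's authorize search could have produced that DN. It runs over a few lines condensed from the debug output quoted above (a constructed sample: wrapped lines joined, and the bind line's domain made consistent with the `user DN:` line). The match rule is a heuristic of my own, not the server's logic: an entry counts as a possible result of a search if its DN lies at or under the search base and its RDN satisfies one equality assertion of the filter.

```python
"""Correlate rlm_ldap debug lines from a FreeRADIUS 2.x 'radiusd -X' run.

For each 'user DN:' line (authenticate stage) report which module
instances ran an authorize-stage search that could have returned that DN.
A DN that only fits *another* instance's search is the cross-instance
interaction described in the thread. Added example, not the server's code.
"""
import re

# Constructed sample, condensed from the debug output quoted in the thread.
SAMPLE_LOG = """\
  [ldap-kap-costumertype] performing search in dc=domain,dc=de, with filter ou=rplus.dt
  [ldap-kap-staging] performing search in ou=rplus.dt,dc=domain,dc=de, with filter (&(uid=test)(userEnabled=true))
[ldap-kap-staging] login attempt by "test" with password "testpass"
[ldap-kap-staging] user DN: ou=rplus.dt,dc=domain,dc=de
  [ldap-kap-staging] bind as ou=rplus.dt,dc=domain,dc=de/testpass to test:636
  [ldap-kap-staging] Bind failed with invalid credentials
"""

SEARCH_RE = re.compile(
    r"^\s*\[(?P<inst>[^\]]+)\] performing search in (?P<base>.+?), with filter (?P<filt>.+?)\s*$")
USERDN_RE = re.compile(r"^\s*\[(?P<inst>[^\]]+)\] user DN: (?P<dn>\S+)")
# equality assertions inside an LDAP filter, e.g. (uid=test) or a bare ou=x
ASSERTION_RE = re.compile(r"([A-Za-z][\w.-]*)=([^()&|!]+)")


def norm_dn(dn):
    """Lower-case a DN and drop whitespace around the comma separators."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_debug(log):
    """Collect (instance, base, filter) searches and (instance, dn) user DNs."""
    searches = []
    user_dns = []
    for line in log.splitlines():
        m = SEARCH_RE.match(line)
        if m:
            searches.append((m["inst"], norm_dn(m["base"]), m["filt"].strip()))
            continue
        m = USERDN_RE.match(line)
        if m:
            user_dns.append((m["inst"], norm_dn(m["dn"])))
    return searches, user_dns


def could_have_returned(dn, base, filt):
    """Heuristic (my assumption, not LDAP semantics): the entry lies at or
    under the search base and its RDN satisfies one equality assertion of
    the filter. Escaped commas in RDN values are not handled."""
    if not (dn == base or dn.endswith("," + base)):
        return False
    rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
    return any(attr.lower() == rdn_attr and val.strip().lower() == rdn_val
               for attr, val in ASSERTION_RE.findall(filt))


def audit(log):
    """One finding per authenticate-stage user DN: which instances' searches
    could have produced it, and whether the binding instance is among them."""
    searches, user_dns = parse_debug(log)
    findings = []
    for inst, dn in user_dns:
        origins = sorted({i for i, base, filt in searches
                          if could_have_returned(dn, base, filt)})
        findings.append({"instance": inst, "dn": dn,
                         "possible_origins": origins,
                         "consistent": inst in origins})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        status = "ok" if f["consistent"] else "MISMATCH"
        print(f"{status}: {f['instance']} binds as {f['dn']}; "
              f"searches that could have returned it: {f['possible_origins'] or 'none'}")
```

On the sample the script reports a MISMATCH for ldap-kap-staging: the DN it binds with, ou=rplus.dt,dc=domain,dc=de, is that instance's own base DN and cannot satisfy its uid filter, but it is exactly what the ldap-kap-costumertype search (base dc=domain,dc=de, filter ou=rplus.dt) returns. In the quoted run the wrong DN fails closed (invalid credentials, then reject), so the visible effect is denied logins; the script only makes the cross-instance origin explicit instead of relying on the arrows drawn by hand in the debug output.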