Multi-valued LDAP attribute configuration

Alan DeKok aland at deployingradius.com
Thu Sep 14 15:45:44 CEST 2017


On Sep 14, 2017, at 3:49 AM, Srinivasa R <srinivasa.r at icts.res.in> wrote:
> I have gone through the Freeradius logs and found that Freeradius is able
> to find the user id, i.e. the MAC address, which is a multi-valued field in LDAP, but
> the problem is with the password. Freeradius is retrieving all
> three macAddress values for the password from LDAP, but for some
> reason it is trying to match with the first value all the time. I am
> posting the detailed log. I am getting the Access-Accept reply for the very
> first value in the multi-valued field. Could someone help me please?
> 
> *Freeradius configuration:*
> *LDAP conf file config:*
> update {
>                control:Password-With-Header    += 'macAddress'

  Don't do that.  The "Password-With-Header" attribute is for LDAP passwords with headers.

  e.g. {nt4}....

  It is NOT for simple strings.

  Delete that.  It's wrong.

> Received Access-Request Id 22 from 172.16.XX.XX:35697 to 172.16.XX.XXX:1812
> length 103
> User-Name = 'e4:a4:71:a3:88:6f'
> User-Password = 'e4:a4:71:a3:88:6f'

  Since those are the same, you don't need to check passwords.  You just need to check that the MAC address is in LDAP.  Then, check that the User-Name is the same as the User-Password.

> 
> (2)  ldap : Performing search in 'ou=People,dc=icts,dc=res,dc=in' with
> filter '(macAddress=e4:a4:71:a3:88:6f)', scope 'sub'
> (2)  ldap : Waiting for search result...
> (2)  ldap : User object found at DN "cn=it
> section,ou=People,dc=icts,dc=res,dc=in"

  That's good...

> (2)  ldap : Processing user attributes
> (2)  ldap : control:Password-With-Header += '28:f1:0e:2a:c1:ac'
> (2)  ldap : control:Password-With-Header += 'e4:a4:71:a3:88:6f'
> (2)  ldap : control:Password-With-Header += '0c:c4:7a:22:63:23'
> rlm_ldap (ldap): Released connection (4)
> (2)   [ldap] = ok

  You can then do:

	...
	ldap
	if (ok && (User-Name == User-Password)) {
		update control {
			Auth-Type := Accept
		}
	}

  And it will work.  Don't bother checking the password after that.

  Alan DeKok.
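The two pieces of the fix above, assembled into one configuration. This is an added example, not part of Alan's reply and not a file shipped by the FreeRADIUS project. It assumes FreeRADIUS 3.0 unlang syntax (the & prefix on attribute references), that this virtual server serves only MAC-authenticating clients (so an unknown MAC can simply be rejected), and a `user {}` block in mods-available/ldap whose base_dn and filter reproduce the search shown in the log. The `else { reject }` branch is an addition here: it refuses a MAC that is not in LDAP, or a request whose User-Password differs from User-Name, instead of letting the request fall through to other authentication methods.

```unlang
# mods-available/ldap (excerpt, assumed layout of the stock module file)
ldap {
	server = "ldap.example.org"        # placeholder, not from the thread
	# ... identity/password/TLS settings unchanged ...

	user {
		# Search parameters taken from the debug log in the thread.
		base_dn = "ou=People,dc=icts,dc=res,dc=in"
		filter = "(macAddress=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	update {
		# Do NOT map macAddress to a password attribute.  The entry
		#   control:Password-With-Header += 'macAddress'
		# has been removed; the MAC is matched by the search filter,
		# not by a password comparison.
	}
}

# sites-enabled/default, authorize section (MAC-only virtual server assumed)
authorize {
	preprocess

	# Look the MAC up.  The module returns "ok" when an entry whose
	# macAddress matches User-Name exists, "notfound" otherwise.
	ldap

	# Accept only if LDAP found the MAC and the NAS sent the MAC as the
	# password, exactly as Alan suggests; no password module runs.
	if (ok && (&User-Name == &User-Password)) {
		update control {
			&Auth-Type := Accept
		}
	}
	else {
		# Added here: refuse unknown MACs or mismatched credentials
		# instead of falling through to other authentication methods.
		reject
	}
}
```

Note that MAC addresses are trivially spoofable, so this design only proves that the client presented a MAC that exists in the directory; it should be treated as device identification, not as authentication of a user.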