LDAP Query: Not Found
Song Zou
a13519 at me.com
Mon Nov 19 13:35:32 CET 2018
please don’t send email
On Jul 29, 2015, at 04:17, Scott Pickles via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> sAMAccountName is what resolved that issue. I am using unlang to have AD check my user's group membership and then I want to use ntlm_auth to authenticate. Almost there, just a bit stuck:
> Received Access-Request Id 48 from 172.18.1.2:1025 to 172.18.2.100:1812 length 66
> User-Name = 'spickles'
> User-Password = '****'
> NAS-IP-Address = 172.18.1.2
> NAS-Port = 48
> NAS-Port-Type = Virtual
> (0) Received Access-Request packet from host 172.18.1.2 port 1025, id=48, length=66
> (0) User-Name = 'spickles'
> (0) User-Password = '****'
> (0) NAS-IP-Address = 172.18.1.2
> (0) NAS-Port = 48
> (0) NAS-Port-Type = Virtual
>
> /etc/raddb/clients.conf configuration points my NAS to the site file 'cisco_asa' via virtual_server = cisco_asa
> (0) # Executing section authorize from file /etc/raddb/sites-enabled/cisco_asa
>
> (0) authorize {
> (0) [preprocess] = ok
> (0) [mschap] = noop
> (0) [files] = noop
> rlm_ldap (ldap): Reserved connection (4)
> (0) ldap : EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
> (0) ldap : --> (sAMAccountName=spickles)
> (0) ldap : EXPAND DC=myDomain,DC=com
> (0) ldap : --> DC=myDomain,DC=com
> (0) ldap : Performing search in 'DC=myDomain,DC=com' with filter '(sAMAccountName=spickles)', scope 'sub'
> (0) ldap : Waiting for search result...
>
> This is good
> (0) ldap : User object found at DN "CN=Scott Pickles,CN=Users,DC=myDomain,DC=com"
>
> (0) ldap : Processing user attributes
>
> This is expected because I'm just using LDAP to check group membership
> (0) WARNING: ldap : No "known good" password added. Ensure the admin user has permission to read the password attribute
> (0) WARNING: ldap : PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
>
>
> rlm_ldap (ldap): Released connection (4)
> (0) [ldap] = ok
> (0) if (Ldap-Group == "VPN-Internal")
> (0) Searching for user in group "VPN-Internal"
> rlm_ldap (ldap): Reserved connection (4)
> (0) Using user DN from request "CN=Scott Pickles,CN=Users,DC=myDomain,DC=com"
> (0) Checking for user in group objects
> (0) EXPAND (&(cn=VPN-Internal)(objectClass=posixGroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
> (0) --> (&(cn=VPN-Internal)(objectClass=posixGroup)(|(member=CN\3dScott Pickles\2cCN\3dUsers\2cDC\3dmyDomain\2cDC\3dcom)(memberUid=spickles)))
> (0) EXPAND DC=myDomain,DC=com
> (0) --> DC=myDomain,DC=com
> (0) Performing search in 'DC=myDomain,DC=com' with filter '(&(cn=VPN-Internal)(objectClass=posixGroup)(|(member=CN\3dScott Pickles\2cCN\3dUsers\2cDC\3dmyDomain\2cDC\3dcom)(memberUid=spickles)))', scope 'sub'
> (0) Waiting for search result...
>
> How come the search fails the first time?
> (0) Search returned no results
> (0) Search returned not found
>
>
> (0) Checking user object membership (memberOf) attributes
> (0) Performing unfiltered search in 'CN=Scott Pickles,CN=Users,DC=myDomain,DC=com', scope 'base'
> (0) Waiting for search result...
> (0) Processing group membership value "CN=VPN-Internal,OU=VPN,OU=Groups,DC=myDomain,DC=com"
> (0) Converting group DN to group Name
> (0) Performing unfiltered search in 'CN=VPN-Internal,OU=VPN,OU=Groups,DC=myDomain,DC=com', scope 'base'
> (0) Waiting for search result...
>
> But it works the second time?
> (0) Group name is "VPN-Internal"
> (0) User found. Comparison between membership: name (resolved from DN), check: name
>
>
> rlm_ldap (ldap): Released connection (4)
> (0) if (Ldap-Group == "VPN-Internal") -> TRUE
> (0) if (Ldap-Group == "VPN-Internal") {
> (0) [ok] = ok
> (0) } # if (Ldap-Group == "VPN-Internal") = ok
> (0) ... skipping else for request 0: Preceding "if" was taken
> (0) } # authorize = ok
>
> To fix this, do I add Auth-Type to my unlang statement?
> (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
>
> server cisco_asa {
> authorize {
> preprocess
> mschap
> files
> ldap
> if(Ldap-Group == "VPN-Internal") {
> #Setting 'Auth-Type := ntlm_auth' here fails
> # Loading authorize {...}
> #/etc/raddb/sites-enabled/cisco_asa[8] Invalid return code assigment inside of a if section
> #/etc/raddb/sites-enabled/cisco_asa[2]: Errors parsing authorize section.
>
> #setting 'ntlm_auth' here doesn't seem to be necessary?
> ok
> }
> else {
> reject
> }
> }
>
> authenticate {
> Auth-Type PAP {
> pap
> }
>
> Auth-Type CHAP {
> chap
> }
>
> Auth-Type MS-CHAP {
> mschap
> }
> ntlm_auth
> }
> }
>
> This is obviously where it's failing, but authenticate also has ntlm_auth as I thought it should? Seems like I just need to tweak the authorize/authenticate sections?
> (0) Failed to authenticate the user
> (0) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [spickles/****] (from client ROCH_FIREWALL port 48)
> (0) Using Post-Auth-Type Reject
>
>
> (0) # Executing group from file /etc/raddb/sites-enabled/cisco_asa
> (0) Post-Auth-Type REJECT {
> (0) attr_filter.access_reject : EXPAND %{User-Name}
> (0) attr_filter.access_reject : --> spickles
> (0) attr_filter.access_reject : Matched entry DEFAULT at line 11
> (0) [attr_filter.access_reject] = updated
> (0) } # Post-Auth-Type REJECT = updated
> (0) Delaying response for 1 seconds
> Waking up in 0.6 seconds.
> Waking up in 0.3 seconds.
> (0) Sending delayed response
> (0) Sending Access-Reject packet to host 172.18.1.2 port 1025, id=48, length=0
> Sending Access-Reject Id 48 from 172.18.2.100:1812 to 172.18.1.2:1025
> Waking up in 3.9 seconds.
> (0) Cleaning up request packet ID 48 with timestamp +7
> Ready to process requests
>
>
>
>
> On Tuesday, July 28, 2015 12:43 PM, Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
>
>
> You are not getting any results. The same with ldapsearch
>
> So use an ldap explorer tool or talk to the ldap/AD expert at your site to get info about the schema. OpenLDAP is uid, AD is usually e.g. sAMAccountName
>
> Once you've got the right tag and paths it'll all work
>
> alan
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
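Added example (not from the thread or the FreeRADIUS project): the two FreeRADIUS 3.0 configuration changes that address the quoted debug output. Auth-Type is a control-list attribute, so it is set with an `update control` block rather than the bare assignment that produced the "Invalid return code" parse error, and the ldap module's group filter is changed from the default posixGroup (visible in the expanded filter above) to AD's objectClass group, which is why the first group search returns nothing before the memberOf fallback succeeds. Paths, the group name, the base DN and the module instance names are taken from the quoted config; the remaining ldap module settings (server, bind identity, user section) are omitted.

```unlang
# /etc/raddb/sites-enabled/cisco_asa (corrected site, added example)
server cisco_asa {
    authorize {
        preprocess
        mschap
        files
        ldap
        if (Ldap-Group == "VPN-Internal") {
            # Auth-Type is a control attribute, so it is set inside an
            # "update control" block; a bare 'Auth-Type := ntlm_auth' line
            # is what triggers the "Invalid return code assignment" error.
            update control {
                Auth-Type := ntlm_auth
            }
        }
        else {
            reject
        }
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        # Selected by the Auth-Type set above. The ASA sends User-Password,
        # which the ntlm_auth exec module hands to winbind for verification.
        Auth-Type ntlm_auth {
            ntlm_auth
        }
    }
}

# /etc/raddb/mods-available/ldap, group subsection only (other settings omitted)
ldap {
    group {
        base_dn = "DC=myDomain,DC=com"
        # The default filter is (objectClass=posixGroup); AD groups are
        # objectClass "group", so the first search in the debug output finds
        # nothing and rlm_ldap falls back to the user's memberOf attribute.
        filter = '(objectClass=group)'
        name_attribute = 'cn'
        membership_attribute = 'memberOf'
    }
}
```

With the group filter corrected, the debug output should show the first search returning the group entry and the memberOf pass being skipped; `radiusd -X` will show the `update control` taking effect as `Auth-Type := ntlm_auth` just before the `authenticate` section runs.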