Antw: Re: Additional NDS error messages missing in FR3 ?

Anja Ruckdaeschel Anja.Ruckdaeschel at rz.uni-regensburg.de
Tue Oct 2 16:44:08 CEST 2018


Hi Arran!

No, I'm not running FR 2 with -X...
There is no debug enabled in the LDAP-Module in FR2 (so it defaults to 0x0000 - says the documentation).



""" You know there are multiple instances of Module-Failure-Message right? Are you checking all of them."""

I don't know exactly what you mean by "multiple instances of Module-Failure-Message"....
But if you mean fail, userlock, reject, ...., then it's not there....

I have a customized msg_badpass in FR2 with:
%{Module-Failure-Message} and %{reply:Reply-Message}

In FR2 it is in Module-Failure for ldap, e.g. [ldap] Bind as user failed
and in Reply-Message you can find: NDS error: failed authentication (-669).

Or [ldap] some dn bind to some ldap server failed Server is unwilling to perform in Module-Failure
and NDS error: login lockout (-197) in Reply-Message...

Sorry, my last post was a bit misleading, because the detailed NDS-Error wasn't in Module-Failure, but in Reply-Message.....


I checked it with FR3 with debug_reply after ldap.authenticate (called in Post-Auth for edir-policy-checking and some intruder-triggering) and it's not in the reply ....
If you run with -X, it looks like this (intruder)... 

Tue Oct  2 15:24:19 2018 : Debug: (10) ldap: Waiting for bind result...
Tue Oct  2 15:24:22 2018 : ERROR: (10) ldap: Bind credentials incorrect: Invalid credentials
Tue Oct  2 15:24:22 2018 : ERROR: (10) ldap: Server said: NDS error: failed authentication (-669).
Tue Oct  2 15:24:22 2018 : Debug: rlm_ldap (ldap): Released connection (1)

I only want to access this ERROR-Message somehow... it does not have to be in Module-Failure-Message...


In the FR2-Code I think it's for example here:
https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/src/modules/rlm_ldap/rlm_ldap.c#L2101
https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/src/modules/rlm_ldap/rlm_ldap.c#L2233 
https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/src/modules/rlm_ldap/rlm_ldap.c#L2253 


I'm not quite sure where it is in FR3, perhaps it's starting here (with case error 53) (is it in extra?):
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/modules/rlm_ldap/ldap.c#L748 

Sorry, not much of a C programmer myself...

Ciao Anja
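An added example, not part of this thread and not FreeRADIUS code: a small Python parser for the `radiusd -X` lines quoted above. It pulls the NDS error code and text out of the `Server said:` line and ties it to the request number in parentheses, so lockouts (-197) and failed binds can be counted or alerted on from the debug log even where the message does not reach Module-Failure-Message. The sample log lines are constructed after the shape shown above, and the code meanings are only the ones quoted in this thread.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# Constructed sample, shaped like the radiusd -X lines quoted in the thread.
SAMPLE_LOG = """\
Tue Oct  2 15:24:19 2018 : Debug: (10) ldap: Waiting for bind result...
Tue Oct  2 15:24:22 2018 : ERROR: (10) ldap: Bind credentials incorrect: Invalid credentials
Tue Oct  2 15:24:22 2018 : ERROR: (10) ldap: Server said: NDS error: failed authentication (-669).
Tue Oct  2 15:24:22 2018 : Debug: rlm_ldap (ldap): Released connection (1)
Tue Oct  2 15:25:01 2018 : ERROR: (11) ldap: Server said: NDS error: login lockout (-197).
Tue Oct  2 15:25:40 2018 : ERROR: (12) ldap: Server said: NDS error: no additional information available (-338).
"""

# NDS codes as quoted in the thread; anything else is reported by number only.
NDS_CODE_TEXT = {
    -669: "failed authentication",
    -197: "login lockout",
    -338: "no additional information available",
}
LOCKOUT_CODES = {-197}

# Matches the "Server said: NDS error: <text> (<code>)." line of the -X output.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) : (?P<level>\w+): "
    r"\((?P<req>\d+)\) ldap: Server said: NDS error: (?P<text>.+?) \((?P<code>-?\d+)\)\.?$"
)


@dataclass(frozen=True)
class NdsError:
    timestamp: str
    request: int   # request number from the "(10)" prefix
    code: int      # NDS code, e.g. -669
    text: str      # server-supplied text, e.g. "failed authentication"


def parse_nds_errors(log: str) -> List[NdsError]:
    """Return one NdsError per 'Server said: NDS error' line; other lines are ignored."""
    found = []
    for line in log.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        found.append(NdsError(m["ts"], int(m["req"]), int(m["code"]), m["text"]))
    return found


def count_by_code(errors: List[NdsError]) -> Counter:
    """How often each NDS code was seen; useful for a quick lockout/bad-password breakdown."""
    return Counter(e.code for e in errors)


def lockout_requests(errors: List[NdsError]) -> List[int]:
    """Request numbers whose bind failed with a lockout code (the 'intruder' case)."""
    return [e.request for e in errors if e.code in LOCKOUT_CODES]


def describe(code: int) -> str:
    """Human-readable label for a code, falling back to the bare number."""
    return NDS_CODE_TEXT.get(code, f"NDS error {code}")


if __name__ == "__main__":
    errs = parse_nds_errors(SAMPLE_LOG)
    for e in errs:
        print(f"{e.timestamp} request {e.request}: {describe(e.code)} ({e.code})")
    print("counts:", dict(count_by_code(errs)))
    print("lockouts in requests:", lockout_requests(errs))
```

The regex anchors on the request number and the fixed `Server said: NDS error:` prefix, so the noise lines (bind waiting, connection released) drop out without special-casing. Feeding it a longer -X capture gives a per-code tally, which is enough to watch lockout rates separately from plain bad-password failures.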


>>> Arran Cudbard-Bell <a.cudbardb at freeradius.org> 29.09.2018 15:06 >>>


> On Sep 27, 2018, at 4:45 PM, Anja Ruckdaeschel <Anja.Ruckdaeschel at rz.uni-regensburg.de> wrote:
> 
> Hi there!
> 
> With FR2 you could access the NDS error messages, e.g.
> 
> NDS error: no additional information available (-338)
> NDS error: failed authentication (-669)
> NDS error: login lockout (-197)
> ...
> and log them.
> 
> In FR3 I still can see them with 
> ldap_debug = 0xFFFF
> 
> 
> 
> All I get e.g. with Module-Failure-Message is
> 
> Bind was not permitted: Server was unwilling to perform
> which is the LDAP Error Code 53, which is okay, but I'd really like to log the additional messages, because
> it's really useful...

I went through the Novell code in v2.0.x and there's no where obvious where additional messages are being printed.

It's not clear exactly how you're getting logging output from the server.  Are you running with -X? 

You know there are multiple instances of Module-Failure-Message right? Are you checking all of them.

-Arran
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html 