Antw: Re: Additional NDS error messages missing in FR3 ?

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Oct 3 08:48:15 CEST 2018


>> I have a customized msg_badpass in FR2 with:
>> %{Module-Failure-Message} and %{reply:Reply-Message}
>> 
>> In FR2 it is in Module-Failure for ldap, e.g. [ldap] Bind as user failed
>> and in Reply-Message you can find: NDS error: failed authentication (-669).
> 
>  Yeah, that was wrong.  Reply-Message shouldn't be overloaded like that.

Yeah.

> 
>> I checked it with FR3 with debug_reply after ldap.authenticate (called in Post-Auth for edir-policy-checking and some intruder-triggering) and it's not in the reply...
>> If you run with -X, it looks like this (intruder)...
>> 
>> Tue Oct  2 15:24:19 2018 : Debug: (10) ldap: Waiting for bind result...
>> Tue Oct  2 15:24:22 2018 : ERROR: (10) ldap: Bind credentials incorrect: Invalid credentials
>> Tue Oct  2 15:24:22 2018 : ERROR: (10) ldap: Server said: NDS error: failed authentication (-669).

OK, so the error message *IS* available in v3; OP just isn't accessing it.

>> Tue Oct  2 15:24:22 2018 : Debug: rlm_ldap (ldap): Released connection (1)
>> 
>> I only want to access this ERROR-Message somehow... it does not have to be in Module-Failure-Message...
> 
>  OK, the error should be in the Module-Failure-Message attribute.

It is.  The OP just isn't accessing the different Module-Failure-Messages.  There's no code issue here, there's nothing that needs to be fixed on our side.

OP can use &Module-Failure-Message[0], &Module-Failure-Message[1], &Module-Failure-Message[2], etc. to get the different messages.

IIRC "%{Module-Failure-Message[*]}" will get you a concatenation of all the values.

i.e.

update reply {
	Reply-Message := "%{Module-Failure-Message[*]}"
}

The Module-Failure-Message attributes in v3 form an error stack, with any call to REDEBUG or RERROR pushing additional messages onto the top of the stack.

This lets you get the complete progression of errors.

>> 
>> In the FR2-Code I think it's for example here:
>> https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/src/modules/rlm_ldap/rlm_ldap.c#L2101
>> https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/src/modules/rlm_ldap/rlm_ldap.c#L2233
>> https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/src/modules/rlm_ldap/rlm_ldap.c#L2253
>> 
>> 
>> I'm not quite sure where it is in FR3, perhaps it's starting here (with case error 53) (is it in extra?):
>> https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/modules/rlm_ldap/ldap.c#L748
> 
>  We'll take a look at adding that back in.

It's already included in v3 and v4.  The error handling and code already deals with this.

-Arran

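For the Post-Auth setup described in the thread, here is an added unlang example (written for this reply, not taken from the thread or from the FreeRADIUS project) that reads the v3 Module-Failure-Message stack with [*], extracts the NDS reason and return code from the ldap error text, and keeps that detail in a server-side log instead of handing it to the client. It assumes FreeRADIUS 3.0.x, a linelog instance named auth_errors defined in mods-enabled, and the internal Tmp-String-0/Tmp-String-1 attributes.

```unlang
# Added example for FreeRADIUS 3.0.x (not from the thread). Assumes ldap is
# called in post-auth as the OP describes, and that mods-enabled defines a
# linelog instance "auth_errors" whose format is assumed to be
#   "%{User-Name}: %{Module-Failure-Message[*]}"
post-auth {
    Post-Auth-Type REJECT {
        # Module-Failure-Message is a stack in v3: every RERROR/REDEBUG call
        # pushes one more value, reachable as [0], [1], [2], ... while [*]
        # expands to all of them. For the failed bind above the stack holds
        # both the generic "Bind credentials incorrect: Invalid credentials"
        # line and the "Server said: NDS error: failed authentication (-669)."
        # line. Matching the concatenated stack means the position of the
        # ldap message does not matter if later modules push more entries.
        if ("%{Module-Failure-Message[*]}" =~ /NDS error: (.+) \((-?[0-9]+)\)/) {
            update request {
                # Regex captures: NDS reason text and numeric return code,
                # e.g. "failed authentication" and "-669"
                &Tmp-String-0 := "%{1}"
                &Tmp-String-1 := "%{2}"
            }
        }

        # Record the complete error progression for the operators.
        auth_errors

        # The client only sees a fixed text; the LDAP/NDS detail stays in
        # the server log rather than being overloaded into Reply-Message.
        update reply {
            &Reply-Message := "Authentication failed"
        }
    }
}
```

When the NDS code is needed for a decision (for example, to count -669 failures per user), test &Tmp-String-1 in a further if-block inside the same section rather than parsing Reply-Message on the client side.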