I would like to ldap bind with username instead of DN

Wessel Louwris wessel at stutit.nl
Sun Jun 21 17:08:57 CEST 2020



> Op 19 jun. 2020, om 16:55 heeft Alan DeKok <aland at deployingradius.com> het volgende geschreven:
> 
> On Jun 19, 2020, at 8:11 AM, Wessel Louwris <wessel at stutit.nl> wrote:
>> 
>> I would like to bind with the given username and skip the ldapsearch, so I implemented 
>> 
>> 	DEFAULT Ldap-UserDN := "%{User-Name}"
>> 
>> in my authorize file (as described on https://wiki.freeradius.org/modules/Rlm_ldap).
>> Unfortunately this seems to be not enough because it’s still binding with the DN:
>> 
>> (6) ldap: Login attempt by "user at company.nl "
> 
>  It helps to show the FULL debug output.  You've deleted 99% of the output.  That means we don't know what else is going on.
> 
>> (6) ldap: Using user DN from request "uid= user,ou=Users,dc=example,dc=com"    # this is a wrong DN returned by ldapsearch
>> (6) ldap: Waiting for bind result...
>> (6) ldap: ERROR: Bind credentials incorrect: Invalid credentials
> 
>  My guess is that you're running the "files" module (which reads the users file) *after* the ldap module.
> 
>  Alan DeKok.


If I authenticate with user migr03 at company.nl (which is not our main domain example.nl) I get the log below.
With mig01 at example.nl everything works fine (although it still binds with the full DN) and I can authenticate.

I hoped that DEFAULT Ldap-UserDN := "%{User-Name}" in my /etc/freeradius/mods-config/files/authorize would skip the ldapsearch and go straight to the binding with this username.

I also pasted my ldap, authorize, default file below the logs.

Thanks, 
Wessel

## migr03 at company.nl


(97) Received Access-Request Id 35 from 10.164.0.3:37310 to 172.17.0.6:1812 length 591
(97)   User-Name = "migr03 at company.nl"
(97)   NAS-IP-Address = 172.16.16.101
(97)   NAS-Identifier = "4C-B1-CD-4A-B3-A8"
(97)   Called-Station-Id = "4C-B1-CD-4A-B3-A8:example"
(97)   NAS-Port-Type = Wireless-802.11
(97)   Service-Type = Framed-User
(97)   NAS-Port = 1
(97)   Calling-Station-Id = "A4-5E-60-DC-05-CF"
(97)   Location-Data = 0x31304e4c17174d616b657273747265657420446576656c6f706d656e74
(97)   Location-Data = 0x32304e4c1626467265642e526f65736b65737472616174393745203130373645432020416d7374657264616d
(97)   Connect-Info = "CONNECT 802.11"
(97)   Acct-Session-Id = "5EEF7342-0AB3A001"
(97)   Acct-Multi-Session-Id = "A737E56E6E72BF9E"
(97)   WLAN-Pairwise-Cipher = 1027076
(97)   WLAN-Group-Cipher = 1027076
(97)   WLAN-AKM-Suite = 1027073
(97)   Ruckus-SSID = "example"
(97)   Ruckus-BSSID = 0x4cb1cd4ab3a8
(97)   Ruckus-Location = "example"
(97)   Ruckus-VLAN-ID = 1
(97)   Ruckus-SCG-CBlade-IP = 600626236
(97)   Attr-26.25053.155 = 0x41646d696e697374726174696f6e20446f6d61696e
(97)   Ruckus-Zone-Name = "example"
(97)   Ruckus-Wlan-Name = "example"
(97)   EAP-Message = 0x025e003f1580000000351703030030e8e23bf39036dbd45371248590343102796b93bf10fbc8d28cf32ed50809ee15c4d28a12a2eb53c18cf686e0dda17e41
(97)   State = 0x2469b8502137ad1a348bcdde947a8261
(97)   Chargeable-User-Identity = 0x00
(97)   Message-Authenticator = 0xb1d164eef1c5725a9f35050eecb2bde7
(97)   Event-Timestamp = "Jun 21 2020 14:48:35 UTC"
(97)   Proxy-State = 0x3635
(97) Restoring &session-state
(97)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(97)   &session-state:TLS-Session-Version = "TLS 1.2"
(97) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(97)   authorize {
(97)     policy filter_username {
(97)       if (&User-Name) {
(97)       if (&User-Name)  -> TRUE
(97)       if (&User-Name)  {
(97)         if (&User-Name =~ / /) {
(97)         if (&User-Name =~ / /)  -> FALSE
(97)         if (&User-Name =~ /@[^@]*@/ ) {
(97)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(97)         if (&User-Name =~ /\.\./ ) {
(97)         if (&User-Name =~ /\.\./ )  -> FALSE
(97)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(97)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(97)         if (&User-Name =~ /\.$/)  {
(97)         if (&User-Name =~ /\.$/)   -> FALSE
(97)         if (&User-Name =~ /@\./)  {
(97)         if (&User-Name =~ /@\./)   -> FALSE
(97)       } # if (&User-Name)  = notfound
(97)     } # policy filter_username = notfound
(97)     [preprocess] = ok
(97)     [digest] = noop
(97) suffix: Checking for suffix after "@"
(97) suffix: Looking up realm "company.nl" for User-Name = "migr03 at company.nl"
(97) suffix: No such realm "company.nl"
(97)     [suffix] = noop
(97) eap: Peer sent EAP Response (code 2) ID 94 length 63
(97) eap: Continuing tunnel setup
(97)     [eap] = ok
(97)   } # authorize = ok
(97) Found Auth-Type = eap
(97) # Executing group from file /etc/freeradius/sites-enabled/default
(97)   authenticate {
(97) eap: Expiring EAP session with state 0x16172ce416162ae1
(97) eap: Finished EAP session with state 0x2469b8502137ad1a
(97) eap: Previous EAP request found for state 0x2469b8502137ad1a, released from the list
(97) eap: Peer sent packet with method EAP TTLS (21)
(97) eap: Calling submodule eap_ttls to process data
(97) eap_ttls: Authenticate
(97) eap_ttls: Continuing EAP-TLS
(97) eap_ttls: Peer indicated complete TLS record size will be 53 bytes
(97) eap_ttls: Got complete TLS record (53 bytes)
(97) eap_ttls: [eaptls verify] = length included
(97) eap_ttls: [eaptls process] = ok
(97) eap_ttls: Session established.  Proceeding to decode tunneled attributes
(97) eap_ttls: Got tunneled request
(97) eap_ttls:   EAP-Message = 0x0201000d06353e643650396179
(97) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
(97) eap_ttls: Sending tunneled request
(97) Virtual server inner-tunnel received request
(97)   EAP-Message = 0x0201000d06353e643650396179
(97)   FreeRADIUS-Proxied-To = 127.0.0.1
(97)   User-Name = "migr03 at company.nl"
(97)   State = 0x16172ce416162ae179e6db30cac8670e
(97) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(97) server inner-tunnel {
(97)   session-state: No cached attributes
(97)   # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
(97)     authorize {
(97)       policy filter_username {
(97)         if (&User-Name) {
(97)         if (&User-Name)  -> TRUE
(97)         if (&User-Name)  {
(97)           if (&User-Name =~ / /) {
(97)           if (&User-Name =~ / /)  -> FALSE
(97)           if (&User-Name =~ /@[^@]*@/ ) {
(97)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(97)           if (&User-Name =~ /\.\./ ) {
(97)           if (&User-Name =~ /\.\./ )  -> FALSE
(97)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(97)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(97)           if (&User-Name =~ /\.$/)  {
(97)           if (&User-Name =~ /\.$/)   -> FALSE
(97)           if (&User-Name =~ /@\./)  {
(97)           if (&User-Name =~ /@\./)   -> FALSE
(97)         } # if (&User-Name)  = notfound
(97)       } # policy filter_username = notfound
(97) suffix: Checking for suffix after "@"
(97) suffix: Looking up realm "company.nl" for User-Name = "migr03 at company.nl"
(97) suffix: No such realm "company.nl"
(97)       [suffix] = noop
(97)       update control {
(97)         &Proxy-To-Realm := LOCAL
(97)       } # update control = noop
(97) eap: Peer sent EAP Response (code 2) ID 1 length 13
(97) eap: No EAP Start, assuming it's an on-going EAP conversation
(97)       [eap] = updated
rlm_ldap (ldap): Reserved connection (23)
(97) ldap: EXPAND (mail=%{User-Name})
(97) ldap:    --> (mail=migr03 at company.nl)
(97) ldap: Performing search in "dc=example,dc=nl" with filter "(mail=migr03 at company.nl)", scope "sub"
(97) ldap: Waiting for search result...
(97) ldap: User object found at DN "uid=migr03,ou=Users,dc=example,dc=nl"
(97) ldap: Processing user attributes
(97) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(97) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (23)
(97)       [ldap] = ok
(97)       [expiration] = noop
(97)       [logintime] = noop
(97)       [pap] = noop
(97)       if (User-Password) {
(97)       if (User-Password)  -> FALSE
(97)     } # authorize = updated
(97)   Found Auth-Type = eap
(97)   # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(97)     authenticate {
(97) eap: Expiring EAP session with state 0x16172ce416162ae1
(97) eap: Finished EAP session with state 0x16172ce416162ae1
(97) eap: Previous EAP request found for state 0x16172ce416162ae1, released from the list
(97) eap: Peer sent packet with method EAP GTC (6)
(97) eap: Calling submodule eap_gtc to process data
(97) eap_gtc: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(97) eap_gtc:   Auth-Type PAP {
rlm_ldap (ldap): Reserved connection (28)
(97) ldap: Login attempt by "migr03 at company.nl"
(97) ldap: Using user DN from request "uid=migr03,ou=Users,dc=example,dc=nl"
(97) ldap: Waiting for bind result...
(97) ldap: ERROR: Bind credentials incorrect: Invalid credentials
(97) ldap: ERROR: Server said: Incorrect password.
rlm_ldap (ldap): Released connection (28)
(97) eap_gtc:     [ldap] = reject
(97) eap_gtc:   } # Auth-Type PAP = reject
(97) eap: ERROR: Failed continuing EAP GTC (6) session.  EAP sub-module failed
(97) eap: Sending EAP Failure (code 4) ID 1 length 4
(97) eap: Failed in EAP select
(97)       [eap] = invalid
(97)     } # authenticate = invalid
(97)   Failed to authenticate the user
(97)   Using Post-Auth-Type Reject
(97)   # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(97)     Post-Auth-Type REJECT {
(97) attr_filter.access_reject: EXPAND %{User-Name}
(97) attr_filter.access_reject:    --> migr03 at company.nl
(97) attr_filter.access_reject: Matched entry DEFAULT at line 11
(97)       [attr_filter.access_reject] = updated
(97)       update outer.session-state {
(97)         &Module-Failure-Message := &request:Module-Failure-Message -> 'ldap: Bind credentials incorrect: Invalid credentials'
(97)       } # update outer.session-state = noop
(97)     } # Post-Auth-Type REJECT = updated
(97) } # server inner-tunnel
(97) Virtual server sending reply
(97)   EAP-Message = 0x04010004
(97)   Message-Authenticator = 0x00000000000000000000000000000000
(97) eap_ttls: Got tunneled Access-Reject
(97) eap: ERROR: Failed continuing EAP TTLS (21) session.  EAP sub-module failed
(97) eap: Sending EAP Failure (code 4) ID 94 length 4
(97) eap: Failed in EAP select
(97)     [eap] = invalid
(97)   } # authenticate = invalid
(97) Failed to authenticate the user
(97) Using Post-Auth-Type Reject
(97) # Executing group from file /etc/freeradius/sites-enabled/default
(97)   Post-Auth-Type REJECT {
(97) attr_filter.access_reject: EXPAND %{User-Name}
(97) attr_filter.access_reject:    --> migr03 at company.nl
(97) attr_filter.access_reject: Matched entry DEFAULT at line 11
(97)     [attr_filter.access_reject] = updated
(97)     [eap] = noop
(97)     policy remove_reply_message_if_eap {
(97)       if (&reply:EAP-Message && &reply:Reply-Message) {
(97)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(97)       else {
(97)         [noop] = noop
(97)       } # else = noop
(97)     } # policy remove_reply_message_if_eap = noop
(97)   } # Post-Auth-Type REJECT = updated
(97) Delaying response for 1.000000 seconds
Waking up in 0.9 seconds.
(97) Sending delayed response
(97) Sent Access-Reject Id 35 from 172.17.0.6:1812 to 10.164.0.3:37310 length 48
(97)   EAP-Message = 0x045e0004
(97)   Message-Authenticator = 0x00000000000000000000000000000000
(97)   Proxy-State = 0x3635
Waking up in 3.1 seconds.
(91) Cleaning up request packet ID 234 with timestamp +898
(92) Cleaning up request packet ID 242 with timestamp +898
(93) Cleaning up request packet ID 173 with timestamp +898
(94) Cleaning up request packet ID 28 with timestamp +898
(95) Cleaning up request packet ID 24 with timestamp +898
(96) Cleaning up request packet ID 144 with timestamp +898
Waking up in 0.5 seconds.
(97) Cleaning up request packet ID 35 with timestamp +898
Ready to process requests



My ldap config /etc/freeradius/mods-available/ldap:

ldap {
    server = 'ldaps://ldap.google.com'
    port = 636
    identity = 'XX'
    password = XX
    base_dn = 'dc=example,dc=nl'
    sasl {
    }
    update {
        control:Password-With-Header    += 'userPassword'
        control:Cleartext-Password      := 'userPassword'
        control:NT-Password        := 'ntPassword'
        control:            += 'radiusControlAttribute'
        request:            += 'radiusRequestAttribute'
        reply:                += 'radiusReplyAttribute'
    }
    user_dn = "LDAP-UserDn"
    user {
        base_dn = "${..base_dn}"
        filter = "(mail=%{User-Name})"
        sasl {
        }
    }
    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=posixGroup)'
        membership_attribute = 'memberOf'
    }
    profile {
    }
    client {
        base_dn = "${..base_dn}"
        filter = '(objectClass=radiusClient)'
        template {
    
        }
        attribute {
            ipaddr                = 'radiusClientIdentifier'
            secret                = 'radiusClientSecret'
        }
    }
    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}}"
        type {
            start {
                update {
                    description := "Online at %S"
                }
            }
            interim-update {
                update {
                    description := "Last seen at %S"
                }
            }
            stop {
                update {
                    description := "Offline at %S"
                }
            }
        }
    }
    post-auth {
        update {
        }
    }
    options {
        chase_referrals = yes
        rebind = yes
        res_timeout = 10
        srv_timelimit = 3
        net_timeout = 1
        idle = 60
        probes = 3
        interval = 3
        ldap_debug = 0x0028
    }
    tls {
        start_tls = no
        certificate_file = /etc/freeradius/certs/ldap-client.crt
        private_key_file = /etc/freeradius/certs/ldap-client.key
          require_cert    = 'allow'
    }
    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 0
        idle_timeout = 60
    }
}


my /etc/freeradius/mods-config/files/authorize

DEFAULT	Framed-Protocol == PPP
	Framed-Protocol = PPP,
	Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT	Hint == "CSLIP"
	Framed-Protocol = SLIP,
	Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT	Hint == "SLIP"
	Framed-Protocol = SLIP

DEFAULT Ldap-UserDN := "%{User-Name}"


my /etc/freeradius/sites-available/default:

server default {
listen {
    type = auth
    ipaddr = *
    port = 0
    limit {
          max_connections = 16
          lifetime = 0
          idle_timeout = 30
    }
}
listen {
    ipaddr = *
    port = 0
    type = acct
    limit {
    }
}
listen {
    type = auth
    ipv6addr = ::    
    port = 0
    limit {
          max_connections = 16
          lifetime = 0
          idle_timeout = 30
    }
}
listen {
    ipv6addr = ::
    port = 0
    type = acct
    limit {
    }
}
authorize {
    filter_username
    preprocess
    digest
    suffix
    eap {
        ok = return
    }
    files
    -sql
    ldap
    expiration
    logintime
    pap
        if (User-Password) {
            update control {
                   Auth-Type := ldap
            }
        }
}
authenticate {
    Auth-Type PAP {
        ldap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    mschap
    digest
        ldap
    eap
}
preacct {
    preprocess
    acct_unique
    suffix
    files
}
accounting {
    detail
    unix
    -sql
    exec
    attr_filter.accounting_response
}
session {
}
post-auth {
    if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
        update reply {
            &User-Name !* ANY
        }
    }
    update {
        &reply: += &session-state:
    }
    -sql
    exec
    remove_reply_message_if_eap
    Post-Auth-Type REJECT {
        -sql
        attr_filter.access_reject
        eap
        remove_reply_message_if_eap
    }
    Post-Auth-Type Challenge {
    }
}
pre-proxy {
}
post-proxy {
    eap
}
}
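As an added diagnostic (not code from the thread or from FreeRADIUS), this Python script reads a debug log in the format pasted above and reports, per virtual server and section, which modules actually returned and in what order, plus whether the DN used for the bind is just the one an earlier search returned. The embedded excerpt is constructed to mirror the log above: the outer authorize stops at `eap` (its `ok = return`) before `files` or `ldap`, and the inner-tunnel authorize runs `ldap` without ever running `files`, so a users-file `Ldap-UserDN` entry cannot influence that bind.

```python
import re
# Constructed excerpt shaped like the thread's FreeRADIUS 3.x -X debug log (not the full log).
SAMPLE_LOG = """\
(97)   authorize {
(97)     [eap] = ok
(97)   } # authorize = ok
(97) server inner-tunnel {
(97)     authorize {
(97)       [eap] = updated
(97) ldap: User object found at DN "uid=migr03,ou=Users,dc=example,dc=nl"
(97)       [ldap] = ok
(97)     } # authorize = updated
(97)     authenticate {
(97) ldap: Using user DN from request "uid=migr03,ou=Users,dc=example,dc=nl"
(97) ldap: ERROR: Bind credentials incorrect: Invalid credentials
(97)     } # authenticate = invalid
(97) } # server inner-tunnel
"""
SERVER_OPEN = re.compile(r"^\(\d+\)\s+server (\S+) \{$")
SERVER_CLOSE = re.compile(r"^\(\d+\)\s+\} # server \S+$")
SECTION_OPEN = re.compile(r"^\(\d+\)\s+(authorize|authenticate|post-auth) \{$")
MODULE_RC = re.compile(r"^\(\d+\)\s+\[([\w.-]+)\] = ")  # "[module] = rcode" lines
DN_LINES = r'ldap: (?:User object found at DN|Using user DN from request) "([^"]+)"'

def module_order(log):
    """Map virtual server -> section -> module names in the order they returned."""
    order, server, section = {}, "default", None
    for line in log.splitlines():
        if m := SERVER_OPEN.match(line):
            server = m.group(1)
        elif SERVER_CLOSE.match(line):
            server = "default"
        elif m := SECTION_OPEN.match(line):
            section = m.group(1)
        elif (m := MODULE_RC.match(line)) and section:
            order.setdefault(server, {}).setdefault(section, []).append(m.group(1))
    return order

def bind_dn_from_search(log):
    """True when the DN the bind used is exactly the DN the earlier search returned."""
    dns = re.findall(DN_LINES, log)
    return len(dns) == 2 and dns[0] == dns[1]

def explain(modules):
    """Can a users-file Ldap-UserDN entry reach the ldap bind in this section?"""
    if "files" not in modules:
        return "files never ran here, so the users file cannot set Ldap-UserDN"
    if "ldap" in modules and modules.index("files") > modules.index("ldap"):
        return "files ran after ldap, so ldap had already searched for the DN"
    return "files ran before ldap"
```

Feed it a full `freeradius -X` capture (one request at a time) to see the same ordering for the real inner-tunnel section rather than the constructed excerpt.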


