I would like to ldap bind with username instead of DN

Alan DeKok aland at deployingradius.com
Sun Jun 21 17:24:06 CEST 2020


On Jun 21, 2020, at 11:08 AM, Wessel Louwris <wessel at stutit.nl> wrote:
> 
> If I authenticate with user migr03 at company.nl (which is not our main domain example.nl) I get below log.
> With mig01 at example.nl everything works fine (although it still binds with the full DN) and I can authenticate.
> 
> I hoped that DEFAULT Ldap-UserDN := "%{User-Name}" in my /etc/freeradius/mods-config/files/authorize would skip the ldapsearch and go straight to the binding with this username.
> 
> I also pasted my ldap, authorize, default file below the logs.

  Don't do that.  Read the docs: http://wiki.freeradius.org/list-help

> (97) Received Access-Request Id 35 from 10.164.0.3:37310 to 172.17.0.6:1812 length 591
> (97)   User-Name = "migr03 at company.nl"

  You're still not posting the FULL debug output.  I asked you to do that.

  The reason you're having issues is simple:  You're not reading the documentation, and you're not following instructions.

  I asked you to post the FULL debug output.  You didn't do that.  The documentation says DON'T post configuration files.  You did that.

  If you simply read the documentation and follow instructions, you can get the issue fixed.  Quickly.  The more you fight, the longer it will take to fix the issue.

...
> (97) # Executing section authorize from file /etc/freeradius/sites-enabled/default
> (97)   authorize {
> (97)     policy filter_username {
> (97)       if (&User-Name) {
> (97)       if (&User-Name)  -> TRUE
> (97)       if (&User-Name)  {
> (97)         if (&User-Name =~ / /) {
> (97)         if (&User-Name =~ / /)  -> FALSE
> (97)         if (&User-Name =~ /@[^@]*@/ ) {
> (97)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (97)         if (&User-Name =~ /\.\./ ) {
> (97)         if (&User-Name =~ /\.\./ )  -> FALSE
> (97)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (97)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (97)         if (&User-Name =~ /\.$/)  {
> (97)         if (&User-Name =~ /\.$/)   -> FALSE
> (97)         if (&User-Name =~ /@\./)  {
> (97)         if (&User-Name =~ /@\./)   -> FALSE
> (97)       } # if (&User-Name)  = notfound
> (97)     } # policy filter_username = notfound
> (97)     [preprocess] = ok
> (97)     [digest] = noop
> (97) suffix: Checking for suffix after "@"
> (97) suffix: Looking up realm "company.nl" for User-Name = "migr03 at company.nl"
> (97) suffix: No such realm "company.nl"
> (97)     [suffix] = noop
> (97) eap: Peer sent EAP Response (code 2) ID 94 length 63
> (97) eap: Continuing tunnel setup
> (97)     [eap] = ok
> (97)   } # authorize = ok

  And no mention of the "files" module

  i.e. you edited the default configuration and broke it.  Don't do that.

> (97) server inner-tunnel {
> (97)   session-state: No cached attributes
> (97)   # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
> (97)     authorize {
> (97)       policy filter_username {
> (97)         if (&User-Name) {
> (97)         if (&User-Name)  -> TRUE
> (97)         if (&User-Name)  {
> (97)           if (&User-Name =~ / /) {
> (97)           if (&User-Name =~ / /)  -> FALSE
> (97)           if (&User-Name =~ /@[^@]*@/ ) {
> (97)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (97)           if (&User-Name =~ /\.\./ ) {
> (97)           if (&User-Name =~ /\.\./ )  -> FALSE
> (97)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (97)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (97)           if (&User-Name =~ /\.$/)  {
> (97)           if (&User-Name =~ /\.$/)   -> FALSE
> (97)           if (&User-Name =~ /@\./)  {
> (97)           if (&User-Name =~ /@\./)   -> FALSE
> (97)         } # if (&User-Name)  = notfound
> (97)       } # policy filter_username = notfound
> (97) suffix: Checking for suffix after "@"
> (97) suffix: Looking up realm "company.nl" for User-Name = "migr03 at company.nl"
> (97) suffix: No such realm "company.nl"
> (97)       [suffix] = noop
> (97)       update control {
> (97)         &Proxy-To-Realm := LOCAL
> (97)       } # update control = noop
> (97) eap: Peer sent EAP Response (code 2) ID 1 length 13
> (97) eap: No EAP Start, assuming it's an on-going EAP conversation
> (97)       [eap] = updated
> rlm_ldap (ldap): Reserved connection (23)
> (97) ldap: EXPAND (mail=%{User-Name})
> (97) ldap:    --> (mail=migr03 at company.nl)
> (97) ldap: Performing search in "dc=example,dc=nl" with filter "(mail=migr03 at company.nl)", scope "sub"
> (97) ldap: Waiting for search result...
> (97) ldap: User object found at DN "uid=migr03,ou=Users,dc=example,dc=nl"
> (97) ldap: Processing user attributes
> (97) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
> (97) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
> rlm_ldap (ldap): Released connection (23)
> (97)       [ldap] = ok
> (97)       [expiration] = noop
> (97)       [logintime] = noop
> (97)       [pap] = noop
> (97)       if (User-Password) {
> (97)       if (User-Password)  -> FALSE
> (97)     } # authorize = updated

  And no mention of the "files" module here, either.

  It's a complete mystery to me why people delete things from the configuration, and are then surprised that it doesn't work.

  If you tell the server to NOT use the "files" module, then it won't use the "files" module.  And anything you put into mods-config/files/authorize will be ignored.

  Alan DeKok.
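The diagnosis above rests on one observation: neither quoted "authorize" section contains a "[files] = ..." line, so the "files" module never ran and mods-config/files/authorize was never consulted. The script below, added here as an example (it is not from this thread or from the FreeRADIUS project), automates that observation: it walks a "radiusd -X" trace, records which modules produced a "[module] = rcode" line in each "Executing section ... from file ..." block, and reports expected modules that never appeared. The two traces embedded in it are constructed for the example and only mimic the line shapes visible in the quoted log; the EXPECTED table is an assumption, listing just "files" for "authorize".

```python
"""Check a radiusd -X debug trace for modules that never ran in a section."""
import re
from typing import Dict, List, Optional, Tuple

# Line shapes taken from FreeRADIUS 3.x "radiusd -X" output, e.g.
#   (97) # Executing section authorize from file /etc/freeradius/sites-enabled/default
#   (97)     [preprocess] = ok
SECTION_RE = re.compile(r"^\(\d+\)\s+# Executing section (\S+) from file (\S+)$")
MODULE_RE = re.compile(r"^\(\d+\)\s+\[([\w.-]+)\] = (\w+)$")

Section = Tuple[str, str]                       # (section name, virtual-server file)
Calls = Dict[Section, List[Tuple[str, str]]]    # section -> [(module, rcode), ...]

# Assumed policy for this example: every "authorize" section must run "files".
EXPECTED: Dict[str, List[str]] = {"authorize": ["files"]}


def modules_called(lines: List[str]) -> Calls:
    """Return, per section, the modules that produced a "[module] = rcode" line, in order."""
    calls: Calls = {}
    current: Optional[Section] = None
    for raw in lines:
        line = raw.lstrip("> ").rstrip()        # tolerate mailing-list quoting
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))  # a new section starts; inner-tunnel gets its own key
            calls.setdefault(current, [])
            continue
        m = MODULE_RE.match(line)
        if m and current is not None:
            calls[current].append((m.group(1), m.group(2)))
    return calls


def missing_modules(calls: Calls, expected: Dict[str, List[str]]) -> Dict[Section, List[str]]:
    """For each section seen in the trace, list the expected modules that never ran."""
    result: Dict[Section, List[str]] = {}
    for section, entries in calls.items():
        seen = {name for name, _ in entries}
        result[section] = [m for m in expected.get(section[0], []) if m not in seen]
    return result


# Constructed sample: trimmed outer and inner-tunnel authorize trace in which "files" never runs.
BROKEN_TRACE = """\
> (97) # Executing section authorize from file /etc/freeradius/sites-enabled/default
> (97)   authorize {
> (97)     [preprocess] = ok
> (97)     [digest] = noop
> (97) suffix: No such realm "example.org"
> (97)     [suffix] = noop
> (97)     [eap] = ok
> (97)   } # authorize = ok
> (97) server inner-tunnel {
> (97)   # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
> (97)     authorize {
> (97)       [suffix] = noop
> (97)       [eap] = updated
> (97)       [ldap] = ok
> (97)       [pap] = noop
> (97)     } # authorize = updated
""".splitlines()

# Constructed sample: the same shape after "files" is restored to both authorize sections.
FIXED_TRACE = [
    "(1) # Executing section authorize from file /etc/freeradius/sites-enabled/default",
    "(1)     [preprocess] = ok",
    "(1)     [suffix] = noop",
    "(1)     [eap] = ok",
    "(1)     [files] = noop",
    "(1)   # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel",
    "(1)       [suffix] = noop",
    "(1)       [files] = ok",
    "(1)       [ldap] = ok",
]

if __name__ == "__main__":
    for label, trace in (("broken", BROKEN_TRACE), ("fixed", FIXED_TRACE)):
        for (section, path), missing in missing_modules(modules_called(trace), EXPECTED).items():
            print(f"{label}: {section} in {path}: missing {missing or 'nothing'}")
```

Run it against a full "radiusd -X" capture by feeding the file's lines to modules_called(); each virtual server's section is keyed separately, so a "files" entry in the outer server does not mask its absence from inner-tunnel, which is exactly the split the quoted log shows.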
