You shouldn't need your second LDAP in the post-auth section as per On Sat, Dec 8, 2012 at 6:50 AM, Olivier Beytrison <olivier@heliosnet.org>wrote:
On 07.12.2012 18:07, Olivier Beytrison wrote:
On 07.12.2012 17:54, Alan DeKok wrote:
I've pushed a one-character fix.
Found it also. and I also had to invert char * and size_t in my call in rlm_ldap.c
okay code working again. I'll push all those change to my repo
code has been pushed along with some other fix/typo/formatting.
Things works on my side [1]. I'm happy with it. now it depends on you if you want more rewriting of the code. If so I can test your change whenever you want.
Olivier
[1] working example rad_recv: Access-Request packet from host 127.0.0.1 port 39774, id=247, length=87 User-Name = "olivier.beytriso" CHAP-Password = 0x9960e4b86ea318e5b24xxxxxxxxxxxxx NAS-IP-Address = 160.98.240.25 NAS-Port = 0 Message-Authenticator = 0x0e83e1b97e7dd468e136da6be344114b (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) group authorize { (0) - entering group authorize {...} (0) policy filter_username { (0) - entering policy filter_username {...} [snip] (0) - policy filter_username returns notfound (0) [preprocess] = ok (0) chap : Setting 'Auth-Type := CHAP' (0) [chap] = ok (0) [mschap] = noop (0) [digest] = noop (0) suffix : No '@' in User-Name = "olivier.beytriso", looking up realm NULL (0) suffix : No such realm "NULL" (0) [suffix] = noop (0) eap : No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) ldap : expand: '%{Stripped-User-Name}' -> '' (0) ldap : ... expanding second conditional (0) ldap : escape: 'olivier.beytriso' -> 'olivier.beytriso' (0) ldap : expand: '%{User-Name}' -> 'olivier.beytriso' (0) ldap : expand: '(uid=%{%{Stripped-User-Name}:-%{User-Name}})' -> '(uid=olivier.beytriso)' (0) ldap : expand: 'ou=people,o=hes-so' -> 'ou=people,o=hes-so' rlm_ldap (ldap): Reserved connection (4) (0) ldap : Performing search in 'ou=people,o=hes-so' with filter '(uid=olivier.beytriso)' (0) ldap : User found at DN "cn=31935762,ou=courant,ou=people,o=hes-so" (0) ldap : Added the eDirectory password XXXXXXXXXX in check items as Cleartext-Password
Yay!.. That's what the eDir code is all about :)
(0) ldap : control:hessoRole += "31935762-440774439#RORG-HEFR-EIFR-INTR-INFO#EMP#COL" (hessoRole) rlm_ldap (ldap): Released connection (4) rlm_ldap (ldap): Closing idle connection (0): Too many free connections (5 > 3) rlm_ldap (ldap): Closing connection (0) (0) [ldap] = ok (0) [expiration] = noop (0) [logintime] = noop (0) Found Auth-Type = CHAP (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) group CHAP { (0) - entering group CHAP {...} (0) chap : login attempt by "olivier.beytriso" with CHAP password (0) chap : Using clear text password "XXXXXXXXXX" for user olivier.beytriso authentication. (0) chap : chap user olivier.beytriso authenticated succesfully (0) [chap] = ok (0) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
Starting here
(0) group post-auth { (0) - entering group post-auth {...} rlm_ldap (ldap): Reserved connection (4) (0) ldap : Login attempt by "olivier.beytriso" with password "XXXXXXXXXX" (0) ldap : Bind as user "cn=31935762,ou=courant,ou=people,o=hes-so" was successful rlm_ldap (ldap): Released connection (4) (0) [ldap] = ok
And here, since you've already checked your chap password against the eDir password by sucking it cleartext over ssl out via Universal Password you don't need to double check it :)
(0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) - entering policy remove_reply_message_if_eap {...} (0) ? if (reply:EAP-Message && reply:Reply-Message) (0) ? Evaluating (reply:EAP-Message ) -> FALSE (0) ? Skipping (reply:Reply-Message) (0) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE (0) else else { (0) - entering else else {...} (0) [noop] = noop (0) - else else returns noop (0) - policy remove_reply_message_if_eap returns noop Sending Access-Accept of id 247 from 127.0.0.1 port 1812 to 127.0.0.1 port 39774
We also use eDir support and had notified our account manager at Novell/NetIQ about this... But it's brilliant you're doing the code changes. The NMAS challenge response parts using a specific NMAS Method are also pretty nifty when used with the Vasco tokens (which I have played with but havn't managed to convince my management to deploy at my employer). If you were in the mood it's pretty easy to setup and test using the Simple Password NMAS Method to confirm that the NMAS bits work too. Last piece which I would *love* to see was adding in "Accounting Start / Stop" support into rlm_ldap (and am willing to fund it depending on the time / complexity). What would be great is if via an Accounting Start you could add/replace an attribute, and then via the accounting stop remove the attribute if it exists. We're using this since we have a Novell IDM Driver listening to database changes, if a subscriber has an attribute change against their eDir record, our IDM driver sends a CoA or DM mid-session change using the Coova JRadius client to the BNG. Currently built the code to made the attribute change using a perl module which works well, but would be nice if it were in rlm_ldap instead :)