Zitat von Nicolas Baradakis <nbk@sitadelle.com>:
Markus Krause wrote:
Zitat von Nicolas Baradakis <nbk@sitadelle.com>:
And finally, if someone has a setup with ldap backend, and is volunteering to test the patch under bug #261 (ldap_pairget fixes), perhaps it could be added to 1.1.1, too. I'm not using LDAP on my site, therefore I can't test it myself easily.
i have a testing installation with freeradius using ldap on which i could do some tests if necessary. unfortunatly i am not a freeradius expert, but if you tell me what i should test/try i would be glad to help!
Thanks, that'd be useful. Here you are the detailed instructions:
$ cvs -d :pserver:anoncvs@cvs.freeradius.org:/source login CVS password: anoncvs $ cvs -d :pserver:anoncvs@cvs.freeradius.org:/source checkout -r branch_1_1 radiusd $ cd radiusd $ wget 'http://bugs.freeradius.org/showattachment.cgi?attach_id=113' -O ldap_pairget.patch $ patch -p0 < ldap_pairget.patch
Then recompile FreeRADIUS like usual and test with a user from your LDAP directory. If that works, the next step is to enter the test values from the bugzilla into LDAP, and verify if the RADIUS values are correct in the reply packet.
See http://bugs.freeradius.org/show_bug.cgi?id=261
-- Nicolas Baradakis so here is what i did and what happend (on a current debian sarge linux, suse seems to be missing some packages):
atlas:~/radius-test# cvs -d :pserver:anoncvs@cvs.freeradius.org:/source login Logging in to :pserver:anoncvs@cvs.freeradius.org:2401/source CVS password: <i typed "anoncvs"> atlas:~/radius-test# cvs -d :pserver:anoncvs@cvs.freeradius.org:/source checkout -r branch_1_1 radiusd [lots of cvs messages "U radiusd/ ..."] atlas:~/radius-test# cd radiusd/ atlas:~/radius-test/radiusd# wget 'http://bugs.freeradius.org/showattachment.cgi?attach_id=113' -O ldap_pairg et.patch [wget output] atlas:~/radius-test/radiusd# patch -p0 < ldap_pairget.patch patching file src/modules/rlm_ldap/rlm_ldap.c Hunk #1 succeeded at 2309 (offset 32 lines). atlas:~/radius-test/radiusd# dpkg-buildpackage -us -uc -b [lot of output, all seems successful, results are debian packages] atlas:~/radius-test/radiusd# cd .. atlas:~/radius-test# dpkg -i freeradius_1.1.0-0_i386.deb freeradius-ldap_1.1.0-0_i386.deb freeradius-mysql_1.1.0-0_i386.deb [some output, all ok] atlas:~/radius-test# now the entry of a ldap user (as ldif): # testuser2, People, mogli.de dn: uid=testuser2,ou=People,dc=mogli,dc=de cn: testuser2 objectClass: account objectClass: posixAccount objectClass: top objectClass: radiusprofile uidNumber: 501 gidNumber: 100 homeDirectory: /home/testuser1 loginShell: /bin/bash uid: testuser2 dialupAccess: 1 radiusTunnelMediumType: IEEE-802 radiusTunnelPrivateGroupId: 1 radiusTunnelType: VLAN radiusFramedIPAddress: 192.168.0.112 radiusFramedIPNetmask: 255.255.255.0 radiusExpiration: 11 Jan 2006 13:00:00 userPassword: {CRYPT}sefjKaLm7zybE radiusReplyItem: Reply-Message := foo bar radiusReplyItem: Reply-Message += This_is_a_Reply radiusReplyItem: Reply-Message += This is another Reply with spaces radiusReplyItem: Reply-Message += This_is_yet_another_Reply_without_spaces now a test with radtest: atlas:~# radtest testuser2 secret localhost 0 testing123 Sending Access-Request of id 7 to 127.0.0.1 port 1812 User-Name = "testuser2" User-Password = "secret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=7, length=97 Framed-IP-Netmask = 255.255.255.0 Framed-IP-Address = 192.168.0.112 Reply-Message = "This_is_a_Reply" Reply-Message = "This_is_yet_another_Reply_without_spaces" Session-Timeout = 70115 atlas:~# it looks like the reply-message items containing spaces are ignored, the debug output of freeradius -XA says: rad_recv: Access-Request packet from host 127.0.0.1:32784, id=33, length=61 User-Name = "testuser2" User-Password = "secret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 modcall[authorize]: module "files" returns notfound for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for testuser2 radius_xlat: '(uid=testuser2)' radius_xlat: 'dc=mogli,dc=de' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldapserv1.mogli.de:389, authentication 0 rlm_ldap: bind as / to ldapserv1.mogli.de:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=mogli,dc=de, with filter (uid=testuser2) rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusExpiration as Expiration, value 11 Jan 2006 13:00:00 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusFramedIPNetmask as Framed-IP-Netmask, value 255.255.255.0 & op=11 rlm_ldap: Adding radiusFramedIPAddress as Framed-IP-Address, value 192.168.0.112 & op=11 rlm_ldap: parsing radiusReplyItem failed: Reply-Message := foo bar rlm_ldap: extracted attribute Reply-Message from generic item Reply-Message += This_is_a_Reply rlm_ldap: parsing radiusReplyItem failed: Reply-Message += This is another Reply with spaces rlm_ldap: extracted attribute Reply-Message from generic item Reply-Message += This_is_yet_another_Reply_without_spaces rlm_ldap: user testuser2 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type ldap auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group LDAP for request 0 rlm_ldap: - authenticate rlm_ldap: login attempt by "testuser2" with password "secret" rlm_ldap: user DN: uid=testuser2,ou=People,dc=mogli,dc=de rlm_ldap: (re)connect to ldapserv1.mogli.de:389, authentication 1 rlm_ldap: bind as uid=testuser2,ou=People,dc=mogli,dc=de/secret to ldapserv1.mogli.de:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user testuser2 authenticated succesfully modcall[authenticate]: module "ldap" returns ok for request 0 modcall: leaving group LDAP (returns ok) for request 0 radius_xlat: 'This_is_a_Reply' radius_xlat: 'This_is_yet_another_Reply_without_spaces' Processing the post-auth section of radiusd.conf modcall: entering group post-auth for request 0 radius_xlat: '/var/log/freeradius/radacct/127.0.0.1/reply-detail-20060110' rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/reply-detail-20060110 modcall[post-auth]: module "reply_log" returns ok for request 0 rlm_sql (sql): Processing sql_postauth radius_xlat: 'testuser2' rlm_sql (sql): sql_set_user escaped user --> 'testuser2' radius_xlat: 'INSERT into radpostauth (id, user, pass, reply, date) values ('', 'testuser2', 'secret', 'Access-Accept', NOW())' rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'testuser2', 'secret', 'Access-Accept', NOW()) rlm_sql (sql): Reserving sql socket id: 4 rlm_sql (sql): Released sql socket id: 4 modcall[post-auth]: module "sql" returns ok for request 0 modcall: leaving group post-auth (returns ok) for request 0 Sending Access-Accept of id 33 to 127.0.0.1 port 32784 Framed-IP-Netmask = 255.255.255.0 Framed-IP-Address = 192.168.0.112 Reply-Message += "This_is_a_Reply" Reply-Message += "This_is_yet_another_Reply_without_spaces" Session-Timeout := 70038 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 33 with timestamp 43c3e1aa Nothing to do. Sleeping until we see a request. there seems to be (still?) a problem with spaces: rlm_ldap: parsing radiusReplyItem failed: Reply-Message := foo bar rlm_ldap: parsing radiusReplyItem failed: Reply-Message += This is another Reply with spaces to be sure it is not due to "+=" i entered the following to users in ldap (again ldif): # testuser3, People, mogli.de dn: uid=testuser3,ou=People,dc=mogli,dc=de cn: testuser3 objectClass: account objectClass: posixAccount objectClass: top objectClass: radiusprofile uidNumber: 501 gidNumber: 100 homeDirectory: /home/testuser1 loginShell: /bin/bash uid: testuser3 dialupAccess: 1 userPassword: {CRYPT}sefjKaLm7zybE radiusReplyItem: Reply-Message := foo bar # testuser4, People, mogli.de dn: uid=testuser4,ou=People,dc=mogli,dc=de cn: testuser4 objectClass: account objectClass: posixAccount objectClass: top objectClass: radiusprofile uidNumber: 501 gidNumber: 100 homeDirectory: /home/testuser1 loginShell: /bin/bash uid: testuser4 dialupAccess: 1 userPassword: {CRYPT}sefjKaLm7zybE radiusReplyItem: Reply-Message := foo_bar radtest says: atlas:~# radtest testuser3 secret localhost 0 testing123 Sending Access-Request of id 243 to 127.0.0.1 port 1812 User-Name = "testuser3" User-Password = "secret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=243, length=20 atlas:~# radtest testuser4 secret localhost 0 testing123 Sending Access-Request of id 248 to 127.0.0.1 port 1812 User-Name = "testuser4" User-Password = "secret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=248, length=29 Reply-Message = "foo_bar" atlas:~# the debug output is similar to them for testuser2: rad_recv: Access-Request packet from host 127.0.0.1:32791, id=243, length=61 User-Name = "testuser3" User-Password = "secret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 modcall[authorize]: module "files" returns notfound for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for testuser3 radius_xlat: '(uid=testuser3)' radius_xlat: 'dc=mogli,dc=de' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=mogli,dc=de, with filter (uid=testuser3) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: parsing radiusReplyItem failed: Reply-Message := foo bar rlm_ldap: user testuser3 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 1 modcall: leaving group authorize (returns ok) for request 1 rad_check_password: Found Auth-Type ldap auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group LDAP for request 1 rlm_ldap: - authenticate rlm_ldap: login attempt by "testuser3" with password "secret" rlm_ldap: user DN: uid=testuser3,ou=People,dc=mogli,dc=de rlm_ldap: (re)connect to ldapserv1.mogli.de:389, authentication 1 rlm_ldap: bind as uid=testuser3,ou=People,dc=mogli,dc=de/secret to ldapserv1.mogli.de:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user testuser3 authenticated succesfully modcall[authenticate]: module "ldap" returns ok for request 1 modcall: leaving group LDAP (returns ok) for request 1 Processing the post-auth section of radiusd.conf modcall: entering group post-auth for request 1 radius_xlat: '/var/log/freeradius/radacct/127.0.0.1/reply-detail-20060110' rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/reply-detail-20060110 modcall[post-auth]: module "reply_log" returns ok for request 1 rlm_sql (sql): Processing sql_postauth radius_xlat: 'testuser3' rlm_sql (sql): sql_set_user escaped user --> 'testuser3' radius_xlat: 'INSERT into radpostauth (id, user, pass, reply, date) values ('', 'testuser3', 'secret', 'Access-Accept', NOW())' rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'testuser3', 'secret', 'Access-Accept', NOW()) rlm_sql (sql): Reserving sql socket id: 3 rlm_sql (sql): Released sql socket id: 3 modcall[post-auth]: module "sql" returns ok for request 1 modcall: leaving group post-auth (returns ok) for request 1 Sending Access-Accept of id 243 to 127.0.0.1 port 32791 Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 127.0.0.1:32792, id=248, length=61 User-Name = "testuser4" User-Password = "secret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 modcall[authorize]: module "files" returns notfound for request 2 rlm_ldap: - authorize rlm_ldap: performing user authorization for testuser4 radius_xlat: '(uid=testuser4)' radius_xlat: 'dc=mogli,dc=de' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=mogli,dc=de, with filter (uid=testuser4) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: extracted attribute Reply-Message from generic item Reply-Message := foo_bar rlm_ldap: user testuser4 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 2 modcall: leaving group authorize (returns ok) for request 2 rad_check_password: Found Auth-Type ldap auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group LDAP for request 2 rlm_ldap: - authenticate rlm_ldap: login attempt by "testuser4" with password "secret" rlm_ldap: user DN: uid=testuser4,ou=People,dc=mogli,dc=de rlm_ldap: (re)connect to ldapserv1.mogli.de:389, authentication 1 rlm_ldap: bind as uid=testuser4,ou=People,dc=mogli,dc=de/secret to ldapserv1.mogli.de:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user testuser4 authenticated succesfully modcall[authenticate]: module "ldap" returns ok for request 2 modcall: leaving group LDAP (returns ok) for request 2 radius_xlat: 'foo_bar' Processing the post-auth section of radiusd.conf modcall: entering group post-auth for request 2 radius_xlat: '/var/log/freeradius/radacct/127.0.0.1/reply-detail-20060110' rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/reply-detail-20060110 modcall[post-auth]: module "reply_log" returns ok for request 2 rlm_sql (sql): Processing sql_postauth radius_xlat: 'testuser4' rlm_sql (sql): sql_set_user escaped user --> 'testuser4' radius_xlat: 'INSERT into radpostauth (id, user, pass, reply, date) values ('', 'testuser4', 'secret', 'Access-Accept', NOW())' rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'testuser4', 'secret', 'Access-Accept', NOW()) rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2 modcall[post-auth]: module "sql" returns ok for request 2 modcall: leaving group post-auth (returns ok) for request 2 Sending Access-Accept of id 248 to 127.0.0.1 port 32792 Reply-Message := "foo_bar" Finished request 2 Going to the next request --- Walking the entire request list --- Waking up in 3 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 243 with timestamp 43c3e448 Waking up in 3 seconds... --- Walking the entire request list --- Cleaning up request 2 ID 248 with timestamp 43c3e44b Nothing to do. Sleeping until we see a request. of course there can be antoher error on my side, but seems that ldap reply items containing spaces are not parsed correctly. if i can test some more just let me know, sorry to be of no more help! regards markus -- Markus Krause email: krause@biochem.mpg.de Computing Center Tel.: 089 - 89 40 85 99 Group Lottspeich / Proteomics Fax.: 089 - 89 40 85 98 --------------------------------------------------------------------- This message was sent using https://webmail.biochem.mpg.de If you encounter any problems please report to rz-linux@biochem.mpg.de