little bugs that appear to have appeared ...
Hi, 1) rlm_ldap: performing user authorization for expand: %{Stripped-User-Name} -> eun20 expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=eun20) expand: ou=unix ,ou=uscs, o=University of Sussex -> ou=unix ,ou=uscs, o=University of Sussex rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=unix ,ou=uscs, o=University of Sussex, with filter (uid=eun20) rlm_ldap: checking if remote access for eun20@sussex.ac.uk is allowed by uosRadiusAccountEnabled rlm_ldap: Added Crypt-Password = gsQB00xxxxxx in check items rlm_ldap: looking for check items in directory... rlm_ldap: LDAP attribute ntPassword as RADIUS attribute NT-Password == 0xf5f94b0fd14e86xxxxxxxxxxxxxxx rlm_ldap: looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? rlm_ldap: user eun20@sussex.ac.uk authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 2 good passwords found, should not be be being warned. Passwords are being stored in the standard password LDAP attributes, in the standard ldap attribute map file. So thats UserPassword and NTPassword , header recognition is on in LDAP module. The crypt passwords are in format {crypt}56bit des salted hash. NT4 Passwords without the 0x prefix are also printed wrong, which is problematic for debugging. 2) 426 Post-Auth-Type REJECT { 427 update reply { 428 # Update event type for logging in events table. 429 Event-Type := '12' 430 } 431 # Log rejected attempts to help with debugging 432 sql 433 attr_filter.access_reject 434 # SQL Clients generates event with limited information in roaming table 435 sql_roaming 436 } update reply in the Post-Auth-Type blocks doesn't work. %{reply:Event-Type} in the sql query expands to '' Event-Type is an int defined in the sussex_vendor dictionary. Setting Event-Type in the main body of Post-Auth works fine. Thanks, Arran -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900
Arran Cudbard-Bell wrote:
2 good passwords found, should not be be being warned.
Yeah, that's a minor issue.
update reply in the Post-Auth-Type blocks doesn't work.
%{reply:Event-Type} in the sql query expands to ''
Which SQL query? The one in the "sql" module, or the one in the "sql_roaming" module? Note that the attr_filter module is listed between the two. It will REMOVE any attributes that aren't supposed to go in an Access-Reject... like Event-Type. Alan DeKok.
Alan DeKok wrote:
Arran Cudbard-Bell wrote:
2 good passwords found, should not be be being warned.
Yeah, that's a minor issue.
update reply in the Post-Auth-Type blocks doesn't work.
%{reply:Event-Type} in the sql query expands to ''
Which SQL query? The one in the "sql" module, or the one in the "sql_roaming" module? sql_roaming
Note that the attr_filter module is listed between the two. It will REMOVE any attributes that aren't supposed to go in an Access-Reject... like Event-Type.
Yep, and it does it very nicely.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900
Hi, In auth.c, there is: 713 /* 714 * Result should be >= 0 here - if not, it means the user 715 * is rejected, so we just process post-auth and return. 716 */ 717 if (result < 0) { 718 return RLM_MODULE_REJECT; 719 } Should this be the following instead (like the comment suggests?) /* * Result should be >= 0 here - if not, it means the user * is rejected, so we just process post-auth and return. */ if (result < 0) { return rad_postauth(request); } Also, I updated from cvs this morning, but had some problems related to SNMP: - do_snmp was missing from main_config_t - radius_snmp_init() is prototyped to return int, when in fact it is void Cheers, David On Sep 27, 2007, at 1:38 PM, Alan DeKok wrote:
Arran Cudbard-Bell wrote:
2 good passwords found, should not be be being warned.
Yeah, that's a minor issue.
update reply in the Post-Auth-Type blocks doesn't work.
%{reply:Event-Type} in the sql query expands to ''
Which SQL query? The one in the "sql" module, or the one in the "sql_roaming" module? Note that the attr_filter module is listed between the two. It will REMOVE any attributes that aren't supposed to go in an Access-Reject... like Event-Type.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ devel.html
wlan@mac.com wrote:
In auth.c, there is: .. Should this be the following instead (like the comment suggests?)
No. The execution of post-auth type = reject is done in event.c.
Also, I updated from cvs this morning, but had some problems related to SNMP:
- do_snmp was missing from main_config_t - radius_snmp_init() is prototyped to return int, when in fact it is void
Fixed. Alan DeKok.
In auth.c, there is: .. Should this be the following instead (like the comment suggests?)
No. The execution of post-auth type = reject is done in event.c.
Thanks... hmm.. yet, I want to run through my post-auth handler right after the inner auth of a peap request (which used to work, I think). Any suggestions would be appreciated. Putting the rad_postauth() on that line does the trick though. David
wlan@mac.com wrote:
hmm.. yet, I want to run through my post-auth handler right after the inner auth of a peap request (which used to work, I think). Any suggestions would be appreciated. Putting the rad_postauth() on that line does the trick though.
Ah, ok. The issue is that the code in event.c returns from handling tunneled requests BEFORE running post-auth-type Reject. I'll see if I can fix that today or tomorrow. Alan DeKok.
participants (3)
-
Alan DeKok -
Arran Cudbard-Bell -
wlan@mac.com