eDir Universal password implementation.
Hi, I've been working this morning in bringing back the eDirectory Universal Password feature into the new rlm_ldap module. I'm only talking about Universal Password, not the NMAS two-factor auth, as this is something we don't have here so there's no way for me to test. What have been done and is working : - reformatting edir_ldapext.c for the universal password code into a new file, some code cleanup - implementing the "edir=yes/no" options for rlm_ldap - retrieve the password in ldap_authorize and add the corresponding Cleartext-Password attribute Actually I can successfully connect using an eDir account with pap/. What has to be done, and where I need some hints : - Now that we have the cleartext-password, we're not going in the ldap_authenticate anymore. In the past with Auth-Type=LDAP it was possible, but setting Auth-Type=LDAP triggers a module_fail after the rewrite. In order to enforce eDir account policy, we have to bind to the LDAP server. how would you recommend me to implement it ? - add the IFDEF NOVELL around the added code (i can do it that's ok) - adapt the Makefile in order to compile edir_upwd.c only if configure has --with-edir (need help on that point) - return an error in the debug if universal password is not found, but do not fail the module (or should I ?) Initial commit in my fork is visible here : https://github.com/olivierbeytrison/freeradius-server/commits/rlm_ldap_add_e... Btw, it has been some years since the last time I wrote C. Be gentle and advise, I'll try to make it as clean as possible. Any advice are welcome ! Olivier -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mobile: +41 (0)78 619 73 53 Mail: olivier@heliosnet.org
Olivier Beytrison wrote:
I've been working this morning in bringing back the eDirectory Universal Password feature into the new rlm_ldap module.
That's great. I don't like removing functionality. But if I can't test it, I can't use it.
I'm only talking about Universal Password, not the NMAS two-factor auth, as this is something we don't have here so there's no way for me to test.
OK.
What have been done and is working : - reformatting edir_ldapext.c for the universal password code into a new file, some code cleanup
Nice. I'm picky on formatting, though. But that's an easy fix.
- implementing the "edir=yes/no" options for rlm_ldap - retrieve the password in ldap_authorize and add the corresponding Cleartext-Password attribute
That's good. I have minor issues with build options (WITH_EDIR, etc.), so that people *without* it can still use rlm_ldap. But that's also an easy fix.
Actually I can successfully connect using an eDir account with pap/.
Good.
What has to be done, and where I need some hints : - Now that we have the cleartext-password, we're not going in the ldap_authenticate anymore. In the past with Auth-Type=LDAP it was possible, but setting Auth-Type=LDAP triggers a module_fail after the rewrite.
What does that mean?
In order to enforce eDir account policy, we have to bind to the LDAP server. how would you recommend me to implement it ?
Re-use the existing LDAP bind code. The old module re-implemented LDAP connections, for no good reason I could see. The new module can re-use (or not) LDAP connections.
- add the IFDEF NOVELL around the added code (i can do it that's ok)
That's easy to do.
- adapt the Makefile in order to compile edir_upwd.c only if configure has --with-edir (need help on that point)
That's easy to do.
- return an error in the debug if universal password is not found, but do not fail the module (or should I ?)
It should return a NOOP.
Initial commit in my fork is visible here : https://github.com/olivierbeytrison/freeradius-server/commits/rlm_ldap_add_e...
Btw, it has been some years since the last time I wrote C. Be gentle and advise, I'll try to make it as clean as possible. Any advice are welcome !
If it works, and isn't horrid, it's good. Alan DeKok.
On 07.12.2012 14:21, Alan DeKok wrote:
Olivier Beytrison wrote:
What has to be done, and where I need some hints : - Now that we have the cleartext-password, we're not going in the ldap_authenticate anymore. In the past with Auth-Type=LDAP it was possible, but setting Auth-Type=LDAP triggers a module_fail after the rewrite.
What does that mean?
Well I was wrong, if you use only universal password, you don't need to got into ldap module during authenticate. But there was the post-auth section to enforce edir account policy. Is it ok for you if I implement it the same way (in post-auth) by re-using almost the same code as for ldap_authenticate ?
- add the IFDEF NOVELL around the added code (i can do it that's ok)
That's easy to do.
and it's done
- adapt the Makefile in order to compile edir_upwd.c only if configure has --with-edir (need help on that point)
That's easy to do.
Well I'll try to figure it out myself then ;)
- return an error in the debug if universal password is not found, but do not fail the module (or should I ?)
It should return a NOOP.
done On a side not, because I'm also new to github, how can I sum up all the changes in a single commit in order to make the pull request ? Olivier -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mail: olivier@heliosnet.org
On 7 Dec 2012, at 14:04, Olivier Beytrison <olivier@heliosnet.org> wrote:
On 07.12.2012 14:21, Alan DeKok wrote:
Olivier Beytrison wrote:
What has to be done, and where I need some hints : - Now that we have the cleartext-password, we're not going in the ldap_authenticate anymore. In the past with Auth-Type=LDAP it was possible, but setting Auth-Type=LDAP triggers a module_fail after the rewrite.
What does that mean?
Well I was wrong, if you use only universal password, you don't need to got into ldap module during authenticate. But there was the post-auth section to enforce edir account policy. Is it ok for you if I implement it the same way (in post-auth) by re-using almost the same code as for ldap_authenticate ?
- add the IFDEF NOVELL around the added code (i can do it that's ok)
That's easy to do.
and it's done
- adapt the Makefile in order to compile edir_upwd.c only if configure has --with-edir (need help on that point)
That's easy to do.
Well I'll try to figure it out myself then ;)
The option is already there just add a substituion in Makefile.in and all.mk for @edir@ https://github.com/FreeRADIUS/freeradius-server/blob/master/src/modules/rlm_... Would be: SOURCES := $(TARGETNAME).c @edir@ If it's built --with-edir @edir@ will be expanded to edir_ldapext.c If --with-edir is passed -DNOVELL_UNIVERSAL_PASSWORD -DNOVELL will also be added to module CFLAGS.
- return an error in the debug if universal password is not found, but do not fail the module (or should I ?)
It should return a NOOP.
done
On a side not, because I'm also new to github, how can I sum up all the changes in a single commit in order to make the pull request ?
git rebase -i HEAD~<number of commits you want to squash> Change the start of the commit lines you want to squash to 'f' Git push --force origin master then you can just do a pull request for your master branch on the github website. -Arran
On Fri, Dec 07, 2012 at 03:04:34PM +0100, Olivier Beytrison wrote:
On a side not, because I'm also new to github, how can I sum up all the changes in a single commit in order to make the pull request ?
You don't need a single commit - just make sure all the commits are in a branch that was forked off the master branch recently. Push the branch up to github, and pull request the branch. Git will figure out what needs merging automatically. You can merge commits together with git rebase if you can get your head around it. I tend to create a new branch based off the latest master, then cherry-pick the individual commits into it, then push that branch to github for the pull request. Cheers Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Olivier Beytrison wrote:
Initial commit in my fork is visible here : https://github.com/olivierbeytrison/freeradius-server/commits/rlm_ldap_add_e...
Btw, it has been some years since the last time I wrote C. Be gentle and advise, I'll try to make it as clean as possible. Any advice are welcome !
I've cleaned up the code && pushed it back to the main repository. some comments: - formatting is good. By good, I mean "Alan is almost fanatical about formatting". - similar with variable names, etc. CamelCase is annoying. Hungarian notation with type-names is annoying. - "goto cleanup" is OK, but it should be done early, rather than checking for errors: if (!err...) That's BAD. Just do "if (err) goto cleanup" - simplicity is to be desired. - functions are "static" where possible - parameters are "char *str, size_t size", not the other way around. - I squashed all of the changes into one commit, and added the "configure" changes, too. - I didn't make any changes to the main rlm_ldap.c file. I'm not sure I'm happy with that code. There may be simpler ways to do it. - malloc can be avoided for small buffers. (and should be avoided) Please grab a fresh copy, and see how it works for you. Alan DeKok.
On 07.12.2012 16:14, Alan DeKok wrote:
I've cleaned up the code && pushed it back to the main repository. some comments:
- formatting is good. By good, I mean "Alan is almost fanatical about formatting".
- similar with variable names, etc. CamelCase is annoying. Hungarian notation with type-names is annoying.
- "goto cleanup" is OK, but it should be done early, rather than checking for errors:
if (!err...)
That's BAD. Just do "if (err) goto cleanup"
- simplicity is to be desired.
- functions are "static" where possible
- parameters are "char *str, size_t size", not the other way around.
- I squashed all of the changes into one commit, and added the "configure" changes, too.
- I didn't make any changes to the main rlm_ldap.c file. I'm not sure I'm happy with that code. There may be simpler ways to do it.
you mean in the authorize section ? How would your rather do it ?
- malloc can be avoided for small buffers. (and should be avoided)
Please grab a fresh copy, and see how it works for you. Alright thanks for those inputs.
I've grabbed a fresh copy. Added @edir@ in all.mk.in for rlm_ldap Everything compiles fine. Server starts. rlm_ldap loads correctly. But The server fails to retrieve the universal password! Error code is -1633 (buf_overflow) Problem comes from edir.c:220. is MAX_STRING_LEN available ? I need to gdb this to see the size of buffer ... but weird On my side, I've implemented post-auth. tested. works like a charm. Olivier -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mobile: +41 (0)78 619 73 53 Mail: olivier@heliosnet.org
Olivier Beytrison wrote:
On 07.12.2012 16:14, Alan DeKok wrote:
- I didn't make any changes to the main rlm_ldap.c file. I'm not sure I'm happy with that code. There may be simpler ways to do it.
you mean in the authorize section ? How would your rather do it ?
Yes. I'm not sure how else to do it. I didn't have time to do any in-depth review.
I've grabbed a fresh copy. Added @edir@ in all.mk.in for rlm_ldap Everything compiles fine. Server starts. rlm_ldap loads correctly.
OK, thanks.
But The server fails to retrieve the universal password! Error code is -1633 (buf_overflow)
Problem comes from edir.c:220. is MAX_STRING_LEN available ? I need to gdb this to see the size of buffer ... but weird
It's available in src/include/libradius.h So what's "bufsize" in edir.c? Is it updated by berDecodeLoginData()?
On my side, I've implemented post-auth. tested. works like a charm.
Push it to your repo, and I'll take a look at it. Alan DeKok.
On 07.12.2012 17:12, Olivier Beytrison wrote:
I've grabbed a fresh copy. Added @edir@ in all.mk.in for rlm_ldap Everything compiles fine. Server starts. rlm_ldap loads correctly.
But The server fails to retrieve the universal password! Error code is -1633 (buf_overflow)
Problem comes from edir.c:220. is MAX_STRING_LEN available ? I need to gdb this to see the size of buffer ... but weird
alright (gdb) p bufsize $5 = 256 (gdb) p MAX_STRING_LEN No symbol "MAX_STRING_LEN" in current context. (gdb) n 220 if (bufsize >= MAX_STRING_LEN) { (gdb) n 221 err = NMAS_E_BUFFER_OVERFLOW; bufsize=256 is weird, in this case my password is 14 char long. -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mobile: +41 (0)78 619 73 53 Mail: olivier@heliosnet.org
Olivier Beytrison wrote:
(gdb) p bufsize $5 = 256 (gdb) p MAX_STRING_LEN No symbol "MAX_STRING_LEN" in current context.
It's a preprocessor macro.
(gdb) n 220 if (bufsize >= MAX_STRING_LEN) { (gdb) n 221 err = NMAS_E_BUFFER_OVERFLOW;
bufsize=256 is weird, in this case my password is 14 char long.
I've pushed a one-character fix. Alan DeKok.
On 07.12.2012 17:54, Alan DeKok wrote:
I've pushed a one-character fix.
Found it also. and I also had to invert char * and size_t in my call in rlm_ldap.c okay code working again. I'll push all those change to my repo -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mobile: +41 (0)78 619 73 53 Mail: olivier@heliosnet.org
On 07.12.2012 18:07, Olivier Beytrison wrote:
On 07.12.2012 17:54, Alan DeKok wrote:
I've pushed a one-character fix.
Found it also. and I also had to invert char * and size_t in my call in rlm_ldap.c
okay code working again. I'll push all those change to my repo
code has been pushed along with some other fix/typo/formatting. Things works on my side [1]. I'm happy with it. now it depends on you if you want more rewriting of the code. If so I can test your change whenever you want. Olivier [1] working example rad_recv: Access-Request packet from host 127.0.0.1 port 39774, id=247, length=87 User-Name = "olivier.beytriso" CHAP-Password = 0x9960e4b86ea318e5b24xxxxxxxxxxxxx NAS-IP-Address = 160.98.240.25 NAS-Port = 0 Message-Authenticator = 0x0e83e1b97e7dd468e136da6be344114b (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) group authorize { (0) - entering group authorize {...} (0) policy filter_username { (0) - entering policy filter_username {...} [snip] (0) - policy filter_username returns notfound (0) [preprocess] = ok (0) chap : Setting 'Auth-Type := CHAP' (0) [chap] = ok (0) [mschap] = noop (0) [digest] = noop (0) suffix : No '@' in User-Name = "olivier.beytriso", looking up realm NULL (0) suffix : No such realm "NULL" (0) [suffix] = noop (0) eap : No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) ldap : expand: '%{Stripped-User-Name}' -> '' (0) ldap : ... expanding second conditional (0) ldap : escape: 'olivier.beytriso' -> 'olivier.beytriso' (0) ldap : expand: '%{User-Name}' -> 'olivier.beytriso' (0) ldap : expand: '(uid=%{%{Stripped-User-Name}:-%{User-Name}})' -> '(uid=olivier.beytriso)' (0) ldap : expand: 'ou=people,o=hes-so' -> 'ou=people,o=hes-so' rlm_ldap (ldap): Reserved connection (4) (0) ldap : Performing search in 'ou=people,o=hes-so' with filter '(uid=olivier.beytriso)' (0) ldap : User found at DN "cn=31935762,ou=courant,ou=people,o=hes-so" (0) ldap : Added the eDirectory password XXXXXXXXXX in check items as Cleartext-Password (0) ldap : control:hessoRole += "31935762-440774439#RORG-HEFR-EIFR-INTR-INFO#EMP#COL" (hessoRole) rlm_ldap (ldap): Released connection (4) rlm_ldap (ldap): Closing idle connection (0): Too many free connections (5 > 3) rlm_ldap (ldap): Closing connection (0) (0) [ldap] = ok (0) [expiration] = noop (0) [logintime] = noop (0) Found Auth-Type = CHAP (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) group CHAP { (0) - entering group CHAP {...} (0) chap : login attempt by "olivier.beytriso" with CHAP password (0) chap : Using clear text password "XXXXXXXXXX" for user olivier.beytriso authentication. (0) chap : chap user olivier.beytriso authenticated succesfully (0) [chap] = ok (0) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (0) group post-auth { (0) - entering group post-auth {...} rlm_ldap (ldap): Reserved connection (4) (0) ldap : Login attempt by "olivier.beytriso" with password "XXXXXXXXXX" (0) ldap : Bind as user "cn=31935762,ou=courant,ou=people,o=hes-so" was successful rlm_ldap (ldap): Released connection (4) (0) [ldap] = ok (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) - entering policy remove_reply_message_if_eap {...} (0) ? if (reply:EAP-Message && reply:Reply-Message) (0) ? Evaluating (reply:EAP-Message ) -> FALSE (0) ? Skipping (reply:Reply-Message) (0) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE (0) else else { (0) - entering else else {...} (0) [noop] = noop (0) - else else returns noop (0) - policy remove_reply_message_if_eap returns noop Sending Access-Accept of id 247 from 127.0.0.1 port 1812 to 127.0.0.1 port 39774 -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mobile: +41 (0)78 619 73 53 Mail: olivier@heliosnet.org
Olivier Beytrison wrote:
code has been pushed along with some other fix/typo/formatting.
Things works on my side [1]. I'm happy with it. now it depends on you if you want more rewriting of the code. If so I can test your change whenever you want.
I've pushed my changes back. Again, minor formatting. i.e. I like short names. It's easier to read. It's just as descriptive as "this_variable_is_for_foo", when the context makes it clear. Alan DeKok.
On 7 Dec 2012, at 19:40, Alan DeKok <aland@DEPLOYINGRADIUS.COM> wrote:
Olivier Beytrison wrote:
code has been pushed along with some other fix/typo/formatting.
Things works on my side [1]. I'm happy with it. now it depends on you if you want more rewriting of the code. If so I can test your change whenever you want.
I've pushed my changes back. Again, minor formatting.
i.e. I like short names. It's easier to read. It's just as descriptive as "this_variable_is_for_foo", when the context makes it clear.
Alan DeKok.
Feel like writing a coding style guide on the wiki? If you start it off with the basics I'll add some more content. -Arran
On 07.12.2012 20:40, Alan DeKok wrote:
Olivier Beytrison wrote:
code has been pushed along with some other fix/typo/formatting.
Things works on my side [1]. I'm happy with it. now it depends on you if you want more rewriting of the code. If so I can test your change whenever you want.
I've pushed my changes back. Again, minor formatting.
i.e. I like short names. It's easier to read. It's just as descriptive as "this_variable_is_for_foo", when the context makes it clear.
Thanks Alan! I've pulled the changes and I'm testing them. In the mean time I've pushed a few minor fix in a new branch in my repo. -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mobile: +41 (0)78 619 73 53 Mail: olivier@heliosnet.org
On 07.12.2012 21:24, Olivier Beytrison wrote:
I've pushed my changes back. Again, minor formatting.
i.e. I like short names. It's easier to read. It's just as descriptive as "this_variable_is_for_foo", when the context makes it clear.
Thanks Alan! I've pulled the changes and I'm testing them.
Looks fine to me. compiles and works well on my side.
In the mean time I've pushed a few minor fix in a new branch in my repo.
I just squashed a few change into a single commit on my repo, branch last-edir-fix Olivier -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mobile: +41 (0)78 619 73 53 Mail: olivier@heliosnet.org
You shouldn't need your second LDAP in the post-auth section as per On Sat, Dec 8, 2012 at 6:50 AM, Olivier Beytrison <olivier@heliosnet.org>wrote:
On 07.12.2012 18:07, Olivier Beytrison wrote:
On 07.12.2012 17:54, Alan DeKok wrote:
I've pushed a one-character fix.
Found it also. and I also had to invert char * and size_t in my call in rlm_ldap.c
okay code working again. I'll push all those change to my repo
code has been pushed along with some other fix/typo/formatting.
Things works on my side [1]. I'm happy with it. now it depends on you if you want more rewriting of the code. If so I can test your change whenever you want.
Olivier
[1] working example rad_recv: Access-Request packet from host 127.0.0.1 port 39774, id=247, length=87 User-Name = "olivier.beytriso" CHAP-Password = 0x9960e4b86ea318e5b24xxxxxxxxxxxxx NAS-IP-Address = 160.98.240.25 NAS-Port = 0 Message-Authenticator = 0x0e83e1b97e7dd468e136da6be344114b (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) group authorize { (0) - entering group authorize {...} (0) policy filter_username { (0) - entering policy filter_username {...} [snip] (0) - policy filter_username returns notfound (0) [preprocess] = ok (0) chap : Setting 'Auth-Type := CHAP' (0) [chap] = ok (0) [mschap] = noop (0) [digest] = noop (0) suffix : No '@' in User-Name = "olivier.beytriso", looking up realm NULL (0) suffix : No such realm "NULL" (0) [suffix] = noop (0) eap : No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) ldap : expand: '%{Stripped-User-Name}' -> '' (0) ldap : ... expanding second conditional (0) ldap : escape: 'olivier.beytriso' -> 'olivier.beytriso' (0) ldap : expand: '%{User-Name}' -> 'olivier.beytriso' (0) ldap : expand: '(uid=%{%{Stripped-User-Name}:-%{User-Name}})' -> '(uid=olivier.beytriso)' (0) ldap : expand: 'ou=people,o=hes-so' -> 'ou=people,o=hes-so' rlm_ldap (ldap): Reserved connection (4) (0) ldap : Performing search in 'ou=people,o=hes-so' with filter '(uid=olivier.beytriso)' (0) ldap : User found at DN "cn=31935762,ou=courant,ou=people,o=hes-so" (0) ldap : Added the eDirectory password XXXXXXXXXX in check items as Cleartext-Password
Yay!.. That's what the eDir code is all about :)
(0) ldap : control:hessoRole += "31935762-440774439#RORG-HEFR-EIFR-INTR-INFO#EMP#COL" (hessoRole) rlm_ldap (ldap): Released connection (4) rlm_ldap (ldap): Closing idle connection (0): Too many free connections (5 > 3) rlm_ldap (ldap): Closing connection (0) (0) [ldap] = ok (0) [expiration] = noop (0) [logintime] = noop (0) Found Auth-Type = CHAP (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) group CHAP { (0) - entering group CHAP {...} (0) chap : login attempt by "olivier.beytriso" with CHAP password (0) chap : Using clear text password "XXXXXXXXXX" for user olivier.beytriso authentication. (0) chap : chap user olivier.beytriso authenticated succesfully (0) [chap] = ok (0) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
Starting here
(0) group post-auth { (0) - entering group post-auth {...} rlm_ldap (ldap): Reserved connection (4) (0) ldap : Login attempt by "olivier.beytriso" with password "XXXXXXXXXX" (0) ldap : Bind as user "cn=31935762,ou=courant,ou=people,o=hes-so" was successful rlm_ldap (ldap): Released connection (4) (0) [ldap] = ok
And here, since you've already checked your chap password against the eDir password by sucking it cleartext over ssl out via Universal Password you don't need to double check it :)
(0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) - entering policy remove_reply_message_if_eap {...} (0) ? if (reply:EAP-Message && reply:Reply-Message) (0) ? Evaluating (reply:EAP-Message ) -> FALSE (0) ? Skipping (reply:Reply-Message) (0) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE (0) else else { (0) - entering else else {...} (0) [noop] = noop (0) - else else returns noop (0) - policy remove_reply_message_if_eap returns noop Sending Access-Accept of id 247 from 127.0.0.1 port 1812 to 127.0.0.1 port 39774
We also use eDir support and had notified our account manager at Novell/NetIQ about this... But it's brilliant you're doing the code changes. The NMAS challenge response parts using a specific NMAS Method are also pretty nifty when used with the Vasco tokens (which I have played with but havn't managed to convince my management to deploy at my employer). If you were in the mood it's pretty easy to setup and test using the Simple Password NMAS Method to confirm that the NMAS bits work too. Last piece which I would *love* to see was adding in "Accounting Start / Stop" support into rlm_ldap (and am willing to fund it depending on the time / complexity). What would be great is if via an Accounting Start you could add/replace an attribute, and then via the accounting stop remove the attribute if it exists. We're using this since we have a Novell IDM Driver listening to database changes, if a subscriber has an attribute change against their eDir record, our IDM driver sends a CoA or DM mid-session change using the Coova JRadius client to the BNG. Currently built the code to made the attribute change using a perl module which works well, but would be nice if it were in rlm_ldap instead :)
On 07.12.2012 21:32, Peter Lambrechtsen wrote:
You shouldn't need your second LDAP in the post-auth section as per (0) ldap : expand: '%{Stripped-User-Name}' -> '' (0) ldap : ... expanding second conditional (0) ldap : escape: 'olivier.beytriso' -> 'olivier.beytriso' (0) ldap : expand: '%{User-Name}' -> 'olivier.beytriso' (0) ldap : expand: '(uid=%{%{Stripped-User-Name}:-%{User-Name}})' -> '(uid=olivier.beytriso)' (0) ldap : expand: 'ou=people,o=hes-so' -> 'ou=people,o=hes-so' rlm_ldap (ldap): Reserved connection (4) (0) ldap : Performing search in 'ou=people,o=hes-so' with filter '(uid=olivier.beytriso)' (0) ldap : User found at DN "cn=31935762,ou=courant,ou=people,o=hes-so" (0) ldap : Added the eDirectory password XXXXXXXXXX in check items as Cleartext-Password
Yay!.. That's what the eDir code is all about :)
Yep, password auto-magically retrieved in clear-text
Starting here
(0) group post-auth { (0) - entering group post-auth {...} rlm_ldap (ldap): Reserved connection (4) (0) ldap : Login attempt by "olivier.beytriso" with password "XXXXXXXXXX" (0) ldap : Bind as user "cn=31935762,ou=courant,ou=people,o=hes-so" was successful rlm_ldap (ldap): Released connection (4) (0) [ldap] = ok
And here, since you've already checked your chap password against the eDir password by sucking it cleartext over ssl out via Universal Password you don't need to double check it :)
The goal here is not to check if the password is valid. With universal password, wi know it is valid. We check here if the user is allowed to log in. If his account is locked, the bind fail. If the password is expired, it will consume the loginGrace, until it reaches 0, and the bind will also fail. So it's really about checking the account policy of eDirectory Though the comments in debug could be more specific I admit. Olivier -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mobile: +41 (0)78 619 73 53 Mail: olivier@heliosnet.org
On Sat, Dec 8, 2012 at 9:39 AM, Olivier Beytrison <olivier@heliosnet.org>wrote:
And here, since you've already checked your chap password against the eDir password by sucking it cleartext over ssl out via Universal Password you don't need to double check it :)
The goal here is not to check if the password is valid. With universal password, wi know it is valid. We check here if the user is allowed to log in. If his account is locked, the bind fail. If the password is expired, it will consume the loginGrace, until it reaches 0, and the bind will also fail. So it's really about checking the account policy of eDirectory
Though the comments in debug could be more specific I admit.
Ahh fair enough, we map the loginDisabled and expirationDate to dummy VSAs and check it in FreeRadius rather than passing that back as part of a bind to LDAP. Helps save ~30ms from the Auth time, and with ~1mil subs in the LDAP database, that's time worth saving. Thanks for doing the work to add eDir support back in again. It "was" going to be one of our major stumbling blocks in moving to FR3. I'll work over this downtime coming up to christmas to write a script to enable others to perform functional tests against eDir, since all you really need is to download the software, and load up one LDIF with some test users & a universal password policy to test the functionality.
Olivier --
Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mobile: +41 (0)78 619 73 53 Mail: olivier@heliosnet.org - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
Peter Lambrechtsen wrote:
Ahh fair enough, we map the loginDisabled and expirationDate to dummy VSAs and check it in FreeRadius rather than passing that back as part of a bind to LDAP. Helps save ~30ms from the Auth time, and with ~1mil subs in the LDAP database, that's time worth saving.
If you have example config, please share it.
Thanks for doing the work to add eDir support back in again. It "was" going to be one of our major stumbling blocks in moving to FR3.
I was hoping something would step forward.
I'll work over this downtime coming up to christmas to write a script to enable others to perform functional tests against eDir, since all you really need is to download the software, and load up one LDIF with some test users & a universal password policy to test the functionality.
That would be appredciated. Alan DeKok.
On 07.12.2012 22:27, Peter Lambrechtsen wrote:
Ahh fair enough, we map the loginDisabled and expirationDate to dummy VSAs and check it in FreeRadius rather than passing that back as part of a bind to LDAP. Helps save ~30ms from the Auth time, and with ~1mil subs in the LDAP database, that's time worth saving.
I would also be interested in this. Could you post a snippet of your configuration ? Only difference with doing a bind, is that you don't consume the loginGrace. Which might be a good thing actually. But the complete check should be loginDisabled == false && (passwordExpirationTime > now || loginGraceRemaining > 0)
Thanks for doing the work to add eDir support back in again. It "was" going to be one of our major stumbling blocks in moving to FR3.
Same here, I was blocked in my eduroam project (and my deadline is next friday) so now at least I can move over and deploy the servers. Big thanks to Alan for his job ! And I have to say that I have a lot of fun doing some code again :) I'll continue to propose some minor fix/enhancement to FR3 as I deploy it. Olivier -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mail: olivier@heliosnet.org
The NMAS challenge response parts using a specific NMAS Method are also pretty nifty when used with the Vasco tokens (which I have played with but havn't managed to convince my management to deploy at my employer). If you were in the mood it's pretty easy to setup and test using the Simple Password NMAS Method to confirm that the NMAS bits work too.
Last piece which I would *love* to see was adding in "Accounting Start / Stop" support into rlm_ldap (and am willing to fund it depending on the time / complexity). What would be great is if via an Accounting Start you could add/replace an attribute, and then via the accounting stop remove the attribute if it exists.
Yeah you're sort of wanting a simul function, I guess it'd be fairly easy to do. Full accounting using LDAP is harder, and not really what LDAP directories are meant for :) -Arran
participants (5)
-
Alan DeKok -
Arran Cudbard-Bell -
Matthew Newton -
Olivier Beytrison -
Peter Lambrechtsen