Hi, I'm running a ldap module twice, both times with a different base_dn but when I do that, the server aborts. I'm using FreeRADIUS 3.0.4 (more specifically Centos release: 6.el7) If I try to run the module twice, without changing the base_dn the abort still happens. Is this a known limitation in which I should work around by initiating another module with a different base_dn? Here is a log: Ready to process requests Received Access-Request Id 19 from 10.255.120.5:1645 to xo.xo.xo.xo:1812 length 172 Service-Type = Login-User Cisco-AVPair = 'service-type=Login' Calling-Station-Id = 'xx.xx.xx.xx' User-Name = 'test.juliusbess' EAP-Message = 0x023b001401746573742e6a756c69757362657373 Message-Authenticator = 0x1d29c4c865bf30c2a4316ffbe67468bf NAS-IP-Address = 10.255.120.5 Acct-Session-Id = '160000000000FBDF' NAS-Identifier = 'vpn.test.local' (0) Received Access-Request packet from host 10.255.120.5 port 1645, id=19, length=172 (0) Service-Type = Login-User (0) Cisco-AVPair = 'service-type=Login' (0) Calling-Station-Id = 'xx.xx.xx.xx' (0) User-Name = 'test.juliusbess' (0) EAP-Message = 0x023b001401746573742e6a756c69757362657373 (0) Message-Authenticator = 0x1d29c4c865bf30c2a4316ffbe67468bf (0) NAS-IP-Address = 10.255.120.5 (0) Acct-Session-Id = '160000000000FBDF' (0) NAS-Identifier = 'vpn.test.local' (0) # Executing section authorize from file /etc/raddb/sites-enabled/vpn-nyherji-test (0) authorize { (0) update request { (0) EXPAND %{User-Name} (0) --> test.juliusbess (0) SQL-User-Name set to 'test.juliusbess' rlm_sql (sql): Reserved connection (4) rlm_sql (sql): Executing query: 'select groupname from radhuntgroup where nasipaddress="10.255.120.5"' rlm_sql (sql): Released connection (4) (0) EXPAND %{sql:select groupname from radhuntgroup where nasipaddress="%{Client-IP-Address}"} (0) --> vpn-nas (0) Huntgroup-Name := "vpn-nas" (0) } # update request = noop (0) if (!Huntgroup-Name) (0) if (!Huntgroup-Name) -> FALSE (0) filter_username filter_username { (0) if (!&User-Name) (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\\.\\./ ) (0) if (&User-Name =~ /\\.\\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\\.$/) (0) if (&User-Name =~ /\\.$/) -> FALSE [120/1973] (0) if (&User-Name =~ /@\\./) (0) if (&User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = noop (0) [preprocess] = ok (0) [chap] = noop (0) [mschap-umsja] = noop (0) [digest] = noop (0) suffix : Checking for suffix after "@" (0) suffix : No '@' in User-Name = "test.juliusbess", looking up realm NULL (0) suffix : Found realm "NULL" (0) suffix : Adding Stripped-User-Name = "test.juliusbess" (0) suffix : Adding Realm = "NULL" (0) suffix : Authentication realm is LOCAL (0) [suffix] = ok (0) ntdomain : Request already has destination realm set. Ignoring (0) [ntdomain] = noop (0) eap-vpn-nyherji : Peer sent code Response (2) ID 59 length 20 (0) eap-vpn-nyherji : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap-vpn-nyherji] = ok (0) } # authorize = ok (0) Found Auth-Type = eap-vpn-nyherji (0) # Executing group from file /etc/raddb/sites-enabled/vpn-nyherji-test (0) authenticate { (0) eap-vpn-nyherji : Peer sent method Identity (1) (0) eap-vpn-nyherji : Calling eap_peap to process EAP data (0) eap_peap : Initiate (0) eap_peap : Start returned 1 (0) eap-vpn-nyherji : New EAP session, adding 'State' attribute to reply 0xe5c88dc8e5f49486 (0) [eap-vpn-nyherji] = handled (0) } # authenticate = handled (0) Sending Access-Challenge packet to host 10.255.120.5 port 1645, id=19, length=0 (0) EAP-Message = 0x013c00061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xe5c88dc8e5f494860e93d83d98be7363 Sending Access-Challenge Id 19 from xo.xo.xo.xo:1812 to 10.255.120.5:1645 EAP-Message = 0x013c00061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe5c88dc8e5f494860e93d83d98be7363 (0) Finished request Waking up in 0.3 seconds. Received Access-Request Id 20 from 10.255.120.5:1645 to xo.xo.xo.xo:1812 length 176 Service-Type = Login-User Cisco-AVPair = 'service-type=Login' Calling-Station-Id = 'xx.xx.xx.xx' User-Name = 'test.juliusbess' EAP-Message = 0x023c0006031a Message-Authenticator = 0xbdf3041a309a309f5d190089d0d7f2fa State = 0xe5c88dc8e5f494860e93d83d98be7363 NAS-IP-Address = 10.255.120.5 [71/1973] Acct-Session-Id = '160000000000FBDF' NAS-Identifier = 'vpn.test.local' (1) Received Access-Request packet from host 10.255.120.5 port 1645, id=20, length=176 (1) Service-Type = Login-User (1) Cisco-AVPair = 'service-type=Login' (1) Calling-Station-Id = 'xx.xx.xx.xx' (1) User-Name = 'test.juliusbess' (1) EAP-Message = 0x023c0006031a (1) Message-Authenticator = 0xbdf3041a309a309f5d190089d0d7f2fa (1) State = 0xe5c88dc8e5f494860e93d83d98be7363 (1) NAS-IP-Address = 10.255.120.5 (1) Acct-Session-Id = '160000000000FBDF' (1) NAS-Identifier = 'vpn.test.local' (1) # Executing section authorize from file /etc/raddb/sites-enabled/vpn-nyherji-test (1) authorize { (1) update request { (1) EXPAND %{User-Name} (1) --> test.juliusbess (1) SQL-User-Name set to 'test.juliusbess' rlm_sql (sql): Reserved connection (4) rlm_sql (sql): Executing query: 'select groupname from radhuntgroup where nasipaddress="10.255.120.5"' rlm_sql (sql): Released connection (4) (1) EXPAND %{sql:select groupname from radhuntgroup where nasipaddress="%{Client-IP-Address}"} (1) --> vpn-nas (1) Huntgroup-Name := "vpn-nas" (1) } # update request = noop (1) if (!Huntgroup-Name) (1) if (!Huntgroup-Name) -> FALSE (1) filter_username filter_username { (1) if (!&User-Name) (1) if (!&User-Name) -> FALSE (1) if (&User-Name =~ / /) (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@.*@/ ) (1) if (&User-Name =~ /@.*@/ ) -> FALSE (1) if (&User-Name =~ /\\.\\./ ) (1) if (&User-Name =~ /\\.\\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\\.$/) (1) if (&User-Name =~ /\\.$/) -> FALSE (1) if (&User-Name =~ /@\\./) (1) if (&User-Name =~ /@\\./) -> FALSE (1) } # filter_username filter_username = noop (1) [preprocess] = ok (1) [chap] = noop (1) [mschap-umsja] = noop (1) [digest] = noop (1) suffix : Checking for suffix after "@" [22/1973] (1) suffix : No '@' in User-Name = "test.juliusbess", looking up realm NULL (1) suffix : Found realm "NULL" (1) suffix : Adding Stripped-User-Name = "test.juliusbess" (1) suffix : Adding Realm = "NULL" (1) suffix : Authentication realm is LOCAL (1) [suffix] = ok (1) ntdomain : Request already has destination realm set. Ignoring (1) [ntdomain] = noop (1) eap-vpn-nyherji : Peer sent code Response (2) ID 60 length 6 (1) eap-vpn-nyherji : No EAP Start, assuming it's an on-going EAP conversation (1) [eap-vpn-nyherji] = updated (1) [files] = noop (1) sql : EXPAND %{User-Name} (1) sql : --> test.juliusbess (1) sql : SQL-User-Name set to 'test.juliusbess' rlm_sql (sql): Reserved connection (4) (1) sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (1) sql : --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test.juliusbess' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test.juliusbess' ORDER BY id' (1) sql : EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (1) sql : --> SELECT groupname FROM radusergroup WHERE username = 'test.juliusbess' ORDER BY priority rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = 'test.juliusbess' ORDER BY priority' (1) sql : User not found in any groups rlm_sql (sql): Released connection (4) (1) [sql] = notfound (1) if ("%{realm}" =~ /(DEFAULT|NULL)/) (1) EXPAND %{realm} (1) --> NULL (1) if ("%{realm}" =~ /(DEFAULT|NULL)/) -> TRUE (1) if ("%{realm}" =~ /(DEFAULT|NULL)/) { (1) update control { (1) &LDAP-baseDN-custom := 'OU-test' (1) } # update control = noop (1) EXPAND %{control:LDAP-baseDN-custom} (1) --> OU-test rlm_ldap (ldap-vpn-nyh): Reserved connection (4) (1) ldap-vpn-nyh : EXPAND (|(&(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(objectClass=user))(&(userPrincipalName=%{User-Name})(objectClass=user))) (1) ldap-vpn-nyh : --> (|(&(sAMAccountName=test.juliusbess)(objectClass=user))(&(userPrincipalName=test.juliusbess)(objectClass=user))) (1) ldap-vpn-nyh : EXPAND OU=%{control:LDAP-baseDN-custom},DC=some,DC=local,DC=lan (1) ldap-vpn-nyh : --> OU=OU-test,DC=some,DC=local,DC=lan (1) ldap-vpn-nyh : Performing search in 'OU=OU-test,DC=some,DC=local,DC=lan' with filter '(|(&(sAMAccountName=test.juliusbess)(objectClass=user))(&(userPrincipalName=test.juliusbess)(objectClass=user)))', scope 'sub' (1) ldap-vpn-nyh : Waiting for search result... (1) ldap-vpn-nyh : User object found at DN "CN=Testuser - Test,OU=Contractors,OU=Users,OU=YYY,OU=OU-test,DC=some,DC=local,DC=lan" (1) ldap-vpn-nyh : Processing user attributes (1) WARNING: ldap-vpn-nyh : No "known good" password added. Ensure the admin user has permission to read the password attribute (1) WARNING: ldap-vpn-nyh : PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap-vpn-nyh): Released connection (4) (1) [ldap-vpn-nyh] = ok (1) EXPAND %{control:LDAP-baseDN-custom} (1) --> OU-test rlm_ldap (ldap-vpn-nyh): Reserved connection (4) (1) ldap-vpn-nyh : EXPAND (|(&(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(objectClass=user))(&(userPrincipalName=%{User-Name})(objectClass=user))) (1) ldap-vpn-nyh : --> (|(&(sAMAccountName=test.juliusbess)(objectClass=user))(&(userPrincipalName=test.juliusbess)(objectClass=user))) (1) ldap-vpn-nyh : EXPAND OU=%{control:LDAP-baseDN-custom},DC=some,DC=local,DC=lan (1) ldap-vpn-nyh : --> OU=OU-test,DC=some,DC=local,DC=lan (1) ldap-vpn-nyh : Performing search in 'OU=OU-test,DC=some,DC=local,DC=lan' with filter '(|(&(sAMAccountName=test.juliusbess)(objectClass=user))(&(userPrincipalName=test.juliusbess)(objectClass=user)))', scope 'sub' (1) ldap-vpn-nyh : Waiting for search result... (1) ldap-vpn-nyh : User object found at DN "CN=Testuser - Test,OU=Contractors,OU=Users,OU=YYY,OU=OU-test,DC=some,DC=local,DC=lan" (1) ldap-vpn-nyh : Processing user attributes (1) WARNING: ldap-vpn-nyh : No "known good" password added. Ensure the admin user has permission to read the password attribute (1) WARNING: ldap-vpn-nyh : PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) Aborted Kær kveðja / Best regards Júlíus Þór Bess Ríkharðsson Netsérfræðingur / Network Administrator Nýherji Hf. Borgartún 37 - 105 Reykjavík Simi/Telephone: +354 516 1000 Email: julius.bess@nyherji.is Helpdesk: +354 516 1600 Netsíða: http://www.nyherji.is