Op 19 jun. 2020, om 16:55 heeft Alan DeKok <aland@deployingradius.com> het volgende geschreven:
On Jun 19, 2020, at 8:11 AM, Wessel Louwris <wessel@stutit.nl> wrote:
I would like to bind with the given username and skip the ldapsearch, so I implemented
DEFAULT Ldap-UserDN := "%{User-Name}”
in my authorize file (as described on https://wiki.freeradius.org/modules/Rlm_ldap <https://wiki.freeradius.org/modules/Rlm_ldap>). Unfortunately this seems to be not enough because it’s still binding with the DN:
(6) ldap: Login attempt by "user@company.nl "
It helps to show the FULL debug output. You've deleted 99% of the output. That means we don't know what else is going on.
(6) ldap: Using user DN from request "uid= user,ou=Users,dc=example,dc=com” # this is a wrong DN returned by ldapsearch (6) ldap: Waiting for bind result... (6) ldap: ERROR: Bind credentials incorrect: Invalid credentials
My guess is that you're running the "files" module (which reads the users file) *after* the ldap module.
Alan DeKok.
If I authenticate with user migr03@company.nl <mailto:migr03@company.nl> (which is not our main domain example.nl <http://example.nl/>) I get below log. With mig01@example.nl <mailto:mig01@example.nl> everything works fine (although it still binds with the full DN) and I can authenticatie. I hoped that DEFAULT Ldap-UserDN := "%{User-Name}” in my /etc/freeradius/mods-config/files/authorize would skip the ldapsearch and go straight to the binding with this username. I also pasted my ldap, authorize, default file below the logs. Thanks, Wessel ## migr03@company.nl (97) Received Access-Request Id 35 from 10.164.0.3:37310 to 172.17.0.6:1812 length 591 (97) User-Name = "migr03@company.nl" (97) NAS-IP-Address = 172.16.16.101 (97) NAS-Identifier = "4C-B1-CD-4A-B3-A8" (97) Called-Station-Id = "4C-B1-CD-4A-B3-A8:example" (97) NAS-Port-Type = Wireless-802.11 (97) Service-Type = Framed-User (97) NAS-Port = 1 (97) Calling-Station-Id = "A4-5E-60-DC-05-CF" (97) Location-Data = 0x31304e4c17174d616b657273747265657420446576656c6f706d656e74 (97) Location-Data = 0x32304e4c1626467265642e526f65736b65737472616174393745203130373645432020416d7374657264616d (97) Connect-Info = "CONNECT 802.11" (97) Acct-Session-Id = "5EEF7342-0AB3A001" (97) Acct-Multi-Session-Id = "A737E56E6E72BF9E" (97) WLAN-Pairwise-Cipher = 1027076 (97) WLAN-Group-Cipher = 1027076 (97) WLAN-AKM-Suite = 1027073 (97) Ruckus-SSID = "example" (97) Ruckus-BSSID = 0x4cb1cd4ab3a8 (97) Ruckus-Location = "example" (97) Ruckus-VLAN-ID = 1 (97) Ruckus-SCG-CBlade-IP = 600626236 (97) Attr-26.25053.155 = 0x41646d696e697374726174696f6e20446f6d61696e (97) Ruckus-Zone-Name = "example" (97) Ruckus-Wlan-Name = "example" (97) EAP-Message = 0x025e003f1580000000351703030030e8e23bf39036dbd45371248590343102796b93bf10fbc8d28cf32ed50809ee15c4d28a12a2eb53c18cf686e0dda17e41 (97) State = 0x2469b8502137ad1a348bcdde947a8261 (97) Chargeable-User-Identity = 0x00 (97) Message-Authenticator = 0xb1d164eef1c5725a9f35050eecb2bde7 (97) Event-Timestamp = "Jun 21 2020 14:48:35 UTC" (97) Proxy-State = 0x3635 (97) Restoring &session-state (97) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (97) &session-state:TLS-Session-Version = "TLS 1.2" (97) # Executing section authorize from file /etc/freeradius/sites-enabled/default (97) authorize { (97) policy filter_username { (97) if (&User-Name) { (97) if (&User-Name) -> TRUE (97) if (&User-Name) { (97) if (&User-Name =~ / /) { (97) if (&User-Name =~ / /) -> FALSE (97) if (&User-Name =~ /@[^@]*@/ ) { (97) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (97) if (&User-Name =~ /\.\./ ) { (97) if (&User-Name =~ /\.\./ ) -> FALSE (97) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (97) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (97) if (&User-Name =~ /\.$/) { (97) if (&User-Name =~ /\.$/) -> FALSE (97) if (&User-Name =~ /@\./) { (97) if (&User-Name =~ /@\./) -> FALSE (97) } # if (&User-Name) = notfound (97) } # policy filter_username = notfound (97) [preprocess] = ok (97) [digest] = noop (97) suffix: Checking for suffix after "@" (97) suffix: Looking up realm "company.nl" for User-Name = "migr03@company.nl" (97) suffix: No such realm "company.nl" (97) [suffix] = noop (97) eap: Peer sent EAP Response (code 2) ID 94 length 63 (97) eap: Continuing tunnel setup (97) [eap] = ok (97) } # authorize = ok (97) Found Auth-Type = eap (97) # Executing group from file /etc/freeradius/sites-enabled/default (97) authenticate { (97) eap: Expiring EAP session with state 0x16172ce416162ae1 (97) eap: Finished EAP session with state 0x2469b8502137ad1a (97) eap: Previous EAP request found for state 0x2469b8502137ad1a, released from the list (97) eap: Peer sent packet with method EAP TTLS (21) (97) eap: Calling submodule eap_ttls to process data (97) eap_ttls: Authenticate (97) eap_ttls: Continuing EAP-TLS (97) eap_ttls: Peer indicated complete TLS record size will be 53 bytes (97) eap_ttls: Got complete TLS record (53 bytes) (97) eap_ttls: [eaptls verify] = length included (97) eap_ttls: [eaptls process] = ok (97) eap_ttls: Session established. Proceeding to decode tunneled attributes (97) eap_ttls: Got tunneled request (97) eap_ttls: EAP-Message = 0x0201000d06353e643650396179 (97) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (97) eap_ttls: Sending tunneled request (97) Virtual server inner-tunnel received request (97) EAP-Message = 0x0201000d06353e643650396179 (97) FreeRADIUS-Proxied-To = 127.0.0.1 (97) User-Name = "migr03@company.nl" (97) State = 0x16172ce416162ae179e6db30cac8670e (97) WARNING: Outer and inner identities are the same. User privacy is compromised. (97) server inner-tunnel { (97) session-state: No cached attributes (97) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (97) authorize { (97) policy filter_username { (97) if (&User-Name) { (97) if (&User-Name) -> TRUE (97) if (&User-Name) { (97) if (&User-Name =~ / /) { (97) if (&User-Name =~ / /) -> FALSE (97) if (&User-Name =~ /@[^@]*@/ ) { (97) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (97) if (&User-Name =~ /\.\./ ) { (97) if (&User-Name =~ /\.\./ ) -> FALSE (97) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (97) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (97) if (&User-Name =~ /\.$/) { (97) if (&User-Name =~ /\.$/) -> FALSE (97) if (&User-Name =~ /@\./) { (97) if (&User-Name =~ /@\./) -> FALSE (97) } # if (&User-Name) = notfound (97) } # policy filter_username = notfound (97) suffix: Checking for suffix after "@" (97) suffix: Looking up realm "company.nl" for User-Name = "migr03@company.nl" (97) suffix: No such realm "company.nl" (97) [suffix] = noop (97) update control { (97) &Proxy-To-Realm := LOCAL (97) } # update control = noop (97) eap: Peer sent EAP Response (code 2) ID 1 length 13 (97) eap: No EAP Start, assuming it's an on-going EAP conversation (97) [eap] = updated rlm_ldap (ldap): Reserved connection (23) (97) ldap: EXPAND (mail=%{User-Name}) (97) ldap: --> (mail=migr03@company.nl) (97) ldap: Performing search in "dc=example,dc=nl" with filter "(mail=migr03@company.nl)", scope "sub" (97) ldap: Waiting for search result... (97) ldap: User object found at DN "uid=migr03,ou=Users,dc=example,dc=nl" (97) ldap: Processing user attributes (97) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (97) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Released connection (23) (97) [ldap] = ok (97) [expiration] = noop (97) [logintime] = noop (97) [pap] = noop (97) if (User-Password) { (97) if (User-Password) -> FALSE (97) } # authorize = updated (97) Found Auth-Type = eap (97) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (97) authenticate { (97) eap: Expiring EAP session with state 0x16172ce416162ae1 (97) eap: Finished EAP session with state 0x16172ce416162ae1 (97) eap: Previous EAP request found for state 0x16172ce416162ae1, released from the list (97) eap: Peer sent packet with method EAP GTC (6) (97) eap: Calling submodule eap_gtc to process data (97) eap_gtc: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (97) eap_gtc: Auth-Type PAP { rlm_ldap (ldap): Reserved connection (28) (97) ldap: Login attempt by "migr03@company.nl" (97) ldap: Using user DN from request "uid=migr03,ou=Users,dc=example,dc=nl" (97) ldap: Waiting for bind result... (97) ldap: ERROR: Bind credentials incorrect: Invalid credentials (97) ldap: ERROR: Server said: Incorrect password. rlm_ldap (ldap): Released connection (28) (97) eap_gtc: [ldap] = reject (97) eap_gtc: } # Auth-Type PAP = reject (97) eap: ERROR: Failed continuing EAP GTC (6) session. EAP sub-module failed (97) eap: Sending EAP Failure (code 4) ID 1 length 4 (97) eap: Failed in EAP select (97) [eap] = invalid (97) } # authenticate = invalid (97) Failed to authenticate the user (97) Using Post-Auth-Type Reject (97) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (97) Post-Auth-Type REJECT { (97) attr_filter.access_reject: EXPAND %{User-Name} (97) attr_filter.access_reject: --> migr03@company.nl (97) attr_filter.access_reject: Matched entry DEFAULT at line 11 (97) [attr_filter.access_reject] = updated (97) update outer.session-state { (97) &Module-Failure-Message := &request:Module-Failure-Message -> 'ldap: Bind credentials incorrect: Invalid credentials' (97) } # update outer.session-state = noop (97) } # Post-Auth-Type REJECT = updated (97) } # server inner-tunnel (97) Virtual server sending reply (97) EAP-Message = 0x04010004 (97) Message-Authenticator = 0x00000000000000000000000000000000 (97) eap_ttls: Got tunneled Access-Reject (97) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed (97) eap: Sending EAP Failure (code 4) ID 94 length 4 (97) eap: Failed in EAP select (97) [eap] = invalid (97) } # authenticate = invalid (97) Failed to authenticate the user (97) Using Post-Auth-Type Reject (97) # Executing group from file /etc/freeradius/sites-enabled/default (97) Post-Auth-Type REJECT { (97) attr_filter.access_reject: EXPAND %{User-Name} (97) attr_filter.access_reject: --> migr03@company.nl (97) attr_filter.access_reject: Matched entry DEFAULT at line 11 (97) [attr_filter.access_reject] = updated (97) [eap] = noop (97) policy remove_reply_message_if_eap { (97) if (&reply:EAP-Message && &reply:Reply-Message) { (97) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (97) else { (97) [noop] = noop (97) } # else = noop (97) } # policy remove_reply_message_if_eap = noop (97) } # Post-Auth-Type REJECT = updated (97) Delaying response for 1.000000 seconds Waking up in 0.9 seconds. (97) Sending delayed response (97) Sent Access-Reject Id 35 from 172.17.0.6:1812 to 10.164.0.3:37310 length 48 (97) EAP-Message = 0x045e0004 (97) Message-Authenticator = 0x00000000000000000000000000000000 (97) Proxy-State = 0x3635 Waking up in 3.1 seconds. (91) Cleaning up request packet ID 234 with timestamp +898 (92) Cleaning up request packet ID 242 with timestamp +898 (93) Cleaning up request packet ID 173 with timestamp +898 (94) Cleaning up request packet ID 28 with timestamp +898 (95) Cleaning up request packet ID 24 with timestamp +898 (96) Cleaning up request packet ID 144 with timestamp +898 Waking up in 0.5 seconds. (97) Cleaning up request packet ID 35 with timestamp +898 Ready to process requests My ldap config /etc/freeradius/mods-available/ldap: ldap { server = 'ldaps://ldap.google.com' port = 636 identity = 'XX' password = XX base_dn = 'dc=example,dc=nl' sasl { } update { control:Password-With-Header += 'userPassword' control:Cleartext-Password := 'userPassword' control:NT-Password := 'ntPassword' control: += 'radiusControlAttribute' request: += 'radiusRequestAttribute' reply: += 'radiusReplyAttribute' } user_dn = "LDAP-UserDn" user { base_dn = "${..base_dn}" filter = "(mail=%{User-Name})" sasl { } } group { base_dn = "${..base_dn}" filter = '(objectClass=posixGroup)' membership_attribute = 'memberOf' } profile { } client { base_dn = "${..base_dn}" filter = '(objectClass=radiusClient)' template { } attribute { ipaddr = 'radiusClientIdentifier' secret = 'radiusClientSecret' } } accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" type { start { update { description := "Online at %S" } } interim-update { update { description := "Last seen at %S" } } stop { update { description := "Offline at %S" } } } } post-auth { update { } } options { chase_referrals = yes rebind = yes res_timeout = 10 srv_timelimit = 3 net_timeout = 1 idle = 60 probes = 3 interval = 3 ldap_debug = 0x0028 } tls { start_tls = no certificate_file = /etc/freeradius/certs/ldap-client.crt private_key_file = /etc/freeradius/certs/ldap-client.key require_cert = 'allow' } pool { start = ${thread[pool].start_servers} min = ${thread[pool].min_spare_servers} max = ${thread[pool].max_servers} spare = ${thread[pool].max_spare_servers} uses = 0 retry_delay = 30 lifetime = 0 idle_timeout = 60 } } my /etc/freeradius/mods-config/files/authorize DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "SLIP" Framed-Protocol = SLIP DEFAULT Ldap-UserDN := "%{User-Name}" my /etc/freeradius/sites-available/default: server default { listen { type = auth ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { ipaddr = * port = 0 type = acct limit { } } listen { type = auth ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { ipv6addr = :: port = 0 type = acct limit { } } authorize { filter_username preprocess digest suffix eap { ok = return } files -sql ldap expiration logintime pap if (User-Password) { update control { Auth-Type := ldap } } } authenticate { Auth-Type PAP { ldap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } mschap digest ldap eap } preacct { preprocess acct_unique suffix files } accounting { detail unix -sql exec attr_filter.accounting_response } session { } post-auth { if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { update reply { &User-Name !* ANY } } update { &reply: += &session-state: } -sql exec remove_reply_message_if_eap Post-Auth-Type REJECT { -sql attr_filter.access_reject eap remove_reply_message_if_eap } Post-Auth-Type Challenge { } } pre-proxy { } post-proxy { eap } }