Hello,

 

In order to allow a user to access the service (send a Access-Accept) I need to validate several things:

 

First the password must be OK:

 

 

The user must be allowed to use the service:

 

 

 

I have no trouble to check the User-Name/Password using ldap and chap modules. But I can’t figure out how to use the ldap reply to request the local mysql where is store the match between crm Id and status.

I don’t know how to use a reply of a authorization module (ldap) in an another one (sql).

 

Since I didn’t find out how to do this, I tried to add the crmID in a unused radius attribute: Callback-Number:

 

In the ldap attrmap configuration file I added:

 

replyItem       Callback-Number                 SFRrelationLoginService

 

And in the sql configuration:

 

sql_user_name = "%{Callback-Number}"

 

 

Unfortunately as expected the replyItem is only add when the reply is generate. I also tried with a checkItem without more success…

 

Is it possible to configure the ldap module in order to store a ldapattribute in a variable usable by the mysql module ? Or to replace/add a radius attribute in the request, base on the ldap reply before the next module is compute?

 

 

 

Examples :

 

Goal case:

 

echo "User-Name= toto,Chap-Password=111111", | sudo radclient -x 172.16.0.135:1812 auth secret

Sending Access-Request of id 202 to 172.16.0.135 port 1812

        User-Name = "toto"

        CHAP-Password = 0xcab5c3da9c9ebb891608c1991c2e37bea3

rad_recv: Access-Reject packet from host 172.16.0.135 port 1812, id=202, length=20

 

 

log:

 

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: Waking up in 0.9 seconds.

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_ldap: waiting for bind result ...

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_ldap: Bind was successful

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_ldap: performing search in ou=EndUser,dc=USER,dc=fr, with filter (USERlogin=toto*)

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [ldapClear] No default NMAS login sequence

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [ldapClear] looking for check items in directory...

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_ldap: USERrelationLoginService -> Callback-Number == "siebelsIdFortoto"

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_ldap: USERuserPassword -> Cleartext-Password == "111111"

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_ldap: USERlogin -> User-Name == "toto"

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [ldapClear] looking for reply items in directory...

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [ldapClear] user toto authorized to use remote access

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_ldap: ldap_release_conn: Release Id: 0

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[ldapClear] returns ok

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [sql_crm_abv] #011expand: %{Callback-Number} ->

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [sql_crm_abv] sql_set_user escaped user --> ''

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_sql (sql_crm_abv): Reserving sql socket id: 1

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [sql_crm_abv] #011expand: SELECT Identifiant, Status           FROM siebel           WHERE Identifiant = '%{Callback-Number}' AND Status='1' -> SELECT Identifiant, Status           FROM siebel           WHERE Identifiant = '' AND Status='1'

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_sql_mysql: query:  SELECT Identifiant, Status           FROM siebel           WHERE Identifiant = '' AND Status='1'

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_sql (sql_crm_abv): Released sql socket id: 1

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [sql_crm_abv] User  not found

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[sql_crm_abv] returns notfound

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [chap] Setting 'Auth-Type := CHAP'

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[chap] returns ok

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[expiration] returns noop

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[logintime] returns noop

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [pap] Found existing Auth-Type, not changing it.

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[pap] returns noop

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_sqlcounter: Entering module authorize code

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_sqlcounter: Could not find Key value pair

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[scratchcounter_lyo] returns noop

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: Found Auth-Type = CHAP

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: +- entering group CHAP {...}

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [chap] login attempt by "toto" with CHAP password

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [chap] Using clear text password "111111" for user toto authentication.

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [chap] chap user toto authenticated succesfully

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[chap] returns ok

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: Login OK: [toto/<CHAP-Password>] (from client ext port 0)

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: +- entering group post-auth {...}

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[reply_log] returns ok

 

 

 

 

Test addin the crmId in the request before computing => not possible in real situation, but to test everything else

 

 echo "User-Name= toto,Chap-Password=111111",Callback-Number='siebelsIdFortoto' | sudo radclient -x 172.16.0.135:1812 auth secret

Sending Access-Request of id 159 to 172.16.0.135 port 1812

        User-Name = "toto"

        CHAP-Password = 0x9fb08ff7f454d0c9998fc5dd72479940cd

        Callback-Number = "siebelsIdFortoto"

rad_recv: Access-Accept packet from host 172.16.0.135 port 1812, id=159, length=20

 

 

log:

 

 

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Thread 4 got semaphore

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Thread 4 handling request 0, (1 handled so far)

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: +- entering group authorize {...}

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[preprocess] returns ok

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[mschap] returns noop

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [IPASS] No '/' in User-Name = "toto", looking up realm NULL

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [IPASS] No such realm "NULL"

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[IPASS] returns noop

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [suffix] No '@' in User-Name = "toto", looking up realm NULL

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [suffix] No such realm "NULL"

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[suffix] returns noop

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[files] returns noop

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] performing user authorization for toto

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] #011expand: %{Stripped-User-Name} ->

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] #011expand: %{User-Name} -> toto

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] #011expand: (USERlogin=%{%{Stripped-User-Name}:-%{User-Name}}*) -> (USERlogin=toto*)

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] #011expand: ou=EndUser,dc=USER,dc=fr -> ou=EndUser,dc=USER,dc=fr

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: ldap_get_conn: Checking Id: 0

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: ldap_get_conn: Got Id: 0

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: attempting LDAP reconnection

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: (re)connect to 10.33.245.241:389, authentication 0

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: bind as cn=Radius Gp,ou=Application,dc=USER,dc=fr/radiusgp to 10.33.245.241:389

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Threads: total/active/spare threads = 5/1/4

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Waking up in 0.9 seconds.

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: waiting for bind result ...

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: Bind was successful

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: performing search in ou=EndUser,dc=USER,dc=fr, with filter (USERlogin=toto*)

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] No default NMAS login sequence

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] looking for check items in directory...

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: USERrelationLoginService -> Callback-Number == "siebelsIdFortoto"

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: USERuserPassword -> Cleartext-Password == "111111"

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: USERlogin -> User-Name == "toto"

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] looking for reply items in directory...

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] user toto authorized to use remote access

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: ldap_release_conn: Release Id: 0

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[ldapClear] returns ok

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [sql_crm_abv] #011expand: %{Callback-Number} -> siebelsIdFortoto

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [sql_crm_abv] sql_set_user escaped user --> 'siebelsIdFortoto'

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_sql (sql_crm_abv): Reserving sql socket id: 1

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [sql_crm_abv] #011expand: SELECT Identifiant, Status           FROM siebel           WHERE Identifiant = '%{Callback-Number}' AND Status='1' -> SELECT Identifiant, Status           FROM siebel           WHERE Identifiant = 'siebelsIdFortoto' AND Status='1'

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_sql_mysql: query:  SELECT Identifiant, Status           FROM siebel           WHERE Identifiant = '=siebelsIdFortoto' AND Status='1'

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_sql (sql_crm_abv): Released sql socket id: 1

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [sql_crm_abv] User siebelsIdFortoto not found

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[sql_crm_abv] returns notfound

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [chap] Setting 'Auth-Type := CHAP'

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[chap] returns ok

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[expiration] returns noop

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[logintime] returns noop

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [pap] Found existing Auth-Type, not changing it.

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[pap] returns noop

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_sqlcounter: Entering module authorize code

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_sqlcounter: Could not find Key value pair

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Found Auth-Type = CHAP

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: +- entering group CHAP {...}

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [chap] login attempt by "toto" with CHAP password

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [chap] Using clear text password "111111" for user toto authentication.

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [chap] chap user toto authenticated succesfully

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[chap] returns ok

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Login OK: [toto/<CHAP-Password>] (from client ext port 0)

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: +- entering group post-auth {...}

JJun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Finished request 0.

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Going to the next request

Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Thread 4 waiting to be assigned a request

Jun 16 12:33:30 radius-wifi1-aub freeradius[7106]: Waking up in 4.0 seconds.

Jun 16 12:33:34 radius-wifi1-aub freeradius[7106]: Cleaning up request 0 ID 159 with timestamp +4

Jun 16 12:33:34 radius-wifi1-aub freeradius[7106]: Ready to process requests.