wOn Jun 21, 2020, at 11:08 AM, Wessel Louwris <wessel@stutit.nl> wrote:
If I authenticate with user migr03@company.nl <mailto:migr03@company.nl> (which is not our main domain example.nl <http://example.nl/>) I get below log. With mig01@example.nl <mailto:mig01@example.nl> everything works fine (although it still binds with the full DN) and I can authenticatie.
I hoped that DEFAULT Ldap-UserDN := "%{User-Name}” in my /etc/freeradius/mods-config/files/authorize would skip the ldapsearch and go straight to the binding with this username.
I also pasted my ldap, authorize, default file below the logs.
Don't do that. Read the docs: http://wiki.freeradius.org/list-help
(97) Received Access-Request Id 35 from 10.164.0.3:37310 to 172.17.0.6:1812 length 591 (97) User-Name = "migr03@company.nl"
You're still not posting the FULL debug output. I asked you to do that. The reason you're having issues is simple: You're not reading the documentation, and you're not following instructions. I asked you to post the FULL debug output. You didn't do that. The documentation says DON'T post configuration files. You did that. If you simply read the documentation and follow instructions, you can get the issue fixed. Quickly. The more you fight, the longer it will take to fix the issue. ...
(97) # Executing section authorize from file /etc/freeradius/sites-enabled/default (97) authorize { (97) policy filter_username { (97) if (&User-Name) { (97) if (&User-Name) -> TRUE (97) if (&User-Name) { (97) if (&User-Name =~ / /) { (97) if (&User-Name =~ / /) -> FALSE (97) if (&User-Name =~ /@[^@]*@/ ) { (97) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (97) if (&User-Name =~ /\.\./ ) { (97) if (&User-Name =~ /\.\./ ) -> FALSE (97) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (97) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (97) if (&User-Name =~ /\.$/) { (97) if (&User-Name =~ /\.$/) -> FALSE (97) if (&User-Name =~ /@\./) { (97) if (&User-Name =~ /@\./) -> FALSE (97) } # if (&User-Name) = notfound (97) } # policy filter_username = notfound (97) [preprocess] = ok (97) [digest] = noop (97) suffix: Checking for suffix after "@" (97) suffix: Looking up realm "company.nl" for User-Name = "migr03@company.nl" (97) suffix: No such realm "company.nl" (97) [suffix] = noop (97) eap: Peer sent EAP Response (code 2) ID 94 length 63 (97) eap: Continuing tunnel setup (97) [eap] = ok (97) } # authorize = ok
And no mention of the "files" module i..e you edited the default configuration and broke it. Don't do that.
(97) server inner-tunnel { (97) session-state: No cached attributes (97) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (97) authorize { (97) policy filter_username { (97) if (&User-Name) { (97) if (&User-Name) -> TRUE (97) if (&User-Name) { (97) if (&User-Name =~ / /) { (97) if (&User-Name =~ / /) -> FALSE (97) if (&User-Name =~ /@[^@]*@/ ) { (97) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (97) if (&User-Name =~ /\.\./ ) { (97) if (&User-Name =~ /\.\./ ) -> FALSE (97) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (97) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (97) if (&User-Name =~ /\.$/) { (97) if (&User-Name =~ /\.$/) -> FALSE (97) if (&User-Name =~ /@\./) { (97) if (&User-Name =~ /@\./) -> FALSE (97) } # if (&User-Name) = notfound (97) } # policy filter_username = notfound (97) suffix: Checking for suffix after "@" (97) suffix: Looking up realm "company.nl" for User-Name = "migr03@company.nl" (97) suffix: No such realm "company.nl" (97) [suffix] = noop (97) update control { (97) &Proxy-To-Realm := LOCAL (97) } # update control = noop (97) eap: Peer sent EAP Response (code 2) ID 1 length 13 (97) eap: No EAP Start, assuming it's an on-going EAP conversation (97) [eap] = updated rlm_ldap (ldap): Reserved connection (23) (97) ldap: EXPAND (mail=%{User-Name}) (97) ldap: --> (mail=migr03@company.nl) (97) ldap: Performing search in "dc=example,dc=nl" with filter "(mail=migr03@company.nl)", scope "sub" (97) ldap: Waiting for search result... (97) ldap: User object found at DN "uid=migr03,ou=Users,dc=example,dc=nl" (97) ldap: Processing user attributes (97) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (97) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Released connection (23) (97) [ldap] = ok (97) [expiration] = noop (97) [logintime] = noop (97) [pap] = noop (97) if (User-Password) { (97) if (User-Password) -> FALSE (97) } # authorize = updated
And no mention of the "files" module here, either. It's a complete mystery to me why people delete things from the configuration, and are then surprised that it doesn't work. If you tell the server to NOT use the "files" module, then it won't use the "files" module. And anything you put into mods-config/files/authorize will be ignored. Alan DeKok.