Here is the Debug output differences with some context lines. As I said on previous email, when using group options I can see on the debug that is not authenticating only authorizing, while not using group options is indeed authenticating. I can see that there is also something different about PAP. ============================================================================================================================= Debug diff sections using group options with some context lines: ============================================================================================================================= basedn = "cn=Users,dc=jetdom,dc=local" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=*)" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" groupmembership_attribute = "memberOf" dictionary_mapping = "/usr/pbi/freeradius-i386/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes [ldap] Bind was successful [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=administrator) [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (&(cn=InternetAccess)(|(&(objectClass=GroupOfNames)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in CN=Administrator,CN=Users,DC=jetdom,DC=local, with filter (objectclass=*) [ldap] performing search in CN=InternetAccess,CN=Users,DC=jetdom,DC=local, with filter (cn=InternetAccess) rlm_ldap::ldap_groupcmp: User found in group InternetAccess [ldap] ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 5 ++[files] = ok ++policy redundant { [sql] expand: %{User-Name} -> administrator [sql] sql_set_user escaped user --> 'administrator' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'administrator' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'administrator' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 [sql] User administrator not found +++[sql] = notfound ++} # policy redundant = notfound ++policy redundant { [ldap] performing user authorization for administrator [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> administrator [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=administrator) [ldap] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=administrator) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] ldap_release_conn: Release Id: 0 +++[ldap] = ok ++} # policy redundant = ok rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[daily] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[weekly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[monthly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[forever] = noop rlm_checkval: Could not find item named Calling-Station-Id in request rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] = notfound ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = ok Found Auth-Type = Accept Auth-Type = Accept, accepting the user expand: -> Login OK: [administrator] (from client squid port 111) # Executing section post-auth from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group post-auth { ++policy redundant { [sql] expand: %{User-Name} -> administrator [sql] sql_set_user escaped user --> 'administrator' [sql] expand: %{User-Password} -> jet10520b [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'administrator', 'jet10520b', 'Access-Accept', '2015-04-21 23:06:58') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'administrator', 'jet10520b', 'Access-Accept', '2015-04-21 23:06:58') rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2 +++[sql] = ok ++} # policy redundant = ok ++[exec] = noop +} # group post-auth = ok Sending Access-Accept of id 1 to 192.168.56.1 port 5829 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 1 with timestamp +71 Ready to process requests. ============================================================================================================================= Debug diff sections NOT using group options with some context lines: ============================================================================================================================= basedn = "cn=Users,dc=jetdom,dc=local" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=*)" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/usr/pbi/freeradius-i386/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes [ldap] Bind was successful [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=administrator) [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (&(cn=InternetAccess)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Group InternetAccess not found or user is not a member. [ldap] Entering ldap_groupcmp() [files] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [files] expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (&(cn=InternetAccess)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Group InternetAccess not found or user is not a member. ++[files] = noop ++policy redundant { [sql] expand: %{User-Name} -> administrator [sql] sql_set_user escaped user --> 'administrator' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'administrator' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'administrator' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 [sql] User administrator not found +++[sql] = notfound ++} # policy redundant = notfound ++policy redundant { [ldap] performing user authorization for administrator [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> administrator [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=administrator) [ldap] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=administrator) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] Setting Auth-Type = LDAP [ldap] ldap_release_conn: Release Id: 0 +++[ldap] = ok ++} # policy redundant = ok rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[daily] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[weekly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[monthly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[forever] = noop rlm_checkval: Could not find item named Calling-Station-Id in request rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] = notfound ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = ok Found Auth-Type = LDAP # Executing group from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group LDAP { [ldap] login attempt by "administrator" with password "jet10520b" [ldap] user DN: CN=Administrator,CN=Users,DC=jetdom,DC=local [ldap] (re)connect to jetsms-srv2003.jetdom.local:389, authentication 1 [ldap] setting TLS CACert File to /usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem [ldap] setting TLS CACert Directory to /usr/pbi/freeradius-i386/etc/raddb/certs/ [ldap] setting TLS Require Cert to never [ldap] setting TLS Cert File to /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt [ldap] setting TLS Key File to /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key [ldap] setting TLS Rand File to /usr/pbi/freeradius-i386/etc/raddb/certs/random [ldap] bind as CN=Administrator,CN=Users,DC=jetdom,DC=local/jet10520b to jetsms-srv2003.jetdom.local:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] user administrator authenticated succesfully ++[ldap] = ok +} # group LDAP = ok expand: -> Login OK: [administrator] (from client squid port 111) # Executing section post-auth from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group post-auth { ++policy redundant { [sql] expand: %{User-Name} -> administrator [sql] sql_set_user escaped user --> 'administrator' [sql] expand: %{User-Password} -> jet10520b [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'administrator', 'jet10520b', 'Access-Accept', '2015-04-21 23:26:00') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'administrator', 'jet10520b', 'Access-Accept', '2015-04-21 23:26:00') rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2 +++[sql] = ok ++} # policy redundant = ok ++[exec] = noop +} # group post-auth = ok Sending Access-Accept of id 3 to 192.168.56.1 port 5829 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 3 with timestamp +47 Ready to process requests. On Wed, Apr 22, 2015 at 6:51 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Apr 21, 2015, at 11:31 PM, Jose Torres-Berrocal < jetsystemservices@gmail.com> wrote:
Debug output using group options:
While posting the debug output is nice, it would help for *you* to look at them, too. Just dumping them here and expecting us to do all the work is... not nice.
You can use tools like "diff" to see what the differences are. Then, post the *differences* here, and ask for clarification.
i.e. if you're not going to read the debug output, we're not going to read it, either.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html