I did make sure to restart the server. I did fail to mention that I purged freeradius and reinstalled so I must have made a configuration error somewhere along the way. From: Freeradius-Users <freeradius-users-bounces+kevin.virk=faithlife.com@lists.freeradius.org> on behalf of freeradius-users-request@lists.freeradius.org <freeradius-users-request@lists.freeradius.org> Sent: Friday, August 10, 2018 1:30 AM To: freeradius-users@lists.freeradius.org Subject: Freeradius-Users Digest, Vol 160, Issue 14 Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..." Today's Topics: 1. Re: ldap module for user and mac authentication (Dave Macias) 2. Re: ldap module for user and mac authentication (Michael Ströder) 3. Re: Accounting-Request packet shared secret fail (Alan DeKok) (Kevin Virk) (Alan DeKok) 4. Re: Dynamic vlan assignment (Dom Latter) 5. Re: Freeradius-Users Digest, Vol 160, Issue 9 (Arun NP) ---------------------------------------------------------------------- Message: 1 Date: Thu, 9 Aug 2018 08:23:51 -0400 From: Dave Macias <davama@gmail.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: ldap module for user and mac authentication Message-ID: <CA+nFYV_UOg+TuMMciVwPWTHUX5B=H=rbhpUE9mv_e+rsVDvCYw@mail.gmail.com> Content-Type: text/plain; charset="UTF-8"
Yes, I had thought of something to the effect of (suggestions welcomed) :
* if (!"%{ldap:ldap://master1/ou=%{client:shortname},ou=macs,dc=myorg,dc=net?cn?sub?(* *&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {* * if (!"%{ldap:ldap://master2/ou=%{client:shortname},ou=macs,dc=myorg,dc=net?c* *n?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {* * reject* * }* * }* * update {* * control:Auth-Type := Accept* * }*
But this does not account for the scenario of openldap being dead. The 1st "if" statement will be always be FALSE and never attempt the next "if" statement and therefore 'Accept'
I believe i misspoke here... But interesting observations. if i use the below code AND have multiple ldap servers configured in my ldap module, radius '%{ldap:ldap:///...}' will automatically go to the one that is alive; assuming one is at least alive. IF i have just one ldap server configured in my ldap module, (which is dead), then the 'if' will FAIL and reject as it should. *if (!"%{ldap:ldap:///ou=%{client:shortname},ou=macs,dc=datacom,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {* *reject* *}* *else {* *update {* *control:Auth-Type := Accept* *}* *}* Same results as above (ldap module will use the live ldap server, not the dead one) *if (!"%{ldap:ldap://dead-ldap-server/ou=%{client:shortname},ou=macs,dc=datacom,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}")* *...* *...* So what did i learn? you dont need to use the SRV record for failover, as long as you have all the ldap servers in your ldap module. I think it makes sense since '%{ldap:...}" is using the ldap module, technically, but i would have thought that "ldap:///" or "ldap://dead-ldap-server/" meant localhost/dead-ldap-server not "live.ldap.the-module-found' Or maybe im just completely off... Hope that makes, sense. (1) if (&NAS-Port-Type == "Ethernet" && &Calling-Station-Id) { (1) if (&NAS-Port-Type == "Ethernet" && &Calling-Station-Id) -> TRUE (1) if (&NAS-Port-Type == "Ethernet" && &Calling-Station-Id) { (1) policy rewrite_calling_station_id { (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (1) update request { (1) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (1) --> 00-04-F2-DD-98-C6 (1) &Calling-Station-Id := 00-04-F2-DD-98-C6 (1) } # update request = noop (1) [updated] = updated (1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (1) ... skipping else: Preceding "if" was taken (1) } # policy rewrite_calling_station_id = updated (1) if (!"%{ldap:ldap:///ou=%{client:shortname},ou=macs,dc=datacom,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") { rlm_ldap (ldap): Reserved connection (0) (1) Performing search in "ou=sub-macs,ou=macs,dc=myorg,dc=net" with filter "(&(objectClass=ieee802Device)(macAddress=00-04-F2-DD-98-C6))", scope "sub" (1) Waiting for search result... rlm_ldap (ldap): Released connection (0) Need 5 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldap://localhost:389 ldap://ldap2:389 TLSMC: MozNSS compatibility interception begins. tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present. tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only. TLSMC: MozNSS compatibility interception ends. rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (1) EXPAND %{ldap:ldap:///ou=%{client:shortname},ou=macs,dc=datacom,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))} (1) --> 0004f2dd98c6 (1) if (!"%{ldap:ldap:///ou=%{client:shortname},ou=macs,dc=datacom,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") -> FALSE (1) else { (1) update { (1) control:Auth-Type := Accept (1) } # update = noop (1) } # else = noop (1) } # if (&NAS-Port-Type == "Ethernet" && &Calling-Station-Id) = updated (1) ... skipping else: Preceding "if" was taken (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = Accept ------------------------------ Message: 2 Date: Thu, 9 Aug 2018 14:40:04 +0200 From: Michael Ströder <michael@stroeder.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>, Dave Macias <davama@gmail.com> Subject: Re: ldap module for user and mac authentication Message-ID: <7caaa8c6-5a4c-19b6-a59b-fa045992de8c@stroeder.com> Content-Type: text/plain; charset="utf-8"; Format="flowed" On 8/9/18 2:23 PM, Dave Macias wrote:
So what did i learn? you dont need to use the SRV record for failover, as long as you have all the ldap servers in your ldap module.
Yes! In theory the advantage of SRV RRs are that you can theoretically change what's in your pool of LDAP servers and adjust priorities based on locations. Besides that I don't believe anybody fully implemented that I'm not a fan of SRV RRs anyway because the TLS hostname check is not even defined for that. Ciao, Michael.