freeradius-users-request@lists.freeradius.org wrote:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: Problem with LDAP and Groups (Alan DeKok)
----------------------------------------------------------------------
Message: 1 Date: Thu, 11 Oct 2007 09:58:49 +0200 From: Alan DeKok <aland@deployingradius.com> Subject: Re: Problem with LDAP and Groups To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <470DD7B9.9040607@deployingradius.com> Content-Type: text/plain; charset=ISO-8859-1
Bryan Evege wrote:
Here's the problem. When a user logs in and is a member of more than one group radius only uses the first one to match. I've included the users file below.
In which you tell it to stop matching after the first one.
DEFAULT Ldap-Group == packeteer_read_only,User-Profile := "uid=packeteer_read_only,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP Fall-Through = no
See "man users" for the meaning of Fall-Through. Then, change this to "yes".
Alan DeKok.
------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
End of Freeradius-Users Digest, Vol 30, Issue 40 ************************************************
Thank you for the reply. If I change the fall through to yes it still matches as many groups as the user is in. How can I tell freeradius which attributes to send back? It only sends back the attributes of the last group it finds. For example, bevege is a member of the following groups, packetshapper, cisco_priv_15, cisco_priv_1, linux. Here is what happens when I try to log into one of the packet shappers. I get the attributes for the cisco_priv_1 because it's last in the list and I can't logon. I f I change all of the users groups to fall-through=no the packetshapper allows me to login but then the cisco profiles don't work because it never makes it to them. Basically this setup works fine if you're only in one group! What's the point of groups if you can only be in one. Any help would be appreciated. _*Radius -X -A output *_freeradius-users-request@lists.freeradius.org wrote:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: Problem with LDAP and Groups (Alan DeKok)
----------------------------------------------------------------------
Message: 1 Date: Thu, 11 Oct 2007 09:58:49 +0200 From: Alan DeKok <aland@deployingradius.com> Subject: Re: Problem with LDAP and Groups To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <470DD7B9.9040607@deployingradius.com> Content-Type: text/plain; charset=ISO-8859-1
Bryan Evege wrote:
Here's the problem. When a user logs in and is a member of more than one group radius only uses the first one to match. I've included the users file below.
In which you tell it to stop matching after the first one.
DEFAULT Ldap-Group == packeteer_read_only,User-Profile := "uid=packeteer_read_only,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP Fall-Through = no
See "man users" for the meaning of Fall-Through. Then, change this to "yes".
Alan DeKok.
------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
End of Freeradius-Users Digest, Vol 30, Issue 40 ************************************************
Thank you for the reply. If I change the fall through to yes it still matches as many groups as the user is in. How can I tell freeradius which attributes to send back? It only sends back the attributes of the last group it finds. radius -X -A output rad_recv: Access-Request packet from host 10.17.71.10:4852, id=68, length=58 User-Name = "bevege" User-Password = "xxxxxxx" Service-Type = Login-User NAS-IP-Address = 10.17.71.10 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_realm: No '@' in User-Name = "bevege", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'ou=users,ou=radius,dc=csctus,dc=net' radius_xlat: '(uid=bevege)' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as cn=Manager,dc=csctus,dc=net/xxxxx to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with filter (uid=bevege) rlm_ldap: ldap_release_conn: Release Id: 0 radius_xlat: '(&(uid=bevege)(objectclass=radiusprofile))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with filter (&(radiusGroupName=acct_disabled)(&(uid=bevege)(objectclass=radiusprofile))) rlm_ldap: object not found or got ambiguous search result (user is not a memeber) rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in uid=bevege,ou=Atlanta,ou=users,ou=radius,dc=csctus,dc=net, with filter (objectclass=*) rlm_ldap::groupcmp: Group acct_disabled not found ????or user not a member (this is true) rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'ou=users,ou=radius,dc=csctus,dc=net' radius_xlat: '(&(uid=bevege)(objectclass=radiusprofile))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with filter (&(radiusGroupName=packeteer_read_only)(&(uid=bevege)(objectclass=radiusprofile))) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in uid=bevege,ou=Atlanta,ou=users,ou=radius,dc=csctus,dc=net, with filter (objectclass=*) rlm_ldap::groupcmp: Group packeteer_read_only not found ????or user not a member (this is true) rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'ou=users,ou=radius,dc=csctus,dc=net' radius_xlat: '(&(uid=bevege)(objectclass=radiusprofile))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with filter (&(radiusGroupName=Packeteer)(&(uid=bevege)(objectclass=radiusprofile))) rlm_ldap::ldap_groupcmp: User found in group Packeteer (this is true) rlm_ldap: ldap_release_conn: Release Id: 0 users: Matched entry DEFAULT at line 162 (this is correct.) rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'ou=users,ou=radius,dc=csctus,dc=net' radius_xlat: '(&(uid=bevege)(objectclass=radiusprofile))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with filter (&(radiusGroupName=netscreen)(&(uid=bevege)(objectclass=radiusprofile))) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in uid=bevege,ou=Atlanta,ou=users,ou=radius,dc=csctus,dc=net, with filter (objectclass=*) rlm_ldap::groupcmp: Group netscreen not found ????or user not a member (this is correct) rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'ou=users,ou=radius,dc=csctus,dc=net' radius_xlat: '(&(uid=bevege)(objectclass=radiusprofile))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with filter (&(radiusGroupName=cisco_priv_15)(&(uid=bevege)(objectclass=radiusprofile))) rlm_ldap::ldap_groupcmp: User found in group cisco_priv_15 (this is correct) rlm_ldap: ldap_release_conn: Release Id: 0 users: Matched entry DEFAULT at line 168 (this is correct) rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'ou=users,ou=radius,dc=csctus,dc=net' radius_xlat: '(&(uid=bevege)(objectclass=radiusprofile))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with filter (&(radiusGroupName=cisco_priv_1)(&(uid=bevege)(objectclass=radiusprofile))) rlm_ldap::ldap_groupcmp: User found in group cisco_priv_1 (this is correct) rlm_ldap: ldap_release_conn: Release Id: 0 users: Radius -X -A output rad_recv: Access-Request packet from host 10.17.71.10:4852, id=68, length=58 User-Name = "bevege" User-Password = "xxxxxxx" Service-Type = Login-User NAS-IP-Address = 10.17.71.10 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_realm: No '@' in User-Name = "bevege", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'ou=users,ou=radius,dc=csctus,dc=net' radius_xlat: '(uid=bevege)' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as cn=Manager,dc=csctus,dc=net/xxxxx to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with filter (uid=bevege) rlm_ldap: ldap_release_conn: Release Id: 0 radius_xlat: '(&(uid=bevege)(objectclass=radiusprofile))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with filter (&(radiusGroupName=acct_disabled)(&(uid=bevege)(objectclass=radiusprofile))) rlm_ldap: object not found or got ambiguous search result (user is not a memeber) rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in uid=bevege,ou=Atlanta,ou=users,ou=radius,dc=csctus,dc=net, with filter (objectclass=*) rlm_ldap::groupcmp: Group acct_disabled not found ????or user not a member (this is true) rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'ou=users,ou=radius,dc=csctus,dc=net' radius_xlat: '(&(uid=bevege)(objectclass=radiusprofile))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with filter (&(radiusGroupName=packeteer_read_only)(&(uid=bevege)(objectclass=radiusprofile))) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in uid=bevege,ou=Atlanta,ou=users,ou=radius,dc=csctus,dc=net, with filter (objectclass=*) rlm_ldap::groupcmp: Group packeteer_read_only not found ????or user not a member (this is true) rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'ou=users,ou=radius,dc=csctus,dc=net' radius_xlat: '(&(uid=bevege)(objectclass=radiusprofile))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with filter (&(radiusGroupName=Packeteer)(&(uid=bevege)(objectclass=radiusprofile))) rlm_ldap::ldap_groupcmp: User found in group Packeteer (this is true) rlm_ldap: ldap_release_conn: Release Id: 0 users: Matched entry DEFAULT at line 162 (this is correct.) rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'ou=users,ou=radius,dc=csctus,dc=net' radius_xlat: '(&(uid=bevege)(objectclass=radiusprofile))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with filter (&(radiusGroupName=netscreen)(&(uid=bevege)(objectclass=radiusprofile))) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in uid=bevege,ou=Atlanta,ou=users,ou=radius,dc=csctus,dc=net, with filter (objectclass=*) rlm_ldap::groupcmp: Group netscreen not found ????or user not a member (this is correct) rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'ou=users,ou=radius,dc=csctus,dc=net' radius_xlat: '(&(uid=bevege)(objectclass=radiusprofile))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with filter (&(radiusGroupName=cisco_priv_15)(&(uid=bevege)(objectclass=radiusprofile))) rlm_ldap::ldap_groupcmp: User found in group cisco_priv_15 (this is correct) rlm_ldap: ldap_release_conn: Release Id: 0 users: Matched entry DEFAULT at line 168 (this is correct) rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'ou=users,ou=radius,dc=csctus,dc=net' radius_xlat: '(&(uid=bevege)(objectclass=radiusprofile))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with filter (&(radiusGroupName=cisco_priv_1)(&(uid=bevege)(objectclass=radiusprofile))) rlm_ldap::ldap_groupcmp: User found in group cisco_priv_1 (this is correct) rlm_ldap: ldap_release_conn: Release Id: 0 users: Matched entry DEFAULT at line 171 (this is correct) rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'ou=users,ou=radius,dc=csctus,dc=net' radius_xlat: '(&(uid=bevege)(objectclass=radiusprofile))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with filter (&(radiusGroupName=netscreen)(&(uid=bevege)(objectclass=radiusprofile))) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in uid=bevege,ou=Atlanta,ou=users,ou=radius,dc=csctus,dc=net, with filter (objectclass=*) rlm_ldap::groupcmp: Group netscreen not found ????or user not a member (this is correct) rlm_ldap: ldap_release_conn: Release Id: 0 users: Matched entry DEFAULT at line 177 (this is odd, why is it matching on the last Group in the users file, DEFAULT Auth-Type := Reject Reply-Message = "Please call the helpdesk.") modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for bevege radius_xlat: '(uid=bevege)' radius_xlat: 'ou=users,ou=radius,dc=csctus,dc=net' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with filter (uid=bevege) rlm_ldap: performing search in uid=cisco_priv_1,ou=profiles,ou=radius,dc=csctus,dc=net, with filter (objectclass=radiusprofile) rlm_ldap: extracted attribute Cisco-AVPair from generic item Cisco-AVPair ="priv-lvl=1" (why does it choose only this attribute to send back?) rlm_ldap: Added password {MD5}xxxxxxxxxxxxxxxx== in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user bevege authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type Reject rad_check_password: Auth-Type = Reject, rejecting user (I believe this is because it matches line 177 last which has Auth-Type reject) auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 68 to 10.17.71.10 port 4852 Reply-Message = "Please call the helpdesk." Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 68 with timestamp 470e2326 Nothing to do. Sleeping until we see a request. Users file for reference 156 DEFAULT Ldap-Group == acct_disabled, Auth-Type := Reject 157 Reply-Message = "Account disabled. Please call the helpdesk." 158 159 DEFAULT Ldap-Group == packeteer_read_only,User-Profile := "uid=packeteer_read_only,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP 160 Fall-Through = yes 161 162 DEFAULT Ldap-Group == Packeteer,User-Profile := "uid=Packeteer,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP 163 Fall-Through = yes 164 165 DEFAULT Ldap-Group == netscreen,User-Profile := "uid=netscreen,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP 166 Fall-Through = yes 167 168 DEFAULT Ldap-Group == cisco_priv_15,User-Profile := "uid=cisco_priv_15,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP 169 Fall-Through = yes 170 171 DEFAULT Ldap-Group == cisco_priv_1,User-Profile := "uid=cisco_priv_1,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP 172 Fall-Through = yes 173 174 DEFAULT Ldap-Group == netscreen,User-Profile := "uid=netscreen,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP 175 Fall-Through = no 176 177 DEFAULT Auth-Type := Reject 178 Reply-Message = "Please call the helpdesk." 179 180 DEFAULT Auth-Type = System 181 fall-Through = 1ed entry DEFAULT at line 171 (this is correct)