Particularly concerned about the F5-LTM-User-Role attribute since its an integer. I want to provide Manager (100) access to this user account, as defined in the F5 dictionary. Have I defined this attribute right in openldap. Would really appreciate if you could throw some light on that, and the rest of the attributes.


Thank you.



On Tue, May 20, 2014 at 11:59 AM, Ajinkya Fotedar <ajinkyafotedar@gmail.com> wrote:
Hi Arran,

Thank you so much for the reply. I have made the above changes and I can see the attributes in the reply message (Access-accept packet).
Although, I am not sure if this is what it should look like. I have not tested it with F5 but just want to make sure that I am heading in the right direction.
Below is the debug and some configurations from FreeRADIUS and OpenLDAP.

Please let me know your thoughts.

Thank you.



RADIUS debug


rad_recv: Access-Request packet from host 198.82.169.55 port 50524, id=211, length=132

User-Name = 'dawson'

NAS-IP-Address = 198.82.169.55

NAS-Port = 234234

Message-Authenticator = 0x14e775dc18fbbbd91c707988226a3a22

MS-CHAP-Challenge = 0xa92999be9652acdb

MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003ef65405da922bbe8b1f37ff9ba63458917d6bc42cf704c3

(0) # Executing section authorize from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default

(0)   authorize {

(0)   filter_username filter_username {

(0)    ? if (User-Name != "%{tolower:%{User-Name}}") 

(0) expand: "%{tolower:%{User-Name}}" -> 'dawson'

(0)    ? if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE

(0)    ? if (User-Name =~ / /) 

(0)    ? if (User-Name =~ / /)  -> FALSE

(0)    ? if (User-Name =~ /@.*@/ ) 

(0)    ? if (User-Name =~ /@.*@/ )  -> FALSE

(0)    ? if (User-Name =~ /\\.\\./ ) 

(0)    ? if (User-Name =~ /\\.\\./ )  -> FALSE

(0)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))  

(0)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE

(0)    ? if (User-Name =~ /\\.$/)  

(0)    ? if (User-Name =~ /\\.$/)   -> FALSE

(0)    ? if (User-Name =~ /@\\./)  

(0)    ? if (User-Name =~ /@\\./)   -> FALSE

(0)   } # filter_username filter_username = notfound

(0)   [preprocess] = ok

(0) auth_log : expand: "/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/198.82.169.55/auth-detail-20140520'

(0) auth_log : /apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/198.82.169.55/auth-detail-20140520

(0) auth_log : expand: "%t" -> 'Tue May 20 11:37:46 2014'

(0)   [auth_log] = ok

(0)   update control {

(0) expand: "uid=%{User-Name},ou=People,ou=NIS,o=vt" -> 'uid=dawson,ou=People,ou=NIS,o=vt'

(0) Ldap-UserDn := "uid=dawson,ou=People,ou=NIS,o=vt"

(0)   } # update control = noop

rlm_ldap (ldap): Reserved connection (4)

(0) ldap : expand: "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))" -> '(&(uid=dawson))'

(0) ldap : expand: "ou=People,ou=NIS,o=vt" -> 'ou=People,ou=NIS,o=vt'

(0) ldap : Performing search in 'ou=People,ou=NIS,o=vt' with filter '(&(uid=dawson))'

(0) ldap : Waiting for search result...

(0) ldap : User object found at DN "uid=dawson,ou=People,ou=NIS,o=vt"

(0) ldap : expand: "(&)" -> '(&)'

(0) ldap : Performing search in 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' with filter '(&)'

(0) ldap : Waiting for search result...

(0) ldap : Processing profile attributes

(0) ldap : reply:Reply-Message := 'F5-LTM-User-Info-1+=\"R&D\"'

(0) ldap : reply:Reply-Message := 'F5-LTM-User-Partition+=\"RnD\"'

(0) ldap : reply:Reply-Message := 'F5-LTM-User-Role+=100'

(0) ldap : reply:Reply-Message := 'F5-LTM-User-Shell+=\"tmsh\"'

(0) ldap : Processing user attributes

(0) ldap : control:Password-With-Header += '{nt}D3055AE4C0D68D8BA71C538D1518B5CD'

(0) ldap : control:Password-With-Header += '{SSHA}omkfyFmnMrEq1jWG9T86Gh+XlpR87z11'

(0) ldap : control:Prohibited := FALSE

(0) ldap : control:Radius-Profile-DN := 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt'

rlm_ldap (ldap): Released connection (4)

(0)   [-ldap] = ok

(0) pap : Normalizing NT-Password from hex encoding

(0) pap : Normalizing SSHA1-Password from base64 encoding

(0) pap : No clear-text password in the request.  Not performing PAP.

(0)   [pap] = noop

(0) mschap : Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'

(0)   [mschap] = ok

(0)   ? if (!(control:NT-Password) || control:Prohibited == TRUE)

(0)   ? if (!(control:NT-Password) || control:Prohibited == TRUE) -> FALSE

(0)   ? if (Ldap-Group != "%{control:Radius-Profile-DN}")

(0) expand: "%{control:Radius-Profile-DN}" -> 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt'

(0) Searching for user in group "cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt"

rlm_ldap (ldap): Reserved connection (4)

(0) Using user DN from request "uid=dawson,ou=People,ou=NIS,o=vt"

(0) Checking for user in group objects

(0) expand: "(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))" -> '(&(objectClass=groupOfNames)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))'

(0) Performing search in 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' with filter '(&(objectClass=groupOfNames)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))'

(0) Waiting for search result...

(0) User found in group object

rlm_ldap (ldap): Released connection (4)

(0)   ? if (Ldap-Group != "%{control:Radius-Profile-DN}") -> FALSE

(0)   else else {

(0)    update control {

(0) Auth-Type := Accept

(0)    } # update control = noop

(0)   } # else else = noop

(0)   ? if ("%{reply:F5-LTM-User-Info-1}")

(0) expand: "%{reply:F5-LTM-User-Info-1}" -> ''

(0)   ? if ("%{reply:F5-LTM-User-Info-1}") -> FALSE

(0)  } #  authorize = ok

(0) Found Auth-Type = Accept

(0) Auth-Type = Accept, accepting the user

(0) WARNING: Empty post-auth section.  Using default return values.

(0) # Executing section post-auth from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default

Sending Access-Accept of id 211 from 198.82.169.55 port 1830 to 198.82.169.55 port 50524

Reply-Message = 'F5-LTM-User-Info-1+=\"R&D\"'

Reply-Message = 'F5-LTM-User-Partition+=\"RnD\"'

Reply-Message = 'F5-LTM-User-Role+=100'

Reply-Message = 'F5-LTM-User-Shell+=\"tmsh\"'

(0) Finished request 0.

Waking up in 0.3 seconds.

Waking up in 4.6 seconds.

(0) Cleaning up request packet ID 211 with timestamp +2

Ready to process requests.




radtest


$ radtest -t mschap -x dawson wakkawakka 198.82.169.55:1830 234234 testing123

/apps/radius/freeradius-3.0.1/bin/radclient: /usr/local/samba/lib/libtalloc.so.2: no version information available (required by /apps/radius/freeradius-3.0.1/bin/radclient)

/apps/radius/freeradius-3.0.1/bin/radclient: /usr/local/samba/lib/libtalloc.so.2: no version information available (required by /apps/radius/freeradius-3.0.1/lib/libfreeradius-radius.so)

Sending Access-Request of id 211 from 0.0.0.0 port 50524 to 198.82.169.55 port 1830

User-Name = 'dawson'

NAS-IP-Address = 198.82.169.55

NAS-Port = 234234

Message-Authenticator = 0x00

MS-CHAP-Challenge = 0xa92999be9652acdb

MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003ef65405da922bbe8b1f37ff9ba63458917d6bc42cf704c3

  Code: 1

  Id: 211

  Length: 132

  Vector: b3c92ab8d0c718d8e265b6301bae7a11

  Data: 01  08  64 61 77 73 6f 6e 

04  06  c6 52 a9 37 

05  06  00 03 92 fa 

50  12  14 e7 75 dc 18 fb bb d9 1c 70 79 88 22 6a 3a 22 

1a  10  00 00 01 37 0b 0a a9 29 99 be 96 52 ac db 

1a  3a  00 00 01 37 01 34 00 01 00 00 00 00 00 00 00 00 

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

3e f6 54 05 da 92 2b be 8b 1f 37 ff 9b a6 34 58 

91 7d 6b c4 2c f7 04 c3 

rad_recv: Access-Accept packet from host 198.82.169.55 port 1830, id=211, length=127

  Code: 2

  Id: 211

  Length: 127

  Vector: ff52e972ccb4ee95c7b64719c2ea3986

  Data: 12  1b  46 35 2d 4c 54 4d 2d 55 73 65 72 2d 49 6e 66 6f 

2d 31 2b 3d 22 52 26 44 22 

12  1e  46 35 2d 4c 54 4d 2d 55 73 65 72 2d 50 61 72 74 

69 74 69 6f 6e 2b 3d 22 52 6e 44 22 

12  17  46 35 2d 4c 54 4d 2d 55 73 65 72 2d 52 6f 6c 65 

2b 3d 31 30 30 

12  1b  46 35 2d 4c 54 4d 2d 55 73 65 72 2d 53 68 65 6c 

6c 2b 3d 22 74 6d 73 68 22 

Reply-Message = 'F5-LTM-User-Info-1+=\"R&D\"'

Reply-Message = 'F5-LTM-User-Partition+=\"RnD\"'

Reply-Message = 'F5-LTM-User-Role+=100'

Reply-Message = 'F5-LTM-User-Shell+=\"tmsh\"'




sites-enabled/default


authorize {

    filter_username

    preprocess

    auth_log

    

    update control{

        Ldap-UserDn := "uid=%{User-Name},ou=People,ou=NIS,o=vt"

    }

    

    -ldap

    pap

    mschap


    if(!(control:NT-Password) || control:Prohibited == TRUE){

    update control{

        Auth-Type := Reject

        }

    }


    if(Ldap-Group != "%{control:Radius-Profile-DN}"){

      update control{

          Auth-Type:=Reject

        }

    }

    else{

      update control{

          Auth-Type:=Accept

        }

       

}


authenticate {

        mschap

        pap

}




mods-enabled/ldap


update {

        control:Password-With-Header    += 'userPassword'

        control:NT-Password     := 'ntPassword'

        control:Prohibited      := 'prohibited'

        control:Radius-Profile-DN       :=  'radiusProfileDn'

        reply:Reply-Message     := 'radiusReplyMessage'

}



user  {

        base_dn = "ou=People,${..base_dn}"

        filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))"

        scope = 'sub'

}



group {

        base_dn = "ou=Groups,ou=F5,ou=Configuration,${..base_dn}"

        filter = "(objectClass=groupOfNames)"

        scope = 'base'

        name_attribute = cn

        membership_filter = "(member=%{control:Ldap-UserDn})"

}




OpenLDAP


# R&D, Groups, F5, Configuration, NIS, vt

dn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt

cn: R&D

description: Entiries for the R&D group user accounts

member: uid=dawson,ou=People,ou=NIS,o=vt

radiusReplyMessage: F5-LTM-User-Info-1+="R&D"

radiusReplyMessage: F5-LTM-User-Partition+="RnD"

radiusReplyMessage: F5-LTM-User-Role+=100

radiusReplyMessage: F5-LTM-User-Shell+="tmsh"

objectClass: groupOfNames

objectClass: radiusprofile


# dawson, People, NIS, vt

dn: uid=dawson,ou=People,ou=NIS,o=vt

cn: Jacob M. Dawson

uid: dawson

sn: Dawson

givenName: Jacob

objectClass: inetOrgPerson

objectClass: nisUserAccount

objectClass: radiusprofile

prohibited: FALSE

radiusProfileDn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt




F5 VSAs


VENDOR      F5              3375

BEGIN-VENDOR    F5


ATTRIBUTE   F5-LTM-User-Role            1   integer

ATTRIBUTE   F5-LTM-User-Role-Universal      2   integer    # enable/disable

ATTRIBUTE   F5-LTM-User-Partition           3   string

ATTRIBUTE   F5-LTM-User-Console         4   integer    # enable/disable

ATTRIBUTE   F5-LTM-User-Shell           5   string     # supported values are disable, tmsh, and bpsh

ATTRIBUTE   F5-LTM-User-Context-1           10  integer

ATTRIBUTE   F5-LTM-User-Context-2           11  integer

ATTRIBUTE   F5-LTM-User-Info-1          12  string

ATTRIBUTE   F5-LTM-User-Info-2          13  string


VALUE   F5-LTM-User-Role        Administrator       0

VALUE   F5-LTM-User-Role        Resource-Admin      20

VALUE   F5-LTM-User-Role        User-Manager        40

VALUE   F5-LTM-User-Role        Manager         100

VALUE   F5-LTM-User-Role        App-Editor      300

VALUE   F5-LTM-User-Role        Operator        400

VALUE   F5-LTM-User-Role        Guest           700

VALUE   F5-LTM-User-Role        Policy-Editor       800

VALUE   F5-LTM-User-Role        No-Access       900


VALUE   F5-LTM-User-Role-Universal  Disabled        0

VALUE   F5-LTM-User-Role-Universal  Enabled         1


VALUE   F5-LTM-User-Console     Disabled        0

VALUE   F5-LTM-User-Console     Enabled         1


END-VENDOR   F5




On Mon, May 19, 2014 at 4:26 PM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:

On 19 May 2014, at 20:36, Ajinkya Fotedar <ajinkyafotedar@gmail.com> wrote:

> Also, the update section under the ldap modules looks like this.
>
> update {
>         control:Password-With-Header    += 'userPassword'
>         control:NT-Password     := 'ntPassword'
>         control:Prohibited      := 'prohibited'
>         control:Group-Membership    :=  'groupMembership'
>         reply:F5-LTM-User-Info-1    := 'userInfo'
>         reply:F5-LTM-User-Role      := 'userRole'
>         reply:F5-LTM-User-Partition := 'userPartition'
>         reply:F5-LTM-User-Shell     := 'userShell'
> }

Attributes are not retrieved for groups. You need to add profiles with the various reply attributes, and add that profile to the user.

-Arran

Arran Cudbard-Bell <a.cudbardb@freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html