On Fri, May 9, 2014 at 3:52 PM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
I've fixed it in v3.0.x HEAD (which will become 3.0.3 very soon) so that it just works. If you could test it'd be very much appreciated :)
For your setup with LDAP and crypt, it'd be something like: authorize { yubikey ldap }
authenticate { Auth-Type yubikey { yubikey pap } }
Alas, does not seem to work with the configuration you suggest :-( Relevant configuration files and debug output: mods-enabled/yubikey: yubikey { split = yes decrypt = no validate = yes validation { servers { } client_id = XXXXX api_key = 'OBSCURED' pool { start = 5 min = 4 max = 10 spare = 3 uses = 0 lifetime = 0 idle_timeout = 60 spread = yes } } } sites-enabled/default: server default { listen { type = auth ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { ipaddr = * port = 0 type = acct limit { } } authorize { preprocess yubikey -ldap expiration logintime } authenticate { Auth-Type yubikey { yubikey pap } } preacct { preprocess acct_unique suffix files } accounting { detail unix -sql exec attr_filter.accounting_response } session { } post-auth { exec remove_reply_message_if_eap Post-Auth-Type REJECT { -sql attr_filter.access_reject eap remove_reply_message_if_eap } } pre-proxy { } post-proxy { eap } } and the debugging output: Received Access-Request Id 9 from 127.0.0.1:37537 to 127.0.0.1:1812 length 121 User-Name = 'fes' User-Password = 'testingpasswordccccccdbkebjkgfkgdrvthntvckrnifbicgrdgrldigl' NAS-IP-Address = 172.16.35.65 NAS-Port = 0 Message-Authenticator = 0x9c976b6fd97fd7fc4d98acd97be8fc27 Fri May 9 16:41:15 2014 : Debug: (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default Fri May 9 16:41:15 2014 : Debug: (0) authorize { Fri May 9 16:41:15 2014 : Debug: (0) modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0 Fri May 9 16:41:15 2014 : Debug: (0) modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0 Fri May 9 16:41:15 2014 : Debug: (0) [preprocess] = ok Fri May 9 16:41:15 2014 : Debug: (0) modsingle[authorize]: calling yubikey (rlm_yubikey) for request 0 Fri May 9 16:41:15 2014 : Debug: (0) yubikey : User-Password (aes-block) value contains non modhex chars Fri May 9 16:41:15 2014 : Debug: (0) modsingle[authorize]: returned from yubikey (rlm_yubikey) for request 0 Fri May 9 16:41:15 2014 : Debug: (0) [yubikey] = noop Fri May 9 16:41:15 2014 : Debug: (0) modsingle[authorize]: calling ldap (rlm_ldap) for request 0 Fri May 9 16:41:15 2014 : Debug: rlm_ldap (ldap): Reserved connection (4) Fri May 9 16:41:15 2014 : Debug: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) Fri May 9 16:41:15 2014 : Debug: Parsed xlat tree: Fri May 9 16:41:15 2014 : Debug: literal --> (uid= Fri May 9 16:41:15 2014 : Debug: if { Fri May 9 16:41:15 2014 : Debug: attribute --> Stripped-User-Name Fri May 9 16:41:15 2014 : Debug: { Fri May 9 16:41:15 2014 : Debug: ref 2 Fri May 9 16:41:15 2014 : Debug: list 1 Fri May 9 16:41:15 2014 : Debug: tag -128 Fri May 9 16:41:15 2014 : Debug: } Fri May 9 16:41:15 2014 : Debug: } Fri May 9 16:41:15 2014 : Debug: else { Fri May 9 16:41:15 2014 : Debug: attribute --> User-Name Fri May 9 16:41:15 2014 : Debug: { Fri May 9 16:41:15 2014 : Debug: ref 2 Fri May 9 16:41:15 2014 : Debug: list 1 Fri May 9 16:41:15 2014 : Debug: tag -128 Fri May 9 16:41:15 2014 : Debug: } Fri May 9 16:41:15 2014 : Debug: } Fri May 9 16:41:15 2014 : Debug: literal --> ) Fri May 9 16:41:15 2014 : Debug: (0) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) Fri May 9 16:41:15 2014 : Debug: (0) ldap : --> (uid=fes) Fri May 9 16:41:15 2014 : Debug: ou=People,dc=escaux,dc=com Fri May 9 16:41:15 2014 : Debug: Parsed xlat tree: Fri May 9 16:41:15 2014 : Debug: literal --> ou=People,dc=escaux,dc=com Fri May 9 16:41:15 2014 : Debug: (0) ldap : EXPAND ou=People,dc=escaux,dc=com Fri May 9 16:41:15 2014 : Debug: (0) ldap : --> ou=People,dc=escaux,dc=com Fri May 9 16:41:15 2014 : Debug: (0) ldap : Performing search in 'ou=People,dc=escaux,dc=com' with filter '(uid=fes)', scope 'sub' Fri May 9 16:41:15 2014 : Debug: (0) ldap : Waiting for search result... Fri May 9 16:41:15 2014 : Debug: (0) ldap : User object found at DN "uid=fes,ou=People,dc=escaux,dc=com" Fri May 9 16:41:15 2014 : Debug: (0) ldap : Processing user attributes Fri May 9 16:41:15 2014 : Debug: (0) ldap : control:Password-With-Header += ''{CRYPT}$6$rounds=1000$czjqtQQw5Sx6BURM$67zg9ok5r8IVTQNcQkdx1Mbi5A75gbHgt5I3oI/Z038MPg8htLLswallK.ou/r914j/0Tkwyuf92ZHsVg1DTz.'' Fri May 9 16:41:15 2014 : Debug: (0) ldap : Attribute "ntPassword" not found in LDAP object Fri May 9 16:41:15 2014 : Debug: rlm_ldap (ldap): Released connection (4) Fri May 9 16:41:15 2014 : Debug: (0) modsingle[authorize]: returned from ldap (rlm_ldap) for request 0 Fri May 9 16:41:15 2014 : Debug: (0) [ldap] = ok Fri May 9 16:41:15 2014 : Debug: (0) modsingle[authorize]: calling expiration (rlm_expiration) for request 0 Fri May 9 16:41:15 2014 : Debug: (0) modsingle[authorize]: returned from expiration (rlm_expiration) for request 0 Fri May 9 16:41:15 2014 : Debug: (0) [expiration] = noop Fri May 9 16:41:15 2014 : Debug: (0) modsingle[authorize]: calling logintime (rlm_logintime) for request 0 Fri May 9 16:41:15 2014 : Debug: (0) modsingle[authorize]: returned from logintime (rlm_logintime) for request 0 Fri May 9 16:41:15 2014 : Debug: (0) [logintime] = noop Fri May 9 16:41:15 2014 : Debug: (0) } # authorize = ok Fri May 9 16:41:15 2014 : ERROR: (0) No Auth-Type found: rejecting the user via Post-Auth-Type = Reject Fri May 9 16:41:15 2014 : Debug: (0) Failed to authenticate the user. Fri May 9 16:41:15 2014 : Debug: (0) Using Post-Auth-Type Reject Fri May 9 16:41:15 2014 : Debug: (0) # Executing group from file /etc/freeradius/sites-enabled/default Fri May 9 16:41:15 2014 : Debug: (0) Post-Auth-Type REJECT { Fri May 9 16:41:15 2014 : Debug: (0) modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter) for request 0 Fri May 9 16:41:15 2014 : Debug: %{User-Name} Fri May 9 16:41:15 2014 : Debug: Parsed xlat tree: Fri May 9 16:41:15 2014 : Debug: attribute --> User-Name Fri May 9 16:41:15 2014 : Debug: { Fri May 9 16:41:15 2014 : Debug: ref 2 Fri May 9 16:41:15 2014 : Debug: list 1 Fri May 9 16:41:15 2014 : Debug: tag -128 Fri May 9 16:41:15 2014 : Debug: } Fri May 9 16:41:15 2014 : Debug: (0) attr_filter.access_reject : EXPAND %{User-Name} Fri May 9 16:41:15 2014 : Debug: (0) attr_filter.access_reject : --> fes Fri May 9 16:41:15 2014 : Debug: (0) attr_filter.access_reject : Matched entry DEFAULT at line 11 Fri May 9 16:41:15 2014 : Debug: (0) modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter) for request 0 Fri May 9 16:41:15 2014 : Debug: (0) [attr_filter.access_reject] = updated Fri May 9 16:41:15 2014 : Debug: (0) modsingle[post-auth]: calling eap (rlm_eap) for request 0 Fri May 9 16:41:15 2014 : Debug: (0) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure Fri May 9 16:41:15 2014 : Debug: (0) modsingle[post-auth]: returned from eap (rlm_eap) for request 0 Fri May 9 16:41:15 2014 : Debug: (0) [eap] = noop Fri May 9 16:41:15 2014 : Debug: (0) remove_reply_message_if_eap remove_reply_message_if_eap { Fri May 9 16:41:15 2014 : Debug: (0) if (reply:EAP-Message && reply:Reply-Message) Fri May 9 16:41:15 2014 : Debug: (0) if (reply:EAP-Message && reply:Reply-Message) -> FALSE Fri May 9 16:41:15 2014 : Debug: (0) else else { Fri May 9 16:41:15 2014 : Debug: (0) modsingle[post-auth]: calling noop (rlm_always) for request 0 Fri May 9 16:41:15 2014 : Debug: (0) modsingle[post-auth]: returned from noop (rlm_always) for request 0 Fri May 9 16:41:15 2014 : Debug: (0) [noop] = noop Fri May 9 16:41:15 2014 : Debug: (0) } # else else = noop Fri May 9 16:41:15 2014 : Debug: (0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop Fri May 9 16:41:15 2014 : Debug: (0) } # Post-Auth-Type REJECT = updated Fri May 9 16:41:15 2014 : Debug: (0) Delaying response for 1 seconds Fri May 9 16:41:15 2014 : Debug: Waking up in 0.3 seconds. Fri May 9 16:41:16 2014 : Debug: Waking up in 0.6 seconds. Fri May 9 16:41:16 2014 : Debug: (0) Sending delayed response Sending Access-Reject Id 9 from 127.0.0.1:1812 to 127.0.0.1:37537 Fri May 9 16:41:16 2014 : Debug: Waking up in 3.9 seconds. Fri May 9 16:41:20 2014 : Debug: (0) Cleaning up request packet ID 9 with timestamp +11 Fri May 9 16:41:20 2014 : Info: Ready to process requests. Let me know if there is anything more that you need tested. Frederic