User-Profile per user per NAS via LDAP?
Running version 2.0.5, with LDAP backend for authentication/authorization. Needed functionality: A single user account needs a different ldap/radius profile depending on which huntgroup the request is coming in on... the reason is that each user has a different Framed-IP-Address for each VPN concentrator they are coming in on. So each user needs a profile per NAS, I believe. I have separated out each NAS into its appropriate huntgroup, and am matching on that in the users file. Also trying to dynamically set the User-Profile. DEFAULT Huntgroup-Name == jup-rtr-xauth, Ldap-Group == `cn=%{Huntgroup-Name},ou=Groups,ou=Radius,dc=geowireless,dc=net`, User-Profile := `uid=%{User-Name},ou=jup-rtr-xauth,ou=Profiles,ou=Radius,dc=geowireless,dc=net` Fall-Through = no (entire users file at the end of this message). The user is authenticated successfully (so the group matching and the %{Huntgroup-Name} expansion are working fine), but the User-Profile is not being set. If I hard code in the value for uid, it works, so the problem is in the variable. radiusd -X output: rad_recv: Access-Request packet from host 192.168.17.1 port 57383, id=124, length=121 User-Name = "sbowman" User-Password = "XXX" Acct-Session-Id = "NS-00000035" NAS-IP-Address = 192.168.17.1 NAS-Port = 24824 NAS-Port-Type = Virtual Called-Station-Id = "75.145.224.194" Calling-Station-Id = "140.32.244.99" Netscreen-Attr-10 = 0x00000003 +- entering group authorize expand: %{Packet-Src-IP-Address} -> 192.168.17.1 ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "sbowman", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop rlm_ldap: Entering ldap_groupcmp() expand: ou=People,dc=domain,dc=net -> ou=People,dc=domain,dc=net WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=sbowman) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap.domain.net:389, authentication 0 rlm_ldap: setting TLS CACert File to /etc/pki/tls/certs/ca-bundle.crt rlm_ldap: starting TLS request done: ld 0x84e1340 msgid 1 rlm_ldap: bind as uid=redpillradius,ou=Clients,dc=domain,dc=net/XXX to ldap.domain.net:389 rlm_ldap: waiting for bind result ... request done: ld 0x84e1340 msgid 2 rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,dc=domain,dc=net, with filter (uid=sbowman) request done: ld 0x84e1340 msgid 3 rlm_ldap: ldap_release_conn: Release Id: 0 expand: (|(&(objectClass=GroupOfNames)(member=%{check:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{check:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=uid\3dsbowman\2cou\3dPeople\2cdc\3ddomain\2cdc\3dnet))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dsbowman\2cou\3dPeople\2cdc\3ddomain\2cdc\3dnet))) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=domain,dc=net, with filter (&(cn=disabled)(|(&(objectClass=GroupOfNames)(member=uid\3dsbowman\2cou\3dPeople\2cdc\3ddomain\2cdc\3dnet))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dsbowman\2cou\3dPeople\2cdc\3ddomain\2cdc\3dnet)))) request done: ld 0x84e1340 msgid 4 rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Group disabled not found or user is not a member. expand: cn=%{Huntgroup-Name},ou=Groups,ou=Radius,dc=domain,dc=net -> cn=jup-rtr-xauth,ou=Groups,ou=Radius,dc=domain,dc=net rlm_ldap: Entering ldap_groupcmp() expand: ou=People,dc=domain,dc=net -> ou=People,dc=domain,dc=net expand: (|(&(objectClass=GroupOfNames)(member=%{check:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{check:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=uid\3dsbowman\2cou\3dPeople\2cdc\3ddomain\2cdc\3dnet))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dsbowman\2cou\3dPeople\2cdc\3ddomain\2cdc\3dnet))) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in cn=jup-rtr-xauth,ou=Groups,ou=Radius,dc=domain,dc=net, with filter (|(&(objectClass=GroupOfNames)(member=uid\3dsbowman\2cou\3dPeople\2cdc\3ddomain\2cdc\3dnet))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dsbowman\2cou\3dPeople\2cdc\3ddomain\2cdc\3dnet))) request done: ld 0x84e1340 msgid 5 rlm_ldap::ldap_groupcmp: User found in group cn=jup-rtr-xauth,ou=Groups,ou=Radius,dc=domain,dc=net rlm_ldap: ldap_release_conn: Release Id: 0 users: Matched entry DEFAULT at line 209 ++[files] returns ok rlm_ldap: - authorize rlm_ldap: performing user authorization for sbowman WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=sbowman) expand: ou=People,dc=domain,dc=net -> ou=People,dc=domain,dc=net rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=domain,dc=net, with filter (uid=sbowman) request done: ld 0x84e1340 msgid 6 rlm_ldap: performing search in uid=%{User-Name},ou=jup-rtr-xauth,ou=Profiles,ou=Radius,dc=domain,dc=net, with filter (objectclass=radiusprofile) request done: ld 0x84e1340 msgid 7 rlm_ldap: object not found or got ambiguous search result rlm_ldap: default_profile/user-profile search failed rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? rlm_ldap: Setting Auth-Type = LDAP rlm_ldap: user sbowman authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type LDAP auth: type "LDAP" +- entering group LDAP rlm_ldap: - authenticate rlm_ldap: login attempt by "sbowman" with password "XXX" rlm_ldap: user DN: uid=sbowman,ou=People,dc=domain,dc=net rlm_ldap: (re)connect to ldap.domain.net:389, authentication 1 rlm_ldap: setting TLS CACert File to /etc/pki/tls/certs/ca-bundle.crt rlm_ldap: starting TLS request done: ld 0x8572fe0 msgid 1 rlm_ldap: bind as uid=sbowman,ou=People,dc=domain,dc=net/XXX to ldap.domain.net:389 rlm_ldap: waiting for bind result ... request done: ld 0x8572fe0 msgid 2 rlm_ldap: Bind was successful rlm_ldap: user sbowman authenticated succesfully ++[ldap] returns ok Login OK: [sbowman] (from client jup-rtr-xauth port 24824 cli 140.32.244.99) +- entering group post-auth ++[exec] returns noop Sending Access-Accept of id 124 to 192.168.17.1 port 57383 Finished request 1. ------ users ----- DEFAULT Ldap-Group == disabled, Auth-Type := Reject Reply-Message = "Account disabled. Please call the helpdesk." DEFAULT Huntgroup-Name == jup-rtr-xauth, Ldap-Group == `cn=%{Huntgroup-Name},ou=Groups,ou=Radius,dc=geowireless,dc=net`, User-Profile := `uid=%{User-Name},ou=jup-rtr-xauth,ou=Profiles,ou=Radius,dc=geowireless,dc=net` Fall-Through = no DEFAULT Huntgroup-Name == jup-rtr-xauth, Auth-Type := Reject Reply-Message = "Not authorized for XAuth access. Please call the helpdesk.", Fall-Through = no DEFAULT Auth-Type := Reject Reply-Message = "Please call the helpdesk." -----------------
UNCLASSIFIED Running version 2.0.5, with LDAP backend for authentication/authorization. Needed functionality: A single user account needs a different ldap/radius profile depending on which huntgroup the request is coming in on... the reason is that each user has a different Framed-IP-Address for each VPN concentrator they are coming in on. So each user needs a profile per NAS, I believe. I have separated out each NAS into its appropriate huntgroup, and am matching on that in the users file. Also trying to dynamically set the User-Profile. DEFAULT Huntgroup-Name == jup-rtr-xauth, Ldap-Group == `cn=%{Huntgroup-Name},ou=Groups,ou=Radius,dc=geowireless,dc=net`, User-Profile := `uid=%{User-Name},ou=jup-rtr-xauth,ou=Profiles,ou=Radius,dc=geowireless, dc=net` Fall-Through = no (entire users file at the end of this message). The user is authenticated successfully (so the group matching and the %{Huntgroup-Name} expansion are working fine), but the User-Profile is not being set. If I hard code in the value for uid, it works, so the problem is in the variable. I had a similar problem and ended up using a rewrite rule to solve it. For 1.1.x here is the rule I used to derive a dn from a huntgroup: attr_rewrite uprof { attribute = User-Profile # may be "packet", "reply", "proxy", "proxy_reply" or "config" searchin = config searchfor = "" replacewith = "cn=%{Huntgroup-Name},ou=Profiles,dc=..." ignore_case = no new_attribute = yes max_matches = 10 append = no } The call to uprof is in the authorize section. I placed it after 'files' and before 'ldap'. So setting the replacewith = "uid=%{User-Name},ou=%{Huntgroup-Name},ou=Profiles,ou=Radius,dc=geowirel ess,dc=net" should do exactly what you want. However, using FR 2.x you can probably use unlang to do the same thing in a much clearer manner. regards, Frank Ranner
participants (2)
-
Ranner, Frank MR -
Stephen Bowman