Expanding run-time variables and checking access_attr for allow
Hi all, We are running 2.1.3 and we'll upgrade soon for several reasons. Two of them can be the questions I'll explain now. We need to search the authorize check for users in one place of LDAP tree and the user password must be checked in another place. My config file is as follows: dictionary_mapping=/etc/raddb/ldapmap_vpn.conf ldap_connections_number=10 timeout=10 server="ldap://canela.ti.uam.es" port=389 identity="cn=uam_voip_admin,cn=users,dc=uam,dc=es" password="#######" base_filter = "(uniquemember=cn=%{User-Name},cn=users,dc=uam,dc=es)" basedn="dc=uam,dc=es" filter="(uid=%{Stripped-User-Name:-%{User-Name}})" default_profile = "cn=ACCESSO_CUDI,cn=Groups,dc=uam,dc=es" access_attr_used_for_allow = yes access_attr = "cn" The non-usual parameters to do what we need are base_filter and default_profile. But the problem is that base_filter doesn't expand. The debug shows us the process and base_filter doesn't expand. rad_recv: Access-Request packet from host 150.244.108.4 port 1025, id=69, length=158 User-Name = "nicolas.velazquez@uam.es" User-Password = "########" NAS-Port = 5259264 Called-Station-Id = "150.244.108.4" Calling-Station-Id = "150.244.2.23" NAS-Port-Type = Virtual Tunnel-Client-Endpoint:0 = "150.244.2.23" NAS-IP-Address = 150.244.108.4 Cisco-AVPair = "ip:source-ip=150.244.2.23" server vpn_auth { +- entering group authorize {...} [suffix] Looking up realm "uam.es" for User-Name = "nicolas.velazquez@uam.es" [suffix] Found realm "uam.es" [suffix] Adding Realm = "uam.es" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [users_vpn] users: Matched entry DEFAULT at line 3 [users_vpn] expand: %{User-Name} -> nicolas.velazquez@uam.es [users_vpn] users: Matched entry nicolas.velazquez@uam.es at line 16 ++[users_vpn] returns ok [uam_vpn] performing user authorization for nicolas.velazquez@uam.es [uam_vpn] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [uam_vpn] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=nicolas.velazquez@uam.es) [uam_vpn] expand: dc=uam,dc=es -> dc=uam,dc=es rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap://canela.ti.uam.es, authentication 0 rlm_ldap: setting TLS Require Cert to never rlm_ldap: bind as cn=uam_voip_admin,cn=users,dc=uam,dc=es/######## to ldap://canela.ti.uam.es rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=uam,dc=es, with filter (uid=nicolas.velazquez@uam.es) [uam_vpn] checking if remote access for nicolas.velazquez@uam.es is allowed by cn rlm_ldap: performing search in cn=ACCESSO_CUDI,cn=Groups,dc=uam,dc=es, with filter (uniquemember=cn=%{User-Name},cn=users,dc=uam,dc=es) rlm_ldap: object not found or got ambiguous search result [uam_vpn] default_profile/user-profile search failed [uam_vpn] looking for check items in directory... [uam_vpn] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [uam_vpn] user nicolas.velazquez@uam.es authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[uam_vpn] returns ok [eap] No EAP-Message, not doing EAP ++[eap] returns noop Found Auth-Type = UAM_VPN +- entering group UAM_VPN {...} [uam_vpn] login attempt by "nicolas.velazquez@uam.es" with password "#######" [uam_vpn] user DN: cn=nicolas.velazquez@uam.es,cn=Users,dc=uam,dc=es rlm_ldap: (re)connect to ldap://canela.ti.uam.es, authentication 1 rlm_ldap: setting TLS Require Cert to never rlm_ldap: bind as cn=nicolas.velazquez@uam.es,cn=Users,dc=uam,dc=es/######## to ldap://canela.ti.uam.es rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful [uam_vpn] user nicolas.velazquez@uam.es authenticated succesfully ++[uam_vpn] returns ok Login OK: [nicolas.velazquez@uam.es] (from client asa-vpn port 5259264 cli 150.244.2.23) } # server vpn_auth Sending Access-Accept of id 69 to 150.244.108.4 port 1025 User-Name = "nicolas.velazquez@uam.es" Class = "OU=########" Finished request 0. Is this a failure corrected in any of the versions form 2.1.3? Or am I doing anything wrong? The second question. If I put, ONLY FOR CHECK, the base_filter = "(uniquemember=cn=nicolas.velazquez@uam.es,cn=users,dc=uam,dc=es)" the LDAP replies with No Such Object. But the radius authorization sends ok. The misconfiguration of LDAP is not the question here. The question here is: documentation says if the parameter not exists the authorization doesn't work. Is the server using the cn string used in the request? Am I doing ANOTHER thing wrong? Thank you very much in advance, Nicolas Nicolás Velazquez Campoy Unidad Técnica de Comunicaciones Tecnologías de la Información. UAM http://rincon.uam.es/dir?cw=389407348632812
participants (1)
-
Nicolás Velázquez