Hi experts, I'm running a Radius 3.0.10, the config it's working fine, I just ask for advice to do one step in a faster way. I've declared multiple LDAP instances "vlan1,vlan2....vlanN" in /etc/raddb/mods-enabled/ldap . Each one queries just the ldap subtree assigned to a particular vlan. Each vlan subtree contains it's allowed mac's (uid=mac) Each mac (uid) has all needed radius attributes for the radius accept packet, that are populated from ldap. Actually, all ldap instancies are asked for every "uid=mac" in order sequence, so if there's a match, the attributes are updated from the ldap. Unfortunately , If one "mac" matches two ldap instances (ex: vlan1 & vlan2), the last matched instance(vlan2) overwrites the previous populated attributes(vlan1). My goal is somehow to stop ldap executing the next instances(vlan2,vlan3...N) if the actual one(vlan 1) got the jackpot, to avoid so many ldap queries. Right now I'm forced to use a inverse priority ( the last match got the jackpot), that is not the right solution. Any clues, or advice? /etc/raddb/sites-available/default (...) authorize { filter_username preprocess chap mschap digest suffix eap { ok = return } #ldap instance asking for mac in vlan1 vlan1 { ok = return #noop = return } #ldap instance asking for mac in vlan2 vlan2 { ok = return } (...) #ldap instance asking for mac in vlanN vlanN { ok = return } files expiration logintime } (....)
On Nov 2, 2016, at 1:31 PM, Ramon Escriba <escriba@cells.es> wrote:
I'm running a Radius 3.0.10, the config it's working fine, I just ask for advice to do one step in a faster way.
I've declared multiple LDAP instances "vlan1,vlan2....vlanN" in /etc/raddb/mods-enabled/ldap . Each one queries just the ldap subtree assigned to a particular vlan. Each vlan subtree contains it's allowed mac's (uid=mac) Each mac (uid) has all needed radius attributes for the radius accept packet, that are populated from ldap.
OK.
Actually, all ldap instancies are asked for every "uid=mac" in order sequence, so if there's a match, the attributes are updated from the ldap.
The recommended approach is to figure out which LDAP server the user belongs to, and query just that one. Querying all of them is inefficient, and wastes time. It's also more complex.
Unfortunately , If one "mac" matches two ldap instances (ex: vlan1 & vlan2), the last matched instance(vlan2) overwrites the previous populated attributes(vlan1).
That's how the LDAP module works.
My goal is somehow to stop ldap executing the next instances(vlan2,vlan3...N) if the actual one(vlan 1) got the jackpot, to avoid so many ldap queries.
Why not figure out which LDAP server the user belongs to, and query just that one? i.e. have one mapping table of MAC to LDAP server, and the query just that one? Or, why do you need 4 LDAP servers in the first place? Especially because they have overlapping data. That's a nightmare to manage, and looks like you're just putting random MACs into random LDAP servers, which makes no sense.
Right now I'm forced to use a inverse priority ( the last match got the jackpot), that is not the right solution. Any clues, or advice?
The config you posted should work. If the information is found in ldap server 1, it returns, and doesn't check ldap server 2. Alan DeKok.
Hi Alan,
Actually, all ldap instancies are asked for every "uid=mac" in order sequence, so if there's a match, the attributes are updated from the ldap. The recommended approach is to figure out which LDAP server the user belongs to, and query just that one. Querying all of them is inefficient, and wastes time. It's also more complex.
We only use one Ldap server. Each vlan has one subtree with all macs allowed to connect there. So a Ldap query, "the instance", does a mac search in only this vlan subtree. Maybe is not the use 'ldap instances' were designed to.
My goal is somehow to stop ldap executing the next instances(vlan2,vlan3...N) if the actual one(vlan 1) got the jackpot, to avoid so many ldap queries. Why not figure out which LDAP server the user belongs to, and query just that one?
i.e. have one mapping table of MAC to LDAP server, and the query just that one?
So a kind off multi evaluated field, it makes sense, but, how can I extract/use each of those individual fields via ldap?
Right now I'm forced to use a inverse priority ( the last match got the jackpot), that is not the right solution. Any clues, or advice?
The config you posted should work. If the information is found in ldap server 1, it returns, and doesn't check ldap server 2. It worked fine in old v 1.1, but not in v3.0. Now, with v3.0.10, all ldap subtrees are checked anyway.
# radtest 010101010101 010101010101 127.0.0.1 0 testpassword Sent Access-Request Id 159 from 0.0.0.0:58449 to 127.0.0.1:1812 length 82 User-Name = "010101010101" User-Password = "010101010101" NAS-IP-Address = XXX.XXX.XXX.XXX NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "010101010101" Received Access-Accept Id 159 from 127.0.0.1:1812 to 0.0.0.0:0 length 116 Tunnel-Private-Group-Id:0 = "3003" Extreme-CLI-Authorization = Disabled Extreme-Netlogin-Only = Enabled Extreme-Netlogin-Vlan = "VLAN03" Termination-Action = RADIUS-Request Session-Timeout = 7200 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 #radius -X (...) (0) VLAN01 EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) VLAN01 --> (uid=010101010101) (0) VLAN01 Performing search in "ou=VLAN01,ou=VLANS,dc=acme,dc=com" with filter "(uid=010101010101)", scope "sub" (0) VLAN01 Waiting for search result... (0) VLAN01 User object found at DN "uid=010101010101,ou=VLAN01,ou=VLANS,dc=acme,dc=com" (0) VLAN01 Processing user attributes (0) VLAN01 control:Password-With-Header += '010101010101' (0) VLAN01 reply:Reply-Message := 'Welcome-to-VLAN01.ldap' (0) VLAN01 reply:Tunnel-Private-Group-ID := '3001' (0) VLAN01 reply::Extreme-CLI-Authorization := Disabled (0) VLAN01 reply::Extreme-Netlogin-Only := Enabled (0) VLAN01 reply::Extreme-Netlogin-Vlan := 'VLAN01' (0) VLAN01 reply:Termination-Action := RADIUS-Request (0) VLAN01 reply:Session-Timeout := 7200 rlm_ldap (BL01): Released connection (0) rlm_ldap (BL01): Need 5 more connections to reach 10 spares rlm_ldap (BL01): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (BL01): Connecting to ldap://127.0.0.1:389 rlm_ldap (BL01): Waiting for bind result... rlm_ldap (BL01): Bind successful (0) [BL01] = updated (.....) rlm_ldap (VLAN02): Reserved connection (0) (0) VLAN02: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) VLAN02: --> (uid=010101010101) (0) VLAN02: Performing search in "ou=VLAN02,ou=VLANS,dc=acme,dc=com" with filter "(uid=010101010101)", scope "sub" (0) VLAN02: Waiting for search result... (0) VLAN02: Search returned no results rlm_ldap (VLAN02): Released connection (0) rlm_ldap (VLAN02): Need 5 more connections to reach 10 spares rlm_ldap (VLAN02): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (VLAN02): Connecting to ldap://127.0.0.1:389 rlm_ldap (VLAN02): Waiting for bind result... rlm_ldap (VLAN02): Bind successful (0) [VLAN02] = notfound rlm_ldap (VLAN03): Reserved connection (0) (0) VLAN03: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) VLAN03: --> (uid=010101010101) (0) VLAN03: Performing search in "ou=VLAN03,ou=VLANS,dc=acme,dc=com" with filter "(uid=010101010101)", scope "sub" (0) VLAN03: Waiting for search result... (0) VLAN03: User object found at DN "uid=010101010101,ou=VLAN03,ou=VLANS,dc=acme,dc=com" (0) VLAN03: Processing user attributes (0) VLAN03: control:Password-With-Header += '010101010101' (0) VLAN03: reply:Tunnel-Private-Group-ID := '3003' (0) VLAN03: reply::Extreme-CLI-Authorization := Disabled (0) VLAN03: reply::Extreme-Netlogin-Only := Enabled (0) VLAN03: reply::Extreme-Netlogin-Vlan := 'VLAN03' (0) VLAN03: reply:Termination-Action := RADIUS-Request (0) VLAN03: reply:Session-Timeout := 7200 rlm_ldap (VLAN03): Released connection (0) rlm_ldap (VLAN03): Need 5 more connections to reach 10 spares rlm_ldap (VLAN03): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (VLAN03): Connecting to ldap://127.0.0.1:389 rlm_ldap (VLAN03): Waiting for bind result... rlm_ldap (VLAN03): Bind successful (0) [VLAN03] = updated
Alan DeKok. Regards.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Nov 3, 2016, at 7:24 AM, Ramon Escriba <escriba@cells.es> wrote:
We only use one Ldap server. Each vlan has one subtree with all macs allowed to connect there. So a Ldap query, "the instance", does a mac search in only this vlan subtree. Maybe is not the use 'ldap instances' were designed to.
The issue isn't design. The issue is you're doing 4 times the queries necessary.
So a kind off multi evaluated field, it makes sense, but, how can I extract/use each of those individual fields via ldap?
That's largely up to you. A good part of system design is *design*. Design the database schema so that you need one query to get the data you need.
The config you posted should work. If the information is found in ldap server 1, it returns, and doesn't check ldap server 2. It worked fine in old v 1.1, but not in v3.0. Now, with v3.0.10, all ldap subtrees are checked anyway.
Well... read the debug log.
rlm_ldap (BL01): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (BL01): Connecting to ldap://127.0.0.1:389 rlm_ldap (BL01): Waiting for bind result... rlm_ldap (BL01): Bind successful (0) [BL01] = updated
Change the configuration to return on "updated", instead of "ok". Alan DeKok.
Hi Alan,
The config you posted should work. If the information is found in ldap server 1, it returns, and doesn't check ldap server 2. It worked fine in old v 1.1, but not in v3.0. Now, with v3.0.10, all ldap subtrees are checked anyway.
Well... read the debug log. Change the configuration to return on "updated", instead of "ok". Alan DeKok.
Now the first match enters, but fails due the lack of "Auth-Type", because we do no reach 'files'. "(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject" If I move 'files', containing " DEFAULT Auth-Type := Accept (..)" , on top it does the trick, but is not very elegant. Where do I force the "Accept" in a more professional way without relay on 'files' ? /etc/raddb/sites-available/default (...) authorize { (..) # Moving "files" here does the trick..... --> "DEFAULT Auth-Type := Accept ..." but is not very elegant. files VLAN1 { #ok = return updated = return } VLAN2 { # ok = return updated = return } (...) ##files old files location. (...) } #radius -X (..) (0) [VLAN1] = notfound rlm_ldap (VLAN2): Reserved connection (0) (0) VLAN2: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) VLAN2: --> (uid=010101010101) (0) VLAN2: Performing search in "ou=VLAN2,ou=VLANS,dc=acme,dc=com" with filter "(uid=010101010101)", scope "sub" (0) VLAN2: Waiting for search result... (0) VLAN2: User object found at DN "uid=010101010101,ou=VLAN2,ou=VLANS,dc=acme,dc=com" (0) VLAN2: Processing user attributes (0) VLAN2: control:Password-With-Header += '010101010101' (0) VLAN2: reply:Tunnel-Private-Group-ID := '3002' (0) VLAN2: reply::Extreme-CLI-Authorization := Disabled (0) VLAN2: reply::Extreme-Netlogin-Only := Enabled (0) VLAN2: reply::Extreme-Netlogin-Vlan := 'VLAN2' (0) VLAN2: reply:Termination-Action := RADIUS-Request (0) VLAN2: reply:Session-Timeout := 7200 rlm_ldap (VLAN2): Released connection (0) rlm_ldap (VLAN2): Need 5 more connections to reach 10 spares rlm_ldap (VLAN2): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (VLAN2): Connecting to ldap://127.0.0.1:389 rlm_ldap (VLAN2): Waiting for bind result... rlm_ldap (VLAN2): Bind successful (0) [VLAN2] = updated (0) } # authorize = updated (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject <<<<<<----- (0) Failed to authenticate the user (0) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [010101010101] (from client localhost port 0) (...) Regards. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Nov 4, 2016, at 9:20 AM, Ramon Escriba <escriba@cells.es> wrote:
Now the first match enters, but fails due the lack of "Auth-Type", because we do no reach 'files'.
"(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject"
If I move 'files', containing " DEFAULT Auth-Type := Accept (..)" , on top it does the trick, but is not very elegant.
You should understand what you want to do, rather than just making random changes.
Where do I force the "Accept" in a more professional way without relay on 'files' ?
It depends on what you want to do. Figure that out, and then write the unlang rules to match. I can't answer this question, because I don't know what you want to do. Or what *else* the system is doing. Alan DeKok.
If you could grab another copy of the v3.0.x branch, that would help. I've pushed some more changes. Alan DeKok.
participants (2)
-
Alan DeKok -
Ramon Escriba