Re: Checkval weird issue with LDAP backend and PAM authentication
Sorry Alan I've not realized that the logs had became a garbage :O( - maybe a webmail realted issue of my ISP. Now I Bcc myself to see how does it appear to recipients I tried "man unlang" but got no manual entry - I'm using Freeradius packaged for CentOS - I'll give a look to http://freeradius.org/radiusd/man/unlang.html, I think is the same. As for the previous post, ... here it is Hi, I'm facing this issue in configuring radius: I'm developing a GPLv3 script that will easily setup a whole linux server with lots of usefull services (NTP,DHCP,DNS with DDNS update to DHCP, MIT-Kerberos, OpenLDAP (Kerberized), FreeRadius, MySQL, Apache, ProFTP, SQUID, Samba (kerberized), Appletalk File Protocol, Postfix and Dovecot (also with public and shared folders), roundcube webmail, LDAP Addressbook, PPTP and L2TP over IPSec VPNs, Egroupware. And it works with SeLinux enabled.The script is quite mature (it is named ECK - you can download from sourceforge if you want to). It can install almost everything mentioned above, and they could even work ;O) - I've started the development of a GTKmm- based GUI that will easily administer almost everything (although I have not published the GUI yet - the app is stable, but I've just finished the user manager, so I have a lot of work more to have somthing to publish) And now the trouble with freeradius: I' d like to have most of the services with Radius Based Authentication - I think this will let me have a better loggiAggiungi un appuntamento per ogging system, expecially to trace sessions. As about authentication everything works fine. But I want also to do Authorization: I mean that I want to allow services FTP, VPN, Apache userdirs, Squid proxy, ecc. on per user basisI started with proftpd with mod_radius: the idea is to use checkval module to catch the NAS-Identifier parameter that the proftpd module set as "ftp". here is an example requestrad_recv: Access-Request packet from host 127.0.0.1:9409, id=74, length=93 User-Name = "testuser" User-Password = "test1Test" NAS-Identifier = "ftp" NAS-Port = 21 NAS-Port-Type = Virtual Calling-Station-Id = "::ffff:127.0.0.1" Service-Type = 0x0000000100000000 I inserted the following lines in my radiusd.conf: checkval NAS{ item-name = NAS-Identifier check-name = NAS-Identifier data-type = string notfound-reject=yes } and added "NAS" in the authorize sectionauthorize { ... NAS ... } I also updated ldap.attrmap inserting the following line checkItem NAS-Identifier eckAllowedServices and obviously extended the LDAP schema (eck.schema) attributetype ( 1.3.6.1.4.1.26309.1.1.11 NAME 'eckAllowedServices' DESC 'Services the user is allowed to login' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} ) objectClass ( 1.3.6.1.4.1.26309.1.1.1 NAME 'eckGenericObject' AUXILIARY DESC 'an ECK generic object' MAY ( locked $ eckPublicKey $ eckPrivateKey $ userPKCS12 $ allowProxy $ eckAllowedServices)) The script creates 2 users: Administrator - that is actually an administrator, and testuser. In my test environment I added 2 attributes eckAllowedServices to testuser (ftp and httpproxy) and left Administrator without eckAllowedServices attributeAnd now the weird issue: checkval is able to realize that testuser has the ftp attribute modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for testuser radius_xlat: '(uid=testuser)' radius_xlat: 'DC=marcolinux,DC=local' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0 rlm_ldap: bind as CN=FreeRADIUS,OU=AAA,OU=Services,DC=marcolinux,DC=local/wRtEYnd3sGkEa.Y4 to 127.0.0.1:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in DC=marcolinux,DC=local, with filter (uid=testuser) rlm_ldap: checking if remote access for testuser is allowed by dialupAccess rlm_ldap: Added password AB39C1761CF4947661DAB7AF9849A61E in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding eckAllowedServices as NAS-Identifier, value ftp & op=21 rlm_ldap: Adding eckAllowedServices as NAS-Identifier, value httpProxy & op=21 rlm_ldap: Adding sambaAcctFlags as SMB-Account-CTRL-TEXT, value [U ] & op=21 rlm_ldap: Adding sambaNTPassword as NT-Password, value AB39C1761CF4947661DAB7AF9849A61E & op=21 rlm_ldap: Adding radiusAuthType as Auth-Type, value pam & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: Adding FTPQuotaFilesTransferred as ArticaECK-FTP-Quota-Files-Transferred, value 0 & op=11 rlm_ldap: Adding FTPQuotaFilesOutgoing as ArticaECK-FTP-Quota-Files-Outgoing, value 0 & op=11 rlm_ldap: Adding FTPQuotaFilesIncoming as ArticaECK-FTP-Quota-Files-Incoming, value 50 & op=11 rlm_ldap: Adding FTPQuotaBytesTransferred as ArticaECK-FTP-Quota-Bytes-Transferred, value 0 & op=11 rlm_ldap: Adding FTPQuotaBytesOutgoing as ArticaECK-FTP-Quota-Bytes-Outgoing, value 0 & op=11 rlm_ldap: Adding FTPQuotaBytesIncoming as ArticaECK-FTP-Quota-Bytes-Incoming, value 200 & op=11 rlm_ldap: Adding FTPQuotaIsPerSession as ArticaECK-FTP-Quota-Is-Per-Session, value FALSE & op=11 rlm_ldap: Adding FTPQuotaLimitType as ArticaECK-FTP-Quota-Limit-Type, value soft & op=11 rlm_ldap: Adding loginShell as ArticaECK-FTP-Shell, value /bin/tcsh & op=11 rlm_ldap: Adding homeDirectory as ArticaECK-FTP-Home, value /home/testuser & op=11 rlm_ldap: Adding gidNumber as ArticaECK-FTP-GID, value 100 & op=11 rlm_ldap: Adding uidNumber as ArticaECK-FTP-UID, value 1001 & op=11 rlm_ldap: user testuser authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 rlm_checkval: Item Name: NAS-Identifier, Value: ftp rlm_checkval: Value Name: NAS-Identifier, Value: ftp modcall[authorize]: module "NAS" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type pam auth: type "PAM" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 pam_pass: using pamauth string <radiusd> for pam.conf lookup pam_pass: authentication succeeded for <testuser> modcall[authenticate]: module "pam" returns ok for request 0 modcall: leaving group authenticate (returns ok) for request 0 Processing the post-auth section of radiusd.conf and that Administrator doesn't rlm_ldap: Adding loginShell as ArticaECK-FTP-Shell, value /bin/bash & op=11 rlm_ldap: Adding homeDirectory as ArticaECK-FTP-Home, value /home/Administrator & op=11 rlm_ldap: Adding gidNumber as ArticaECK-FTP-GID, value 100 & op=11 rlm_ldap: Adding uidNumber as ArticaECK-FTP-UID, value 1000 & op=11 rlm_ldap: user Administrator authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 rlm_checkval: Item Name: NAS-Identifier, Value: ftp rlm_checkval: Could not find attribute named NAS-Identifier in check pairs modcall[authorize]: module "NAS" returns notfound for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type pam auth: type "PAM" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 pam_pass: using pamauth string <radiusd> for pam.conf lookup pam_pass: authentication succeeded for <Administrator> modcall[authenticate]: module "pam" returns ok for request 0 modcall: leaving group authenticate (returns ok) for request 0 Processing the post-auth section of radiusd.conf but I always got both of them authorized. How is it possible? What I did wrong? Why freeradius goes to the authentication section altought checkval module module "NAS" returned notfound? I'm sure I did some kind of mistake, but I really am not able to find it. Now are days I'm googling around and getting quite crazy - I hope that someone of you may help meThank you very much Marco Carcano Configuration files ########################RADIUSD.CONF############################### prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = /usr/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = /usr/lib pidfile = ${run_dir}/radiusd.pid user = radiusd group = radiusd max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = no log_auth_badpass = no log_auth_goodpass = no usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = yes $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf snmp = no $INCLUDE ${confdir}/snmp.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pap { encryption_scheme = crypt } chap { authtype = CHAP } pam { pam_auth = radiusd } $INCLUDE ${confdir}/eap.conf mschap { use_mppe = yes require_encryption = yes require_strong = yes } ldap { server = "127.0.0.1" identity = "CN=FreeRADIUS,OU=AAA,OU=Services,DC=marcolinux,DC=local" password = wRtEYnd3sGkEa.Y4 basedn = "DC=marcolinux,DC=local" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" start_tls = no access_attr = "dialupAccess" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_attribute = sambaNTPassword timeout = 4 timelimit = 3 net_timeout = 1 } realm IPASS { format = prefix delimiter = "/" ignore_default = no ignore_null = no } realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } realm realmpercent { format = suffix delimiter = "%" ignore_default = no ignore_null = no } realm ntdomain { format = prefix delimiter = "\" ignore_default = no ignore_null = no } checkval NAS{ item-name = NAS-Identifier check-name = NAS-Identifier data-type = string notfound-reject=yes } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users preproxy_usersfile = ${confdir}/preproxy_users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } $INCLUDE ${confdir}/sql.conf radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } sqlcounter dailycounter { counter-name = Daily-Session-Time check-name = Max-Daily-Session sqlmod-inst = sql key = User-Name reset = daily query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" } sqlcounter monthlycounter { counter-name = Monthly-Session-Time check-name = Max-Monthly-Session sqlmod-inst = sql key = User-Name reset = monthly query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply } ippool main_pool { range-start = 192.168.1.150 range-stop = 192.168.1.199 netmask = 255.255.255.0 cache-size = 800 session-db = ${localstatedir}/lib/raddb/db.ippool ip-index = ${localstatedir}/lib/raddb/db.ipindex override = no maximum-timeout = 0 } } instantiate { exec expr } authorize { preprocess chap mschap suffix eap ldap NAS } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } pam eap } preacct { preprocess acct_unique suffix files } accounting { detail radutmp main_pool sql } session { radutmp } post-auth { main_pool } pre-proxy { } post-proxy { eap } ##########################USERS################################ DEFAULT Auth-Type = pam Fall-Through = 1 DEFAULT Service-Type == Framed-User Framed-MTU = 576, Service-Type = Framed-User, Fall-Through = Yes DEFAULT Pool-Name := main_pool Fall-Through = Yes DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "SLIP" Framed-Protocol = SLIP ##################radiusd -X -f output ############## Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded Pam pam: pam_auth = "radiusd" Module: Instantiated pam (pam) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded LDAP ldap: server = "127.0.0.1" ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "CN=FreeRADIUS,OU=AAA,OU=Services,DC=marcolinux,DC=local" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "(null)" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "wRtEYnd3sGkEa.Y4" ldap: basedn = "DC=marcolinux,DC=local" ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" ldap: base_filter = "(objectclass=radiusprofile)" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "sambaNTPassword" ldap: access_attr = "dialupAccess" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes ldap: set_auth_type = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section. rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP eckAllowedServices mapped to RADIUS NAS-Identifier rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP uidNumber mapped to RADIUS ArticaECK-FTP-UID rlm_ldap: LDAP gidNumber mapped to RADIUS ArticaECK-FTP-GID rlm_ldap: LDAP homeDirectory mapped to RADIUS ArticaECK-FTP-Home rlm_ldap: LDAP loginShell mapped to RADIUS ArticaECK-FTP-Shell rlm_ldap: LDAP FTPQuotaLimitType mapped to RADIUS ArticaECK-FTP-Quota-Limit-Type rlm_ldap: LDAP FTPQuotaIsPerSession mapped to RADIUS ArticaECK-FTP-Quota-Is-Per-Session rlm_ldap: LDAP FTPQuotaBytesIncoming mapped to RADIUS ArticaECK-FTP-Quota-Bytes-Incoming rlm_ldap: LDAP FTPQuotaBytesOutgoing mapped to RADIUS ArticaECK-FTP-Quota-Bytes-Outgoing rlm_ldap: LDAP FTPQuotaBytesTransferred mapped to RADIUS ArticaECK-FTP-Quota-Bytes-Transferred rlm_ldap: LDAP FTPQuotaFilesIncoming mapped to RADIUS ArticaECK-FTP-Quota-Files-Incoming rlm_ldap: LDAP FTPQuotaFilesOutgoing mapped to RADIUS ArticaECK-FTP-Quota-Files-Outgoing rlm_ldap: LDAP FTPQuotaFilesTransferred mapped to RADIUS ArticaECK-FTP-Quota-Files-Transferred conns: 0x2ba4857109b0 Module: Instantiated ldap (ldap) Module: Loaded checkval checkval: item-name = "NAS-Identifier" checkval: check-name = "NAS-Identifier" checkval: data-type = "string" checkval: notfound-reject = yes rlm_checkval: Registered name NAS-Identifier for attribute 32 Module: Instantiated checkval (NAS) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Module: Loaded IPPOOL ippool: session-db = "/var/lib/raddb/db.ippool" ippool: ip-index = "/var/lib/raddb/db.ipindex" ippool: range-start = 192.168.1.150 IP address [192.168.1.150] ippool: range-stop = 192.168.1.199 IP address [192.168.1.199] ippool: netmask = 255.255.255.0 IP address [255.255.255.0] ippool: cache-size = 800 ippool: override = no ippool: maximum-timeout = 0 Module: Instantiated ippool (main_pool) Module: Loaded SQL sql: driver = "rlm_sql_mysql" sql: server = "localhost" sql: port = "" sql: login = "FreeRADIUS" sql: password = "wRtEYnd3sGkEa.Y4" sql: radius_db = "radius" sql: nas_table = "nas" sql: sqltrace = no sql: sqltracefile = "/var/log/radius/sqltrace.sql" sql: readclients = no sql: deletestalesessions = yes sql: num_sql_socks = 5 sql: sql_user_name = "%{User-Name}" sql: default_user_profile = "" sql: query_on_not_found = no sql: authorize_check_query = "SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id" sql: authorize_reply_query = "SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id" sql: authorize_group_check_query = "SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id" sql: authorize_group_reply_query = "SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id" sql: accounting_onoff_query = "UPDATE radacct SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'" sql: accounting_update_query = "UPDATE radacct SET FramedIPAddress = '%{Framed-IP-Address}', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress= '%{NAS-IP-Address}'" sql: accounting_update_query_alt = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0')" sql: accounting_start_query = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')" sql: accounting_start_query_alt = "UPDATE radacct SET AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'" sql: accounting_stop_query = "UPDATE radacct SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'" sql: accounting_stop_query_alt = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')" sql: group_membership_query = "SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}'" sql: connect_failure_retry_delay = 60 sql: simul_count_query = "" sql: simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0" sql: postauth_query = "INSERT into radpostauth (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())" sql: safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked rlm_sql (sql): Attempting to connect to FreeRADIUS@localhost:/radius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0 rlm_sql_mysql: Starting connect to MySQL server for #0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_mysql #1 rlm_sql_mysql: Starting connect to MySQL server for #1 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_mysql #2 rlm_sql_mysql: Starting connect to MySQL server for #2 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_mysql #3 rlm_sql_mysql: Starting connect to MySQL server for #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_mysql #4 rlm_sql_mysql: Starting connect to MySQL server for #4 rlm_sql (sql): Connected new DB handle, #4 Module: Instantiated sql (sql) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests.
marco wrote:
Sorry Alan
I've not realized that the logs had became a garbage :O( - maybe a webmail realted issue of my ISP. Now I Bcc myself to see how does it appear to recipients
I tried "man unlang" but got no manual entry - I'm using Freeradius packaged for CentOS - I'll give a look to http://freeradius.org/radiusd/man/unlang.html, I think is the same.
<shrug> Upgrade to 2.1.10. You're using a very old version of the server. Alan DeKok.
On 11/23/2010 08:33 AM, Alan DeKok wrote:
marco wrote:
Sorry Alan
I've not realized that the logs had became a garbage :O( - maybe a webmail realted issue of my ISP. Now I Bcc myself to see how does it appear to recipients
I tried "man unlang" but got no manual entry - I'm using Freeradius packaged for CentOS - I'll give a look to http://freeradius.org/radiusd/man/unlang.html, I think is the same.
<shrug> Upgrade to 2.1.10. You're using a very old version of the server.
The 2.x versions of FreeRADIUS on CentOS are under the package name freeradius2, not freeradius. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Hi John thank you very much for the reply - I haven't noticed that exists a freeradius2 rpm package I tried, and after a lot of arrangement on the config files - freeradius2 splits a lot radiusd.conf - I got it working but I have to point out this thing - that I hope you - Red Hat - will fix: /etc/pam.d/radiusd is wrong (maybe the issue is only in CentOS package): this is the content of the original file #%PAM-1.0 auth include password-auth account required pam_nologin.so account include password-auth password include password-auth session include password-auth it is wrong: it causes PAM auth to fail with a really strange error pam_pass: using pamauth string <radiusd> for pam.conf lookup pam_pass: function pam_authenticate FAILED for <testuser>. Reason: Module is unknown ++[pam] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} this error caused me a little headache because initially I tough it was a mine misconfiguration of freeradius. the fix is to replace the contents of /etc/pam.d/radiusd with #%PAM-1.0 auth include system-auth account required pam_nologin.so account include system-auth password include system-auth session include system-auth PAM is usefull in situations like the my Easy Configuration Kit - ECK: I built an AAA system that relies on Freeradius that do Accounting in MySQL, Authorization with OpenLDAP and Authentication by Kerberos - the LDAP directory is Kerberized. I think that PAM and SASL are the good way to accomplish this - In ECK it works. Maybe you already know about this issue - I hope this post can help anybody will get this strange error - until the package got fixed as for my checkval issue, .... have not been able to fix it! I tried to learn unlang, but the only thing I have now in my head is a lot of confusion, ... but I'll answer directly to Alan reply in order not to post the same message twice thank you again, you bring me on the right way Marco Carcano Il giorno 23/nov/10, alle ore 16:25, John Dennis ha scritto:
On 11/23/2010 08:33 AM, Alan DeKok wrote:
marco wrote:
Sorry Alan
I've not realized that the logs had became a garbage :O( - maybe a webmail realted issue of my ISP. Now I Bcc myself to see how does it appear to recipients
I tried "man unlang" but got no manual entry - I'm using Freeradius packaged for CentOS - I'll give a look to http://freeradius.org/radiusd/man/unlang.html , I think is the same.
<shrug> Upgrade to 2.1.10. You're using a very old version of the server.
The 2.x versions of FreeRADIUS on CentOS are under the package name freeradius2, not freeradius.
-- John Dennis <jdennis@redhat.com>
Looking to carve out IT costs? www.redhat.com/carveoutcosts/ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 11/25/2010 04:24 PM, Marco Carcano wrote:
Hi John
thank you very much for the reply - I haven't noticed that exists a freeradius2 rpm package
I tried, and after a lot of arrangement on the config files - freeradius2 splits a lot radiusd.conf - I got it working
but I have to point out this thing - that I hope you - Red Hat - will fix: /etc/pam.d/radiusd is wrong (maybe the issue is only in CentOS package):
this is the content of the original file
#%PAM-1.0 auth include password-auth account required pam_nologin.so account include password-auth password include password-auth session include password-auth
it is wrong: it causes PAM auth to fail with a really strange error
pam_pass: using pamauth string<radiusd> for pam.conf lookup pam_pass: function pam_authenticate FAILED for<testuser>. Reason: Module is unknown ++[pam] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...}
this error caused me a little headache because initially I tough it was a mine misconfiguration of freeradius.
the fix is to replace the contents of /etc/pam.d/radiusd with
#%PAM-1.0 auth include system-auth account required pam_nologin.so account include system-auth password include system-auth session include system-auth
PAM is usefull in situations like the my Easy Configuration Kit - ECK: I built an AAA system that relies on Freeradius that do Accounting in MySQL, Authorization with OpenLDAP and Authentication by Kerberos - the LDAP directory is Kerberized. I think that PAM and SASL are the good way to accomplish this - In ECK it works.
Maybe you already know about this issue - I hope this post can help anybody will get this strange error - until the package got fixed
/etc/pam.d/radiusd was deliberately changed from using system-auth to use password-auth about a year ago. The reason is that the services cannot use the local means of authentication with an out-of-band data channel for the credentials such as Fingerprint and Smart card devices and should use password-auth instead of system-auth file. SMTP, FTP, and other services use it as well. So the problem is not in the change in the freeradius radiusd PAM config. There is likely an error in the password-auth file on your system. It should be possible to find out in /var/log/secure which module is the problem. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
On 11/30/2010 09:45 AM, John Dennis wrote:
On 11/25/2010 04:24 PM, Marco Carcano wrote:
Hi John
thank you very much for the reply - I haven't noticed that exists a freeradius2 rpm package
I tried, and after a lot of arrangement on the config files - freeradius2 splits a lot radiusd.conf - I got it working
but I have to point out this thing - that I hope you - Red Hat - will fix: /etc/pam.d/radiusd is wrong (maybe the issue is only in CentOS package):
this is the content of the original file
#%PAM-1.0 auth include password-auth account required pam_nologin.so account include password-auth password include password-auth session include password-auth
it is wrong: it causes PAM auth to fail with a really strange error
pam_pass: using pamauth string<radiusd> for pam.conf lookup pam_pass: function pam_authenticate FAILED for<testuser>. Reason: Module is unknown ++[pam] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...}
this error caused me a little headache because initially I tough it was a mine misconfiguration of freeradius.
the fix is to replace the contents of /etc/pam.d/radiusd with
#%PAM-1.0 auth include system-auth account required pam_nologin.so account include system-auth password include system-auth session include system-auth
PAM is usefull in situations like the my Easy Configuration Kit - ECK: I built an AAA system that relies on Freeradius that do Accounting in MySQL, Authorization with OpenLDAP and Authentication by Kerberos - the LDAP directory is Kerberized. I think that PAM and SASL are the good way to accomplish this - In ECK it works.
Maybe you already know about this issue - I hope this post can help anybody will get this strange error - until the package got fixed
/etc/pam.d/radiusd was deliberately changed from using system-auth to use password-auth about a year ago.
The reason is that the services cannot use the local means of authentication with an out-of-band data channel for the credentials such as Fingerprint and Smart card devices and should use password-auth instead of system-auth file. SMTP, FTP, and other services use it as well. So the problem is not in the change in the freeradius radiusd PAM config.
There is likely an error in the password-auth file on your system. It should be possible to find out in /var/log/secure which module is the problem.
My apologies, I now realize there is a version mismatch. RHEL5 has not been updated with the password-auth module, it's exists only in Fedora and RHEL6. The RHEL5 version of /etc/pam.d/radiusd should be using system-auth as you correctly point out. The pam change was inadvertently copied into the RHEL5 version of FreeRADIUS, I will open a bug against the RHEL5 version. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Hi Alan I RTM unlang, but I have to admit I only got confused - The only thing I have understood is to write a simple statement like this (in authorize section) if (NAS-Identifier == "ftp" ) { ok } else { reject } and I think is even wrong because returns always OK :((((( I noticed on some posts people using a syntax like if (NAS-Identifier == %{sql: SELECT ... BLA BLA} ) but I have not been able to see a working example using ldap, ... may you provide an example, please? I've not been able to figure out how to write it down. my situation is this: eckAllowedServices is a multistring attribute that contains a NAS-Identifier per line. I use service names as NAS- Identifiers in order to perform users authorization to services - eg authorize ftp access on a per users basis this is what happen when I do a ldapsearch ldapsearch -LLL -b cn=testuser,ou=Users,dc=marcolinux,dc=local eckAllowedServices -x -D "CN=FreeRADIUS,OU=AAA,OU=Services,DC=marcolinux,DC=local" -w wRtEYnd3sGkEa.Y4 dn: cn=testuser,ou=Users,dc=marcolinux,dc=local eckAllowedServices: ftp eckAllowedServices: httpProxy that shows that the DN used by freeradius is able to read eckAllowedServices attribute as I wrote in the previous post, I updated ldap.attrmap inserting the following line checkItem NAS-Identifier eckAllowedServices in order to do the "binding" between radius and LDAP and this is the extension of the LDAP schema (eck.schema) attributetype ( 1.3.6.1.4.1.26309.1.1.11 NAME 'eckAllowedServices' DESC 'Services the user is allowed to login' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} ) objectClass ( 1.3.6.1.4.1.26309.1.1.1 NAME 'eckGenericObject' AUXILIARY DESC 'an ECK generic object' MAY ( locked $ eckPublicKey $ eckPrivateKey $ userPKCS12 $ allowProxy $ eckAllowedServices)) thinking at the %{sql:SELECT ...} example I tough I syntax almost like this if (NAS-Identifier == "ldap:cn=%{User- Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)" ) { ok } else { reject } the aim is to check if NAS-Identifier supplied by the NAS is equal to one of the multivalue strings of eckAllowedServices but I always got this message - it doesnt matter if the user has got or hasn't the eckAllowedServices attribute: if (NAS-Identifier == "ldap:cn=%{User- Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)" ) expand: ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices) -> ldap:cn=testuser,ou=Users,dc=marcolinux,dc=local (eckAllowedServices) ? Evaluating (NAS-Identifier == "ldap:cn=%{User- Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)" ) -> FALSE ++? if (NAS-Identifier == "ldap:cn=%{User- Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)" ) -> FALSE ++- entering else else {...} +++[reject] returns reject I gave a look to ldap.log - with verbose debugging, ... I found references to eckAllowedServices, but not as a request for only one attribute - as I was expecting for the unlang expression I wrote: I got it mixed with lots of other attributes - that is the previous ldap lookup of the ldap module of the authorization section: in other words - I think the unlang expression above is useless and is not processed with a query to the ldap server . I certainly mis-typed the syntax, but I'm not able to figure a syntax :((( Alan, may you provide an example unlang for LDAP? Maybe I am slow learner, but I think it could help me (and I hope others) a lot Ah - I use freeradius2-2.1.7-7.el5 - that is the "official" from RedHat/CentOS - please, don't tell me I have to repackage it to 2.1.10 - I had done this with quite a lot of other packages in ECK Il giorno 23/nov/10, alle ore 14:33, Alan DeKok ha scritto:
marco wrote:
Sorry Alan
I've not realized that the logs had became a garbage :O( - maybe a webmail realted issue of my ISP. Now I Bcc myself to see how does it appear to recipients
I tried "man unlang" but got no manual entry - I'm using Freeradius packaged for CentOS - I'll give a look to http://freeradius.org/radiusd/man/unlang.html , I think is the same.
<shrug> Upgrade to 2.1.10. You're using a very old version of the server.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Marco Carcano wrote:
I RTM unlang, but I have to admit I only got confused - The only thing I have understood is to write a simple statement like this (in authorize section)
if (NAS-Identifier == "ftp" ) { ok } else { reject }
and I think is even wrong because returns always OK :(((((
And.... what does debug mode say?
I noticed on some posts people using a syntax like if (NAS-Identifier == %{sql: SELECT ... BLA BLA} )
See "man unlang". This is documented.
but I have not been able to see a working example using ldap,
if (NAS-Identifier == "%{ldap: ... ldap stuff ... }") {
thinking at the %{sql:SELECT ...} example I tough I syntax almost like this
if (NAS-Identifier == "ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)" ) {
You didn't use the same form as the SQL example. The brackets have *meaning*: %{} See "man unlang". Alan DeKok.
Hi Alan
but I have not been able to see a working example using ldap,
if (NAS-Identifier == "%{ldap: ... ldap stuff ... }") {
thinking at the %{sql:SELECT ...} example I tough I syntax almost like this
if (NAS-Identifier == "ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)" ) {
You didn't use the same form as the SQL example. The brackets have *meaning*: %{}
if (NAS-Identifier == {ldap:cn=%{User- Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)} ) { ok } when start radiusd in debug mode I got: Expected string or numbers at: ldap:cn=%{User- Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)} ) /etc/raddb/sites-enabled/default[62]: Errors parsing authorize section. is for that reason I did not use brackets - I got a syntax error, so I tought it was wrong to use them in this way if I modify to the following in if (NAS-Identifier == "{ldap:cn=%{User- Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}" ) { ok } radiusd starts well, but when tring to authenticate I got the following message: ++? if (NAS-Identifier == "{ldap:cn=%{User- Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}" ) expand: {ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)} -> {ldap:cn=testuser,ou=Users,dc=marcolinux,dc=local (eckAllowedServices)} ? Evaluating (NAS-Identifier == "{ldap:cn=%{User- Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}" ) -> FALSE ++? if (NAS-Identifier == "{ldap:cn=%{User- Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}" ) -> FALSE ++- entering else else {...} +++[reject] returns reject ++- else else returns reject Using Post-Auth-Type Reject %{User-Name} is expanded right, ... is my syntax that is certainly wrong so that unlang see is just like a string to compare Alan, ... why you don't just provide a working example - I'm working on a GPL'ed app - ECK, if you give a look to sourceforge you can find it - and now are almost two years I spent many of my nights - I have to work during the day - and part of my weekends in a project that I think somebody could find usefull. Maybe one day many people will use it to build their base system and simply do not write to this list asking ho to have freeradius working with PAM, LDAP and so on because thanks to ECK they'll got a working environment in less than an hour. Maybe they'll stress you just on how to improve it you work on freeradius because you belive in your project, I work on mine because I belive in mine. I belive in your project and put it into mine. We both work without beeing paid by anybody, just for passion Now I'm at the final race, ... I really do not understand why you cannot provide just an example - maybe I am a stupid, but I re-read more times unlang manual without beeing able to figure the right syntax Marco
Hi Alan, just to let you know: if (NAS-Identifier == "%{ldap:cn=%{User- Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}" ) { ok } message: ++? if (NAS-Identifier == "%{ldap:cn=%{User- Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}" ) rlm_ldap: - ldap_xlat expand: cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices) -> cn=testuser,ou=Users,dc=marcolinux,dc=local (eckAllowedServices) rlm_ldap: String passed does not look like an LDAP URL. expand: %{ldap:cn=%{User- Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)} -> it seems to me that it "fires" the ldap module but it don't like my syntax. the same is for if (NAS-Identifier == "%{ldap:cn=%{User- Name},ou=Users,dc=marcolinux,dc=local}" ) { ok } ++? if (NAS-Identifier == "%{ldap:cn=%{User- Name},ou=Users,dc=marcolinux,dc=local}" ) rlm_ldap: - ldap_xlat expand: cn=%{User-Name},ou=Users,dc=marcolinux,dc=local -> cn=testuser,ou=Users,dc=marcolinux,dc=local rlm_ldap: String passed does not look like an LDAP URL. I do not understand why the message complains about LDAP URL - ldap URL is the address of the server - what I provided is an LDAP DN I tought it is not necessary to supply the LDAP URL because they are already provided in modules/ldap file Now I'm sure I have undestood absolutely nothing about this module Marco
Hi Alan OK - Got working - did a look at rlm_ldap.c, and ldap.h (ldap_is_ldap_url and ldap_url_parse fuctions) - altough I have one issue more, ... se below if ("%{ldap:ldap://127.0.0.1/CN=%{User- Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS- Identifier}" ) { ok } else { reject } debug is ++? if ("%{ldap:ldap://127.0.0.1/CN=%{User- Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS- Identifier}" ) rlm_ldap: - ldap_xlat expand: ldap://127.0.0.1/CN=%{User- Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices -> ldap:// 127.0.0.1/CN=testuser,OU=Users,DC=marcolinux,DC=local?eckAllowedServices rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in CN=testuser,OU=Users,DC=marcolinux,DC=local, with filter (null) rlm_ldap: Adding attribute eckAllowedServices, value: ftp rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: - ldap_xlat end expand: %{ldap:ldap://127.0.0.1/CN=%{User- Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices} -> ftp expand: %{NAS-Identifier} -> ftp ? Evaluating ("%{ldap:ldap://127.0.0.1/CN=%{User- Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS- Identifier}" ) -> TRUE ++? if ("%{ldap:ldap://127.0.0.1/CN=%{User- Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS- Identifier}" ) -> TRUE ++- entering if ("%{ldap:ldap://127.0.0.1/CN=%{User- Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS- Identifier}" ) {...} +++[ok] returns ok ++- if ("%{ldap:ldap://127.0.0.1/CN=%{User- Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS- Identifier}" ) returns ok ++ ... skipping else for request 0: Preceding "if" was taken Found Auth-Type = PAM but it works only if eckAllowedServices has only one value. eckAllowedServices is a multi-string attribute, that is for example eckAllowedServices[0]=httpProxy eckAllowedServices[1]=ftp eckAllowedServices[2]=VPN ecc it works only for the first element of the array, ... so in the preceding example only if eckAllowedServices[0]=ftp is there a way to have it recursively process all the elements of the array to do the comparison? I tried if ("%{ldap:ldap://127.0.0.1/CN=%{User- Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices[*]}" == "% {NAS-Identifier}" ) and if ("%{ldap:ldap://127.0.0.1/CN=%{User- Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}[*]" == "% {NAS-Identifier}" ) but had no luck Marco Carcano just for info (for other users that may read this post in the future): I was wondering if it performed an anonymous bind to the directory - LDAP URL does not contain credentials, so I raised up ldap server verbosity and gave a look to the log, .... it works authenticated as in modules/ldap - I think this is really important: in my server I prohibited anonymous binding also from localhost Il giorno 26/nov/10, alle ore 09:31, Alan DeKok ha scritto:
Marco Carcano wrote:
I RTM unlang, but I have to admit I only got confused - The only thing I have understood is to write a simple statement like this (in authorize section)
if (NAS-Identifier == "ftp" ) { ok } else { reject }
and I think is even wrong because returns always OK :(((((
And.... what does debug mode say?
I noticed on some posts people using a syntax like if (NAS- Identifier == %{sql: SELECT ... BLA BLA} )
See "man unlang". This is documented.
but I have not been able to see a working example using ldap,
if (NAS-Identifier == "%{ldap: ... ldap stuff ... }") {
thinking at the %{sql:SELECT ...} example I tough I syntax almost like this
if (NAS-Identifier == "ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)" ) {
You didn't use the same form as the SQL example. The brackets have *meaning*: %{}
See "man unlang".
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Alan got E V E R Y T H I N G working if ("%{ldap:ldap://127.0.0.1/CN=%{User- Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices?base? eckAllowedServices=%{NAS-Identifier}}") { ok } else { reject } thank you anyway - you put me on the right way Within a few days I'll publish a new version of ECK with freeradius2 (the actual uses freeradius, and that let a granular service authorization by LDAP), ... thank you for all the time you spent and you are spending on freeradius project, ... I know what it mean Good luck Marco Carcano
participants (4)
-
Alan DeKok -
John Dennis -
marco -
Marco Carcano