Receivin a full DN in a radius request
Hello there, For some purpose, I'm receiving a full DN in a radius request, which I must authenticate on a LDAP server. FOr now, I got a problem : radiusd strips everything after the first "=", leaving me with a username of "uid" ... Is there something I missed ? I read all the documentation I can find, nothing helped. Regards, Jean-Francois Gobin ---------- Jean-Francois Gobin - Administrateur gobinjf.be http://www.gobinjf.be mailto:gobin@gobinjf.be
For now, the radius request is generated through "radtest". --> Client : [root@netlab01 root]# radtest "uid=P06227,ou=people,o=nrb,c=be" ******* localhost 0 *********** Sending Access-Request of id 100 to 127.0.0.1:1812 User-Name = "uid=P06227,ou=people,o=nrb,c=be" User-Password = "*****" NAS-IP-Address = netlab01 NAS-Port = 0 rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=100, length=20 --> Server rlm_ldap: - authorize rlm_ldap: performing user authorization for uid=P06227,ou=people,o=nrb,c=be radius_xlat: '(uid)' radius_xlat: ' ' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in , with filter (uid) rlm_ldap: ldap_search() failed: Bad search filter: (uid) rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns fail for request 1 modcall: group authorize returns fail for request 1 So, the error is between the radius receives the packet and the rtm_ldap sends the packet to the server. It seems that "radius_xlat" truncates my username. On Mon, 12 Sep 2005, Nicolas Baradakis wrote:
En réponse à Jean-Francois Gobin :
For now, I got a problem : radiusd strips everything after the first "=", leaving me with a username of "uid" ...
Where does the string come from? Is it truncated in the RADIUS packet or in the LDAP entry?
-- Nicolas Baradakis
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
---------- Jean-Francois Gobin - Administrateur gobinjf.be http://www.gobinjf.be mailto:gobin@gobinjf.be
Jean-Francois Gobin wrote:
rlm_ldap: - authorize rlm_ldap: performing user authorization for uid=P06227,ou=people,o=nrb,c=be radius_xlat: '(uid)' radius_xlat: ' ' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in , with filter (uid) rlm_ldap: ldap_search() failed: Bad search filter: (uid)
What is your filter in section ldap of radiusd.conf ? -- Nicolas Baradakis
Something (from memory) likes filter = "(%u)" jF On Tue, 13 Sep 2005, Nicolas Baradakis wrote:
Jean-Francois Gobin wrote:
rlm_ldap: - authorize rlm_ldap: performing user authorization for uid=P06227,ou=people,o=nrb,c=be radius_xlat: '(uid)' radius_xlat: ' ' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in , with filter (uid) rlm_ldap: ldap_search() failed: Bad search filter: (uid)
What is your filter in section ldap of radiusd.conf ?
-- Nicolas Baradakis
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
---------- Jean-Francois Gobin - Administrateur gobinjf.be http://www.gobinjf.be mailto:gobin@gobinjf.be
Here is my whole ldap definition : ldap { server = "ldap.xxxx.xxx" # identity = "cn=admin,o=My Org,c=UA" # password = mypass basedn = " " filter = "(%{User-Name})" # base_filter = "(objectclass=radiusprofile)" # set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # The StartTLS operation is supposed to be used with normal # ldap connections instead of using ldaps (port 689) connections start_tls = no # tls_cacertfile = /path/to/cacert.pem # tls_cacertdir = /path/to/ca/dir/ # tls_certfile = /path/to/radius.crt # tls_keyfile = /path/to/radius.key # tls_randfile = /path/to/rnd # tls_require_cert = "demand" # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" # access_attr = "dialupAccess" # Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 # # NOTICE: The password_header directive is NOT case insensitive # # password_header = "{clear}" # # Set: # password_attribute = nspmPassword # # to get the user's password from a Novell eDirectory # backend. This will work *only if* freeRADIUS is # configured to build with --with-edir option. # # # The server can usually figure this out on its own, and pull # the correct User-Password or NT-Password from the database. # # Note that NT-Passwords MUST be stored as a 32-digit hex # string, and MUST start off with "0x", such as: # # 0x000102030405060708090a0b0c0d0e0f # # Without the leading "0x", NT-Passwords will not work. # This goes for NT-Passwords stored in SQL, too. # # password_attribute = userPassword # # Un-comment the following to disable Novell eDirectory account # policy check and intruder detection. This will work *only if* # FreeRADIUS is configured to build with --with-edir option. # # edir_account_policy_check=no # # groupname_attribute = cn # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqu eNames)(uniquemember=%{Ldap-UserDn})))" # groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 # compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes } On Tue, 13 Sep 2005, Nicolas Baradakis wrote:
Jean-Francois Gobin wrote:
rlm_ldap: - authorize rlm_ldap: performing user authorization for uid=P06227,ou=people,o=nrb,c=be radius_xlat: '(uid)' radius_xlat: ' ' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in , with filter (uid) rlm_ldap: ldap_search() failed: Bad search filter: (uid)
What is your filter in section ldap of radiusd.conf ?
-- Nicolas Baradakis
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
---------- Jean-Francois Gobin - Administrateur gobinjf.be http://www.gobinjf.be mailto:gobin@gobinjf.be
On Wed, 14 Sep 2005, Jean-Francois Gobin wrote:
Here is my whole ldap definition :
ldap { server = "ldap.xxxx.xxx" # identity = "cn=admin,o=My Org,c=UA" # password = mypass basedn = " "
This should be an actual DN of your tree. Something like: ou=people,dc=company,dc=com
filter = "(%{User-Name})"
This is wrong. It should most probably read filter = "(uid=%{User-Name})"
# base_filter = "(objectclass=radiusprofile)"
# set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # The StartTLS operation is supposed to be used with normal # ldap connections instead of using ldaps (port 689) connections start_tls = no
# tls_cacertfile = /path/to/cacert.pem # tls_cacertdir = /path/to/ca/dir/ # tls_certfile = /path/to/radius.crt # tls_keyfile = /path/to/radius.key # tls_randfile = /path/to/rnd # tls_require_cert = "demand"
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" # access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
# # NOTICE: The password_header directive is NOT case insensitive # # password_header = "{clear}" # # Set: # password_attribute = nspmPassword # # to get the user's password from a Novell eDirectory # backend. This will work *only if* freeRADIUS is # configured to build with --with-edir option. # # # The server can usually figure this out on its own, and pull # the correct User-Password or NT-Password from the database. # # Note that NT-Passwords MUST be stored as a 32-digit hex # string, and MUST start off with "0x", such as: # # 0x000102030405060708090a0b0c0d0e0f # # Without the leading "0x", NT-Passwords will not work. # This goes for NT-Passwords stored in SQL, too. # # password_attribute = userPassword # # Un-comment the following to disable Novell eDirectory account # policy check and intruder detection. This will work *only if* # FreeRADIUS is configured to build with --with-edir option. # # edir_account_policy_check=no # # groupname_attribute = cn # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqu eNames)(uniquemember=%{Ldap-UserDn})))" # groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 # compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes }
On Tue, 13 Sep 2005, Nicolas Baradakis wrote:
Jean-Francois Gobin wrote:
rlm_ldap: - authorize rlm_ldap: performing user authorization for uid=P06227,ou=people,o=nrb,c=be radius_xlat: '(uid)' radius_xlat: ' ' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in , with filter (uid) rlm_ldap: ldap_search() failed: Bad search filter: (uid)
What is your filter in section ldap of radiusd.conf ?
-- Nicolas Baradakis
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
---------- Jean-Francois Gobin - Administrateur gobinjf.be http://www.gobinjf.be mailto:gobin@gobinjf.be - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Kostas Kalevras Network Operations Center kkalev@noc.ntua.gr National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf
So ...
From the preceding, preceding mail, you should have seen that %{User-Name} is equal to something like "uid=P0..., o=nrb, c=be" ... which is what I want to have checked against the LDAP.
For now, when I implement your suggestion, I just come out with "checking for dn=o=nrb,c=be, (uid=uid)", which corresponds to the truncating of my requesting DN. jF On Wed, 14 Sep 2005, Kostas Kalevras wrote:
On Wed, 14 Sep 2005, Jean-Francois Gobin wrote:
Here is my whole ldap definition :
ldap { server = "ldap.xxxx.xxx" # identity = "cn=admin,o=My Org,c=UA" # password = mypass basedn = " "
This should be an actual DN of your tree. Something like: ou=people,dc=company,dc=com
filter = "(%{User-Name})"
This is wrong. It should most probably read filter = "(uid=%{User-Name})"
# base_filter = "(objectclass=radiusprofile)"
# set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # The StartTLS operation is supposed to be used with normal # ldap connections instead of using ldaps (port 689) connections start_tls = no
# tls_cacertfile = /path/to/cacert.pem # tls_cacertdir = /path/to/ca/dir/ # tls_certfile = /path/to/radius.crt # tls_keyfile = /path/to/radius.key # tls_randfile = /path/to/rnd # tls_require_cert = "demand"
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" # access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
# # NOTICE: The password_header directive is NOT case insensitive # # password_header = "{clear}" # # Set: # password_attribute = nspmPassword # # to get the user's password from a Novell eDirectory # backend. This will work *only if* freeRADIUS is # configured to build with --with-edir option. # # # The server can usually figure this out on its own, and pull # the correct User-Password or NT-Password from the database. # # Note that NT-Passwords MUST be stored as a 32-digit hex # string, and MUST start off with "0x", such as: # # 0x000102030405060708090a0b0c0d0e0f # # Without the leading "0x", NT-Passwords will not work. # This goes for NT-Passwords stored in SQL, too. # # password_attribute = userPassword # # Un-comment the following to disable Novell eDirectory account # policy check and intruder detection. This will work *only if* # FreeRADIUS is configured to build with --with-edir option. # # edir_account_policy_check=no # # groupname_attribute = cn # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqu eNames)(uniquemember=%{Ldap-UserDn})))" # groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 # compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes }
On Tue, 13 Sep 2005, Nicolas Baradakis wrote:
Jean-Francois Gobin wrote:
rlm_ldap: - authorize rlm_ldap: performing user authorization for uid=P06227,ou=people,o=nrb,c=be radius_xlat: '(uid)' radius_xlat: ' ' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in , with filter (uid) rlm_ldap: ldap_search() failed: Bad search filter: (uid)
What is your filter in section ldap of radiusd.conf ?
-- Nicolas Baradakis
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
---------- Jean-Francois Gobin - Administrateur gobinjf.be http://www.gobinjf.be mailto:gobin@gobinjf.be - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Kostas Kalevras Network Operations Center kkalev@noc.ntua.gr National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
---------- Jean-Francois Gobin - Administrateur gobinjf.be http://www.gobinjf.be mailto:gobin@gobinjf.be
Jean-Francois Gobin <gobin@gobinjf.be> wrote:
For now, when I implement your suggestion, I just come out with
"checking for dn=o=nrb,c=be, (uid=uid)", which corresponds to the truncating of my requesting DN.
So you're logging in as user "uid"? And you're not posting the debug log with the *real* output? Alan DeKok.
;-) Nope, I'm really logging with P06227. The system formulates it "uid=P06227,o=nrb,c=be" to the radius. And that's what I want to be forwarded to the ldap server. On Wed, 14 Sep 2005, Alan DeKok wrote:
Jean-Francois Gobin <gobin@gobinjf.be> wrote:
For now, when I implement your suggestion, I just come out with
"checking for dn=o=nrb,c=be, (uid=uid)", which corresponds to the truncating of my requesting DN.
So you're logging in as user "uid"?
And you're not posting the debug log with the *real* output?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
---------- Jean-Francois Gobin - Administrateur gobinjf.be http://www.gobinjf.be mailto:gobin@gobinjf.be
Jean-Francois Gobin <gobin@gobinjf.be> wrote:
Nope, I'm really logging with P06227.
Then you shouldn't see "uid=uid" in the LDAP query.
The system formulates it "uid=P06227,o=nrb,c=be" to the radius.
"The system"? What system?
And that's what I want to be forwarded to the ldap server.
So check the debug logs from FreeRADIUS. Alan DeKok.
I included them previously. You can see in them that the system sends me what I want. But the FreeRadius doesn't use it like that in the LDAP query. On Wed, 14 Sep 2005, Alan DeKok wrote:
Jean-Francois Gobin <gobin@gobinjf.be> wrote:
Nope, I'm really logging with P06227.
Then you shouldn't see "uid=uid" in the LDAP query.
The system formulates it "uid=P06227,o=nrb,c=be" to the radius.
"The system"? What system?
And that's what I want to be forwarded to the ldap server.
So check the debug logs from FreeRADIUS.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
---------- Jean-Francois Gobin - Administrateur gobinjf.be http://www.gobinjf.be mailto:gobin@gobinjf.be
Nope. I posted the config later, that's all. On Wed, 14 Sep 2005, Alan DeKok wrote:
Jean-Francois Gobin <gobin@gobinjf.be> wrote:
I included them previously.
Before you edited your config.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
---------- Jean-Francois Gobin - Administrateur gobinjf.be http://www.gobinjf.be mailto:gobin@gobinjf.be
Jean-Francois Gobin wrote:
From the preceding, preceding mail, you should have seen that %{User-Name} is equal to something like "uid=P0..., o=nrb, c=be" ... which is what I want to have checked against the LDAP.
For now, when I implement your suggestion, I just come out with "checking for dn=o=nrb,c=be, (uid=uid)", which corresponds to the truncating of my requesting DN.
I indeed found a bug in function ldap_escape_func(). However, after fixing the function I get the following line in my logs, which is still an invalid LDAP filter. rlm_ldap: performing search in ou=users,ou=radius,dc=mydomain,dc=com, with filter (uid\3dP06227\2cou\3dpeople\2co\3dnrb\2cc\3dbe) This is not a bug: user supplied strings are escaped from unsafe characters. In your case, I'd suggest to rewrite the User-Name to "P06227" with the module rlm_attr_rewrite and use the filter "(uid=%{User-Name})" in rlm_ldap. -- Nicolas Baradakis
Nicolas Baradakis <nbk@sitadelle.com> wrote:
rlm_ldap: performing search in ou=users,ou=radius,dc=mydomain,dc=com, with filter (uid\3dP06227\2cou\3dpeople\2co\3dnrb\2cc\3dbe)
This is not a bug: user supplied strings are escaped from unsafe characters.
Oh, I missed *that*. He's trying to pass an LDAP dn in a User-Name attribute? The answer is "edit the source code yourself". We will *not* be accepting patches for something like this. Alan DeKok.
Oh ... Ok ... I was not requesting a patch, I just wanted to know if there was a possibility to "forward the string without parsing/escaping". And BTW, you can stop the condescending air ... jF On Thu, 15 Sep 2005, Alan DeKok wrote:
Nicolas Baradakis <nbk@sitadelle.com> wrote:
rlm_ldap: performing search in ou=users,ou=radius,dc=mydomain,dc=com, with filter (uid\3dP06227\2cou\3dpeople\2co\3dnrb\2cc\3dbe)
This is not a bug: user supplied strings are escaped from unsafe characters.
Oh, I missed *that*. He's trying to pass an LDAP dn in a User-Name attribute?
The answer is "edit the source code yourself". We will *not* be accepting patches for something like this.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
---------- Jean-Francois Gobin - Administrateur gobinjf.be http://www.gobinjf.be mailto:gobin@gobinjf.be
participants (4)
-
Alan DeKok -
Jean-Francois Gobin -
Kostas Kalevras -
Nicolas Baradakis