Use rlm_ldap reply for the next authorization module
Hello, In order to allow a user to access the service (send a Access-Accept) I need to validate several things: First the password must be OK: * The User-name and password are stored in cleartext in a ldap (I use Chap), I must get another ldap attribute wich specify the crm Id matching the username. The user must be allowed to use the service: * Daily I get a files matching a crm Id and a status (can access, cant access) => I can't have a matching between user-name / Status. The crm don't know the user-name, and the ldap don't know the client's status (only the Crm ID) I have no trouble to check the User-Name/Password using ldap and chap modules. But I can't figure out how to use the ldap reply to request the local mysql where is store the match between crm Id and status. I don't know how to use a reply of a authorization module (ldap) in an another one (sql). Since I didn't find out how to do this, I tried to add the crmID in a unused radius attribute: Callback-Number: In the ldap attrmap configuration file I added: replyItem Callback-Number SFRrelationLoginService And in the sql configuration: sql_user_name = "%{Callback-Number}" Unfortunately as expected the replyItem is only add when the reply is generate. I also tried with a checkItem without more success... Is it possible to configure the ldap module in order to store a ldapattribute in a variable usable by the mysql module ? Or to replace/add a radius attribute in the request, base on the ldap reply before the next module is compute? Examples : Goal case: echo "User-Name= toto,Chap-Password=111111", | sudo radclient -x 172.16.0.135:1812 auth secret Sending Access-Request of id 202 to 172.16.0.135 port 1812 User-Name = "toto" CHAP-Password = 0xcab5c3da9c9ebb891608c1991c2e37bea3 rad_recv: Access-Reject packet from host 172.16.0.135 port 1812, id=202, length=20 log: Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: Waking up in 0.9 seconds. Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_ldap: waiting for bind result ... Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_ldap: Bind was successful Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_ldap: performing search in ou=EndUser,dc=USER,dc=fr, with filter (USERlogin=toto*) Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [ldapClear] No default NMAS login sequence Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [ldapClear] looking for check items in directory... Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_ldap: USERrelationLoginService -> Callback-Number == "siebelsIdFortoto" Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_ldap: USERuserPassword -> Cleartext-Password == "111111" Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_ldap: USERlogin -> User-Name == "toto" Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [ldapClear] looking for reply items in directory... Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [ldapClear] user toto authorized to use remote access Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_ldap: ldap_release_conn: Release Id: 0 Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[ldapClear] returns ok Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [sql_crm_abv] #011expand: %{Callback-Number} -> Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [sql_crm_abv] sql_set_user escaped user --> '' Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_sql (sql_crm_abv): Reserving sql socket id: 1 Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [sql_crm_abv] #011expand: SELECT Identifiant, Status FROM siebel WHERE Identifiant = '%{Callback-Number}' AND Status='1' -> SELECT Identifiant, Status FROM siebel WHERE Identifiant = '' AND Status='1' Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_sql_mysql: query: SELECT Identifiant, Status FROM siebel WHERE Identifiant = '' AND Status='1' Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_sql (sql_crm_abv): Released sql socket id: 1 Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [sql_crm_abv] User not found Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[sql_crm_abv] returns notfound Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [chap] Setting 'Auth-Type := CHAP' Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[chap] returns ok Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[expiration] returns noop Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[logintime] returns noop Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [pap] Found existing Auth-Type, not changing it. Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[pap] returns noop Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_sqlcounter: Entering module authorize code Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_sqlcounter: Could not find Key value pair Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[scratchcounter_lyo] returns noop Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: Found Auth-Type = CHAP Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: +- entering group CHAP {...} Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [chap] login attempt by "toto" with CHAP password Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [chap] Using clear text password "111111" for user toto authentication. Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [chap] chap user toto authenticated succesfully Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[chap] returns ok Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: Login OK: [toto/<CHAP-Password>] (from client ext port 0) Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: +- entering group post-auth {...} Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[reply_log] returns ok Test addin the crmId in the request before computing => not possible in real situation, but to test everything else echo "User-Name= toto,Chap-Password=111111",Callback-Number='siebelsIdFortoto' | sudo radclient -x 172.16.0.135:1812 auth secret Sending Access-Request of id 159 to 172.16.0.135 port 1812 User-Name = "toto" CHAP-Password = 0x9fb08ff7f454d0c9998fc5dd72479940cd Callback-Number = "siebelsIdFortoto" rad_recv: Access-Accept packet from host 172.16.0.135 port 1812, id=159, length=20 log: Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Thread 4 got semaphore Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Thread 4 handling request 0, (1 handled so far) Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: +- entering group authorize {...} Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[preprocess] returns ok Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[mschap] returns noop Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [IPASS] No '/' in User-Name = "toto", looking up realm NULL Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [IPASS] No such realm "NULL" Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[IPASS] returns noop Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [suffix] No '@' in User-Name = "toto", looking up realm NULL Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [suffix] No such realm "NULL" Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[suffix] returns noop Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[files] returns noop Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] performing user authorization for toto Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] #011expand: %{Stripped-User-Name} -> Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] #011expand: %{User-Name} -> toto Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] #011expand: (USERlogin=%{%{Stripped-User-Name}:-%{User-Name}}*) -> (USERlogin=toto*) Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] #011expand: ou=EndUser,dc=USER,dc=fr -> ou=EndUser,dc=USER,dc=fr Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: ldap_get_conn: Checking Id: 0 Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: ldap_get_conn: Got Id: 0 Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: attempting LDAP reconnection Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: (re)connect to 10.33.245.241:389, authentication 0 Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: bind as cn=Radius Gp,ou=Application,dc=USER,dc=fr/radiusgp to 10.33.245.241:389 Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Threads: total/active/spare threads = 5/1/4 Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Waking up in 0.9 seconds. Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: waiting for bind result ... Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: Bind was successful Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: performing search in ou=EndUser,dc=USER,dc=fr, with filter (USERlogin=toto*) Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] No default NMAS login sequence Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] looking for check items in directory... Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: USERrelationLoginService -> Callback-Number == "siebelsIdFortoto" Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: USERuserPassword -> Cleartext-Password == "111111" Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: USERlogin -> User-Name == "toto" Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] looking for reply items in directory... Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] user toto authorized to use remote access Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: ldap_release_conn: Release Id: 0 Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[ldapClear] returns ok Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [sql_crm_abv] #011expand: %{Callback-Number} -> siebelsIdFortoto Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [sql_crm_abv] sql_set_user escaped user --> 'siebelsIdFortoto' Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_sql (sql_crm_abv): Reserving sql socket id: 1 Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [sql_crm_abv] #011expand: SELECT Identifiant, Status FROM siebel WHERE Identifiant = '%{Callback-Number}' AND Status='1' -> SELECT Identifiant, Status FROM siebel WHERE Identifiant = 'siebelsIdFortoto' AND Status='1' Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_sql_mysql: query: SELECT Identifiant, Status FROM siebel WHERE Identifiant = '=siebelsIdFortoto' AND Status='1' Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_sql (sql_crm_abv): Released sql socket id: 1 Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [sql_crm_abv] User siebelsIdFortoto not found Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[sql_crm_abv] returns notfound Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [chap] Setting 'Auth-Type := CHAP' Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[chap] returns ok Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[expiration] returns noop Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[logintime] returns noop Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [pap] Found existing Auth-Type, not changing it. Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[pap] returns noop Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_sqlcounter: Entering module authorize code Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_sqlcounter: Could not find Key value pair Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Found Auth-Type = CHAP Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: +- entering group CHAP {...} Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [chap] login attempt by "toto" with CHAP password Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [chap] Using clear text password "111111" for user toto authentication. Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [chap] chap user toto authenticated succesfully Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[chap] returns ok Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Login OK: [toto/<CHAP-Password>] (from client ext port 0) Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: +- entering group post-auth {...} JJun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Finished request 0. Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Going to the next request Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Thread 4 waiting to be assigned a request Jun 16 12:33:30 radius-wifi1-aub freeradius[7106]: Waking up in 4.0 seconds. Jun 16 12:33:34 radius-wifi1-aub freeradius[7106]: Cleaning up request 0 ID 159 with timestamp +4 Jun 16 12:33:34 radius-wifi1-aub freeradius[7106]: Ready to process requests.
JUND wrote:
I have no trouble to check the User-Name/Password using ldap and chap modules. But I can’t figure out how to use the ldap reply to request the local mysql where is store the match between crm Id and status.
I don’t know how to use a reply of a authorization module (ldap) in an another one (sql).
You can't. It's usually not necessary.
Since I didn’t find out how to do this, I tried to add the crmID in a unused radius attribute: Callback-Number:
In the ldap attrmap configuration file I added:
replyItem Callback-Number SFRrelationLoginService
That should add it to the *reply* items.
And in the sql configuration:
sql_user_name = "%{Callback-Number}"
That looks up the Callback-Number in the *request*. See "man unlang". You want: sql_user_name = "%{reply:Callback-Number}"
Is it possible to configure the ldap module in order to store a ldapattribute in a variable usable by the mysql module ?
Yes. You're doing it. You're just not referencing the variable correctly.
Or to replace/add a radius attribute in the request, base on the ldap reply before the next module is compute?
The LDAP module can't update the request. Alan DeKok.
participants (2)
-
Alan DeKok -
JUND, Aurélien