Problem in freeradius 2.1.10, ldap and huntgroups
Hi, I have installed fr 2.1.10 w openldap and I can authenticate users against ldap. I have also added groups in ldap and allowed ldap module to search groups and it also works fine. Now the problem is that is huntgroups wont work. I need to restrict access to NAS for specific groups. I can see that groups match "rlm_ldap::ldap_groupcmp: User found in group xxxx", huntgroup match wont work. file huntgroups: xxxx NAS-IP-Address == 172.150.0.1 file users: DEFAULT Ldap-Group == "xxxx" Huntgroup-Name == "xxxx" I am very glad for any help and if someone have better solution for this i'm happy to hear it. There is about 600 NAS (sw's and routers) for different customers and we need to provide mgmt access to customers and our NOC staff, so i think we need to use huntgroups w groups and if someone have example for this one I'm very glad for that also. Best regards, Ville Leinonen
Hi, Thank you for your reply. It was my mistake, when i was testing. Corrected DEFAULT Ldap-Group == "xxxx", Huntgroup-Name == "xxxx" Still not working as i want. Br, Ville
Hi,
file users:
DEFAULT Ldap-Group == "xxxx" Huntgroup-Name == "xxxx"
multiple lines? the first line is CHECK items. other lines are REPY items
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Here comes: rlm_ldap::ldap_groupcmp: User found in group xxxx and user still access in. I noticed that if i disable ldap and put user in users file like this: ville@xxxx.fi Cleartext-Password := "zzzz", Huntgroup-Name == "xxxx" it works and i can filter users based on huntgroup. Br, Ville
Hi,
It was my mistake, when i was testing.
Corrected DEFAULT Ldap-Group == "xxxx", Huntgroup-Name == "xxxx" Still not working as i want.
output?
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Here: rad_recv: Access-Request packet from host 172.150.0.62 port 25196, id=194, length=63 User-Name = "testuser@xxxx.fi" User-Password = "testpass" NAS-IP-Address = 172.150.0.62 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.150.0.62/auth-detail-20130805 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.150.0.62/auth-detail-20130805 [auth_log] expand: %t -> Mon Aug 5 19:03:20 2013 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "xxxx.fi" for User-Name = "testuser@xxxx.fi" [suffix] No such realm "xxxx.fi" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [ldap] Entering ldap_groupcmp() [files] expand: dc=demonet,dc=local -> dc=demonet,dc=local [files] expand: %{Stripped-User-Name} -> [files] ... expanding second conditional [files] expand: %{User-Name} -> testuser@xxxx.fi [files] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testuser@xxxx.fi) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=demonet,dc=local, with filter (uid=testuser@xxxx.fi) [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dTauno Testaaja\2cou\3dxxxx\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno Testaaja\2cou\3dxxxx\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=demonet,dc=local, with filter (&(cn=xxxx)(|(&(objectClass=GroupOfNames)(member=cn\3dTauno Testaaja\2cou\3dxxxx\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno Testaaja\2cou\3dxxxx\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Tauno Testaaja,ou=xxxx,ou=Customers,dc=demonet,dc=local, with filter (objectclass=*) rlm_ldap::ldap_groupcmp: User found in group xxxx [ldap] ldap_release_conn: Release Id: 0 [ldap] Entering ldap_groupcmp() [files] expand: dc=demonet,dc=local -> dc=demonet,dc=local [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dTauno Testaaja\2cou\3dxxxx\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno Testaaja\2cou\3dxxxx\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=demonet,dc=local, with filter (&(cn=disabled)(|(&(objectClass=GroupOfNames)(member=cn\3dTauno Testaaja\2cou\3dxxxx\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno Testaaja\2cou\3dxxxx\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Tauno Testaaja,ou=xxxx,ou=Customers,dc=demonet,dc=local, with filter (objectclass=*) rlm_ldap::groupcmp: Group disabled not found or user not a member [ldap] ldap_release_conn: Release Id: 0 ++[files] returns noop [ldap] performing user authorization for testuser@xxxx.fi [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> testuser@xxxx.fi [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testuser@xxxx.fi) [ldap] expand: dc=demonet,dc=local -> dc=demonet,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=demonet,dc=local, with filter (uid=testuser@xxxx.fi) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{SSHA}g5PDm9CrOOQu+XjbMGHTPnY43mifXND0" [ldap] looking for reply items in directory... [ldap] Setting Auth-Type = LDAP [ldap] user testuser@xxxx.fi authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing SSHA1-Password from base64 encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = LDAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group LDAP {...} [ldap] login attempt by "testuser@xxxx.fi" with password "testpass" [ldap] user DN: cn=Tauno Testaaja,ou=xxxx,ou=Customers,dc=demonet,dc=local [ldap] (re)connect to 172.150.0.22:389, authentication 1 [ldap] bind as cn=Tauno Testaaja,ou=xxxx,ou=Customers,dc=demonet,dc=local/testpass to 172.150.0.22:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] user testuser@xxxx.fi authenticated succesfully ++[ldap] returns ok Login OK: [testuser@xxxx.fi/testpass] (from client demonet-VPN01 port 0) # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 194 to 172.150.0.62 port 25196 Finished request 6. Going to the next request Waking up in 4.9 seconds. Cleaning up request 6 ID 194 with timestamp +42 Ready to process requests. Br, Ville
Hi,
Here comes:
rlm_ldap::ldap_groupcmp: User found in group xxxx
radiusd -X
its what the docs say. for a reason
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, Any news for this problem? Br, Ville 5.8.2013 19:08, ville@leinonen.org kirjoitti:
Here:
rad_recv: Access-Request packet from host 172.150.0.62 port 25196, id=194, length=63 User-Name = "testuser@xxxx.fi" User-Password = "testpass" NAS-IP-Address = 172.150.0.62 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.150.0.62/auth-detail-20130805 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.150.0.62/auth-detail-20130805 [auth_log] expand: %t -> Mon Aug 5 19:03:20 2013 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "xxxx.fi" for User-Name = "testuser@xxxx.fi" [suffix] No such realm "xxxx.fi" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [ldap] Entering ldap_groupcmp() [files] expand: dc=demonet,dc=local -> dc=demonet,dc=local [files] expand: %{Stripped-User-Name} -> [files] ... expanding second conditional [files] expand: %{User-Name} -> testuser@xxxx.fi [files] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testuser@xxxx.fi) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=demonet,dc=local, with filter (uid=testuser@xxxx.fi) [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dTauno Testaaja\2cou\3dxxxx\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno Testaaja\2cou\3dxxxx\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=demonet,dc=local, with filter (&(cn=xxxx)(|(&(objectClass=GroupOfNames)(member=cn\3dTauno Testaaja\2cou\3dxxxx\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno Testaaja\2cou\3dxxxx\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Tauno Testaaja,ou=xxxx,ou=Customers,dc=demonet,dc=local, with filter (objectclass=*) rlm_ldap::ldap_groupcmp: User found in group xxxx [ldap] ldap_release_conn: Release Id: 0 [ldap] Entering ldap_groupcmp() [files] expand: dc=demonet,dc=local -> dc=demonet,dc=local [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dTauno Testaaja\2cou\3dxxxx\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno Testaaja\2cou\3dxxxx\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=demonet,dc=local, with filter (&(cn=disabled)(|(&(objectClass=GroupOfNames)(member=cn\3dTauno Testaaja\2cou\3dxxxx\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno Testaaja\2cou\3dxxxx\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Tauno Testaaja,ou=xxxx,ou=Customers,dc=demonet,dc=local, with filter (objectclass=*) rlm_ldap::groupcmp: Group disabled not found or user not a member [ldap] ldap_release_conn: Release Id: 0 ++[files] returns noop [ldap] performing user authorization for testuser@xxxx.fi [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> testuser@xxxx.fi [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testuser@xxxx.fi) [ldap] expand: dc=demonet,dc=local -> dc=demonet,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=demonet,dc=local, with filter (uid=testuser@xxxx.fi) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{SSHA}g5PDm9CrOOQu+XjbMGHTPnY43mifXND0" [ldap] looking for reply items in directory... [ldap] Setting Auth-Type = LDAP [ldap] user testuser@xxxx.fi authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing SSHA1-Password from base64 encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = LDAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group LDAP {...} [ldap] login attempt by "testuser@xxxx.fi" with password "testpass" [ldap] user DN: cn=Tauno Testaaja,ou=xxxx,ou=Customers,dc=demonet,dc=local [ldap] (re)connect to 172.150.0.22:389, authentication 1 [ldap] bind as cn=Tauno Testaaja,ou=xxxx,ou=Customers,dc=demonet,dc=local/testpass to 172.150.0.22:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] user testuser@xxxx.fi authenticated succesfully ++[ldap] returns ok Login OK: [testuser@xxxx.fi/testpass] (from client demonet-VPN01 port 0) # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 194 to 172.150.0.62 port 25196 Finished request 6. Going to the next request Waking up in 4.9 seconds. Cleaning up request 6 ID 194 with timestamp +42 Ready to process requests.
Br,
Ville
Hi,
Here comes:
rlm_ldap::ldap_groupcmp: User found in group xxxx radiusd -X
its what the docs say. for a reason
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Ville Leinonen -
ville@leinonen.org