Users-file and LDAP backend mixing questions
Hello! I'm using FreeRadius 2.1.3 with LDAP (eDirectory) and plain-text (users file) backends and I don't know how to solve a couple of problems :( 1. Is possible to mix users with same names, but different passwords from LDAP and from users file? There are some old time users in my org, who don't belong to eDirectory tree and there are users in eDirectory with same names that should not be treated like old-time ones. 2. I need some special DEFAULT with Fall-Through=yes rules that should match only users, authenticated by LDAP backend. I've tried Ldap-UserDn in check section of users file, but it seems to me, that Ldap-UserDn attribute is empty everytime :( 3. Also i need a reject rule for those users, who was authenticated by LDAP and do not belong to any ldap-group. I've tried Ldap-Group !*, but this attribute always exists for every user :( Please help. --- Sincerely yours, Maxim
Куприянов Максим wrote:
I'm using FreeRadius 2.1.3 with LDAP (eDirectory) and plain-text (users file) backends and I don't know how to solve a couple of problems :(
How do you tell the users apart?
1. Is possible to mix users with same names, but different passwords from LDAP and from users file? There are some old time users in my org, who don't belong to eDirectory tree and there are users in eDirectory with same names that should not be treated like old-time ones.
Maybe.
2. I need some special DEFAULT with Fall-Through=yes rules that should match only users, authenticated by LDAP backend. I've tried Ldap-UserDn in check section of users file, but it seems to me, that Ldap-UserDn attribute is empty everytime :(
Don't use the "users" file for this. See "man unlang".
3. Also i need a reject rule for those users, who was authenticated by LDAP and do not belong to any ldap-group. I've tried Ldap-Group !*, but this attribute always exists for every user :(
I'm not sure how you would do that. Maybe do an LDAP query for group membership, and check if the returned string is empty. Alan DeKok.
19.01.09, 12:30, "Alan DeKok" <aland@deployingradius.com>:
Куприянов Максим wrote:
I'm using FreeRadius 2.1.3 with LDAP (eDirectory) and plain-text (users file) backends and I don't know how to solve a couple of problems :( How do you tell the users apart? 1. Is possible to mix users with same names, but different passwords from LDAP and from users file? There are some old time users in my org, who don't belong to eDirectory tree and there are users in eDirectory with same names that should not be treated like old-time ones. Maybe. I'm sure they have different passwords (password policy is different), but I don't understand how to configure the logic "First try to authenticate to eDirectory with User-Password, if it fails - try plain-text comparison with Clear-Password attribute, which was set in users file".
2. I need some special DEFAULT with Fall-Through=yes rules that should match only users, authenticated by LDAP backend. I've tried Ldap-UserDn in check section of users file, but it seems to me, that Ldap-UserDn attribute is empty everytime :( Don't use the "users" file for this. See "man unlang". Thanks for hint, I'll take a look.
3. Also i need a reject rule for those users, who was authenticated by LDAP and do not belong to any ldap-group. I've tried Ldap-Group !*, but this attribute always exists for every user :( I'm not sure how you would do that. Maybe do an LDAP query for group membership, and check if the returned string is empty. It will not work :-(. He're is a quote from rlm_ldap.c:ldap_groupcmp(): if (check->vp_strvalue == NULL || check->length == 0){ DEBUG("rlm_ldap::ldap_groupcmp: Illegal group name"); return 1; }
Alan DeKok.
--- Sincerely yours, Maxim
19.01.09, 16:52, tnt@kalik.net:
3. Also i need a reject rule for those users, who was authenticated by LDAP and do not belong to any ldap-group. I've tried Ldap-Group !*, but this attribute always exists for every user :( Try unlang: if (!control:Ldap-Group) { ... Ivan Kalik Kalik Informatika ISP
It doesn't work. For example, user for sure belongs to some LDAP-group: Mon Jan 19 19:16:42 2009 : Debug: rlm_ldap: performing search in ou=radius,o=myorg, with filter (&(cn=telnet)(&(objectclass=radiusprofile)(|(&(objectClass=groupOfNames)(member=cn\3dmax\2cou\3dradius\2co\3dmyorg))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dmax\2cou\3dradius\2co\3dmyorg))))) Mon Jan 19 19:16:42 2009 : Debug: rlm_ldap::ldap_groupcmp: User found in group telnet Here is a part of my test configuration from authorize section: if (!Ldap-Group) { ok } if (!control:Ldap-Group) { ok } if (!request:Ldap-Group) { ok } if (!reply:Ldap-Group) { ok } if (!config:Ldap-Group) { ok } Here're results from -X: Mon Jan 19 19:16:42 2009 : Info: ++++? if (!Ldap-Group) Mon Jan 19 19:16:42 2009 : Info: ? Evaluating !(Ldap-Group) -> FALSE Mon Jan 19 19:16:42 2009 : Info: ++++? if (!Ldap-Group) -> TRUE Mon Jan 19 19:16:42 2009 : Info: ++++- entering if (!Ldap-Group) {...} Mon Jan 19 19:16:42 2009 : Info: +++++[ok] returns ok Mon Jan 19 19:16:42 2009 : Info: ++++- if (!Ldap-Group) returns ok Mon Jan 19 19:16:42 2009 : Info: ++++? if (!control:Ldap-Group) Mon Jan 19 19:16:42 2009 : Info: ? Evaluating !(control:Ldap-Group) -> FALSE Mon Jan 19 19:16:42 2009 : Info: ++++? if (!control:Ldap-Group) -> TRUE Mon Jan 19 19:16:42 2009 : Info: ++++- entering if (!control:Ldap-Group) {...} Mon Jan 19 19:16:42 2009 : Info: +++++[ok] returns ok Mon Jan 19 19:16:42 2009 : Info: ++++- if (!control:Ldap-Group) returns ok Mon Jan 19 19:16:42 2009 : Info: ++++? if (!request:Ldap-Group) Mon Jan 19 19:16:42 2009 : Info: ? Evaluating !(request:Ldap-Group) -> FALSE Mon Jan 19 19:16:42 2009 : Info: ++++? if (!request:Ldap-Group) -> TRUE Mon Jan 19 19:16:42 2009 : Info: ++++- entering if (!request:Ldap-Group) {...} Mon Jan 19 19:16:42 2009 : Info: +++++[ok] returns ok Mon Jan 19 19:16:42 2009 : Info: ++++- if (!request:Ldap-Group) returns ok Mon Jan 19 19:16:42 2009 : Info: ++++? if (!reply:Ldap-Group) Mon Jan 19 19:16:42 2009 : Info: ? Evaluating !(reply:Ldap-Group) -> FALSE Mon Jan 19 19:16:42 2009 : Info: ++++? if (!reply:Ldap-Group) -> TRUE Mon Jan 19 19:16:42 2009 : Info: ++++- entering if (!reply:Ldap-Group) {...} Mon Jan 19 19:16:42 2009 : Info: +++++[ok] returns ok Mon Jan 19 19:16:42 2009 : Info: ++++- if (!reply:Ldap-Group) returns ok Mon Jan 19 19:16:42 2009 : Info: ++++? if (!config:Ldap-Group) Mon Jan 19 19:16:42 2009 : Info: ? Evaluating !(config:Ldap-Group) -> FALSE Mon Jan 19 19:16:42 2009 : Info: ++++? if (!config:Ldap-Group) -> TRUE Mon Jan 19 19:16:42 2009 : Info: ++++- entering if (!config:Ldap-Group) {...} Mon Jan 19 19:16:42 2009 : Info: +++++[ok] returns ok Mon Jan 19 19:16:42 2009 : Info: ++++- if (!config:Ldap-Group) returns ok Mon Jan 19 19:16:42 2009 : Info: +++- if (ok) returns ok I've also tried Ldap-Group != "*", which always should return something for that user. But LDAP backend can only deal with one-record-only results :( --- Maxim
3. Also i need a reject rule for those users, who was authenticated by LDAP and do not belong to any ldap-group. I've tried Ldap-Group !*, but this attribute always exists for every user :( Try unlang: if (!control:Ldap-Group) { ... Ivan Kalik Kalik Informatika ISP
It doesn't work. For example, user for sure belongs to some LDAP-group:
Hm, and you are sure that empty string value check: if('%{control:Ldap-Group}' != "") { ... isn't working? Ivan Kalik Kalik Informatika ISP
19.01.09, 18:13, tnt@kalik.net:
3. Also i need a reject rule for those users, who was authenticated by LDAP and do not belong to any ldap-group. I've tried Ldap-Group !*, but this attribute always exists for every user :( Try unlang: if (!control:Ldap-Group) { ...
It doesn't work. For example, user for sure belongs to some LDAP-group: Hm, and you are sure that empty string value check: if('%{control:Ldap-Group}' != "") { ... isn't working?
Quote from "default" file: authorize { .. ldap if (ok) { if("%{control:Ldap-Group}" != "") { ok } } .. } Quote from "users" file (for group existence testing): .. DEFAULT Framed-Protocol !* any, Ldap-Group == "telnet" .. Example 1: User belongs to one group: $ ldapsearch -x cn=test_user groupMembership | grep radius groupMembership: cn=telnet,ou=profiles,ou=radius,o=myorg $ radiusd -X -xx -s .. Tue Jan 20 10:42:26 2009 : Debug: rlm_ldap: performing search in ou=radius,o=myorg, with filter (&(cn=telnet)(&(objectclass=radiusprofile)(|(&(objectClass=groupOfNames)(member=cn\3dtest_user\2cou\3dusers\2cou\3dradius\2co\3dmyorg))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dtest_user\2cou\3dusers\2cou\3dradius\2co\3dmyorg))))) Tue Jan 20 10:42:27 2009 : Debug: rlm_ldap::ldap_groupcmp: User found in group telnet Tue Jan 20 10:42:27 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 .. Tue Jan 20 10:42:27 2009 : Info: ++++? if ("%{control:Ldap-Group}" != "") Tue Jan 20 10:42:27 2009 : Info: expand: %{control:Ldap-Group} -> Tue Jan 20 10:42:27 2009 : Info: ? Evaluating ("%{control:Ldap-Group}" != "") -> FALSE Tue Jan 20 10:42:27 2009 : Info: ++++? if ("%{control:Ldap-Group}" != "") -> FALSE .. Example 2: User does not belong to any group: $ ldapsearch -x cn=test_user groupMembership uid | egrep "(uid|radius)" # requesting: groupMembership uid uid: test_user $ radiusd -X -xx -s .. Tue Jan 20 10:49:57 2009 : Debug: rlm_ldap: performing search in ou=radius,o=myorg, with filter (&(cn=telnet)(&(objectclass=radiusprofile)(|(&(objectClass=groupOfNames)(member=cn\3dtest_user\2cou\3dusers\2cou\3dradius\2co\3dmyorg))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dtest_user\2cou\3dusers\2cou\3dradius\2co\3dmyorg))))) Tue Jan 20 10:49:57 2009 : Debug: rlm_ldap: object not found or got ambiguous search result .. Tue Jan 20 10:49:57 2009 : Info: ++++? if ("%{control:Ldap-Group}" != "") Tue Jan 20 10:49:57 2009 : Info: expand: %{control:Ldap-Group} -> Tue Jan 20 10:49:57 2009 : Info: ? Evaluating ("%{control:Ldap-Group}" != "") -> FALSE Tue Jan 20 10:49:57 2009 : Info: ++++? if ("%{control:Ldap-Group}" != "") -> FALSE .. --- Maxim
OK. Let's backtrack. Something is wrong here.
Try unlang: if (!control:Ldap-Group) { ...
I have done this with Auth-Type before and it works. But you say that this is active regardles of user being in ldap group or not. Try this: ldap if(!control:Ldap-Group) { } update control { Ldap-Group = "something" } if(!control:Ldap-Group) { } It looks to me that your ldap module is not populating Ldap-Group. Ivan Kalik Kalik Informatika ISP
OK. Let's backtrack. Something is wrong here. Try unlang: if (!control:Ldap-Group) { ...
I have done this with Auth-Type before and it works. But you say that this is active regardles of user being in ldap group or not. Try this:
ldap
if(!control:Ldap-Group) { } update control { Ldap-Group = "something" } if(!control:Ldap-Group) { }
It looks to me that your ldap module is not populating Ldap-Group.
Ivan Kalik Kalik Informatika ISP
You're right. This is a test results for user, who for sure belongs to some groups: Wed Jan 21 11:27:35 2009 : Info: ++++? if (!control:Ldap-Group) Wed Jan 21 11:27:35 2009 : Info: ? Evaluating !(control:Ldap-Group) -> FALSE Wed Jan 21 11:27:35 2009 : Info: ++++? if (!control:Ldap-Group) -> TRUE Wed Jan 21 11:27:35 2009 : Info: ++++- entering if (!control:Ldap-Group) {...} Wed Jan 21 11:27:35 2009 : Info: +++++- if (!control:Ldap-Group) returns notfound Wed Jan 21 11:27:35 2009 : Info: ++++- if (ok) returns notfound Wed Jan 21 11:27:35 2009 : Info: ++++[control] returns notfound Wed Jan 21 11:27:35 2009 : Info: ++++? if (!control:Ldap-Group) Wed Jan 21 11:27:35 2009 : Info: ? Evaluating !(control:Ldap-Group) -> TRUE Wed Jan 21 11:27:35 2009 : Info: ++++? if (!control:Ldap-Group) -> FALSE Wed Jan 21 11:27:35 2009 : Info: +++- if (ok) returns notfound Another example with such a config: if(control:Ldap-Group == "telnet") { } if(Ldap-Group == "telnet") { } if(!Ldap-Group) { } if(!control:Ldap-Group) { } Wed Jan 21 11:44:18 2009 : Info: ++++? if (control:Ldap-Group == "telnet") Wed Jan 21 11:44:18 2009 : Info: (Attribute control:Ldap-Group was not found) Wed Jan 21 11:44:18 2009 : Info: ++++? if (Ldap-Group == "telnet") Wed Jan 21 11:44:18 2009 : Debug: rlm_ldap: Entering ldap_groupcmp() Wed Jan 21 11:44:18 2009 : Info: expand: o=myorg -> o=myorg Wed Jan 21 11:44:18 2009 : Info: expand: (&(objectclass=radiusprofile)(|(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))) -> (&(objectclass=radiusprofile)(|(&(objectClass=groupOfNames)(member=cn\3dtest_user\2cou\3dusers\2co\3dmyorg))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dtest_user\2cou\3dusers\2co\3dmyorg)))) Wed Jan 21 11:44:18 2009 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0 Wed Jan 21 11:44:18 2009 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0 Wed Jan 21 11:44:18 2009 : Debug: rlm_ldap: performing search in o=myorg, with filter (&(cn=telnet)(&(objectclass=radiusprofile)(|(&(objectClass=groupOfNames)(member=cn\3dtest_user\2cou\3dusers\2co\3dmyorg))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dtest_user\2cou\3dusers\2co\3dmyorg))))) Wed Jan 21 11:44:18 2009 : Debug: rlm_ldap::ldap_groupcmp: User found in group telnet Wed Jan 21 11:44:18 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Wed Jan 21 11:44:18 2009 : Info: ? Evaluating (Ldap-Group == "telnet") -> TRUE Wed Jan 21 11:44:18 2009 : Info: ++++? if (Ldap-Group == "telnet") -> TRUE Wed Jan 21 11:44:18 2009 : Info: ++++- entering if (Ldap-Group == "telnet") {...} Wed Jan 21 11:44:18 2009 : Info: +++++- if (Ldap-Group == "telnet") returns notfound Wed Jan 21 11:44:18 2009 : Info: ++++- if (ok) returns notfound Wed Jan 21 11:44:18 2009 : Info: ++++? if (!Ldap-Group) Wed Jan 21 11:44:18 2009 : Info: ? Evaluating !(Ldap-Group) -> FALSE Wed Jan 21 11:44:18 2009 : Info: ++++? if (!Ldap-Group) -> TRUE Wed Jan 21 11:44:18 2009 : Info: ++++- entering if (!Ldap-Group) {...} Wed Jan 21 11:44:18 2009 : Info: +++++- if (!Ldap-Group) returns notfound Wed Jan 21 11:44:18 2009 : Info: ++++- if (ok) returns notfound Wed Jan 21 11:44:18 2009 : Info: ++++? if (!control:Ldap-Group) Wed Jan 21 11:44:18 2009 : Info: ? Evaluating !(control:Ldap-Group) -> FALSE Wed Jan 21 11:44:18 2009 : Info: ++++? if (!control:Ldap-Group) -> TRUE Wed Jan 21 11:44:18 2009 : Info: ++++- entering if (!control:Ldap-Group) {...} Wed Jan 21 11:44:18 2009 : Info: +++++[ok] returns ok Wed Jan 21 11:44:18 2009 : Info: ++++- if (!control:Ldap-Group) returns ok
Wed Jan 21 11:44:18 2009 : Debug: rlm_ldap::ldap_groupcmp: User found in group telnet Wed Jan 21 11:44:18 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Wed Jan 21 11:44:18 2009 : Info: ? Evaluating (Ldap-Group == "telnet") -> TRUE Wed Jan 21 11:44:18 2009 : Info: ++++? if (Ldap-Group == "telnet") -> TRUE Wed Jan 21 11:44:18 2009 : Info: ++++- entering if (Ldap-Group == "telnet") {...} Wed Jan 21 11:44:18 2009 : Info: +++++- if (Ldap-Group == "telnet") returns notfound Wed Jan 21 11:44:18 2009 : Info: ++++- if (ok) returns notfound Wed Jan 21 11:44:18 2009 : Info: ++++? if (!Ldap-Group) Wed Jan 21 11:44:18 2009 : Info: ? Evaluating !(Ldap-Group) -> FALSE Wed Jan 21 11:44:18 2009 : Info: ++++? if (!Ldap-Group) -> TRUE Wed Jan 21 11:44:18 2009 : Info: ++++- entering if (!Ldap-Group) {...} Wed Jan 21 11:44:18 2009 : Info: +++++- if (!Ldap-Group) returns notfound Wed Jan 21 11:44:18 2009 : Info: ++++- if (ok) returns notfound Wed Jan 21 11:44:18 2009 : Info: ++++? if (!control:Ldap-Group) Wed Jan 21 11:44:18 2009 : Info: ? Evaluating !(control:Ldap-Group) -> FALSE Wed Jan 21 11:44:18 2009 : Info: ++++? if (!control:Ldap-Group) -> TRUE Wed Jan 21 11:44:18 2009 : Info: ++++- entering if (!control:Ldap-Group) {..} Wed Jan 21 11:44:18 2009 : Info: +++++[ok] returns ok Wed Jan 21 11:44:18 2009 : Info: ++++- if (!control:Ldap-Group) returns ok
Hm, so it is there but not on the control list. I don't know what list is it on then. Ivan Kalik Kalik Informatika ISP
I've checked the sources - rlm_ldap NEVER sets Ldap-Group attribute. It is used for comparison only :(
Only option seems to be testing for Ldap-Group != "".
Ivan Kalik
It will not work. Quote from rlm_ldap.c: static int ldap_groupcmp(void *instance, REQUEST *req, UNUSED VALUE_PAIR *request, VALUE_PAIR *check, .. if (check->vp_strvalue == NULL || check->length == 0){ DEBUG("rlm_ldap::ldap_groupcmp: Illegal group name"); return 1; } It seems to me, that writing some patch is the only solution for my problem :) --- Maxim
I've checked the sources - rlm_ldap NEVER sets Ldap-Group attribute. It is used for comparison only :(
Only option seems to be testing for Ldap-Group != "".
Ivan Kalik
It will not work. Quote from rlm_ldap.c: static int ldap_groupcmp(void *instance, REQUEST *req, UNUSED VALUE_PAIR *request, VALUE_PAIR *check, ... if (check->vp_strvalue == NULL || check->length == 0){ DEBUG("rlm_ldap::ldap_groupcmp: Illegal group name"); return 1; }
It seems to me, that writing some patch is the only solution for my problem :)
I have a feeling that the same (you can check the value but not use it as an attribute) applies to SQL-Group. I will check that one. Ivan Kalik Kalik Informatika ISP
Куприянов Максим wrote:
I'm using FreeRadius 2.1.3 with LDAP (eDirectory) and plain-text (users file) backends and I don't know how to solve a couple of problems :(
How do you tell the users apart?
1. Is possible to mix users with same names, but different passwords from LDAP and from users file? There are some old time users in my org, who don't belong to eDirectory tree and there are users in eDirectory with same names that should not be treated like old-time ones.
Maybe.
I guess, I've found some kind of solution: /etc/raddb/dictionary: ATTRIBUTE Local-Skip-LDAP 3101 integer ATTRIBUTE Local-LDAP-User 3102 integer VALUE Local-Skip-LDAP true 1 VALUE Local-Skip-LDAP false 0 VALUE Local-LDAP-User true 1 VALUE Local-LDAP-User false 0 /etc/raddb/users: old_user User-Password == "testing", Cleartext-Password := "testing" Local-Skip-LDAP = true /etc/raddb/sites-available/default: authorize { .. if (!reply:Local-Skip-LDAP) { ldap if (ok) { update request { Local-LDAP-User := true } } } .. } The only problem i've got, that instead of using users file to specify default attributes for those none-LDAP user, I should use post-auth section of "default" site with (!request:Local-LDAP-User) and vice-versa condition. So, many thanks to Alan for "man unlang" hint :) But one problem still remain - i still don't understand how to check, that LDAP-user does not belong to any group. Any ideas? --- Maxim
participants (3)
-
Alan DeKok -
tnt@kalik.net -
Куприянов Максим