unlang post-auth group-name
Hi I'm trying to obtain the Group-Name for the requested user and use it with unlang in the Post-Auth section of my sites-available/default config. This hasn't work thus far, and I have tried a number of other ideas, such as getting it whilst in the Authorize section and creating new variable to hold it there and then referencing that, but still with no success. Can someone tell me how I can accomplish this, below is a snippet of my config so you can see what I am trying to accomplish, any help would be greatly appreciated. post-auth {
switch "%{client:vendor}" {
case adva { switch "%{Group-Name}" {
case net_ro { update reply { ADVA-UUM-User-Level := "Monitor" } }
case net_rw { update reply { ADVA-UUM-User-Level := "Admin" } }
case net_su { update reply { ADVA-UUM-User-Level := "Root" } } } }
case cisco { ... }
case netscreen { ... } } }
Cheers Cam. --
Cameron Wood wrote:
I'm trying to obtain the Group-Name for the requested user and use it with unlang in the Post-Auth section of my sites-available/default config.
That won't work. The user may be a member of many groups, so "obtaining" the group name is not possible. You can *compare* to see if the user is a member of a group. If you want different kinds of groups, see "man rlm_passwd" Alan DeKok.
Thanks for the reply Alan. Thanks for the reply Alan. That won't work. The user may be a member of many groups, so
"obtaining" the group name is not possible.
That makes perfect sense. You can *compare* to see if the user is a member of a group.
How can I compare this data? I've tried comparing for it in the Authorize section using an IF statement, but that didn't work. Cheers Cam. -- On Sat, Sep 25, 2010 at 17:07, Alan DeKok <aland@deployingradius.com> wrote:
Cameron Wood wrote:
I'm trying to obtain the Group-Name for the requested user and use it with unlang in the Post-Auth section of my sites-available/default config.
That won't work. The user may be a member of many groups, so "obtaining" the group name is not possible. You can *compare* to see if the user is a member of a group.
If you want different kinds of groups, see "man rlm_passwd"
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I first tried using Group-Name as that works in the Users file... if (Group-Name == "net_su") { update control { Tmp-String-0 := "net_su" } } Then after searching the mailing list I came across Ldap-Group and gave that a try as well... if (Ldap-Group == "net_su") { update control { Tmp-String-0 := "net_su" } } Cam. -- On Sat, Sep 25, 2010 at 18:12, Alan DeKok <aland@deployingradius.com> wrote:
Cameron Wood wrote:
How can I compare this data? I've tried comparing for it in the Authorize section using an IF statement, but that didn't work.
<sigh>
*What* did you try?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
The debug output says almost nothing for that statement... ++? if (Group-Name == "net_su")
? Evaluating (Group-Name == "net_su") -> FALSE ++? if (Group-Name == "net_su") -> FALSE
Cam. -- On Sat, Sep 25, 2010 at 19:06, Alan DeKok <aland@deployingradius.com> wrote:
Cameron Wood wrote:
I first tried using Group-Name as that works in the Users file...
if (Group-Name == "net_su") {
And the debug mode says... ?
If you're interested in never solving the problem, you're off to a good start.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I don't understand how you could have arrived at this position. All I have been doing is seeking some help with my problem; politely asking questions and providing what I thought was relevant information when asked. If any of the questions I have asked were too brief or not detailed enough then surely you could have asked me to provide more detail? Could you please reconsider helping me with this problem of mine. Regards Cam. -- On Sat, Sep 25, 2010 at 22:55, Alan DeKok <aland@deployingradius.com> wrote:
Cameron Wood wrote:
The debug output says almost nothing for that statement...
You've repeatedly tried to make it impossible for anyone to help you. I have no idea why, but I definitely get the message.
Good luck solving the problem.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Cameron Wood wrote:
If any of the questions I have asked were too brief or not detailed enough then surely you could have asked me to provide more detail?
I did. You *repeatedly* gave minimal information in response to a question. It's like asking you where you live. You respond "Earth". Yes... which country "In the northern hemisphere". Yes... which one? "Some people speak English". That narrows it down to about 20 countries, and shows a distinct lack of respect in the conversation. Alan DeKok.
That wasn't my intention, I thought pasting the entire sites-available/default and debug output might be frowned upon. I've attached a copy of my entire sites-available/default config and debug log to this email for reference. If you could take a look and help me work through this problem I would greatly appreciate it. Regards Cam. -- On Sun, Sep 26, 2010 at 00:44, Alan DeKok <aland@deployingradius.com> wrote:
Cameron Wood wrote:
If any of the questions I have asked were too brief or not detailed enough then surely you could have asked me to provide more detail?
I did. You *repeatedly* gave minimal information in response to a question.
It's like asking you where you live. You respond "Earth". Yes... which country "In the northern hemisphere". Yes... which one? "Some people speak English". That narrows it down to about 20 countries, and shows a distinct lack of respect in the conversation.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
That wasn't my intention, I thought pasting the entire sites-available/default and debug output might be frowned upon.
pasting the config file is not necessary. if you read the docs and the mailing list history, you will see that posting the full, complete debug output log from 'radiusd -X' is *exactly* what you need to do
++? if ("%{Group-Name}" == "net_su") expand: %{Group-Name} -> ? Evaluating ("%{Group-Name}" == "net_su") -> FALSE ++? if ("%{Group-Name}" == "net_su") -> FALSE
you posted this information in a previous email - and asked questions about it. so i will clarify. line 1 the config file says I should check Group-Name line 2 the current value of Group-Name (blank!) line 3 lets check (evaluate) the value....is it net_su ? no. (FALSE) line 4 the output result debug showing the line 1 statement evaluation is FALSE so, basically, that value isnt net_su - you need to get the right attribute (or ensure it gets populated!) and then your Tmp attribute will be set right and everything will be closer to what you want alan
Alan Buxey wrote:
Hi,
That wasn't my intention, I thought pasting the entire sites-available/default and debug output might be frowned upon.
pasting the config file is not necessary. if you read the docs and the mailing list history, you will see that posting the full, complete debug output log from 'radiusd -X' is *exactly* what you need to do
++? if ("%{Group-Name}" == "net_su") ... the config file says I should check Group-Name
It says *expand* the value, which is blank as you noted... because Group-Name only does comparisons. And this example is different than what he posted previously. <sigh>
so, basically, that value isnt net_su - you need to get the right attribute (or ensure it gets populated!) and then your Tmp attribute will be set right and everything will be closer to what you want
Group-Name (and Group) don't get populated, because the user may be a member of many, many, groups. Alan DeKok.
Thank you Alan B & Alan D for your comments, and I'll make sure to include the full, complete debug output log in future. I don't think the logic of my example has changed since my earlier post, but I admittedly have tried encasing it in %{...} and adding a list to it as well to try and get it to compare against the right data. Is the comparison in the right location, in the Authorize section, and if so am I trying to compare against the wrong attribute, hence it getting expanded and not returning anything? Alan D could you shed some light on how the Group-Name attribute in Users is populated/gets compared when doing checks there? I suspect from your comment that the field I am trying to check against since you say it can contain many values "because the user may be a member of many, many, groups" could be a long string with separators or an array of values, would this be right? In which case do I need to use a regex method or access a specific value within an array? Regards Cam. -- On Sun, Sep 26, 2010 at 05:50, Alan DeKok <aland@deployingradius.com> wrote:
Alan Buxey wrote:
Hi,
That wasn't my intention, I thought pasting the entire sites-available/default and debug output might be frowned upon.
pasting the config file is not necessary. if you read the docs and the mailing list history, you will see that posting the full, complete debug output log from 'radiusd -X' is *exactly* what you need to do
++? if ("%{Group-Name}" == "net_su") ... the config file says I should check Group-Name
It says *expand* the value, which is blank as you noted... because Group-Name only does comparisons.
And this example is different than what he posted previously. <sigh>
so, basically, that value isnt net_su - you need to get the right attribute (or ensure it gets populated!) and then your Tmp attribute will be set right and everything will be closer to what you want
Group-Name (and Group) don't get populated, because the user may be a member of many, many, groups.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Cameron Wood wrote:
Is the comparison in the right location, in the Authorize section, and if so am I trying to compare against the wrong attribute, hence it getting expanded and not returning anything?
The previous explanations already answered this.
Alan D could you shed some light on how the Group-Name attribute in Users is populated/gets compared when doing checks there?
It allows checks for membership in the Unix groups.
I suspect from your comment that the field I am trying to check against since you say it can contain many values "because the user may be a member of many, many, groups" could be a long string with separators or an array of values, would this be right? In which case do I need to use a regex method or access a specific value within an array?
My first response to you already answered this. In case you don't find this message helpful: 1) you have already been told the answers to those questions 2) my responses are no more obtuse than yours Alan DeKok.
On 09/26/2010 03:08 AM, Cameron Wood wrote:
Thank you Alan B & Alan D for your comments, and I'll make sure to include the full, complete debug output log in future.
I don't think the logic of my example has changed since my earlier post, but I admittedly have tried encasing it in %{...} and adding a list to it as well to try and get it to compare against the right data.
That *is* a logic change. To be clear: The Group-Name attribute, along with similar attributes (SQL-Group, LDAP-Group) does not have a "value". You cannot have it on the right hand side of an operator. The only valid location for these attributes is on the left hand side of an == operator, because internally they "hook" tne == operator, and do this: for group in all_groups: if group == right-hand-side return True return False So, this is valid in an "unlang" block: if (Group-Name == ANYVALUE) ...but ANYTHING alse you might try is not. In particular, none of the following will work: if ("%{Group-Name]" ...) update control { An-Attribute = "%{Group-Name}" } if (An-Attribute) ...and so on.
Is the comparison in the right location, in the Authorize section, and if so am I trying to compare against the wrong attribute, hence it getting expanded and not returning anything?
Alan D could you shed some light on how the Group-Name attribute in Users is populated/gets compared when doing checks there?
It does not get "populated". The attribute implements its own == handler, which operates as above.
I suspect from your comment that the field I am trying to check against since you say it can contain many values "because the user may be a member of many, many, groups" could be a long string with separators or an array of values, would this be right? In which case do I need to use a regex method or access a specific value within an array?
No. See above. It does NOT have a "value". Do you know any programming languages? If so, think "operator overloading".
Thanks for explaining that Phil, appreciate it. I had come to the conclusion that I couldn't enclose these references because it was trying to expand them and thus expecting them to have a single value. Similarly I couldn't assign from them because of this same reason. But still I was missing the point that you made, that these references implement their own == routine to accomplish these comparisons. I hadn't dealt with Operator Overloading before either so that helped put that in perspective when I looked that up. I'm still completely stumped though why I can't get any joy from my comparisons using the following IF statement if (Group-Name == 'net_su') { update control { Tmp-String-2 := 'net_su' } } The Group-Name checks I have in my Users file return as expected, but I couldn't see any reason why they aren't working here from the output of my debug log below [ldap] performing user authorization for cameron [ldap] expand: %{Stripped-User-Name} -> [ldap] expand: %{User-Name} -> cameron [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=cameron) [ldap] expand: dc=ac3,dc=com,dc=au -> dc=ac3,dc=com,dc=au rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to kenrose.ac3.com.au:389, authentication 0 rlm_ldap: bind as / to kenrose.ac3.com.au:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=ac3,dc=com,dc=au, with filter (uid=cameron) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] Setting Auth-Type = LDAP [ldap] user cameron authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop ++? if (Ldap-Group == 'net_su') rlm_ldap: Entering ldap_groupcmp() expand: dc=ac3,dc=com,dc=au -> dc=ac3,dc=com,dc=au expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=ac3,dc=com,dc=au, with filter (&(cn=net_su)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))) rlm_ldap: object not found rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Group net_su not found or user is not a member. ? Evaluating (Ldap-Group == 'net_su') -> FALSE ++? if (Ldap-Group == 'net_su') -> FALSE ++? if (Group-Name == 'net_su') ? Evaluating (Group-Name == 'net_su') -> FALSE ++? if (Group-Name == 'net_su') -> FALSE Found Auth-Type = LDAP +- entering group LDAP {...} [ldap] login attempt by "cameron" with password "password123 [ldap] user DN: uid=cameron,ou=People,dc=ac3,dc=com,dc=au rlm_ldap: (re)connect to kenrose.ac3.com.au:389, authentication 1 rlm_ldap: bind as uid=cameron,ou=People,dc=ac3,dc=com,dc=au/password123 to kenrose.ac3.com.au:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful [ldap] user cameron authenticated succesfully ++[ldap] returns ok The only thing I could think of is that the LDAP settings aren't correct and hence not finding my group memberships, but if this is the case how does Group-Name when used in the Users file find my assigned groups and successfully compares them? Regards Cam. -- On Sun, Sep 26, 2010 at 19:01, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 09/26/2010 03:08 AM, Cameron Wood wrote:
Thank you Alan B & Alan D for your comments, and I'll make sure to include the full, complete debug output log in future.
I don't think the logic of my example has changed since my earlier post, but I admittedly have tried encasing it in %{...} and adding a list to it as well to try and get it to compare against the right data.
That *is* a logic change.
To be clear: The Group-Name attribute, along with similar attributes (SQL-Group, LDAP-Group) does not have a "value". You cannot have it on the right hand side of an operator.
The only valid location for these attributes is on the left hand side of an == operator, because internally they "hook" tne == operator, and do this:
for group in all_groups: if group == right-hand-side return True return False
So, this is valid in an "unlang" block:
if (Group-Name == ANYVALUE)
...but ANYTHING alse you might try is not. In particular, none of the following will work:
if ("%{Group-Name]" ...)
update control { An-Attribute = "%{Group-Name}" } if (An-Attribute)
...and so on.
Is the comparison in the right location, in the Authorize section, and
if so am I trying to compare against the wrong attribute, hence it getting expanded and not returning anything?
Alan D could you shed some light on how the Group-Name attribute in Users is populated/gets compared when doing checks there?
It does not get "populated". The attribute implements its own == handler, which operates as above.
I suspect from your comment that the field I am trying to check against since you say it can contain many values "because the user may be a member of many, many, groups" could be a long string with separators or an array of values, would this be right? In which case do I need to use a regex method or access a specific value within an array?
No. See above. It does NOT have a "value".
Do you know any programming languages? If so, think "operator overloading".
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 09/26/2010 11:47 AM, Cameron Wood wrote:
I'm still completely stumped though why I can't get any joy from my comparisons using the following IF statement
if (Group-Name == 'net_su') { update control { Tmp-String-2 := 'net_su' } }
The Group-Name checks I have in my Users file return as expected, but I couldn't see any reason why they aren't working here from the output of my debug log below
Are we talking about Group-Name (which is implemented by the "unix" module and comes from /etc/group) or Ldap-Group (which is implemented by the ldap module and comes from ldap lookups)? Both implement their own == hooks so the same constraints apply, but the difference is relevant of course! Below you show an attempt to match both in turn. For Group-Name, the comparison seems to fail; implying that either the "unix" module isn't configured/loaded or the username isn't in the group you're matching. For Ldap-Group; the issue seems to be that when the group comparison is done, "Ldap-UserDn" is null. I don't see how that is possible in the source code, but... You've only posted a subset of the debug output; seriously, please don't trim it. You want to do something like: /usr/sbin/radiusd -X | tee log # make your login/radius request in another window, then # Ctrl+C ...and send the contents of "log". If you are trying to match (unix) Group-Name, you will need to ensure the "unix" module is present and instantiated in the config - either by ensuring it's present in the "authorize" section, or if you don't want to run it, putting it in the "instantiate" section of radiusd.conf If you are trying to match (ldap) Ldap-Group, you will need to ensure that the LDAP directory is correctly populated. Either way, we keep getting partial info from you, so it's hard to help. A full "radiusd -X" debug will allow us to see exactly what the full module config, load order and processing chain for a request is. Help us to help you ;o) Cheers, Phil
If he is using LDAP then my prior post about the howto would work for him: https://lists.freeradius.org/pipermail/freeradius-users/2010-September/msg00... On Mon, Sep 27, 2010 at 6:48 AM, Phil Mayers <p.mayers@imperial.ac.uk>wrote:
On 09/26/2010 11:47 AM, Cameron Wood wrote:
I'm still completely stumped though why I can't get any joy from my comparisons using the following IF statement
if (Group-Name == 'net_su') { update control { Tmp-String-2 := 'net_su' } }
The Group-Name checks I have in my Users file return as expected, but I couldn't see any reason why they aren't working here from the output of my debug log below
Are we talking about Group-Name (which is implemented by the "unix" module and comes from /etc/group) or Ldap-Group (which is implemented by the ldap module and comes from ldap lookups)?
Both implement their own == hooks so the same constraints apply, but the difference is relevant of course!
Below you show an attempt to match both in turn. For Group-Name, the comparison seems to fail; implying that either the "unix" module isn't configured/loaded or the username isn't in the group you're matching.
For Ldap-Group; the issue seems to be that when the group comparison is done, "Ldap-UserDn" is null. I don't see how that is possible in the source code, but...
You've only posted a subset of the debug output; seriously, please don't trim it. You want to do something like:
/usr/sbin/radiusd -X | tee log # make your login/radius request in another window, then # Ctrl+C
...and send the contents of "log".
If you are trying to match (unix) Group-Name, you will need to ensure the "unix" module is present and instantiated in the config - either by ensuring it's present in the "authorize" section, or if you don't want to run it, putting it in the "instantiate" section of radiusd.conf
If you are trying to match (ldap) Ldap-Group, you will need to ensure that the LDAP directory is correctly populated.
Either way, we keep getting partial info from you, so it's hard to help. A full "radiusd -X" debug will allow us to see exactly what the full module config, load order and processing chain for a request is. Help us to help you ;o)
Cheers, Phil
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks for the link Peter, I'm talking over the possibility of this with the people who run LDAP at my organisation. Regards Cam. -- On Mon, Sep 27, 2010 at 04:30, Peter Lambrechtsen <plambrechtsen@gmail.com>wrote:
If he is using LDAP then my prior post about the howto would work for him:
https://lists.freeradius.org/pipermail/freeradius-users/2010-September/msg00...
On Mon, Sep 27, 2010 at 6:48 AM, Phil Mayers <p.mayers@imperial.ac.uk>wrote:
On 09/26/2010 11:47 AM, Cameron Wood wrote:
I'm still completely stumped though why I can't get any joy from my comparisons using the following IF statement
if (Group-Name == 'net_su') { update control { Tmp-String-2 := 'net_su' } }
The Group-Name checks I have in my Users file return as expected, but I couldn't see any reason why they aren't working here from the output of my debug log below
Are we talking about Group-Name (which is implemented by the "unix" module and comes from /etc/group) or Ldap-Group (which is implemented by the ldap module and comes from ldap lookups)?
Both implement their own == hooks so the same constraints apply, but the difference is relevant of course!
Below you show an attempt to match both in turn. For Group-Name, the comparison seems to fail; implying that either the "unix" module isn't configured/loaded or the username isn't in the group you're matching.
For Ldap-Group; the issue seems to be that when the group comparison is done, "Ldap-UserDn" is null. I don't see how that is possible in the source code, but...
You've only posted a subset of the debug output; seriously, please don't trim it. You want to do something like:
/usr/sbin/radiusd -X | tee log # make your login/radius request in another window, then # Ctrl+C
...and send the contents of "log".
If you are trying to match (unix) Group-Name, you will need to ensure the "unix" module is present and instantiated in the config - either by ensuring it's present in the "authorize" section, or if you don't want to run it, putting it in the "instantiate" section of radiusd.conf
If you are trying to match (ldap) Ldap-Group, you will need to ensure that the LDAP directory is correctly populated.
Either way, we keep getting partial info from you, so it's hard to help. A full "radiusd -X" debug will allow us to see exactly what the full module config, load order and processing chain for a request is. Help us to help you ;o)
Cheers, Phil
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
/usr/sbin/radiusd -X | tee log # make your login/radius request in another window, then # Ctrl+C
Thanks for that suggestion, I hadn't actually used 'tee' before, so that will help me make sure I have a full debug log each time. Are we talking about Group-Name (which is implemented by the "unix" module
and comes from /etc/group) or Ldap-Group (which is implemented by the ldap module and comes from ldap lookups)? Both implement their own == hooks so the same constraints apply, but the difference is relevant of course!
I honestly don't know which one I should be using; the information is in LDAP, the local system is configured for LDAP and issuing the groups command returns the local and LDAP groups the user is assigned to. Would this suggest that I could just use Group-Name, making use of the unix module? Below you show an attempt to match both in turn. For Group-Name, the
comparison seems to fail; implying that either the "unix" module isn't configured/loaded or the username isn't in the group you're matching.
I read through the debug log to check that the unix module is getting loaded, which it appears to be, I'm not aware of any configuration that needs to be provided for that module, is there any? As for the user being in the group that is definitely the case, I have verified this locally on the system, and the Group-Name comparison in Users succeeds for this case. If you are trying to match (ldap) Ldap-Group, you will need to ensure that
the LDAP directory is correctly populated.
This I am looking into, to my knowledge it is correctly setup as there are lots of other systems around our organisation that are referencing this successfully, but I wonder if the LDAP module is configured correctly, maybe there is a problem with the search string/query? Regards Cam. -- On Mon, Sep 27, 2010 at 03:48, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 09/26/2010 11:47 AM, Cameron Wood wrote:
I'm still completely stumped though why I can't get any joy from my comparisons using the following IF statement
if (Group-Name == 'net_su') { update control { Tmp-String-2 := 'net_su' } }
The Group-Name checks I have in my Users file return as expected, but I couldn't see any reason why they aren't working here from the output of my debug log below
Are we talking about Group-Name (which is implemented by the "unix" module and comes from /etc/group) or Ldap-Group (which is implemented by the ldap module and comes from ldap lookups)?
Both implement their own == hooks so the same constraints apply, but the difference is relevant of course!
Below you show an attempt to match both in turn. For Group-Name, the comparison seems to fail; implying that either the "unix" module isn't configured/loaded or the username isn't in the group you're matching.
For Ldap-Group; the issue seems to be that when the group comparison is done, "Ldap-UserDn" is null. I don't see how that is possible in the source code, but...
You've only posted a subset of the debug output; seriously, please don't trim it. You want to do something like:
/usr/sbin/radiusd -X | tee log # make your login/radius request in another window, then # Ctrl+C
...and send the contents of "log".
If you are trying to match (unix) Group-Name, you will need to ensure the "unix" module is present and instantiated in the config - either by ensuring it's present in the "authorize" section, or if you don't want to run it, putting it in the "instantiate" section of radiusd.conf
If you are trying to match (ldap) Ldap-Group, you will need to ensure that the LDAP directory is correctly populated.
Either way, we keep getting partial info from you, so it's hard to help. A full "radiusd -X" debug will allow us to see exactly what the full module config, load order and processing chain for a request is. Help us to help you ;o)
Cheers, Phil
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 09/27/2010 01:09 AM, Cameron Wood wrote:
Are we talking about Group-Name (which is implemented by the "unix" module and comes from /etc/group) or Ldap-Group (which is implemented by the ldap module and comes from ldap lookups)? Both implement their own == hooks so the same constraints apply, but the difference is relevant of course!
I honestly don't know which one I should be using; the information is in LDAP, the local system is configured for LDAP and issuing the groups command returns the local and LDAP groups the user is assigned to. Would this suggest that I could just use Group-Name, making use of the unix module?
If you can query LDAP directly, do so. Do not use rlm_unix for LDAP queries, even if nssswitch is setup for it.
Below you show an attempt to match both in turn. For Group-Name, the comparison seems to fail; implying that either the "unix" module isn't configured/loaded or the username isn't in the group you're matching.
I read through the debug log to check that the unix module is getting loaded, which it appears to be, I'm not aware of any configuration that needs to be provided for that module, is there any? As for the user
No. As long as the module is being instantiated (which it is) then Group-Name should work.
being in the group that is definitely the case, I have verified this locally on the system, and the Group-Name comparison in Users succeeds for this case.
Really? Hmm.
If you are trying to match (ldap) Ldap-Group, you will need to ensure that the LDAP directory is correctly populated.
This I am looking into, to my knowledge it is correctly setup as there are lots of other systems around our organisation that are referencing this successfully, but I wonder if the LDAP module is configured correctly, maybe there is a problem with the search string/query?
I think there might be actually; you have: groupmembership_filter = "...(member=%{Ldap-UserDn}..." ...but the default/sample configs that come with the server have: groupmembership_filter = "...(member=%{control:Ldap-UserDn}..." That "control:" is important. Which version of the server are you using and where did you get the configs from? If you replace "Ldap-UserDn" with "control:Ldap-UserDn" (it appears twice in the group filter) does it work?
I think there might be actually; you have:
groupmembership_filter = "...(member=%{Ldap-UserDn}..."
...but the default/sample configs that come with the server have:
groupmembership_filter = "...(member=%{control:Ldap-UserDn}..."
That "control:" is important. Which version of the server are you using and where did you get the configs from? If you replace "Ldap-UserDn" with "control:Ldap-UserDn" (it appears twice in the group filter) does it work?
Good eye Phil, I had a look and the LDAP module configuration was correct, but as it turns out the Group membership checking was disabled. I did a quick test and that seems to be some default query that comes up if you have the Group membership checking disabled. I must have disabled this last night when I was messing around with it. Also I asked one of the admins at work today to take a look at our LDAP with me and our group object/name is actually posixGroup, so I updated the groupmembership_filter and re-enabled the Group membership checking as below...
groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=posixGroup)(memberUid=%{control:Ldap-UserDN}))" groupmembership_attribute = radiusGroupName
Attached is a debug log of my logon attempts with these settings, which still fails unfortunately. being in the group that is definitely the case, I have verified this
locally on the system, and the Group-Name comparison in Users succeeds for this case.
Really? Hmm.
I checked this whilst looking at the LDAP group object/name stuff today and my user account is definitely a member of the 'net_su' group, I also checked that I can still very this from the groups commands on LDAP connected systems and that the Users configuration file using this as a check item still works. If you can query LDAP directly, do so. Do not use rlm_unix for LDAP queries,
even if nssswitch is setup for it.
Noted, are you able to elaborate on why this is the case though, just like to understand, only if its not too much trouble though. Regards Cam. -- On Mon, Sep 27, 2010 at 17:53, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 09/27/2010 01:09 AM, Cameron Wood wrote:
Are we talking about Group-Name (which is implemented by the "unix" module and comes from /etc/group) or Ldap-Group (which is implemented by the ldap module and comes from ldap lookups)? Both implement their own == hooks so the same constraints apply, but the difference is relevant of course!
I honestly don't know which one I should be using; the information is in LDAP, the local system is configured for LDAP and issuing the groups command returns the local and LDAP groups the user is assigned to. Would this suggest that I could just use Group-Name, making use of the unix module?
If you can query LDAP directly, do so. Do not use rlm_unix for LDAP queries, even if nssswitch is setup for it.
Below you show an attempt to match both in turn. For Group-Name, the comparison seems to fail; implying that either the "unix" module isn't configured/loaded or the username isn't in the group you're matching.
I read through the debug log to check that the unix module is getting loaded, which it appears to be, I'm not aware of any configuration that needs to be provided for that module, is there any? As for the user
No. As long as the module is being instantiated (which it is) then Group-Name should work.
being in the group that is definitely the case, I have verified this
locally on the system, and the Group-Name comparison in Users succeeds for this case.
Really? Hmm.
If you are trying to match (ldap) Ldap-Group, you will need to ensure that the LDAP directory is correctly populated.
This I am looking into, to my knowledge it is correctly setup as there are lots of other systems around our organisation that are referencing this successfully, but I wonder if the LDAP module is configured correctly, maybe there is a problem with the search string/query?
I think there might be actually; you have:
groupmembership_filter = "...(member=%{Ldap-UserDn}..."
...but the default/sample configs that come with the server have:
groupmembership_filter = "...(member=%{control:Ldap-UserDn}..."
That "control:" is important. Which version of the server are you using and where did you get the configs from? If you replace "Ldap-UserDn" with "control:Ldap-UserDn" (it appears twice in the group filter) does it work?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
rlm_ldap: Entering ldap_groupcmp() expand: dc=ac3,dc=com,dc=au -> dc=ac3,dc=com,dc=au expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=posixGroup)(memberUid=%{control:Ldap-UserDN})) -> (|(&(objectClass=GroupOfNames)(member=uid\3dcameron\2cou\3dPeople\2cdc\3dac3\2cdc\3dcom\2cdc\3dau))(&(objectClass=posixGroup)(memberUid=uid\3dcameron\2cou\3dPeople\2cdc\3dac3\2cdc\3dcom\2cdc\3dau)) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=ac3,dc=com,dc=au, with filter (&(cn=net_su)(|(&(objectClass=GroupOfNames)(member=uid\3dcameron\2cou\3dPeople\2cdc\3dac3\2cdc\3dcom\2cdc\3dau))(&(objectClass=posixGroup)(memberUid=uid\3dcameron\2cou\3dPeople\2cdc\3dac3\2cdc\3dcom\2cdc\3dau))) rlm_ldap: ldap_search() failed: Bad search filter: (&(cn=net_su)(|(&(objectClass=GroupOfNames)(member=uid\3dcameron\2cou\3dPeople\2cdc\3dac3\2cdc\3dcom\2cdc\3dau))(&(objectClass=posixGroup)(memberUid=uid\3dcameron\2cou\3dPeople\2cdc\3dac3\2cdc\3dcom\2cdc\3dau))) rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Search returned error
note the "rlm_ldap: ldap_search() failed: Bad search filter" line alan
On 27/09/10 11:44, Cameron Wood wrote:
groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=posixGroup)(memberUid=%{control:Ldap-UserDN}))" groupmembership_attribute = radiusGroupName
Attached is a debug log of my logon attempts with these settings, which still fails unfortunately.
The filter is invalid. You're missing a trailing ")" which is easily done in the stupid LDAP filter syntax.
If you can query LDAP directly, do so. Do not use rlm_unix for LDAP queries, even if nssswitch is setup for it.
Noted, are you able to elaborate on why this is the case though, just like to understand, only if its not too much trouble though.
Two main reasons: firstly, doing the LDAP lookups indirectly via rlm_unix is difficult to debug (as we are finding). Secondly, doing the LDAP lookups directly gives you a more rich interface to the underlying LDAP data. Doing it via rlm_unix limits you to schema elements present in the posix LDAP schema and get*ent calls.
hello. I have freeradius2 on my centOS and it works fine! But now i want to add new feature. I want to disable user and stop his time. I am disabling user by adding auth-type := reject but he's time is not stopping. How can i stop user's time? For example user john have 25 days and i disabled this user for 2 days. This 25 days must be continue after 2 days. I hope there is a solution. Sorry for my bad English :(
note the "rlm_ldap: ldap_search() failed: Bad search filter" line
Thanks for pointing that out for me Alan, I missed that in the debug log. Two main reasons: firstly, doing the LDAP lookups indirectly via rlm_unix is
difficult to debug (as we are finding)
Secondly, doing the LDAP lookups directly gives you a more rich interface to the underlying LDAP data. Doing it via rlm_unix limits you to schema elements present in the posix LDAP schema and get*ent calls
Those both make perfect sense, thanks for explaining that Phil. I finally got this working with the following groupmembership_filter... "(&(objectClass=posixGroup)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
Thanks again to those who helped me with this, it's appreciated. Regards Cameron. -- On Mon, Sep 27, 2010 at 22:44, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 27/09/10 11:44, Cameron Wood wrote:
groupname_attribute = cn
groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=posixGroup)(memberUid=%{control:Ldap-UserDN}))" groupmembership_attribute = radiusGroupName
Attached is a debug log of my logon attempts with these settings, which still fails unfortunately.
The filter is invalid. You're missing a trailing ")" which is easily done in the stupid LDAP filter syntax.
If you can query LDAP directly, do so. Do not use rlm_unix for LDAP queries, even if nssswitch is setup for it.
Noted, are you able to elaborate on why this is the case though, just like to understand, only if its not too much trouble though.
Two main reasons: firstly, doing the LDAP lookups indirectly via rlm_unix is difficult to debug (as we are finding).
Secondly, doing the LDAP lookups directly gives you a more rich interface to the underlying LDAP data. Doing it via rlm_unix limits you to schema elements present in the posix LDAP schema and get*ent calls.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (6)
-
Alan Buxey -
Alan DeKok -
Cameron Wood -
Peter Lambrechtsen -
Phil Mayers -
ziko