freeradius 2.2.0 stop authorization
I setup a centos 6.2 server that has freeradius 2.2.0 running on it. I have the mysql module running. Based on simple mac authentication with the username and password the mac address of the computer it appears to be working fine. What I want to do is setup ldap to authenticate against our Windows 2010 server where the computers are a part of the domain. I would like for it to query mysql first and then query ldap if it didn't find the computer in mysql. If I remove ldap for the defaults file I get an Access-Accept reply as expected. It just that if there is anything after sql in the defaults file then it will continue on to try and authenticate against another module. Below you can see a simple query with 'blake' being sent as both the user-name and password. It queries the db and finds it (as expected). However it continues to go to ldap and tries to find it to which I get an error. I understand that I don't have ldap working properly right now. However, first I just want to get the logic setup to where after finding a name in mysql it will stop and reply back with an Access-Accept and not query ldap. Is there a setting you have to put in a conf file? rad_recv: Access-Request packet from host 10.220.1.107 port 52258, id=10, length=45 User-Name = "blake" User-Password = "blake" # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "blake", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [sql] expand: %{Stripped-User-Name} -> [sql] ... expanding second conditional [sql] expand: %{User-Name} -> blake [sql] expand: %{%{User-Name}:-DEFAULT} -> blake [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> blake [sql] sql_set_user escaped user --> 'blake' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'blake' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'blake' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'blake' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'blakegroup' ORDER BY id [sql] User found in group blakegroup [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'blakegroup' ORDER BY id rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok [ldap] performing user authorization for blake [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> blake [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=blake) [ldap] expand: o=My Org,c=UA -> o=My Org,c=UA [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 10.193.0.90:389, authentication 0 [ldap] bind as CN=srvacct,OU=misc,OU=TechAdmin,OU=District,OU=Staff,DC=crcsd,DC=abc/ to 10.193.0.90:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in o=My Org,c=UA, with filter (uid=blake) [ldap] ldap_search() failed: Operations error [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns fail Using Post-Auth-Type REJECT # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> blake attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.7 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 10 to 10.220.1.107 port 52258 Waking up in 4.9 seconds. Cleaning up request 0 ID 10 with timestamp +3 Ready to process requests. Thanks in advance! -b
Wedel Blake wrote:
... What I want to do is setup ldap to authenticate against our Windows 2010 server where the computers are a part of the domain.
AD isn't really an LDAP server. You'll probably need to run Samba. See: http://deployingradius.com/documents/configuration/active_directory.html
I would like for it to query mysql first and then query ldap if it didn't find the computer in mysql.
authorize { ... sql if (notfound) { ldap } ... } Should work for PAP requests. (User-Name / User-Password)
If I remove ldap for the defaults file I get an Access-Accept reply as expected. It just that if there is anything after sql in the defaults file then it will continue on to try and authenticate against another module.
Use the configuration I posted above. It should help.
Below you can see a simple query with 'blake' being sent as both the user-name and password. It queries the db and finds it (as expected). However it continues to go to ldap and tries to find it to which I get an error.
Read raddb/modules/ldap. Look for "operations error"
I understand that I don't have ldap working properly right now. However, first I just want to get the logic setup to where after finding a name in mysql it will stop and reply back with an Access-Accept and not query ldap. Is there a setting you have to put in a conf file?
It's a policy you write. There is no "setting" to do if/then/else programming. Alan DeKok.
Thanks Alan for the info. By using the if statement I was able to stop the processing of the request. However I need to do more research and communicating with our AD or our NPS server. However since that doesn't involve the subject of this message I would start another question without 'stop authorization' in the subject line. Thanks again. -----Original Message----- From: freeradius-users-bounces+bwedel=cr.k12.ia.us@lists.freeradius.org [mailto:freeradius-users-bounces+bwedel=cr.k12.ia.us@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Tuesday, January 22, 2013 1:22 PM To: FreeRadius users mailing list Subject: Re: freeradius 2.2.0 stop authorization Wedel Blake wrote:
... What I want to do is setup ldap to authenticate against our Windows 2010 server where the computers are a part of the domain.
AD isn't really an LDAP server. You'll probably need to run Samba. See: http://deployingradius.com/documents/configuration/active_directory.html
I would like for it to query mysql first and then query ldap if it didn't find the computer in mysql.
authorize { ... sql if (notfound) { ldap } ... } Should work for PAP requests. (User-Name / User-Password)
If I remove ldap for the defaults file I get an Access-Accept reply as expected. It just that if there is anything after sql in the defaults file then it will continue on to try and authenticate against another module.
Use the configuration I posted above. It should help.
Below you can see a simple query with 'blake' being sent as both the user-name and password. It queries the db and finds it (as expected). However it continues to go to ldap and tries to find it to which I get an error.
Read raddb/modules/ldap. Look for "operations error"
I understand that I don't have ldap working properly right now. However, first I just want to get the logic setup to where after finding a name in mysql it will stop and reply back with an Access-Accept and not query ldap. Is there a setting you have to put in a conf file?
It's a policy you write. There is no "setting" to do if/then/else programming. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Wedel Blake