Problem with two ldap connections
Hello at all i have a small problem an dhope anyone can help me. First my configuration and the debug output: --- sites-available/radius-staging --- (is also linked in sites-enabled) authorize { if ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/) { update request { Group-Name := "%{1}" Stripped-User-Name := "%{2}" } } else { reject } #"%{exec:/usr/bin/printenv}" ldap-kap-costumertype if ("%{ldap-kap-costumertype:ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name}}" == unmanaged) { update control { Proxy-to-Realm := unmanagedCostumers } # updated } else { ldap-kap-staging # updated } } authenticate { Auth-Type PAP { pap } Auth-Type LDAP { ldap-kap-staging } } --- modules/ldap-kap-staging --- ldap ldap-kap-staging { server := "test" identity := "cn=radiusbinduser,ou=admins,dc=domain,dc=de" password := "XXXXXXX" basedn := "ou=%{Group-Name},dc=domain,dc=de" filter := "(&(uid=%{Stripped-User-Name})(userEnabled=true))" dictionary_mapping = ${confdir}/ldap.attrmap set_auth_type = yes } --- modules/ldap-kap-costumertype --- ldap ldap-kap-costumertype { server := "test" identity := "cn=radiusbinduser,ou=admins,dc=domain,dc=de" password := "XXXXX" basedn := "dc=domain,dc=de" filter := "ou=%{Group-Name}" dictionary_mapping = ${confdir}/ldap.attrmap set_auth_type = no } --- debug output from freeradius --- Ready to process requests. rad_recv: Access-Request packet from host 10.10.20.100 port 55835, id=1, length=131 User-Name = "rplus.dt#test@domain.de" Acct-Session-Id = "1489473128K1snz" NAS-IP-Address = 127.0.0.1 NAS-Identifier = "Localhost" NAS-Port = 0 Calling-Station-Id = "1115551212" User-Password = "testpass" Message-Authenticator = 0xb33a7beab35041d5b1c179deef4d6376 server radius-staging { # Executing section authorize from file /etc/freeradius/sites-enabled/radius-staging +group authorize { ++? if ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/) expand: %{User-Name} -> rplus.dt#test@domain.de ? Evaluating ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/) -> TRUE ++? if ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/) -> TRUE ++if ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/) { +++update request { expand: %{1} -> domain.dt expand: %{2} -> test +++} # update request = noop ++} # if ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/) = noop ++ ... skipping else for request 0: Preceding "if" was taken [ldap-kap-costumertype] performing user authorization for test [ldap-kap-costumertype] expand: ou=%{Group-Name} -> ou=rplus.dt [ldap-kap-costumertype] expand: dc=domain,dc=de -> dc=domain,dc=de [ldap-kap-costumertype] ldap_get_conn: Checking Id: 0 [ldap-kap-costumertype] ldap_get_conn: Got Id: 0 [ldap-kap-costumertype] attempting LDAP reconnection [ldap-kap-costumertype] (re)connect to test:636, authentication 0 [ldap-kap-costumertype] setting TLS mode to 1 [ldap-kap-costumertype] bind as cn=radiusbinduser,ou=admins,dc=domain,dc=de/XXXXX to test:636 [ldap-kap-costumertype] waiting for bind result ... [ldap-kap-costumertype] Bind was successful [ldap-kap-costumertype] performing search in dc=domain,dc=de, with filter ou=rplus.dt [ldap-kap-costumertype] No default NMAS login sequence [ldap-kap-costumertype] looking for check items in directory... [ldap-kap-costumertype] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap-kap-costumertype] ldap_release_conn: Release Id: 0 ++[ldap-kap-costumertype] = ok ++? if ("%{ldap-kap-costumertype:ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name}}" == unmanaged) [ldap-kap-costumertype] - ldap_xlat expand: ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name} -> ldap:///dc=domain,dc=de?businessCategory?one?ou=rplus.dt [ldap-kap-costumertype] ldap_get_conn: Checking Id: 0 [ldap-kap-costumertype] ldap_get_conn: Got Id: 0 [ldap-kap-costumertype] performing search in dc=domain,dc=de, with filter ou=rplus.dt [ldap-kap-costumertype] Adding attribute businessCategory, value: managed [ldap-kap-costumertype] ldap_release_conn: Release Id: 0 [ldap-kap-costumertype] - ldap_xlat end expand: %{ldap-kap-costumertype:ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name}} -> managed ? Evaluating ("%{ldap-kap-costumertype:ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name}}" == unmanaged) -> FALSE ++? if ("%{ldap-kap-costumertype:ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name}}" == unmanaged) -> FALSE ++else else { [ldap-kap-staging] performing user authorization for test [ldap-kap-staging] expand: (&(uid=%{Stripped-User-Name})(userEnabled=true)) -> (&(uid=test)(userEnabled=true)) <--------------------------------------- [ldap-kap-staging] expand: ou=%{Group-Name},dc=domain,dc=de -> ou=rplus.dt,dc=domain,dc=de <--------------------------------------- [ldap-kap-staging] ldap_get_conn: Checking Id: 0 [ldap-kap-staging] ldap_get_conn: Got Id: 0 [ldap-kap-staging] attempting LDAP reconnection [ldap-kap-staging] (re)connect to test:636, authentication 0 [ldap-kap-staging] setting TLS mode to 1 [ldap-kap-staging] bind as cn=radiusbinduser,ou=admins,dc=domain,dc=de/XXXXX to test:636 [ldap-kap-staging] waiting for bind result ... [ldap-kap-staging] Bind was successful [ldap-kap-staging] performing search in ou=rplus.dt,dc=domain,dc=de, with filter (&(uid=test)(userEnabled=true)) [ldap-kap-staging] No default NMAS login sequence [ldap-kap-staging] looking for check items in directory... [ldap-kap-staging] userPassword -> Password-With-Header == "{SSHA}ac2cE0LcZb04Hr9mGf5RIvfeoDlDkT5BaEB4tw==" [ldap-kap-staging] looking for reply items in directory... [ldap-kap-staging] Setting Auth-Type = LDAP [ldap-kap-staging] ldap_release_conn: Release Id: 0 +++[ldap-kap-staging] = ok ++} # else else = ok +} # group authorize = ok Found Auth-Type = LDAP # Executing group from file /etc/freeradius/sites-enabled/radius-staging +group LDAP { [ldap-kap-staging] login attempt by "test" with password "testpass" [ldap-kap-staging] user DN: ou=rplus.dt,dc=domain,dc=de <--------------------------------------- [ldap-kap-staging] (re)connect to test:636, authentication 1 [ldap-kap-staging] setting TLS mode to 1 [ldap-kap-staging] bind as ou=rplus.dt,dc=telekom,dc=de/testpass to test:636 <--------------------------------------- [ldap-kap-staging] waiting for bind result ... [ldap-kap-staging] Bind failed with invalid credentials ++[ldap-kap-staging] = reject +} # group LDAP = reject Failed to authenticate the user. } # server radius-staging Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/radius-staging +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> rplus.dt#test@domain.de attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 0 for 1 seconds Can anyone explain me why freeradius use two different userdn's for the same ldap configuration [ldap-kap-staging]? That he is authorizing the user is good, but why is freeradius using the wrong dn at the authenticate stage for the same ldapconfig? Thank you very much Jörn Volkhausen
Just for information of other people who have the same problem. Issue: The two ldap configurations are interacting in an undocumented way. Twe configuration of the first module is touching the second module configuration and instance. Solution: For me it helped to just define the basedn and filter in one of the two ldap configurations. The other configuration worked also, because i use them only in pair with xlat. There is the possibility to define another dn and filter. I dont know, but could it be that this is not desired operating? Thanks and hope it helps Jörn Volkhausen Am 14.03.2017 um 07:56 schrieb Jörn Volkhausen:
Hello at all
i have a small problem an dhope anyone can help me. First my configuration and the debug output:
--- sites-available/radius-staging --- (is also linked in sites-enabled) authorize { if ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/) { update request { Group-Name := "%{1}" Stripped-User-Name := "%{2}" } } else { reject } #"%{exec:/usr/bin/printenv}" ldap-kap-costumertype if ("%{ldap-kap-costumertype:ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name}}" == unmanaged) { update control { Proxy-to-Realm := unmanagedCostumers } # updated } else { ldap-kap-staging # updated } }
authenticate { Auth-Type PAP { pap } Auth-Type LDAP { ldap-kap-staging } }
--- modules/ldap-kap-staging --- ldap ldap-kap-staging { server := "test" identity := "cn=radiusbinduser,ou=admins,dc=domain,dc=de" password := "XXXXXXX" basedn := "ou=%{Group-Name},dc=domain,dc=de" filter := "(&(uid=%{Stripped-User-Name})(userEnabled=true))"
dictionary_mapping = ${confdir}/ldap.attrmap set_auth_type = yes }
--- modules/ldap-kap-costumertype --- ldap ldap-kap-costumertype { server := "test" identity := "cn=radiusbinduser,ou=admins,dc=domain,dc=de" password := "XXXXX" basedn := "dc=domain,dc=de" filter := "ou=%{Group-Name}"
dictionary_mapping = ${confdir}/ldap.attrmap set_auth_type = no }
--- debug output from freeradius --- Ready to process requests. rad_recv: Access-Request packet from host 10.10.20.100 port 55835, id=1, length=131 User-Name = "rplus.dt#test@domain.de" Acct-Session-Id = "1489473128K1snz" NAS-IP-Address = 127.0.0.1 NAS-Identifier = "Localhost" NAS-Port = 0 Calling-Station-Id = "1115551212" User-Password = "testpass" Message-Authenticator = 0xb33a7beab35041d5b1c179deef4d6376 server radius-staging { # Executing section authorize from file /etc/freeradius/sites-enabled/radius-staging +group authorize { ++? if ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/) expand: %{User-Name} -> rplus.dt#test@domain.de ? Evaluating ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/) -> TRUE ++? if ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/) -> TRUE ++if ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/) { +++update request { expand: %{1} -> domain.dt expand: %{2} -> test +++} # update request = noop ++} # if ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/) = noop ++ ... skipping else for request 0: Preceding "if" was taken [ldap-kap-costumertype] performing user authorization for test [ldap-kap-costumertype] expand: ou=%{Group-Name} -> ou=rplus.dt [ldap-kap-costumertype] expand: dc=domain,dc=de -> dc=domain,dc=de [ldap-kap-costumertype] ldap_get_conn: Checking Id: 0 [ldap-kap-costumertype] ldap_get_conn: Got Id: 0 [ldap-kap-costumertype] attempting LDAP reconnection [ldap-kap-costumertype] (re)connect to test:636, authentication 0 [ldap-kap-costumertype] setting TLS mode to 1 [ldap-kap-costumertype] bind as cn=radiusbinduser,ou=admins,dc=domain,dc=de/XXXXX to test:636 [ldap-kap-costumertype] waiting for bind result ... [ldap-kap-costumertype] Bind was successful [ldap-kap-costumertype] performing search in dc=domain,dc=de, with filter ou=rplus.dt [ldap-kap-costumertype] No default NMAS login sequence [ldap-kap-costumertype] looking for check items in directory... [ldap-kap-costumertype] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap-kap-costumertype] ldap_release_conn: Release Id: 0 ++[ldap-kap-costumertype] = ok ++? if ("%{ldap-kap-costumertype:ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name}}" == unmanaged) [ldap-kap-costumertype] - ldap_xlat expand: ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name} -> ldap:///dc=domain,dc=de?businessCategory?one?ou=rplus.dt [ldap-kap-costumertype] ldap_get_conn: Checking Id: 0 [ldap-kap-costumertype] ldap_get_conn: Got Id: 0 [ldap-kap-costumertype] performing search in dc=domain,dc=de, with filter ou=rplus.dt [ldap-kap-costumertype] Adding attribute businessCategory, value: managed [ldap-kap-costumertype] ldap_release_conn: Release Id: 0 [ldap-kap-costumertype] - ldap_xlat end expand: %{ldap-kap-costumertype:ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name}} -> managed ? Evaluating ("%{ldap-kap-costumertype:ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name}}" == unmanaged) -> FALSE ++? if ("%{ldap-kap-costumertype:ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name}}" == unmanaged) -> FALSE ++else else { [ldap-kap-staging] performing user authorization for test [ldap-kap-staging] expand: (&(uid=%{Stripped-User-Name})(userEnabled=true)) -> (&(uid=test)(userEnabled=true)) <--------------------------------------- [ldap-kap-staging] expand: ou=%{Group-Name},dc=domain,dc=de -> ou=rplus.dt,dc=domain,dc=de <--------------------------------------- [ldap-kap-staging] ldap_get_conn: Checking Id: 0 [ldap-kap-staging] ldap_get_conn: Got Id: 0 [ldap-kap-staging] attempting LDAP reconnection [ldap-kap-staging] (re)connect to test:636, authentication 0 [ldap-kap-staging] setting TLS mode to 1 [ldap-kap-staging] bind as cn=radiusbinduser,ou=admins,dc=domain,dc=de/XXXXX to test:636 [ldap-kap-staging] waiting for bind result ... [ldap-kap-staging] Bind was successful [ldap-kap-staging] performing search in ou=rplus.dt,dc=domain,dc=de, with filter (&(uid=test)(userEnabled=true)) [ldap-kap-staging] No default NMAS login sequence [ldap-kap-staging] looking for check items in directory... [ldap-kap-staging] userPassword -> Password-With-Header == "{SSHA}ac2cE0LcZb04Hr9mGf5RIvfeoDlDkT5BaEB4tw==" [ldap-kap-staging] looking for reply items in directory... [ldap-kap-staging] Setting Auth-Type = LDAP [ldap-kap-staging] ldap_release_conn: Release Id: 0 +++[ldap-kap-staging] = ok ++} # else else = ok +} # group authorize = ok Found Auth-Type = LDAP # Executing group from file /etc/freeradius/sites-enabled/radius-staging +group LDAP { [ldap-kap-staging] login attempt by "test" with password "testpass" [ldap-kap-staging] user DN: ou=rplus.dt,dc=domain,dc=de <--------------------------------------- [ldap-kap-staging] (re)connect to test:636, authentication 1 [ldap-kap-staging] setting TLS mode to 1 [ldap-kap-staging] bind as ou=rplus.dt,dc=telekom,dc=de/testpass to test:636 <--------------------------------------- [ldap-kap-staging] waiting for bind result ... [ldap-kap-staging] Bind failed with invalid credentials ++[ldap-kap-staging] = reject +} # group LDAP = reject Failed to authenticate the user. } # server radius-staging Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/radius-staging +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> rplus.dt#test@domain.de attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 0 for 1 seconds
Can anyone explain me why freeradius use two different userdn's for the same ldap configuration [ldap-kap-staging]? That he is authorizing the user is good, but why is freeradius using the wrong dn at the authenticate stage for the same ldapconfig?
Thank you very much Jörn Volkhausen - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mar 14, 2017, at 7:09 AM, Jörn Volkhausen <volkhausen.joern@gmx.de> wrote:
Just for information of other people who have the same problem.
Issue:
The two ldap configurations are interacting in an undocumented way.
Please don't post uninformed and incorrect guesses to the mailing list. If you don't understand what the server is doing, the reason is most often that your understanding is wrong. Not that the server is doing something magic.
Twe configuration of the first module is touching the second module configuration and instance.
No. That does not happen. Ever.
Solution:
For me it helped to just define the basedn and filter in one of the two ldap configurations.
That will not fix the problem. The problem is that your LDAP server is returning a redirect. i.e. 1) you don't know how FreeRADIUS works. This is understandable, as the server is complicated. 2) you don't know how your own LDAP server works. This is a problem. 3) You made some erroneous conclusion because of (1) and (2), and 4) you're giving people the wrong advice. Please be sure to give *correct* advice.
Thanks and hope it helps
It doesn't help. It makes things worse. No one reading this should follow your advice. Alan DeKok.
Have the problem that i have configured the freeradius server and all is running fine. Thats not the problem. The problem is, when i start the server in debug mode, the answers to requests take about 70ms. When i start the server normally with service freeradius start, then the request takes about 250ms. How could it be that the server is faster in debug mode than in normal mode. Can anyone help?
On Mar 14, 2017, at 2:56 AM, Jörn Volkhausen <volkhausen.joern@gmx.de> wrote:
Can anyone explain me why freeradius use two different userdn's for the same ldap configuration [ldap-kap-staging]?
If you read the debug output, you will see that the LDAP server is returning a redirect. FreeRADIUS is just following that.
That he is authorizing the user is good, but why is freeradius using the wrong dn at the authenticate stage for the same ldapconfig?
Because your LDAP server is telling FreeRADIUS to use that DN. If you want FreeRADIUS to use the right DN, fix your LDAP server so that it doesn't return a redirect. Alan DeKok.
On Mar 14, 2017, at 2:56 AM, Jörn Volkhausen <volkhausen.joern@gmx.de> wrote:
Can anyone explain me why freeradius use two different userdn's for the same ldap configuration [ldap-kap-staging]? If you read the debug output, you will see that the LDAP server is returning a redirect. FreeRADIUS is just following that. Sorry for my misunderstanding. Can you please call me the line in output, where the redirect is referenced? I dont find it. That he is authorizing the user is good, but why is freeradius using the wrong dn at the authenticate stage for the same ldapconfig? Because your LDAP server is telling FreeRADIUS to use that DN.
If you want FreeRADIUS to use the right DN, fix your LDAP server so that it doesn't return a redirect.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jörn Volkhausen
On Mar 15, 2017, at 2:40 AM, Jörn Volkhausen <volkhausen.joern@gmx.de> wrote:
On Mar 14, 2017, at 2:56 AM, Jörn Volkhausen <volkhausen.joern@gmx.de> wrote:
Can anyone explain me why freeradius use two different userdn's for the same ldap configuration [ldap-kap-staging]? If you read the debug output, you will see that the LDAP server is returning a redirect. FreeRADIUS is just following that. Sorry for my misunderstanding. Can you please call me the line in output, where the redirect is referenced? I dont find it.
You pointed it out in your original post. FreeRADIUS re-binds to another LDAP server. That's because of the redirect. Alan DeKok.
participants (2)
-
Alan DeKok -
Jörn Volkhausen