Do not query LDAP if authenticated via proxy
Hi list, I have the following question, not entirely sure how to stop FreeRADIUS (Debian recompile 2.0.4) from doing this so any ideas would be grateful. We are joining Eduroam and we have our FreeRADIUS set to proxy on the DEFAULT realm and have a separate realm for our local domain. If we pass a request to the proxy to be authenticated both before and after the request has been proxied it queries our LDAP server to check if the user exists.
rad_recv: Access-Request packet from host 127.0.0.1 port 43386, id=216, length=82 User-Name = "user@domain.com" User-Password = "******" NAS-IP-Address = 157.228.68.190 NAS-Port = 1 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: Looking up realm "domain.com" for User-Name = "user@domain.com" rlm_realm: Found realm "DEFAULT" rlm_realm: Adding Realm = "DEFAULT" rlm_realm: Proxying request from user user to realm DEFAULT rlm_realm: Preparing to proxy authentication request to realm "DEFAULT" ++[suffix] returns updated rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for user@domain.com WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (&(objectclass=uosperson)(!(mailuserstatus=inactive))(uid=%{Stripped-User-Name:-%{User-Name}})) -> (&(objectclass=uosperson)(!(mailuserstatus=inactive))(uid=user@domain.com)) expand: dc=domain,dc=com -> dc=domain,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=domain,dc=com, with filter (&(objectclass=uosperson)(!(mailuserstatus=inactive))(uid=user@domain.com)) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Sending Access-Request of id 112 to 194.83.56.233 port 1812 User-Name = "user@domain.com" User-Password = "******" NAS-IP-Address = 157.228.68.190 NAS-Port = 1 Proxy-State = 0x323136 Proxying request 1 to home server 194.83.56.233 port 1812 Sending Access-Request of id 112 to 194.83.56.233 port 1812 User-Name = "user@domain.com" User-Password = "******" NAS-IP-Address = 157.228.68.190 NAS-Port = 1 Proxy-State = 0x323136 Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Accept packet from host 194.83.56.233 port 1812, id=112, length=25 Proxy-State = 0x323136 +- entering group post-proxy rlm_eap: No pre-existing handler found ++[eap] returns noop +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: Proxy reply, or no User-Name. Ignoring. ++[suffix] returns noop ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for user@domain.com WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (&(objectclass=uosperson)(!(mailuserstatus=inactive))(uid=%{Stripped-User-Name:-%{User-Name}})) -> (&(objectclass=uosperson)(!(mailuserstatus=inactive))(uid=user@domain.com)) expand: dc=domain,dc=com -> dc=domain,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=domain,dc=com, with filter (&(objectclass=uosperson)(!(mailuserstatus=inactive))(uid=user@domain.com)) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type rad_check_password: Auth-Type = Accept, accepting the user Login OK: [user@domain.com/******] (from client localhost port 1) +- entering group post-auth ++[exec] returns noop Sending Access-Accept of id 216 to 127.0.0.1 port 43386 Finished request 1. Going to the next request Waking up in 4.9 seconds. Cleaning up request 1 ID 216 with timestamp +10 Ready to process requests.
How can I stop it from doing this? it is a waste of time and an unnecessary connection/query to our LDAP server as it is never going to be authenticated by our LDAP server. Thanks Steve -- Steven Carr Systems Development Officer SLS/ITS/Systems - (0191) 515 3953
Steven Carr wrote:
We are joining Eduroam and we have our FreeRADIUS set to proxy on the DEFAULT realm and have a separate realm for our local domain.
If we pass a request to the proxy to be authenticated both before and after the request has been proxied it queries our LDAP server to check if the user exists.
So... use "unlang" to check for your local domain, and run the "ldap" module only if it matches the local domain if (User-Name =~ /@my_domain.com/) { ldap }
How can I stop it from doing this? it is a waste of time and an unnecessary connection/query to our LDAP server as it is never going to be authenticated by our LDAP server.
You don't "stop" it. You tell it to query the LDAP server *ONLY* when it sees Access-Requests where User-Name contains your domain. Once you formulate the problem that way, the solution becomes obvious. Alan DeKok.
On 10/8/09 14:34, Alan DeKok wrote:
So... use "unlang" to check for your local domain, and run the "ldap" module only if it matches the local domain
if (User-Name =~ /@my_domain.com/) { ldap }
Ta for the pointer :) now works as I want it. Steve -- Steven Carr Systems Development Officer SLS/ITS/Systems - (0191) 515 3953
participants (2)
-
Alan DeKok -
Steven Carr