LDAP group check not working with SQL expansion
Hi, I'm using FreeRADIUS Version 3.0.12. I'm doing EAP-TTLS/PAP and I have the following policy in the authorize section of the inner tunnel virtual server (same behaviour when it's in post-auth): w2vgroupcheck { if("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) { if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) { if (LDAP-Group == "%{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}") { update reply { Tunnel-Private-Group-Id := "%{sql:SELECT vlan_id FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 } } else { reject } } } } Which results in: (8) policy w2vgroupcheck { (8) if ("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) { (8) EXPAND %{Stripped-User-Domain} (8) --> vlan-1.w2v.kit.edu (8) if ("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) -> TRUE (8) if ("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) { (8) if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) { rlm_sql (sql): Reserved connection (0) (8) Executing select query: SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('vlan-1.w2v.kit.edu', '\.w2v\.kit\.edu$', '') rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 1 , fields = 1 rlm_sql (sql): Released connection (0) (8) EXPAND %{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')} (8) --> 1 (8) if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) -> TRUE (8) if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) { (8) if (LDAP-Group == "%{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}") { rlm_sql (sql): Reserved connection (1) (8) Executing select query: SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('vlan-1.w2v.kit.edu', '\.w2v\.kit\.edu$', '') rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 1 , fields = 1 rlm_sql (sql): Released connection (1) (8) EXPAND %{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')} (8) --> KIT-Group-1 (8) if (LDAP-Group == "%{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}") -> FALSE (8) else { (8) [reject] = reject (8) } # else = reject (8) } # if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) = reject (8) } # if ("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) = reject (8) } # policy w2vgroupcheck = reject I don't understand it because the SQL expansion works but then there is no try to do the LDAP group check. It just says FALSE and rejects. When I replace (LDAP-Group == "%{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}") with (LDAP-Group == "KIT-Group-1") it works: (8) policy w2vgroupcheck { [50/1950] (8) if ("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) { (8) EXPAND %{Stripped-User-Domain} (8) --> vlan-1.w2v.kit.edu (8) if ("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) -> TRUE (8) if ("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) { (8) if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) { rlm_sql (sql): Reserved connection (0) (8) Executing select query: SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('vlan-1.w2v.kit.edu', '\.w2v\.kit\.edu$', '') rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 1 , fields = 1 rlm_sql (sql): Released connection (0) (8) EXPAND %{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')} (8) --> 1 (8) if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) -> TRUE (8) if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) { (8) if (LDAP-Group == "KIT-Group-1") { (8) Searching for user in group "KIT-Group-1" rlm_ldap (ldap): Reserved connection (1) (8) Using user DN from request "uid=abc123,ou=People,ou=unix,ou=IDM,dc=kit,dc=edu" (8) Checking for user in group objects (8) EXPAND (&(cn=KIT-Group-1)(objectClass=posixGroup)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})) (8) --> (&(cn=KIT-Group-1)(objectClass=posixGroup)(memberUid=abc123)) (8) Performing search in "ou=unix,ou=IDM,dc=kit,dc=edu" with filter "(&(cn=KIT-Group-1)(objectClass=posixGroup)(memberUid=abc123))", scope "sub" (8) Waiting for search result... (8) User found in group object "ou=unix,ou=IDM,dc=kit,dc=edu" rlm_ldap (ldap): Released connection (1) (8) if (LDAP-Group == "KIT-Group-1") -> TRUE (8) if (LDAP-Group == "KIT-Group-1") { (8) update reply { rlm_sql (sql): Reserved connection (1) (8) Executing select query: SELECT vlan_id FROM w2v WHERE vlan_name=regexp_replace('vlan-1.w2v.kit.edu', '\.w2v\.kit\.edu$', '') rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 1 , fields = 1 rlm_sql (sql): Released connection (1) (8) EXPAND %{sql:SELECT vlan_id FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')} (8) --> 22 (8) Tunnel-Private-Group-Id := 22 (8) Tunnel-Type := VLAN (8) Tunnel-Medium-Type := IEEE-802 (8) } # update reply = noop (8) } # if (LDAP-Group == "KIT-Group-1") = noop (8) ... skipping else: Preceding "if" was taken (8) } # if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) = noop (8) } # if ("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) = noop (8) } # policy w2vgroupcheck = noop Thanks in advance Klara
I'm using FreeRADIUS Version 3.0.12.
I'm doing EAP-TTLS/PAP and I have the following policy in the authorize section of the inner tunnel virtual server (same behaviour when it's in post-auth):
That's an odd one, feel free to open a GitHub issue. For a quick workaround, you may be able to copy the value of the expansion to a temporary attribute and use that. i.e. update request { Tmp-String-0 := "%{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" } if (LDAP-Group == &Tmp-String-0) { update reply { Tunnel-Private-Group-Id := "%{sql:SELECT vlan_id FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 } } Let me know if it works. May give some insight as to what's going on. -Arran
Hi, On 07/24/2017 11:35 PM, Arran Cudbard-Bell wrote:
I'm using FreeRADIUS Version 3.0.12.
I'm doing EAP-TTLS/PAP and I have the following policy in the authorize section of the inner tunnel virtual server (same behaviour when it's in post-auth):
That's an odd one, feel free to open a GitHub issue.
For a quick workaround, you may be able to copy the value of the expansion to a temporary attribute and use that.
i.e.
update request { Tmp-String-0 := "%{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" }
if (LDAP-Group == &Tmp-String-0) { update reply { Tunnel-Private-Group-Id := "%{sql:SELECT vlan_id FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 } }
Let me know if it works. May give some insight as to what's going on.
Thanks for your quick response. Tried it but when I start freeradius: /etc/freeradius/3.0/policy.d/w2vgroupcheck[8]: Parse error in condition /etc/freeradius/3.0/policy.d/w2vgroupcheck[8]: (LDAP-Group == &Tmp-String-0) { /etc/freeradius/3.0/policy.d/w2vgroupcheck[8]: ^ Cannot use attribute reference on right side of condition Errors reading or parsing /etc/freeradius/3.0/radiusd.conf As you suggested I will open a GitHub issue. But are there any other suggestions for a workaround? Unfortunately I really need one. I thought about doing the group check more explicitly. Ist that possible somehow? Thanks Klara
Hi, On Tue, Jul 25, 2017 at 12:18:01AM +0200, Klara Mall wrote:
As you suggested I will open a GitHub issue. But are there any other suggestions for a workaround? Unfortunately I really need one. I thought about doing the group check more explicitly. Ist that possible somehow?
I've found a dirty workaround with an explicit LDAP lookup: w2vgroupcheck { if("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) { # does realm exist? if("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) { update request { Tmp-String-0 := "%{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" Tmp-String-1 := "%{ldap:ldaps://ldap-1.xyz.kit.edu ldap-2.xyz.kit.edu/ou=unix,ou=IDM,dc=kit,dc=edu?memberUid?sub?(&(cn=%{Tmp-String-0})(objectClass=posixGroup)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))}" } # is user in group according to realm? if (&Tmp-String-1 != "") { update reply { Tunnel-Private-Group-Id := "%{sql:SELECT vlan_id FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 } } else { reject } } else { reject } } } Klara
I've found a dirty workaround with an explicit LDAP lookup:
w2vgroupcheck { if("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) { # does realm exist? if("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) { update request { Tmp-String-0 := "%{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" Tmp-String-1 := "%{ldap:ldaps://ldap-1.xyz.kit.edu ldap-2.xyz.kit.edu/ou=unix,ou=IDM,dc=kit,dc=edu?memberUid?sub?(&(cn=%{Tmp-String-0})(objectClass=posixGroup)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))}" } # is user in group according to realm? if (&Tmp-String-1 != "") { update reply { Tunnel-Private-Group-Id := "%{sql:SELECT vlan_id FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 } } else { reject } } else { reject } } }
Pushed a fix. Could you test and see if it addresses your issue. https://github.com/FreeRADIUS/freeradius-server/commit/e56048c98bfab25ae9453... Thanks, -Arran
Hi, On 07/25/2017 08:08 PM, Arran Cudbard-Bell wrote:
I've found a dirty workaround with an explicit LDAP lookup:
w2vgroupcheck { if("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) { # does realm exist? if("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) { update request { Tmp-String-0 := "%{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" Tmp-String-1 := "%{ldap:ldaps://ldap-1.xyz.kit.edu ldap-2.xyz.kit.edu/ou=unix,ou=IDM,dc=kit,dc=edu?memberUid?sub?(&(cn=%{Tmp-String-0})(objectClass=posixGroup)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))}" } # is user in group according to realm? if (&Tmp-String-1 != "") { update reply { Tunnel-Private-Group-Id := "%{sql:SELECT vlan_id FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 } } else { reject } } else { reject } } }
Pushed a fix. Could you test and see if it addresses your issue.
https://github.com/FreeRADIUS/freeradius-server/commit/e56048c98bfab25ae9453...
Wonderful. I patched the freeradius version in Debian Stretch with it and it works. :) Thank you Klara
On Jul 25, 2017, at 3:38 PM, Klara Mall <klara.mall@kit.edu> wrote:
Hi,
On 07/25/2017 08:08 PM, Arran Cudbard-Bell wrote:
I've found a dirty workaround with an explicit LDAP lookup:
w2vgroupcheck { if("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) { # does realm exist? if("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) { update request { Tmp-String-0 := "%{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" Tmp-String-1 := "%{ldap:ldaps://ldap-1.xyz.kit.edu ldap-2.xyz.kit.edu/ou=unix,ou=IDM,dc=kit,dc=edu?memberUid?sub?(&(cn=%{Tmp-String-0})(objectClass=posixGroup)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))}" } # is user in group according to realm? if (&Tmp-String-1 != "") { update reply { Tunnel-Private-Group-Id := "%{sql:SELECT vlan_id FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 } } else { reject } } else { reject } } }
Pushed a fix. Could you test and see if it addresses your issue.
https://github.com/FreeRADIUS/freeradius-server/commit/e56048c98bfab25ae9453...
Wonderful. I patched the freeradius version in Debian Stretch with it and it works. :)
Excellent, thanks for confirming! -Arran
On Jul 24, 2017, at 5:03 PM, Klara Mall <klara.mall@kit.edu> wrote:
I'm doing EAP-TTLS/PAP and I have the following policy in the authorize section of the inner tunnel virtual server (same behaviour when it's in post-auth):
w2vgroupcheck { if("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) { if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) { if (LDAP-Group == "%{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}") {
It's probably the same issue as: https://github.com/FreeRADIUS/freeradius-server/issues/1947 Alan DeKok.
participants (3)
-
Alan DeKok -
Arran Cudbard-Bell -
Klara Mall