LDAP module problem in 2.0.3
Hello, I'm testing upgrading to 2.0.3 from 1.1.7 and it appears that the LDAP module in 2.0.3 is not setting the Ldap-UserDn in a way that is available for further analysis. The problem shows up when using "edir_account_policy_check = yes" and PEAP. This is the error from the debug output. +- entering group post-auth rlm_ldap: User's FQDN not in config items list. ++[ldap] returns fail PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE The problem also shows up when checking the Ldap-UserDn with unlang or from the Files module. Here is my unlang config and the resulting error. if (Ldap-UserDn =~ /ou=is,ou=n,o=emu/i) { update reply { Tunnel-Type := "VLAN" Tunnel-Medium-Type := "IEEE-802" Tunnel-Private-Group-Id := 3 } } Error: ++? if (Ldap-UserDn =~ /ou=is,ou=n,o=emu/i) (Attribute Ldap-UserDn was not found) Here is the users file config I use in version 1.1.7. It also does not work in 2.0.3; the files module returns noop. DEFAULT Ldap-UserDn =~ "ou=is,ou=n,o=emu" Tunnel-Type = "VLAN", Tunnel-Medium-Type = "IEEE-802", Tunnel-Private-Group-Id = 3 I've tried setting both "copy_request_to_tunnel = yes" and "use_tunneled_reply = yes" but it makes no difference. I looked at the source file rlm_ldap.c and found this code at line 1306: /* * Adding new attribute containing DN for LDAP object associated with * given username */ pairadd(check_pairs, pairmake("Ldap-UserDn", user_dn, T_OP_EQ)); But in the code for version 1.1.7 the line is pairadd(&request->packet->vps, pairmake("Ldap-UserDn", user_dn, T_OP_EQ)); If I change it to the old way, everything works. Is this a bug in 2.0.3 or might I have overlooked a configuration detail? Jason
Jason Alderfer wrote:
Hello,
I'm testing upgrading to 2.0.3 from 1.1.7 and it appears that the LDAP module in 2.0.3 is not setting the Ldap-UserDn in a way that is available for further analysis.
It's now in the "control" item list. This should be better documented...
If I change it to the old way, everything works. Is this a bug in 2.0.3 or might I have overlooked a configuration detail?
The intent was to move control attributes to the control list. But this is a bit of a surprise for people expecting backwards compatibility with 1.1.x. Alan DeKok.
Jason Alderfer wrote:
I'm testing upgrading to 2.0.3 from 1.1.7 and it appears that the LDAP module in 2.0.3 is not setting the Ldap-UserDn in a way that is available for further analysis.
It's now in the "control" item list. This should be better documented...
But the function ldap_postauth in rlm_ldap.c still looks for Ldap-UserDn in request->packet->vps. Should I patch it to look in the new location? Or will it even exist in the control items in post auth? vp_fdn = pairfind(request->packet->vps, da->attr); if (vp_fdn == NULL) { DEBUG("rlm_ldap: User's FQDN not in config items list."); return RLM_MODULE_FAIL; } Also, I can see on the unlang man page how to update an item on the control list, but I'm not clear how to test one. What should I change in the unlang below? if (Ldap-UserDn =~ /ou=is,ou=n,o=emu/i) { update reply { Tunnel-Type := "VLAN" Tunnel-Medium-Type := "IEEE-802" Tunnel-Private-Group-Id := 3 } } Thanks Jason
Hi Jason, with the answer from Alan we have found the dn-information in the control item. You must use %{control:Ldap-UserDn} instead of %{Ldap-UserDn} Regards, Christan On Monday 14 April 2008 23:18:42 Jason Alderfer wrote:
Jason Alderfer wrote:
I'm testing upgrading to 2.0.3 from 1.1.7 and it appears that the LDAP module in 2.0.3 is not setting the Ldap-UserDn in a way that is available for further analysis.
It's now in the "control" item list. This should be better documented...
But the function ldap_postauth in rlm_ldap.c still looks for Ldap-UserDn in request->packet->vps. Should I patch it to look in the new location? Or will it even exist in the control items in post auth?
vp_fdn = pairfind(request->packet->vps, da->attr); if (vp_fdn == NULL) { DEBUG("rlm_ldap: User's FQDN not in config items list."); return RLM_MODULE_FAIL; }
Also, I can see on the unlang man page how to update an item on the control list, but I'm not clear how to test one. What should I change in the unlang below?
if (Ldap-UserDn =~ /ou=is,ou=n,o=emu/i) { update reply { Tunnel-Type := "VLAN" Tunnel-Medium-Type := "IEEE-802" Tunnel-Private-Group-Id := 3 } }
Thanks Jason
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Jason, with the answer from Alan we have found the dn-information in the control item. You must use %{control:Ldap-UserDn} instead of %{Ldap-UserDn}
Perfect. Unlang works now. Thanks. However, there is still the problem with postauth.
the function ldap_postauth in rlm_ldap.c still looks for Ldap-UserDn in request->packet->vps.
The attached patch updates ldap_postauth to check the control items, which solves the problem for me. I assume that's the best way to fix it. Jason
Jason Alderfer wrote:
the function ldap_postauth in rlm_ldap.c still looks for Ldap-UserDn in request->packet->vps.
The attached patch updates ldap_postauth to check the control items, which solves the problem for me. I assume that's the best way to fix it.
I've added the patch, thanks. Alan DeKok.
participants (3)
-
Alan DeKok -
Christian Goebel -
Jason Alderfer