Release 1.1.0 this week?

Markus Krause krause at biochem.mpg.de
Tue Jan 10 17:52:08 CET 2006


Quoting Nicolas Baradakis <nbk at sitadelle.com>:
> Markus Krause wrote:
>
> > Quoting Nicolas Baradakis <nbk at sitadelle.com>:
> >
> > > And finally, if someone has a setup with ldap backend, and is volunteering
> > > to test the patch under bug #261 (ldap_pairget fixes), perhaps it could be
> > > added to 1.1.1, too. I'm not using LDAP on my site, therefore I can't test
> > > it myself easily.
> >
> > I have a testing installation with freeradius using ldap on which I could
> > do some tests if necessary. Unfortunately I am not a freeradius expert,
> > but if you tell me what I should test/try I would be glad to help!
>
> Thanks, that'd be useful. Here you are the detailed instructions:
>
> $ cvs -d :pserver:anoncvs at cvs.freeradius.org:/source login
> CVS password: anoncvs
> $ cvs -d :pserver:anoncvs at cvs.freeradius.org:/source checkout -r branch_1_1 radiusd
> $ cd radiusd
> $ wget 'http://bugs.freeradius.org/showattachment.cgi?attach_id=113' -O ldap_pairget.patch
> $ patch -p0 < ldap_pairget.patch
>
> Then recompile FreeRADIUS like usual and test with a user from your LDAP
> directory. If that works, the next step is to enter the test values
> from the bugzilla into LDAP, and verify if the RADIUS values are
> correct in the reply packet.
>
> See http://bugs.freeradius.org/show_bug.cgi?id=261
>
> --
> Nicolas Baradakis
So here is what I did and what happened (on a current Debian sarge Linux; SuSE
seems to be missing some packages):

atlas:~/radius-test# cvs -d :pserver:anoncvs at cvs.freeradius.org:/source login
Logging in to :pserver:anoncvs at cvs.freeradius.org:2401/source
CVS password: <I typed "anoncvs">
atlas:~/radius-test# cvs -d :pserver:anoncvs at cvs.freeradius.org:/source checkout -r branch_1_1 radiusd
[lots of cvs messages "U radiusd/ ..."]
atlas:~/radius-test# cd radiusd/
atlas:~/radius-test/radiusd# wget 'http://bugs.freeradius.org/showattachment.cgi?attach_id=113' -O ldap_pairget.patch
[wget output]
atlas:~/radius-test/radiusd# patch -p0 < ldap_pairget.patch
patching file src/modules/rlm_ldap/rlm_ldap.c
Hunk #1 succeeded at 2309 (offset 32 lines).
atlas:~/radius-test/radiusd# dpkg-buildpackage -us -uc -b
[lots of output, all seems successful; the results are Debian packages]
atlas:~/radius-test/radiusd# cd ..
atlas:~/radius-test# dpkg -i freeradius_1.1.0-0_i386.deb freeradius-ldap_1.1.0-0_i386.deb freeradius-mysql_1.1.0-0_i386.deb
[some output, all ok]
atlas:~/radius-test#

Now the entry of an LDAP user (as LDIF):
# testuser2, People, mogli.de
dn: uid=testuser2,ou=People,dc=mogli,dc=de
cn: testuser2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: radiusprofile
uidNumber: 501
gidNumber: 100
homeDirectory: /home/testuser1
loginShell: /bin/bash
uid: testuser2
dialupAccess: 1
radiusTunnelMediumType: IEEE-802
radiusTunnelPrivateGroupId: 1
radiusTunnelType: VLAN
radiusFramedIPAddress: 192.168.0.112
radiusFramedIPNetmask: 255.255.255.0
radiusExpiration: 11 Jan 2006 13:00:00
userPassword: {CRYPT}sefjKaLm7zybE
radiusReplyItem: Reply-Message := foo bar
radiusReplyItem: Reply-Message += This_is_a_Reply
radiusReplyItem: Reply-Message += This is another Reply with spaces
radiusReplyItem: Reply-Message += This_is_yet_another_Reply_without_spaces

Now a test with radtest:

atlas:~# radtest testuser2 secret localhost 0 testing123
Sending Access-Request of id 7 to 127.0.0.1 port 1812
        User-Name = "testuser2"
        User-Password = "secret"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=7, length=97
        Framed-IP-Netmask = 255.255.255.0
        Framed-IP-Address = 192.168.0.112
        Reply-Message = "This_is_a_Reply"
        Reply-Message = "This_is_yet_another_Reply_without_spaces"
        Session-Timeout = 70115
atlas:~#

It looks like the Reply-Message items containing spaces are ignored; the debug
output of freeradius -XA says:

rad_recv: Access-Request packet from host 127.0.0.1:32784, id=33, length=61
        User-Name = "testuser2"
        User-Password = "secret"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
  modcall[authorize]: module "files" returns notfound for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser2
radius_xlat:  '(uid=testuser2)'
radius_xlat:  'dc=mogli,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldapserv1.mogli.de:389, authentication 0
rlm_ldap: bind as / to ldapserv1.mogli.de:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=mogli,dc=de, with filter (uid=testuser2)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusExpiration as Expiration, value 11 Jan 2006 13:00:00 & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFramedIPNetmask as Framed-IP-Netmask, value 255.255.255.0 & op=11
rlm_ldap: Adding radiusFramedIPAddress as Framed-IP-Address, value 192.168.0.112 & op=11
rlm_ldap: parsing radiusReplyItem failed: Reply-Message := foo bar
rlm_ldap: extracted attribute Reply-Message from generic item Reply-Message += This_is_a_Reply
rlm_ldap: parsing radiusReplyItem failed: Reply-Message += This is another Reply with spaces
rlm_ldap: extracted attribute Reply-Message from generic item Reply-Message += This_is_yet_another_Reply_without_spaces
rlm_ldap: user testuser2 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type ldap
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "testuser2" with password "secret"
rlm_ldap: user DN: uid=testuser2,ou=People,dc=mogli,dc=de
rlm_ldap: (re)connect to ldapserv1.mogli.de:389, authentication 1
rlm_ldap: bind as uid=testuser2,ou=People,dc=mogli,dc=de/secret to ldapserv1.mogli.de:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user testuser2 authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 0
modcall: leaving group LDAP (returns ok) for request 0
radius_xlat:  'This_is_a_Reply'
radius_xlat:  'This_is_yet_another_Reply_without_spaces'
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
radius_xlat:  '/var/log/freeradius/radacct/127.0.0.1/reply-detail-20060110'
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/reply-detail-20060110
  modcall[post-auth]: module "reply_log" returns ok for request 0
rlm_sql (sql): Processing sql_postauth
radius_xlat:  'testuser2'
rlm_sql (sql): sql_set_user escaped user --> 'testuser2'
radius_xlat:  'INSERT into radpostauth (id, user, pass, reply, date) values ('', 'testuser2', 'secret', 'Access-Accept', NOW())'
rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'testuser2', 'secret', 'Access-Accept', NOW())
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
  modcall[post-auth]: module "sql" returns ok for request 0
modcall: leaving group post-auth (returns ok) for request 0
Sending Access-Accept of id 33 to 127.0.0.1 port 32784
        Framed-IP-Netmask = 255.255.255.0
        Framed-IP-Address = 192.168.0.112
        Reply-Message += "This_is_a_Reply"
        Reply-Message += "This_is_yet_another_Reply_without_spaces"
        Session-Timeout := 70038
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 33 with timestamp 43c3e1aa
Nothing to do.  Sleeping until we see a request.


There seems to be (still?) a problem with spaces:

rlm_ldap: parsing radiusReplyItem failed: Reply-Message := foo bar
rlm_ldap: parsing radiusReplyItem failed: Reply-Message += This is another Reply with spaces

To be sure it is not due to "+=", I entered the following two users in LDAP (again
as LDIF):
# testuser3, People, mogli.de
dn: uid=testuser3,ou=People,dc=mogli,dc=de
cn: testuser3
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: radiusprofile
uidNumber: 501
gidNumber: 100
homeDirectory: /home/testuser1
loginShell: /bin/bash
uid: testuser3
dialupAccess: 1
userPassword: {CRYPT}sefjKaLm7zybE
radiusReplyItem: Reply-Message := foo bar

# testuser4, People, mogli.de
dn: uid=testuser4,ou=People,dc=mogli,dc=de
cn: testuser4
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: radiusprofile
uidNumber: 501
gidNumber: 100
homeDirectory: /home/testuser1
loginShell: /bin/bash
uid: testuser4
dialupAccess: 1
userPassword: {CRYPT}sefjKaLm7zybE
radiusReplyItem: Reply-Message := foo_bar

radtest says:
atlas:~# radtest testuser3 secret localhost 0 testing123
Sending Access-Request of id 243 to 127.0.0.1 port 1812
        User-Name = "testuser3"
        User-Password = "secret"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=243, length=20
atlas:~# radtest testuser4 secret localhost 0 testing123
Sending Access-Request of id 248 to 127.0.0.1 port 1812
        User-Name = "testuser4"
        User-Password = "secret"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=248, length=29
        Reply-Message = "foo_bar"
atlas:~#


The debug output is similar to that for testuser2:
rad_recv: Access-Request packet from host 127.0.0.1:32791, id=243, length=61
        User-Name = "testuser3"
        User-Password = "secret"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
  modcall[authorize]: module "files" returns notfound for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser3
radius_xlat:  '(uid=testuser3)'
radius_xlat:  'dc=mogli,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=mogli,dc=de, with filter (uid=testuser3)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: parsing radiusReplyItem failed: Reply-Message := foo bar
rlm_ldap: user testuser3 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
  rad_check_password:  Found Auth-Type ldap
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 1
rlm_ldap: - authenticate
rlm_ldap: login attempt by "testuser3" with password "secret"
rlm_ldap: user DN: uid=testuser3,ou=People,dc=mogli,dc=de
rlm_ldap: (re)connect to ldapserv1.mogli.de:389, authentication 1
rlm_ldap: bind as uid=testuser3,ou=People,dc=mogli,dc=de/secret to ldapserv1.mogli.de:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user testuser3 authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 1
modcall: leaving group LDAP (returns ok) for request 1
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 1
radius_xlat:  '/var/log/freeradius/radacct/127.0.0.1/reply-detail-20060110'
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/reply-detail-20060110
  modcall[post-auth]: module "reply_log" returns ok for request 1
rlm_sql (sql): Processing sql_postauth
radius_xlat:  'testuser3'
rlm_sql (sql): sql_set_user escaped user --> 'testuser3'
radius_xlat:  'INSERT into radpostauth (id, user, pass, reply, date) values ('', 'testuser3', 'secret', 'Access-Accept', NOW())'
rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'testuser3', 'secret', 'Access-Accept', NOW())
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
  modcall[post-auth]: module "sql" returns ok for request 1
modcall: leaving group post-auth (returns ok) for request 1
Sending Access-Accept of id 243 to 127.0.0.1 port 32791
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:32792, id=248, length=61
        User-Name = "testuser4"
        User-Password = "secret"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
  modcall[authorize]: module "files" returns notfound for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser4
radius_xlat:  '(uid=testuser4)'
radius_xlat:  'dc=mogli,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=mogli,dc=de, with filter (uid=testuser4)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: extracted attribute Reply-Message from generic item Reply-Message := foo_bar
rlm_ldap: user testuser4 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 2
modcall: leaving group authorize (returns ok) for request 2
  rad_check_password:  Found Auth-Type ldap
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 2
rlm_ldap: - authenticate
rlm_ldap: login attempt by "testuser4" with password "secret"
rlm_ldap: user DN: uid=testuser4,ou=People,dc=mogli,dc=de
rlm_ldap: (re)connect to ldapserv1.mogli.de:389, authentication 1
rlm_ldap: bind as uid=testuser4,ou=People,dc=mogli,dc=de/secret to ldapserv1.mogli.de:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user testuser4 authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 2
modcall: leaving group LDAP (returns ok) for request 2
radius_xlat:  'foo_bar'
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 2
radius_xlat:  '/var/log/freeradius/radacct/127.0.0.1/reply-detail-20060110'
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/reply-detail-20060110
  modcall[post-auth]: module "reply_log" returns ok for request 2
rlm_sql (sql): Processing sql_postauth
radius_xlat:  'testuser4'
rlm_sql (sql): sql_set_user escaped user --> 'testuser4'
radius_xlat:  'INSERT into radpostauth (id, user, pass, reply, date) values ('', 'testuser4', 'secret', 'Access-Accept', NOW())'
rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'testuser4', 'secret', 'Access-Accept', NOW())
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
  modcall[post-auth]: module "sql" returns ok for request 2
modcall: leaving group post-auth (returns ok) for request 2
Sending Access-Accept of id 248 to 127.0.0.1 port 32792
        Reply-Message := "foo_bar"
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 243 with timestamp 43c3e448
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 248 with timestamp 43c3e44b
Nothing to do.  Sleeping until we see a request.


Of course there could be another error on my side, but it seems that LDAP reply items
containing spaces are not parsed correctly.

If I can test some more, just let me know; sorry to be of no more help!

regards
   markus


--
Markus Krause                           email: krause at biochem.mpg.de
Computing Center                        Tel.: 089 - 89 40 85 99
Group Lottspeich / Proteomics           Fax.: 089 - 89 40 85 98

---------------------------------------------------------------------
     This message was sent using https://webmail.biochem.mpg.de
If you encounter any problems please report to rz-linux at biochem.mpg.de
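An added example that is not part of this thread, of FreeRADIUS, or of the bug #261 patch: a small Python model of two ways to parse the `Attribute op value` strings stored in radiusReplyItem, run over the four values copied from the testuser2 LDIF above (everything else in the block is constructed). The whitespace-split parser is a hypothetical stand-in for "cannot handle spaces in the value" and reproduces exactly what the debug output shows: the two items whose value contains a space are dropped, and the reply list is built from the rest. The rest-of-line parser treats everything after the operator as the value, with optional surrounding double quotes. The operator semantics used here (`:=` replaces, `+=` appends, `=` adds only if absent) are assumptions modelled on the users-file conventions, not taken from rlm_ldap.

```python
import re

# Constructed for this example: the four radiusReplyItem values from the
# testuser2 LDIF shown above, in directory order.
TESTUSER2_ITEMS = [
    "Reply-Message := foo bar",
    "Reply-Message += This_is_a_Reply",
    "Reply-Message += This is another Reply with spaces",
    "Reply-Message += This_is_yet_another_Reply_without_spaces",
]

# Operators accepted between attribute and value. The list and the reply
# semantics in build_reply() are assumptions modelled on the users-file
# conventions, not taken from rlm_ldap.
OPERATORS = [":=", "+=", "==", "!=", ">=", "<=", "=~", "!~", "=*", "!*", "=", ">", "<"]

# Attribute name, optional whitespace, operator, optional whitespace, then
# the remainder of the line as the value (trailing whitespace trimmed).
PAIR_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*("
    + "|".join(re.escape(op) for op in OPERATORS)
    + r")\s*(.*?)\s*$"
)


def parse_pair_whitespace_split(item):
    """Hypothetical naive parser: split on whitespace and require exactly
    three tokens. Any value containing a space fails to parse."""
    parts = item.split()
    if len(parts) != 3 or parts[1] not in OPERATORS:
        return None
    return parts[0], parts[1], parts[2]


def parse_pair(item):
    """Parse 'Attribute op value' with the value being the rest of the
    line. Surrounding double quotes are stripped; inner spaces are kept."""
    m = PAIR_RE.match(item)
    if not m:
        return None
    attr, op, value = m.groups()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return attr, op, value


def build_reply(items, parser=parse_pair):
    """Fold reply-item strings into (attribute, value) pairs.
    Returns (reply_pairs, failed_items). A parse failure is recorded and
    skipped rather than fatal, mirroring the debug output above where
    'parsing radiusReplyItem failed' is followed by the user still being
    authorized with whatever did parse."""
    reply = []
    failed = []
    for item in items:
        parsed = parser(item)
        if parsed is None:
            failed.append(item)
            continue
        attr, op, value = parsed
        if op == ":=":          # replace every existing value of attr
            reply = [(a, v) for a, v in reply if a != attr]
            reply.append((attr, value))
        elif op == "+=":        # always append another instance
            reply.append((attr, value))
        elif op == "=":         # add only if attr is not present yet
            if not any(a == attr for a, _ in reply):
                reply.append((attr, value))
        else:                   # comparison operators have no reply meaning
            failed.append(item)
    return reply, failed


def reply_values(items, parser=parse_pair, attr="Reply-Message"):
    """The values of one attribute in the final reply list."""
    reply, _ = build_reply(items, parser)
    return [v for a, v in reply if a == attr]


if __name__ == "__main__":
    for name, parser in (("whitespace-split", parse_pair_whitespace_split),
                         ("rest-of-line", parse_pair)):
        reply, failed = build_reply(TESTUSER2_ITEMS, parser)
        print(f"{name}: {len(reply)} reply pairs, {len(failed)} items dropped")
        for item in failed:
            print("  dropped:", item)
        for attr, value in reply:
            print(f"  {attr} = {value!r}")
```

The point to take from the failed list is the one visible in the testuser3 run above: a reply item that does not parse is logged and then ignored, and the Access-Accept goes out without it (length=20, no attributes at all). For Reply-Message that is cosmetic; for the radiusTunnel* or Framed-IP attributes in the same entry it would mean a user is accepted without the VLAN or address assignment the directory was supposed to impose, so anyone relying on directory-held reply items should grep -X output for "parsing radiusReplyItem failed" after changing them. The same debug output also prints the cleartext password in the rlm_ldap bind line, and the sql_postauth INSERT stores it in the radpostauth pass column; both need the same handling as any other credential store.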
