bug in rlm_ldap?
Norbert Wegener
nw at sbs.de
Fri Dec 16 17:25:16 CET 2005
Dusty Doris wrote:
> Did you get the second email I sent. I don't believe you can use that
> check item from ldap in the users file. Try the ldap-group options I
> sent over in the last email. That should work for you.
Thank you, I got it and already tried that attribute. The behaviour is a
bit better, but does not really lead to the desired result, as the
client gets an:
Incoming RADIUS packet did not have correct Message-Authenticator - dropped
With a users file:
###############
DEFAULT Ldap-Group == "515", Auth-Type := Accept
        Framed-Type = Framed,
        Tunnel-Type:1 = VLAN,
        Tunnel-Medium-Type:1 = IEEE-802,
        Tunnel-Private-Group-ID:1 = 100
DEFAULT Auth-Type := Reject
an ldap module:
ldap ldap1 {
        server = "globalcatalogue"
        port = 3268 # global catalogue server
        identity = "testrad at TDE002.MYDOM.NET"
        password = "mypass"
        basedn = "dc=MYDOM,dc=NET"
        filter = "(&(servicePrincipalName=%{Stripped-User-Name:-%{User-Name}})(objectClass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
        ldap_debug = 0xFFFF
        timeout = 40
        timelimit = 30
        net_timeout = 10
        tls {
                start_tls = no
        }
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        groupmembership_attribute = "primaryGroupID"
}
a files section of:
files files1 {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        preproxy_usersfile = ${confdir}/preproxy_users
        compat = no
}
and an authorize section:
authorize {
        preprocess
        eap
        ldap1 {
                notfound = reject
        }
        files1 {
                notfound = reject
        }
}
radiusd -AX gives me:
....
....
rlm_ldap::ldap_groupcmp: User found in group 515
rlm_ldap: ldap_release_conn: Release Id: 0
users: Matched entry DEFAULT at line 1
modcall[authorize]: module "files1" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
Sending Access-Accept of id 0 to 149.246.133.44 port 32770
Tunnel-Type:1 = VLAN
Tunnel-Medium-Type:1 = IEEE-802
Tunnel-Private-Group-Id:1 = "100"
Finished request 0
Seems ok, but unfortunately on the other side, the result is not that
good. Alan proposed eapol_test recently for testing of such
connections (thank you, very useful) and this tool shows me:
...
Received RADIUS message
RADIUS message: code=2 (Access-Accept) identifier=0 length=38
Attribute 64 (?Unknown?) length=6
Attribute 65 (?Unknown?) length=6
Attribute 81 (?Unknown?) length=6
STA 00:00:00:00:00:02: Received RADIUS packet matched with a pending request, round trip time 0.15 sec
No Message-Authenticator attribute found
Incoming RADIUS packet did not have correct Message-Authenticator - dropped
STA 00:00:00:00:00:02: No RADIUS RX handler found (type=0 code=2 id=0) - dropping packet
EAPOL: startWhen --> 0
EAPOL test timed out
MPPE keys OK: 0 mismatch: 1
FAILURE
Any idea?
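Added example, not part of the list post or of FreeRADIUS/eapol_test: a small Python check that performs the Message-Authenticator verification eapol_test applies to the reply above (RFC 3579 section 3.2, HMAC-MD5 keyed with the shared secret over the packet with the attribute value zeroed and the Request Authenticator in the header) and reports the same three outcomes, missing, ok or bad. The 38-byte Access-Accept with attributes 64, 65 and 81 is rebuilt from the debug output as a constructed sample; the shared secret and the Request Authenticator are assumed values.

```python
import hashlib, hmac, struct

# RFC 2865 / RFC 2868 / RFC 2869 constants used below
ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
MESSAGE_AUTHENTICATOR = 80

def build_packet(code, ident, authenticator, attrs):
    """Assemble a RADIUS packet from (type, value) attribute pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_attrs(pkt):
    """Split the attribute section of a packet into (type, value) pairs."""
    attrs, pos = [], 20
    while pos + 2 <= len(pkt):
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2:
            break  # malformed length, stop rather than loop forever
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return attrs

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(build_packet(code, ident, request_auth, attrs) + secret).digest()

def message_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 3579 3.2: HMAC-MD5 over the packet, MA value zeroed, Request Authenticator in header."""
    zeroed = [(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, build_packet(code, ident, request_auth, zeroed), hashlib.md5).digest()

def check_message_authenticator(pkt, secret, request_auth):
    """Return 'missing', 'ok' or 'bad', the outcomes eapol_test distinguishes."""
    attrs = parse_attrs(pkt)
    found = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if not found:
        return "missing"
    expected = message_authenticator(pkt[0], pkt[1], request_auth, attrs, secret)
    return "ok" if hmac.compare_digest(found[0], expected) else "bad"

# Constructed sample: the 38-byte Access-Accept from the debug output (tag 1 tunnel attributes, no MA)
SECRET = b"testing123"        # assumed shared secret
REQ_AUTH = bytes(range(16))   # constructed Request Authenticator of the matching Access-Request
TUNNEL_ATTRS = [(TUNNEL_TYPE, b"\x01\x00\x00\x0d"),            # tag 1, VLAN (13)
                (TUNNEL_MEDIUM_TYPE, b"\x01\x00\x00\x06"),     # tag 1, IEEE-802 (6)
                (TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"100")]   # tag 1, "100"

def build_accept(with_ma):
    """The reply as logged (with_ma=False) or the same reply with a valid Message-Authenticator."""
    attrs = list(TUNNEL_ATTRS)
    if with_ma:
        attrs.append((MESSAGE_AUTHENTICATOR, message_authenticator(
            ACCESS_ACCEPT, 0, REQ_AUTH, attrs + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)], SECRET)))
    return build_packet(ACCESS_ACCEPT, 0, response_authenticator(ACCESS_ACCEPT, 0, REQ_AUTH, attrs, SECRET), attrs)
```

Running the check over `build_accept(False)` gives "missing", the condition eapol_test reported before dropping the packet; a reply that carries the attribute verifies as "ok" with the right secret and "bad" once any byte is altered.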