problem with ldap search filter with '/'s (front slashes)

Mark T. Valites mvalites at buffalo.edu
Tue Dec 12 23:03:15 CET 2006


On Tue, 12 Dec 2006, Kostas Kalevras wrote:

> Mark T. Valites wrote:
>
>> I'm trying to set up authentication to a SunOne Directory that requires not 
>> only a successful bind with by radius on behalf of the user attempting to 
>> authenticate to it, but also a specified LDAP search filter to return a 
>> result as well. I can't seem to get the freeradius ldap module to return 
>> any result when the value of the attribute I'm comparing against contains a 
>> '/', as often found in the 'homeDirectory' and 'loginShell' LDAP 
>> attributes.
>> 
>> From the command line, the search and filter return correctly:
>> 
>> 
>> $ ldapsearch -v -H ldaps://ldapserver.domain.com \
>>   -b ou=people,dc=domain,dc=com -x -D \
>>   "uid=myuid,ou=people,dc=domain,dc=com" -W \
>>   '(&(uid=myuid)(loginShell=/bin/tcsh))'
>> 
>> The corresponding SunOne log:
>> 
>> [12/Dec/2006:11:10:24 -0500] conn=4896 op=-1 msgId=-1 - fd=45 slot=45 LDAPS 
>> connection from www.xxx.yyy.zzz to xxx.yyy.zzz.www
>> [12/Dec/2006:11:10:24 -0500] conn=4896 op=0 msgId=1 - BIND 
>> dn="uid=myuid,ou=people,dc=domain,dc=com" method=128 version=3
>> [12/Dec/2006:11:10:24 -0500] conn=4896 op=0 msgId=1 - RESULT err=0 tag=97 
>> nentries=0 etime=0 dn="uid=myuid,ou=people,dc=domain,dc=com"
>> [12/Dec/2006:11:10:24 -0500] conn=4896 op=1 msgId=2 - SRCH 
>> base="ou=people,dc=domain,dc=com" scope=2 
>> filter="(&(uid=myuid)(loginShell=/bin/tcsh))" 
>> attrs=ALL
>> [12/Dec/2006:11:10:24 -0500] conn=4896 op=1 msgId=2 - RESULT err=0 
>> tag=101 nentries=1 etime=0
>> [12/Dec/2006:11:10:24 -0500] conn=4896 op=2 msgId=3 - UNBIND
>> [12/Dec/2006:11:10:24 -0500] conn=4896 op=2 msgId=-1 - closing - U1
>> [12/Dec/2006:11:10:25 -0500] conn=4896 op=-1 msgId=-1 - closed.
>> 
>> A snippet from my radiusd.conf:
>>
>>    server = "ldapserver.domain.com"
>>    basedn = "ou=people,dc=domain,dc=com"
>>    filter = "(&(uid=%u)(loginshell=/bin/tcsh))"
>> 
>> The output from running radiusd in debug mode:
>> 
>> rlm_ldap: - authorize
>> rlm_ldap: performing user authorization for myuid
>> radius_xlat:  '(&(uid=myuid)(loginShell=/bin/tcsh))'
>> radius_xlat:  'ou=people,dc=domain,dc=com'
>> rlm_ldap: ldap_get_conn: Checking Id: 0
>> rlm_ldap: ldap_get_conn: Got Id: 0
>> rlm_ldap: attempting LDAP reconnection
>> rlm_ldap: (re)connect to ldapserver.domain.com:636, authentication 0
>> rlm_ldap: setting TLS mode to 1
>> rlm_ldap: setting TLS Require Cert to never
>> rlm_ldap: bind as / to ldapserver.domain.com:636
>> TLS certificate verification: Error, Unknown error
>> rlm_ldap: waiting for bind result ...
>> request 1 done
>> rlm_ldap: Bind was successful
>> rlm_ldap: performing search in ou=people,dc=domain,dc=com, with filter 
>> (&(uid=myuid)(loginShell=/bin/tcsh))
>> request 2 done
>> rlm_ldap: object not found or got ambiguous search result
>> rlm_ldap: search failed
>> rlm_ldap: ldap_release_conn: Release Id: 0
>>   modcall[authorize]: module "ldap" returns notfound for request 0
>> modcall: leaving group authorize (returns ok) for request 0
>>   rad_check_password:  Found Auth-Type LDAP
>> auth: type "ldap"
>>   Processing the authenticate section of radiusd.conf
>> modcall: entering group authenticate for request 0
>> rlm_ldap: - authenticate
>> rlm_ldap: login attempt by "myuid" with password "mypasswd"
>> radius_xlat:  '(&(uid=myuid)(loginShell=/bin/tcsh))'
>> radius_xlat:  'ou=people,dc=domain,dc=com'
>> rlm_ldap: ldap_get_conn: Checking Id: 0
>> rlm_ldap: ldap_get_conn: Got Id: 0
>> rlm_ldap: performing search in ou=people,dc=domain,dc=com, with filter 
>> (&(uid=myuid)(loginShell=/bin/tcsh))
>> request 3 done
>> rlm_ldap: object not found or got ambiguous search result
>> rlm_ldap: ldap_release_conn: Release Id: 0
>>   modcall[authenticate]: module "ldap" returns notfound for request 0
>> modcall: leaving group authenticate (returns notfound) for request 0
>> auth: Failed to validate the user.
>> 
>> 
>> The corresponding SunOne log:
>> 
>> [12/Dec/2006:11:12:33 -0500] conn=4897 op=-1 msgId=-1 - fd=45 slot=45 LDAPS 
>> connection from www.xxx.yyy.zzz to xxx.yyy.zzz.www
>> [12/Dec/2006:11:12:33 -0500] conn=4897 op=0 msgId=1 - BIND dn="" method=128 
>> version=3
>> [12/Dec/2006:11:12:33 -0500] conn=4897 op=0 msgId=1 - RESULT err=0 tag=97 
>> nentries=0 etime=0 dn=""
>> [12/Dec/2006:11:12:33 -0500] conn=4897 op=1 msgId=2 - SRCH 
>> base="ou=people,dc=domina,dc=com" scope=2 
>> filter="(&(uid=myuid)(loginShell=/bin/tcsh))" attrs="radiusnasipaddress 
>> radiusexpiration acctflags ntpassword lmpassword radiuscallingstationid 
>> radiuscalledstationid radiussimultaneoususe radiusauthtype radiuscheckitem 
>> radiusreplymessage radiusloginlatport radiusportlimit 
>> radiusframedappletalkzone radiusframedappletalknetwork 
>> radiusframedappletalklink radiusloginlatgroup radiusloginlatnode 
>> radiusloginlatservice radiusterminationaction radiusidletimeout 
>> radiussessiontimeout radiusclass radiusframedipxnetwork radiuscallbackid 
>> radiuscallbacknumber radiuslogintcpport radiusloginservice 
>> radiusloginiphost radiusframedcompression radiusframedmtu radiusfilterid 
>> radiusframedrouting radiusframedroute radiusframedipnetmask 
>> radiusframedipaddress radiusframedprotocol radiusservicetype 
>> radiusreplyitem"
>> [12/Dec/2006:11:12:33 -0500] conn=4897 op=1 msgId=2 - RESULT err=0 tag=101 
>> nentries=0 etime=0
>> [12/Dec/2006:11:12:33 -0500] conn=4897 op=2 msgId=3 - SRCH 
>> base="ou=people,dc=domain,dc=com" scope=2 
>> filter="(&(uid=myuid)(loginShell=/bin/tcsh))" attrs="uid"
>> [12/Dec/2006:11:12:33 -0500] conn=4897 op=2 msgId=3 - RESULT err=0 tag=101 
>> nentries=0 etime=0
>
>
> Both searches in this log don't return any results. Also, compared to the 
> command line search, you are binding as anonymous in this case. So make sure 
> that anonymous searches work correctly.

The command line search did return something, but I didn't include the 
result.

Nonetheless, your reply helped me - an ACL on the loginShell and 
homeDirectory attributes was preventing me from seeing them. A command 
line ldapsearch with an anonymous bind made this very evident.

It was dumb luck that the filters with attributes other than loginShell and 
homeDirectory that I was checking weren't foiled by the ACL. I now clearly 
see the distinction between the ways authN and authZ work when 
connecting to ldap and the (now) obvious debug log entries. I'll either 
adjust attribute ACLs appropriately or bind as a user with privileges to 
see them.

Sorry for that noise and thank you for the help!

-Mark

-- 
Mark T. Valites
Senior Systems Administrator
University at Buffalo
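The diagnosis in this thread (err=0 with nentries=0 on an anonymous connection points at an attribute ACL, not at the '/' in the filter) can be automated against the SunOne access log. The script below is an added example, not code from the thread or from FreeRADIUS; its sample log lines are constructed, modelled on the ones quoted above, and the verdict strings are my own naming.

```python
import re
# Constructed sample lines modelled on the SunOne access log in the thread:
# conn 4897 bound anonymously, conn 4896 bound as the user.
SAMPLE_LOG = """\
[12/Dec/2006:11:12:33 -0500] conn=4897 op=0 msgId=1 - BIND dn="" method=128 version=3
[12/Dec/2006:11:12:33 -0500] conn=4897 op=1 msgId=2 - SRCH base="ou=people,dc=domain,dc=com" scope=2 filter="(&(uid=myuid)(loginShell=/bin/tcsh))" attrs="uid"
[12/Dec/2006:11:12:33 -0500] conn=4897 op=1 msgId=2 - RESULT err=0 tag=101 nentries=0 etime=0
[12/Dec/2006:11:10:24 -0500] conn=4896 op=0 msgId=1 - BIND dn="uid=myuid,ou=people,dc=domain,dc=com" method=128 version=3
[12/Dec/2006:11:10:24 -0500] conn=4896 op=1 msgId=2 - SRCH base="ou=people,dc=domain,dc=com" scope=2 filter="(&(uid=myuid)(loginShell=/bin/tcsh))" attrs=ALL
[12/Dec/2006:11:10:24 -0500] conn=4896 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
"""
LINE_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>-?\d+) msgId=-?\d+ - (?P<body>.*)$")
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
SRCH_RE = re.compile(r'^SRCH .*filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(r"^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<n>\d+)")

def diagnose_searches(log_text):
    """Pair every SRCH with its RESULT (same conn and op) and classify it.

    err=0 with nentries=0 means the filter parsed and ran but matched no
    visible entry; on an anonymous connection (BIND dn="") that points at
    an ACL hiding the attribute, not at the filter syntax. Returns a list
    of (conn, bind_dn, filter, verdict) tuples.
    """
    bind_dn = {}   # conn -> DN used in the BIND (anonymous is "")
    pending = {}   # (conn, op) -> filter text awaiting its RESULT
    verdicts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, op, body = m.group("conn"), m.group("op"), m.group("body")
        if (b := BIND_RE.match(body)):
            bind_dn[conn] = b.group("dn")
        elif (s := SRCH_RE.match(body)):
            pending[(conn, op)] = s.group("filter")
        elif (r := RESULT_RE.match(body)) and r.group("tag") == "101" and (conn, op) in pending:
            flt = pending.pop((conn, op))          # tag 101 = SearchResultDone
            dn = bind_dn.get(conn, "")            # no BIND seen -> anonymous
            if r.group("err") != "0":
                verdict = "error"
            elif int(r.group("n")) > 0:
                verdict = "match"
            elif dn == "":
                verdict = "no-match-anonymous-check-acl"
            else:
                verdict = "no-match-bound"
            verdicts.append((conn, dn, flt, verdict))
    return verdicts
```

Run it over the real access log to see at a glance which searches came back empty on an anonymous bind; those are the ones to test again with a bound DN or after adjusting the attribute ACLs.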
