using previous DN in DEFAULT
Rohaizam Abu Bakar
haizam at myjaring.net
Mon Jul 24 06:47:42 CEST 2006
I'm still can't find solution.. why it keep referring to previous DN to do
LDAP bind... although both Autz-Type & Auth-Type already been sent (in debug
log) to the correct one...
--haizam
----- Original Message -----
From: "Rohaizam Abu Bakar" <haizam at myjaring.net>
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Thursday, July 20, 2006 2:51 PM
Subject: using previous DN in DEFAULT
> Hi..
>
> Freeradius 1.1.2
> OS : FreeBSD 6.1
>
> Referring to below debug logs and config.. I'm planning to have 2 DEFAULT
> entries in users.. One that read LDAP tree ou=DIALUP & one ou=RADIUS
>
> but 1st DEFAULT entry will only be matched if it contain attribute
> "jaringService = REAL" in ou=DIALUP.. Other than that it will match 2nd
> entry...
>
> But the problem is that although first DEFAULT is NOT matched, and matched
> 2nd DEFAULT (Auth & Autz Type LDAP), it will still bind using ou=DIALUP
> (from 1st DEFAULT) to LDAP....
>
>>>>rlm_ldap: user DN:
>>>>uniqueIdentifier=10614,ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my
>
> The problem happen when both LDAP tree has entry with same uid... but
> different password and belong to different person.
>
>
> users:-
> ====
>
> ## NEW Dialup (REAL TIME)
> DEFAULT ldapdialup1-Ldap-Group == "REAL", Autz-Type := DIALUP,
> Auth-Type :=DIALUP
>
> ## NORMAL DIALUP
> DEFAULT Autz-Type := LDAP, Auth-Type := LDAP
>
>
> radiusd.conf
> ========
>
> ldap ldap1 {
> basedn = "ou=RADIUS,ou=People,dc=jaring,dc=my"
> groupname_attribute = jaringConnectionType
> groupmembership_filter =
> "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
> }
> ldap ldap2 {
> basedn = "ou=RADIUS,ou=People,dc=jaring,dc=my"
> groupname_attribute = jaringConnectionType
> groupmembership_filter =
> "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
> }
> ldap ldapdialup1 {
> basedn = "ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my"
> groupname_attribute = jaringService
> groupmembership_filter =
> "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
> }
> ldap ldapdialup2 {
> basedn = "ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my"
> groupname_attribute = jaringService
> groupmembership_filter =
> "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
> }
>
> Autz-Type LDAP {
> redundant {
> ldap1
> ldap2
> }
> }
> Autz-Type DIALUP {
> redundant {
> ldapdialup1
> ldapdialup2
> }
> }
>
> Auth-Type LDAP {
> redundant {
> ldap1
> ldap2
> }
> }
> Auth-Type DIALUP {
> redundant {
> ldapdialup1
> ldapdialup2
> }
> }
>
>
> debug:-
> =====
>
> rad_recv: Access-Request packet from host xxxxxxxxxxxxxxx:60005, id=41,
> length=46
> User-Name = "bacang"
> User-Password = "xxxxxx"
> rad_rmspace_pair: User-Name now 'bacang'
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> modcall[authorize]: module "chap" returns noop for request 0
> modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: No '/' in User-Name = "bacang", skipping NULL due to config.
> modcall[authorize]: module "IPASS" returns noop for request 0
> rlm_realm: No '@' in User-Name = "bacang", looking up realm NULL
> rlm_realm: Found realm "NULL"
> rlm_realm: Adding Stripped-User-Name = "bacang"
> rlm_realm: Proxying request from user bacang to realm NULL
> rlm_realm: Adding Realm = "NULL"
> rlm_realm: Authentication realm is LOCAL.
> modcall[authorize]: module "suffix" returns noop for request 0
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 0
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat: 'ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my'
> radius_xlat: '(uid=bacang)'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to xxxxxxxxx:389, authentication 0
> rlm_ldap: bind as cn=xxxxxxxxx,ou=Applications,dc=jaring,dc=my/xxxxxxxxxxx
> to xxxxxxxxx:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my,
> with filter (uid=bacang)
> rlm_ldap: ldap_release_conn: Release Id: 0
> radius_xlat: '(&(uid=bacang)(objectclass=radiusprofile))'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my,
> with filter
> (&(jaringService=REAL)(&(uid=bacang)(objectclass=radiusprofile)))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group REAL not found or user is not a member.
> users: Matched entry DEFAULT at line 23
> modcall[authorize]: module "files" returns ok for request 0
> modcall: leaving group authorize (returns ok) for request 0
> Found Autz-Type LDAP
> Processing the authorize section of radiusd.conf
> modcall: entering group LDAP for request 0
> modcall: entering group redundant for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for bacang
> radius_xlat: '(uid=bacang)'
> radius_xlat: 'ou=RADIUS,ou=People,dc=jaring,dc=my'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to xxxxxxxxxx:389, authentication 0
> rlm_ldap: bind as cn=xxxxxxxxx,ou=Applications,dc=jaring,dc=my/xxxxxxxxxxx
> to xxxxxxxxxxxx:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=RADIUS,ou=People,dc=jaring,dc=my, with
> filter (uid=bacang)
> rlm_ldap: checking if remote access for bacang is allowed by dialupAccess
> rlm_ldap: Added password {CRYPT}Y3EhshegMNPxA in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value
> Van-Jacobson-TCP-IP & op=11
> rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500 & op=11
> rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP &
> op=11
> rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User &
> op=11
> rlm_ldap: user bacang authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap1" returns ok for request 0
> modcall: leaving group redundant (returns ok) for request 0
> modcall: leaving group LDAP (returns ok) for request 0
> rad_check_password: Found Auth-Type LDAP
> auth: type "LDAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group LDAP for request 0
> modcall: entering group redundant for request 0
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "bacang" with password "xxxxxxxx"
> rlm_ldap: user DN:
> uniqueIdentifier=10614,ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my
> rlm_ldap: (re)connect to xxxxxxxxxxxxxx:389, authentication 1
> rlm_ldap: bind as
> uniqueIdentifier=10614,ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my/xxxxxxxxx
> to xxxxxxxxxxxx:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind failed with invalid credentials
> modcall[authenticate]: module "ldap1" returns reject for request 0
> modcall: leaving group redundant (returns reject) for request 0
> modcall: leaving group LDAP (returns reject) for request 0
> auth: Failed to validate the user.
> Login incorrect (rlm_ldap: Bind as user failed): [bacang] (from client
> sysadmin port 0)
>
>
>
> - List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
More information about the Freeradius-Users
mailing list