rlm_ldap: multiple user profile attributes combined with multiple user attributes

Florian Reinholz me at netvipe.com
Sun Jun 17 14:01:18 CEST 2007


hi,

I'm currently trying to set up a scalable FreeRADIUS implementation based 
on rlm_ldap.
Everything works really fine except for one thing:

Two major profiles are provided:

1. L2TP settings for my local NAS
2. L2TP settings for the NAS of another carrier

There are always at least 2 vendor-specific attributes for each profile.
All users are mapped to their specific profile.
Some users have their own attributes, which must extend the profile 
attributes.

For example:

profiles

    -- local
         radiusTunnelServerID = local
         Cisco-AVPair = +=lcp:interface-config=ip vrf forwarding LO
         Cisco-AVPair = +=lcp:interface-config=ip os netw broadcast

    -- remote
         radiusTunnelServerID = remote
         Cisco-AVPair = +=lcp:interface-config=ip vrf forwarding RE
         Cisco-AVPair = +=lcp:interface-config=ip rip trigger


users

    -- user01
         radiusProfileDN = cn=local,ou=profiles,ou=radius,dc=acme,dc=com
         Cisco-AVPair = +=lcp:interface-config=descr Local
         Cisco-AVPair = +=lcp:interface-config=service output qos_user01

    -- user02
         radiusProfileDN = cn=remote,ou=profiles,ou=radius,dc=acme,dc=com
         Cisco-AVPair = +=lcp:interface-config=descr Remote
         Cisco-AVPair = +=lcp:interface-config=service output qos_user02


The radiusd debug shows me that all attributes are processed and OK, but 
only the user-specific attributes are replied.
The result is OK when I define profile attributes, but not when I 
combine user and profile attributes.

Thanks in advance for your help!

Best regards

Florian


-- START radiusd DEBUG --

rad_recv: Access-Request packet from host 127.0.0.1:33570, id=21, length=92
         Service-Type = Framed-User
         Framed-Protocol = PPP
         NAS-Port = 1041
         NAS-Port-Id = "Uniq-Sess-ID1041"
         NAS-Port-Type = Virtual
         NAS-IP-Address = 1.2.3.4
         User-Name = "test"
         User-Password = "test"
Sun Jun 17 13:32:46 2007 : Debug:   Processing the authorize section of 
radiusd.conf
Sun Jun 17 13:32:46 2007 : Debug: modcall: entering group authorize for 
request 0
Sun Jun 17 13:32:46 2007 : Debug:   modsingle[authorize]: calling 
preprocess (rlm_preprocess) for request 0
Sun Jun 17 13:32:46 2007 : Debug:   modsingle[authorize]: returned from 
preprocess (rlm_preprocess) for request 0
Sun Jun 17 13:32:46 2007 : Debug:   modcall[authorize]: module 
"preprocess" returns ok for request 0
Sun Jun 17 13:32:46 2007 : Debug:   modsingle[authorize]: calling chap 
(rlm_chap) for request 0
Sun Jun 17 13:32:46 2007 : Debug:   modsingle[authorize]: returned from 
chap (rlm_chap) for request 0
Sun Jun 17 13:32:46 2007 : Debug:   modcall[authorize]: module "chap" 
returns noop for request 0
Sun Jun 17 13:32:46 2007 : Debug:   modsingle[authorize]: calling mschap 
(rlm_mschap) for request 0
Sun Jun 17 13:32:46 2007 : Debug:   modsingle[authorize]: returned from 
mschap (rlm_mschap) for request 0
Sun Jun 17 13:32:46 2007 : Debug:   modcall[authorize]: module "mschap" 
returns noop for request 0
Sun Jun 17 13:32:46 2007 : Debug:   modsingle[authorize]: calling IPASS 
(rlm_realm) for request 0
Sun Jun 17 13:32:46 2007 : Debug:     rlm_realm: No '/' in User-Name = 
"test", looking up realm NULL
Sun Jun 17 13:32:46 2007 : Debug:     rlm_realm: No such realm "NULL"
Sun Jun 17 13:32:46 2007 : Debug:   modsingle[authorize]: returned from 
IPASS (rlm_realm) for request 0
Sun Jun 17 13:32:46 2007 : Debug:   modcall[authorize]: module "IPASS" 
returns noop for request 0
Sun Jun 17 13:32:46 2007 : Debug:   modsingle[authorize]: calling suffix 
(rlm_realm) for request 0
Sun Jun 17 13:32:46 2007 : Debug:     rlm_realm: No '@' in User-Name = 
"test", looking up realm NULL
Sun Jun 17 13:32:46 2007 : Debug:     rlm_realm: No such realm "NULL"
Sun Jun 17 13:32:46 2007 : Debug:   modsingle[authorize]: returned from 
suffix (rlm_realm) for request 0
Sun Jun 17 13:32:46 2007 : Debug:   modcall[authorize]: module "suffix" 
returns noop for request 0
Sun Jun 17 13:32:46 2007 : Debug:   modsingle[authorize]: calling 
ntdomain (rlm_realm) for request 0
Sun Jun 17 13:32:46 2007 : Debug:     rlm_realm: No '\' in User-Name = 
"test", looking up realm NULL
Sun Jun 17 13:32:46 2007 : Debug:     rlm_realm: No such realm "NULL"
Sun Jun 17 13:32:46 2007 : Debug:   modsingle[authorize]: returned from 
ntdomain (rlm_realm) for request 0
Sun Jun 17 13:32:46 2007 : Debug:   modcall[authorize]: module 
"ntdomain" returns noop for request 0
Sun Jun 17 13:32:46 2007 : Debug:   modsingle[authorize]: calling eap 
(rlm_eap) for request 0
Sun Jun 17 13:32:46 2007 : Debug:   rlm_eap: No EAP-Message, not doing EAP
Sun Jun 17 13:32:46 2007 : Debug:   modsingle[authorize]: returned from 
eap (rlm_eap) for request 0
Sun Jun 17 13:32:46 2007 : Debug:   modcall[authorize]: module "eap" 
returns noop for request 0
Sun Jun 17 13:32:46 2007 : Debug:   modsingle[authorize]: calling ldap 
(rlm_ldap) for request 0
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: - authorize
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: performing user 
authorization for test
Sun Jun 17 13:32:46 2007 : Debug: radius_xlat: 
'(|(&(objectClass=radiusUser)(uid=test))(&(objectClass=radiusUser)(cn=test)))'
Sun Jun 17 13:32:46 2007 : Debug: radius_xlat: 
'ou=radius,ou=services,dc=acme,dc=com'
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: attempting LDAP reconnection
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: (re)connect to 
127.0.0.1:389, authentication 0
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: bind as 
cn=read,ou=radius,ou=services,dc=acme,dc=com/radius to 127.0.0.1:389
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: waiting for bind result ...
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: Bind was successful
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: performing search in 
ou=radius,ou=services,dc=acme,dc=com, with filter 
(|(&(objectClass=radiusUser)(uid=test))(&(objectClass=radiusUser)(cn=test)))
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: checking if remote access 
for test is allowed by dialupAccess
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: performing search in 
cn=Default,ou=profiles,ou=radius,ou=services,dc=acme,dc=com, with filter 
(objectClass=radiusObject)
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: Adding radiusFramedProtocol 
as Framed-Protocol, value PPP & op=11
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: Adding radiusServiceType as 
Service-Type, value Framed & op=11
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: performing search in 
cn=test,cn=wonderland,ou=profiles,ou=radius,ou=services,dc=acme,dc=com, 
with filter (objectClass=radiusObject)
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: Adding Cisco-AVpair as 
Cisco-AVPair, value lcp:interface-config=ip rip trigger & op=8
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: Adding 
radiusTunnelServerAuthId as Tunnel-Server-Auth-ID, value server01 & op=11
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: Adding 
radiusTunnelClientAuthId as Tunnel-Client-Auth-ID, value client01 & op=11
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: Adding radiusTunnelPassword 
as Tunnel-Password, value acme& op=11
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: Adding 
radiusTunnelServerEndpoint as Tunnel-Server-Endpoint, value 5.6.7.8 & op=11
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: Adding 
radiusTunnelMediumType as Tunnel-Medium-Type, value 1 & op=11
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: Adding radiusTunnelType as 
Tunnel-Type, value L2TP & op=11
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: Adding radiusFramedProtocol 
as Framed-Protocol, value PPP & op=11
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: Adding radiusServiceType as 
Service-Type, value Framed & op=11
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: extracted attribute 
Cisco-AVPair from generic item Cisco-AVPair += "lcp:interface-config=ip 
os netw broadcast"
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: Added password test in check 
items
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: looking for check items in 
directory...
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: looking for reply items in 
directory...
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: Adding Cisco-AVpair as 
Cisco-AVPair, value lcp:interface-config=descr User: test & op=8
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: Adding Cisco-AVpair as 
Cisco-AVPair, value lcp:interface-config=service-policy output 
QoS_egress & op=8
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: Setting Auth-Type = ldap
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: user test authorized to use 
remote access
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Sun Jun 17 13:32:46 2007 : Debug:   modsingle[authorize]: returned from 
ldap (rlm_ldap) for request 0
Sun Jun 17 13:32:46 2007 : Debug:   modcall[authorize]: module "ldap" 
returns ok for request 0
Sun Jun 17 13:32:46 2007 : Debug: modcall: leaving group authorize 
(returns ok) for request 0
Sun Jun 17 13:32:46 2007 : Debug:   rad_check_password:  Found Auth-Type 
ldap
Sun Jun 17 13:32:46 2007 : Debug: auth: type "LDAP"
Sun Jun 17 13:32:46 2007 : Debug:   Processing the authenticate section 
of radiusd.conf
Sun Jun 17 13:32:46 2007 : Debug: modcall: entering group LDAP for request 0
Sun Jun 17 13:32:46 2007 : Debug:   modsingle[authenticate]: calling 
ldap (rlm_ldap) for request 0
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: - authenticate
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: login attempt by "test" with 
password "test"
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: user DN: 
cn=test,ou=cisco,ou=users,ou=radius,ou=services,dc=acme,dc=com
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: (re)connect to 
127.0.0.1:389, authentication 1
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: bind as 
cn=test,ou=cisco,ou=users,ou=radius,ou=services,dc=acme,dc=com/test to 
127.0.0.1:389
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: waiting for bind result ...
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: Bind was successful
Sun Jun 17 13:32:46 2007 : Debug: rlm_ldap: user test authenticated 
succesfully
Sun Jun 17 13:32:46 2007 : Debug:   modsingle[authenticate]: returned 
from ldap (rlm_ldap) for request 0
Sun Jun 17 13:32:46 2007 : Debug:   modcall[authenticate]: module "ldap" 
returns ok for request 0
Sun Jun 17 13:32:46 2007 : Debug: modcall: leaving group LDAP (returns 
ok) for request 0
Sun Jun 17 13:32:46 2007 : Auth: Login OK: [test] (from client localhost 
port 1041)
Sending Access-Accept of id 21 to 127.0.0.1 port 33570
         Tunnel-Server-Auth-Id:0 = "server01"
         Tunnel-Client-Auth-Id:0 = "client01"
         Tunnel-Password:0 = "acme"
         Tunnel-Server-Endpoint:0 = "5.6.7.8"
         Tunnel-Medium-Type:0 = IPv4
         Tunnel-Type:0 = L2TP
         Framed-Protocol = PPP
         Service-Type = Framed-User
         Cisco-AVPair += "lcp:interface-config=descr User: test"
         Cisco-AVPair += "lcp:interface-config=service-policy output 
QoS_egress"

-- END radiusd DEBUG --
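As an added illustration (my own Python model, not FreeRADIUS or rlm_ldap code), the block below applies the reply-item operators that rlm_ldap reads from a value prefix (`+=`, `:=`, or the default `=`) in the order the debug log above shows: default profile first, then the profile named by radiusProfileDN, then the user's own entry. In the log, op=8 is `+=` and op=11 is `=` in FreeRADIUS's token table. The entries are constructed from the post; the radiusProfileDN lookup is reduced to a profile name and the LDAP-to-RADIUS attribute map is assumed to be one to one. It shows why `+=` is needed for a multi-valued attribute such as Cisco-AVPair: with `=`, a second value of an attribute that the profile already supplied is dropped, and with `:=` the user's value replaces every profile value.

```python
# Added example (not FreeRADIUS or rlm_ldap code): a model of how FreeRADIUS
# merges reply items from a default profile, a named profile and the user
# entry, using the reply operators documented in users(5).  The LDAP entries
# are constructed from the post; the radiusProfileDN wiring is simplified to
# a profile name and the attribute map is assumed to be one to one.
from dataclasses import dataclass

# Operator prefixes accepted in front of an LDAP value.  ":=" must be tested
# before "=" because "=" is a prefix of it.
OPERATORS = (":=", "+=", "=")


@dataclass(frozen=True)
class Pair:
    attr: str
    op: str
    value: str

    def __str__(self):
        return f'{self.attr} {self.op} "{self.value}"'


def parse_value(attr, raw, default_op="="):
    """Split an rlm_ldap style value such as '+=lcp:interface-config=...'
    into operator and value.  A value with no prefix gets the default reply
    operator '=' (op=11 in the debug output; '+=' is op=8)."""
    for op in OPERATORS:
        if raw.startswith(op):
            return Pair(attr, op, raw[len(op):])
    return Pair(attr, default_op, raw)


def merge(reply, incoming):
    """Apply FreeRADIUS reply-item operator semantics:
         =   add only if no attribute of that name is in the reply yet
         :=  replace every existing instance of the attribute
         +=  always append (needed for multi-valued attributes)"""
    out = list(reply)
    for p in incoming:
        if p.op == "=":
            if not any(q.attr == p.attr for q in out):
                out.append(p)
        elif p.op == ":=":
            out = [q for q in out if q.attr != p.attr]
            out.append(p)
        elif p.op == "+=":
            out.append(p)
        else:
            raise ValueError(f"unsupported operator {p.op!r}")
    return out


def entry_pairs(entry):
    """Turn a {ldap_attr: [values]} entry into Pairs (1:1 attribute map)."""
    return [parse_value(a, v) for a, vals in entry.items() for v in vals]


def build_reply(default_profile, profiles, user):
    """rlm_ldap order as seen in the debug log: default profile, then the
    profile named by radiusProfileDN, then the user's own reply items."""
    reply = merge([], entry_pairs(default_profile))
    reply = merge(reply, entry_pairs(profiles[user["radiusProfileDN"]]))
    own = {k: v for k, v in user.items() if k != "radiusProfileDN"}
    return merge(reply, entry_pairs(own))


def count(reply, attr):
    """Number of instances of one attribute in a merged reply."""
    return sum(1 for p in reply if p.attr == attr)


# Constructed data modelled on the post (profile DN shortened to its cn).
DEFAULT_PROFILE = {"Framed-Protocol": ["PPP"], "Service-Type": ["Framed-User"]}
PROFILES = {
    "local": {
        "Framed-Protocol": ["PPP"],  # repeated with "=": kept only once
        "Cisco-AVPair": ["+=lcp:interface-config=ip vrf forwarding LO",
                         "+=lcp:interface-config=ip os netw broadcast"],
    },
}
USER01 = {
    "radiusProfileDN": "local",
    "Cisco-AVPair": ["+=lcp:interface-config=descr Local",
                     "+=lcp:interface-config=service output qos_user01"],
}


if __name__ == "__main__":
    for p in build_reply(DEFAULT_PROFILE, PROFILES, USER01):
        print(p)
    # Same user entry without the "+=" prefix: the profile already supplies
    # Cisco-AVPair, so under "=" both user values are silently dropped.
    plain = {**USER01,
             "Cisco-AVPair": [v[2:] for v in USER01["Cisco-AVPair"]]}
    print(count(build_reply(DEFAULT_PROFILE, PROFILES, plain), "Cisco-AVPair"))
```

The model produces the reply the post expects (profile and user Cisco-AVPair values together, Framed-Protocol once); it does not reproduce the log above, where the profile values are missing, so it is a reference for the documented operator behaviour rather than an explanation of the observed output.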

More information about the Freeradius-Users mailing list