Problem with LDAP and Groups
Bryan Evege
bryan at bevege.com
Thu Oct 11 20:39:46 CEST 2007
freeradius-users-request at lists.freeradius.org wrote:
> Send Freeradius-Users mailing list submissions to
> freeradius-users at lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> freeradius-users-request at lists.freeradius.org
>
> You can reach the person managing the list at
> freeradius-users-owner at lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
> 1. Re: Problem with LDAP and Groups (Alan DeKok)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 11 Oct 2007 09:58:49 +0200
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: Problem with LDAP and Groups
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <470DD7B9.9040607 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Bryan Evege wrote:
>
>> Here's the problem. When a user logs in and is a member of more than
>> one group radius only uses the first one to match. I've included the
>> users file below.
>>
>
> In which you tell it to stop matching after the first one.
>
>
>> DEFAULT Ldap-Group == packeteer_read_only,User-Profile :=
>> "uid=packeteer_read_only,ou=profiles,ou=radius,dc=csctus,dc=net",
>> Auth-Type := LDAP
>> Fall-Through = no
>>
>
> See "man users" for the meaning of Fall-Through. Then, change this to
> "yes".
>
> Alan DeKok.
>
>
> ------------------------------
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
> End of Freeradius-Users Digest, Vol 30, Issue 40
> ************************************************
>
Thank you for the reply. If I change the fall through to yes it still
matches as many groups as the user is in. How can I tell freeradius
which attributes to send back? It only sends back the attributes of the
last group it finds.
For example, bevege is a member of the following groups: packetshaper,
cisco_priv_15, cisco_priv_1, linux. Here is what happens when I try to
log into one of the packet shapers. I get the attributes for
cisco_priv_1 because it's last in the list and I can't log on. If I
change all of the user's groups to fall-through=no the packetshaper
allows me to log in but then the cisco profiles don't work because it
never makes it to them.
Basically this setup works fine if you're only in one group! What's the
point of groups if you can only be in one?
Any help would be appreciated.
Radius -X -A output
rad_recv: Access-Request packet from host 10.17.71.10:4852, id=68, length=58
User-Name = "bevege"
User-Password = "xxxxxxx"
Service-Type = Login-User
NAS-IP-Address = 10.17.71.10
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_realm: No '@' in User-Name = "bevege", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'ou=users,ou=radius,dc=csctus,dc=net'
radius_xlat: '(uid=bevege)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=csctus,dc=net/xxxxx to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with filter (uid=bevege)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat: '(&(uid=bevege)(objectclass=radiusprofile))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with filter (&(radiusGroupName=acct_disabled)(&(uid=bevege)(objectclass=radiusprofile)))
rlm_ldap: object not found or got ambiguous search result (user is not a member)
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=bevege,ou=Atlanta,ou=users,ou=radius,dc=csctus,dc=net, with filter (objectclass=*)
rlm_ldap::groupcmp: Group acct_disabled not found or user not a member (this is true)
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'ou=users,ou=radius,dc=csctus,dc=net'
radius_xlat: '(&(uid=bevege)(objectclass=radiusprofile))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with filter (&(radiusGroupName=packeteer_read_only)(&(uid=bevege)(objectclass=radiusprofile)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=bevege,ou=Atlanta,ou=users,ou=radius,dc=csctus,dc=net, with filter (objectclass=*)
rlm_ldap::groupcmp: Group packeteer_read_only not found or user not a member (this is true)
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'ou=users,ou=radius,dc=csctus,dc=net'
radius_xlat: '(&(uid=bevege)(objectclass=radiusprofile))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with filter (&(radiusGroupName=Packeteer)(&(uid=bevege)(objectclass=radiusprofile)))
rlm_ldap::ldap_groupcmp: User found in group Packeteer (this is true)
rlm_ldap: ldap_release_conn: Release Id: 0
users: Matched entry DEFAULT at line 162 (this is correct.)
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'ou=users,ou=radius,dc=csctus,dc=net'
radius_xlat: '(&(uid=bevege)(objectclass=radiusprofile))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with filter (&(radiusGroupName=netscreen)(&(uid=bevege)(objectclass=radiusprofile)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=bevege,ou=Atlanta,ou=users,ou=radius,dc=csctus,dc=net, with filter (objectclass=*)
rlm_ldap::groupcmp: Group netscreen not found or user not a member (this is correct)
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'ou=users,ou=radius,dc=csctus,dc=net'
radius_xlat: '(&(uid=bevege)(objectclass=radiusprofile))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with filter (&(radiusGroupName=cisco_priv_15)(&(uid=bevege)(objectclass=radiusprofile)))
rlm_ldap::ldap_groupcmp: User found in group cisco_priv_15 (this is correct)
rlm_ldap: ldap_release_conn: Release Id: 0
users: Matched entry DEFAULT at line 168 (this is correct)
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'ou=users,ou=radius,dc=csctus,dc=net'
radius_xlat: '(&(uid=bevege)(objectclass=radiusprofile))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with filter (&(radiusGroupName=cisco_priv_1)(&(uid=bevege)(objectclass=radiusprofile)))
rlm_ldap::ldap_groupcmp: User found in group cisco_priv_1 (this is correct)
rlm_ldap: ldap_release_conn: Release Id: 0
users: Matched entry DEFAULT at line 171 (this is correct)
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'ou=users,ou=radius,dc=csctus,dc=net'
radius_xlat: '(&(uid=bevege)(objectclass=radiusprofile))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with filter (&(radiusGroupName=netscreen)(&(uid=bevege)(objectclass=radiusprofile)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=bevege,ou=Atlanta,ou=users,ou=radius,dc=csctus,dc=net, with filter (objectclass=*)
rlm_ldap::groupcmp: Group netscreen not found or user not a member (this is correct)
rlm_ldap: ldap_release_conn: Release Id: 0
users: Matched entry DEFAULT at line 177 (this is odd, why is it matching on the last Group in the users file, DEFAULT Auth-Type := Reject / Reply-Message = "Please call the helpdesk.")
modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for bevege
radius_xlat: '(uid=bevege)'
radius_xlat: 'ou=users,ou=radius,dc=csctus,dc=net'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,ou=radius,dc=csctus,dc=net, with filter (uid=bevege)
rlm_ldap: performing search in uid=cisco_priv_1,ou=profiles,ou=radius,dc=csctus,dc=net, with filter (objectclass=radiusprofile)
rlm_ldap: extracted attribute Cisco-AVPair from generic item Cisco-AVPair ="priv-lvl=1" (why does it choose only this attribute to send back?)
rlm_ldap: Added password {MD5}xxxxxxxxxxxxxxxx== in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user bevege authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type Reject
rad_check_password: Auth-Type = Reject, rejecting user (I believe this is because it matches line 177 last which has Auth-Type reject)
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 68 to 10.17.71.10 port 4852
Reply-Message = "Please call the helpdesk."
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 68 with timestamp 470e2326
Nothing to do. Sleeping until we see a request.
Users file for reference
156 DEFAULT Ldap-Group == acct_disabled, Auth-Type := Reject
157         Reply-Message = "Account disabled. Please call the helpdesk."
158
159 DEFAULT Ldap-Group == packeteer_read_only,User-Profile := "uid=packeteer_read_only,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
160         Fall-Through = yes
161
162 DEFAULT Ldap-Group == Packeteer,User-Profile := "uid=Packeteer,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
163         Fall-Through = yes
164
165 DEFAULT Ldap-Group == netscreen,User-Profile := "uid=netscreen,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
166         Fall-Through = yes
167
168 DEFAULT Ldap-Group == cisco_priv_15,User-Profile := "uid=cisco_priv_15,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
169         Fall-Through = yes
170
171 DEFAULT Ldap-Group == cisco_priv_1,User-Profile := "uid=cisco_priv_1,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
172         Fall-Through = yes
173
174 DEFAULT Ldap-Group == netscreen,User-Profile := "uid=netscreen,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
175         Fall-Through = no
176
177 DEFAULT Auth-Type := Reject
178         Reply-Message = "Please call the helpdesk."
179
180 DEFAULT Auth-Type = System
181         fall-Through = 1
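To make the matching order visible in the debug output concrete, here is an added simulation (editor's example, not FreeRADIUS code and not from the thread) of how rlm_files walks the users file posted above: every matching entry applies its items, ":=" overwriting what an earlier entry set, and the walk only stops at a match whose reply has no Fall-Through = yes. It assumes Ldap-Group membership can be stood in for by a plain set of group names, and models only the operators the posted file uses (":=", "==", "=").

```python
import re

# Constructed reproduction of the users file from the thread, line numbers dropped.
USERS_FILE = '''
DEFAULT Ldap-Group == acct_disabled, Auth-Type := Reject
        Reply-Message = "Account disabled. Please call the helpdesk."
DEFAULT Ldap-Group == packeteer_read_only, User-Profile := "uid=packeteer_read_only,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
        Fall-Through = yes
DEFAULT Ldap-Group == Packeteer, User-Profile := "uid=Packeteer,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
        Fall-Through = yes
DEFAULT Ldap-Group == netscreen, User-Profile := "uid=netscreen,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
        Fall-Through = yes
DEFAULT Ldap-Group == cisco_priv_15, User-Profile := "uid=cisco_priv_15,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
        Fall-Through = yes
DEFAULT Ldap-Group == cisco_priv_1, User-Profile := "uid=cisco_priv_1,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
        Fall-Through = yes
DEFAULT Ldap-Group == netscreen, User-Profile := "uid=netscreen,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
        Fall-Through = no
DEFAULT Auth-Type := Reject
        Reply-Message = "Please call the helpdesk."
'''
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)')

def parse_items(text):
    """Turn 'Attr op value, Attr op value' into (attr, op, value) triples."""
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]

def parse_users(text):
    """Unindented line = new entry (name + check items); indented lines = its reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            entries[-1]['reply'] += parse_items(line)
        else:
            name, _, checks = line.partition(' ')
            entries.append({'name': name, 'check': parse_items(checks), 'reply': []})
    return entries

def authorize(entries, user, groups):
    """Walk entries in order as rlm_files does: each match contributes its items (':='
    overwrites, '=' only fills a gap); stop after a match without Fall-Through = yes."""
    config, reply, matched = {}, {}, []
    for idx, e in enumerate(entries, 1):
        if e['name'] not in ('DEFAULT', user) or not all(
                v in groups for a, op, v in e['check'] if op == '=='):
            continue  # wrong name, or a '==' check item (here Ldap-Group) failed
        matched.append(idx)
        for a, op, v in e['check']:
            if op == ':=':        # ':=' on the check side sets a config item
                config[a] = v
        for a, op, v in e['reply']:
            if op == ':=' or a not in reply:
                reply[a] = v
        if reply.pop('Fall-Through', 'no').lower() not in ('yes', '1'):
            break
    return {'matched': matched, 'config': config, 'reply': reply}

if __name__ == '__main__':   # bevege's memberships as the debug output reports them
    print(authorize(parse_users(USERS_FILE), 'bevege', {'Packeteer', 'cisco_priv_15', 'cisco_priv_1'}))
```

For bevege it reports matches at entries 3, 5, 6 and 8 (lines 162, 168, 171 and 177 of the posted file), User-Profile from cisco_priv_1 and Auth-Type Reject from the final unconditional entry, which is what the debug output shows: once every group entry falls through, the catch-all DEFAULT at the end matches every user who reaches it.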