Freeradius 2.0.5 & %{Ldap-UserDn} not correctly expanded ?

Pierre.Strazza-prestataire at labanquepostale.fr
Wed Jul 2 13:55:41 CEST 2008


Hello,

Trying to set up group membership filtering against LDAP group membership 
for user authentication and authorization, it seems that %{Ldap-UserDn} is 
not correctly expanded (shown as blank) in my conf.
Has anyone experienced the same problem, or has any idea about what is wrong 
in my conf?

Here are some relevant parts:

radiusd.conf
------------------

module {
[...]
        ldap ldap {
                server = "myldapserver"
                identity = "cn=admin,dc=myorg"
                password = passw
                basedn = "dc=myorg"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                base_filter = "(objectclass=person)"
                ldap_connections_number = 5
                timeout = 4
                timelimit = 3
                net_timeout = 1
                tls {
                        start_tls = no
                }
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                auto_header = yes
                groupname_attribute = cn
                groupmembership_filter = "(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
                # groupmembership_attribute = cn
        }
[...]
}

[..]

Autz-Type LDAP {
                ldap
        }
        expiration
        logintime
        pap
}
authenticate {
        Auth-Type LDAP {
                ldap
        }
}

[...]


users (matching huntgroup name "clientasa")
------------------------------------------------------------------

DEFAULT Huntgroup-Name == "clientasa", Ldap-Group == "ASA", Autz-Type := LDAP
DEFAULT  Auth-Type := Reject



LDAP extract :
--------------------

dn: cn=ASA, dc=myorg
objectClass: groupOfNames
objectClass: posixGroup
objectClass: sambaGroupMapping
objectClass: top
cn: ASA
gidNumber: 512
member: uid=test,ou=people,dc=myorg


dn: uid=test,ou=people,dc=myorg
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: sambaSamAccount
objectClass: shadowAccount
objectClass: top
cn: test
gidNumber: 512
uid: test
uidNumber: 0
loginShell: /bin/bash
userPassword:: {SSHA}mypassword


Debug info
----------------

rad_recv: Access-Request packet from host xxxxx port 1025, id=185, length=109
        User-Name = "test"
        NAS-IP-Address = ip1
        Calling-Station-Id = "xxxxxxx"
        User-Password = "mypassword"
        NAS-Port = 96
        Cisco-AVPair = "ip:source-ip=xxxxxxxxxx"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_ldap: Entering ldap_groupcmp()
        expand: dc=myorg -> dc=myorg
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=test)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldapserver:389, authentication 0
rlm_ldap: bind as cn=admin,dc=myorg/ldappassword to ldapserver:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=myorg, with filter (uid=test)
rlm_ldap: ldap_release_conn: Release Id: 0
        expand: (&(objectClass=GroupOfNames)(member=%{Ldap-UserDn})) -> (&(objectClass=GroupOfNames)(member=))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=myorg, with filter (&(cn=ASA)(&(objectClass=GroupOfNames)(member=)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group ASA not found or user is not a member.
    users: Matched entry DEFAULT at line 210
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type Reject
  rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Login incorrect: [test/mypassword] (from client pixasa port 96 cli xxxxxxx)
Sending Access-Reject of id 185 to ip1 port 1025
Finished request 0.
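The check that fails in the debug output above, as an added example that is not part of the original post and not FreeRADIUS's own code: a small in-memory model of the two steps ldap_groupcmp performs (look up the user's DN with the configured filter, then run groupmembership_filter wrapped in a cn match), evaluated over the entries from the LDAP extract in the post. The filter evaluator, the RFC 4515 escaping helper and the entry table are assumptions of this model; it shows that a blank Ldap-UserDn produces (member=), which matches no group entry, so the user is rejected rather than admitted by accident, and that the expanded DN must be escaped before it is interpolated into a filter.

```python
# Added example, not FreeRADIUS code: in-memory model of ldap_groupcmp's two steps.
import re
# Constructed from the LDIF extract in the post (userPassword omitted).
ENTRIES = {
    "cn=ASA,dc=myorg": {
        "objectclass": ["groupOfNames", "posixGroup", "top"], "cn": ["ASA"],
        "member": ["uid=test,ou=people,dc=myorg"]},
    "uid=test,ou=people,dc=myorg": {
        "objectclass": ["inetOrgPerson", "person", "posixAccount", "top"],
        "cn": ["test"], "uid": ["test"]},
}

def ldap_escape(value):
    """RFC 4515 escaping for a value interpolated into a filter string."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def _parse(text, i):
    """Parse the subset used here: (attr=value) and (&(...)(...))."""
    if text[i + 1] == "&":                      # AND node: collect children
        i, subs = i + 2, []
        while text[i] == "(":
            node, i = _parse(text, i)
            subs.append(node)
        return ("and", subs), i + 1
    j = text.index(")", i)                      # a ')' inside a value is escaped
    attr, value = text[i + 1:j].split("=", 1)
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return ("eq", attr.lower(), value), j + 1

def _matches(entry, node):
    if node[0] == "and":
        return all(_matches(entry, sub) for sub in node[1])
    _, attr, value = node
    return value.lower() in [v.lower() for v in entry.get(attr, [])]

def search(filter_text):
    """DNs of entries matching filter_text (case-insensitive, like LDAP)."""
    node, _ = _parse(filter_text, 0)
    return [dn for dn, entry in ENTRIES.items() if _matches(entry, node)]

def user_dn(username):
    """Step 1: the post's 'filter' search; "" models a blank Ldap-UserDn."""
    hits = search("(uid=%s)" % ldap_escape(username))
    return hits[0] if len(hits) == 1 else ""

def is_group_member(group, dn):
    """Step 2: the post's groupmembership_filter wrapped in (cn=<group>)."""
    filt = "(&(cn=%s)(&(objectClass=GroupOfNames)(member=%s)))" % (
        ldap_escape(group), ldap_escape(dn))
    return len(search(filt)) == 1   # empty dn -> (member=) -> no match -> reject
```

Calling is_group_member("ASA", "") reproduces the "Group ASA not found or user is not a member" outcome from the debug log, while is_group_member("ASA", user_dn("test")) is what the expansion was meant to produce.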


