User-Profile per user per NAS via LDAP?

Stephen Bowman sbbowman at gmail.com
Tue Jul 22 22:01:22 CEST 2008


Running version 2.0.5, with LDAP backend for authentication/authorization.

Needed functionality: A single user account needs a different ldap/radius
profile depending on which huntgroup the request is coming in on... the
reason is that each user has a different Framed-IP-Address for each VPN
concentrator they are coming in on.  So each user needs a profile per NAS, I
believe.

I have separated out each NAS into its appropriate huntgroup, and am
matching on that in the users file.  Also trying to dynamically set the
User-Profile.

DEFAULT Huntgroup-Name == jup-rtr-xauth, Ldap-Group ==
`cn=%{Huntgroup-Name},ou=Groups,ou=Radius,dc=geowireless,dc=net`,
User-Profile :=
`uid=%{User-Name},ou=jup-rtr-xauth,ou=Profiles,ou=Radius,dc=geowireless,dc=net`
        Fall-Through = no

(entire users file at the end of this message).

The user is authenticated successfully (so the group matching and the
%{Huntgroup-Name} expansion are working fine), but the User-Profile is not
being set.  If I hard code in the value for uid, it works, so the problem is
in the variable.

radiusd -X output:

rad_recv: Access-Request packet from host 192.168.17.1 port 57383, id=124,
length=121
        User-Name = "sbowman"
        User-Password = "XXX"
        Acct-Session-Id = "NS-00000035"
        NAS-IP-Address = 192.168.17.1
        NAS-Port = 24824
        NAS-Port-Type = Virtual
        Called-Station-Id = "75.145.224.194"
        Calling-Station-Id = "140.32.244.99"
        Netscreen-Attr-10 = 0x00000003
+- entering group authorize
        expand: %{Packet-Src-IP-Address} -> 192.168.17.1
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "sbowman", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
rlm_ldap: Entering ldap_groupcmp()
        expand: ou=People,dc=domain,dc=net -> ou=People,dc=domain,dc=net
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=sbowman)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.domain.net:389, authentication 0
rlm_ldap: setting TLS CACert File to /etc/pki/tls/certs/ca-bundle.crt
rlm_ldap: starting TLS
request done: ld 0x84e1340 msgid 1
rlm_ldap: bind as uid=redpillradius,ou=Clients,dc=domain,dc=net/XXX to
ldap.domain.net:389
rlm_ldap: waiting for bind result ...
request done: ld 0x84e1340 msgid 2
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,dc=domain,dc=net, with filter
(uid=sbowman)
request done: ld 0x84e1340 msgid 3
rlm_ldap: ldap_release_conn: Release Id: 0
        expand:
(|(&(objectClass=GroupOfNames)(member=%{check:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{check:Ldap-UserDn})))
->
(|(&(objectClass=GroupOfNames)(member=uid\3dsbowman\2cou\3dPeople\2cdc\3ddomain\2cdc\3dnet))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dsbowman\2cou\3dPeople\2cdc\3ddomain\2cdc\3dnet)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,dc=domain,dc=net, with filter
(&(cn=disabled)(|(&(objectClass=GroupOfNames)(member=uid\3dsbowman\2cou\3dPeople\2cdc\3ddomain\2cdc\3dnet))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dsbowman\2cou\3dPeople\2cdc\3ddomain\2cdc\3dnet))))
request done: ld 0x84e1340 msgid 4
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group disabled not found or user is not a member.
        expand: cn=%{Huntgroup-Name},ou=Groups,ou=Radius,dc=domain,dc=net ->
cn=jup-rtr-xauth,ou=Groups,ou=Radius,dc=domain,dc=net
rlm_ldap: Entering ldap_groupcmp()
        expand: ou=People,dc=domain,dc=net -> ou=People,dc=domain,dc=net
        expand:
(|(&(objectClass=GroupOfNames)(member=%{check:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{check:Ldap-UserDn})))
->
(|(&(objectClass=GroupOfNames)(member=uid\3dsbowman\2cou\3dPeople\2cdc\3ddomain\2cdc\3dnet))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dsbowman\2cou\3dPeople\2cdc\3ddomain\2cdc\3dnet)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in
cn=jup-rtr-xauth,ou=Groups,ou=Radius,dc=domain,dc=net, with filter
(|(&(objectClass=GroupOfNames)(member=uid\3dsbowman\2cou\3dPeople\2cdc\3ddomain\2cdc\3dnet))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dsbowman\2cou\3dPeople\2cdc\3ddomain\2cdc\3dnet)))
request done: ld 0x84e1340 msgid 5
rlm_ldap::ldap_groupcmp: User found in group
cn=jup-rtr-xauth,ou=Groups,ou=Radius,dc=domain,dc=net
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 209
++[files] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for sbowman
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=sbowman)
        expand: ou=People,dc=domain,dc=net -> ou=People,dc=domain,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,dc=domain,dc=net, with filter
(uid=sbowman)
request done: ld 0x84e1340 msgid 6
rlm_ldap: performing search in
uid=%{User-Name},ou=jup-rtr-xauth,ou=Profiles,ou=Radius,dc=domain,dc=net,
with filter (objectclass=radiusprofile)
request done: ld 0x84e1340 msgid 7
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: default_profile/user-profile search failed
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
rlm_ldap: Setting Auth-Type = LDAP
rlm_ldap: user sbowman authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
+- entering group LDAP
rlm_ldap: - authenticate
rlm_ldap: login attempt by "sbowman" with password "XXX"
rlm_ldap: user DN: uid=sbowman,ou=People,dc=domain,dc=net
rlm_ldap: (re)connect to ldap.domain.net:389, authentication 1
rlm_ldap: setting TLS CACert File to /etc/pki/tls/certs/ca-bundle.crt
rlm_ldap: starting TLS
request done: ld 0x8572fe0 msgid 1
rlm_ldap: bind as uid=sbowman,ou=People,dc=domain,dc=net/XXX to
ldap.domain.net:389
rlm_ldap: waiting for bind result ...
request done: ld 0x8572fe0 msgid 2
rlm_ldap: Bind was successful
rlm_ldap: user sbowman authenticated succesfully
++[ldap] returns ok
Login OK: [sbowman] (from client jup-rtr-xauth port 24824 cli 140.32.244.99)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 124 to 192.168.17.1 port 57383
Finished request 1.


------ users -----

DEFAULT Ldap-Group == disabled, Auth-Type := Reject
        Reply-Message = "Account disabled.  Please call the helpdesk."

DEFAULT Huntgroup-Name == jup-rtr-xauth, Ldap-Group ==
`cn=%{Huntgroup-Name},ou=Groups,ou=Radius,dc=geowireless,dc=net`,
User-Profile :=
`uid=%{User-Name},ou=jup-rtr-xauth,ou=Profiles,ou=Radius,dc=geowireless,dc=net`
        Fall-Through = no

DEFAULT Huntgroup-Name == jup-rtr-xauth, Auth-Type := Reject
        Reply-Message = "Not authorized for XAuth access.  Please call the
helpdesk.",
        Fall-Through = no

DEFAULT Auth-Type := Reject
        Reply-Message = "Please call the helpdesk."

-----------------
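To make the failure visible outside the server, here is an added Python example (not part of the original post and not FreeRADIUS code) that replays the users-file matching and the two LDAP string operations the debug output shows: the `%{...}` expansion of check and config items, and the escaping of the user DN when it is placed inside a group-membership filter. The request, the group memberships and the users entries are constructed from the post; the `dc=domain,dc=net` suffix follows the sanitized debug log rather than the `dc=geowireless,dc=net` in the users file; and the escape set (RFC 4515 characters plus `=` and `,`) is an assumption chosen to reproduce the `\3d`/`\2c` escapes seen in the log. The simulation expands `User-Profile` the way the post expects, and `has_unexpanded_xlat` is the check that flags the literal `uid=%{User-Name},...` base DN that rlm_ldap actually searched.

```python
import re

# Constructed request, taken from the Access-Request in the debug output above.
# Huntgroup-Name is the attribute the preprocess module adds from the huntgroups file.
REQUEST = {
    "User-Name": "sbowman",
    "NAS-IP-Address": "192.168.17.1",
    "Huntgroup-Name": "jup-rtr-xauth",
}
USER_DN = "uid=sbowman,ou=People,dc=domain,dc=net"

# Constructed stand-in for the directory: group name or DN -> set of member DNs.
# The bare name "disabled" from the first users entry is used as-is as the key.
GROUPS = {
    "disabled": set(),
    "cn=jup-rtr-xauth,ou=Groups,ou=Radius,dc=domain,dc=net": {USER_DN},
}

# The users file from the end of the post, as (check items, config items) pairs.
# Every entry there has Fall-Through = no, so the first match wins.
USERS = [
    ({"Ldap-Group": "disabled"}, {"Auth-Type": "Reject"}),
    ({"Huntgroup-Name": "jup-rtr-xauth",
      "Ldap-Group": "cn=%{Huntgroup-Name},ou=Groups,ou=Radius,dc=domain,dc=net"},
     {"User-Profile": "uid=%{User-Name},ou=jup-rtr-xauth,ou=Profiles,ou=Radius,dc=domain,dc=net"}),
    ({"Huntgroup-Name": "jup-rtr-xauth"}, {"Auth-Type": "Reject"}),
    ({}, {"Auth-Type": "Reject"}),
]

_XLAT = re.compile(r"%\{([A-Za-z0-9-]+)\}")


def xlat(template: str, attrs: dict) -> str:
    """Expand %{Attribute-Name} references from the request; unknown ones become ''."""
    return _XLAT.sub(lambda m: attrs.get(m.group(1), ""), template)


def has_unexpanded_xlat(value: str) -> bool:
    """True when a %{...} reference survived into a value that should already be a
    final DN, which is what 'performing search in uid=%{User-Name},...' shows."""
    return _XLAT.search(value) is not None


# RFC 4515 requires escaping only * ( ) \ and NUL inside filter values; the rlm_ldap
# output on this page additionally hex-escapes '=' and ',' (\3d and \2c), so both sets
# are escaped here (an assumption) to reproduce the filters shown in the debug log.
_FILTER_ESCAPE = set("*()\\\x00=,")


def ldap_filter_escape(value: str) -> str:
    """Hex-escape filter metacharacters so a DN cannot alter the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in _FILTER_ESCAPE else c for c in value)


def group_filter(user_dn: str) -> str:
    """Membership filter used by ldap_groupcmp, with the user DN escaped as a filter value."""
    member = ldap_filter_escape(user_dn)
    return ("(|(&(objectClass=GroupOfNames)(member=%s))"
            "(&(objectClass=GroupOfUniqueNames)(uniquemember=%s)))" % (member, member))


def users_match(request: dict, user_dn: str, entries=USERS, groups=GROUPS) -> dict:
    """Return the config items of the first users entry whose check items all match.
    Config values are xlat-expanded here, which is what the post expects to happen."""
    for checks, config in entries:
        matched = True
        for attr, wanted in checks.items():
            wanted = xlat(wanted, request)
            if attr == "Ldap-Group":
                matched = user_dn in groups.get(wanted, set())
            else:
                matched = request.get(attr) == wanted
            if not matched:
                break
        if matched:
            return {k: xlat(v, request) for k, v in config.items()}
    return {}


if __name__ == "__main__":
    print(group_filter(USER_DN))
    print(users_match(REQUEST, USER_DN))
    # The base DN rlm_ldap actually searched, copied from the debug output:
    searched = "uid=%{User-Name},ou=jup-rtr-xauth,ou=Profiles,ou=Radius,dc=domain,dc=net"
    print("unexpanded xlat in search base:", has_unexpanded_xlat(searched))
```

Running it prints the same membership filter that appears in the `rlm_ldap: performing search ... with filter` lines, the expanded profile DN the users entry is meant to produce, and `True` for the literal base DN from the log, which is the quickest way to confirm that the value reached rlm_ldap without expansion rather than that the profile entry is missing from the directory.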