[awful patch] "Multiple levels of TLS nesting is invalid."

Matt Bernstein +systems.extlists.freeradius-users at dcs.qmul.ac.uk
Fri Oct 17 16:04:28 CEST 2008


At 14:19 +0200 Alan DeKok wrote:

>> I have run into another bug: if I instantiate rlm_ldap in my servers
>> "dcs-inner" and "maths-inner", it seems to use the base DN for
>> "maths-inner" (instantiated second) for queries from "dcs-inner".
>
>  As always, debug mode.

By this point we've correctly walked from default -> dcs -> dcs-inner.
But.. as dcs-inner invokes rlm_ldap, it's using the wrong ldap instance:

server dcs-inner {
+- entering group authorize {...}
[dcs-inner-preprocess]   hints: Matched DEFAULT at 1
++[dcs-inner-preprocess] returns ok
++? if ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/)
     expand: %{User-Name} -> mb
? Evaluating ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) -> TRUE
++? if ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) -> TRUE
++- entering if ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) {...}
     expand: %{1} -> mb
+++[request] returns ok
++- if ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) returns ok
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[dcs-inner-eap] No EAP-Message, not doing EAP
++[dcs-inner-eap] returns noop
rlm_ldap: Entering ldap_groupcmp()
[dcs-inner-files]     expand: dc=maths,dc=qmul,dc=ac,dc=uk -> dc=maths,dc=qmul,dc=ac,dc=uk
[dcs-inner-files]     expand: (uid=%{Stripped-User-Name}) -> (uid=mb)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldapserver.maths.qmul.ac.uk:389, authentication 0
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: starting TLS
rlm_ldap: bind as cn=radiusd,dc=maths,dc=qmul,dc=ac,dc=uk/xxxxxxxx to ldapserver.maths.qmul.ac.uk:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=maths,dc=qmul,dc=ac,dc=uk, with filter (uid=mb)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0

My radius.conf includes:

modules {
         $INCLUDE ${confdir}/modules/
         $INCLUDE ${confdir}/dcs/modules.conf
         $INCLUDE ${confdir}/maths/modules.conf
}

instantiate {
}

$INCLUDE ${confdir}/dcs/server
$INCLUDE ${confdir}/maths/server

NB x/modules.conf includes x/inner/modules.conf and x/server includes 
x/inner/server for x in {dcs, maths}. The "server" files, modulo these 
includes, only contain server{} blocks.

If I transpose the $INCLUDE ${confdir}/x/server lines, then it uses the 
dcs LDAP instance, AFAICT:

server dcs-inner {
+- entering group authorize {...}
[dcs-inner-preprocess]   hints: Matched DEFAULT at 1
++[dcs-inner-preprocess] returns ok
++? if ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/)
     expand: %{User-Name} -> mb
? Evaluating ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) -> TRUE
++? if ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) -> TRUE
++- entering if ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) {...}
     expand: %{1} -> mb
+++[request] returns ok
++- if ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) returns ok
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[dcs-inner-eap] No EAP-Message, not doing EAP
++[dcs-inner-eap] returns noop
rlm_ldap: Entering ldap_groupcmp()
[dcs-inner-files]     expand: dc=dcs,dc=qmul,dc=ac,dc=uk -> dc=dcs,dc=qmul,dc=ac,dc=uk
[dcs-inner-files]     expand: %{Stripped-User-Name} -> mb
[dcs-inner-files]     expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=mb)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to mortar.dcs.qmul.ac.uk:389, authentication 0
rlm_ldap: setting TLS CACert File to /etc/raddb/dcs/certs/DCS_CA_cert.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: bind as cn=radiusd,ou=Infrastructure,dc=dcs,dc=qmul,dc=ac,dc=uk/xxxxxxxxxx to mortar.dcs.qmul.ac.uk:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dcs,dc=qmul,dc=ac,dc=uk, with filter (uid=mb)
rlm_ldap: ldap_release_conn: Release Id: 0

${confdir}/dcs/inner/server references ${confdir}/dcs/inner/ldap.common 
which contains
 	identity = "cn=radiusd,ou=Infrastructure,dc=dcs,dc=qmul,dc=ac,dc=uk"
 	basedn = "dc=dcs,dc=qmul,dc=ac,dc=uk"
etc. whereas ${confdir}/maths/inner/server references 
${confdir}/maths/inner/ldap.common which contains
 	identity = "cn=radiusd,dc=maths,dc=qmul,dc=ac,dc=uk"
 	basedn = "dc=maths,dc=qmul,dc=ac,dc=uk"
and so on.

I'm guessing that such parameters aren't scoped locally enough.

HTH

Matt
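Added check, not part of the post or of FreeRADIUS itself: a small script that scans `radiusd -X` output for LDAP searches whose base DN does not match the one expected for the enclosing virtual server, which is exactly the symptom shown above. The expected-DN table and the trimmed debug excerpts are assumptions constructed from the post.

```python
import re

# Constructed excerpt of the first debug trace quoted in the post
# (dcs-inner ends up searching the maths directory).
DEBUG_WRONG = """\
server dcs-inner {
+- entering group authorize {...}
rlm_ldap: Entering ldap_groupcmp()
rlm_ldap: (re)connect to ldapserver.maths.qmul.ac.uk:389, authentication 0
rlm_ldap: bind as cn=radiusd,dc=maths,dc=qmul,dc=ac,dc=uk/xxxxxxxx to ldapserver.maths.qmul.ac.uk:389
rlm_ldap: performing search in dc=maths,dc=qmul,dc=ac,dc=uk, with filter (uid=mb)
rlm_ldap: object not found or got ambiguous search result
"""

# Constructed excerpt of the second trace (after transposing the $INCLUDEs).
DEBUG_OK = """\
server dcs-inner {
rlm_ldap: bind as cn=radiusd,ou=Infrastructure,dc=dcs,dc=qmul,dc=ac,dc=uk/xxxxxxxxxx to mortar.dcs.qmul.ac.uk:389
rlm_ldap: performing search in dc=dcs,dc=qmul,dc=ac,dc=uk, with filter (uid=mb)
"""

# Assumed mapping: which base DN each inner virtual server is meant to use.
EXPECTED_BASEDN = {
    "dcs-inner": "dc=dcs,dc=qmul,dc=ac,dc=uk",
    "maths-inner": "dc=maths,dc=qmul,dc=ac,dc=uk",
}

SERVER_RE = re.compile(r"^server (\S+) \{")
BIND_RE = re.compile(r"^rlm_ldap: bind as (\S+?)/\S* to (\S+)")
SEARCH_RE = re.compile(r"^rlm_ldap: performing search in (.+?), with filter")


def find_mismatches(debug_text, expected):
    """Return (server, base_dn, bind_dn, host) for every LDAP search whose
    base DN differs from the one expected for the enclosing virtual server."""
    current, bind_dn, host, hits = None, None, None, []
    for line in debug_text.splitlines():
        if m := SERVER_RE.match(line):        # new request, new virtual server
            current, bind_dn, host = m.group(1), None, None
        elif m := BIND_RE.match(line):        # remember who we bound as, and where
            bind_dn, host = m.group(1), m.group(2)
        elif m := SEARCH_RE.match(line):
            base = m.group(1)
            if current in expected and base != expected[current]:
                hits.append((current, base, bind_dn, host))
    return hits


if __name__ == "__main__":
    for server, base, dn, host in find_mismatches(DEBUG_WRONG, EXPECTED_BASEDN):
        print(f"{server}: searched {base} via {dn}@{host}, expected {EXPECTED_BASEDN[server]}")
```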