Do not query LDAP if authenticated via proxy

Steven Carr steven.carr at sunderland.ac.uk
Mon Aug 10 10:39:22 CEST 2009


Hi list,

I have the following question; I am not entirely sure how to stop FreeRADIUS
(Debian recompile 2.0.4) from doing this, so I would be grateful for any ideas.

We are joining Eduroam and we have our FreeRADIUS set to proxy on the
DEFAULT realm and have a separate realm for our local domain.

If we pass a request to the proxy to be authenticated, it queries our LDAP
server to check if the user exists both before and after the request has
been proxied.

> rad_recv: Access-Request packet from host 127.0.0.1 port 43386, id=216, length=82
> 	User-Name = "user at domain.com"
> 	User-Password = "******"
> 	NAS-IP-Address = 157.228.68.190
> 	NAS-Port = 1
> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
>     rlm_realm: Looking up realm "domain.com" for User-Name = "user at domain.com"
>     rlm_realm: Found realm "DEFAULT"
>     rlm_realm: Adding Realm = "DEFAULT"
>     rlm_realm: Proxying request from user user to realm DEFAULT
>     rlm_realm: Preparing to proxy authentication request to realm "DEFAULT" 
> ++[suffix] returns updated
>   rlm_eap: No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> ++[files] returns noop
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for user at domain.com
> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
> 	expand: (&(objectclass=uosperson)(!(mailuserstatus=inactive))(uid=%{Stripped-User-Name:-%{User-Name}})) -> (&(objectclass=uosperson)(!(mailuserstatus=inactive))(uid=user at domain.com))
> 	expand: dc=domain,dc=com -> dc=domain,dc=com
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=domain,dc=com, with filter (&(objectclass=uosperson)(!(mailuserstatus=inactive))(uid=user at domain.com))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns notfound
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
> Sending Access-Request of id 112 to 194.83.56.233 port 1812
> 	User-Name = "user at domain.com"
> 	User-Password = "******"
> 	NAS-IP-Address = 157.228.68.190
> 	NAS-Port = 1
> 	Proxy-State = 0x323136
> Proxying request 1 to home server 194.83.56.233 port 1812
> Sending Access-Request of id 112 to 194.83.56.233 port 1812
> 	User-Name = "user at domain.com"
> 	User-Password = "******"
> 	NAS-IP-Address = 157.228.68.190
> 	NAS-Port = 1
> 	Proxy-State = 0x323136
> Going to the next request
> Waking up in 0.9 seconds.
> rad_recv: Access-Accept packet from host 194.83.56.233 port 1812, id=112, length=25
> 	Proxy-State = 0x323136
> +- entering group post-proxy
>   rlm_eap: No pre-existing handler found
> ++[eap] returns noop
> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
>     rlm_realm: Proxy reply, or no User-Name.  Ignoring.
> ++[suffix] returns noop
> ++[eap] returns noop
> ++[unix] returns notfound
> ++[files] returns noop
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for user at domain.com
> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
> 	expand: (&(objectclass=uosperson)(!(mailuserstatus=inactive))(uid=%{Stripped-User-Name:-%{User-Name}})) -> (&(objectclass=uosperson)(!(mailuserstatus=inactive))(uid=user at domain.com))
> 	expand: dc=domain,dc=com -> dc=domain,dc=com
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=domain,dc=com, with filter (&(objectclass=uosperson)(!(mailuserstatus=inactive))(uid=user at domain.com))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns notfound
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
>   rad_check_password:  Found Auth-Type 
>   rad_check_password: Auth-Type = Accept, accepting the user
> Login OK: [user at domain.com/******] (from client localhost port 1)
> +- entering group post-auth
> ++[exec] returns noop
> Sending Access-Accept of id 216 to 127.0.0.1 port 43386
> Finished request 1.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 1 ID 216 with timestamp +10
> Ready to process requests.

How can I stop it from doing this? It is a waste of time and an
unnecessary connection/query to our LDAP server, as the user is never going to
be authenticated by our LDAP server.

Thanks

Steve

-- 
Steven Carr
Systems Development Officer
SLS/ITS/Systems - (0191) 515 3953
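One way to skip the local directory lookup for proxied requests, as an added example that is not part of Steve's post or of the FreeRADIUS project's own configuration files: the authorize section in the same module order the debug output above shows, with the ldap call wrapped in an unlang condition on control:Proxy-To-Realm, the config item rlm_realm sets when it decides to proxy (the condition syntax assumed here is the FreeRADIUS 2.x unlang form).

```unlang
# sites-enabled/default (FreeRADIUS 2.x): authorize section in the same
# module order the debug output shows. Only the ldap call changes.
authorize {
    preprocess
    chap
    mschap

    # rlm_realm splits user@domain.com, matches realm DEFAULT and, because
    # DEFAULT points at a home server pool, sets control:Proxy-To-Realm.
    suffix

    eap
    unix
    files

    # Local-realm users never carry Proxy-To-Realm, so they are still looked
    # up. Proxied users skip the LDAP search on both passes through authorize,
    # since the control item persists across the round trip to the home server.
    if (!control:Proxy-To-Realm) {
        ldap
    }

    expiration
    logintime
    pap
}
```

After the change, the "rlm_ldap: performing search" lines should disappear from the debug output for any request that shows "Preparing to proxy authentication request", while local users still produce them.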
