[freeradius] fail-over ldap + reply-item missing

François Mehault Francois.Mehault at netplus.fr
Tue Jun 9 16:27:57 CEST 2009 

Thanks for your responce, I read http://freeradius.org/radiusd/doc/rlm_ldap , I am focus on section GROUP SUPPORT.

So I have two ldap module instances in raddb/modules/ldap :

ldap ldaplabobe2 { [...] }
ldap ldaplabobe1 { [...] }

I added the ldap module in the instantiate{} block in radiusd.conf.

instantiate {
        exec
        expr
        expiration
        logintime
        ldaplabobe2
        ldaplabobe1
}

I use this form in my raddb/users :

DEFAULT ldaplabobe2-Ldap-Group == administrateur, User-Profile := "cn=administrateur,ou=Profiles,dc=netplus,dc=fr"
        Reply-Message = "Utilisateur: %{User-name}, group: Administrateur",
        Fall-Through = yes

DEFAULT ldaplabobe2-Ldap-Group == stagiaire, User-Profile := "cn=stagiaire,ou=Profiles,dc=netplus,dc=fr"
        Reply-Message = "Utilisateur: %{User-name}, group: Stagiaire",
        Fall-Through = yes

DEFAULT ldaplabobe1-Ldap-Group == administrateur, User-Profile := "cn=administrateur,ou=Profiles,dc=netplus,dc=fr"
        Reply-Message = "Utilisateur: %{User-name}, group: Administrateur",
        Fall-Through = yes

DEFAULT ldaplabobe1-Ldap-Group == stagiaire, User-Profile := "cn=stagiaire,ou=Profiles,dc=netplus,dc=fr"
        Reply-Message = "Utilisateur: %{User-name}, group: Stagiaire",
        Fall-Through = yes

Instead of

DEFAULT Ldap-Group == administrateur, User-Profile := "cn=administrateur,ou=Profiles,dc=netplus,dc=fr"
        Reply-Message = "Utilisateur: %{User-name}, group: Administrateur",
        Fall-Through = yes

DEFAULT Ldap-Group == stagiaire, User-Profile := "cn=stagiaire,ou=Profiles,dc=netplus,dc=fr"
        Reply-Message = "Utilisateur: %{User-name}, group: Stagiaire",
        Fall-Through = yes

Then I still use redundant in authorize and authenticate section in raddb/site-available/default (I test whithout also)

And now I have Access-Reject for all, some reply-item are in the users file, others are in my openldap (I use radiusgroupname with ou=profiles,dc=netplus,dc=fr + radiusprofile attribute ...)



So I progress I think but it doesn't work for now. Sorry if I need some help, I begin with openldap, I read lot of documentation freeradius, openldap, PAM (my head will explose) and all is new for me , so maybe I read the solution at my problem but don't remember :s

Thansk for your help.

Regards,

François

rad_recv: Access-Request packet from host 192.168.0.50 port 1812, id=253, length=80
        NAS-IP-Address = 192.168.0.50
        NAS-Port = 1
        NAS-Port-Type = Virtual
        User-Name = "fmehault"
        Calling-Station-Id = "192.168.0.80"
        User-Password = "toto"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radacct/192.168.0.50/auth-detail-20090609
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/192.168.0.50/auth-detail-20090609
[auth_log]      expand: %t -> Tue Jun  9 16:27:02 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "fmehault", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
rlm_ldap: Entering ldap_groupcmp()
[files]         expand: dc=netplus,dc=fr -> dc=netplus,dc=fr
[files] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[files]         expand: (&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusHuntgroupName=%{Huntgroup-name})) -> (&(uid=fmehault)(radiusHuntgroupName=swLabo))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.96.18.10:389, authentication 0
rlm_ldap: bind as cn=root,dc=netplus,dc=fr/secret to 10.96.18.10:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=netplus,dc=fr, with filter (&(uid=fmehault)(radiusHuntgroupName=swLabo))
rlm_ldap: ldap_release_conn: Release Id: 0
[files]         expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=netplus,dc=fr, with filter (&(cn=administrateur)(|(&(objectClass=GroupOfNames)(member=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))))
rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr, with filter (objectclass=*)
rlm_ldap::groupcmp: Group administrateur not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
[files]         expand: dc=netplus,dc=fr -> dc=netplus,dc=fr
[files]         expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=netplus,dc=fr, with filter (&(cn=stagiaire)(|(&(objectClass=GroupOfNames)(member=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))))
rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: User found in group stagiaire
rlm_ldap: ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 252
[files]         expand: Utilisateur: %{User-name}, group: Stagiaire -> Utilisateur: fmehault, group: Stagiaire
rlm_ldap: Entering ldap_groupcmp()
[files]         expand: dc=netplus,dc=fr -> dc=netplus,dc=fr
[files]         expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.96.18.4:389, authentication 0
rlm_ldap: bind as cn=root,dc=netplus,dc=fr/secret to 10.96.18.4:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=netplus,dc=fr, with filter (&(cn=administrateur)(|(&(objectClass=GroupOfNames)(member=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))))
rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr, with filter (objectclass=*)
rlm_ldap::groupcmp: Group administrateur not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
[files]         expand: dc=netplus,dc=fr -> dc=netplus,dc=fr
[files]         expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=netplus,dc=fr, with filter (&(cn=stagiaire)(|(&(objectClass=GroupOfNames)(member=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))))
rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: User found in group stagiaire
rlm_ldap: ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 260
[files]         expand: Utilisateur: %{User-name}, group: Stagiaire -> Utilisateur: fmehault, group: Stagiaire
++[files] returns ok
++- entering policy redundant {...}
[ldaplabobe2] performing user authorization for fmehault
[ldaplabobe2] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldaplabobe2]   expand: (&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusHuntgroupName=%{Huntgroup-name})) -> (&(uid=fmehault)(radiusHuntgroupName=swLabo))
[ldaplabobe2]   expand: dc=netplus,dc=fr -> dc=netplus,dc=fr
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=netplus,dc=fr, with filter (&(uid=fmehault)(radiusHuntgroupName=swLabo))
rlm_ldap: performing search in cn=stagiaire,ou=Profiles,dc=netplus,dc=fr, with filter (objectclass=radiusprofile)
rlm_ldap: radiusServiceType -> Service-Type = NAS-Prompt-User
[ldaplabobe2] looking for check items in directory...
[ldaplabobe2] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldaplabobe2] user fmehault authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldaplabobe2] returns ok
++- policy redundant returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> fmehault
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 253 to 192.168.0.50 port 1812
        Reply-Message = "Utilisateur: fmehault, group: Stagiaire"
Waking up in 4.5 seconds.

More information about the Freeradius-Users mailing list