Expanding run-time variables and checking access_attr for allow

Nicolás Velázquez nicolas.velazquez at uam.es
Wed Nov 18 15:30:20 CET 2009


Hi all,

We are running 2.1.3 and we'll upgrade soon for several reasons.
Two of them can be the questions I'll explain now.

We need to search the authorize check for users in one place of LDAP tree
and the user password must be checked in another place.
My config file is as follows:

dictionary_mapping=/etc/raddb/ldapmap_vpn.conf
ldap_connections_number=10
timeout=10
server="ldap://canela.ti.uam.es"
port=389
identity="cn=uam_voip_admin,cn=users,dc=uam,dc=es"
password="#######"
base_filter = "(uniquemember=cn=%{User-Name},cn=users,dc=uam,dc=es)"
basedn="dc=uam,dc=es"
filter="(uid=%{Stripped-User-Name:-%{User-Name}})"
default_profile = "cn=ACCESSO_CUDI,cn=Groups,dc=uam,dc=es"
access_attr_used_for_allow = yes
access_attr = "cn"

The non-usual parameters to do what we need are base_filter and
default_profile.
But the problem is that base_filter doesn't expand.
The debug shows us the process and base_filter doesn't expand.

rad_recv: Access-Request packet from host 150.244.108.4 port 1025, id=69,
length=158
        User-Name = "nicolas.velazquez at uam.es"
        User-Password = "########"
        NAS-Port = 5259264
        Called-Station-Id = "150.244.108.4"
        Calling-Station-Id = "150.244.2.23"
        NAS-Port-Type = Virtual
        Tunnel-Client-Endpoint:0 = "150.244.2.23"
        NAS-IP-Address = 150.244.108.4
        Cisco-AVPair = "ip:source-ip=150.244.2.23"
server vpn_auth {
+- entering group authorize {...}
[suffix] Looking up realm "uam.es" for User-Name =
"nicolas.velazquez at uam.es"
[suffix] Found realm "uam.es"
[suffix] Adding Realm = "uam.es"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[users_vpn] users: Matched entry DEFAULT at line 3
[users_vpn]     expand: %{User-Name} -> nicolas.velazquez at uam.es
[users_vpn] users: Matched entry nicolas.velazquez at uam.es at line 16
++[users_vpn] returns ok
[uam_vpn] performing user authorization for nicolas.velazquez at uam.es
[uam_vpn] WARNING: Deprecated conditional expansion ":-".  See "man unlang"
for details
[uam_vpn]       expand: (uid=%{Stripped-User-Name:-%{User-Name}}) ->
(uid=nicolas.velazquez at uam.es)
[uam_vpn]       expand: dc=uam,dc=es -> dc=uam,dc=es
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap://canela.ti.uam.es, authentication 0
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: bind as cn=uam_voip_admin,cn=users,dc=uam,dc=es/######## to
ldap://canela.ti.uam.es
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=uam,dc=es, with filter
(uid=nicolas.velazquez at uam.es)
[uam_vpn] checking if remote access for nicolas.velazquez at uam.es is allowed
by cn
rlm_ldap: performing search in cn=ACCESSO_CUDI,cn=Groups,dc=uam,dc=es, with
filter (uniquemember=cn=%{User-Name},cn=users,dc=uam,dc=es)
rlm_ldap: object not found or got ambiguous search result
[uam_vpn] default_profile/user-profile search failed
[uam_vpn] looking for check items in directory...
[uam_vpn] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
[uam_vpn] user nicolas.velazquez at uam.es authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[uam_vpn] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
Found Auth-Type = UAM_VPN
+- entering group UAM_VPN {...}
[uam_vpn] login attempt by "nicolas.velazquez at uam.es" with password
"#######"
[uam_vpn] user DN: cn=nicolas.velazquez at uam.es,cn=Users,dc=uam,dc=es
rlm_ldap: (re)connect to ldap://canela.ti.uam.es, authentication 1
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: bind as cn=nicolas.velazquez at uam.es,cn=Users,dc=uam,dc=es/########
to ldap://canela.ti.uam.es
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
[uam_vpn] user nicolas.velazquez at uam.es authenticated succesfully
++[uam_vpn] returns ok
Login OK: [nicolas.velazquez at uam.es] (from client asa-vpn port 5259264 cli
150.244.2.23)
} # server vpn_auth
Sending Access-Accept of id 69 to 150.244.108.4 port 1025
        User-Name = "nicolas.velazquez at uam.es"
        Class = "OU=########"
Finished request 0.

Is this a failure corrected in any of the versions from 2.1.3?
Or am I doing anything wrong?

The second question.

If I put, ONLY FOR CHECK, base_filter =
"(uniquemember=cn=nicolas.velazquez at uam.es,cn=users,dc=uam,dc=es)", the LDAP
server replies with No Such Object, but the RADIUS authorization returns ok.
The misconfiguration of LDAP is not the question here.
The question here is: the documentation says that if the parameter does not exist,
authorization does not work.
Is the server using the cn string used in the request?
Am I doing ANOTHER thing wrong?

Thank you very much in advance,

  Nicolas

Nicolás Velazquez Campoy
Unidad Técnica de Comunicaciones
Tecnologías de la Información. UAM
http://rincon.uam.es/dir?cw=389407348632812
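
As an added example (written for this post, not FreeRADIUS code), the expander below implements the %{Attr} and %{Attr:-fallback} xlat syntax used in the config above together with RFC 4515 filter-value escaping, so it shows what base_filter should have expanded to, why the literal %{User-Name} sent in the second search can never match an entry, and why a user-supplied User-Name has to be escaped before it lands in a filter. It assumes the real User-Name contains '@' (the archive rewrites it as ' at ') and that the escape set is the RFC 4515 one.

```python
"""Added example: FreeRADIUS 2.x-style %{Attr} / %{Attr:-fallback} expansion with
RFC 4515 LDAP filter escaping, run over the base_filter and filter strings from the post."""

# Request attributes, constructed from the debug output in the post (the archive
# rewrites '@' as ' at '; the real User-Name carries the '@').
REQUEST = {"User-Name": "nicolas.velazquez@uam.es"}

BASE_FILTER = "(uniquemember=cn=%{User-Name},cn=users,dc=uam,dc=es)"
FILTER = "(uid=%{Stripped-User-Name:-%{User-Name}})"


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _matching_brace(s, start):
    """Return the index of the '}' that closes the '{' at s[start]."""
    depth = 0
    for k in range(start, len(s)):
        if s[k] == "{":
            depth += 1
        elif s[k] == "}":
            depth -= 1
            if depth == 0:
                return k
    raise ValueError("unbalanced %{...} in: " + s)


def expand(template, attrs, escape=escape_filter_value):
    """Expand %{Attr} and %{Attr:-fallback}; the fallback may itself be an xlat.
    Attribute values are escaped; an unset attribute with no fallback becomes ''."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            end = _matching_brace(template, i + 1)
            name, has_fallback, fallback = template[i + 2:end].partition(":-")
            value = attrs.get(name)
            if value is None:
                value = expand(fallback, attrs, escape) if has_fallback else ""
            else:
                value = escape(value)
            out.append(value)
            i = end + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


if __name__ == "__main__":
    # What the debug log shows for filter, and what base_filter would look like expanded.
    print(expand(FILTER, REQUEST))
    print(expand(BASE_FILTER, REQUEST))
```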
