Assistance in handling ldap query failure scenario

Gary Prosser gary.prosser at trinity-bris.ac.uk
Fri Aug 6 19:30:23 CEST 2010


I'm sure Alan or someone else will correct me if I'm wrong, but I believe you
can prioritise the call result so that e.g. notfound overrides fail but
found ends the process.

Our config (following Alan's advice) does this kind of thing:

modules {

        ldap ldap1 {

                server = "localhost"
                basedn = "ou=TrinityStudentLogins,dc=our-domain"
                filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

                start_tls = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                edir_account_policy_check = no
                timeout = 4
                timelimit = 3
                net_timeout = 3
        }
        ldap ldap2 {
                # config for different ldap server or different ou
        }
        ldap ldap3 {
                # config for different ldap server or different ou
        }
}

authorize {
        preprocess
        chap
        mschap
        suffix

        redundant {
                ldap1 {
                        fail = 1
                        noop = 2
                        notfound = 3
                        ok = return
                        reject = return
                        userlock = return
                        invalid = return
                }
                ldap2 {
                        fail = 1
                        noop = 2
                        notfound = 3
                        ok = return
                        reject = return
                        userlock = return
                        invalid = return
                }
                ldap3 {
                        fail = 1
                        noop = 2
                        notfound = 3
                        ok = return
                        reject = return
                        userlock = return
                        invalid = return
                }
        }
}

authenticate {
        ldap1
        ldap2
        ldap3
        chap
}

Gary
-  
IT Manager
Trinity College, Bristol (http://www.trinity-bris.ac.uk)


-----Original Message-----
From: John Douglass <john.douglass at oit.gatech.edu>
Reply-To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
To: freeradius-users at lists.freeradius.org
Subject: Assistance in handling ldap query failure scenario
Date: Fri, 06 Aug 2010 12:54:06 -0400

I believe this bit of magic can be done based on other configurations 
but I can't work out the right "foo" so hopefully someone can help me 
out. I have my service manager asking for some additional magic out of 
our freeradius servers that handle our wireless WPA enterprise 
authentication/authorization.

Situation: LDAP connect/lookup fails (returns 'fail') and I want to 
continue processing as if it were "ok". Right now we want to ensure to 
err on the side of the customer and continue in the event there is an 
LDAP service outage.

Setup: I have the system working correctly with LDAP utilizing 
Freeradius 1.1.9. However, I am not sure how to do unlang control in the 
event of an LDAP failure. I am handling if an LDAP lookup is not found 
however.

Test: What I am attempting to test with is configure the ldap module 
with a non-existent LDAP server to fail but continue processing in the 
event of an LDAP failure.

I have Googled, read many configuration examples, and got a decent grip 
of unlang so hopefully someone can point me in the right direction. I'm 
close, but missing a small key component I imagine.

Here are (what I believe to be) the important configuration sections and
debug output.

authorize {
         preprocess

         #  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP authentication.
         eap {
                ok = return
         }

         # LDAP: Development where if not found, steer them to group vlan0316

         # This part works as expected when LDAP answers and the user is not found
         gted-lawn-authz
         if (notfound) {
            update reply {
               Tunnel-Type := "VLAN"
               Tunnel-Medium-Type := "IEEE-802"
               Tunnel-Private-Group-Id := 316
            }
            notfound = return
         }

         #  Look in an SQL database.  The schema of the database is meant to mirror the "users" file.
         sqlwpa
}

The LDAP module configuration is as follows:

ldap gted-lawn-authz {
     #
     #  Note that this needs to match the name in the LDAP
     #  server certificate, if you're using ldaps.
     server = "ldaps://blahserver.gatech.edu"
     port = 636
     identity = "myBindDNDeletedForPrivacy"
     password = "myPasswordDeletedForPrivacy"
     basedn = "myBaseDNdeletedForPrivacy"
     filter = "myFilterThatWorksNormallyDeleted"

     ldap_connections_number = 10
     timeout = 4
     timelimit = 10
     net_timeout = 1

     tls {
         start_tls = no
         tls_mode = no
         require_cert    = "never"
     }

     # Mapping of RADIUS dictionary attributes to LDAP directory attributes.
     dictionary_mapping = ${confdir}/ldap.attrmap

     edir_account_policy_check = no
     set_auth_type = no
}

I have tried to handle this in the authorize{} section but not sure how 
to override the "fail" returncode from the ldap module in order to continue.

         gted-lawn-authz
         # want to detect a failure of the above gted-lawn-authz module,
         # on failure skip to the next section which is "sqlwpa"
         if (fail) {
            fail = return
         }
         if (notfound) {
            update reply {
               Tunnel-Type := "VLAN"
               Tunnel-Medium-Type := "IEEE-802"
               Tunnel-Private-Group-Id := 316
            }
            notfound = return
         }
         #  Look in an SQL database.  The schema of the database is meant to mirror the "users" file.
         sqlwpa

Running it in debug mode I see it never hits the if(fail) section. My 
guess (but I haven't found any concrete info on how to continue) would 
be to have something in the gted-lawn-authz ldap module configuration as 
it looks like it breaks out of the loop there.

+- entering group authorize {...}
++[preprocess] returns ok
[eap] EAP packet type response id 0 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[gted-lawn-authz] performing user authorization for test-account
[gted-lawn-authz]     expand: (filterDeleted)
[gted-lawn-authz]     expand: (baseDeleted)
   [gted-lawn-authz] ldap_get_conn: Checking Id: 0
   [gted-lawn-authz] ldap_get_conn: Got Id: 0
   [gted-lawn-authz] attempting LDAP reconnection
   [gted-lawn-authz] (re)connect to ldaps://bleh.gatech.edu, authentication 0
   [gted-lawn-authz] setting TLS Require Cert to never
   [gted-lawn-authz] bind as uid=deletedForPrivacy
   [gted-lawn-authz] uid=deletedForPrivacy
   [gted-lawn-authz] (re)connection attempt failed
[gted-lawn-authz] search failed
   [gted-lawn-authz] ldap_release_conn: Release Id: 0
++[gted-lawn-authz] returns fail
Invalid user: [jd187/<via Auth-Type = EAP>] (from client localhost port 0 cli 02-00-00-00-00-01)
} # server wpa
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> jd187
  attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated

Thanks in advance,
- John Douglass, Georgia Institute of Technology
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
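Added example (not from either message in this thread): the fail-open authorize section that the question asks for, written the way Gary's reply describes. The debug output above shows `++[gted-lawn-authz] returns fail` followed directly by `} # server wpa`: in FreeRADIUS 2.x the default action for `fail` in the authorize section is `return`, so the `if (fail)` check that follows the module call is never reached. The fix is the same per-module action override that the question already applies to `eap` (`ok = return`) and that Gary's config applies inside `redundant`. This assumes FreeRADIUS 2.x unlang (the debug format on this page is 2.x), and reuses the module names `gted-lawn-authz` and `sqlwpa` and the VLAN values from the question; nothing else is taken from the original configuration.

```unlang
# Added example, not the configuration from the thread.  Assumes a
# FreeRADIUS 2.x virtual server; gted-lawn-authz (rlm_ldap) and sqlwpa
# (rlm_sql) are the instance names used in the question above.
authorize {
        preprocess

        eap {
                ok = return
        }

        # Original form, for comparison.  A connection failure makes
        # the module return "fail"; the default action for "fail" in
        # authorize is "return", so nothing below this line runs and
        # the request falls through to Post-Auth-Type Reject.
        #gted-lawn-authz

        # Fail-open form.  Giving "fail" a numeric priority instead of
        # "return" lets the section continue.  The module still reports
        # "returns fail" in debug output; only the action changes.
        # Priority 1 is below the default priorities of "ok" (3) and
        # "updated" (4), so a later successful sqlwpa lookup decides
        # the section's result rather than the LDAP failure.
        gted-lawn-authz {
                fail = 1
        }

        # Taken only when the directory answered and the user is absent.
        # A "fail" from a connection failure does not match "notfound",
        # so outage-time users are not steered into vlan0316 by this
        # branch.
        if (notfound) {
                update reply {
                        Tunnel-Type := "VLAN"
                        Tunnel-Medium-Type := "IEEE-802"
                        Tunnel-Private-Group-Id := 316
                }
                notfound = return
        }

        # With the override in place, the SQL lookup now runs both when
        # LDAP found the user and when LDAP was unreachable.
        sqlwpa
}
```

Two things to check before deploying this. First, run `radiusd -X` against the unreachable server and confirm that the `++[gted-lawn-authz] returns fail` line is now followed by the `sqlwpa` call rather than by `} # server wpa`; the separate `if (fail)` block from the original attempt is not needed for the fall-through, though once the action is overridden it is the place to put any outage-specific handling. Second, remember what failing open means here: whatever attributes the LDAP lookup normally adds (group membership, VLAN, any per-user restrictions) are simply absent during an outage, so make sure the reply that sqlwpa and the default configuration produce on their own does not place outage-time users somewhere more privileged than the directory would have, and that the EAP inner authentication still has a credential source to check against. The override only changes what the authorize section does with the LDAP result; it does not make a failed directory lookup into a successful authentication. For more than one directory server, the same overrides go inside a `redundant { }` block as in Gary's reply, so that a second server is tried before the section falls through.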