Use rlm_ldap reply for the next authorization module

JUND, Aurélien aurelien.jund at sfr.com
Wed Jun 16 14:27:01 CEST 2010


Hello,

In order to allow a user to access the service (send an Access-Accept) I need to validate several things:

First the password must be OK:

 *   The User-Name and password are stored in cleartext in an LDAP (I use CHAP); I must get another LDAP attribute which specifies the CRM Id matching the username.

The user must be allowed to use the service:

 *   Daily I get a file matching a CRM Id to a status (can access, can't access) => I can't match user-name to status directly: the CRM doesn't know the user-name, and the LDAP doesn't know the client's status (only the CRM ID).

I have no trouble checking the User-Name/Password using the ldap and chap modules. But I can't figure out how to use the ldap reply to query the local MySQL where the match between CRM Id and status is stored.
I don't know how to use the reply of one authorization module (ldap) in another one (sql).

Since I didn't find out how to do this, I tried to add the crmID in an unused RADIUS attribute: Callback-Number.

In the ldap attrmap configuration file I added:

replyItem       Callback-Number                 SFRrelationLoginService

And in the sql configuration:

sql_user_name = "%{Callback-Number}"


Unfortunately, as expected, the replyItem is only added when the reply is generated. I also tried with a checkItem without any more success...

Is it possible to configure the ldap module in order to store an LDAP attribute in a variable usable by the mysql module? Or to replace/add a RADIUS attribute in the request, based on the ldap reply, before the next module is computed?


Examples:

Goal case:

echo "User-Name=toto,CHAP-Password=111111" | sudo radclient -x 172.16.0.135:1812 auth secret
Sending Access-Request of id 202 to 172.16.0.135 port 1812
        User-Name = "toto"
        CHAP-Password = 0xcab5c3da9c9ebb891608c1991c2e37bea3
rad_recv: Access-Reject packet from host 172.16.0.135 port 1812, id=202, length=20


log:

Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: Waking up in 0.9 seconds.
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_ldap: waiting for bind result ...
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_ldap: Bind was successful
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_ldap: performing search in ou=EndUser,dc=USER,dc=fr, with filter (USERlogin=toto*)
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [ldapClear] No default NMAS login sequence
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [ldapClear] looking for check items in directory...
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_ldap: USERrelationLoginService -> Callback-Number == "siebelsIdFortoto"
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_ldap: USERuserPassword -> Cleartext-Password == "111111"
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_ldap: USERlogin -> User-Name == "toto"
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [ldapClear] looking for reply items in directory...
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [ldapClear] user toto authorized to use remote access
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_ldap: ldap_release_conn: Release Id: 0
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[ldapClear] returns ok
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [sql_crm_abv] 	expand: %{Callback-Number} ->
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [sql_crm_abv] sql_set_user escaped user --> ''
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_sql (sql_crm_abv): Reserving sql socket id: 1
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [sql_crm_abv] 	expand: SELECT Identifiant, Status           FROM siebel           WHERE Identifiant = '%{Callback-Number}' AND Status='1' -> SELECT Identifiant, Status           FROM siebel           WHERE Identifiant = '' AND Status='1'
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_sql_mysql: query:  SELECT Identifiant, Status           FROM siebel           WHERE Identifiant = '' AND Status='1'
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_sql (sql_crm_abv): Released sql socket id: 1
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [sql_crm_abv] User  not found
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[sql_crm_abv] returns notfound
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [chap] Setting 'Auth-Type := CHAP'
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[chap] returns ok
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[expiration] returns noop
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[logintime] returns noop
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [pap] Found existing Auth-Type, not changing it.
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[pap] returns noop
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_sqlcounter: Entering module authorize code
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_sqlcounter: Could not find Key value pair
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[scratchcounter_lyo] returns noop
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: Found Auth-Type = CHAP
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: +- entering group CHAP {...}
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [chap] login attempt by "toto" with CHAP password
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [chap] Using clear text password "111111" for user toto authentication.
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [chap] chap user toto authenticated succesfully
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[chap] returns ok
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: Login OK: [toto/<CHAP-Password>] (from client ext port 0)
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: +- entering group post-auth {...}
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[reply_log] returns ok




Test adding the crmId in the request before computing => not possible in a real situation, but to test everything else:

echo "User-Name=toto,CHAP-Password=111111,Callback-Number=siebelsIdFortoto" | sudo radclient -x 172.16.0.135:1812 auth secret
Sending Access-Request of id 159 to 172.16.0.135 port 1812
        User-Name = "toto"
        CHAP-Password = 0x9fb08ff7f454d0c9998fc5dd72479940cd
        Callback-Number = "siebelsIdFortoto"
rad_recv: Access-Accept packet from host 172.16.0.135 port 1812, id=159, length=20


log:


Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Thread 4 got semaphore
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Thread 4 handling request 0, (1 handled so far)
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: +- entering group authorize {...}
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[preprocess] returns ok
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[mschap] returns noop
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [IPASS] No '/' in User-Name = "toto", looking up realm NULL
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [IPASS] No such realm "NULL"
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[IPASS] returns noop
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [suffix] No '@' in User-Name = "toto", looking up realm NULL
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [suffix] No such realm "NULL"
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[suffix] returns noop
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[files] returns noop
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] performing user authorization for toto
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] 	expand: %{Stripped-User-Name} ->
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] 	expand: %{User-Name} -> toto
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] 	expand: (USERlogin=%{%{Stripped-User-Name}:-%{User-Name}}*) -> (USERlogin=toto*)
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] 	expand: ou=EndUser,dc=USER,dc=fr -> ou=EndUser,dc=USER,dc=fr
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: ldap_get_conn: Checking Id: 0
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: ldap_get_conn: Got Id: 0
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: attempting LDAP reconnection
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: (re)connect to 10.33.245.241:389, authentication 0
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: bind as cn=Radius Gp,ou=Application,dc=USER,dc=fr/radiusgp to 10.33.245.241:389
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Threads: total/active/spare threads = 5/1/4
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Waking up in 0.9 seconds.
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: waiting for bind result ...
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: Bind was successful
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: performing search in ou=EndUser,dc=USER,dc=fr, with filter (USERlogin=toto*)
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] No default NMAS login sequence
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] looking for check items in directory...
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: USERrelationLoginService -> Callback-Number == "siebelsIdFortoto"
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: USERuserPassword -> Cleartext-Password == "111111"
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: USERlogin -> User-Name == "toto"
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] looking for reply items in directory...
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] user toto authorized to use remote access
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: ldap_release_conn: Release Id: 0
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[ldapClear] returns ok
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [sql_crm_abv] 	expand: %{Callback-Number} -> siebelsIdFortoto
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [sql_crm_abv] sql_set_user escaped user --> 'siebelsIdFortoto'
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_sql (sql_crm_abv): Reserving sql socket id: 1
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [sql_crm_abv] 	expand: SELECT Identifiant, Status           FROM siebel           WHERE Identifiant = '%{Callback-Number}' AND Status='1' -> SELECT Identifiant, Status           FROM siebel           WHERE Identifiant = 'siebelsIdFortoto' AND Status='1'
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_sql_mysql: query:  SELECT Identifiant, Status           FROM siebel           WHERE Identifiant = '=siebelsIdFortoto' AND Status='1'
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_sql (sql_crm_abv): Released sql socket id: 1
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [sql_crm_abv] User siebelsIdFortoto not found
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[sql_crm_abv] returns notfound
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [chap] Setting 'Auth-Type := CHAP'
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[chap] returns ok
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[expiration] returns noop
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[logintime] returns noop
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [pap] Found existing Auth-Type, not changing it.
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[pap] returns noop
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_sqlcounter: Entering module authorize code
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_sqlcounter: Could not find Key value pair
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Found Auth-Type = CHAP
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: +- entering group CHAP {...}
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [chap] login attempt by "toto" with CHAP password
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [chap] Using clear text password "111111" for user toto authentication.
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [chap] chap user toto authenticated succesfully
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[chap] returns ok
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Login OK: [toto/<CHAP-Password>] (from client ext port 0)
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: +- entering group post-auth {...}
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Finished request 0.
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Going to the next request
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Thread 4 waiting to be assigned a request
Jun 16 12:33:30 radius-wifi1-aub freeradius[7106]: Waking up in 4.0 seconds.
Jun 16 12:33:34 radius-wifi1-aub freeradius[7106]: Cleaning up request 0 ID 159 with timestamp +4
Jun 16 12:33:34 radius-wifi1-aub freeradius[7106]: Ready to process requests.
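Editor's added example, not part of the post above or of the FreeRADIUS distribution: one way to chain the two modules in FreeRADIUS 2.x (the version the 2010 log format indicates). It assumes the instance names from the log (ldapClear, sql_crm_abv) and that the ldap attrmap carries the CRM id as a checkItem rather than a replyItem. A check item fetched by rlm_ldap is not a reply attribute and, with the default compare_check_items = no, is not compared against the packet either; it is placed in the request's control list, where later modules can read it as %{control:Callback-Number}. The unlang below copies it into the request list before the sql module runs, so the existing sql_user_name = "%{Callback-Number}" expands to the LDAP value.

```unlang
# Added example (not from the original post). FreeRADIUS 2.x
# sites-enabled/default, "authorize" section. Assumes the ldap attrmap line
#
#     checkItem   Callback-Number   USERrelationLoginService
#
# so rlm_ldap (ldapClear) puts the CRM id into the control list, and that
# the sql module (sql_crm_abv) keeps sql_user_name = "%{Callback-Number}".
authorize {
    preprocess
    mschap
    suffix
    files

    ldapClear

    # Promote the CRM id from the control list into the request list.
    # ":=" overwrites any Callback-Number the NAS itself sent, so the
    # SQL lookup key always comes from LDAP and never from the client.
    if ("%{control:Callback-Number}" != "") {
        update request {
            Callback-Number := "%{control:Callback-Number}"
        }
    }
    else {
        # LDAP returned no CRM id for this login: nothing to authorize against.
        reject
    }

    sql_crm_abv

    # The CRM query returns notfound when the id is unknown or Status != 1.
    # Fail closed here instead of letting the CHAP check alone decide.
    if (notfound) {
        reject
    }

    chap
    expiration
    logintime
    pap
}
```

If no per-request logic is needed, the same result follows from setting sql_user_name = "%{control:Callback-Number}" in the sql module configuration and leaving the authorize section as it was. Two points worth keeping in mind with the setup described in the post: the second test above shows that, as long as sql_user_name expands an attribute taken from the request, whoever controls the Access-Request can choose which CRM id is checked, which is why the example takes the key from the control list; and the debug log quoted above prints the user's cleartext password (CHAP needs a cleartext-recoverable secret), so such logs should be redacted before being stored or shared.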
