Checkval weird issue with LDAP backend and PAM authentication
Marco Carcano
marco at marcolinux.it
Thu Nov 25 23:12:50 CET 2010
Hi Alan
I RTM unlang, but I have to admit I only got confused - the only thing
I have understood is to write a simple statement like this (in the
authorize section):
if (NAS-Identifier == "ftp" ) {
ok
}
else {
reject
}
and I think it is even wrong because it always returns OK :(((((
I noticed in some posts people using a syntax like
if (NAS-Identifier == %{sql: SELECT ... BLA BLA} )
but I have not been able to find a working example using ldap, ... could
you provide an example, please? I've not been able to figure out how
to write it down.
my situation is this: eckAllowedServices is a multi-valued string attribute
that contains one NAS-Identifier per line. I use service names as NAS-
Identifiers in order to perform user authorization to services - e.g.
authorize ftp access on a per-user basis
this is what happens when I do an ldapsearch
ldapsearch -LLL -b cn=testuser,ou=Users,dc=marcolinux,dc=local eckAllowedServices \
  -x -D "CN=FreeRADIUS,OU=AAA,OU=Services,DC=marcolinux,DC=local" -w wRtEYnd3sGkEa.Y4
dn: cn=testuser,ou=Users,dc=marcolinux,dc=local
eckAllowedServices: ftp
eckAllowedServices: httpProxy
that shows that the DN used by freeradius is able to read the
eckAllowedServices attribute
as I wrote in the previous post, I updated ldap.attrmap inserting the
following line
checkItem NAS-Identifier eckAllowedServices
in order to do the "binding" between radius and LDAP
and this is the extension of the LDAP schema (eck.schema)
attributetype ( 1.3.6.1.4.1.26309.1.1.11 NAME 'eckAllowedServices'
    DESC 'Services the user is allowed to login'
    EQUALITY caseIgnoreIA5Match
    SUBSTR caseIgnoreIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
objectClass ( 1.3.6.1.4.1.26309.1.1.1 NAME 'eckGenericObject'
    AUXILIARY DESC 'an ECK generic object'
    MAY ( locked $ eckPublicKey $ eckPrivateKey $ userPKCS12 $ allowProxy $ eckAllowedServices ) )
thinking of the %{sql:SELECT ...} example, I thought of a syntax almost like
this
if (NAS-Identifier == "ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)" ) {
ok
}
else {
reject
}
the aim is to check if NAS-Identifier supplied by the NAS is equal to
one of the multivalue strings of eckAllowedServices
but I always get this message - it doesn't matter whether the user has got
the eckAllowedServices attribute or not:
if (NAS-Identifier == "ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)" )
expand: ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices) -> ldap:cn=testuser,ou=Users,dc=marcolinux,dc=local (eckAllowedServices)
? Evaluating (NAS-Identifier == "ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)" ) -> FALSE
++? if (NAS-Identifier == "ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)" ) -> FALSE
++- entering else else {...}
+++[reject] returns reject
I had a look at ldap.log - with verbose debugging, ... I found
references to eckAllowedServices, but not as a request for only one
attribute - as I was expecting for the unlang expression I wrote: I
got it mixed with lots of other attributes - that is, the previous ldap
lookup by the ldap module in the authorize section: in other words
- I think the unlang expression above is useless and is not processed
with a query to the ldap server. I certainly mistyped the syntax,
but I'm not able to figure out a syntax :(((
Alan, could you provide an example of unlang for LDAP? Maybe I am a slow
learner, but I think it could help me (and I hope others) a lot
Ah - I use freeradius2-2.1.7-7.el5 - that is the "official" one from
RedHat/CentOS - please, don't tell me I have to repackage it to 2.1.10
- I have already done this with quite a lot of other packages in ECK
On 23 Nov 2010, at 14:33, Alan DeKok wrote:
> marco wrote:
>> Sorry Alan
>>
>> I hadn't realized that the logs had become garbage :O( - maybe a
>> webmail related issue of my ISP.
>> Now I Bcc myself to see how it appears to recipients
>>
>> I tried "man unlang" but got no manual entry - I'm using Freeradius
>> packaged for CentOS - I'll have a look at http://freeradius.org/radiusd/man/unlang.html
>> , I think it is the same.
>
> <shrug> Upgrade to 2.1.10. You're using a very old version of the
> server.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
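An added illustration, not Marco's configuration and not FreeRADIUS or rlm_ldap code: a small stand-alone Python model of the authorization decision the post is trying to express. It parses the LDIF returned by the ldapsearch above (re-used here as constructed sample input, with an assumed second user and a base64 value added to exercise the parser), collects every value of the multi-valued eckAllowedServices attribute, and treats the request as authorized only when the NAS-Identifier matches one of those values, compared case-insensitively as the schema's caseIgnoreIA5Match rule declares. It also reproduces what the posted unlang really does: the right-hand side of the `==` is an expanded string literal, so the comparison is always FALSE, exactly as the debug output shows. The DN layout `cn=<user>,ou=Users,dc=marcolinux,dc=local` and the absence of DN escaping are assumptions.

```python
"""Model of: is NAS-Identifier one of the user's eckAllowedServices values?
Added example; not FreeRADIUS, rlm_ldap or the poster's own code."""
import base64

# Constructed sample LDIF: the entry from the post, plus an assumed second
# user without eckAllowedServices, a folded line and a base64 ("::") value.
SAMPLE_LDIF = """\
dn: cn=testuser,ou=Users,dc=marcolinux,dc=local
cn:: dGVzdHVzZXI=
eckAllowedServices: ftp
eckAllowedServices: httpProxy

dn: cn=otheruser,ou=Users,dc=marcolinux,dc=local
description: no services
  allowed here
"""


def parse_ldif(text):
    """Parse LDIF into {dn: {attr_lowercase: [values]}}.

    Every value of a multi-valued attribute is kept (the whole point of
    eckAllowedServices); folded continuation lines (leading space) and
    base64-encoded values ("attr:: ...") are handled."""
    # Unfold: a line starting with a single space continues the previous one.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, attrs, dn = {}, {}, None
    for line in lines + [""]:          # trailing "" flushes the last entry
        if line == "":
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):      # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def user_dn(user):
    """Assumed DN layout from the post; no RFC 4514 escaping is done."""
    return f"cn={user},ou=Users,dc=marcolinux,dc=local"


def allowed_services(entries, user):
    """All eckAllowedServices values for the user ([] if absent/unknown)."""
    return entries.get(user_dn(user), {}).get("eckallowedservices", [])


def authorize(entries, user, nas_identifier):
    """'ok' if NAS-Identifier equals ANY allowed value (caseIgnoreIA5Match,
    as the schema declares), else 'reject'. No attribute means deny."""
    wanted = nas_identifier.lower()
    if any(value.lower() == wanted for value in allowed_services(entries, user)):
        return "ok"
    return "reject"


def expand_literal(user):
    """What the posted unlang actually compares against: the %{User-Name}
    expansion of a plain string, not the result of an LDAP lookup."""
    return f"ldap:cn={user},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)"


def naive_check(user, nas_identifier):
    """The posted comparison: a NAS-Identifier such as 'ftp' can never equal
    the expanded literal, so this is 'reject' for every user."""
    return "ok" if nas_identifier == expand_literal(user) else "reject"


if __name__ == "__main__":
    db = parse_ldif(SAMPLE_LDIF)
    for user, nas in [("testuser", "ftp"), ("testuser", "FTP"),
                      ("testuser", "ssh"), ("otheruser", "ftp")]:
        print(f"{user:10} {nas:5} intended={authorize(db, user, nas):6} "
              f"posted={naive_check(user, nas)}")
```

Running the block prints the intended decision beside the one the posted expression yields; only the intended check ever returns "ok", and only for a NAS-Identifier that is actually listed in the user's attribute.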
More information about the Freeradius-Users
mailing list