Checkval weird issue with LDAP backend and PAM authentication
Marco Carcano
marco at marcolinux.it
Sat Nov 27 01:21:54 CET 2010
Hi Alan
OK - got it working - I had a look at rlm_ldap.c and ldap.h
(the ldap_is_ldap_url and ldap_url_parse functions) - although I have one
more issue, ... see below
if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-Identifier}" ) {
	ok
}
else {
	reject
}
The debug output is:
++? if ("%{ldap:ldap://127.0.0.1/CN=%{User-
Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-
Identifier}" )
rlm_ldap: - ldap_xlat
expand: ldap://127.0.0.1/CN=%{User-
Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices -> ldap://
127.0.0.1/CN=testuser,OU=Users,DC=marcolinux,DC=local?eckAllowedServices
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in
CN=testuser,OU=Users,DC=marcolinux,DC=local, with filter (null)
rlm_ldap: Adding attribute eckAllowedServices, value: ftp
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: - ldap_xlat end
expand: %{ldap:ldap://127.0.0.1/CN=%{User-
Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices} -> ftp
expand: %{NAS-Identifier} -> ftp
? Evaluating ("%{ldap:ldap://127.0.0.1/CN=%{User-
Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-
Identifier}" ) -> TRUE
++? if ("%{ldap:ldap://127.0.0.1/CN=%{User-
Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-
Identifier}" ) -> TRUE
++- entering if ("%{ldap:ldap://127.0.0.1/CN=%{User-
Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-
Identifier}" ) {...}
+++[ok] returns ok
++- if ("%{ldap:ldap://127.0.0.1/CN=%{User-
Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-
Identifier}" ) returns ok
++ ... skipping else for request 0: Preceding "if" was taken
Found Auth-Type = PAM
but it works only if eckAllowedServices has only one value.
eckAllowedServices is a multi-string attribute, that is, for example:
eckAllowedServices[0]=httpProxy
eckAllowedServices[1]=ftp
eckAllowedServices[2]=VPN
etc.
It works only for the first element of the array, ... so in the
preceding example only if eckAllowedServices[0]=ftp.
Is there a way to have it recursively process all the elements of the
array to do the comparison?
I tried
if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices[*]}" == "%{NAS-Identifier}" )
and
if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}[*]" == "%{NAS-Identifier}" )
but had no luck.
Marco Carcano
Just for info (for other users that may read this post in the future):
I was wondering if it performed an anonymous bind to the directory - the
LDAP URL does not contain credentials, so I raised the LDAP server
verbosity and had a look at the log, ....
It works authenticated as configured in modules/ldap - I think this is really
important: on my server I prohibited anonymous binding, even from
localhost.
On 26 Nov 2010, at 09:31, Alan DeKok wrote:
> Marco Carcano wrote:
>> I RTM unlang, but I have to admit I only got confused - The only
>> thing I
>> have understood is to write a simple statement like this (in
>> authorize
>> section)
>>
>> if (NAS-Identifier == "ftp" ) {
>> ok
>> }
>> else {
>> reject
>> }
>>
>> and I think it is even wrong because it always returns OK :(((((
>
> And.... what does debug mode say?
>
>> I noticed on some posts people using a syntax like if (NAS-
>> Identifier ==
>> %{sql: SELECT ... BLA BLA} )
>
> See "man unlang". This is documented.
>
>> but I have not been able to see a working example using ldap,
>
> if (NAS-Identifier == "%{ldap: ... ldap stuff ... }") {
>
>
>
>> thinking of the %{sql:SELECT ...} example I thought of a syntax almost
>> like this
>>
>> if (NAS-Identifier ==
>> "ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local
>> (eckAllowedServices)" ) {
>
> You didn't use the same form as the SQL example. The brackets have
> *meaning*: %{}
>
> See "man unlang".
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
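An added worked example (my own, not code from this thread or from FreeRADIUS): a small Python script that parses the same kind of RFC 4516 LDAP URL used in the unlang condition above, "searches" a constructed in-memory directory entry instead of a live server, and then makes the allow/deny decision against every value of the multi-valued eckAllowedServices attribute, rather than only the first. The `first_value_only` function models only what the post reports (a single value comes back from the expansion), not rlm_ldap's internals; the directory entry, the 127.0.0.1 URL and the user "testuser" are constructed sample data. `escape_dn_value` is an assumption of mine about how a User-Name should be treated before it is interpolated into a DN, so that a name containing "," cannot change which entry is looked up.

```python
"""Added example (not from the mailing-list thread): compare a RADIUS
NAS-Identifier against all values of a multi-valued LDAP attribute named
in an RFC 4516 LDAP URL of the form  ldap://host/DN?attribute
"""
from urllib.parse import urlsplit, unquote

# Constructed stand-in for the directory: DN -> {attribute: [values]}.
# The three eckAllowedServices values are the multi-valued case from the post.
FAKE_DIRECTORY = {
    "CN=testuser,OU=Users,DC=marcolinux,DC=local": {
        "eckAllowedServices": ["httpProxy", "ftp", "VPN"],
    },
}


def escape_dn_value(value):
    """Escape an attribute value for use inside an RDN (RFC 4514 section 2.4).
    Hypothetical helper: keeps a User-Name such as 'a,OU=Admins' from being
    read as extra RDN components when it is pasted into the DN."""
    out = []
    for ch in value:
        if ch in '\\,+"<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    escaped = "".join(out)
    if escaped.startswith(("#", " ")):
        escaped = "\\" + escaped
    if escaped.endswith(" ") and not escaped.endswith("\\ "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def parse_ldap_url(url):
    """Split an RFC 4516 URL into (host, dn, attributes, scope, filter).
    Only the fields this example needs are returned; extensions are ignored."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    dn = unquote(parts.path.lstrip("/"))
    # After the '?' the URL carries  attrs?scope?filter?extensions
    fields = parts.query.split("?") if parts.query else []
    attrs = [a for a in fields[0].split(",") if a] if fields else []
    scope = fields[1] if len(fields) > 1 and fields[1] else "base"
    filt = fields[2] if len(fields) > 2 and fields[2] else "(objectClass=*)"
    return parts.hostname, dn, attrs, scope, filt


def lookup(url, directory=FAKE_DIRECTORY):
    """Perform the base-scope 'search' the URL describes against the
    in-memory directory. Returns attribute -> list of ALL values."""
    _host, dn, attrs, scope, _filt = parse_ldap_url(url)
    if scope != "base":
        raise ValueError("this example only supports base-scope lookups")
    entry = directory.get(dn)
    if entry is None:
        return {}
    if not attrs:
        return {k: list(v) for k, v in entry.items()}
    return {a: list(entry.get(a, [])) for a in attrs}


def first_value_only(url, attr, directory=FAKE_DIRECTORY):
    """Model the behaviour reported in the post: a string expansion that
    yields just the first value of a multi-valued attribute."""
    values = lookup(url, directory).get(attr, [])
    return values[0] if values else ""


def service_allowed(user, nas_identifier, directory=FAKE_DIRECTORY):
    """Authorization decision: allowed only if nas_identifier equals ANY value
    of eckAllowedServices for the user's entry. The comparison is exact and
    case-sensitive, so normalise values on the directory side if needed."""
    url = ("ldap://127.0.0.1/CN=%s,OU=Users,DC=marcolinux,DC=local"
           "?eckAllowedServices" % escape_dn_value(user))
    allowed = lookup(url, directory).get("eckAllowedServices", [])
    return nas_identifier in allowed


if __name__ == "__main__":
    url = ("ldap://127.0.0.1/CN=testuser,OU=Users,DC=marcolinux,DC=local"
           "?eckAllowedServices")
    print("first value only:", first_value_only(url, "eckAllowedServices"))
    for nas in ("ftp", "VPN", "ssh"):
        print("testuser from %-4s -> %s" % (nas, service_allowed("testuser", nas)))
```

Run stand-alone it prints that the single-value expansion yields "httpProxy" (so a plain string comparison with "ftp" would fail), while the all-values check accepts "ftp" and "VPN" and rejects "ssh". The point for the config is the same: an access decision on a multi-valued attribute has to be a set-membership test over every value, and the user-supplied name must be escaped before it is used to build the DN.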