Autz-Type examples and parse error

Harry Hoffman hhoffman at ip-solutions.net
Wed Oct 13 15:40:39 CEST 2010


Hi Alan,

Thanks for the help! This works well and lessens the confusion on my
part.

I do have one question. When using ldap as the authorization module, the
Auth-Type gets set properly to siteone_ldap. But if I try using
ntlm_auth, the Auth-Type is not set even though ntlm_auth returns
OK.

rad_recv: Access-Request packet from host 127.0.0.1 port 38806, id=14, length=63
	User-Name = "SITEONE\\hhoffman"
	User-Password = "password"
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "SITEONE\hhoffman", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "SITEONE" for User-Name = "SITEONE\hhoffman"
[ntdomain] Found realm "SITEONE"
[ntdomain] Adding Stripped-User-Name = "hhoffman"
[ntdomain] Adding Realm = "SITEONE"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++? if (!Realm)
? Evaluating !(Realm) -> FALSE
++? if (!Realm) -> FALSE
++? elsif (Realm == "siteone.edu")
? Evaluating (Realm == "siteone.edu") -> FALSE
++? elsif (Realm == "siteone.edu") -> FALSE
++? elsif (Realm == "SITEONE")
? Evaluating (Realm == "SITEONE") -> TRUE
++? elsif (Realm == "SITEONE") -> TRUE
++- entering elsif (Realm == "SITEONE") {...}
[siteone_ntlm_auth] 	expand: --username=%{Stripped-User-Name} -> --username=hhoffman
[siteone_ntlm_auth] 	expand: --password=%{User-Password} -> --password=password
Exec-Program output: NT_STATUS_OK: Success (0x0) 
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) 
Exec-Program: returned: 0
+++[siteone_ntlm_auth] returns ok
++- elsif (Realm == "SITEONE") returns ok
++ ... skipping elsif for request 6: Preceding "if" was taken
++ ... skipping elsif for request 6: Preceding "if" was taken
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
Failed to authenticate the user.
Login incorrect: [SITEONE\\hhoffman] (from client localhost port 1812)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> SITEONE\hhoffman
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 14 to 127.0.0.1 port 38806
Waking up in 4.9 seconds.
Cleaning up request 6 ID 14 with timestamp +864
Ready to process requests.




On Tue, 2010-10-12 at 21:48 +0200, Alan DeKok wrote:
> Harry Hoffman wrote:
> > I'm following along with the docs for Autz-Type in freeradius-2.1.8,
> > specifically the section about selecting between multiple instances of a
> > module.
> 
>   In 2.x, there are better ways to do this.  See "man unlang" for
> conditionally calling a module.
> 
> > In users.conf I have:
> > DEFAULT Realm == "siteone.edu", Autz-Type := siteone_ldap, Auth-Type :=
> > siteone_ldap
> 
>   Please don't say "users.conf".  It's the "users" file.
> 
>   The issue is that 2.x has the "inner-tunnel" virtual server, and the
> documentation is left over from 1.1.x.  The solution is instead to *not*
> use the "users" file.  Instead, do:
> 
> authorize {
> 	...
> 	if (Realm == "siteone.edu") {
> 		siteone_ldap
> 	}
> 	...
> }
> 
>   This will *also* have it automatically set "Auth-Type" to
> siteone_ldap, too.  That's simpler than the "users" file entry, and
> gives less room for mistakes.
> 
>   Alan DeKok.
> 
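The debug output above ends with "No authenticate method (Auth-Type) configuration found" because nothing in the authorize section chose one: rlm_ldap sets Auth-Type itself when it finds the user and its instance is listed in authenticate, but an "exec" instance such as siteone_ntlm_auth only runs the program and returns ok. The following is an added configuration example, not config from this thread or from the FreeRADIUS distribution. The instance names siteone_ldap and siteone_ntlm_auth and the realm names come from the debug output; the exec module definition, the /usr/bin/ntlm_auth path, the --domain=%{Realm} argument and the file locations are assumptions.

```unlang
# Added example (not from the thread): select an authenticate method
# for the SITEONE realm explicitly, since rlm_exec does not set
# Auth-Type the way rlm_ldap does.

# modules/siteone_ntlm_auth (assumed location, path and arguments)
exec siteone_ntlm_auth {
	wait = yes
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=%{Realm} --username=%{Stripped-User-Name} --password=%{User-Password}"
}

# sites-enabled/default
authorize {
	preprocess
	chap
	mschap
	suffix
	ntdomain
	if (Realm == "siteone.edu") {
		# rlm_ldap sets Auth-Type := siteone_ldap on its own when the
		# user is found and the instance is listed in authenticate.
		siteone_ldap
	}
	elsif (Realm == "SITEONE") {
		# rlm_exec returns ok but chooses no authenticate method, so
		# choose it here instead of running the program in authorize.
		update control {
			Auth-Type := siteone_ntlm_auth
		}
	}
	eap
	files
	expiration
	logintime
	pap
}

authenticate {
	Auth-Type PAP {
		pap
	}
	# Listing an instance directly in authenticate defines an Auth-Type
	# with the instance name, so "Auth-Type := siteone_ntlm_auth" above
	# runs the program once here, where its exit code decides the result.
	siteone_ntlm_auth
	siteone_ldap
	eap
}
```

Two things to keep in mind with this layout. First, --password=%{User-Password} puts the cleartext password on the ntlm_auth command line, where it is visible in the host's process list for as long as the helper runs, and it is printed in radiusd -X output as the expansion lines above show, so treat debug logs from such a server as sensitive. Second, this only works for requests that carry a cleartext User-Password; for MS-CHAP or EAP the password is never available to the exec module, and the ntlm_auth integration built into rlm_mschap is the appropriate route.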