MSSCHAP auth + LDAP authorization

Andres Septer andres.septer at navirec.com
Wed Apr 4 11:53:33 CEST 2012


----- Original Message -----
From: "Matthew Newton" <mcn4 at leicester.ac.uk>
Sent: Tue, 3.4.2012 13:01
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Subject: Re: MSSCHAP auth + LDAP authorization

[SNIP]

The LDAP module can be configured for group lookups - look about
half way down modules/ldap, you'll find the group settings. Check
radiusd -X to see what it's doing, as usual.

Use unlang in your inner-tunnel authorize section to check the
ldap group, something along the lines of (very untested):

if (!(Ldap-group == 'cn=group,dc=example,dc=com')) {
  reject
}

OK, that's an interesting idea. This should go to the inner tunnel, and the inner tunnel only???

I found an example in the list archives (fortunately, they work again) and followed this one.
It only used the "filter" statement. I have read docs/rlm_ldap but still don't quite get what "filter" and "group" filter are for. I tried this configuration:

Ldap module conf

ldap {

    server = "local.track.ee"
    identity = "CN=ldapbind,OU=SBSUsers,OU=Users,OU=Navirec,DC=local,DC=track,DC=ee"
    password = "XXXXXXXXXXXXXXX"
    basedn = "DC=local,DC=track,DC=ee"
    filter = "(&(SAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=CN=VPNUsers,OU=SBSUsers,OU=Users,OU=Navirec,DC=local,DC=track,DC=ee))"
    #base_filter = "(objectclass=radiusprofile)"

#debugging purposes
ldap_debug = 0x0028

LDAP bind and queries tested in JExplorer, they work ok

Commented ldap in on the authorize stanza of inner-tunnel and tested.
Here's the output:

rad_recv: Access-Request packet from host 127.0.0.1 port 34775, id=2, length=141
        User-Name = "freeradius.test"
        NAS-IP-Address = 10.128.160.4
        NAS-Port = 0
        Message-Authenticator = 0x530dad2e80d15ff25193eb9ff5834f96
        MS-CHAP-Challenge = 0x043031fc454d971c
        MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000093e05fd8f5df4a2ae229f031aa0f4290ea1debe45039c363
Wed Apr  4 12:50:29 2012 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
Wed Apr  4 12:50:29 2012 : Info: +- entering group authorize {...}
Wed Apr  4 12:50:29 2012 : Info: ++[preprocess] returns ok
Wed Apr  4 12:50:29 2012 : Info: ++[chap] returns noop
Wed Apr  4 12:50:29 2012 : Info: [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
Wed Apr  4 12:50:29 2012 : Info: ++[mschap] returns ok
Wed Apr  4 12:50:29 2012 : Info: ++[digest] returns noop
Wed Apr  4 12:50:29 2012 : Info: [suffix] No '@' in User-Name = "freeradius.test", looking up realm NULL
Wed Apr  4 12:50:29 2012 : Info: [suffix] No such realm "NULL"
Wed Apr  4 12:50:29 2012 : Info: ++[suffix] returns noop
Wed Apr  4 12:50:29 2012 : Info: [eap] No EAP-Message, not doing EAP
Wed Apr  4 12:50:29 2012 : Info: ++[eap] returns noop
Wed Apr  4 12:50:29 2012 : Info: ++[files] returns noop
Wed Apr  4 12:50:29 2012 : Info: [ldap] performing user authorization for freeradius.test
Wed Apr  4 12:50:29 2012 : Info: [ldap]         expand: %{Stripped-User-Name} ->
Wed Apr  4 12:50:29 2012 : Info: [ldap]         ... expanding second conditional
Wed Apr  4 12:50:29 2012 : Info: [ldap]         expand: %{User-Name} -> freeradius.test
Wed Apr  4 12:50:29 2012 : Info: [ldap]         expand: (&(SAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=CN=VPNUsers,OU=SBSUsers,OU=Users,OU=Navirec,DC=local,DC=track,DC=ee)) -> (&(SAMAccountName=freeradius.test)(memberOf=CN=VPNUsers,OU=SBSUsers,OU=Users,OU=Navirec,DC=local,DC=track,DC=ee))
Wed Apr  4 12:50:29 2012 : Info: [ldap]         expand: DC=local,DC=track,DC=ee -> DC=local,DC=track,DC=ee
Wed Apr  4 12:50:29 2012 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Wed Apr  4 12:50:29 2012 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Wed Apr  4 12:50:29 2012 : Debug:   [ldap] attempting LDAP reconnection
Wed Apr  4 12:50:29 2012 : Debug:   [ldap] (re)connect to local.track.ee:389, authentication 0
Wed Apr  4 12:50:29 2012 : Debug:   [ldap] bind as CN=ldapbind,OU=SBSUsers,OU=Users,OU=Navirec,DC=local,DC=track,DC=ee/XXXXXXXXXX to local.track.ee:389
Wed Apr  4 12:50:29 2012 : Debug:   [ldap] waiting for bind result ...
Wed Apr  4 12:50:29 2012 : Debug:   [ldap] Bind was successful
Wed Apr  4 12:50:29 2012 : Debug:   [ldap] performing search in DC=local,DC=track,DC=ee, with filter (&(SAMAccountName=freeradius.test)(memberOf=CN=VPNUsers,OU=SBSUsers,OU=Users,OU=Navirec,DC=local,DC=track,DC=ee))
Wed Apr  4 12:50:29 2012 : Error:   [ldap] ldap_search() failed: Operations error
Wed Apr  4 12:50:29 2012 : Info: [ldap] search failed
Wed Apr  4 12:50:29 2012 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Wed Apr  4 12:50:29 2012 : Info: ++[ldap] returns fail
Wed Apr  4 12:50:29 2012 : Info: Using Post-Auth-Type Reject
Wed Apr  4 12:50:29 2012 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Wed Apr  4 12:50:29 2012 : Info: +- entering group REJECT {...}
Wed Apr  4 12:50:29 2012 : Info: [attr_filter.access_reject]    expand: %{User-Name} -> freeradius.test
Wed Apr  4 12:50:29 2012 : Debug: attr_filter: Matched entry DEFAULT at line 11
Wed Apr  4 12:50:29 2012 : Info: ++[attr_filter.access_reject] returns updated
Wed Apr  4 12:50:29 2012 : Info: Delaying reject of request 0 for 1 seconds
Wed Apr  4 12:50:29 2012 : Debug: Going to the next request
Wed Apr  4 12:50:29 2012 : Debug: Waking up in 0.9 seconds.
Wed Apr  4 12:50:30 2012 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 2 to 127.0.0.1 port 34775

Why does it fail on freeradius, though the query is correct? Am I following a wrong example after all, and is Matthew's version the way to go? Where does the initial LDAP configuration go in Matthew's suggestion?

A.
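As an added illustration (not code from this thread or from FreeRADIUS), the Python below models how the "filter" line from the ldap {} block above is expanded into the search string seen in the debug output: the %{A:-B} default form falls back to User-Name when Stripped-User-Name is empty, and the substituted value is escaped per RFC 4515 so a username cannot change the shape of the filter (rlm_ldap does this escaping itself; the attribute dicts here are constructed sample input).

```python
# Added illustration (not FreeRADIUS code) of xlat expansion of the post's rlm_ldap filter.
FILTER_TEMPLATE = (
    "(&(SAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    "(memberOf=CN=VPNUsers,OU=SBSUsers,OU=Users,OU=Navirec,DC=local,DC=track,DC=ee))"
)

def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def _match_brace(s, start):
    """start is just past a '%{'; return the index of its matching '}'."""
    depth, i = 1, start
    while i < len(s):
        if s.startswith("%{", i):
            depth, i = depth + 1, i + 2
            continue
        if s[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError("unbalanced %{ in template")

def _resolve(body, attrs):
    """Resolve one %{...} body: an attribute (escaped), or the %{A:-B} default form."""
    depth = 0
    for j in range(len(body)):
        if body.startswith("%{", j):
            depth += 1
        elif body[j] == "}":
            depth -= 1
        elif depth == 0 and body.startswith(":-", j):
            left = expand(body[:j], attrs)               # try %{A} first ...
            return left or expand(body[j + 2:], attrs)   # ... else fall back to %{B}
    return ldap_filter_escape(attrs.get(body, ""))

def expand(template, attrs):
    """Expand every %{...} in template from the request attribute dict attrs."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            end = _match_brace(template, i + 2)
            out.append(_resolve(template[i + 2:end], attrs))
            i = end + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)
```

With only User-Name set (as in the debug output, where Stripped-User-Name expands to nothing) the result is exactly the filter the log shows being searched.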
