Authentication against multiple LDAP sources.

Stuart Lawson stuart.j.lawson at gmail.com
Fri Jan 6 16:11:50 CET 2012


Looking for a bit of advice, I am starting to think I am chasing the
impossible and will have to start to use Realms or proxies to resolve
this issue.

FreeRADIUS 2.1.7

I have multiple LDAP sources, with different suffixes and I have to
take into account the possibility that there may be username overlap
between the two. AA from either one should be OK.

I have two LDAP modules configured. Say uk and fr.

I am happy that the authorize section works:

authorize {
 uk {
 fail = 2
 notfound = 2
 ok = 1
 }
 fr {
 fail = 2
 notfound = 2
 ok = 1
 }
}

This gives an authorization if the user exists in either of the LDAP
sources. Auth-Type is being set to LDAP.

authenticate {
 Auth-Type LDAP {
  uk {
   reject = 1
   fail = 1
   notfound = 1
   ok = return
  }
  fr {
   reject = 1
   fail = 1
   notfound = 1
   ok = return
  }
 }
}

What I hoped this would do is return OK if authentication against
either of the sources worked. This is similar to the duplicate-users
scenario in many ways I suppose.

However (output below) it attempts to do the authentication against
both LDAP sources using the first suffix from the authorisation or
carried over from the first Authentication attempt (I don't know
which).


[uk] performing user authorization for user
[uk]    expand: %{Stripped-User-Name} ->
[uk]    expand: %{User-Name} -> user
[uk]    expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=user)
[uk]    expand: ou=people,dc=uk,dc=com -> ou=people,dc=uk,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: bind as STUFF/STUFF to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=uk,dc=com, with filter (uid=user)
[uk] looking for check items in directory...
[uk] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure
that the user is configured correctly?
[uk] Setting Auth-Type = LDAP
[uk] user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[uk] returns ok

** It has found a user "user" in the correct UK suffix, so that is as expected.

[fr] performing user authorization for user
[fr]  expand: %{Stripped-User-Name} ->
[fr]  expand: %{User-Name} -> user
[fr]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=user)
[fr]  expand: ou=people,dc=fr,dc=com -> ou=people,dc=fr,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.0.2:389, authentication 0
rlm_ldap: bind as STUFF/STUFF to 192.168.0.2:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=fr,dc=com, with filter (uid=user)
[fr] looking for check items in directory...
[fr] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure
that the user is configured correctly?
[fr] user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[fr] returns ok

** It has found a user "user" in the correct FR suffix, so that is good.

** Aggregate outcome of the authorise group is "ok". All I need to do
is get a successful Auth against either one of them.

++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = LDAP
+- entering group LDAP {...}
[uk] login attempt by "user" with password "stuff"
[uk] user DN: uid=user,ou=people,dc=uk,dc=com
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 1
rlm_ldap: bind as uid=user,ou=people,dc=uk,dc=com/stuff to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
++[uk] returns reject

** This is OK - this user "user" is not the UK one, they are the FR one.

[fr] login attempt by "user" with password "stuff"
[fr] user DN: uid=user,ou=uk,dc=com
rlm_ldap: (re)connect to 192.168.0.2:389, authentication 1
rlm_ldap: bind as uid=user,ou=people,dc=uk,dc=com/stuff to 192.168.0.2:389
rlm_ldap: waiting for bind result ...
rlm_ldap: uid=user,ou=people,dc=uk,dc=com bind to 192.168.0.2:389
failed No such object
[fr] ldap_connect() failed
++[fr] returns fail
Failed to authenticate the user.

** It has attempted to bind to LDAP using the UK suffix, not the FR
one, so fails where it should not.

Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> user
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 43 to 127.0.0.1 port 59453
Waking up in 4.9 seconds.
Cleaning up request 0 ID 43 with timestamp +3
Ready to process requests.
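
A debugging aid for the situation above, added here as an example (it is not code from the post or from FreeRADIUS): it reads radiusd -X output and flags any rlm_ldap instance whose authenticate-phase user bind uses a DN that does not sit under the base DN that same instance searched during authorize, which is exactly what the [fr] lines in the post show. The sample log embedded in the script is a constructed abridgement of the debug output quoted above; the instance names, hosts and the "stuff" placeholder password are taken from it.

```python
"""Checker for radiusd -X output: flag an rlm_ldap instance that binds with a
user DN lying outside the base DN it searched during authorize.

Added example written for this page, not FreeRADIUS code and not something
the poster ran. The sample log below is constructed from the debug output
quoted in the post, shortened to the lines the checker needs.
"""
import re

# Constructed sample, abridged from the post's radiusd -X output.
SAMPLE_LOG = """\
[uk] performing user authorization for user
rlm_ldap: bind as STUFF/STUFF to 127.0.0.1:389
rlm_ldap: performing search in ou=people,dc=uk,dc=com, with filter (uid=user)
++[uk] returns ok
[fr] performing user authorization for user
rlm_ldap: bind as STUFF/STUFF to 192.168.0.2:389
rlm_ldap: performing search in ou=people,dc=fr,dc=com, with filter (uid=user)
++[fr] returns ok
Found Auth-Type = LDAP
[uk] login attempt by "user" with password "stuff"
[uk] user DN: uid=user,ou=people,dc=uk,dc=com
rlm_ldap: bind as uid=user,ou=people,dc=uk,dc=com/stuff to 127.0.0.1:389
rlm_ldap: Bind failed with invalid credentials
++[uk] returns reject
[fr] login attempt by "user" with password "stuff"
[fr] user DN: uid=user,ou=people,dc=uk,dc=com
rlm_ldap: bind as uid=user,ou=people,dc=uk,dc=com/stuff to 192.168.0.2:389
rlm_ldap: uid=user,ou=people,dc=uk,dc=com bind to 192.168.0.2:389
failed No such object
++[fr] returns fail
"""

# "[inst] ..." lines name the instance that owns the following rlm_ldap: lines.
INSTANCE_RE = re.compile(r"^\[(\w+)\] ")
LOGIN_RE = re.compile(r"^\[(\w+)\] login attempt by ")
SEARCH_RE = re.compile(r"^rlm_ldap: performing search in (.+?), with filter ")
# The user bind line carries the DN and, in clear text, the password.
BIND_RE = re.compile(r"^rlm_ldap: bind as (.+?)/(.*) to (\S+)$")


def normalise_dn(dn: str) -> str:
    """Lower-case and trim whitespace around RDNs so DNs compare reliably."""
    return ",".join(rdn.strip() for rdn in dn.strip().lower().split(","))


def dn_within_base(dn: str, base: str) -> bool:
    """True when dn is the base itself or an entry somewhere below it."""
    dn_n, base_n = normalise_dn(dn), normalise_dn(base)
    return dn_n == base_n or dn_n.endswith("," + base_n)


def find_dn_mismatches(log_text: str) -> list:
    """Return one record per user bind whose DN is outside the instance's base.

    The base comes from the instance's authorize-time search; the DN from the
    bind it performs after its "login attempt by" line in authenticate.
    """
    bases = {}            # instance -> base DN searched in authorize
    mismatches = []
    current = None        # instance owning the rlm_ldap: lines being read
    in_login = False      # True once `current` has logged a login attempt
    for line in log_text.splitlines():
        m = INSTANCE_RE.match(line)
        if m:
            if m.group(1) != current:
                current, in_login = m.group(1), False
            if LOGIN_RE.match(line):
                in_login = True
            continue
        if current is None:
            continue
        m = SEARCH_RE.match(line)
        if m and not in_login:
            bases.setdefault(current, m.group(1))   # keep the authorize-time base
            continue
        m = BIND_RE.match(line)
        if m and in_login:
            dn, _password, host = m.groups()         # password is never stored
            base = bases.get(current)
            if base is not None and not dn_within_base(dn, base):
                mismatches.append(
                    {"instance": current, "dn": dn, "base": base, "host": host}
                )
    return mismatches


if __name__ == "__main__":
    for hit in find_dn_mismatches(SAMPLE_LOG):
        print(f"[{hit['instance']}] bound as {hit['dn']} on {hit['host']} "
              f"but searched {hit['base']} during authorize")
```

Run as-is it reports the [fr] bind; point it at a saved -X capture to check a live server. Two things the output itself makes worth noting: the "bind as ..." lines carry the user's password in clear text (the "stuff" above), so redact a capture before posting it anywhere, and both instances ran their check- and reply-item lookups during authorize, so whatever they added stays on the request no matter which directory later authenticates the user; with overlapping usernames that is worth a look as well.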


