LDAP authentication trouble on 3.0

David Aldwinckle daldwinckle at uwaterloo.ca
Thu Jul 5 14:15:23 CEST 2012


Hi,

That is what I originally hoped for. Your post made me go back and rewrite my ldap module config, which in the end didn't change anything. I also did a search on the entire directory for any instances of "Auth-Type" to verify that I had not set it to "Accept". I found no occurrences that weren't in unused sites or documentation. So then I tried:

1. Uncommented LDAP in the authorization and authentication sections of the default virtual server. They are commented out in my 2.2 config, because I don't use the default virtual server to handle ldap. More on this later.
2. Removed the NULL realm so that these requests would be handled locally.

And success! A login that should work, works, and one that should not, doesn't. However, this isn't an acceptable solution in the long run.

Then I tried adding the NULL realm back to proxy.conf to send the request to another virtual server, and adding a DEFAULT line to the users file, with Proxy-To-Realm, to make sure it gets there.

I saw again that any random user and password would be accepted. I can clearly see the LDAP search fail with [ldap] = notfound. 

The reason I proxy the null realm is because of the variety of things the server has to handle:

1. local EAP and 802.1x - done in the default virtual server since you can't proxy twice.
2. proxying to eduroam - I use realm DEFAULT to send to the eduroam pool.
3. captive portal logins - no realm in username, ldap with group checking
4. vpn logins - no realm in username
5. network device management (ssh) - no realm in username, ldap with group checking
6. guest wireless authentication - no realm in username, different ldap server with group checking

So, what I was doing was using the users file to match a specific attribute from each request, and then Proxy-To-Realm, so I could handle each in its own virtual server. I understand that it's kind of ugly and I am open to suggestions on how to improve, or redesign if needed.

Anyway, here is an example of the ldap search failing, but Access-Accept.


rad_recv: Access-Request packet from host 172.x.x.x port 33182, id=73, length=170
  Code:		1
  Id:		73
  Length:	170
  Vector:	42ff0476073ba8c8168873d6f27aabd1
  Data:		04  06  ac 10 20 8a 
		05  06  00 00 00 00 
		3d  06  00 00 00 13 
		01  05  31 32 33 
		02  12  03 c5 b2 f2 1f 3c 3b 4b f1 89 27 84 0c 63 6f b3 
		1f  0e  43 38 42 43 43 38 45 44 32 37 36 38 
		1e  0e  30 30 30 42 38 36 30 39 33 39 38 30 
		08  06  ac 15 0d af 
		06  06  00 00 00 01 
		1a  0e  000039e7 (14823)  05 08 75 77 2d 6e 73 64 
		1a  17  000039e7 (14823)  06 11 41 53 2d 41 50 2d 4d 43 2d 31 30 39 35 2d 
			42 
		1a  0e  000039e7 (14823)  0a 08 4d 43 2d 73 74 64 
		50  12  fb b9 f9 b2 c5 c3 8e 04 95 e6 03 39 64 97 79 4b 
	NAS-IP-Address = 172.x.x.x
	NAS-Port = 0
	NAS-Port-Type = Wireless-802.11
	User-Name = "123"
	User-Password = "123"
	Calling-Station-Id = "redacted"
	Called-Station-Id = "redacted"
	Framed-IP-Address = 172.x.x.x
	Service-Type = Login-User
	Aruba-Essid-Name = "wireless"
	Aruba-Location-Id = "AP1"
	Aruba-AP-Group = "MC-std"
	Message-Authenticator = 0xfbb9f9b2c5c38e0495e603396497794b
Thu Jul  5 07:59:33 2012 : Info: (0) # Executing section authorize from file /etc/raddb/sites-enabled/default
Thu Jul  5 07:59:33 2012 : Info: (0)   group authorize {
Thu Jul  5 07:59:33 2012 : Info: (0)  - entering group authorize {...}
Thu Jul  5 07:59:33 2012 : Info: (0)   [preprocess] = ok
Thu Jul  5 07:59:33 2012 : Info: (0)   [chap] = noop
Thu Jul  5 07:59:33 2012 : Info: (0)   [mschap] = noop
Thu Jul  5 07:59:33 2012 : Info: (0)   [digest] = noop
Thu Jul  5 07:59:33 2012 : Info: (0) suffix : No '@' in User-Name = "123", looking up realm NULL
Thu Jul  5 07:59:33 2012 : Info: (0) suffix : Found realm "NULL"
Thu Jul  5 07:59:33 2012 : Info: (0) suffix : Adding Stripped-User-Name = "123"
Thu Jul  5 07:59:33 2012 : Info: (0) suffix : Adding Realm = "NULL"
Thu Jul  5 07:59:33 2012 : Info: (0) suffix : Proxying request from user 123 to realm NULL
Thu Jul  5 07:59:33 2012 : Info: (0) suffix : Preparing to proxy authentication request to realm "NULL" 
Thu Jul  5 07:59:33 2012 : Info: (0)   [suffix] = updated
Thu Jul  5 07:59:33 2012 : Info: (0) eap : No EAP-Message, not doing EAP
Thu Jul  5 07:59:33 2012 : Info: (0)   [eap] = noop
Thu Jul  5 07:59:33 2012 : Info: (0) files : users: Matched entry DEFAULT at line 207
Thu Jul  5 07:59:33 2012 : Info: (0)   [files] = ok
Thu Jul  5 07:59:33 2012 : Info: (0) ldap : performing user authorization for 123
Thu Jul  5 07:59:33 2012 : Info: (0) ldap : 	expand: %{Stripped-User-Name} -> 123
Thu Jul  5 07:59:33 2012 : Info: (0) ldap : 	expand: (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}}) -> (samaccountname=123)
Thu Jul  5 07:59:33 2012 : Info: (0) ldap : 	expand: dc=ads,dc=xxxxxx,dc=ca -> dc=ads,dc=xxxxx,dc=ca
Thu Jul  5 07:59:33 2012 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Thu Jul  5 07:59:33 2012 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Thu Jul  5 07:59:33 2012 : Debug:   [ldap] attempting LDAP reconnection
Thu Jul  5 07:59:33 2012 : Debug:   [ldap] (re)connect to ldap.xxxxxx.ca:389, authentication 0
Thu Jul  5 07:59:33 2012 : Debug:   [ldap] bind as AD\xxxxx/xxxxx to ldap.xxxxxx.ca:389
Thu Jul  5 07:59:33 2012 : Debug:   [ldap] waiting for bind result ...
Thu Jul  5 07:59:33 2012 : Debug:   [ldap] Bind was successful
Thu Jul  5 07:59:33 2012 : Debug:   [ldap] performing search in dc=ads,dc=xxxxxx,dc=ca, with filter (samaccountname=123)
Thu Jul  5 07:59:33 2012 : Debug:   [ldap] object not found
Thu Jul  5 07:59:33 2012 : Info: (0) ldap : search failed
Thu Jul  5 07:59:33 2012 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Thu Jul  5 07:59:33 2012 : Info: (0)   [ldap] = notfound
Thu Jul  5 07:59:33 2012 : Info: (0)   [expiration] = noop
Thu Jul  5 07:59:33 2012 : Info: (0)   [logintime] = noop
Thu Jul  5 07:59:33 2012 : Info: (0)   [pap] = noop
Thu Jul  5 07:59:33 2012 : Info: (0)   WARNING: Empty pre-proxy section.  Using default return values.
Thu Jul  5 07:59:33 2012 : Debug: Proxying to virtual server captive_portal
Thu Jul  5 07:59:33 2012 : Info: (0) # Executing section authorize from file /etc/raddb/sites-enabled/default
Thu Jul  5 07:59:33 2012 : Info: (0)   group authorize {
Thu Jul  5 07:59:33 2012 : Info: (0)  - entering group authorize {...}
Thu Jul  5 07:59:33 2012 : Info: (0)   [preprocess] = ok
Thu Jul  5 07:59:33 2012 : Info: (0)   [chap] = noop
Thu Jul  5 07:59:33 2012 : Info: (0)   [mschap] = noop
Thu Jul  5 07:59:33 2012 : Info: (0)   [digest] = noop
Thu Jul  5 07:59:33 2012 : Info: (0) suffix : Proxy reply, or no User-Name.  Ignoring.
Thu Jul  5 07:59:33 2012 : Info: (0)   [suffix] = ok
Thu Jul  5 07:59:33 2012 : Info: (0)   [eap] = noop
Thu Jul  5 07:59:33 2012 : Info: (0) files : users: Matched entry DEFAULT at line 207
Thu Jul  5 07:59:33 2012 : Info: (0)   [files] = ok
Thu Jul  5 07:59:33 2012 : Info: (0) ldap : performing user authorization for 123
Thu Jul  5 07:59:33 2012 : Info: (0) ldap : 	expand: %{Stripped-User-Name} -> 123
Thu Jul  5 07:59:33 2012 : Info: (0) ldap : 	expand: (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}}) -> (samaccountname=123)
Thu Jul  5 07:59:33 2012 : Info: (0) ldap : 	expand: dc=ads,dc=xxxxxxxx,dc=ca -> dc=ads,dc=xxxxxxxx,dc=ca
Thu Jul  5 07:59:33 2012 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Thu Jul  5 07:59:33 2012 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Thu Jul  5 07:59:33 2012 : Debug:   [ldap] performing search in dc=ads,dc=xxxxxxx,dc=ca, with filter (samaccountname=123)
Thu Jul  5 07:59:33 2012 : Debug:   [ldap] object not found
Thu Jul  5 07:59:33 2012 : Info: (0) ldap : search failed
Thu Jul  5 07:59:33 2012 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Thu Jul  5 07:59:33 2012 : Info: (0)   [ldap] = notfound
Thu Jul  5 07:59:33 2012 : Info: (0)   [expiration] = noop
Thu Jul  5 07:59:33 2012 : Info: (0)   [logintime] = noop
Thu Jul  5 07:59:33 2012 : Info: (0)   [pap] = noop
Thu Jul  5 07:59:33 2012 : Info: (0) Auth-Type = Accept, accepting the user
Thu Jul  5 07:59:33 2012 : Auth: (0) Login OK: [123] (from client wxxxxxxx port 0 cli C8BCC8ED2768)
Thu Jul  5 07:59:33 2012 : Info: (0) # Executing section post-auth from file /etc/raddb/sites-enabled/default
Thu Jul  5 07:59:33 2012 : Info: (0)   group post-auth {
Thu Jul  5 07:59:33 2012 : Info: (0)  - entering group post-auth {...}
Thu Jul  5 07:59:33 2012 : Info: (0)   [exec] = noop
Thu Jul  5 07:59:33 2012 : Info: (0)    policy remove_reply_message_if_eap {
Thu Jul  5 07:59:33 2012 : Info: (0)   - entering policy remove_reply_message_if_eap {...}
Thu Jul  5 07:59:33 2012 : Info: (0)    ? if (reply:EAP-Message && reply:Reply-Message)
Thu Jul  5 07:59:33 2012 : Info: (0) ? Evaluating (reply:EAP-Message ) -> FALSE
Thu Jul  5 07:59:33 2012 : Info: (0) ? Skipping (reply:Reply-Message)
Thu Jul  5 07:59:33 2012 : Info: (0)    ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE
Thu Jul  5 07:59:33 2012 : Info: (0)     else else {
Thu Jul  5 07:59:33 2012 : Info: (0)    - entering else else {...}
Thu Jul  5 07:59:33 2012 : Info: (0)     [noop] = noop
Thu Jul  5 07:59:33 2012 : Info: (0)    - else else returns noop
Thu Jul  5 07:59:33 2012 : Info: (0)   - policy remove_reply_message_if_eap returns noop
Sending Access-Accept of id 73 to 172.16.32.138 port 33182
  Code:		2
  Id:		73
  Length:	20
  Vector:	69147ff0c996e2d6f56993d745fe3fca



Dave A.

On 2012-07-05, at 4:07 AM, Phil Mayers wrote:

> On 07/05/2012 12:24 AM, David Aldwinckle wrote:
>> Hello,
>>
>> I am having a problem getting LDAP authentication working on FreeRADIUS
>> Version 3.0.0. The behaviour I am experiencing is that the server will
>> send an Access-Accept message without doing any checking of credentials.
>> I would expect to see an LDAP bind, but that does not occur. In the
>> debug output, I see a FreeRadius preparing to proxy, but this never
>> happens. I'm hoping that I've overlooked something simple, it has been a
>> while since I've done a fresh install.
>>
>
> You've most likely misconfigured the server, possibly without realising it. I note you are proxying the NULL realm to a local virtual server, which is a very not-default configuration.
>
>> (0) Auth-Type = Accept, accepting the user
>
> Find out where this is configured, and remove it.
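An added check, not from this thread or the FreeRADIUS project, that does what Phil suggests: it scans only the live part of a FreeRADIUS config tree for uncommented Auth-Type assignments that force Accept, skipping the sites-available and mods-available template directories and any commented-out lines, so hits in unused sites and documentation (which David's plain search also turned up) are not reported. The layout (sites-enabled, mods-enabled, a users file) is assumed from the 3.0 defaults, and the directory argument is whatever your raddb path is.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeRADIUS project: locate every
# live, uncommented "Auth-Type ... Accept" in a FreeRADIUS config tree.
# Assumes the 3.0 layout where only sites-enabled/ and mods-enabled/ are active
# and sites-available/ and mods-available/ hold inactive templates.
#
# Usage: find_forced_accept /etc/raddb
find_forced_accept() {
    raddb="$1"
    # -L follows the sites-enabled -> sites-available symlinks, so a linked
    # site is still scanned (under its sites-enabled path) even though the
    # template directories themselves are pruned.
    find -L "$raddb" \
        \( -name sites-available -o -name mods-available \) -prune \
        -o -type f -print 2>/dev/null |
    while IFS= read -r f; do
        # Strip trailing '#' comments before matching, so a commented-out
        # "# update control { Auth-Type := Accept }" is not reported, while
        # "DEFAULT Auth-Type := Accept" in the users file and
        # "update control { Auth-Type := Accept }" in unlang both are.
        awk -v f="$f" '
            { line = $0; sub(/#.*/, "", line) }
            line ~ /Auth-Type[ \t]*:?==?[ \t]*"?[Aa]ccept/ {
                print f ":" NR ": " $0
            }
        ' "$f"
    done
}

# Returns 0 when no forced Accept is configured, 1 when at least one is found.
# After removing a hit, re-run radiusd -X and confirm a user that LDAP reports
# as notfound now gets an Access-Reject rather than the Accept seen above.
config_is_clean() {
    [ -z "$(find_forced_accept "$1")" ]
}
```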