Problem in freeradius 2.1.10, ldap and huntgroups

ville at leinonen.org ville at leinonen.org
Mon Aug 5 18:08:17 CEST 2013


Here:

rad_recv: Access-Request packet from host 172.150.0.62 port 25196, id=194,
length=63
        User-Name = "testuser at xxxx.fi"
        User-Password = "testpass"
        NAS-IP-Address = 172.150.0.62
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/freeradius/radacct/172.150.0.62/auth-detail-20130805
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/172.150.0.62/auth-detail-20130805
[auth_log]      expand: %t -> Mon Aug  5 19:03:20 2013
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "xxxx.fi" for User-Name = "testuser at xxxx.fi"
[suffix] No such realm "xxxx.fi"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
  [ldap] Entering ldap_groupcmp()
[files]         expand: dc=demonet,dc=local -> dc=demonet,dc=local
[files]         expand: %{Stripped-User-Name} ->
[files]         ... expanding second conditional
[files]         expand: %{User-Name} -> testuser at xxxx.fi
[files]         expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=testuser at xxxx.fi)
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=demonet,dc=local, with filter
(uid=testuser at xxxx.fi)
  [ldap] ldap_release_conn: Release Id: 0
[files]         expand:
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
-> (|(&(objectClass=GroupOfNames)(member=cn\3dTauno
Testaaja\2cou\3dxxxx\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno
Testaaja\2cou\3dxxxx\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal)))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=demonet,dc=local, with filter
(&(cn=xxxx)(|(&(objectClass=GroupOfNames)(member=cn\3dTauno
Testaaja\2cou\3dxxxx\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno
Testaaja\2cou\3dxxxx\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))))
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in cn=Tauno
Testaaja,ou=xxxx,ou=Customers,dc=demonet,dc=local, with filter
(objectclass=*)
rlm_ldap::ldap_groupcmp: User found in group xxxx
  [ldap] ldap_release_conn: Release Id: 0
  [ldap] Entering ldap_groupcmp()
[files]         expand: dc=demonet,dc=local -> dc=demonet,dc=local
[files]         expand:
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
-> (|(&(objectClass=GroupOfNames)(member=cn\3dTauno
Testaaja\2cou\3dxxxx\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno
Testaaja\2cou\3dxxxx\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal)))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=demonet,dc=local, with filter
(&(cn=disabled)(|(&(objectClass=GroupOfNames)(member=cn\3dTauno
Testaaja\2cou\3dxxxx\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno
Testaaja\2cou\3dxxxx\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))))
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in cn=Tauno
Testaaja,ou=xxxx,ou=Customers,dc=demonet,dc=local, with filter
(objectclass=*)
rlm_ldap::groupcmp: Group disabled not found or user not a member
  [ldap] ldap_release_conn: Release Id: 0
++[files] returns noop
[ldap] performing user authorization for testuser at xxxx.fi
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> testuser at xxxx.fi
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=testuser at xxxx.fi)
[ldap]  expand: dc=demonet,dc=local -> dc=demonet,dc=local
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=demonet,dc=local, with filter
(uid=testuser at xxxx.fi)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header ==
"{SSHA}g5PDm9CrOOQu+XjbMGHTPnY43mifXND0"
[ldap] looking for reply items in directory...
[ldap] Setting Auth-Type = LDAP
[ldap] user testuser at xxxx.fi authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = LDAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group LDAP {...}
[ldap] login attempt by "testuser at xxxx.fi" with password "testpass"
[ldap] user DN: cn=Tauno Testaaja,ou=xxxx,ou=Customers,dc=demonet,dc=local
  [ldap] (re)connect to 172.150.0.22:389, authentication 1
  [ldap] bind as cn=Tauno
Testaaja,ou=xxxx,ou=Customers,dc=demonet,dc=local/testpass to
172.150.0.22:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
[ldap] user testuser at xxxx.fi authenticated succesfully
++[ldap] returns ok
Login OK: [testuser at xxxx.fi/testpass] (from client demonet-VPN01 port 0)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 194 to 172.150.0.62 port 25196
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 6 ID 194 with timestamp +42
Ready to process requests.

Br,

Ville

> Hi,
>> Here comes:
>>
>> rlm_ldap::ldap_groupcmp: User found in group xxxx
>
> radiusd -X
>
>
> its what the docs say. for a reason
>
> alan
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>




More information about the Freeradius-Users mailing list