Problem in freeradius 2.1.10, ldap and huntgroups

Ville Leinonen ville at leinonen.org
Wed Aug 14 18:39:53 CEST 2013


Hi,

Any news for this problem?

Br,

Ville

5.8.2013 19:08, ville at leinonen.org wrote:
> Here:
>
> rad_recv: Access-Request packet from host 172.150.0.62 port 25196, id=194,
> length=63
>          User-Name = "testuser at xxxx.fi"
>          User-Password = "testpass"
>          NAS-IP-Address = 172.150.0.62
> # Executing section authorize from file /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> [auth_log]      expand:
> /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
> /var/log/freeradius/radacct/172.150.0.62/auth-detail-20130805
> [auth_log]
> /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> expands to /var/log/freeradius/radacct/172.150.0.62/auth-detail-20130805
> [auth_log]      expand: %t -> Mon Aug  5 19:03:20 2013
> ++[auth_log] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] Looking up realm "xxxx.fi" for User-Name = "testuser at xxxx.fi"
> [suffix] No such realm "xxxx.fi"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
>    [ldap] Entering ldap_groupcmp()
> [files]         expand: dc=demonet,dc=local -> dc=demonet,dc=local
> [files]         expand: %{Stripped-User-Name} ->
> [files]         ... expanding second conditional
> [files]         expand: %{User-Name} -> testuser at xxxx.fi
> [files]         expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
> (uid=testuser at xxxx.fi)
>    [ldap] ldap_get_conn: Checking Id: 0
>    [ldap] ldap_get_conn: Got Id: 0
>    [ldap] performing search in dc=demonet,dc=local, with filter
> (uid=testuser at xxxx.fi)
>    [ldap] ldap_release_conn: Release Id: 0
> [files]         expand:
> (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
> -> (|(&(objectClass=GroupOfNames)(member=cn\3dTauno
> Testaaja\2cou\3dxxxx\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno
> Testaaja\2cou\3dxxxx\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal)))
>    [ldap] ldap_get_conn: Checking Id: 0
>    [ldap] ldap_get_conn: Got Id: 0
>    [ldap] performing search in dc=demonet,dc=local, with filter
> (&(cn=xxxx)(|(&(objectClass=GroupOfNames)(member=cn\3dTauno
> Testaaja\2cou\3dxxxx\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno
> Testaaja\2cou\3dxxxx\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))))
>    [ldap] object not found
>    [ldap] ldap_release_conn: Release Id: 0
>    [ldap] ldap_get_conn: Checking Id: 0
>    [ldap] ldap_get_conn: Got Id: 0
>    [ldap] performing search in cn=Tauno
> Testaaja,ou=xxxx,ou=Customers,dc=demonet,dc=local, with filter
> (objectclass=*)
> rlm_ldap::ldap_groupcmp: User found in group xxxx
>    [ldap] ldap_release_conn: Release Id: 0
>    [ldap] Entering ldap_groupcmp()
> [files]         expand: dc=demonet,dc=local -> dc=demonet,dc=local
> [files]         expand:
> (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
> -> (|(&(objectClass=GroupOfNames)(member=cn\3dTauno
> Testaaja\2cou\3dxxxx\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno
> Testaaja\2cou\3dxxxx\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal)))
>    [ldap] ldap_get_conn: Checking Id: 0
>    [ldap] ldap_get_conn: Got Id: 0
>    [ldap] performing search in dc=demonet,dc=local, with filter
> (&(cn=disabled)(|(&(objectClass=GroupOfNames)(member=cn\3dTauno
> Testaaja\2cou\3dxxxx\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno
> Testaaja\2cou\3dxxxx\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))))
>    [ldap] object not found
>    [ldap] ldap_release_conn: Release Id: 0
>    [ldap] ldap_get_conn: Checking Id: 0
>    [ldap] ldap_get_conn: Got Id: 0
>    [ldap] performing search in cn=Tauno
> Testaaja,ou=xxxx,ou=Customers,dc=demonet,dc=local, with filter
> (objectclass=*)
> rlm_ldap::groupcmp: Group disabled not found or user not a member
>    [ldap] ldap_release_conn: Release Id: 0
> ++[files] returns noop
> [ldap] performing user authorization for testuser at xxxx.fi
> [ldap]  expand: %{Stripped-User-Name} ->
> [ldap]  ... expanding second conditional
> [ldap]  expand: %{User-Name} -> testuser at xxxx.fi
> [ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
> (uid=testuser at xxxx.fi)
> [ldap]  expand: dc=demonet,dc=local -> dc=demonet,dc=local
>    [ldap] ldap_get_conn: Checking Id: 0
>    [ldap] ldap_get_conn: Got Id: 0
>    [ldap] performing search in dc=demonet,dc=local, with filter
> (uid=testuser at xxxx.fi)
> [ldap] No default NMAS login sequence
> [ldap] looking for check items in directory...
>    [ldap] userPassword -> Password-With-Header ==
> "{SSHA}g5PDm9CrOOQu+XjbMGHTPnY43mifXND0"
> [ldap] looking for reply items in directory...
> [ldap] Setting Auth-Type = LDAP
> [ldap] user testuser at xxxx.fi authorized to use remote access
>    [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] Normalizing SSHA1-Password from base64 encoding
> [pap] WARNING: Auth-Type already set.  Not setting to PAP
> ++[pap] returns noop
> Found Auth-Type = LDAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group LDAP {...}
> [ldap] login attempt by "testuser at xxxx.fi" with password "testpass"
> [ldap] user DN: cn=Tauno Testaaja,ou=xxxx,ou=Customers,dc=demonet,dc=local
>    [ldap] (re)connect to 172.150.0.22:389, authentication 1
>    [ldap] bind as cn=Tauno
> Testaaja,ou=xxxx,ou=Customers,dc=demonet,dc=local/testpass to
> 172.150.0.22:389
>    [ldap] waiting for bind result ...
>    [ldap] Bind was successful
> [ldap] user testuser at xxxx.fi authenticated succesfully
> ++[ldap] returns ok
> Login OK: [testuser at xxxx.fi/testpass] (from client demonet-VPN01 port 0)
> # Executing section post-auth from file /etc/freeradius/sites-enabled/default
> +- entering group post-auth {...}
> ++[exec] returns noop
> Sending Access-Accept of id 194 to 172.150.0.62 port 25196
> Finished request 6.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 6 ID 194 with timestamp +42
> Ready to process requests.
>
> Br,
>
> Ville
>
>> Hi,
>>> Here comes:
>>>
>>> rlm_ldap::ldap_groupcmp: User found in group xxxx
>> radiusd -X
>>
>>
>> its what the docs say. for a reason
>>
>> alan
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
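The quoted debug output shows how rlm_ldap turns its configured filter templates into the searches it runs: the uid lookup, and for each `Ldap-Group` check from the huntgroups/users files, the `(&(cn=<group>)<membership filter>)` search with the user DN hex-escaped (`cn\3dTauno Testaaja\2cou\3dxxxx...`). The following is an added example, not code from the thread or from FreeRADIUS, that rebuilds those filters and pulls the groupcmp outcomes out of the debug text. The escape set (`,+"\<>;*=()` plus a leading space or `#`, lowercase `\XX`) is an assumption based on rlm_ldap 2.x's escaping rules and the escapes visible in the log; the xlat handling is a toy stand-in that covers only the `%{A}` and `%{%{A}:-%{B}}` forms the log uses; the user name is constructed (the list archive rewrote `@` as " at ").

```python
import re

# Characters rlm_ldap 2.x hex-escapes before placing a value in a filter
# (assumption from the server's escaping rules; the log shows '=' and ','
# becoming \3d and \2c while an interior space is left alone).
UNSAFE = set(',+"\\<>;*=()')

# Templates copied from the debug output in the thread.
USER_FILTER = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
GROUP_MEMBERSHIP_FILTER = (
    "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))"
    "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
)


def ldap_escape(value: str) -> str:
    """Hex-escape filter metacharacters as \\XX (lowercase hex).

    This is what keeps a DN or user name containing ')' or '*' from
    changing the shape of the search filter it is substituted into.
    """
    out = []
    for i, ch in enumerate(value):
        if ch == "\x00" or ch in UNSAFE or (i == 0 and ch in " #"):
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


_COND = re.compile(r"%\{%\{([^}]+)\}:-%\{([^}]+)\}\}")  # %{%{A}:-%{B}}
_PLAIN = re.compile(r"%\{([^}]+)\}")                    # %{A}


def expand(template: str, attrs: dict) -> str:
    """Toy stand-in for the server's xlat (assumption, not the real parser):
    %{%{A}:-%{B}} takes B when A is empty (the "expanding second conditional"
    lines in the log), %{A} takes A; every substituted value is escaped."""
    def cond(m):
        return ldap_escape(attrs.get(m.group(1)) or attrs.get(m.group(2), ""))

    def plain(m):
        return ldap_escape(attrs.get(m.group(1), ""))

    return _PLAIN.sub(plain, _COND.sub(cond, template))


def group_check_filter(group_name: str, attrs: dict) -> str:
    """Filter rlm_ldap searches with for an Ldap-Group == <group_name>
    check: (cn=<group>) ANDed with the expanded membership filter."""
    return "(&(cn=%s)%s)" % (ldap_escape(group_name),
                             expand(GROUP_MEMBERSHIP_FILTER, attrs))


_GROUPCMP = re.compile(
    r"rlm_ldap::(?:ldap_)?groupcmp: (?:User found in group (\S+)"
    r"|Group (\S+) not found or user not a member)")


def groupcmp_results(debug_output: str) -> dict:
    """Map each group checked in radiusd -X output to True (member) / False."""
    results = {}
    for m in _GROUPCMP.finditer(debug_output):
        if m.group(1):
            results[m.group(1)] = True
        else:
            results[m.group(2)] = False
    return results


# Constructed request attributes mirroring the log.
ATTRS = {
    "User-Name": "testuser@xxxx.fi",
    "Stripped-User-Name": "",
    "control:Ldap-UserDn":
        "cn=Tauno Testaaja,ou=xxxx,ou=Customers,dc=demonet,dc=local",
}

# The two groupcmp result lines from the debug output in the thread.
SAMPLE_DEBUG = """\
rlm_ldap::ldap_groupcmp: User found in group xxxx
rlm_ldap::groupcmp: Group disabled not found or user not a member
"""

if __name__ == "__main__":
    print(expand(USER_FILTER, ATTRS))
    print(group_check_filter("xxxx", ATTRS))
    print(groupcmp_results(SAMPLE_DEBUG))
```

Running the block prints the uid filter, a group filter byte-for-byte equal to the `cn=xxxx` search in the log, and `{'xxxx': True, 'disabled': False}`, i.e. the user is in group `xxxx` and not in `disabled`, which is exactly what the huntgroups-driven checks above report before the LDAP bind succeeds.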

