Groups in active directory and checks in MySQL
Atomikramp
atomikramp at email.it
Mon Aug 26 10:04:41 CEST 2013
Hello,
sorry for the top quoting, but I'm replying from a webmail client which is really crap.
Accordingly, I'm posting here the debug log of a radtest.
The authentication gets rejected because the group matches in raddb/users with the following expression:
DEFAULT Ldap-Group == "fax", Auth-Type := Reject
I've tried commenting it out and adding this to MySQL in the table radgroupcheck:
table: radgroupcheck
Groupname: fax
Attribute: Auth-Type
op: :=
Value: Reject
but it's not giving the same result: the check against SQL is ignored and the user is authenticated successfully.
Here is the debug log:
rad_recv: Access-Request packet from host 127.0.0.1 port 45195, id=232, length=57
    User-Name = "sogo1"
    User-Password = "userpassword"
    NAS-IP-Address = 192.168.4.82
    NAS-Port = 80
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20130826
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20130826
[auth_log] expand: %t -> Mon Aug 26 07:56:19 2013
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "sogo1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[ldap] Entering ldap_groupcmp()
[files] expand: dc=plutone,dc=local -> dc=plutone,dc=local
[files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[files] ... expanding second conditional
[files] expand: %{User-Name} -> sogo1
[files] expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=sogo1)
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=plutone,dc=local, with filter (sAMAccountName=sogo1)
[ldap] ldap_release_conn: Release Id: 0
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=plutone,dc=local, with filter (&(cn=fax)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in CN=sogo1,CN=Users,DC=plutone,DC=local, with filter (objectclass=*)
[ldap] performing search in CN=Fax,CN=Users,DC=plutone,DC=local, with filter (cn=fax)
rlm_ldap::ldap_groupcmp: User found in group fax
[ldap] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 205
++[files] returns ok
[ldap] performing user authorization for sogo1
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> sogo1
[ldap] expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=sogo1)
[ldap] expand: dc=plutone,dc=local -> dc=plutone,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=plutone,dc=local, with filter (sAMAccountName=sogo1)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user sogo1 authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[sql] expand: %{User-Name} -> sogo1
[sql] sql_set_user escaped user --> 'sogo1'
rlm_sql (sql): Reserving sql socket id: 1
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'sogo1' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'sogo1' ORDER BY priority
rlm_sql (sql): Released sql socket id: 1
[sql] User sogo1 not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[dailycounter] returns noop
Found Auth-Type = Reject
Auth-Type = Reject, rejecting user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> sogo1
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 232 to 127.0.0.1 port 45195
    Reply-Message = "Not Allowed."
Waking up in 4.9 seconds.
Cleaning up request 7 ID 232 with timestamp +585
Ready to process requests.
I've noticed that in the rlm_sql debugging no query is performed against radgroupcheck.
Could it be that I missed something in my configuration? Yet I can't figure out what; I ran through my config files many times.
Thanks.
Francesco
--------- Original Message --------
From: "Alan DeKok" <aland at deployingradius.com>
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Subject: Re: Groups in active directory and checks in MySQL
Date: 23/08/13 21:32
Atomikramp wrote:
> I'm in a situation now where I can successfully retrieve group
> membership of users in the active directory LDAP tree using rlm_ldap,
> and check them against files.
OK.
> So if I have a user with "memberOf" attribute set to groupA
> and I set in the raddb/users the following entry:
>
> DEFAULT Ldap-Group == "groupA", Auth-Type := Reject
> Reply-Message = "Not Allowed."
>
> I successfully deny access to that user.
That should map directly to the SQL tables.
> Since I'm already using MySQL for storing accounting information I was
> really interested in being able to use the same backend (MySQL) also for
> performing checks against groups.
>
> If I perform checks against usernames using the table radcheck they work
> properly (users retrieved from the LDAP backend); I've tried setting a
> radcheck like the following:
> userA Max-Daily-Session := 7200
>
> and after 2 hours the user is unable to authenticate to the NAS because
> the time allowed has expired.
>
>
> But I can't seem to be able to do the same thing with the groups.
Post the debug output. And what do you have in SQL?
> i've configured sites-enabled/default like this:
Note that the FAQ, README, "man" pages, and web pages ALL say to post
the debug output. We really don't care about the configuration. It
doesn't show what happens when the server receives a request.
Alan DeKok.
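As an added illustration (not part of the thread, and not FreeRADIUS code), the following Python script replays the rlm_sql authorize lookup order of FreeRADIUS 2.x against an in-memory SQLite copy of the radcheck, radusergroup and radgroupcheck tables. The first two queries are the ones that appear verbatim in the debug log above; the third is the stock authorize_group_check_query from sql.conf. rlm_sql only runs the radgroupcheck query for group names returned by the radusergroup membership query, and it knows nothing about the LDAP groups that rlm_ldap's Ldap-Group comparison evaluates. The table contents (user sogo1, group fax) are constructed from the post; the full check-item comparison semantics of rlm_sql are not reproduced, only the lookup order.

```python
import sqlite3

# Constructed, trimmed-down copies of the FreeRADIUS 2.x SQL tables that
# matter for authorization (only the columns the queries below use).
SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT,
                       attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT,
                            attribute TEXT, op TEXT, value TEXT);
"""

# Stock FreeRADIUS 2.x sql.conf queries, with %{SQL-User-Name} / %{Sql-Group}
# replaced by a bind parameter. The first two are the ones in the debug log.
AUTHORIZE_CHECK_QUERY = (
    "SELECT id, username, attribute, value, op FROM radcheck "
    "WHERE username = ? ORDER BY id"
)
GROUP_MEMBERSHIP_QUERY = (
    "SELECT groupname FROM radusergroup WHERE username = ? ORDER BY priority"
)
AUTHORIZE_GROUP_CHECK_QUERY = (
    "SELECT id, groupname, attribute, value, op FROM radgroupcheck "
    "WHERE groupname = ? ORDER BY id"
)


def sql_authorize(conn, username):
    """Mimic the lookup order of rlm_sql authorize (2.x).

    Returns (found, check_items): found is False when neither radcheck rows
    nor radusergroup rows exist for the user, which is what the server logs
    as "[sql] User ... not found" / "returns notfound". check_items is a list
    of (attribute, op, value) tuples collected from radcheck and, for every
    group the user belongs to, from radgroupcheck.
    """
    cur = conn.cursor()
    # 1. per-user check items
    items = [(attr, op, val)
             for _id, _user, attr, val, op in cur.execute(AUTHORIZE_CHECK_QUERY, (username,))]
    # 2. group membership: this is the ONLY place rlm_sql learns group names
    groups = [g for (g,) in cur.execute(GROUP_MEMBERSHIP_QUERY, (username,))]
    # 3. per-group check items, one query per group returned by step 2
    for group in groups:
        items += [(attr, op, val)
                  for _id, _grp, attr, val, op in cur.execute(AUTHORIZE_GROUP_CHECK_QUERY, (group,))]
    found = bool(items) or bool(groups)
    return found, items


def scenario(with_membership_row):
    """Build the tables as described in the post and run the lookup.

    with_membership_row=False reproduces the posted state: a radgroupcheck row
    for group 'fax' but no radusergroup row for sogo1. with_membership_row=True
    adds the radusergroup row so that the group check is actually consulted.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute(
        "INSERT INTO radgroupcheck (groupname, attribute, op, value) "
        "VALUES ('fax', 'Auth-Type', ':=', 'Reject')"
    )
    if with_membership_row:
        conn.execute("INSERT INTO radusergroup VALUES ('sogo1', 'fax', 1)")
    return sql_authorize(conn, "sogo1")


if __name__ == "__main__":
    print("no radusergroup row:", scenario(False))
    print("with radusergroup row:", scenario(True))
```

Run it and the first scenario yields no check items at all, matching the "User sogo1 not found" line in the log: the radgroupcheck row exists but no query ever reaches it. The second scenario returns the Auth-Type := Reject check item because radusergroup now names the group. A group membership that lives only in Active Directory has to be bridged into radusergroup (or expressed as an Ldap-Group condition in unlang or the users file, as the thread already does) before rlm_sql's group checks can see it.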