freeradius 2.2.0 stop authorization
Wedel Blake
BWedel at cr.k12.ia.us
Tue Jan 22 20:10:28 CET 2013
I setup a centos 6.2 server that has freeradius 2.2.0 running on it. I have the mysql module running. Based on simple mac authentication with the username and password the mac address of the computer it appears to be working fine. What I want to do is setup ldap to authenticate against our Windows 2010 server where the computers are a part of the domain. I would like for it to query mysql first and then query ldap if it didn't find the computer in mysql.
If I remove ldap for the defaults file I get an Access-Accept reply as expected. It just that if there is anything after sql in the defaults file then it will continue on to try and authenticate against another module.
Below you can see a simple query with 'blake' being sent as both the user-name and password. It queries the db and finds it (as expected). However it continues to go to ldap and tries to find it to which I get an error. I understand that I don't have ldap working properly right now. However, first I just want to get the logic setup to where after finding a name in mysql it will stop and reply back with an Access-Accept and not query ldap. Is there a setting you have to put in a conf file?
rad_recv: Access-Request packet from host 10.220.1.107 port 52258, id=10, length=45
User-Name = "blake"
User-Password = "blake"
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "blake", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[sql] expand: %{Stripped-User-Name} ->
[sql] ... expanding second conditional
[sql] expand: %{User-Name} -> blake
[sql] expand: %{%{User-Name}:-DEFAULT} -> blake
[sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> blake
[sql] sql_set_user escaped user --> 'blake'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'blake' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'blake' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'blake' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'blakegroup' ORDER BY id
[sql] User found in group blakegroup
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'blakegroup' ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
[ldap] performing user authorization for blake
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> blake
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=blake)
[ldap] expand: o=My Org,c=UA -> o=My Org,c=UA
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to 10.193.0.90:389, authentication 0
[ldap] bind as CN=srvacct,OU=misc,OU=TechAdmin,OU=District,OU=Staff,DC=crcsd,DC=abc/ to 10.193.0.90:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in o=My Org,c=UA, with filter (uid=blake)
[ldap] ldap_search() failed: Operations error
[ldap] search failed
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns fail
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> blake
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.7 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 10 to 10.220.1.107 port 52258
Waking up in 4.9 seconds.
Cleaning up request 0 ID 10 with timestamp +3
Ready to process requests.
Thanks in advance!
-b
More information about the Freeradius-Users
mailing list