LDAP-UserDn not populated? (Was: Re: Radius, LDAP and Openvpn)

Andres Septer andres.septer at gmail.com
Fri Nov 1 14:11:56 CET 2013


Logs
LDAP search fails because LDAP-UserDN is empty
Fri Nov  1 15:08:24 2013 : Info: +- entering group post-auth {...}
Fri Nov  1 15:08:24 2013 : Info: ++? if (LDAP-Group == "WIFI")
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap: Entering ldap_groupcmp()
Fri Nov  1 15:08:24 2013 : Info:        expand: o=evrcargo -> o=evrcargo
Fri Nov  1 15:08:24 2013 : Info:        expand:
(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
->
(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap: performing search in
o=evrcargo, with filter
(&(cn=WIFI)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap: object not found or got
ambiguous search result
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap: performing search in
cn=Toomas,o=EVRCargo, with filter (objectclass=*)
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap::ldap_groupcmp:
ldap_get_values() failed
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Fri Nov  1 15:08:24 2013 : Info: ++? elsif (LDAP-Group == "OPENVPN")
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap: Entering ldap_groupcmp()
Fri Nov  1 15:08:24 2013 : Info:        expand: o=evrcargo -> o=evrcargo
Fri Nov  1 15:08:24 2013 : Info:        expand:
(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
->
(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap: performing search in
o=evrcargo, with filter
(&(cn=OPENVPN)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap: object not found or got
ambiguous search result
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap: performing search in
cn=Toomas,o=EVRCargo, with filter (objectclass=*)
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap::ldap_groupcmp:
ldap_get_values() failed
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Fri Nov  1 15:08:24 2013 : Info: ++- entering else else {...}
Fri Nov  1 15:08:24 2013 : Info: +++[reject] returns reject
Fri Nov  1 15:08:24 2013 : Info: ++- else else returns reject
Fri Nov  1 15:08:24 2013 : Info: Using Post-Auth-Type Reject
Fri Nov  1 15:08:24 2013 : Info: +- entering group REJECT {...}

LDAP Bind

Fri Nov  1 15:08:24 2013 : Info: [ldap] performing user authorization for
toomas
Fri Nov  1 15:08:24 2013 : Info: [ldap] WARNING: Deprecated conditional
expansion ":-".  See "man unlang" for details
Fri Nov  1 15:08:24 2013 : Info: [ldap]         expand:
(uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=toomas)
Fri Nov  1 15:08:24 2013 : Info: [ldap]         expand: o=evrcargo ->
o=evrcargo
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap: attempting LDAP reconnection
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap: (re)connect to 192.168.99.60:636,
authentication 0
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap: setting TLS mode to 1
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap: setting TLS CACert File to
/etc/raddb/certs/evrc-ou.pam
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap: setting TLS Require Cert to
demand
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap: bind as
cn=anz,o=evrcargo/whatis to 192.168.99.60:636
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap: waiting for bind result ...
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap: Bind was successful
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap: performing search in
o=evrcargo, with filter (uid=toomas)
Fri Nov  1 15:08:24 2013 : Info: [ldap] checking if remote access for
toomas is allowed by rADIUSEnableDialAccess
Fri Nov  1 15:08:24 2013 : Info: [ldap] Added the eDirectory password
XXXXXXXXXXXX in check items as Cleartext-Password
Fri Nov  1 15:08:24 2013 : Info: [ldap] No default NMAS login sequence
Fri Nov  1 15:08:24 2013 : Info: [ldap] looking for check items in
directory...
Fri Nov  1 15:08:24 2013 : Info: [ldap] looking for reply items in
directory...
Fri Nov  1 15:08:24 2013 : Info: [ldap] user toomas authorized to use
remote access
Fri Nov  1 15:08:24 2013 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Fri Nov  1 15:08:24 2013 : Info: ++[ldap] returns ok



2013/11/1 Phil Mayers <p.mayers at imperial.ac.uk>

> On 01/11/13 12:11, Andres Septer wrote:
>
>>
>>        You need to read the documentation, and *understand* how FreeRADIUS
>>     works.  The alternative is random changes, confusion, upset users, and
>>     *more* work and pain.
>>
>>
>> Skipped the idea to use different LDAP attributes for WiFi and OpenVPN
>> altogether and turned to the LDAP groups.
>>
>> But my Ldap-UserDn attribute won't get populated (even though the user is
>> successfully authenticated in LDAP). So the group search obviously fails.
>>
>> When I manually insert my test user's DN, everything works as expected.
>>
>> I read the rlm_ldap manual but I still do not understand why my
>> LDAP-UserDn is not populated.
>>
>
> Sigh. Debug please, as gathered with "radiusd -X". We're not psychic.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/**
> list/users.html <http://www.freeradius.org/list/users.html>
>
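Added example for readers of this thread (it is not code from the thread or from FreeRADIUS): it rebuilds the membership filter that rlm_ldap's ldap_groupcmp sends for an LDAP-Group check, as seen in the debug output above, and scans radiusd -X "expand:" lines for any %{...} reference that came out empty, which is the condition that makes the (member=) filter match nothing. The filter template is the one visible in the log; the sample log lines are constructed in the single-line form radiusd prints them, and the escaping and empty-DN check are this example's own, not a statement about what rlm_ldap does internally.

```python
import re

# Membership filter template as it appears in the poster's radiusd -X output
# (the default groupmembership_filter of rlm_ldap 2.x).
GROUP_FILTER_TEMPLATE = (
    "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
    "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
)

# RFC 4515 escapes for a value spliced into a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string so it cannot alter the structure of an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_group_filter(group_cn, user_dn):
    """Build the filter ldap_groupcmp sends: (&(cn=GROUP)<membership filter>).

    An empty DN is refused up front: "(member=)" can never match a real group,
    so the check would fail closed for every user, exactly as in the log above.
    """
    if not user_dn:
        raise ValueError("Ldap-UserDn is empty: (member=) cannot match any group")
    membership = GROUP_FILTER_TEMPLATE.replace(
        "%{Ldap-UserDn}", escape_filter_value(user_dn))
    return "(&(cn=%s)%s)" % (escape_filter_value(group_cn), membership)


# Simple %{Attr} references only; nested forms like %{a:-%{b}} are not aligned.
XLAT_RE = re.compile(r"%\{([^{}]+)\}")
EXPAND_RE = re.compile(r"expand:\s+(?P<tmpl>.*?)\s+->\s+(?P<out>.*)$")


def empty_xlat_attributes(template, result):
    """Return the attribute names in an xlat template that expanded to "".

    Returns None when the expanded result cannot be aligned with the template.
    """
    names = XLAT_RE.findall(template)
    if not names:
        return []
    literals = XLAT_RE.sub("\x00", template).split("\x00")
    pattern = "^" + "(.*?)".join(re.escape(lit) for lit in literals) + "$"
    match = re.match(pattern, result)
    if match is None:
        return None
    empties = [n for n, v in zip(names, match.groups()) if v == ""]
    return list(dict.fromkeys(empties))  # dedupe, keep order


def scan_debug_log(lines):
    """Return (line_number, attribute) for every 'expand:' line in radiusd -X
    output where a %{...} reference produced nothing."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = EXPAND_RE.search(line)
        if not m:
            continue
        for attr in empty_xlat_attributes(m.group("tmpl"), m.group("out")) or []:
            hits.append((number, attr))
    return hits


# Constructed sample, modelled on the poster's log but on single lines.
SAMPLE_LOG = [
    "Fri Nov  1 15:08:24 2013 : Info: [ldap]         expand: (uid=%{User-Name}) -> (uid=toomas)",
    "Fri Nov  1 15:08:24 2013 : Info:        expand: o=evrcargo -> o=evrcargo",
    "Fri Nov  1 15:08:24 2013 : Info:        expand: " + GROUP_FILTER_TEMPLATE
    + " -> (|(&(objectClass=GroupOfNames)(member=))"
      "(&(objectClass=GroupOfUniqueNames)(uniquemember=)))",
]

if __name__ == "__main__":
    for number, attr in scan_debug_log(SAMPLE_LOG):
        print("line %d: %%{%s} expanded to nothing" % (number, attr))
    print(build_group_filter("WIFI", "cn=Toomas,o=EVRCargo"))
```

Run against the constructed sample it flags line 3, the group filter, as the one where %{Ldap-UserDn} expanded to nothing; pointing the scanner at a real radiusd -X capture narrows a "group check always rejects" symptom to the exact xlat that lost its value. The escaping is there because any DN or group name spliced into a filter string must not be able to change the filter's structure.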

