LDAP Group Membership

peter.geiser at id.unibe.ch peter.geiser at id.unibe.ch
Fri Apr 25 08:02:53 CEST 2014


When you use AD then the following simple query will do all the hard work...

Recursive Group Memberships
(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})
 
Or as config snippet:

group {
	base_dn = 'dc=foo,dc=bar'
	scope = 'sub'
	name_attribute = cn
	membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})"

	cacheable_name = "yes"
	cacheable_dn = "no"
}



- Peter
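Added here as an illustration, not code from Peter's reply or from FreeRADIUS: a small Python model of the difference between a plain (member=...) filter and the in-chain matching rule above, run over a constructed directory shaped like the nesting Josh describes (students > S_Students > SE_Students > user). The group DNs, the OU layout and the GROUPS table are assumptions, and the escaping helper models RFC 4515 filter escaping rather than rlm_ldap's own (the debug output further down shows rlm_ldap hex-escaping the expanded DN itself).

```python
"""Model of why a plain (member=<dn>) filter misses nested AD groups while
the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941) finds
them. Everything here is an offline, constructed stand-in for a directory;
nothing talks to a real LDAP server."""

IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD's transitive matching rule OID

# Constructed sample directory (assumed DNs): the user is a direct member of
# SE_Students only; SE_Students is nested in S_Students, which is nested in
# students.  Mapping: group DN -> set of direct 'member' values.
GROUPS = {
    "CN=students,OU=groups,DC=our,DC=domain": {
        "CN=S_Students,OU=groups,DC=our,DC=domain",
    },
    "CN=S_Students,OU=groups,DC=our,DC=domain": {
        "CN=SE_Students,OU=groups,DC=our,DC=domain",
    },
    "CN=SE_Students,OU=groups,DC=our,DC=domain": {
        "CN=sexample5555,OU=people,DC=our,DC=domain",
    },
}
USER_DN = "CN=sexample5555,OU=people,DC=our,DC=domain"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value placed inside a filter.
    '=' and ',' in a DN need no escaping, but '(', ')', '*', '\\' or NUL in
    a CN would otherwise change the structure of the filter."""
    out = []
    for ch in value:
        if ch in '\\*()\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def membership_filter(user_dn: str, transitive: bool) -> str:
    """Build the membership_filter value: the plain (member=...) form or the
    in-chain form from Peter's reply."""
    attr = f"member:{IN_CHAIN}:" if transitive else "member"
    return f"({attr}={escape_filter_value(user_dn)})"


def _dn_eq(a: str, b: str) -> bool:
    # AD compares DNs case-insensitively; good enough for this model
    return a.lower() == b.lower()


def direct_member(group_dn: str, user_dn: str) -> bool:
    """What (member=<dn>) evaluates to: a literal attribute comparison
    against the group's own 'member' values."""
    return any(_dn_eq(m, user_dn) for m in GROUPS.get(group_dn, ()))


def in_chain_member(group_dn: str, user_dn: str, directory=GROUPS) -> bool:
    """What (member:1.2.840.113556.1.4.1941:=<dn>) evaluates to: the server
    follows 'member' links transitively.  The 'seen' set guards against
    nested-group cycles, which AD permits."""
    seen, stack = set(), [group_dn]
    while stack:
        current = stack.pop()
        if current.lower() in seen:
            continue
        seen.add(current.lower())
        for m in directory.get(current, ()):
            if _dn_eq(m, user_dn):
                return True
            stack.append(m)  # descend into a nested group (no-op for users)
    return False


def groups_matching(user_dn: str, transitive: bool) -> list:
    """Group names the filter would return for this user, i.e. the set an
    LDAP-Group == "students" comparison is resolved against."""
    check = in_chain_member if transitive else direct_member
    return sorted(dn.split(",")[0][3:] for dn in GROUPS if check(dn, user_dn))


if __name__ == "__main__":
    for transitive in (False, True):
        print(membership_filter(USER_DN, transitive),
              groups_matching(USER_DN, transitive))
```

With the plain filter only SE_Students matches, so the LDAP-Group == "students" check fails exactly as in Josh's debug output; with the in-chain rule all three nested groups match.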




On 24.04.14 23:13, "Josh Essar" <jessar at kvcc.edu> wrote:

>I am having some problems with ldap group checking. Our students do
>not have a common group that they are a member of. They are all a member
>of a group based on their username (ST_Students for every student that
>has a username that starts with st). We then have groups based off each
>letter of the alphabet (S_Students would contain the SA_Students through
>SZ_Students groups). We then have another group called students, that
>has the A_Students through Z_Students groups.
>
>I know this is overly complex, but that is how our administrative
>computing department has set things up. I would like to use the student
>group to allow access to a wireless network. My current rule is as
>follows.
>
>if ((Called-Station-SSID == "Test2") && (LDAP-Group == "students")) {
>      noop
>}
>
>When the test user sexample5555 connects, they get denied because their
>account is a member of the SE_Students group. The SE_Students group is a
>member of the S_Students group, and that group is a member of the
>students group....but the user is not a direct member of the students
>group.
>
>
>Is there an easy solution that I am missing?
>
>
>Here is the full debug output. I know some things are not 100% correct.
>We are still in the testing phase.
>
>freeradius: FreeRADIUS Version 3.0.2, for host x86_64-pc-linux-gnu,
>built on Apr  7 2014 at 08:43:37
>Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
>There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
>PARTICULAR PURPOSE
>You may redistribute copies of FreeRADIUS under the terms of the
>GNU General Public License
>For more information about these matters, see the file named COPYRIGHT
>Starting - reading configuration files ...
>including dictionary file /usr/share/freeradius/dictionary
>including dictionary file /etc/freeradius/dictionary
>including configuration file /etc/freeradius/radiusd.conf
>including configuration file /etc/freeradius/proxy.conf
>including configuration file /etc/freeradius/clients.conf
>including files in directory /etc/freeradius/mods-enabled/
>including configuration file /etc/freeradius/mods-enabled/eap
>including configuration file /etc/freeradius/mods-enabled/preprocess
>including configuration file /etc/freeradius/mods-enabled/expiration
>including configuration file /etc/freeradius/mods-enabled/replicate
>including configuration file /etc/freeradius/mods-enabled/sradutmp
>including configuration file /etc/freeradius/mods-enabled/detail.log
>including configuration file /etc/freeradius/mods-enabled/exec
>including configuration file /etc/freeradius/mods-enabled/realm
>including configuration file /etc/freeradius/mods-enabled/ntlm_auth
>including configuration file /etc/freeradius/mods-enabled/logintime
>including configuration file /etc/freeradius/mods-enabled/attr_filter
>including configuration file /etc/freeradius/mods-enabled/files
>including configuration file /etc/freeradius/mods-enabled/radutmp
>including configuration file /etc/freeradius/mods-enabled/mschap
>including configuration file /etc/freeradius/mods-enabled/cache_eap
>including configuration file /etc/freeradius/mods-enabled/always
>including configuration file /etc/freeradius/mods-enabled/chap
>including configuration file /etc/freeradius/mods-enabled/unpack
>including configuration file /etc/freeradius/mods-enabled/ldap
>including configuration file /etc/freeradius/mods-enabled/detail
>including configuration file /etc/freeradius/mods-enabled/echo
>including configuration file /etc/freeradius/mods-enabled/linelog
>including configuration
>file /etc/freeradius/mods-enabled/dynamic_clients
>including configuration file /etc/freeradius/mods-enabled/utf8
>including files in directory /etc/freeradius/policy.d/
>including configuration file /etc/freeradius/policy.d/eap
>including configuration file /etc/freeradius/policy.d/filter
>including configuration file /etc/freeradius/policy.d/canonicalization
>including configuration file /etc/freeradius/policy.d/operator-name
>including configuration file /etc/freeradius/policy.d/dhcp
>including configuration file /etc/freeradius/policy.d/control
>including configuration file /etc/freeradius/policy.d/accounting
>including configuration file /etc/freeradius/policy.d/cui
>including files in directory /etc/freeradius/sites-enabled/
>including configuration file /etc/freeradius/sites-enabled/wifi
>including configuration file /etc/freeradius/sites-enabled/inner-tunnel
>including configuration file /etc/freeradius/sites-enabled/default
>main {
> security {
> 	user = "freerad"
> 	group = "freerad"
> 	allow_core_dumps = no
> }
>}
>main {
>	name = "freeradius"
>	prefix = "/usr"
>	localstatedir = "/var"
>	sbindir = "/usr/sbin"
>	logdir = "/var/log/freeradius"
>	run_dir = "/var/run/freeradius"
>	libdir = "/usr/lib/freeradius"
>	radacctdir = "/var/log/freeradius/radacct"
>	hostname_lookups = no
>	max_request_time = 30
>	cleanup_delay = 5
>	max_requests = 1024
>	pidfile = "/var/run/freeradius/freeradius.pid"
>	checkrad = "/usr/sbin/checkrad"
>	debug_level = 0
>	proxy_requests = yes
> log {
> 	stripped_names = no
> 	auth = no
> 	auth_badpass = no
> 	auth_goodpass = no
> 	colourise = yes
> 	msg_denied = "You are already logged in - access denied"
> }
> security {
> 	max_attributes = 200
> 	reject_delay = 1
> 	status_server = yes
> }
>}
>radiusd: #### Loading Realms and Home Servers ####
> proxy server {
> 	retry_delay = 5
> 	retry_count = 3
> 	default_fallback = no
> 	dead_time = 120
> 	wake_all_if_all_dead = no
> }
> home_server localhost {
> 	ipaddr = 127.0.0.1
> 	port = 1812
> 	type = "auth"
> 	secret = <<< secret >>>
> 	response_window = 20
> 	max_outstanding = 65536
> 	zombie_period = 40
> 	status_check = "status-server"
> 	ping_interval = 30
> 	check_interval = 30
> 	num_answers_to_alive = 3
> 	revive_interval = 120
> 	status_check_timeout = 4
>  coa {
>  	irt = 2
>  	mrt = 16
>  	mrc = 5
>  	mrd = 30
>  }
>  limit {
>  	max_connections = 16
>  	max_requests = 0
>  	lifetime = 0
>  	idle_timeout = 0
>  }
> }
> realm LOCAL {
> }
> home_server_pool my_auth_failover {
>	type = fail-over
>	home_server = localhost
> }
>radiusd: #### Loading Clients ####
> client localhost {
> 	ipaddr = 127.0.0.1
> 	require_message_authenticator = no
> 	secret = <<< secret >>>
> 	nas_type = "other"
> 	proto = "*"
>  limit {
>  	max_connections = 16
>  	lifetime = 0
>  	idle_timeout = 30
>  }
> }
> client our-wireless-controller.our.domain {
> 	require_message_authenticator = no
> 	secret = <<< secret >>>
> 	shortname = "ttcbluesocket"
> 	virtual_server = "wifi"
>  limit {
>  	max_connections = 16
>  	lifetime = 0
>  	idle_timeout = 30
>  }
> }
>No 'ipaddr' or 'ipv6addr' field found in client
>our-wireless-controller.our.domain.  Please fix your configuration
>Support for old-style clients will be removed in a future release
>radiusd: #### Instantiating modules ####
> instantiate {
> }
> modules {
>  # Loaded module rlm_eap
>  # Instantiating module "eap" from
>file /etc/freeradius/mods-enabled/eap
>  eap {
>  	default_eap_type = "peap"
>  	timer_expire = 60
>  	ignore_unknown_eap_types = no
>  	mod_accounting_username_bug = no
>  	max_sessions = 4096
>  }
>   # Linked to sub-module rlm_eap_md5
>   # Linked to sub-module rlm_eap_leap
>   # Linked to sub-module rlm_eap_gtc
>   gtc {
>   	challenge = "Password: "
>   	auth_type = "PAP"
>   }
>   # Linked to sub-module rlm_eap_tls
>   tls {
>   	tls = "tls-common"
>   }
>   tls-config tls-common {
>   	rsa_key_exchange = no
>   	dh_key_exchange = yes
>   	rsa_key_length = 512
>   	dh_key_length = 512
>   	verify_depth = 0
>   	ca_path = "/etc/freeradius/certs"
>   	pem_file_type = yes
>   	private_key_file = "/etc/freeradius/certs/server.pem"
>   	certificate_file = "/etc/freeradius/certs/server.pem"
>   	ca_file = "/etc/freeradius/certs/ca.pem"
>   	private_key_password = <<< secret >>>
>   	dh_file = "/etc/freeradius/certs/dh"
>   	fragment_size = 1024
>   	include_length = yes
>   	check_crl = no
>   	cipher_list = "DEFAULT"
>   	ecdh_curve = "prime256v1"
>    cache {
>    	enable = yes
>    	lifetime = 24
>    	max_entries = 255
>    }
>    verify {
>    }
>    ocsp {
>    	enable = no
>    	override_cert_url = yes
>    	url = "http://127.0.0.1/ocsp/"
>    	use_nonce = yes
>    	timeout = 0
>    	softfail = yes
>    }
>   }
>   # Linked to sub-module rlm_eap_ttls
>   ttls {
>   	tls = "tls-common"
>   	default_eap_type = "md5"
>   	copy_request_to_tunnel = yes
>   	use_tunneled_reply = yes
>   	virtual_server = "inner-tunnel"
>   	include_length = yes
>   	require_client_cert = no
>   }
>Using cached TLS configuration from previous invocation
>   # Linked to sub-module rlm_eap_peap
>   peap {
>   	tls = "tls-common"
>   	default_method = "mschapv2"
>   	copy_request_to_tunnel = yes
>   	use_tunneled_reply = yes
>   	proxy_tunneled_request_as_eap = yes
>   	virtual_server = "inner-tunnel"
>   	soh = no
>   	require_client_cert = no
>   }
>Using cached TLS configuration from previous invocation
>   # Linked to sub-module rlm_eap_mschapv2
>   mschapv2 {
>   	with_ntdomain_hack = no
>   	send_error = no
>   }
>  # Loaded module rlm_preprocess
>  # Instantiating module "preprocess" from
>file /etc/freeradius/mods-enabled/preprocess
>  preprocess {
>  	huntgroups = "/etc/freeradius/mods-config/preprocess/huntgroups"
>  	hints = "/etc/freeradius/mods-config/preprocess/hints"
>  	with_ascend_hack = no
>  	ascend_channels_per_line = 23
>  	with_ntdomain_hack = no
>  	with_specialix_jetstream_hack = no
>  	with_cisco_vsa_hack = no
>  	with_alvarion_vsa_hack = no
>  }
>reading pairlist file /etc/freeradius/mods-config/preprocess/huntgroups
>reading pairlist file /etc/freeradius/mods-config/preprocess/hints
>  # Loaded module rlm_expiration
>  # Instantiating module "expiration" from
>file /etc/freeradius/mods-enabled/expiration
>  # Loaded module rlm_replicate
>  # Instantiating module "replicate" from
>file /etc/freeradius/mods-enabled/replicate
>  # Loaded module rlm_radutmp
>  # Instantiating module "sradutmp" from
>file /etc/freeradius/mods-enabled/sradutmp
>  radutmp sradutmp {
>  	filename = "/var/log/freeradius/sradutmp"
>  	username = "%{User-Name}"
>  	case_sensitive = yes
>  	check_with_nas = yes
>  	permissions = 420
>  	caller_id = no
>  }
>  # Loaded module rlm_detail
>  # Instantiating module "auth_log" from
>file /etc/freeradius/mods-enabled/detail.log
>  detail auth_log {
>  	filename =
>"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6
>-Address}}/auth-detail-%Y%m%d"
>  	header = "%t"
>  	permissions = 384
>  	dir_permissions = 493
>  	locking = no
>  	log_packet_header = no
>  }
>rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
>detail output
>  # Instantiating module "reply_log" from
>file /etc/freeradius/mods-enabled/detail.log
>  detail reply_log {
>  	filename =
>"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6
>-Address}}/reply-detail-%Y%m%d"
>  	header = "%t"
>  	permissions = 384
>  	dir_permissions = 493
>  	locking = no
>  	log_packet_header = no
>  }
>  # Instantiating module "pre_proxy_log" from
>file /etc/freeradius/mods-enabled/detail.log
>  detail pre_proxy_log {
>  	filename =
>"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6
>-Address}}/pre-proxy-detail-%Y%m%d"
>  	header = "%t"
>  	permissions = 384
>  	dir_permissions = 493
>  	locking = no
>  	log_packet_header = no
>  }
>  # Instantiating module "post_proxy_log" from
>file /etc/freeradius/mods-enabled/detail.log
>  detail post_proxy_log {
>  	filename =
>"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6
>-Address}}/post-proxy-detail-%Y%m%d"
>  	header = "%t"
>  	permissions = 384
>  	dir_permissions = 493
>  	locking = no
>  	log_packet_header = no
>  }
>  # Loaded module rlm_exec
>  # Instantiating module "exec" from
>file /etc/freeradius/mods-enabled/exec
>  exec {
>  	wait = no
>  	input_pairs = "request"
>  	shell_escape = yes
>  	timeout = 10
>  }
>  # Loaded module rlm_realm
>  # Instantiating module "IPASS" from
>file /etc/freeradius/mods-enabled/realm
>  realm IPASS {
>  	format = "prefix"
>  	delimiter = "/"
>  	ignore_default = no
>  	ignore_null = no
>  }
>  # Instantiating module "suffix" from
>file /etc/freeradius/mods-enabled/realm
>  realm suffix {
>  	format = "suffix"
>  	delimiter = "@"
>  	ignore_default = no
>  	ignore_null = no
>  }
>  # Instantiating module "realmpercent" from
>file /etc/freeradius/mods-enabled/realm
>  realm realmpercent {
>  	format = "suffix"
>  	delimiter = "%"
>  	ignore_default = no
>  	ignore_null = no
>  }
>  # Instantiating module "ntdomain" from
>file /etc/freeradius/mods-enabled/realm
>  realm ntdomain {
>  	format = "prefix"
>  	delimiter = "\"
>  	ignore_default = no
>  	ignore_null = no
>  }
>  # Instantiating module "ntlm_auth" from
>file /etc/freeradius/mods-enabled/ntlm_auth
>  exec ntlm_auth {
>  	wait = yes
>  	program = "/usr/bin/ntlm_auth --request-nt-key --domain=our.domain
>--username=%{mschap:User-Name} --password=%{User-Password}"
>  	shell_escape = yes
>  }
>  # Loaded module rlm_logintime
>  # Instantiating module "logintime" from
>file /etc/freeradius/mods-enabled/logintime
>  logintime {
>  	minimum_timeout = 60
>  }
>  # Loaded module rlm_attr_filter
>  # Instantiating module "attr_filter.post-proxy" from
>file /etc/freeradius/mods-enabled/attr_filter
>  attr_filter attr_filter.post-proxy {
>  	filename = "/etc/freeradius/mods-config/attr_filter/post-proxy"
>  	key = "%{Realm}"
>  	relaxed = no
>  }
>reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy
>  # Instantiating module "attr_filter.pre-proxy" from
>file /etc/freeradius/mods-enabled/attr_filter
>  attr_filter attr_filter.pre-proxy {
>  	filename = "/etc/freeradius/mods-config/attr_filter/pre-proxy"
>  	key = "%{Realm}"
>  	relaxed = no
>  }
>reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy
>  # Instantiating module "attr_filter.access_reject" from
>file /etc/freeradius/mods-enabled/attr_filter
>  attr_filter attr_filter.access_reject {
>  	filename = "/etc/freeradius/mods-config/attr_filter/access_reject"
>  	key = "%{User-Name}"
>  	relaxed = no
>  }
>reading pairlist
>file /etc/freeradius/mods-config/attr_filter/access_reject
>  # Instantiating module "attr_filter.access_challenge" from
>file /etc/freeradius/mods-enabled/attr_filter
>  attr_filter attr_filter.access_challenge {
>  	filename = "/etc/freeradius/mods-config/attr_filter/access_challenge"
>  	key = "%{User-Name}"
>  	relaxed = no
>  }
>reading pairlist
>file /etc/freeradius/mods-config/attr_filter/access_challenge
>  # Instantiating module "attr_filter.accounting_response" from
>file /etc/freeradius/mods-enabled/attr_filter
>  attr_filter attr_filter.accounting_response {
>  	filename =
>"/etc/freeradius/mods-config/attr_filter/accounting_response"
>  	key = "%{User-Name}"
>  	relaxed = no
>  }
>reading pairlist
>file /etc/freeradius/mods-config/attr_filter/accounting_response
>  # Loaded module rlm_files
>  # Instantiating module "files" from
>file /etc/freeradius/mods-enabled/files
>  files {
>  	filename = "/etc/freeradius/mods-config/files/authorize"
>  	usersfile = "/etc/freeradius/mods-config/files/authorize"
>  	acctusersfile = "/etc/freeradius/mods-config/files/accounting"
>  	preproxy_usersfile = "/etc/freeradius/mods-config/files/pre-proxy"
>  	compat = "no"
>  }
>reading pairlist file /etc/freeradius/mods-config/files/authorize
>reading pairlist file /etc/freeradius/mods-config/files/authorize
>reading pairlist file /etc/freeradius/mods-config/files/accounting
>reading pairlist file /etc/freeradius/mods-config/files/pre-proxy
>  # Instantiating module "radutmp" from
>file /etc/freeradius/mods-enabled/radutmp
>  radutmp {
>  	filename = "/var/log/freeradius/radutmp"
>  	username = "%{User-Name}"
>  	case_sensitive = yes
>  	check_with_nas = yes
>  	permissions = 384
>  	caller_id = yes
>  }
>  # Loaded module rlm_mschap
>  # Instantiating module "mschap" from
>file /etc/freeradius/mods-enabled/mschap
>  mschap {
>  	use_mppe = yes
>  	require_encryption = no
>  	require_strong = no
>  	with_ntdomain_hack = yes
>  	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=
>%{%{Stripped-User-Name}:-%{%{mschap:User-Name}:-None}} --domain=
>%{%{mschap:NT-Domain}:-our.domain} --challenge=
>%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
>  	ntlm_auth_timeout = 10
>   passchange {
>   }
>  	allow_retry = yes
>  }
>  # Loaded module rlm_cache
>  # Instantiating module "cache_eap" from
>file /etc/freeradius/mods-enabled/cache_eap
>  cache cache_eap {
>  	key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
>  	ttl = 15
>  	max_entries = 16384
>  	epoch = 0
>  	add_stats = no
>  }
>  # Loaded module rlm_always
>  # Instantiating module "reject" from
>file /etc/freeradius/mods-enabled/always
>  always reject {
>  	rcode = "reject"
>  	simulcount = 0
>  	mpp = no
>  }
>  # Instantiating module "fail" from
>file /etc/freeradius/mods-enabled/always
>  always fail {
>  	rcode = "fail"
>  	simulcount = 0
>  	mpp = no
>  }
>  # Instantiating module "ok" from
>file /etc/freeradius/mods-enabled/always
>  always ok {
>  	rcode = "ok"
>  	simulcount = 0
>  	mpp = no
>  }
>  # Instantiating module "handled" from
>file /etc/freeradius/mods-enabled/always
>  always handled {
>  	rcode = "handled"
>  	simulcount = 0
>  	mpp = no
>  }
>  # Instantiating module "invalid" from
>file /etc/freeradius/mods-enabled/always
>  always invalid {
>  	rcode = "invalid"
>  	simulcount = 0
>  	mpp = no
>  }
>  # Instantiating module "userlock" from
>file /etc/freeradius/mods-enabled/always
>  always userlock {
>  	rcode = "userlock"
>  	simulcount = 0
>  	mpp = no
>  }
>  # Instantiating module "notfound" from
>file /etc/freeradius/mods-enabled/always
>  always notfound {
>  	rcode = "notfound"
>  	simulcount = 0
>  	mpp = no
>  }
>  # Instantiating module "noop" from
>file /etc/freeradius/mods-enabled/always
>  always noop {
>  	rcode = "noop"
>  	simulcount = 0
>  	mpp = no
>  }
>  # Instantiating module "updated" from
>file /etc/freeradius/mods-enabled/always
>  always updated {
>  	rcode = "updated"
>  	simulcount = 0
>  	mpp = no
>  }
>  # Loaded module rlm_chap
>  # Instantiating module "chap" from
>file /etc/freeradius/mods-enabled/chap
>  # Loaded module rlm_unpack
>  # Instantiating module "unpack" from
>file /etc/freeradius/mods-enabled/unpack
>  # Loaded module rlm_ldap
>  # Instantiating module "ldap" from
>file /etc/freeradius/mods-enabled/ldap
>  ldap {
>  	server = "server.our.domain"
>  	port = 636
>  	password = <<< secret >>>
>  	identity = "ACCOUNT"
>   user {
>   	filter = "(cn=%{%{mschap:User-Name}:-%{User-Name}})"
>   	scope = "sub"
>   	base_dn = "dc=our,dc=domain"
>   	access_positive = yes
>   }
>   group {
>   	filter = "(objectClass=posixGroup)"
>   	scope = "sub"
>   	base_dn = "dc=our,dc=domain"
>   	name_attribute = "cn"
>   	membership_attribute = "memberOf"
>   	membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=
>%{%{mschap:User-Name}:-%{User-Name}}))"
>   	cacheable_name = no
>   	cacheable_dn = no
>   }
>   client {
>   	filter = "(objectClass=frClient)"
>   	scope = "sub"
>   	base_dn = "dc=our,dc=domain"
>    attribute {
>    	identifier = "radiusClientIdentifier"
>    	shortname = "cn"
>    	secret = "radiusClientSecret"
>    }
>   }
>   profile {
>   	filter = "(&)"
>   }
>   options {
>   	ldap_debug = 40
>   	chase_referrals = yes
>   	rebind = yes
>   	net_timeout = 1
>   	res_timeout = 20
>   	srv_timelimit = 20
>   	idle = 60
>   	probes = 3
>   	interval = 3
>   }
>   tls {
>   	start_tls = no
>   }
>  }
>   accounting {
>   	reference = "%{tolower:type.%{Acct-Status-Type}}"
>   }
>   post-auth {
>   	reference = "."
>   }
>rlm_ldap (ldap): Initialising connection pool
>   pool {
>   	start = 5
>   	min = 4
>   	max = 32
>   	spare = 3
>   	uses = 0
>   	lifetime = 0
>   	cleanup_interval = 30
>   	idle_timeout = 60
>   	retry_delay = 1
>   	spread = no
>   }
>rlm_ldap (ldap): Opening additional connection (0)
>rlm_ldap (ldap): Connecting to server.our.domain:636
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Bind successful
>rlm_ldap (ldap): Opening additional connection (1)
>rlm_ldap (ldap): Connecting to server.our.domain:636
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Bind successful
>rlm_ldap (ldap): Opening additional connection (2)
>rlm_ldap (ldap): Connecting to server.our.domain:636
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Bind successful
>rlm_ldap (ldap): Opening additional connection (3)
>rlm_ldap (ldap): Connecting to server.our.domain:636
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Bind successful
>rlm_ldap (ldap): Opening additional connection (4)
>rlm_ldap (ldap): Connecting to server.our.domain:636
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Bind successful
>  # Instantiating module "detail" from
>file /etc/freeradius/mods-enabled/detail
>  detail {
>  	filename =
>"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6
>-Address}}/detail-%Y%m%d"
>  	header = "%t"
>  	permissions = 384
>  	dir_permissions = 493
>  	locking = no
>  	log_packet_header = no
>  }
>  # Instantiating module "echo" from
>file /etc/freeradius/mods-enabled/echo
>  exec echo {
>  	wait = yes
>  	program = "/bin/echo %{User-Name}"
>  	input_pairs = "request"
>  	output_pairs = "reply"
>  	shell_escape = yes
>  }
>  # Loaded module rlm_linelog
>  # Instantiating module "linelog" from
>file /etc/freeradius/mods-enabled/linelog
>  linelog {
>  	filename = "/var/log/freeradius/linelog"
>  	permissions = 384
>  	format = "This is a log message for %{User-Name}"
>  	reference = "%{%{Packet-Type}:-format}"
>  }
>  # Loaded module rlm_dynamic_clients
>  # Instantiating module "dynamic_clients" from
>file /etc/freeradius/mods-enabled/dynamic_clients
>  # Loaded module rlm_utf8
>  # Instantiating module "utf8" from
>file /etc/freeradius/mods-enabled/utf8
> } # modules
>radiusd: #### Loading Virtual Servers ####
>server { # from file /etc/freeradius/radiusd.conf
>} # server
>server wifi { # from file /etc/freeradius/sites-enabled/wifi
> # Loading authenticate {...}
> # Loading authorize {...}
> # Loading preacct {...}
> # Loading accounting {...}
> # Loading post-proxy {...}
> # Loading post-auth {...}
>} # server wifi
>server inner-tunnel { # from
>file /etc/freeradius/sites-enabled/inner-tunnel
> # Creating Auth-Type = LDAP
> # Loading authenticate {...}
> # Loading authorize {...}
> # Loading session {...}
> # Loading post-proxy {...}
> # Loading post-auth {...}
>} # server inner-tunnel
>server default { # from file /etc/freeradius/sites-enabled/default
> # Loading authenticate {...}
> # Loading authorize {...}
> # Loading preacct {...}
> # Loading accounting {...}
> # Loading post-proxy {...}
> # Loading post-auth {...}
>} # server default
>radiusd: #### Opening IP addresses and Ports ####
>listen {
>  	type = "auth"
>  	ipaddr = *
>  	port = 1912
>   limit {
>   	max_connections = 26
>   	lifetime = 0
>   	idle_timeout = 30
>   }
>}
>listen {
>  	type = "acct"
>  	ipaddr = *
>  	port = 0
>   limit {
>   	max_connections = 16
>   	lifetime = 0
>   	idle_timeout = 30
>   }
>}
>listen {
>  	type = "auth"
>  	ipaddr = 127.0.0.1
>  	port = 18120
>}
>listen {
>  	type = "auth"
>  	ipaddr = *
>  	port = 1812
>   limit {
>   	max_connections = 26
>   	lifetime = 0
>   	idle_timeout = 30
>   }
>}
>listen {
>  	type = "acct"
>  	ipaddr = *
>  	port = 0
>   limit {
>   	max_connections = 16
>   	lifetime = 0
>   	idle_timeout = 30
>   }
>}
>Listening on auth address * port 1912 as server wifi
>Listening on acct address * port 1813 as server wifi
>Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
>Listening on auth address * port 1812 as server default
>Listening on acct address * port 1813 as server default
>Opening new proxy socket 'proxy address * port 0'
>Listening on proxy address * port 33306
>Ready to process requests.
>rad_recv: Access-Request packet from host WIFI-CONTROLLER-IP port 1034,
>id=39, length=174
>	User-Name = 'DOMAIN\\sexample5555'
>	NAS-Port = 0
>	Called-Station-Id = '00-19-92-04-7E-81:Test2'
>	Calling-Station-Id = '00-26-5E-31-33-3B'
>	Framed-MTU = 1400
>	Attr-26 = 0x000026ef030302
>	NAS-Port-Type = Wireless-802.11
>	Connect-Info = 'CONNECT 0Mbps 802.11'
>	EAP-Message = 0x025c0016014b5643435c736578616d706c6535353535
>	Message-Authenticator = 0x8c275779e337acf4e7eaccbf78cad923
>(0) # Executing section authorize from
>file /etc/freeradius/sites-enabled/wifi
>(0)   authorize {
>(0)    if (Called-Station-Id
>=~ 
>/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?(
>[0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)
>(0)    if (Called-Station-Id
>=~ 
>/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?(
>[0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE
>(0)   if (Called-Station-Id
>=~ 
>/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?(
>[0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {
>(0)    update request {
>(0) EXPAND %{7}
>(0)    --> Test2
>(0) 	Called-Station-SSID := "Test2"
>(0)    } # update request = noop
>(0)   } # if (Called-Station-Id
>=~ 
>/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?(
>[0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) = noop
>(0)    if ((Called-Station-SSID == "Test2") && (LDAP-Group ==
>"students")) 
>(0) Searching for user in group "students"
>rlm_ldap (ldap): Reserved connection (4)
>(0) EXPAND (cn=%{%{mschap:User-Name}:-%{User-Name}})
>(0)    --> (cn=sexample5555)
>(0) EXPAND dc=our,dc=domain
>(0)    --> dc=our,dc=domain
>(0) Performing search in 'dc=our,dc=domain' with filter
>'(cn=sexample5555)', scope 'sub'
>(0) Waiting for search result...
>rlm_ldap (ldap): Rebinding to URL
>ldaps://ForestDnsZones.our.domain/DC=ForestDnsZones,DC=our,DC=domain
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Rebinding to URL
>ldaps://domainainDnsZones.our.domain/DC=DomainDnsZones,DC=our,DC=domain
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Rebinding to URL
>ldaps://our.domain/CN=Configuration,DC=our,DC=domain
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Bind successful
>rlm_ldap (ldap): Bind successful
>rlm_ldap (ldap): Bind successful
>User object found at DN
>"CN=sexample5555,OU=OUR-OU,OU=OUR-OU,OU=OUR-OU,OU=people,DC=our,DC=domain"
>(0) Checking for user in group objects
>(0) EXPAND (&(cn=students)(objectClass=posixGroup)(|(member=
>%{control:Ldap-UserDn})(memberUid=
>%{%{mschap:User-Name}:-%{User-Name}})))
>(0)    --> (&(cn=students)(objectClass=posixGroup)(|(member=CN
>\3dsexample5555\2cOU\3dse_students\2cOU\3dS_students\2cOU\3dstudents
>\2cOU\3dpeople\2cDC\3dour\2cDC\3ddom)(memberUid=sexample5555)))
>(0) EXPAND dc=our,dc=domain
>(0)    --> dc=our,dc=domain
>(0) Waiting for bind result...
>(0) Bind successful
>(0) Performing search in 'dc=our,dc=domain' with filter
>'(&(cn=students)(objectClass=posixGroup)(|(member=CN\3dsexample5555\2cOU
>\3dse_students\2cOU\3dS_students\2cOU\3dstudents\2cOU\3dpeople\2cDC
>\3dour\2cDC\3ddom)(memberUid=sexample5555)))', scope 'sub'
>(0) Waiting for search result...
>rlm_ldap (ldap): Rebinding to URL
>ldaps://ForestDnsZones.our.domain/DC=ForestDnsZones,DC=our,DC=domain
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Rebinding to URL
>ldaps://DomainDnsZones.our.domain/DC=DomainDnsZones,DC=our,DC=domain
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Rebinding to URL
>ldaps://our.dom/CN=Configuration,DC=our,DC=domain
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Bind successful
>rlm_ldap (ldap): Bind successful
>rlm_ldap (ldap): Bind successful
>(0) Search returned no results
>(0) Search returned not found
>(0) Checking user object membership (memberOf) attributes
>(0) Waiting for bind result...
>(0) Bind successful
>(0) Performing unfiltered search in
>'CN=sexample5555,OU=se_students,OU=S_students,OU=students,OU=people,DC=our
>,DC=domain', scope 'base'
>(0) Waiting for search result...
>(0) Processing group membership value
>"CN=GROUP1,OU=_Section-Groups,OU=students,OU=people,DC=our,DC=domain"
>(0) Converting group DN to group Name
>(0) Performing unfiltered search in
>'CN=GROUP1,OU=_Section-Groups,OU=students,OU=people,DC=our,DC=domain',
>scope 'base'
>(0) Waiting for search result...
>(0) Group name is "GROUP1"
>(0) Processing group membership value
>"CN=GROUP2,OU=groups,DC=our,DC=domain"
>(0) Converting group DN to group Name
>(0) Performing unfiltered search in
>'CN=GROUP2,OU=groups,DC=our,DC=domain', scope 'base'
>(0) Waiting for search result...
>(0) Group name is "GROUP2"
>(0) Processing group membership value
>"CN=SE_students,OU=se_students,OU=S_students,OU=students,OU=people,DC=our,
>DC=domain"
>(0) Converting group DN to group Name
>(0) Performing unfiltered search in
>'CN=SE_students,OU=se_students,OU=S_students,OU=students,OU=people,DC=our,
>DC=domain', scope 'base'
>(0) Waiting for search result...
>(0) Group name is "SE_students"
>(0) Processing group membership value
>"CN=GROUP4,OU=_Dept-Groups,OU=students,OU=people,DC=our,DC=domain"
>(0) Converting group DN to group Name
>(0) Performing unfiltered search in
>'CN=GROUP4,OU=_Dept-Groups,OU=students,OU=people,DC=our,DC=domain',
>scope 'base'
>(0) Waiting for search result...
>(0) Group name is "GROUP4"
>(0) Processing group membership value
>"CN=GROUP5,OU=staff,OU=people,DC=our,DC=domain"
>(0) Converting group DN to group Name
>(0) Performing unfiltered search in
>'CN=GROUP5,OU=staff,OU=people,DC=our,DC=domain', scope 'base'
>(0) Waiting for search result...
>(0) Group name is "GROUP5"
>rlm_ (ldap): Deleting connection (4)
>(0) User is not a member of specified group
>(0)    if ((Called-Station-SSID == "Test2") && (LDAP-Group ==
>"students"))  -> FALSE
>(0)   else else {
>(0)    [reject] = reject
>(0)   } # else else = reject
>(0)  } #  authorize = reject
>(0) Using Post-Auth-Type Reject
>(0) # Executing group from file /etc/freeradius/sites-enabled/wifi
>(0)  Post-Auth-Type REJECT {
>(0) attr_filter.access_reject : EXPAND %{User-Name}
>(0) attr_filter.access_reject :    --> DOMAIN\sexample5555
>(0) attr_filter.access_reject : Matched entry DEFAULT at line 11
>(0)   [attr_filter.access_reject] = updated
>(0) eap : Request was previously rejected, inserting EAP-Failure
>(0)   [eap] = updated
>(0)   remove_reply_message_if_eap remove_reply_message_if_eap {
>(0)     if (reply:EAP-Message && reply:Reply-Message)
>(0)     if (reply:EAP-Message && reply:Reply-Message)  -> FALSE
>(0)    else else {
>(0)     [noop] = noop
>(0)    } # else else = noop
>(0)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
>(0)  } # Post-Auth-Type REJECT = updated
>(0) Delaying reject of request 0 for 1 seconds
>Waking up in 0.2 seconds.
>Waking up in 0.7 seconds.
>(0) Sending delayed reject
>Sending Access-Reject of id 39 from Radius-Server port 1912 to
>WIFI-CONTROLLER-IP port 1034
>	EAP-Message = 0x045c0004
>	Message-Authenticator = 0x00000000000000000000000000000000
>Waking up in 3.9 seconds.
>rad_recv: Access-Request packet from host WIFI-CONTROLLER-IP port 1034,
>id=40, length=174
>	User-Name = 'our\\sexample5555'
>	NAS-Port = 0
>	Called-Station-Id = '00-19-92-04-7E-81:Test2'
>	Calling-Station-Id = '00-26-5E-31-33-3B'
>	Framed-MTU = 1400
>	Attr-26 = 0x000026ef030302
>	NAS-Port-Type = Wireless-802.11
>	Connect-Info = 'CONNECT 0Mbps 802.11'
>	EAP-Message = 0x02b00016014b5643435c736578616d706c6535353535
>	Message-Authenticator = 0xfc98b83654758f9d0071ba123c21ca2e
>(1) # Executing section authorize from
>file /etc/freeradius/sites-enabled/wifi
>(1)   authorize {
>(1)    if (Called-Station-Id
>=~ 
>/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?(
>[0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)
>(1)    if (Called-Station-Id
>=~ 
>/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?(
>[0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE
>(1)   if (Called-Station-Id
>=~ 
>/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?(
>[0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {
>(1)    update request {
>(1) EXPAND %{7}
>(1)    --> Test2
>(1) 	Called-Station-SSID := "Test2"
>(1)    } # update request = noop
>(1)   } # if (Called-Station-Id
>=~ 
>/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?(
>[0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) = noop
>(1)    if ((Called-Station-SSID == "Test2") && (LDAP-Group ==
>"students")) 
>(1) Searching for user in group "students"
>rlm_ldap (ldap): Reserved connection (3)
>(1) EXPAND (cn=%{%{mschap:User-Name}:-%{User-Name}})
>(1)    --> (cn=sexample5555)
>(1) EXPAND dc=our,dc=domain
>(1)    --> dc=our,dc=domain
>(1) Performing search in 'dc=our,dc=domain' with filter
>'(cn=sexample5555)', scope 'sub'
>(1) Waiting for search result...
>rlm_ldap (ldap): Rebinding to URL
>ldaps://ForestDnsZones.our.domain/DC=ForestDnsZones,DC=our,DC=domain
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Rebinding to URL
>ldaps://DomainDnsZones.our.domain/DC=DomainDnsZones,DC=our,DC=domain
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Rebinding to URL
>ldaps://our.domain/CN=Configuration,DC=our,DC=domain
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Bind successful
>rlm_ldap (ldap): Bind successful
>rlm_ldap (ldap): Bind successful
>(1) User object found at DN
>"CN=sexample5555,OU=OUR-OU,OU=OUR-OU,OU=OUR-OU,OU=people,DC=our,DC=domain"
>(1) Checking for user in group objects
>(1) EXPAND (&(cn=students)(objectClass=posixGroup)(|(member=
>%{control:Ldap-UserDn})(memberUid=
>%{%{mschap:User-Name}:-%{User-Name}})))
>(1)    --> (&(cn=students)(objectClass=posixGroup)(|(member=CN
>\3dsexample5555\2cOU\3dse_students\2cOU\3dS_students\2cOU\3dstudents
>\2cOU\3dpeople\2cDC\3dour\2cDC\3ddom)(memberUid=sexample5555)))
>(1) EXPAND dc=our,dc=domain
>(1)    --> dc=our,dc=domain
>(1) Waiting for bind result...
>(1) Bind successful
>(1) Performing search in 'dc=our,dc=domain' with filter
>'(&(cn=students)(objectClass=posixGroup)(|(member=CN\3dsexample5555\2cOU
>\3dse_students\2cOU\3dS_students\2cOU\3dstudents\2cOU\3dpeople\2cDC
>\3dour\2cDC\3ddom)(memberUid=sexample5555)))', scope 'sub'
>(1) Waiting for search result...
>rlm_ldap (ldap): Rebinding to URL
>ldaps://ForestDnsZones.our.domain/DC=ForestDnsZones,DC=our,DC=domain
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Rebinding to URL
>ldaps://DomainDnsZones.our.domain/DC=DomainDnsZones,DC=our,DC=domain
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Rebinding to URL
>ldaps://our.domain/CN=Configuration,DC=our,DC=domain
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Bind successful
>rlm_ldap (ldap): Bind successful
>rlm_ldap (ldap): Bind successful
>(1) Search returned no results
>(1) Search returned not found
>(1) Checking user object membership (memberOf) attributes
>(1) Waiting for bind result...
>(1) Bind successful
>(1) Performing unfiltered search in
>'CN=sexample5555,OU=se_students,OU=S_students,OU=students,OU=people,DC=our
>,DC=domain', scope 'base'
>(1) Waiting for search result...
>(1) Processing group membership value
>"CN=GROUP1,OU=_Section-Groups,OU=students,OU=people,DC=our,DC=domain"
>(1) Converting group DN to group Name
>(1) Performing unfiltered search in
>'CN=GROUP1,OU=_Section-Groups,OU=students,OU=people,DC=our,DC=domain',
>scope 'base'
>(1) Waiting for search result...
>(1) Group name is "GROUP1"
>(1) Processing group membership value
>"CN=GROUP2,OU=groups,DC=our,DC=domain"
>(1) Converting group DN to group Name
>(1) Performing unfiltered search in
>'CN=GROUP2,OU=groups,DC=our,DC=domain', scope 'base'
>(1) Waiting for search result...
>(1) Group name is "GROUP2"
>(1) Processing group membership value
>"CN=SE_students,OU=se_students,OU=S_students,OU=students,OU=people,DC=our,
>DC=domain"
>(1) Converting group DN to group Name
>(1) Performing unfiltered search in
>'CN=SE_students,OU=se_students,OU=S_students,OU=students,OU=people,DC=our,
>DC=domain', scope 'base'
>(1) Waiting for search result...
>(1) Group name is "SE_students"
>(1) Processing group membership value
>"CN=GROUP4,OU=_Dept-Groups,OU=students,OU=people,DC=our,DC=domain"
>(1) Converting group DN to group Name
>(1) Performing unfiltered search in
>'CN=GROUP4,OU=_Dept-Groups,OU=students,OU=people,DC=our,DC=domain',
>scope 'base'
>(1) Waiting for search result...
>(1) Group name is "GROUP4"
>(1) Processing group membership value
>"CN=GROUP5,OU=staff,OU=people,DC=our,DC=domain"
>(1) Converting group DN to group Name
>(1) Performing unfiltered search in
>'CN=GROUP5,OU=staff,OU=people,DC=our,DC=domain', scope 'base'
>(1) Waiting for search result...
>(1) Group name is "GROUP5"
>rlm_ldap (ldap): Deleting connection (3)
>(1) User is not a member of specified group
>(1)    if ((Called-Station-SSID == "Test2") && (LDAP-Group ==
>"students"))  -> FALSE
>(1)   else else {
>(1)    [reject] = reject
>(1)   } # else else = reject
>(1)  } #  authorize = reject
>(1) Using Post-Auth-Type Reject
>(1) # Executing group from file /etc/freeradius/sites-enabled/wifi
>(1)  Post-Auth-Type REJECT {
>(1) attr_filter.access_reject : EXPAND %{User-Name}
>(1) attr_filter.access_reject :    --> DOMAIN\sexample5555
>(1) attr_filter.access_reject : Matched entry DEFAULT at line 11
>(1)   [attr_filter.access_reject] = updated
>(1) eap : Request was previously rejected, inserting EAP-Failure
>(1)   [eap] = updated
>(1)   remove_reply_message_if_eap remove_reply_message_if_eap {
>(1)     if (reply:EAP-Message && reply:Reply-Message) 
>(1)     if (reply:EAP-Message && reply:Reply-Message)  -> FALSE
>(1)    else else {
>(1)     [noop] = noop
>(1)    } # else else = noop
>(1)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
>(1)  } # Post-Auth-Type REJECT = updated
>(1) Delaying reject of request 1 for 1 seconds
>Waking up in 0.2 seconds.
>Waking up in 0.7 seconds.
>(1) Sending delayed reject
>Sending Access-Reject of id 40 from SERVER-IP port 1912 to
>WIFI-CONTROLLER-IP port 1034
>	EAP-Message = 0x04b00004
>	Message-Authenticator = 0x00000000000000000000000000000000
>Waking up in 1.3 seconds.
>(0) Cleaning up request packet ID 39 with timestamp +6
>Waking up in 2.6 seconds.
>
>
>
>
>Thanks!
>-Josh
>
>-
>List info/subscribe/unsubscribe? See 
>http://www.freeradius.org/list/users.html
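The trace above shows the two checks rlm_ldap runs for `LDAP-Group == "students"`: a group-object search with the expanded `(&(cn=students)...(member=...))` filter, then a walk over the user's own memberOf values, each converted to a name. Both stop one level deep, so SE_students is seen but its parents are not. The following is an added example, not code from this thread or from FreeRADIUS: a small Python model with a constructed memberOf table built in the shape of Josh's hierarchy (the S_students and students group DNs are assumptions; the user, SE_students and GROUP1 DNs are copied from the trace). It shows the direct check returning false for "students" while a transitive walk returns true, guards against group cycles (which AD permits), and builds the filter with the matching rule from Peter's reply, escaped per RFC 4515. Name comparison is exact-match here, a simplification of whatever the real module does.

```python
"""Model of the rlm_ldap group check seen in the trace vs. a transitive (nested) check.

Added example, not FreeRADIUS code. The directory content below is constructed to
match the shape of the hierarchy described in the thread.
"""
from __future__ import annotations

PEOPLE = "OU=people,DC=our,DC=domain"          # suffix taken from the trace
STUDENTS_OU = f"OU=se_students,OU=S_students,OU=students,{PEOPLE}"

USER_DN = f"CN=sexample5555,{STUDENTS_OU}"                          # from the trace
SE_STUDENTS = f"CN=SE_students,{STUDENTS_OU}"                       # from the trace
GROUP1 = f"CN=GROUP1,OU=_Section-Groups,OU=students,{PEOPLE}"       # from the trace
S_STUDENTS = f"CN=S_students,OU=S_students,OU=students,{PEOPLE}"    # constructed DN
STUDENTS = f"CN=students,OU=students,{PEOPLE}"                      # constructed DN

# Constructed memberOf table: entry DN -> group DNs it is a *direct* member of.
MEMBER_OF = {
    USER_DN: [GROUP1, SE_STUDENTS],
    SE_STUDENTS: [S_STUDENTS],
    S_STUDENTS: [STUDENTS],
    STUDENTS: [],
    GROUP1: [],
}


def group_name(dn: str) -> str:
    """The trace's 'Converting group DN to group Name' step: value of the first RDN."""
    first_rdn = dn.split(",", 1)[0]
    return first_rdn.partition("=")[2]


def direct_groups(user_dn: str) -> set[str]:
    """What the memberOf walk in the trace sees: only the user's own memberOf values."""
    return {group_name(dn) for dn in MEMBER_OF.get(user_dn, [])}


def transitive_groups(user_dn: str) -> set[str]:
    """Follow memberOf through parent groups.

    The seen-set stops the walk on group cycles, which AD allows.
    """
    seen: set[str] = set()
    stack = list(MEMBER_OF.get(user_dn, []))
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        stack.extend(MEMBER_OF.get(dn, []))
    return {group_name(dn) for dn in seen}


def ldap_group_check(user_dn: str, group: str, recursive: bool = False) -> bool:
    """LDAP-Group == group. Exact name match; real comparison semantics are simplified."""
    groups = transitive_groups(user_dn) if recursive else direct_groups(user_dn)
    return group in groups


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append(f"\\{ord(ch):02x}")
        else:
            out.append(ch)
    return "".join(out)


def in_chain_filter(user_dn: str) -> str:
    """AD-only filter asking the server to resolve nested membership itself
    (LDAP_MATCHING_RULE_IN_CHAIN, the OID used in Peter's reply)."""
    return f"(member:1.2.840.113556.1.4.1941:={ldap_filter_escape(user_dn)})"


if __name__ == "__main__":
    for name in ("SE_students", "students"):
        print(f"direct    {name}: {ldap_group_check(USER_DN, name)}")
        print(f"recursive {name}: {ldap_group_check(USER_DN, name, recursive=True)}")
    print(in_chain_filter(USER_DN))
```

The point of `in_chain_filter` is that the recursion happens on the domain controller rather than in the RADIUS server: one search with that filter against the group's DN answers "is this user a member at any depth", which is what the per-level memberOf walk in the trace cannot do.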


