OpenLDAP Group membership to Filter-ID

Stefan Paetow Stefan.Paetow at ja.net
Wed Aug 13 20:38:13 CEST 2014


Ok… 

If you are not using "scope='sub'" in the ldap module (a full output from 'freeradius -X' is specifically requested for the reason that we can see the complete config), then yes, the nesting could be the problem. 

Stefan
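As an added illustration, not code from the list or from FreeRADIUS itself, the block below is a small Python model of the two-step check the debug log further down shows rlm_ldap doing: look the user up under the ldap module's basedn with the configured scope, then expand the groupmembership_filter with %{Ldap-UserDn} and test the group DN with it. The directory contents are constructed from the DNs in the thread; the cn=corp-vpn groupOfNames entry, the base scope used for the group step, and the ou_of() helper are assumptions of this example, not anything the thread states.

```python
"""Toy model of rlm_ldap's Ldap-Group check as it appears in the thread's log.

Constructed data only: the DNs mirror the ones posted; the groupOfNames entry
is hypothetical and exists to show what a successful check looks like.  The
filter parser covers only the (attr=value), & and | forms used in the log, and
DN handling ignores escaped commas.
"""

# Constructed in-memory directory: DN -> attributes (attribute names lower-cased).
DIRECTORY = {
    "ou=Users,dc=team,dc=company,dc=com":
        {"objectclass": ["organizationalUnit"], "ou": ["Users"]},
    "ou=corp,ou=Users,dc=team,dc=company,dc=com":
        {"objectclass": ["organizationalUnit"], "ou": ["corp"]},
    "ou=dev,ou=Users,dc=team,dc=company,dc=com":
        {"objectclass": ["organizationalUnit"], "ou": ["dev"]},
    "cn=Joe User,ou=corp,ou=Users,dc=team,dc=company,dc=com":
        {"objectclass": ["inetOrgPerson", "posixAccount", "top"],
         "uid": ["joeuser"], "cn": ["Joe User"]},
    # Hypothetical group object (not in the thread): the shape the
    # groupmembership_filter in the log is actually looking for.
    "cn=corp-vpn,ou=Groups,dc=team,dc=company,dc=com":
        {"objectclass": ["groupOfNames"],
         "member": ["cn=Joe User,ou=corp,ou=Users,dc=team,dc=company,dc=com"]},
}

USER_BASE = "ou=Users,dc=team,dc=company,dc=com"

# The groupmembership_filter exactly as it is expanded in the debug log.
GROUP_FILTER = ("(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
                "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))")


def in_scope(dn, base, scope):
    """True if `dn` lies within `base` for scope 'base', 'one' or 'sub'."""
    dn, base = dn.lower(), base.lower()
    if dn == base:
        return scope in ("base", "sub")
    if scope == "base" or not dn.endswith("," + base):
        return False
    relative = dn[: -len(base) - 1]          # RDNs between the entry and the base
    return scope == "sub" or "," not in relative


def parse_filter(text):
    """Parse the (attr=value) / (&...) / (|...) subset of RFC 4515 into tuples."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            pos += 1                          # closing ')' of the &/| group
            return (op, children)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.lower(), value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters in filter")
    return tree


def matches(tree, entry):
    if tree[0] == "&":
        return all(matches(child, entry) for child in tree[1])
    if tree[0] == "|":
        return any(matches(child, entry) for child in tree[1])
    _, attr, value = tree
    # Case-insensitive equality.  An empty assertion value such as (member=)
    # can never equal a real DN, which is why the log's group search finds nothing.
    return value.lower() in (v.lower() for v in entry.get(attr, []))


def search(base, scope, filter_text):
    tree = parse_filter(filter_text)
    return [dn for dn, entry in DIRECTORY.items()
            if in_scope(dn, base, scope) and matches(tree, entry)]


def ldap_groupcmp(user_name, group_dn, user_scope):
    """Find the user DN, then test the group; returns (user_dn, filter, is_member)."""
    hits = search(USER_BASE, user_scope, f"(uid={user_name})")
    user_dn = hits[0] if hits else ""        # empty, as %{Ldap-UserDn} was in the log
    expanded = GROUP_FILTER.replace("%{Ldap-UserDn}", user_dn)
    # Assumption of this model: the group DN itself is the base of the second search.
    return user_dn, expanded, bool(search(group_dn, "base", expanded))


def ou_of(user_dn):
    """Innermost ou= RDN of a DN ('corp' for Joe User): a container-based alternative."""
    for rdn in user_dn.split(","):
        attr, _, value = rdn.partition("=")
        if attr.strip().lower() == "ou":
            return value.strip()
    return ""


if __name__ == "__main__":
    corp_ou = "ou=corp,ou=Users,dc=team,dc=company,dc=com"
    for scope in ("one", "sub"):
        dn, filt, member = ldap_groupcmp("joeuser", corp_ou, scope)
        print(f"scope={scope}: Ldap-UserDn={dn!r} member={member}\n   filter: {filt}")
    dn, _, member = ldap_groupcmp("joeuser", "cn=corp-vpn,ou=Groups,dc=team,dc=company,dc=com", "sub")
    print("groupOfNames check:", member, "| ou of user:", ou_of(dn))
```

With scope one the user lookup misses the entry nested under ou=corp, Ldap-UserDn stays empty and the filter degenerates to (member=), which matches nothing; that is the same shape as the expansion in the log. With scope sub the user is found, but an OU entry is not a groupOfNames, so an Ldap-Group check against the OU DN still fails; only a real group object carrying a member attribute succeeds. When accounts are sorted by container rather than by group, deriving the container from Ldap-UserDn, as ou_of() does, is the alternative to a group lookup.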

________________________________________
From: freeradius-users-bounces+stefan.paetow=ja.net at lists.freeradius.org [freeradius-users-bounces+stefan.paetow=ja.net at lists.freeradius.org] on behalf of Alex Gregory [alex at c2company.com]
Sent: 13 August 2014 18:38
To: FreeRadius users mailing list
Subject: Re: OpenLDAP Group membership to Filter-ID

Joe User is a part of Corp (which is under Users - could nesting be the problem?):

root at openldap ~# ldapsearch -x -h localhost -p 389 -b "ou=Users,dc=team,dc=company,dc=com" -s sub "cn=joe user"
# extended LDIF
#
# LDAPv3
# base <ou=Users,dc=team,dc=company,dc=com> with scope subtree
# filter: cn=joe user
# requesting: ALL
#

# Joe User, corp, Users, team.company.com
dn: cn=Joe User,ou=corp,ou=Users,dc=team,dc=company,dc=com
givenName: Joe
sn: User
cn: Joe User
uid: joeuser
uidNumber: 1008
gidNumber: 500
homeDirectory: /home/users/joeuser
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Is my entry in the authorize section formatted correctly?

Thanks,

Alex


On Aug 13, 2014, at 2:46 AM, Stefan Paetow <Stefan.Paetow at ja.net> wrote:

> According to the LDAP search, the user is not part of either the Corp or the Dev OUs.
>
> Which one of the two is 'joeuser' part of?
>
> What happens when you try using ldapsearch to search for 'joeuser' in your AD?
>
> Stefan
>
>
> -----Original Message-----
> From: freeradius-users-bounces+stefan.paetow=ja.net at lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=ja.net at lists.freeradius.org] On Behalf Of Alex Gregory
> Sent: 13 August 2014 00:32
> To: FreeRadius users mailing list
> Subject: OpenLDAP Group membership to Filter-ID
>
> Hello-
>
> I would like to make it so that the users in:
>
> ou=corp,ou=Users,dc=team,dc=company,dc=com
>
> Get mapped a Filter-ID of corp and the users in:
>
> ou=dev,ou=Users,dc=team,dc=company,dc=com
>
> Get mapped a Filter-ID of dev.  I can then apply firewall rules to give them access to certain resources and not others.  This will also make it so that if they access the wrong network they should not have the proper access without the correct group membership.
>
> In inner-tunnel I have:
>
> authorize {
>     # Mark users under the corp OU (dc= values as in the log below)
>     if (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/) {
>         update control {
>             Tmp-String-1 := "corp"
>         }
>     }
>     # Mark users under the dev OU
>     if (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/) {
>         update control {
>             Tmp-String-1 := "dev"
>         }
>     }
> }
>
> post-auth {
>     # Copy the marker set in authorize into the reply
>     update reply {
>         Filter-Id := "%{control:Tmp-String-1}"
>     }
> }
>
> I can see in the log that it's not matching, which means I am not matching correctly.  It ends up passing the Filter-ID, which is blank.  So I know the post-auth section is working correctly.
>
> Here is the relevant log info:
>
> Tue Aug 12 22:50:47 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
> Tue Aug 12 22:50:47 2014 : Info: +- entering group authorize {...}
> Tue Aug 12 22:50:47 2014 : Info: ++? if (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/  )
> Tue Aug 12 22:50:47 2014 : Debug:   [ldap] Entering ldap_groupcmp()
> Tue Aug 12 22:50:47 2014 : Info:      expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com
> Tue Aug 12 22:50:47 2014 : Info:      expand: %{Stripped-User-Name} ->
> Tue Aug 12 22:50:47 2014 : Info:      ... expanding second conditional
> Tue Aug 12 22:50:47 2014 : Info:      expand: %{User-Name} -> joeuser
> Tue Aug 12 22:50:47 2014 : Info:      expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=joeuser)
> Tue Aug 12 22:50:47 2014 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
> Tue Aug 12 22:50:47 2014 : Debug:   [ldap] ldap_get_conn: Got Id: 0
> Tue Aug 12 22:50:47 2014 : Debug:   [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=joeuser)
> Tue Aug 12 22:50:47 2014 : Debug:   [ldap] ldap_release_conn: Release Id: 0
> Tue Aug 12 22:50:47 2014 : Info:      expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
> Tue Aug 12 22:50:47 2014 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
> Tue Aug 12 22:50:47 2014 : Debug:   [ldap] ldap_get_conn: Got Id: 0
> Tue Aug 12 22:50:47 2014 : Debug:   [ldap] performing search in ou=corp,ou=Users,dc=team,dc=company,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
> Tue Aug 12 22:50:47 2014 : Debug:   [ldap] object not found
> Tue Aug 12 22:50:47 2014 : Debug:   [ldap] ldap_release_conn: Release Id: 0
> Tue Aug 12 22:50:47 2014 : Debug: rlm_ldap::ldap_groupcmp: Group ou=corp,ou=Users,dc=team,dc=company,dc=com not found or user is not a member.
> Tue Aug 12 22:50:47 2014 : Info: ? Evaluating (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/) -> FALSE
> Tue Aug 12 22:50:47 2014 : Info: ++? if (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/  ) -> FALSE
> Tue Aug 12 22:50:47 2014 : Info: ++? if (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/  )
> Tue Aug 12 22:50:47 2014 : Debug:   [ldap] Entering ldap_groupcmp()
> Tue Aug 12 22:50:47 2014 : Info:      expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com
> Tue Aug 12 22:50:47 2014 : Info:      expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
> Tue Aug 12 22:50:47 2014 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
> Tue Aug 12 22:50:47 2014 : Debug:   [ldap] ldap_get_conn: Got Id: 0
> Tue Aug 12 22:50:47 2014 : Debug:   [ldap] performing search in ou=dev,ou=Users,dc=team,dc=company,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
> Tue Aug 12 22:50:47 2014 : Debug:   [ldap] object not found
> Tue Aug 12 22:50:47 2014 : Debug:   [ldap] ldap_release_conn: Release Id: 0
> Tue Aug 12 22:50:47 2014 : Debug: rlm_ldap::ldap_groupcmp: Group ou=dev,ou=Users,dc=team,dc=company,dc=com not found or user is not a member.
> Tue Aug 12 22:50:47 2014 : Info: ? Evaluating (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/) -> FALSE
> Tue Aug 12 22:50:47 2014 : Info: ++? if (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/  ) -> FALSE
> Tue Aug 12 22:50:47 2014 : Info: ++[chap] returns noop
> Tue Aug 12 22:50:47 2014 : Info: ++[mschap] returns noop
> Tue Aug 12 22:50:47 2014 : Info: [suffix] No '@' in User-Name = "joeuser", looking up realm NULL
> Tue Aug 12 22:50:47 2014 : Info: [suffix] No such realm "NULL"
> Tue Aug 12 22:50:47 2014 : Info: ++[suffix] returns noop
> Tue Aug 12 22:50:47 2014 : Info: ++[control] returns noop
> Tue Aug 12 22:50:47 2014 : Info: [eap] No EAP-Message, not doing EAP
> Tue Aug 12 22:50:47 2014 : Info: ++[eap] returns noop
> Tue Aug 12 22:50:47 2014 : Info: ++[files] returns noop
> Tue Aug 12 22:50:47 2014 : Info: [ldap] performing user authorization for joeuser
> Tue Aug 12 22:50:47 2014 : Info: [ldap]       expand: %{Stripped-User-Name} ->
> Tue Aug 12 22:50:47 2014 : Info: [ldap]       ... expanding second conditional
> Tue Aug 12 22:50:47 2014 : Info: [ldap]       expand: %{User-Name} -> joeuser
> Tue Aug 12 22:50:47 2014 : Info: [ldap]       expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=joeuser)
> Tue Aug 12 22:50:47 2014 : Info: [ldap]       expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com
> Tue Aug 12 22:50:47 2014 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
> Tue Aug 12 22:50:47 2014 : Debug:   [ldap] ldap_get_conn: Got Id: 0
> Tue Aug 12 22:50:47 2014 : Debug:   [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=joeuser)
> Tue Aug 12 22:50:47 2014 : Info: [ldap] No default NMAS login sequence
> Tue Aug 12 22:50:47 2014 : Info: [ldap] looking for check items in directory...
> Tue Aug 12 22:50:47 2014 : Debug:   [ldap] userPassword -> Password-With-Header == "{MD5}hashreplaced"
> Tue Aug 12 22:50:47 2014 : Info: [ldap] looking for reply items in directory...
> Tue Aug 12 22:50:47 2014 : Info: [ldap] user joeuser authorized to use remote access
> Tue Aug 12 22:50:47 2014 : Debug:   [ldap] ldap_release_conn: Release Id: 0
> Tue Aug 12 22:50:47 2014 : Info: ++[ldap] returns ok
> Tue Aug 12 22:50:47 2014 : Info: ++[expiration] returns noop
> Tue Aug 12 22:50:47 2014 : Info: ++[logintime] returns noop
> Tue Aug 12 22:50:47 2014 : Info: ++[pap] returns updated
> Tue Aug 12 22:50:47 2014 : Info: Found Auth-Type = PAP
> Tue Aug 12 22:50:47 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
> Tue Aug 12 22:50:47 2014 : Info: +- entering group PAP {...}
> Tue Aug 12 22:50:47 2014 : Info: [pap] login attempt with password "password"
> Tue Aug 12 22:50:47 2014 : Info: [pap] Using MD5 encryption.
> Tue Aug 12 22:50:47 2014 : Info: [pap] Normalizing MD5-Password from base64 encoding
> Tue Aug 12 22:50:47 2014 : Info: [pap] User authenticated successfully
> Tue Aug 12 22:50:47 2014 : Info: ++[pap] returns ok
> Tue Aug 12 22:50:47 2014 : Info: # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
> Tue Aug 12 22:50:47 2014 : Info: +- entering group post-auth {...}
> Tue Aug 12 22:50:47 2014 : Info:      expand: %{control:Tmp-String-1} ->
> Tue Aug 12 22:50:47 2014 : Info: ++[reply] returns noop
> } # server inner-tunnel
> Tue Aug 12 22:50:47 2014 : Info: [ttls] Got tunneled reply code 2
>       Filter-Id = ""
> Tue Aug 12 22:50:47 2014 : Info: [ttls] Got tunneled Access-Accept
> Tue Aug 12 22:50:47 2014 : Info: [eap] Freeing handler
> Tue Aug 12 22:50:47 2014 : Info: ++[eap] returns ok
> Tue Aug 12 22:50:47 2014 : Info: # Executing section post-auth from file /etc/freeradius/sites-enabled/default
> Tue Aug 12 22:50:47 2014 : Info: +- entering group post-auth {...}
> Tue Aug 12 22:50:47 2014 : Info: ++[exec] returns noop
> Sending Access-Accept of id 16 to xxx.xxx.xxx.xxx port 32768
>       Filter-Id = ""
>       MS-MPPE-Recv-Key = 0x85725d86e7ab1448510e48ba9b900cd3cbf3d7436f36f9b391dab4d35b3d69b1
>       MS-MPPE-Send-Key = 0x191e9e59df4f7108ac1542e48434330db030957911f7a3fb75ae40456057bf1f
>       EAP-Message = 0x03050004
>       Message-Authenticator = 0x00000000000000000000000000000000
>       User-Name = "joeuser"
> Tue Aug 12 22:50:47 2014 : Info: Finished request 9.
>
> Thank you for the help.  I appreciate it.  BTW, if this doesn't make sense I can provide more details as to what I am trying to do.  I figured I would spare that unless needed.
>
> Thanks,
>
> Alex
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
> not-for-profit company which is registered in England under No. 2881024
> and whose Registered Office is at Lumen House, Library Avenue,
> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
>

