LDAP Groups to Freeradius and then Ruckus Wireless?

Enrique Sainz Baixauli enriquesainz.beca at intef.educacion.es
Thu May 29 13:40:06 CEST 2014


>That is odd. Arran's debug log does not have that line. Are you SURE you set group.cache_attribute correctly?
> 
>(0)   foreach &control:LDAP-Cached-Membership {
>(0)   } # foreach &control:LDAP-Cached-Membership = noop
>
>What happens when you change it now to foreach &control:LDAP-Group (matching the debug output above)?
>
>-- 
>Fajar

That's it. I was never sure what LDAP-Cached-Membership did, but changing it to LDAP-Group did make FR add the attribute to the reply, and now my users are known to be part of their group in the Ruckus device. However, in the debug output those two lines are still there (saying LDAP-Group instead of LDAP-Cached-Membership) with that big noop that I hadn't noticed before, but there is a new line after Sending Access-Accept that says Ruckus-User-Groups += ... :D

@Alan: I did know what noop meant without reading the unlang manpage (not even knowing that it existed), but I hadn't noticed that line. However, I don't know where that noop is configured and I have just realized it doesn't really affect this issue.

Thank you guys very much. Really. I will now move forward to configuring EAP-PEAP, PAP was just a test :)
And, for the record, this is the current (working) debug output:

Received Access-Request Id 6 from 192.168.60.1:1024 to 192.168.50.62:1812 length 82
        User-Name = 'juan'
        User-Password = 'juan'
        NAS-IP-Address = 192.168.60.1
        Service-Type = Login-User
        NAS-Port-Type = Wireless-802.11
        Message-Authenticator = 0x5318e58e295f70f8c44c0dc21c2a919b
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0)   authorize {
(0)   filter_username filter_username {
(0)     if (User-Name != "%{tolower:%{User-Name}}")
(0) EXPAND %{tolower:%{User-Name}}
(0)    --> juan
(0)     if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(0)     if (User-Name =~ / /)
(0)     if (User-Name =~ / /)  -> FALSE
(0)     if (User-Name =~ /@.*@/ )
(0)     if (User-Name =~ /@.*@/ )  -> FALSE
(0)     if (User-Name =~ /\\.\\./ )
(0)     if (User-Name =~ /\\.\\./ )  -> FALSE
(0)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(0)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(0)     if (User-Name =~ /\\.$/)
(0)     if (User-Name =~ /\\.$/)   -> FALSE
(0)     if (User-Name =~ /@\\./)
(0)     if (User-Name =~ /@\\./)   -> FALSE
(0)   } # filter_username filter_username = notfound
(0)   [preprocess] = ok
(0)   [chap] = noop
(0)   [mschap] = noop
(0)   [digest] = noop
(0) suffix : No '@' in User-Name = "juan", looking up realm NULL
(0) suffix : No such realm "NULL"
(0)   [suffix] = noop
(0) eap : No EAP-Message, not doing EAP
(0)   [eap] = noop
(0)   [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(0) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap :    --> (uid=juan)
(0) ldap : EXPAND dc=ejemplo,dc=org
(0) ldap :    --> dc=ejemplo,dc=org
(0) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=juan)', scope 'sub'
(0) ldap : Waiting for search result...
(0) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org"
(0) ldap : No cacheable group memberships found in user object
(0) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))
(0) ldap :    --> (&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg))
(0) ldap : EXPAND dc=ejemplo,dc=org
(0) ldap :    --> dc=ejemplo,dc=org
(0) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg))', scope 'sub'
(0) ldap : Waiting for search result...
(0) ldap : Added control:Ldap-Group with value "profesores"
(0) ldap : Processing user attributes
(0) ldap :      control:Password-With-Header += ''{SSHA}YvCZkmiUfoRuncod2Vm3Bnwr1ueIg3ew''
rlm_ldap (ldap): Released connection (4)
(0)   [ldap] = ok
(0)   foreach &control:LDAP-Group
(0)    update reply {
(0) EXPAND %{Foreach-Variable-0}
(0)    --> profesores
(0)     &Ruckus-User-Groups += '"profesores"'
(0)    } # update reply = noop
(0)   } # foreach &control:LDAP-Group = noop
(0)   [expiration] = noop
(0)   [logintime] = noop
(0)   [pap] = updated
(0)  } #  authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0)  Auth-Type PAP {
(0) pap : Login attempt with password
(0) pap : Comparing with "known-good" SSHA-Password
(0) pap : Normalizing SSHA1-Password from base64 encoding, 32 bytes -> 24 bytes
(0) pap : User authenticated successfully
(0)   [pap] = ok
(0)  } # Auth-Type PAP = ok
(0) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
(0)   post-auth {
(0)   [exec] = noop
(0)   remove_reply_message_if_eap remove_reply_message_if_eap {
(0)     if (reply:EAP-Message && reply:Reply-Message)
(0)     if (reply:EAP-Message && reply:Reply-Message)  -> FALSE
(0)    else else {
(0)     [noop] = noop
(0)    } # else else = noop
(0)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(0)  } #  post-auth = noop
Sending Access-Accept Id 6 from 192.168.50.62:1812 to 192.168.60.1:1024
        Ruckus-User-Groups += 'profesores'
(0) Finished request
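For reference, here is the configuration that produces the debug output above, reconstructed from what the log shows. This is an added example, not the poster's own files: the filter strings, base DN and module order are taken from the log lines, while the ldap `group` settings (`cacheable_name`, `cacheable_dn`, `cache_attribute`, `name_attribute`) are assumptions that are consistent with the log showing "Added control:Ldap-Group" and with the `foreach` iterating over `&control:LDAP-Group`. Connection, identity and TLS settings of the ldap module are omitted.

```unlang
# /etc/freeradius/mods-available/ldap  (FreeRADIUS 3.0.x, fragment)
# Only the parts exercised by the debug output above.
ldap {
	base_dn = "dc=ejemplo,dc=org"

	user {
		base_dn = "${..base_dn}"
		# Expands to (uid=juan) in the log. rlm_ldap escapes the
		# expanded value for use in an LDAP filter, which is why the
		# member= DN in the group search shows \3d and \2c escaping.
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	group {
		base_dn = "${..base_dn}"
		filter = "(objectClass=groupOfNames)"
		name_attribute = cn            # assumed; yields "profesores"
		membership_filter = "(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))"

		# Cache the group names into a control attribute during
		# authorize so unlang can iterate over them. The attribute
		# name set here is the one the foreach must reference: the
		# log shows "Added control:Ldap-Group", so the loop reads
		# &control:LDAP-Group, not LDAP-Cached-Membership.
		cacheable_name = yes           # assumed
		cacheable_dn = no              # assumed
		cache_attribute = "LDAP-Group" # assumed; matches the log
	}
}

# /etc/freeradius/sites-enabled/default, authorize section (fragment)
# Module order as it appears in the debug output.
authorize {
	filter_username
	preprocess
	chap
	mschap
	digest
	suffix
	eap
	files
	ldap

	# Copy every cached group name into the reply as a Ruckus VSA.
	# This runs before authentication, but reply attributes only
	# leave the server in the Access-Accept, so a failed PAP login
	# does not reveal the user's group membership to the NAS.
	foreach &control:LDAP-Group {
		update reply {
			&Ruckus-User-Groups += "%{Foreach-Variable-0}"
		}
	}

	expiration
	logintime
	pap
}
```

The `foreach` block returns `noop` in the log because `update` sections do not set a module return code; that is expected and is not an error. The `[ldap] = ok` line and the `Added control:Ldap-Group` line are the ones to check when the reply attribute is missing: if the first appears without the second, the group search found nothing or `cacheable_name` is off; if both appear but no `Ruckus-User-Groups` is sent, the `foreach` references a different attribute name than `cache_attribute`.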
