UserDN escape problem and Group membership checking in 3.0.3

Winders, Timothy A twinders at southplainscollege.edu
Wed Nov 19 22:48:09 CET 2014


On 11/19/14, 2:49 PM, "Winders, Timothy A"
<twinders at southplainscollege.edu> wrote:


>On 11/19/14, 1:35 PM, "Arran Cudbard-Bell" <a.cudbardb at freeradius.org>
>wrote:
>
>
>>
>>> On 19 Nov 2014, at 13:17, Winders, Timothy A
>>><twinders at southplainscollege.edu> wrote:
>>> 
>>> I have FreeRadius 3.0.3 installed on Ubuntu 14.0.4 (free radius
>>> 3.0.3-ppa1~trustry package)
>>> 
>>> I have everything set up with Active Directory for user authentication.
>>> This is working correctly, but I am having a problem with Active
>>>Directory
>>> group membership checking. It appears the problem is with the way
>>> FreeRadius escapes the UserDN when doing the query.
>>
>>Yeah pairparsevalue was molesting the DN string before writing it to the
>>DN attribute.
>>
>>It shouldn't really have been de-escaping \, as it's not something we
>>escape normally, and the LDAP code shouldn't have been calling a function
>>that used pairparsevalue anyway.
>>
>>So I've fixed both those issues. The fix will go in 3.0.5 which'll be
>>released very soon. If you could build from v3.0.x HEAD and check it's
>>resolved, that'd be helpful.
>
>
>
>OK.  I think I have done this correctly…
>
>I saved my existing /etc/freeradius configuration files and then removed
>all the freeradius-3.0.3 packages from the system.
>
>I downloaded the v3.0.x.zip file from
>https://github.com/FreeRADIUS/freeradius-server/archive/v3.0.x.zip
>
>I unzipped the file to /usr/local/src and ran ./configure from the
>directory, looked through the output and corrected all relevant WARNING
>messages, installing a TON of -dev packages to the system.  Finally ran
>make and make install.
>
>I saved the new /usr/local/etc/raddb files and moved my previous
>/etc/freeradius/* files to /usr/local/etc/raddb/*
>
>/usr/local/sbin/radiusd -v reports FreeRADIUS Version 3.0.5, for host
>x86_64-unknown-linux-gnu
>
>I ran /usr/local/sbin/radiusd -XC to check configured files.  Fixed the
>problems with clients.conf (ipaddr format changes between 3.0.3 and
>3.0.5?) and finally ran /usr/local/sbin/radiusd -X and connected with my
>client.
>
>I got the same badly escaped DN as before.
>
>
>(12)       if (LDAP-Group == "CN=Students Security Group,OU=Standard
>Groups,OU=Groups,OU=SPC,DC=southplainscollege,DC=edu") {
>(12)       Searching for user in group "CN=Students Security
>Group,OU=Standard Groups,OU=Groups,OU=SPC,DC=southplainscollege,DC=edu"
>rlm_ldap (ldap): Reserved connection (2)
>(12)       Using user DN from request "CN=Winders\, Tim
>(0552),OU=Students,OU=SPC,DC=southplainscollege,DC=edu"
>(12)       Checking for user in group objects
>(12)       EXPAND (&(objectClass=group)(member=%{control:Ldap-UserDn}))
>(12)          --> (&(objectClass=group)(member=CN\3dWinders\5c\5c\2c Tim
>\280552\29\2cOU\3dStudents\2cOU\3dSPC\2cDC\3dsouthplainscollege\2cDC\3dedu
>)
>)
>(12)       Performing search in 'CN=Students Security Group,OU=Standard
>Groups,OU=Groups,OU=SPC,DC=southplainscollege,DC=edu' with filter
>'(&(objectClass=group)(member=CN\3dWinders\5c\5c\2c Tim
>\280552\29\2cOU\3dStudents\2cOU\3dSPC\2cDC\3dsouthplainscollege\2cDC\3dedu
>)
>)', scope 'sub'
>(12)       Waiting for search result...
>(12)       Search returned no results
>(12)       Search returned not found
>
>
>
>
>Either I downloaded the wrong source files, or the change you thought you
>corrected didn't fix the problem...


I saw Alan replied, but I’ll reply here to keep the previous message
thread intact…

To Alan - I’ll look for the instructions on building the deb packages for
the 3.0.5 release and decide if that makes sense for me.

I realized in my test above, I only tested the group membership_filter
attribute (giving the escape problem above), but did not test the
membership_attribute = "memberOf".  I removed the membership_filter and
added the membership_attribute and IT WORKS!

I’ve snipped some of the debug for clarity, but you can see the unfiltered
search is now using the unescaped UserDn!

(12) if (LDAP-Group == "CN=Students Security Group,OU=Standard
Groups,OU=Groups,OU=SPC,DC=southplainscollege,DC=edu") {
(12) Searching for user in group "CN=Students Security Group,OU=Standard
Groups,OU=Groups,OU=SPC,DC=southplainscollege,DC=edu"

(12)       Using user DN from request "CN=Winders\, Tim
(0552),OU=Students,OU=SPC,DC=southplainscollege,DC=edu"
(12)       Checking user object membership (memberOf) attributes
(12)       Performing unfiltered search in 'CN=Winders\, Tim
(0552),OU=Students,OU=SPC,DC=southplainscollege,DC=edu', scope 'base'
(12)       Waiting for search result...
(12)       Processing group membership value "CN=Students Security
Group,OU=Standard Groups,OU=Groups,OU=SPC,DC=southplainscollege,DC=edu"
(12)       User found. Comparison between membership: dn, check: dn
(12)       if (LDAP-Group == "CN=Students Security Group,OU=Standard
Groups,OU=Groups,OU=SPC,DC=southplainscollege,DC=edu")  -> TRUE




So, at least part of the code is correct.

-- 
Tim Winders

Associate Dean of Information Technology
South Plains College
(806) 716-2369
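Added example, not from this thread and not FreeRADIUS code: a small Python model of what the membership_filter expansion has to do, escaping the request's user DN exactly once per RFC 4515 before it goes into `(member=...)`, plus a check that decodes a filter back to the value the directory will actually compare. The function names are my own; the DN and the broken filter value are copied from the debug output above, and the "correct" form is what single escaping of that DN produces.

```python
"""Model of the LDAP filter escaping behind membership_filter (added
example, assumptions: function names and the comparison helper are mine)."""
import re

# Constructed from the debug output above: the user DN as the request
# carries it (RFC 4514 escapes the comma inside the CN with a backslash).
USER_DN = r"CN=Winders\, Tim (0552),OU=Students,OU=SPC,DC=southplainscollege,DC=edu"

# The member= value FreeRADIUS 3.0.3/3.0.5 emitted in the failing search:
# note \5c\5c\2c, i.e. the single backslash was doubled before escaping.
BROKEN_FILTER_VALUE = (
    r"CN\3dWinders\5c\5c\2c Tim \280552\29\2cOU\3dStudents\2cOU\3dSPC"
    r"\2cDC\3dsouthplainscollege\2cDC\3dedu"
)

# Characters RFC 4515 requires to be hex-escaped inside an assertion value.
_FILTER_SPECIALS = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a raw string once for use as a filter assertion value."""
    return "".join(_FILTER_SPECIALS.get(ch, ch) for ch in value)


def member_filter(user_dn: str) -> str:
    """Equivalent of (&(objectClass=group)(member=%{control:Ldap-UserDn}))."""
    return f"(&(objectClass=group)(member={escape_filter_value(user_dn)}))"


def decode_filter_value(escaped: str) -> str:
    """Reverse RFC 4515 \\XX escapes: this is the string the server compares
    against the group's member attribute values."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), escaped)


def filter_matches_dn(filter_str: str, user_dn: str) -> bool:
    """Pull the member= assertion out of a filter and compare it with the
    DN the group actually stores; False means the search cannot match."""
    m = re.search(r"\(member=(.*)\)\)$", filter_str)
    return m is not None and decode_filter_value(m.group(1)) == user_dn


if __name__ == "__main__":
    good = member_filter(USER_DN)
    bad = f"(&(objectClass=group)(member={BROKEN_FILTER_VALUE}))"
    print("single-escaped filter matches DN:", filter_matches_dn(good, USER_DN))
    print("logged filter matches DN:       ", filter_matches_dn(bad, USER_DN))
    print("logged value decodes to:        ", decode_filter_value(BROKEN_FILTER_VALUE))
```

Running it shows the logged value decoding to a DN with two backslashes before the comma, which is why the group search returned no results, while a once-escaped DN round-trips to the original. The same escaping step is also what keeps characters like `*` or `)` in a directory-supplied value from altering the filter's structure.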


