checkItem not being checked

Victor Tarhon-Onu lsmituc at gmail.com
Fri Oct 3 13:27:51 CEST 2014


 	Hello Everyone,

 	Before proceeding further I'm going to describe briefly what I 
want to do and what I did so far.

 	Initially the requirement was to pull some authentication data 
from an LDAP server so that we can make some custom equipment 
authenticate those LDAP users. This equipment can use only RADIUS for 
authentication. This works just fine.

 	Later the requirement was changed and I was asked to do some 
privilege separation based on the group each LDAP user is in. So it seemed 
to be easier just to map the LDAP gidNumber entry for each user to a 
radius check item:

/etc/raddb/ldap.attrmap:checkItem       Group-ID                        gidNumber
/etc/raddb/dictionary:ATTRIBUTE Group-ID                3000    integer

 	So in /etc/raddb/users I added something like

DEFAULT Auth-Type = LDAP
 	Service-Type = Login,
 	Fall-Through = Yes

DEFAULT Group-ID == 100
 	Service-Type := Shell-User

DEFAULT Group-ID == 101
 	Service-Type := Dialout-Framed-User

 	The problem is that the Service-Type never changes because the 
Group-ID doesn't match any of those checks.
 	It remains set to the value (Login) I've set as default at the 
beginning of the file. However, when running the radius server in debug 
mode, I can see that the Group-ID is set correctly for each authenticated 
user:

rlm_ldap: Adding gidNumber as Group-ID, value 100 & op=21

 	...but I'm not sure if it's exported (or even supposed to be) out 
from rlm_ldap.

 	The freeradius version is 1.1.3 (freeradius-1.1.3-1.6.el5). I am 
inserting below the entire output of the radius server during an 
authentication/authorization attempt:


rad_recv: Access-Request packet from host 127.0.0.1:44291, id=235, length=57
         User-Name = "testuser"
         User-Password = "testpassword"
         NAS-IP-Address = 255.255.255.255
         NAS-Port = 0
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
   modcall[authorize]: module "preprocess" returns ok for request 0
   modcall[authorize]: module "chap" returns noop for request 0
   modcall[authorize]: module "mschap" returns noop for request 0
     rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
     rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 0
   rlm_eap: No EAP-Message, not doing EAP
   modcall[authorize]: module "eap" returns noop for request 0
     users: Matched entry DEFAULT at line 6
   modcall[authorize]: module "files" returns ok for request 0
modcall: entering group redundant  for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat:  '(&(objectClass=posixAccount)(uid=testuser))'
radius_xlat:  'dc=mydomain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0 
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldapserver.mydomain.com:389, authentication 0
rlm_ldap: setting TLS CACert File to /usr/share/ssl/certs/mydomain-CA.crt
rlm_ldap: setting TLS CACert Directory to /usr/share/ssl/certs/
rlm_ldap: starting TLS
request done: ld 0xb8b6c708 msgid 1
rlm_ldap: bind as / to ldapserver.mydomain.com:389
rlm_ldap: waiting for bind result ...
request done: ld 0xb8b6c708 msgid 2
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=mydomain,dc=com, with filter (&(objectClass=posixAccount)(uid=testuser))
request done: ld 0xb8b6c708 msgid 3
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding gidNumber as Group-ID, value 504 & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module "ldap1" returns ok for request 0
modcall: leaving group redundant  (returns ok) for request 0
modcall: leaving group authorize (returns ok) for request 0
   rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
   Processing the authenticate section of radiusd.conf 
modcall: entering group LDAP for request 0
modcall: entering group redundant  for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "testuser" with password "testpassword"
rlm_ldap: user DN: uid=testuser,ou=People,dc=mydomain,dc=com
rlm_ldap: (re)connect to ldapserver.mydomain.com:389, authentication 1
rlm_ldap: setting TLS CACert File to /usr/share/ssl/certs/mydomain-CA.crt
rlm_ldap: setting TLS CACert Directory to /usr/share/ssl/certs/
rlm_ldap: starting TLS
request done: ld 0xb8befaa8 msgid 1
rlm_ldap: bind as uid=testuser,ou=People,dc=mydomain,dc=com/testpassword to ldapserver.mydomain.com:389
rlm_ldap: waiting for bind result ...
request done: ld 0xb8befaa8 msgid 2 
rlm_ldap: Bind was successful
rlm_ldap: user testuser authenticated succesfully
   modcall[authenticate]: module "ldap1" returns ok for request 0
modcall: leaving group redundant  (returns ok) for request 0
modcall: leaving group LDAP (returns ok) for request 0
Login OK: [testuser] (from client localhost port 0) 
Sending Access-Accept of id 235 to 127.0.0.1 port 44291
         Service-Type = Login-User
Finished request 0
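To reconcile what the post describes by hand, here is a small checker (added here as an example; it is not part of the original post or of FreeRADIUS) that reads the debug output quoted above, extracts the check item that rlm_ldap adds, the order in which the authorize modules ran, and the Service-Type in the Access-Accept, then compares the reply against the Group-ID mapping from the users file. The excerpt embedded in SAMPLE_DEBUG is a constructed trim of the quoted output; the mapping and default Service-Type are taken from the users file in the post.

```python
import re

# Constructed excerpt of the radiusd debug output quoted in the post
# (trimmed to the lines the checker looks at).
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 127.0.0.1:44291, id=235, length=57
         User-Name = "testuser"
         NAS-Port = 0
   modcall[authorize]: module "preprocess" returns ok for request 0
     users: Matched entry DEFAULT at line 6
   modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding gidNumber as Group-ID, value 504 & op=21
   modcall[authorize]: module "ldap1" returns ok for request 0
   modcall[authenticate]: module "ldap1" returns ok for request 0
Sending Access-Accept of id 235 to 127.0.0.1 port 44291
         Service-Type = Login-User
Finished request 0
"""

# Group-ID -> Service-Type, taken from the users file entries in the post.
GROUP_SERVICE_MAP = {100: "Shell-User", 101: "Dialout-Framed-User"}
# The first DEFAULT entry sets "Service-Type = Login"; the Accept shows it as Login-User.
DEFAULT_SERVICE_TYPE = "Login-User"

ADD_RE = re.compile(r'rlm_ldap: Adding (\S+) as (\S+), value (\S+) & op=(\d+)')
MODULE_RE = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+)')
SEND_RE = re.compile(r'Sending (Access-\w+) of id (\d+)')
ATTR_RE = re.compile(r'^\s+([\w-]+) = (.+)$')


def parse_debug(text):
    """Pull module order, rlm_ldap check items and reply attributes out of radiusd -X output."""
    parsed = {"ldap_items": [], "modules": [], "response": None, "reply": {}}
    in_reply = False
    for line_no, line in enumerate(text.splitlines(), 1):
        m = ADD_RE.search(line)
        if m:
            _src, attr, value, op = m.groups()
            parsed["ldap_items"].append((attr, value, int(op), line_no))
            continue
        m = MODULE_RE.search(line)
        if m:
            section, name, rc = m.groups()
            parsed["modules"].append((section, name, rc, line_no))
            continue
        m = SEND_RE.search(line)
        if m:
            parsed["response"] = m.group(1)
            in_reply = True  # indented lines that follow are the reply attributes
            continue
        m = ATTR_RE.match(line)
        if m and in_reply:
            parsed["reply"][m.group(1)] = m.group(2).strip('"')
            continue
        if line.startswith("Finished"):
            in_reply = False
    return parsed


def expected_service_type(group_id):
    """Service-Type the users file mapping would select for this Group-ID."""
    return GROUP_SERVICE_MAP.get(group_id, DEFAULT_SERVICE_TYPE)


def check_request(parsed):
    """Return a list of findings; an empty list means reply and ordering are consistent."""
    findings = []
    gids = [(int(v), ln) for a, v, _op, ln in parsed["ldap_items"] if a == "Group-ID"]
    if not gids:
        findings.append("rlm_ldap added no Group-ID check item")
        return findings
    gid, gid_line = gids[0]
    if gid not in GROUP_SERVICE_MAP:
        findings.append(f"no users entry for Group-ID {gid}; default Service-Type applies")
    expected = expected_service_type(gid)
    actual = parsed["reply"].get("Service-Type")
    if actual != expected:
        findings.append(f"Service-Type mismatch: expected {expected} for Group-ID {gid}, got {actual}")
    # Module order: the users file is evaluated when "files" runs; an attribute
    # added by a module that runs later was not present for those checks.
    files_lines = [ln for sec, name, _rc, ln in parsed["modules"]
                   if sec == "authorize" and name == "files"]
    if files_lines and files_lines[0] < gid_line:
        findings.append(
            f"files evaluated the users file (line {files_lines[0]}) before rlm_ldap "
            f"added Group-ID (line {gid_line}); the users-file checks ran without that attribute")
    return findings


if __name__ == "__main__":
    for finding in check_request(parse_debug(SAMPLE_DEBUG)):
        print(finding)
```

Run against the quoted output, the checker reports two things: the gidNumber in that run (504) has no matching users entry, so the default Service-Type is the expected reply, and the "files" module finished before rlm_ldap added Group-ID, which is the ordering worth looking at when a users-file check against an LDAP-supplied attribute never matches.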