Authenticating users on LDAP based on Group name
Jose Torres-Berrocal
jetsystemservices at gmail.com
Wed Apr 22 18:08:26 CEST 2015
Here are the debug output differences with some context lines.
As I said in my previous email, when using the group options I can see in the
debug that it is not authenticating, only authorizing, while when not using the
group options it is indeed authenticating. I can also see that there is
something different about PAP.
=============================================================================================================================
Debug diff sections using group options with some context lines:
=============================================================================================================================
basedn = "cn=Users,dc=jetdom,dc=local"
filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=*)"
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
groupmembership_attribute = "memberOf"
dictionary_mapping = "/usr/pbi/freeradius-i386/etc/raddb/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
[ldap] Bind was successful
[ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter
(sAMAccountName=administrator)
[ldap] ldap_release_conn: Release Id: 0
[files] expand:
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
->
(|(&(objectClass=GroupOfNames)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter
(&(cn=InternetAccess)(|(&(objectClass=GroupOfNames)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))))
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in CN=Administrator,CN=Users,DC=jetdom,DC=local,
with filter (objectclass=*)
[ldap] performing search in
CN=InternetAccess,CN=Users,DC=jetdom,DC=local, with filter
(cn=InternetAccess)
rlm_ldap::ldap_groupcmp: User found in group InternetAccess
[ldap] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 5
++[files] = ok
++policy redundant {
[sql] expand: %{User-Name} -> administrator
[sql] sql_set_user escaped user --> 'administrator'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'administrator' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'administrator' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
[sql] User administrator not found
+++[sql] = notfound
++} # policy redundant = notfound
++policy redundant {
[ldap] performing user authorization for administrator
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> administrator
[ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=administrator)
[ldap] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter
(sAMAccountName=administrator)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the
user is configured correctly?
[ldap] ldap_release_conn: Release Id: 0
+++[ldap] = ok
++} # policy redundant = ok
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[daily] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[weekly] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[monthly] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[forever] = noop
rlm_checkval: Could not find item named Calling-Station-Id in request
rlm_checkval: Could not find attribute named Calling-Station-Id in check
pairs
++[checkval] = notfound
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
expand: ->
Login OK: [administrator] (from client squid port 111)
# Executing section post-auth from file
/usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default
+group post-auth {
++policy redundant {
[sql] expand: %{User-Name} -> administrator
[sql] sql_set_user escaped user --> 'administrator'
[sql] expand: %{User-Password} -> jet10520b
[sql] expand: INSERT INTO radpostauth (username,
pass, reply, authdate) VALUES (
'%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES
( 'administrator',
'jet10520b', 'Access-Accept', '2015-04-21
23:06:58')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
(username, pass, reply, authdate)
VALUES ( 'administrator',
'jet10520b', 'Access-Accept', '2015-04-21
23:06:58')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
+++[sql] = ok
++} # policy redundant = ok
++[exec] = noop
+} # group post-auth = ok
Sending Access-Accept of id 1 to 192.168.56.1 port 5829
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 1 with timestamp +71
Ready to process requests.
=============================================================================================================================
Debug diff sections NOT using group options with some context lines:
=============================================================================================================================
basedn = "cn=Users,dc=jetdom,dc=local"
filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=*)"
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/usr/pbi/freeradius-i386/etc/raddb/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
[ldap] Bind was successful
[ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter
(sAMAccountName=administrator)
[ldap] ldap_release_conn: Release Id: 0
[files] expand:
(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
->
(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter
(&(cn=InternetAccess)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group InternetAccess not found or user is not a
member.
[ldap] Entering ldap_groupcmp()
[files] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local
[files] expand:
(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
->
(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter
(&(cn=InternetAccess)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group InternetAccess not found or user is not a
member.
++[files] = noop
++policy redundant {
[sql] expand: %{User-Name} -> administrator
[sql] sql_set_user escaped user --> 'administrator'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'administrator' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'administrator' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
[sql] User administrator not found
+++[sql] = notfound
++} # policy redundant = notfound
++policy redundant {
[ldap] performing user authorization for administrator
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> administrator
[ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=administrator)
[ldap] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter
(sAMAccountName=administrator)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the
user is configured correctly?
[ldap] Setting Auth-Type = LDAP
[ldap] ldap_release_conn: Release Id: 0
+++[ldap] = ok
++} # policy redundant = ok
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[daily] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[weekly] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[monthly] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[forever] = noop
rlm_checkval: Could not find item named Calling-Station-Id in request
rlm_checkval: Could not find attribute named Calling-Station-Id in check
pairs
++[checkval] = notfound
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = LDAP
# Executing group from file
/usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default
+group LDAP {
[ldap] login attempt by "administrator" with password "jet10520b"
[ldap] user DN: CN=Administrator,CN=Users,DC=jetdom,DC=local
[ldap] (re)connect to jetsms-srv2003.jetdom.local:389, authentication 1
[ldap] setting TLS CACert File to
/usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem
[ldap] setting TLS CACert Directory to
/usr/pbi/freeradius-i386/etc/raddb/certs/
[ldap] setting TLS Require Cert to never
[ldap] setting TLS Cert File to
/usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt
[ldap] setting TLS Key File to
/usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key
[ldap] setting TLS Rand File to
/usr/pbi/freeradius-i386/etc/raddb/certs/random
[ldap] bind as CN=Administrator,CN=Users,DC=jetdom,DC=local/jet10520b to
jetsms-srv2003.jetdom.local:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] user administrator authenticated succesfully
++[ldap] = ok
+} # group LDAP = ok
expand: ->
Login OK: [administrator] (from client squid port 111)
# Executing section post-auth from file
/usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default
+group post-auth {
++policy redundant {
[sql] expand: %{User-Name} -> administrator
[sql] sql_set_user escaped user --> 'administrator'
[sql] expand: %{User-Password} -> jet10520b
[sql] expand: INSERT INTO radpostauth (username,
pass, reply, authdate) VALUES (
'%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES
( 'administrator',
'jet10520b', 'Access-Accept', '2015-04-21
23:26:00')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
(username, pass, reply, authdate)
VALUES ( 'administrator',
'jet10520b', 'Access-Accept', '2015-04-21
23:26:00')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
+++[sql] = ok
++} # policy redundant = ok
++[exec] = noop
+} # group post-auth = ok
Sending Access-Accept of id 3 to 192.168.56.1 port 5829
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 3 with timestamp +47
Ready to process requests.
On Wed, Apr 22, 2015 at 6:51 AM, Alan DeKok <aland at deployingradius.com>
wrote:
> On Apr 21, 2015, at 11:31 PM, Jose Torres-Berrocal <
> jetsystemservices at gmail.com> wrote:
> > Debug output using group options:
>
> While posting the debug output is nice, it would help for *you* to look
> at them, too. Just dumping them here and expecting us to do all the work
> is... not nice.
>
> You can use tools like "diff" to see what the differences are. Then,
> post the *differences* here, and ask for clarification.
>
> i.e. if you're not going to read the debug output, we're not going to
> read it, either.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
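The two traces above differ in one security-relevant way: in the first, the files module matches a DEFAULT entry, the server then reports "Found Auth-Type = Accept" and goes straight to post-auth, so no authenticate section runs and the supplied password is never tested against the directory (the "[pap] WARNING: Auth-Type already set" line is a symptom of the same thing). In the second, rlm_ldap sets Auth-Type = LDAP, the "group LDAP" section runs, and the user is bound against the directory with the supplied password before Access-Accept is sent. The following checker, an added example and not part of this thread or of FreeRADIUS, walks a radiusd -X trace request by request and flags any Access-Accept that was issued with Auth-Type = Accept or without an authenticate group having run. The two sample traces are constructed excerpts modelled on the lines posted above (password removed); the line patterns are those of FreeRADIUS 2.x debug output as shown in the thread, and a trace from another version may need the regexes adjusted.

```python
import re
from typing import Dict, List

# Line patterns taken from the radiusd -X traces in this thread (FreeRADIUS 2.x format).
USERS_ENTRY_RE = re.compile(r"^\[files\] users: Matched entry (\S+) at line (\d+)")
SET_AUTH_TYPE_RE = re.compile(r"^\[(\S+)\] Setting Auth-Type = (\S+)")
FOUND_AUTH_TYPE_RE = re.compile(r"^Found Auth-Type = (\S+)")
AUTH_GROUP_RE = re.compile(r"^\+group (\S+) \{")
ACCESS_ACCEPT_RE = re.compile(r"^Sending Access-Accept of id (\d+) to (\S+) port (\d+)")
FINISHED_RE = re.compile(r"^Finished request (\d+)\.")
BIND_OK = "[ldap] Bind was successful"

# Constructed sample: group check in the users file, Auth-Type ends up as Accept.
TRACE_WITH_GROUP = """\
[files] users: Matched entry DEFAULT at line 5
++[files] = ok
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [administrator] (from client squid port 111)
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+group post-auth {
+} # group post-auth = ok
Sending Access-Accept of id 1 to 192.168.56.1 port 5829
Finished request 0.
"""

# Constructed sample: no group check, rlm_ldap sets Auth-Type and binds as the user.
TRACE_WITHOUT_GROUP = """\
++[files] = noop
[ldap] Setting Auth-Type = LDAP
+} # group authorize = ok
Found Auth-Type = LDAP
+group LDAP {
[ldap] user DN: CN=Administrator,CN=Users,DC=jetdom,DC=local
[ldap] Bind was successful
++[ldap] = ok
+} # group LDAP = ok
Login OK: [administrator] (from client squid port 111)
Sending Access-Accept of id 3 to 192.168.56.1 port 5829
Finished request 0.
"""


def split_requests(trace: str) -> List[List[str]]:
    """Cut a debug trace into per-request line lists on 'Finished request N.'."""
    requests: List[List[str]] = []
    current: List[str] = []
    for line in trace.splitlines():
        current.append(line)
        if FINISHED_RE.match(line):
            requests.append(current)
            current = []
    if current:  # trailing request that was not finished in the excerpt
        requests.append(current)
    return requests


def analyse_request(lines: List[str]) -> Dict[str, object]:
    """Decide whether a password was actually verified before Access-Accept."""
    info: Dict[str, object] = {
        "users_entry": None, "auth_type_set_by": None, "auth_type": None,
        "authenticate_group": None, "bind_ok_in_authenticate": False,
        "access_accept_id": None, "verdict": "no-accept",
    }
    in_authenticate = False  # true between 'Found Auth-Type' and 'Login OK'
    for line in lines:
        if m := USERS_ENTRY_RE.match(line):
            info["users_entry"] = f"{m.group(1)} (line {m.group(2)})"
        elif m := SET_AUTH_TYPE_RE.match(line):
            info["auth_type_set_by"] = m.group(1)
        elif m := FOUND_AUTH_TYPE_RE.match(line):
            info["auth_type"] = m.group(1)
            in_authenticate = True
        elif in_authenticate and line.startswith(("Login OK:", "Login incorrect")):
            in_authenticate = False  # post-auth groups must not count as authentication
        elif in_authenticate and (m := AUTH_GROUP_RE.match(line)):
            info["authenticate_group"] = m.group(1)
        elif in_authenticate and line.startswith(BIND_OK):
            # The admin bind during authorize logs the same line; only count it here.
            info["bind_ok_in_authenticate"] = True
        elif m := ACCESS_ACCEPT_RE.match(line):
            info["access_accept_id"] = int(m.group(1))
    if info["access_accept_id"] is not None:
        if info["auth_type"] == "Accept" or info["authenticate_group"] is None:
            info["verdict"] = "accepted-without-authentication"
        else:
            info["verdict"] = "authenticated"
    return info


def audit(trace: str) -> List[Dict[str, object]]:
    """Analyse every request in a trace and return one finding per request."""
    return [analyse_request(req) for req in split_requests(trace)]


if __name__ == "__main__":
    for name, trace in (("with group", TRACE_WITH_GROUP), ("without group", TRACE_WITHOUT_GROUP)):
        for finding in audit(trace):
            print(name, finding["verdict"], finding)
```

Run against a real `radiusd -X` capture, the first finding reports `users_entry = DEFAULT (line 5)`, no module that set Auth-Type, `auth_type = Accept` and the verdict `accepted-without-authentication`; that is the configuration to fix, because a users entry that sets `Auth-Type := Accept` accepts any password. The second reports `auth_type_set_by = ldap`, `authenticate_group = LDAP` and a successful bind inside the authenticate phase.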