Authenticating users on LDAP based on Group name
Jose Torres-Berrocal
jetsystemservices at gmail.com
Thu Apr 23 22:24:43 CEST 2015
OK. Let's try again.
I think one confusion is that Radius has a setting called Groupname
attribute. I am talking about the Group name in Active Directory as Domain
Admins, Administrators, etc. Let's say that the AD/LDAP groups are called
Wingroups, and a Wingroup name is, for instance, Domain Admins. In my case I
want to use the Wingroup InternetAccess.
I do not know how to set aside the confusion on Authorization and
Authentication, but let's say that Authentication is a process where
the username/password combination values that are received in the
connection request are verified against the LDAP and, if found, it is said to
be Authenticated successfully, otherwise failed. I know there are other
types of Authentication but I want to keep it simple. Now, Authorization
is the process to allow or deny the request to connect. I know there are
branches to this, but for simplicity I would like to keep it at that.
Then, I want to allow connection to requests that have a username/password
combination authenticated successfully against an LDAP (Windows AD) and
whose user belongs to Wingroup InternetAccess.
I have been successful allowing connection by username/password or by the
user belonging to Wingroup, but not at the same time. Those are the debugs
I already sent you.
When I set the Group name attribute, groupmembership_filter and
groupmembership_attribute (which is what I call using group options) I am
successful allowing/denying connection by the user belonging to the
Wingroup, but it currently ignores the password. When I comment out the Group
name attribute, groupmembership_attribute, etc. (which is what I call not
using group options), I am successful allowing/denying connection by the
username/password, but it clearly does not work with the Wingroup.
I have been playing with the users.conf file and I think it is really close
to what I need, not sure if it is the correct way.
====================================================
/usr/pbi/freeradius-i386/etc/raddb/users
"test" Cleartext-Password := "squidtest"
DEFAULT Ldap-Group != "InternetAccess", Auth-Type := Reject
Ldap-Group == "InternetAccess", Auth-Type := LDAP
====================================================
Debug output that closely does what I want. It is long because it shows four
(4) tests on the same run.
1. Username/password combination found in LDAP but NOT in Wingroup.
2. Username/password combination not found in LDAP but in Wingroup
3. Username/password combination found in LDAP and in Wingroup
4. Username/password combination not found in LDAP and not in Wingroup
basedn = "cn=Users,dc=jetdom,dc=local"
filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=*)"
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
groupmembership_attribute = "memberOf"
dictionary_mapping = "/usr/pbi/freeradius-i386/etc/raddb/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
set_auth_type = yes
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/users
[/usr/pbi/freeradius-i386/etc/raddb/users]:5 WARNING! Check item
"Ldap-Group" found in reply item list for user "DEFAULT". This attribute
MUST go on the first line with the other check items
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/acct_users
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/preproxy_users
Listening on authentication address 192.168.56.1 port 1812
Listening on accounting address 192.168.56.1 port 1813
Listening on proxy address 192.168.56.1 port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.56.1 port 1140, id=29,
length=65
User-Name = "normal1"
User-Password = "Tramontane10520"
NAS-Port = 111
NAS-Port-Type = Async
NAS-IP-Address = 192.168.56.1
# Executing section authorize from file
/usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "normal1", skipping NULL due to config.
++[suffix] = noop
[ntdomain] No '\' in User-Name = "normal1", skipping NULL due to config.
++[ntdomain] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[ldap] Entering ldap_groupcmp()
[files] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local
[files] expand: %{Stripped-User-Name} ->
[files] ... expanding second conditional
[files] expand: %{User-Name} -> normal1
[files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=normal1)
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to jetsms-srv2003.jetdom.local:389, authentication 0
[ldap] setting TLS CACert File to
/usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem
[ldap] setting TLS CACert Directory to
/usr/pbi/freeradius-i386/etc/raddb/certs/
[ldap] setting TLS Require Cert to never
[ldap] setting TLS Cert File to
/usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt
[ldap] setting TLS Key File to
/usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key
[ldap] setting TLS Rand File to
/usr/pbi/freeradius-i386/etc/raddb/certs/random
[ldap] bind as cn=pfsense,cn=Users,dc=jetdom,dc=local/Tramontane10520 to
jetsms-srv2003.jetdom.local:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter
(sAMAccountName=normal1)
[ldap] ldap_release_conn: Release Id: 0
[files] expand:
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
->
(|(&(objectClass=GroupOfNames)(member=CN\3dNormaluser\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dNormaluser\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter
(&(cn=InternetAccess)(|(&(objectClass=GroupOfNames)(member=CN\3dNormaluser\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dNormaluser\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))))
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in CN=Normaluser,CN=Users,DC=jetdom,DC=local,
with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
[ldap] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 5
++[files] = ok
++policy redundant {
[sql] expand: %{User-Name} -> normal1
[sql] sql_set_user escaped user --> 'normal1'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'normal1' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username = 'normal1'
ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
[sql] User normal1 not found
+++[sql] = notfound
++} # policy redundant = notfound
++policy redundant {
[ldap] performing user authorization for normal1
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> normal1
[ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=normal1)
[ldap] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter
(sAMAccountName=normal1)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the
user is configured correctly?
[ldap] ldap_release_conn: Release Id: 0
+++[ldap] = ok
++} # policy redundant = ok
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[daily] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[weekly] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[monthly] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[forever] = noop
rlm_checkval: Could not find item named Calling-Station-Id in request
rlm_checkval: Could not find attribute named Calling-Station-Id in check
pairs
++[checkval] = notfound
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = Reject
Auth-Type = Reject, rejecting user
Failed to authenticate the user.
expand: ->
Login incorrect: [normal1] (from client squid port 111)
Using Post-Auth-Type REJECT
# Executing group from file
/usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> normal1
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 29 to 192.168.56.1 port 1140
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.56.1 port 1140, id=29,
length=65
Sending duplicate reply to client squid port 1140 - ID: 29
Sending Access-Reject of id 29 to 192.168.56.1 port 1140
Waking up in 4.9 seconds.
Cleaning up request 0 ID 29 with timestamp +25
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.56.1 port 1140, id=30,
length=71
User-Name = "administrator"
User-Password = "password"
NAS-Port = 111
NAS-Port-Type = Async
NAS-IP-Address = 192.168.56.1
# Executing section authorize from file
/usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "administrator", skipping NULL due to config.
++[suffix] = noop
[ntdomain] No '\' in User-Name = "administrator", skipping NULL due to
config.
++[ntdomain] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[ldap] Entering ldap_groupcmp()
[files] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local
[files] expand: %{Stripped-User-Name} ->
[files] ... expanding second conditional
[files] expand: %{User-Name} -> administrator
[files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=administrator)
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter
(sAMAccountName=administrator)
[ldap] ldap_release_conn: Release Id: 0
[files] expand:
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
->
(|(&(objectClass=GroupOfNames)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter
(&(cn=InternetAccess)(|(&(objectClass=GroupOfNames)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))))
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in CN=Administrator,CN=Users,DC=jetdom,DC=local,
with filter (objectclass=*)
[ldap] performing search in
CN=InternetAccess,CN=Users,DC=jetdom,DC=local, with filter
(cn=InternetAccess)
rlm_ldap::ldap_groupcmp: User found in group InternetAccess
[ldap] ldap_release_conn: Release Id: 0
++[files] = noop
++policy redundant {
[sql] expand: %{User-Name} -> administrator
[sql] sql_set_user escaped user --> 'administrator'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'administrator' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'administrator' ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
[sql] User administrator not found
+++[sql] = notfound
++} # policy redundant = notfound
++policy redundant {
[ldap] performing user authorization for administrator
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> administrator
[ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=administrator)
[ldap] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter
(sAMAccountName=administrator)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the
user is configured correctly?
[ldap] Setting Auth-Type = LDAP
[ldap] ldap_release_conn: Release Id: 0
+++[ldap] = ok
++} # policy redundant = ok
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[daily] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[weekly] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[monthly] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[forever] = noop
rlm_checkval: Could not find item named Calling-Station-Id in request
rlm_checkval: Could not find attribute named Calling-Station-Id in check
pairs
++[checkval] = notfound
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = LDAP
# Executing group from file
/usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default
+group LDAP {
[ldap] login attempt by "administrator" with password "password"
[ldap] user DN: CN=Administrator,CN=Users,DC=jetdom,DC=local
[ldap] (re)connect to jetsms-srv2003.jetdom.local:389, authentication 1
[ldap] setting TLS CACert File to
/usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem
[ldap] setting TLS CACert Directory to
/usr/pbi/freeradius-i386/etc/raddb/certs/
[ldap] setting TLS Require Cert to never
[ldap] setting TLS Cert File to
/usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt
[ldap] setting TLS Key File to
/usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key
[ldap] setting TLS Rand File to
/usr/pbi/freeradius-i386/etc/raddb/certs/random
[ldap] bind as CN=Administrator,CN=Users,DC=jetdom,DC=local/password to
jetsms-srv2003.jetdom.local:389
[ldap] waiting for bind result ...
[ldap] Bind failed with invalid credentials
++[ldap] = reject
+} # group LDAP = reject
Failed to authenticate the user.
expand: ->
Login incorrect ( [ldap] Bind as user failed): [administrator] (from
client squid port 111)
Using Post-Auth-Type REJECT
# Executing group from file
/usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> administrator
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 30 to 192.168.56.1 port 1140
rad_recv: Access-Request packet from host 192.168.56.1 port 1140, id=30,
length=71
Sending duplicate reply to client squid port 1140 - ID: 30
Sending Access-Reject of id 30 to 192.168.56.1 port 1140
Waking up in 4.9 seconds.
Cleaning up request 1 ID 30 with timestamp +35
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.56.1 port 1140, id=31,
length=71
User-Name = "administrator"
User-Password = "jet10520b"
NAS-Port = 111
NAS-Port-Type = Async
NAS-IP-Address = 192.168.56.1
# Executing section authorize from file
/usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "administrator", skipping NULL due to config.
++[suffix] = noop
[ntdomain] No '\' in User-Name = "administrator", skipping NULL due to
config.
++[ntdomain] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[ldap] Entering ldap_groupcmp()
[files] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local
[files] expand: %{Stripped-User-Name} ->
[files] ... expanding second conditional
[files] expand: %{User-Name} -> administrator
[files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=administrator)
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter
(sAMAccountName=administrator)
[ldap] ldap_release_conn: Release Id: 0
[files] expand:
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
->
(|(&(objectClass=GroupOfNames)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter
(&(cn=InternetAccess)(|(&(objectClass=GroupOfNames)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))))
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in CN=Administrator,CN=Users,DC=jetdom,DC=local,
with filter (objectclass=*)
[ldap] performing search in
CN=InternetAccess,CN=Users,DC=jetdom,DC=local, with filter
(cn=InternetAccess)
rlm_ldap::ldap_groupcmp: User found in group InternetAccess
[ldap] ldap_release_conn: Release Id: 0
++[files] = noop
++policy redundant {
[sql] expand: %{User-Name} -> administrator
[sql] sql_set_user escaped user --> 'administrator'
rlm_sql (sql): Reserving sql socket id: 1
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'administrator' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'administrator' ORDER BY priority
rlm_sql (sql): Released sql socket id: 1
[sql] User administrator not found
+++[sql] = notfound
++} # policy redundant = notfound
++policy redundant {
[ldap] performing user authorization for administrator
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> administrator
[ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=administrator)
[ldap] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter
(sAMAccountName=administrator)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the
user is configured correctly?
[ldap] Setting Auth-Type = LDAP
[ldap] ldap_release_conn: Release Id: 0
+++[ldap] = ok
++} # policy redundant = ok
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[daily] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[weekly] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[monthly] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[forever] = noop
rlm_checkval: Could not find item named Calling-Station-Id in request
rlm_checkval: Could not find attribute named Calling-Station-Id in check
pairs
++[checkval] = notfound
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = LDAP
# Executing group from file
/usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default
+group LDAP {
[ldap] login attempt by "administrator" with password "jet10520b"
[ldap] user DN: CN=Administrator,CN=Users,DC=jetdom,DC=local
[ldap] (re)connect to jetsms-srv2003.jetdom.local:389, authentication 1
[ldap] setting TLS CACert File to
/usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem
[ldap] setting TLS CACert Directory to
/usr/pbi/freeradius-i386/etc/raddb/certs/
[ldap] setting TLS Require Cert to never
[ldap] setting TLS Cert File to
/usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt
[ldap] setting TLS Key File to
/usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key
[ldap] setting TLS Rand File to
/usr/pbi/freeradius-i386/etc/raddb/certs/random
[ldap] bind as CN=Administrator,CN=Users,DC=jetdom,DC=local/jet10520b to
jetsms-srv2003.jetdom.local:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] user administrator authenticated succesfully
++[ldap] = ok
+} # group LDAP = ok
expand: ->
Login OK: [administrator] (from client squid port 111)
# Executing section post-auth from file
/usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default
+group post-auth {
++policy redundant {
[sql] expand: %{User-Name} -> administrator
[sql] sql_set_user escaped user --> 'administrator'
[sql] expand: %{User-Password} -> jet10520b
[sql] expand: INSERT INTO radpostauth (username,
pass, reply, authdate) VALUES (
'%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES
( 'administrator',
'jet10520b', 'Access-Accept', '2015-04-22
17:13:08')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
(username, pass, reply, authdate)
VALUES ( 'administrator',
'jet10520b', 'Access-Accept', '2015-04-22
17:13:08')
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): Released sql socket id: 0
+++[sql] = ok
++} # policy redundant = ok
++[exec] = noop
+} # group post-auth = ok
Sending Access-Accept of id 31 to 192.168.56.1 port 1140
Finished request 2.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 2 ID 31 with timestamp +46
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.56.1 port 1140, id=32,
length=64
User-Name = "carlos"
User-Password = "casas"
NAS-Port = 111
NAS-Port-Type = Async
NAS-IP-Address = 192.168.56.1
# Executing section authorize from file
/usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "carlos", skipping NULL due to config.
++[suffix] = noop
[ntdomain] No '\' in User-Name = "carlos", skipping NULL due to config.
++[ntdomain] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[ldap] Entering ldap_groupcmp()
[files] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local
[files] expand: %{Stripped-User-Name} ->
[files] ... expanding second conditional
[files] expand: %{User-Name} -> carlos
[files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=carlos)
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter
(sAMAccountName=carlos)
[ldap] object not found
rlm_ldap::ldap_groupcmp: search failed
[ldap] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 5
++[files] = ok
++policy redundant {
[sql] expand: %{User-Name} -> carlos
[sql] sql_set_user escaped user --> 'carlos'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'carlos' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'carlos' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username = 'carlos'
ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
+++[sql] = ok
++} # policy redundant = ok
++policy redundant {
[ldap] performing user authorization for carlos
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> carlos
[ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=carlos)
[ldap] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter
(sAMAccountName=carlos)
[ldap] object not found
[ldap] search failed
[ldap] ldap_release_conn: Release Id: 0
+++[ldap] = notfound
++} # policy redundant = notfound
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[daily] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[weekly] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[monthly] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[forever] = noop
rlm_checkval: Could not find item named Calling-Station-Id in request
rlm_checkval: Could not find attribute named Calling-Station-Id in check
pairs
++[checkval] = notfound
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = Reject
Auth-Type = Reject, rejecting user
Failed to authenticate the user.
expand: ->
Login incorrect ( [ldap] User not found): [carlos] (from client squid port
111)
Using Post-Auth-Type REJECT
# Executing group from file
/usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> carlos
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 32 to 192.168.56.1 port 1140
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.56.1 port 1140, id=32,
length=64
Sending duplicate reply to client squid port 1140 - ID: 32
Sending Access-Reject of id 32 to 192.168.56.1 port 1140
Waking up in 4.9 seconds.
Cleaning up request 3 ID 32 with timestamp +74
Ready to process requests.
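An editor's example of the users file entries, not the poster's own file: it keeps the same group name and Auth-Type values but puts Ldap-Group on the first line of its entry, which is what the "Check item ... MUST go on the first line with the other check items" warning in the debug output above asks for. The file path and the "test" entry are the ones from the post.

```text
# /usr/pbi/freeradius-i386/etc/raddb/users  (edited example, not the poster's file)
#
# In this file the first line of an entry holds check items; indented lines
# that follow it hold reply items.  Ldap-Group is a check item, so it belongs
# on the first line.  Entries are tried in order and the first DEFAULT that
# matches ends processing (no Fall-Through is set), so a user that is a member
# of InternetAccess takes the first DEFAULT and everyone else takes the second.

"test"  Cleartext-Password := "squidtest"

# Member of InternetAccess: hand the request to rlm_ldap, which verifies the
# password by binding to the directory as that user.
DEFAULT Ldap-Group == "InternetAccess", Auth-Type := LDAP

# Not a member, or not found in the directory at all (the group comparison
# fails when the user search fails): reject.
DEFAULT Auth-Type := Reject
```

The four test runs above already end the way the poster wants (normal1 and carlos hit the Reject entry at line 5, administrator skips it and gets Auth-Type = LDAP from rlm_ldap), so this rewrite changes the warning, not the outcomes.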