LDAP Query: Not Found
Scott Pickles
scottpickles at yahoo.com
Tue Jul 28 22:17:52 CEST 2015
sAMAccountName is what resolved that issue. I am using unlang to have AD check my user's group membership and then I want to use ntlm_auth to authenticate. Almost there, just a bit stuck:
Received Access-Request Id 48 from 172.18.1.2:1025 to 172.18.2.100:1812 length 66
User-Name = 'spickles'
User-Password = '****'
NAS-IP-Address = 172.18.1.2
NAS-Port = 48
NAS-Port-Type = Virtual
(0) Received Access-Request packet from host 172.18.1.2 port 1025, id=48, length=66
(0) User-Name = 'spickles'
(0) User-Password = '****'
(0) NAS-IP-Address = 172.18.1.2
(0) NAS-Port = 48
(0) NAS-Port-Type = Virtual
>>/etc/raddb/clients.conf configuration points my NAS to the site file 'cisco_asa' via virtual_server = cisco_asa
>>(0) # Executing section authorize from file /etc/raddb/sites-enabled/cisco_asa
(0) authorize {
(0) [preprocess] = ok
(0) [mschap] = noop
(0) [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(0) ldap : EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap : --> (sAMAccountName=spickles)
(0) ldap : EXPAND DC=myDomain,DC=com
(0) ldap : --> DC=myDomain,DC=com
(0) ldap : Performing search in 'DC=myDomain,DC=com' with filter '(sAMAccountName=spickles)', scope 'sub'
(0) ldap : Waiting for search result...
>>This is good
>>(0) ldap : User object found at DN "CN=Scott Pickles,CN=Users,DC=myDomain,DC=com"
(0) ldap : Processing user attributes
>>This is expected because I'm just using LDAP to check group membership
>>(0) WARNING: ldap : No "known good" password added. Ensure the admin user has permission to read the password attribute
>>(0) WARNING: ldap : PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (4)
(0) [ldap] = ok
(0) if (Ldap-Group == "VPN-Internal")
(0) Searching for user in group "VPN-Internal"
rlm_ldap (ldap): Reserved connection (4)
(0) Using user DN from request "CN=Scott Pickles,CN=Users,DC=myDomain,DC=com"
(0) Checking for user in group objects
(0) EXPAND (&(cn=VPN-Internal)(objectClass=posixGroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
(0) --> (&(cn=VPN-Internal)(objectClass=posixGroup)(|(member=CN\3dScott Pickles\2cCN\3dUsers\2cDC\3dmyDomain\2cDC\3dcom)(memberUid=spickles)))
(0) EXPAND DC=myDomain,DC=com
(0) --> DC=myDomain,DC=com
(0) Performing search in 'DC=myDomain,DC=com' with filter '(&(cn=VPN-Internal)(objectClass=posixGroup)(|(member=CN\3dScott Pickles\2cCN\3dUsers\2cDC\3dmyDomain\2cDC\3dcom)(memberUid=spickles)))', scope 'sub'
(0) Waiting for search result...
>>How come search fails first time
>>(0) Search returned no results
>>(0) Search returned not found
(0) Checking user object membership (memberOf) attributes
(0) Performing unfiltered search in 'CN=Scott Pickles,CN=Users,DC=myDomain,DC=com', scope 'base'
(0) Waiting for search result...
(0) Processing group membership value "CN=VPN-Internal,OU=VPN,OU=Groups,DC=myDomain,DC=com"
(0) Converting group DN to group Name
(0) Performing unfiltered search in 'CN=VPN-Internal,OU=VPN,OU=Groups,DC=myDomain,DC=com', scope 'base'
(0) Waiting for search result...
>>But works the second time?
>>(0) Group name is "VPN-Internal"
>>(0) User found. Comparison between membership: name (resolved from DN), check: name
rlm_ldap (ldap): Released connection (4)
(0) if (Ldap-Group == "VPN-Internal") -> TRUE
(0) if (Ldap-Group == "VPN-Internal") {
(0) [ok] = ok
(0) } # if (Ldap-Group == "VPN-Internal") = ok
(0) ... skipping else for request 0: Preceding "if" was taken
(0) } # authorize = ok
>>To fix this, do I add Auth-Type to my unlang statement?
>>(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
>>server cisco_asa {
>> authorize {
>> preprocess
>> mschap
>> files
>> ldap
>> if(Ldap-Group == "VPN-Internal") {
>> #Setting 'Auth-Type := ntlm_auth' here fails
>> # Loading authorize {...}
>> #/etc/raddb/sites-enabled/cisco_asa[8] Invalid return code assigment inside of a if section
>> #/etc/raddb/sites-enabled/cisco_asa[2]: Errors parsing authorize section.
>>
>> #setting 'ntlm_auth' here doesn't seem to be necessary?
>> ok
>> }
>> else {
>> reject
>> }
>> }
>>authenticate {
>> Auth-Type PAP {
>> pap
>> }
>> Auth-Type CHAP {
>> chap
>> }
>> Auth-Type MS-CHAP {
>> mschap
>> }
>> ntlm_auth
>> }
>>}
>>This is obviously where it's failing, but authenticate also has ntlm_auth as I thought it should? Seems like I just need to tweak the authorize/authenticate sections?
>>(0) Failed to authenticate the user
>>(0) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [spickles/****] (from client ROCH_FIREWALL port 48)
>>(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/cisco_asa
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject : EXPAND %{User-Name}
(0) attr_filter.access_reject : --> spickles
(0) attr_filter.access_reject : Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1 seconds
Waking up in 0.6 seconds.
Waking up in 0.3 seconds.
(0) Sending delayed response
(0) Sending Access-Reject packet to host 172.18.1.2 port 1025, id=48, length=0
Sending Access-Reject Id 48 from 172.18.2.100:1812 to 172.18.1.2:1025
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 48 with timestamp +7
Ready to process requests
On Tuesday, July 28, 2015 12:43 PM, Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
You are not getting any results. The same with ldapsearch
So use an ldap explorer tool or talk to the ldap/AD expert at your site to get info about the schema. Openlap is uid, AD is usually eg sAMAccountName
Once you've got the right tag and paths it'll all work
alan
More information about the Freeradius-Users
mailing list