Freeradius + Ldap - Authorise OK but NO dynamic VLANs

Matthew Pulis mpulis at gmail.com
Mon Aug 22 17:53:04 CEST 2016 

Hi Alan

thanks for your suggestion.

I added that snippet in the authorize {} section too. But!!! :

How come it is seeing that it is not a member of SeminaryAdmin when
ldapsearch specifically says it is. I didn't touch the default schema in
OpenLDAP so it should be pretty much straight forward from that side.

Thanks

Mon Aug 22 17:43:18 2016 : Debug: rlm_ldap (ldap): Bind successful
Mon Aug 22 17:43:18 2016 : Debug: (0)     User is not a member of
"SeminaryAdmin" <============================!!!!!!!!!
Mon Aug 22 17:43:18 2016 : Debug: (0)     if (Ldap-Group ==
"SeminaryAdmin")  -> FALSE
Mon Aug 22 17:43:18 2016 : Debug: (0)     modsingle[authorize]: calling
preprocess (rlm_preprocess) for request 0
Mon Aug 22 17:43:18 2016 : Debug: (0)     modsingle[authorize]: returned
from preprocess (rlm_preprocess) for request 0
Mon Aug 22 17:43:18 2016 : Debug: (0)     [preprocess] = ok
Mon Aug 22 17:43:18 2016 : Debug: (0)     modsingle[authorize]: calling
chap (rlm_chap) for request 0
Mon Aug 22 17:43:18 2016 : Debug: (0)     modsingle[authorize]: returned
from chap (rlm_chap) for request 0
Mon Aug 22 17:43:18 2016 : Debug: (0)     [chap] = noop
Mon Aug 22 17:43:18 2016 : Debug: (0)     modsingle[authorize]: calling
mschap (rlm_mschap) for request 0
Mon Aug 22 17:43:18 2016 : Debug: (0)     modsingle[authorize]: returned
from mschap (rlm_mschap) for request 0
Mon Aug 22 17:43:18 2016 : Debug: (0)     [mschap] = noop
Mon Aug 22 17:43:18 2016 : Debug: (0)     modsingle[authorize]: calling
suffix (rlm_realm) for request 0
Mon Aug 22 17:43:18 2016 : Debug: (0) suffix: Checking for suffix after "@"
Mon Aug 22 17:43:18 2016 : Debug: (0) suffix: No '@' in User-Name =
"ttester", looking up realm NULL
Mon Aug 22 17:43:18 2016 : Debug: (0) suffix: No such realm "NULL"
Mon Aug 22 17:43:18 2016 : Debug: (0)     modsingle[authorize]: returned
from suffix (rlm_realm) for request 0
Mon Aug 22 17:43:18 2016 : Debug: (0)     [suffix] = noop
Mon Aug 22 17:43:18 2016 : Debug: (0)     modsingle[authorize]: calling eap
(rlm_eap) for request 0
Mon Aug 22 17:43:18 2016 : Debug: (0) eap: No EAP-Message, not doing EAP
Mon Aug 22 17:43:18 2016 : Debug: (0)     modsingle[authorize]: returned
from eap (rlm_eap) for request 0
Mon Aug 22 17:43:18 2016 : Debug: (0)     [eap] = noop
Mon Aug 22 17:43:18 2016 : Debug: (0)     modsingle[authorize]: calling
files (rlm_files) for request 0
Mon Aug 22 17:43:18 2016 : Debug: (0)     modsingle[authorize]: returned
from files (rlm_files) for request 0
Mon Aug 22 17:43:18 2016 : Debug: (0)     [files] = noop
Mon Aug 22 17:43:18 2016 : Debug: (0)     modsingle[authorize]: calling
ldap (rlm_ldap) for request 0
Mon Aug 22 17:43:18 2016 : Debug: (0) ldap: EXPAND TMPL LITERAL
Mon Aug 22 17:43:18 2016 : Debug: (0) ldap: EXPAND TMPL LITERAL
Mon Aug 22 17:43:18 2016 : Debug: (0) ldap: EXPAND TMPL LITERAL
Mon Aug 22 17:43:18 2016 : Debug: (0) ldap: EXPAND TMPL LITERAL
Mon Aug 22 17:43:18 2016 : Debug: (0) ldap: EXPAND TMPL LITERAL
Mon Aug 22 17:43:18 2016 : Debug: (0) ldap: EXPAND TMPL LITERAL
Mon Aug 22 17:43:18 2016 : Debug: (0) ldap: EXPAND TMPL LITERAL
Mon Aug 22 17:43:18 2016 : Debug: (0) ldap: EXPAND TMPL LITERAL
Mon Aug 22 17:43:18 2016 : Debug: rlm_ldap (ldap): Reserved connection (1)
Mon Aug 22 17:43:18 2016 : Debug: (0) ldap: EXPAND TMPL XLAT
Mon Aug 22 17:43:18 2016 : Debug:
(uid=%{%{Stripped-User-Name}:-%{User-Name}})
Mon Aug 22 17:43:18 2016 : Debug: Parsed xlat tree:
Mon Aug 22 17:43:18 2016 : Debug: literal --> (uid=
Mon Aug 22 17:43:18 2016 : Debug: if {
Mon Aug 22 17:43:18 2016 : Debug:       attribute --> Stripped-User-Name
Mon Aug 22 17:43:18 2016 : Debug: }
Mon Aug 22 17:43:18 2016 : Debug: else {
Mon Aug 22 17:43:18 2016 : Debug:       attribute --> User-Name
Mon Aug 22 17:43:18 2016 : Debug: }
Mon Aug 22 17:43:18 2016 : Debug: literal --> )
Mon Aug 22 17:43:18 2016 : Debug: (0) ldap: EXPAND
(uid=%{%{Stripped-User-Name}:-%{User-Name}})
Mon Aug 22 17:43:18 2016 : Debug: (0) ldap:    --> (uid=ttester)
Mon Aug 22 17:43:18 2016 : Debug: (0) ldap: EXPAND TMPL LITERAL
Mon Aug 22 17:43:18 2016 : Debug: (0) ldap: Performing search in
"ou=SeminaryOU,dc=seminary,dc=local" with filter "(uid=ttester)", scope
"sub"
Mon Aug 22 17:43:18 2016 : Debug: (0) ldap: Waiting for search result...
Mon Aug 22 17:43:18 2016 : Debug: (0) ldap: User object found at DN
"cn=ttester,cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local"
Mon Aug 22 17:43:18 2016 : Debug: (0) ldap: Processing user attributes
Mon Aug 22 17:43:18 2016 : Debug: (0) ldap: control:Password-With-Header +=
'{SSHA}8IQ1qEkhjMJHRJH0vm7ajuRNcSBw9yrp'
Mon Aug 22 17:43:18 2016 : Debug: (0) ldap: Attribute "radiusReplyMessage"
not found in LDAP object
Mon Aug 22 17:43:18 2016 : Debug: (0) ldap: Attribute "radiusTunnelType"
not found in LDAP object
Mon Aug 22 17:43:18 2016 : Debug: (0) ldap: Attribute
"radiusTunnelMediumType" not found in LDAP object
Mon Aug 22 17:43:18 2016 : Debug: (0) ldap: Attribute
"radiusTunnelPrivategroupId" not found in LDAP object
Mon Aug 22 17:43:18 2016 : Debug: (0) ldap: Attribute
"radiusControlAttribute" not found in LDAP object
Mon Aug 22 17:43:18 2016 : Debug: (0) ldap: Attribute
"radiusRequestAttribute" not found in LDAP object
Mon Aug 22 17:43:18 2016 : Debug: (0) ldap: Attribute
"radiusReplyAttribute" not found in LDAP object
Mon Aug 22 17:43:18 2016 : Debug: rlm_ldap (ldap): Released connection (1)
Mon Aug 22 17:43:18 2016 : Debug: (0)     modsingle[authorize]: returned
from ldap (rlm_ldap) for request 0
Mon Aug 22 17:43:18 2016 : Debug: (0)     [ldap] = updated
Mon Aug 22 17:43:18 2016 : Debug: (0)     modsingle[authorize]: calling
expiration (rlm_expiration) for request 0
Mon Aug 22 17:43:18 2016 : Debug: (0)     modsingle[authorize]: returned
from expiration (rlm_expiration) for request 0
Mon Aug 22 17:43:18 2016 : Debug: (0)     [expiration] = noop
Mon Aug 22 17:43:18 2016 : Debug: (0)     modsingle[authorize]: calling
logintime (rlm_logintime) for request 0
Mon Aug 22 17:43:18 2016 : Debug: (0)     modsingle[authorize]: returned
from logintime (rlm_logintime) for request 0
Mon Aug 22 17:43:18 2016 : Debug: (0)     [logintime] = noop
Mon Aug 22 17:43:18 2016 : Debug: (0)     modsingle[authorize]: calling pap
(rlm_pap) for request 0
Mon Aug 22 17:43:18 2016 : Debug: (0) pap: Converted: Password-With-Header
= '{SSHA}8IQ1qEkhjMJHRJH0vm7ajuRNcSBw9yrp' -> SSHA1-Password =
'0x3849513171456b686a4d4a48524a4830766d37616a75524e6353427739797270'
Mon Aug 22 17:43:18 2016 : Debug: (0) pap: Removing
&control:Password-With-Header
Mon Aug 22 17:43:18 2016 : Debug: (0) pap: Normalizing SSHA1-Password from
base64 encoding, 32 bytes -> 24 bytes
Mon Aug 22 17:43:18 2016 : Debug: (0)     modsingle[authorize]: returned
from pap (rlm_pap) for request 0
Mon Aug 22 17:43:18 2016 : Debug: (0)     [pap] = updated
Mon Aug 22 17:43:18 2016 : Debug: (0)   } # authorize = updated
Mon Aug 22 17:43:18 2016 : Debug: (0) Found Auth-Type = PAP
Mon Aug 22 17:43:18 2016 : Debug: (0) # Executing group from file
/etc/freeradius/sites-enabled/default
Mon Aug 22 17:43:18 2016 : Debug: (0)   Auth-Type PAP {
Mon Aug 22 17:43:18 2016 : Debug: (0)     modsingle[authenticate]: calling
pap (rlm_pap) for request 0
Mon Aug 22 17:43:18 2016 : Debug: (0) pap: Login attempt with password
"openldap" (8)
Mon Aug 22 17:43:18 2016 : Debug: (0) pap: Comparing with "known-good"
SSHA-Password
Mon Aug 22 17:43:18 2016 : Debug: (0) pap: User authenticated successfully
Mon Aug 22 17:43:18 2016 : Debug: (0)     modsingle[authenticate]: returned
from pap (rlm_pap) for request 0
Mon Aug 22 17:43:18 2016 : Debug: (0)     [pap] = ok
Mon Aug 22 17:43:18 2016 : Debug: (0)   } # Auth-Type PAP = ok
Mon Aug 22 17:43:18 2016 : Debug: (0) # Executing section post-auth from
file /etc/freeradius/sites-enabled/default
Mon Aug 22 17:43:18 2016 : Debug: (0)   post-auth {
Mon Aug 22 17:43:18 2016 : Debug: (0)     update {
Mon Aug 22 17:43:18 2016 : Debug: (0)       No attributes updated
Mon Aug 22 17:43:18 2016 : Debug: (0)     } # update = noop
Mon Aug 22 17:43:18 2016 : Debug: (0)     if (Ldap-Group ==
"SeminaryAdmin") {
Mon Aug 22 17:43:18 2016 : Debug: (0)     Searching for user in group
"SeminaryAdmin"
Mon Aug 22 17:43:18 2016 : Debug: rlm_ldap (ldap): Reserved connection (2)
Mon Aug 22 17:43:18 2016 : Debug: (0)     Using user DN from request
"cn=ttester,cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local"
Mon Aug 22 17:43:18 2016 : Debug: (0)     Checking user object's memberOf
attributes
Mon Aug 22 17:43:18 2016 : Debug: (0)       Performing unfiltered search in
"cn=ttester,cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local", scope
"base"
Mon Aug 22 17:43:18 2016 : Debug: (0)       Waiting for search result...
Mon Aug 22 17:43:18 2016 : Debug: (0)     No group membership attribute(s)
found in user object
Mon Aug 22 17:43:18 2016 : Debug: rlm_ldap (ldap): Released connection (2)
Mon Aug 22 17:43:18 2016 : Debug: (0)     User is not a member of
"SeminaryAdmin"
Mon Aug 22 17:43:18 2016 : Debug: (0)     if (Ldap-Group ==
"SeminaryAdmin")  -> FALSE
Mon Aug 22 17:43:18 2016 : Debug: (0)     modsingle[post-auth]: calling
ldap (rlm_ldap) for request 0
Mon Aug 22 17:43:18 2016 : Debug: .
Mon Aug 22 17:43:18 2016 : Debug: Parsed xlat tree:
Mon Aug 22 17:43:18 2016 : Debug: literal --> .
Mon Aug 22 17:43:18 2016 : Debug: (0) ldap: EXPAND .
Mon Aug 22 17:43:18 2016 : Debug: (0) ldap:    --> .
Mon Aug 22 17:43:18 2016 : Debug: Authenticated at %S
Mon Aug 22 17:43:18 2016 : Debug: Parsed xlat tree:
Mon Aug 22 17:43:18 2016 : Debug: literal --> Authenticated at
Mon Aug 22 17:43:18 2016 : Debug: percent --> S
Mon Aug 22 17:43:18 2016 : Debug: (0) ldap: EXPAND Authenticated at %S
Mon Aug 22 17:43:18 2016 : Debug: (0) ldap:    --> Authenticated at
2016-08-22 17:43:18
Mon Aug 22 17:43:18 2016 : Debug: rlm_ldap (ldap): Reserved connection (3)
Mon Aug 22 17:43:18 2016 : Debug: (0) ldap: Using user DN from request
"cn=ttester,cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local"
Mon Aug 22 17:43:18 2016 : Debug: (0) ldap: Modifying object with DN
"cn=ttester,cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local"
Mon Aug 22 17:43:18 2016 : Debug: (0) ldap: Waiting for modify result...
Mon Aug 22 17:43:18 2016 : Debug: rlm_ldap (ldap): Released connection (3)
Mon Aug 22 17:43:18 2016 : Debug: (0)     modsingle[post-auth]: returned
from ldap (rlm_ldap) for request 0
Mon Aug 22 17:43:18 2016 : Debug: (0)     [ldap] = ok
Mon Aug 22 17:43:18 2016 : Debug: (0)     modsingle[post-auth]: calling
exec (rlm_exec) for request 0
Mon Aug 22 17:43:18 2016 : Debug: (0)     modsingle[post-auth]: returned
from exec (rlm_exec) for request 0
Mon Aug 22 17:43:18 2016 : Debug: (0)     [exec] = noop
Mon Aug 22 17:43:18 2016 : Debug: (0)     policy
remove_reply_message_if_eap {
Mon Aug 22 17:43:18 2016 : Debug: (0)       if (&reply:EAP-Message &&
&reply:Reply-Message) {
Mon Aug 22 17:43:18 2016 : Debug: (0)       if (&reply:EAP-Message &&
&reply:Reply-Message)  -> FALSE
Mon Aug 22 17:43:18 2016 : Debug: (0)       else {
Mon Aug 22 17:43:18 2016 : Debug: (0)         modsingle[post-auth]: calling
noop (rlm_always) for request 0
Mon Aug 22 17:43:18 2016 : Debug: (0)         modsingle[post-auth]:
returned from noop (rlm_always) for request 0
Mon Aug 22 17:43:18 2016 : Debug: (0)         [noop] = noop
Mon Aug 22 17:43:18 2016 : Debug: (0)       } # else = noop
Mon Aug 22 17:43:18 2016 : Debug: (0)     } # policy
remove_reply_message_if_eap = noop
Mon Aug 22 17:43:18 2016 : Debug: (0)   } # post-auth = ok
Mon Aug 22 17:43:18 2016 : Debug: (0) Sent Access-Accept Id 100 from
127.0.0.1:1812 to 127.0.0.1:41765 length 0
Mon Aug 22 17:43:18 2016 : Debug: (0) Finished request
Mon Aug 22 17:43:18 2016 : Debug: Waking up in 4.9 seconds.
Mon Aug 22 17:43:23 2016 : Debug: (0) Cleaning up request packet ID 100
with timestamp +4
Mon Aug 22 17:43:23 2016 : Info: Ready to process requests

More information about the Freeradius-Users mailing list