unlang mapping different users to different authentication source

James Chen chenjiang at microshield.com.cn
Tue Feb 2 15:23:54 CET 2016


Hi Experts,

Sorry for the wide distribution; we want to use unlang to map different
users to different authentication modules. For example, mapping all users
from SSID gold to the LDAP module and all users from SSID silver to the
SQL module.

Below is our simple test unlang configuration:
if ("%{request:Aruba-Essid-Name}" == "microshield-test" ) {
        ldap
}
else {
        sql
}


But from the "radiusd -X" debug output we found that FreeRADIUS still
goes through both the LDAP and the SQL module:

# Executing section authorize from file /etc/raddb/sites-enabled/default
+group authorize {
++? if ("%{request:Aruba-Essid-Name}" == "microshield-test" )
        expand: %{request:Aruba-Essid-Name} ->
? Evaluating ("%{request:Aruba-Essid-Name}" == "microshield-test" ) ->
FALSE
++? if ("%{request:Aruba-Essid-Name}" == "microshield-test" ) -> FALSE
++else else {


[sql]   expand: %{User-Name} -> test
[sql] sql_set_user escaped user --> 'test'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY
id -> SELECT id, username, attribute, value, op           FROM radcheck
       WHERE username = 'test'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM
radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY
id -> SELECT id, username, attribute, value, op           FROM radreply
       WHERE username = 'test'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup
WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT
groupname           FROM radusergroup           WHERE username = 'test'
       ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute,           Value, op
    FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'
 ORDER BY id -> SELECT id, groupname, attribute,           Value, op
    FROM radgroupcheck           WHERE groupname = '娴?璇?ㄦ?风'
ORDER BY id
[sql] User found in group 娴?璇?ㄦ?风
[sql]     expand: SELECT id, groupname, attribute,           value, op
      FROM radgroupreply           WHERE groupname = '%{Sql-Group}'
   ORDER BY id -> SELECT id, groupname, attribute,           value, op
      FROM radgroupreply           WHERE groupname = '娴?璇?ㄦ?风'
ORDER BY id
rlm_sql (sql): Released sql socket id: 3
+++[sql] = ok
++} # else else = ok
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++[files] = noop
[sql]   expand: %{User-Name} -> test
[sql] sql_set_user escaped user --> 'test'
rlm_sql (sql): Reserving sql socket id: 2
[sql]   expand: SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY
id -> SELECT id, username, attribute, value, op           FROM radcheck
       WHERE username = 'test'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM
radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY
id -> SELECT id, username, attribute, value, op           FROM radreply
       WHERE username = 'test'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup
WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT
groupname           FROM radusergroup           WHERE username = 'test'
       ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute,           Value, op
    FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'
 ORDER BY id -> SELECT id, groupname, attribute,           Value, op
    FROM radgroupcheck           WHERE groupname = '娴?璇?ㄦ?风'
ORDER BY id
[sql] User found in group 娴?璇?ㄦ?风
[sql]     expand: SELECT id, groupname, attribute,           value, op
      FROM radgroupreply           WHERE groupname = '%{Sql-Group}'
   ORDER BY id -> SELECT id, groupname, attribute,           value, op
      FROM radgroupreply           WHERE groupname = '娴?璇?ㄦ?风'
ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] = ok
[ldap] performing user authorization for test
[ldap]  expand: (sAMAccountName=%{User-Name}) -> (sAMAccountName=test)
[ldap]  expand: dc=ms,dc=local -> dc=ms,dc=local
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to 192.168.254.102:389, authentication 0
  [ldap] bind as cn=Administrator,cn=Users,dc=ms,dc=local/1qaz!QAZ to
192.168.254.102:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in dc=ms,dc=local, with filter
(sAMAccountName=test)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] Setting Auth-Type = LDAP
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] = noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[monthlytrafficcounter] = noop
rlm_sqlcounter: Entering module authorize code
WARNING: Please replace '%k' with '${key}'
sqlcounter_expand:  'SELECT SUM(acctsessiontime -
GREATEST((1454256000 - UNIX_TIMESTAMP(acctstarttime)), 0))
 FROM radacct WHERE username='%{User-Name}' AND
UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1454256000''
[monthlycounter]        expand: SELECT SUM(acctsessiontime -
   GREATEST((1454256000 - UNIX_TIMESTAMP(acctstarttime)), 0))
    FROM radacct WHERE username='%{User-Name}' AND
UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1454256000' -> SELECT
SUM(acctsessiontime -                  GREATEST((1454256000 -
UNIX_TIMESTAMP(acctstarttime)), 0))                  FROM radacct WHERE
username='test' AND                  UNIX_TIMESTAMP(acctstarttime) +
acctsessiontime > '1454256000'
WARNING: Please replace '%S' with '${sqlmod-inst}'
sqlcounter_expand:  '%{sql:SELECT SUM(acctsessiontime -
GREATEST((1454256000 - UNIX_TIMESTAMP(acctstarttime)), 0))
 FROM radacct WHERE username='test' AND
UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1454256000'}'
[monthlycounter] sql_xlat
[monthlycounter]        expand: %{User-Name} -> test
[monthlycounter] sql_set_user escaped user --> 'test'
[monthlycounter]        expand: SELECT SUM(acctsessiontime -
   GREATEST((1454256000 - UNIX_TIMESTAMP(acctstarttime)), 0))
    FROM radacct WHERE username='test' AND
UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1454256000' -> SELECT
SUM(acctsessiontime -                  GREATEST((1454256000 -
UNIX_TIMESTAMP(acctstarttime)), 0))                  FROM radacct WHERE
username='test' AND                  UNIX_TIMESTAMP(acctstarttime) +
acctsessiontime > '1454256000'
rlm_sql (sql): Reserving sql socket id: 1
[monthlycounter] row[0] returned NULL
rlm_sql (sql): Released sql socket id: 1
[monthlycounter]        expand: %{sql:SELECT SUM(acctsessiontime -
         GREATEST((1454256000 - UNIX_TIMESTAMP(acctstarttime)), 0))
          FROM radacct WHERE username='test' AND
UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1454256000'} ->
rlm_sqlcounter: No integer found in string ""
++[monthlycounter] = noop
+} # group authorize = ok
Found Auth-Type = LDAP
# Executing group from file /etc/raddb/sites-enabled/default
+group LDAP {
[ldap] login attempt by "test" with password "123456"
[ldap] user DN: CN=test,CN=Users,DC=ms,DC=local
  [ldap] (re)connect to 192.168.254.102:389, authentication 1
  [ldap] bind as CN=test,CN=Users,DC=ms,DC=local/123456 to
192.168.254.102:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
[ldap] user test authenticated succesfully
++[ldap] = ok
+} # group LDAP = ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+group post-auth {
++? if (control:Auth-Type == 'LDAP')
? Evaluating (control:Auth-Type == 'LDAP') -> TRUE
++? if (control:Auth-Type == 'LDAP') -> TRUE
++if (control:Auth-Type == 'LDAP') {
+++update reply {
        expand: We are using %{control:Auth-Type} authentication -> We are
using LDAP authentication
+++} # update reply = noop
++} # if (control:Auth-Type == 'LDAP') = noop
+} # group post-auth = noop
Sending Access-Accept of id 73 to 127.0.0.1 port 51620
        Reply-Message = "We are using LDAP authentication"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 73 with timestamp +4
Ready to process requests.

Is this the expected behavior? We want to use only one module depending on
a request attribute; is this achievable?


Thanks for your help!

BR!

Chen Jiang

Microshield Technology Co., Ltd
Floors 18-19, Tower C2, Haobai Building, No. 50 West Third Ring North Road, Haidian District, Beijing 100048
(86)10-88518768
(86)18612696123
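Added example (not part of the original post and not FreeRADIUS code): a small Python parser for `radiusd -X` output that records, for every `[module] = rcode` line, the section it ran in, its nesting depth (one `+` per unlang level) and the innermost enclosing conditional, then flags modules that ran inside an if/else branch and ran again at the section's top level. The log sample is constructed after the debug output in the post. Run over it, the parser shows that the `else` branch executed only `sql` (`+++[sql]`, depth 3), while the later `++[sql]` and `++[ldap]` lines sit at depth 2, outside the conditional, after `preprocess`, `chap` and the other unconditional entries of the authorize section. That is why both backends are consulted even though the conditional itself behaved as written: the second `sql` call and the `ldap` call are not governed by it.

```python
"""Parse FreeRADIUS `radiusd -X` debug output and report which modules ran in
each section, at what nesting depth and under which conditional.  Added
example; the log sample below is constructed after the post's debug output."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ModuleCall:
    section: str
    module: str
    depth: int                   # number of leading '+' on the debug line
    conditional: Optional[str]   # innermost enclosing if/elsif/else, or None
    rcode: str                   # module return code: ok, noop, ...


# "+group authorize {" opens a section; blocks, conditionals and module
# results carry one '+' per nesting level, and "} # ..." closes a block.
SECTION_OPEN_RE = re.compile(r"^\+group (\S+) \{$")
BLOCK_OPEN_RE = re.compile(
    r"^(\++)(if|elsif|else|group|update|switch|case|redundant|load-balance)\b.*\{$")
BLOCK_CLOSE_RE = re.compile(r"^(\++)\} # ")
MODULE_RE = re.compile(r"^(\++)\[([\w.-]+)\] = (\w+)$")
CONDITIONALS = {"if", "elsif", "else"}


def parse_debug(text: str) -> list[ModuleCall]:
    """Record every '[module] = rcode' line with its section and enclosing blocks."""
    calls: list[ModuleCall] = []
    section: Optional[str] = None
    stack: list[tuple[int, str, str]] = []   # (depth, kind, label) of open blocks
    for line in text.splitlines():
        if (m := SECTION_OPEN_RE.match(line)):
            section = m.group(1)
            stack = [(1, "group", section)]
        elif (m := BLOCK_OPEN_RE.match(line)):
            depth, kind = len(m.group(1)), m.group(2)
            label = "else" if kind == "else" else line[depth:].rstrip("{ ")
            stack.append((depth, kind, label))
        elif (m := BLOCK_CLOSE_RE.match(line)):
            depth = len(m.group(1))
            while stack and stack[-1][0] >= depth:
                stack.pop()
            if not stack:
                section = None       # "+} # group <name> = ..." ends the section
        elif (m := MODULE_RE.match(line)) and section is not None:
            depth, module, rcode = len(m.group(1)), m.group(2), m.group(3)
            cond = next((lbl for _, kind, lbl in reversed(stack) if kind in CONDITIONALS), None)
            calls.append(ModuleCall(section, module, depth, cond, rcode))
    return calls


def backends_consulted(calls, section, backends=("ldap", "sql")):
    """Backend modules touched in a section, in execution order."""
    return [c.module for c in calls if c.section == section and c.module in backends]


def unconditional_repeats(calls):
    """Modules that ran inside a conditional and again, in the same section,
    outside any conditional: the module is also listed unconditionally further
    down the section, so the conditional does not limit which backend runs."""
    seen: dict[tuple[str, str], str] = {}
    findings: dict[str, list[tuple[str, str]]] = {}
    for c in calls:
        key = (c.section, c.module)
        if c.conditional is not None:
            seen.setdefault(key, c.conditional)
        elif key in seen:
            findings.setdefault(c.section, []).append((c.module, seen[key]))
    return findings


# Constructed sample, trimmed from the radiusd -X output quoted in the post.
SAMPLE = """\
# Executing section authorize from file /etc/raddb/sites-enabled/default
+group authorize {
++? if ("%{request:Aruba-Essid-Name}" == "microshield-test" )
? Evaluating ("%{request:Aruba-Essid-Name}" == "microshield-test" ) -> FALSE
++? if ("%{request:Aruba-Essid-Name}" == "microshield-test" ) -> FALSE
++else else {
[sql] User found in radcheck table
+++[sql] = ok
++} # else else = ok
++[preprocess] = ok
++[chap] = noop
++[suffix] = noop
++[eap] = noop
++[files] = noop
++[sql] = ok
[ldap] Setting Auth-Type = LDAP
++[ldap] = ok
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = LDAP
+group LDAP {
++[ldap] = ok
+} # group LDAP = ok
+group post-auth {
++? if (control:Auth-Type == 'LDAP') -> TRUE
++if (control:Auth-Type == 'LDAP') {
+++update reply {
+++} # update reply = noop
++} # if (control:Auth-Type == 'LDAP') = noop
+} # group post-auth = noop
"""

if __name__ == "__main__":
    calls = parse_debug(SAMPLE)
    for c in calls:
        where = f"inside '{c.conditional}'" if c.conditional else "unconditional"
        print(f"{c.section:10} depth={c.depth} {c.module:12} = {c.rcode:5} ({where})")
    print("backends consulted in authorize:", backends_consulted(calls, "authorize"))
    print("modules run both conditionally and unconditionally:", unconditional_repeats(calls))
```

The report line for the second `sql` and for `ldap` reads `unconditional`, which is the check to make before blaming the `if`: with the debug output of the original configuration, the same depth prefixes tell you whether a backend ran inside the branch or from a separate, unconditional entry in the section.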