force exit on instantiated ldap module
Ramon Escriba
escriba at cells.es
Thu Nov 3 12:24:04 CET 2016
Hi Alan,
>> Actually, all ldap instances are asked for every "uid=mac" in order sequence, so if there's a match, the attributes are updated from the ldap.
>The recommended approach is to figure out which LDAP server the user belongs to, and query just that one. Querying all of them is inefficient, and wastes time. It's also more complex.
We only use one Ldap server. Each vlan has one subtree with all macs allowed to connect there. So a Ldap query, "the instance", does a mac search in only this vlan subtree.
Maybe this is not the use 'ldap instances' were designed for.
>> My goal is somehow to stop ldap executing the next instances (vlan2, vlan3 ... N) if the actual one (vlan 1) got the jackpot, to avoid so many ldap queries.
>Why not figure out which LDAP server the user belongs to, and query just that one?
>i.e. have one mapping table of MAC to LDAP server, and the query just that one?
So a kind of multi-evaluated field; it makes sense, but how can I extract/use each of those individual fields via ldap?
>> Right now I'm forced to use an inverse priority (the last match got the jackpot), that is not the right solution.
>> Any clues, or advice?
> The config you posted should work. If the information is found in ldap server 1, it returns, and doesn't check ldap server 2.
It worked fine in old v1.1, but not in v3.0.
Now, with v3.0.10, all ldap subtrees are checked anyway.
# radtest 010101010101 010101010101 127.0.0.1 0 testpassword
Sent Access-Request Id 159 from 0.0.0.0:58449 to 127.0.0.1:1812 length 82
User-Name = "010101010101"
User-Password = "010101010101"
NAS-IP-Address = XXX.XXX.XXX.XXX
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "010101010101"
Received Access-Accept Id 159 from 127.0.0.1:1812 to 0.0.0.0:0 length 116
Tunnel-Private-Group-Id:0 = "3003"
Extreme-CLI-Authorization = Disabled
Extreme-Netlogin-Only = Enabled
Extreme-Netlogin-Vlan = "VLAN03"
Termination-Action = RADIUS-Request
Session-Timeout = 7200
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
#radius -X
(...)
(0) VLAN01 EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) VLAN01 --> (uid=010101010101)
(0) VLAN01 Performing search in "ou=VLAN01,ou=VLANS,dc=acme,dc=com" with filter "(uid=010101010101)", scope "sub"
(0) VLAN01 Waiting for search result...
(0) VLAN01 User object found at DN "uid=010101010101,ou=VLAN01,ou=VLANS,dc=acme,dc=com"
(0) VLAN01 Processing user attributes
(0) VLAN01 control:Password-With-Header += '010101010101'
(0) VLAN01 reply:Reply-Message := 'Welcome-to-VLAN01.ldap'
(0) VLAN01 reply:Tunnel-Private-Group-ID := '3001'
(0) VLAN01 reply::Extreme-CLI-Authorization := Disabled
(0) VLAN01 reply::Extreme-Netlogin-Only := Enabled
(0) VLAN01 reply::Extreme-Netlogin-Vlan := 'VLAN01'
(0) VLAN01 reply:Termination-Action := RADIUS-Request
(0) VLAN01 reply:Session-Timeout := 7200
rlm_ldap (BL01): Released connection (0)
rlm_ldap (BL01): Need 5 more connections to reach 10 spares
rlm_ldap (BL01): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (BL01): Connecting to ldap://127.0.0.1:389
rlm_ldap (BL01): Waiting for bind result...
rlm_ldap (BL01): Bind successful
(0) [BL01] = updated
(.....)
rlm_ldap (VLAN02): Reserved connection (0)
(0) VLAN02: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) VLAN02: --> (uid=010101010101)
(0) VLAN02: Performing search in "ou=VLAN02,ou=VLANS,dc=acme,dc=com" with filter "(uid=010101010101)", scope "sub"
(0) VLAN02: Waiting for search result...
(0) VLAN02: Search returned no results
rlm_ldap (VLAN02): Released connection (0)
rlm_ldap (VLAN02): Need 5 more connections to reach 10 spares
rlm_ldap (VLAN02): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (VLAN02): Connecting to ldap://127.0.0.1:389
rlm_ldap (VLAN02): Waiting for bind result...
rlm_ldap (VLAN02): Bind successful
(0) [VLAN02] = notfound
rlm_ldap (VLAN03): Reserved connection (0)
(0) VLAN03: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) VLAN03: --> (uid=010101010101)
(0) VLAN03: Performing search in "ou=VLAN03,ou=VLANS,dc=acme,dc=com" with filter "(uid=010101010101)", scope "sub"
(0) VLAN03: Waiting for search result...
(0) VLAN03: User object found at DN "uid=010101010101,ou=VLAN03,ou=VLANS,dc=acme,dc=com"
(0) VLAN03: Processing user attributes
(0) VLAN03: control:Password-With-Header += '010101010101'
(0) VLAN03: reply:Tunnel-Private-Group-ID := '3003'
(0) VLAN03: reply::Extreme-CLI-Authorization := Disabled
(0) VLAN03: reply::Extreme-Netlogin-Only := Enabled
(0) VLAN03: reply::Extreme-Netlogin-Vlan := 'VLAN03'
(0) VLAN03: reply:Termination-Action := RADIUS-Request
(0) VLAN03: reply:Session-Timeout := 7200
rlm_ldap (VLAN03): Released connection (0)
rlm_ldap (VLAN03): Need 5 more connections to reach 10 spares
rlm_ldap (VLAN03): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (VLAN03): Connecting to ldap://127.0.0.1:389
rlm_ldap (VLAN03): Waiting for bind result...
rlm_ldap (VLAN03): Bind successful
(0) [VLAN03] = updated
>> Alan DeKok.
Regards.
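One way to get the first matching subtree to end the search in v3.0, as an added example that is not the config from the original post nor a file shipped by the FreeRADIUS project: an authorize section that overrides the return code of each ldap instance. The instance names VLAN01, VLAN02 and VLAN03 and their base DNs are taken from the debug output above; the virtual server layout (raddb/sites-enabled/default) and the surrounding modules are assumptions.

```unlang
# Added example, not the poster's config. Assumes three rlm_ldap instances
# named VLAN01, VLAN02 and VLAN03 exist in mods-enabled/, each with base_dn
# pointing at its own "ou=VLANxx,ou=VLANS,dc=acme,dc=com" subtree.
authorize {
    preprocess

    # By default "updated" only carries a priority and the section keeps
    # running, so a later instance that also holds the MAC overwrites the
    # reply (the debug output shows VLAN03 replacing VLAN01's
    # Tunnel-Private-Group-ID 3001 with 3003). Overriding the return code
    # to "return" stops the authorize section at the first subtree that
    # contains the MAC. "notfound" keeps its default action, so the next
    # subtree is queried only when the previous one had no entry.
    VLAN01 {
        updated = return
        ok      = return
    }
    VLAN02 {
        updated = return
        ok      = return
    }
    VLAN03 {
        updated = return
        ok      = return
    }

    # A MAC present in none of the subtrees gets an explicit reject rather
    # than falling through to any other authorization source.
    if (notfound) {
        reject
    }

    # Lets pap authenticate against the Password-With-Header the matching
    # subtree placed in the control list.
    pap
}
```

With this layout a MAC in VLAN01 produces one LDAP search instead of three, and the reply attributes always come from the first subtree in which it was found.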