LDAP group check not working with SQL expansion
Klara Mall
klara.mall at kit.edu
Mon Jul 24 23:03:08 CEST 2017
Hi,
I'm using FreeRADIUS Version 3.0.12.
I'm doing EAP-TTLS with PAP as the inner method, and I have the following
policy in the authorize section of the inner-tunnel virtual server (the
behaviour is the same when the policy is placed in post-auth):
# w2vgroupcheck: map a realm of the form <vlan_name>.w2v.kit.edu to a VLAN.
# Looks up the w2v row whose vlan_name matches the realm, requires the user
# to be a member of the LDAP group named in that row (group_name), and on
# success returns Tunnel-* reply attributes carrying the row's vlan_id.
# On group mismatch the request is rejected; if the realm does not match the
# regex, or no w2v row exists, the policy returns noop (see notes below).
w2vgroupcheck {
# Gate on the realm shape. Stripped-User-Domain is derived from the
# user-supplied identity, so everything below treats untrusted input.
# The capture group ([^\.]+) is never referenced (no %{1}); the vlan_name
# is instead re-derived in SQL with regexp_replace() in each query.
if("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) {
# Existence check for the w2v row. The same row is fetched three times by
# three independent queries (count, group_name, vlan_id) below.
# NOTE(review): %{Stripped-User-Domain} is interpolated into a SQL string
# literal; this relies on rlm_sql escaping nested expansions inside the
# %{sql:...} xlat (safe_characters) — confirm, this file does not show it.
# NOTE(review): when this is FALSE the policy falls through with noop, i.e.
# a realm that matches the regex but has no w2v row is neither rejected
# nor assigned a VLAN here — confirm that is the intended behaviour.
if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) {
# Group membership check against the LDAP group named in the w2v row.
# NOTE(review): per the debug trace below, with this dynamic %{sql:...}
# right-hand side the SQL expansion runs but no LDAP group search is
# attempted ("Searching for user in group" never appears) and the
# condition evaluates to FALSE; with a literal "KIT-Group-1" the LDAP
# search runs and succeeds. The LDAP-Group comparison therefore appears
# not to be triggered for a dynamically expanded RHS — root cause is not
# established here; TODO confirm.
if (LDAP-Group == "%{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}") {
# Only reached once group membership is confirmed: assign the VLAN.
update reply {
Tunnel-Private-Group-Id := "%{sql:SELECT vlan_id FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}"
Tunnel-Type := VLAN
Tunnel-Medium-Type := IEEE-802
}
}
# User not in the mapped group (or, as in the trace, the comparison
# failed without a lookup): deny access.
else {
reject
}
}
}
}
Which results in:
(8) policy w2vgroupcheck {
(8) if ("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) {
(8) EXPAND %{Stripped-User-Domain}
(8) --> vlan-1.w2v.kit.edu
(8) if ("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) -> TRUE
(8) if ("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) {
(8) if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) {
rlm_sql (sql): Reserved connection (0)
(8) Executing select query: SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('vlan-1.w2v.kit.edu', '\.w2v\.kit\.edu$', '')
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
rlm_sql (sql): Released connection (0)
(8) EXPAND %{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}
(8) --> 1
(8) if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) -> TRUE
(8) if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) {
(8) if (LDAP-Group == "%{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}") {
rlm_sql (sql): Reserved connection (1)
(8) Executing select query: SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('vlan-1.w2v.kit.edu', '\.w2v\.kit\.edu$', '')
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
rlm_sql (sql): Released connection (1)
(8) EXPAND %{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}
(8) --> KIT-Group-1
(8) if (LDAP-Group == "%{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}") -> FALSE
(8) else {
(8) [reject] = reject
(8) } # else = reject
(8) } # if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) = reject
(8) } # if ("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) = reject
(8) } # policy w2vgroupcheck = reject
I don't understand this: the SQL expansion works (it returns KIT-Group-1),
but no LDAP group lookup is attempted afterwards — the "Searching for user
in group" step seen in the second trace never happens. The condition simply
evaluates to FALSE and the request is rejected. When I replace
(LDAP-Group == "%{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}")
with
(LDAP-Group == "KIT-Group-1")
it works:
(8) policy w2vgroupcheck { [50/1950]
(8) if ("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) {
(8) EXPAND %{Stripped-User-Domain}
(8) --> vlan-1.w2v.kit.edu
(8) if ("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) -> TRUE
(8) if ("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) {
(8) if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) {
rlm_sql (sql): Reserved connection (0)
(8) Executing select query: SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('vlan-1.w2v.kit.edu', '\.w2v\.kit\.edu$', '')
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
rlm_sql (sql): Released connection (0)
(8) EXPAND %{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}
(8) --> 1
(8) if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) -> TRUE
(8) if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) {
(8) if (LDAP-Group == "KIT-Group-1") {
(8) Searching for user in group "KIT-Group-1"
rlm_ldap (ldap): Reserved connection (1)
(8) Using user DN from request "uid=abc123,ou=People,ou=unix,ou=IDM,dc=kit,dc=edu"
(8) Checking for user in group objects
(8) EXPAND (&(cn=KIT-Group-1)(objectClass=posixGroup)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))
(8) --> (&(cn=KIT-Group-1)(objectClass=posixGroup)(memberUid=abc123))
(8) Performing search in "ou=unix,ou=IDM,dc=kit,dc=edu" with filter "(&(cn=KIT-Group-1)(objectClass=posixGroup)(memberUid=abc123))", scope "sub"
(8) Waiting for search result...
(8) User found in group object "ou=unix,ou=IDM,dc=kit,dc=edu"
rlm_ldap (ldap): Released connection (1)
(8) if (LDAP-Group == "KIT-Group-1") -> TRUE
(8) if (LDAP-Group == "KIT-Group-1") {
(8) update reply {
rlm_sql (sql): Reserved connection (1)
(8) Executing select query: SELECT vlan_id FROM w2v WHERE vlan_name=regexp_replace('vlan-1.w2v.kit.edu', '\.w2v\.kit\.edu$', '')
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
rlm_sql (sql): Released connection (1)
(8) EXPAND %{sql:SELECT vlan_id FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}
(8) --> 22
(8) Tunnel-Private-Group-Id := 22
(8) Tunnel-Type := VLAN
(8) Tunnel-Medium-Type := IEEE-802
(8) } # update reply = noop
(8) } # if (LDAP-Group == "KIT-Group-1") = noop
(8) ... skipping else: Preceding "if" was taken
(8) } # if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) = noop
(8) } # if ("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) = noop
(8) } # policy w2vgroupcheck = noop
Thanks in advance
Klara