Problem with two ldap connections

Jörn Volkhausen volkhausen.joern at gmx.de
Tue Mar 14 07:56:55 CET 2017


Hello at all

i have a small problem an dhope anyone can help me.
First my configuration and the debug output:

--- sites-available/radius-staging --- (is also linked in sites-enabled)
authorize {
    if ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/) {
                update request {
                        Group-Name := "%{1}"
                        Stripped-User-Name := "%{2}"
                }
        }
        else {
                reject
        }
        #"%{exec:/usr/bin/printenv}"
        ldap-kap-costumertype
        if
("%{ldap-kap-costumertype:ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name}}"
== unmanaged) {
                update control {
                        Proxy-to-Realm := unmanagedCostumers
                }
        #       updated
        }
        else {
                ldap-kap-staging
        #       updated
        }
}

authenticate {
    Auth-Type PAP {
                pap
    }
    Auth-Type LDAP {
                ldap-kap-staging
    }
}
   
--- modules/ldap-kap-staging ---
ldap ldap-kap-staging {
    server := "test"
        identity := "cn=radiusbinduser,ou=admins,dc=domain,dc=de"
        password := "XXXXXXX"
        basedn := "ou=%{Group-Name},dc=domain,dc=de"
        filter := "(&(uid=%{Stripped-User-Name})(userEnabled=true))"

    dictionary_mapping = ${confdir}/ldap.attrmap
    set_auth_type = yes
}

--- modules/ldap-kap-costumertype ---
ldap ldap-kap-costumertype {
    server := "test"
        identity := "cn=radiusbinduser,ou=admins,dc=domain,dc=de"
        password := "XXXXX"
        basedn := "dc=domain,dc=de"
        filter := "ou=%{Group-Name}"

    dictionary_mapping = ${confdir}/ldap.attrmap
    set_auth_type = no
}

--- debug output from freeradius ---
Ready to process requests.
rad_recv: Access-Request packet from host 10.10.20.100 port 55835, id=1,
length=131
    User-Name = "rplus.dt#test at domain.de"
    Acct-Session-Id = "1489473128K1snz"
    NAS-IP-Address = 127.0.0.1
    NAS-Identifier = "Localhost"
    NAS-Port = 0
    Calling-Station-Id = "1115551212"
    User-Password = "testpass"
    Message-Authenticator = 0xb33a7beab35041d5b1c179deef4d6376
server radius-staging {
# Executing section authorize from file
/etc/freeradius/sites-enabled/radius-staging
+group authorize {
++? if ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/)
    expand: %{User-Name} -> rplus.dt#test at domain.de
? Evaluating ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/) -> TRUE
++? if ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/) -> TRUE
++if ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/) {
+++update request {
    expand: %{1} -> domain.dt
    expand: %{2} -> test
+++} # update request = noop
++} # if ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/) = noop
++ ... skipping else for request 0: Preceding "if" was taken
[ldap-kap-costumertype] performing user authorization for test
[ldap-kap-costumertype]     expand: ou=%{Group-Name} -> ou=rplus.dt
[ldap-kap-costumertype]     expand: dc=domain,dc=de -> dc=domain,dc=de
  [ldap-kap-costumertype] ldap_get_conn: Checking Id: 0
  [ldap-kap-costumertype] ldap_get_conn: Got Id: 0
  [ldap-kap-costumertype] attempting LDAP reconnection
  [ldap-kap-costumertype] (re)connect to test:636, authentication 0
  [ldap-kap-costumertype] setting TLS mode to 1
  [ldap-kap-costumertype] bind as
cn=radiusbinduser,ou=admins,dc=domain,dc=de/XXXXX to test:636
  [ldap-kap-costumertype] waiting for bind result ...
  [ldap-kap-costumertype] Bind was successful
  [ldap-kap-costumertype] performing search in dc=domain,dc=de, with
filter ou=rplus.dt
[ldap-kap-costumertype] No default NMAS login sequence
[ldap-kap-costumertype] looking for check items in directory...
[ldap-kap-costumertype] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that
the user is configured correctly?
  [ldap-kap-costumertype] ldap_release_conn: Release Id: 0
++[ldap-kap-costumertype] = ok
++? if
("%{ldap-kap-costumertype:ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name}}"
== unmanaged)
  [ldap-kap-costumertype] - ldap_xlat
    expand:
ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name} ->
ldap:///dc=domain,dc=de?businessCategory?one?ou=rplus.dt
  [ldap-kap-costumertype] ldap_get_conn: Checking Id: 0
  [ldap-kap-costumertype] ldap_get_conn: Got Id: 0
  [ldap-kap-costumertype] performing search in dc=domain,dc=de, with
filter ou=rplus.dt
  [ldap-kap-costumertype] Adding attribute businessCategory, value: managed
  [ldap-kap-costumertype] ldap_release_conn: Release Id: 0
  [ldap-kap-costumertype] - ldap_xlat end
    expand:
%{ldap-kap-costumertype:ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name}}
-> managed
? Evaluating
("%{ldap-kap-costumertype:ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name}}"
== unmanaged) -> FALSE
++? if
("%{ldap-kap-costumertype:ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name}}"
== unmanaged) -> FALSE
++else else {
[ldap-kap-staging] performing user authorization for test
[ldap-kap-staging]     expand:
(&(uid=%{Stripped-User-Name})(userEnabled=true)) ->
(&(uid=test)(userEnabled=true))     
<---------------------------------------
[ldap-kap-staging]     expand: ou=%{Group-Name},dc=domain,dc=de ->
ou=rplus.dt,dc=domain,dc=de    <---------------------------------------
  [ldap-kap-staging] ldap_get_conn: Checking Id: 0
  [ldap-kap-staging] ldap_get_conn: Got Id: 0
  [ldap-kap-staging] attempting LDAP reconnection
  [ldap-kap-staging] (re)connect to test:636, authentication 0
  [ldap-kap-staging] setting TLS mode to 1
  [ldap-kap-staging] bind as
cn=radiusbinduser,ou=admins,dc=domain,dc=de/XXXXX to test:636
  [ldap-kap-staging] waiting for bind result ...
  [ldap-kap-staging] Bind was successful
  [ldap-kap-staging] performing search in ou=rplus.dt,dc=domain,dc=de,
with filter (&(uid=test)(userEnabled=true))
[ldap-kap-staging] No default NMAS login sequence
[ldap-kap-staging] looking for check items in directory...
  [ldap-kap-staging] userPassword -> Password-With-Header ==
"{SSHA}ac2cE0LcZb04Hr9mGf5RIvfeoDlDkT5BaEB4tw=="
[ldap-kap-staging] looking for reply items in directory...
[ldap-kap-staging] Setting Auth-Type = LDAP
  [ldap-kap-staging] ldap_release_conn: Release Id: 0
+++[ldap-kap-staging] = ok
++} # else else = ok
+} # group authorize = ok
Found Auth-Type = LDAP
# Executing group from file /etc/freeradius/sites-enabled/radius-staging
+group LDAP {
[ldap-kap-staging] login attempt by "test" with password "testpass"
[ldap-kap-staging] user DN: ou=rplus.dt,dc=domain,dc=de       
<---------------------------------------
  [ldap-kap-staging] (re)connect to test:636, authentication 1
  [ldap-kap-staging] setting TLS mode to 1
  [ldap-kap-staging] bind as ou=rplus.dt,dc=telekom,dc=de/testpass to
test:636 <---------------------------------------
  [ldap-kap-staging] waiting for bind result ...
  [ldap-kap-staging] Bind failed with invalid credentials    
++[ldap-kap-staging] = reject
+} # group LDAP = reject
Failed to authenticate the user.
} # server radius-staging
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/radius-staging
+group REJECT {
[attr_filter.access_reject]     expand: %{User-Name} ->
rplus.dt#test at domain.de
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 0 for 1 seconds


Can anyone explain me why freeradius use two different userdn's for the
same ldap configuration [ldap-kap-staging]?
That he is authorizing the user is good, but why is freeradius using the
wrong dn at the authenticate stage for the same ldapconfig?

Thank you very much
Jörn Volkhausen


More information about the Freeradius-Users mailing list