Problem with two ldap connections
Jörn Volkhausen
volkhausen.joern at gmx.de
Tue Mar 14 12:09:12 CET 2017
Just for the information of other people who have the same problem.
Issue:
The two ldap configurations are interacting in an undocumented way.
The configuration of the first module is touching the second module's
configuration and instance.
Solution:
For me it helped to just define the basedn and filter in one of the two
ldap configurations.
The other configuration also worked, because I use them only paired
with xlat. There is the possibility to define another dn and filter.
I don't know, but could it be that this is not the desired operation?
Thanks, and I hope it helps
Jörn Volkhausen
On 14.03.2017 at 07:56, Jörn Volkhausen wrote:
> Hello to all,
>
> I have a small problem and hope anyone can help me.
> First my configuration and the debug output:
>
> --- sites-available/radius-staging --- (is also linked in sites-enabled)
> authorize {
>     if ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/) {
>         update request {
>             Group-Name := "%{1}"
>             Stripped-User-Name := "%{2}"
>         }
>     }
>     else {
>         reject
>     }
>     #"%{exec:/usr/bin/printenv}"
>     ldap-kap-costumertype
>     if ("%{ldap-kap-costumertype:ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name}}" == unmanaged) {
>         update control {
>             Proxy-to-Realm := unmanagedCostumers
>         }
>         # updated
>     }
>     else {
>         ldap-kap-staging
>         # updated
>     }
> }
>
> authenticate {
>     Auth-Type PAP {
>         pap
>     }
>     Auth-Type LDAP {
>         ldap-kap-staging
>     }
> }
>
> --- modules/ldap-kap-staging ---
> ldap ldap-kap-staging {
>     server := "test"
>     identity := "cn=radiusbinduser,ou=admins,dc=domain,dc=de"
>     password := "XXXXXXX"
>     basedn := "ou=%{Group-Name},dc=domain,dc=de"
>     filter := "(&(uid=%{Stripped-User-Name})(userEnabled=true))"
>
>     dictionary_mapping = ${confdir}/ldap.attrmap
>     set_auth_type = yes
> }
>
> --- modules/ldap-kap-costumertype ---
> ldap ldap-kap-costumertype {
>     server := "test"
>     identity := "cn=radiusbinduser,ou=admins,dc=domain,dc=de"
>     password := "XXXXX"
>     basedn := "dc=domain,dc=de"
>     filter := "ou=%{Group-Name}"
>
>     dictionary_mapping = ${confdir}/ldap.attrmap
>     set_auth_type = no
> }
>
> --- debug output from freeradius ---
> Ready to process requests.
> rad_recv: Access-Request packet from host 10.10.20.100 port 55835, id=1,
> length=131
> User-Name = "rplus.dt#test at domain.de"
> Acct-Session-Id = "1489473128K1snz"
> NAS-IP-Address = 127.0.0.1
> NAS-Identifier = "Localhost"
> NAS-Port = 0
> Calling-Station-Id = "1115551212"
> User-Password = "testpass"
> Message-Authenticator = 0xb33a7beab35041d5b1c179deef4d6376
> server radius-staging {
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/radius-staging
> +group authorize {
> ++? if ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/)
> expand: %{User-Name} -> rplus.dt#test at domain.de
> ? Evaluating ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/) -> TRUE
> ++? if ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/) -> TRUE
> ++if ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/) {
> +++update request {
> expand: %{1} -> domain.dt
> expand: %{2} -> test
> +++} # update request = noop
> ++} # if ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/) = noop
> ++ ... skipping else for request 0: Preceding "if" was taken
> [ldap-kap-costumertype] performing user authorization for test
> [ldap-kap-costumertype] expand: ou=%{Group-Name} -> ou=rplus.dt
> [ldap-kap-costumertype] expand: dc=domain,dc=de -> dc=domain,dc=de
> [ldap-kap-costumertype] ldap_get_conn: Checking Id: 0
> [ldap-kap-costumertype] ldap_get_conn: Got Id: 0
> [ldap-kap-costumertype] attempting LDAP reconnection
> [ldap-kap-costumertype] (re)connect to test:636, authentication 0
> [ldap-kap-costumertype] setting TLS mode to 1
> [ldap-kap-costumertype] bind as
> cn=radiusbinduser,ou=admins,dc=domain,dc=de/XXXXX to test:636
> [ldap-kap-costumertype] waiting for bind result ...
> [ldap-kap-costumertype] Bind was successful
> [ldap-kap-costumertype] performing search in dc=domain,dc=de, with
> filter ou=rplus.dt
> [ldap-kap-costumertype] No default NMAS login sequence
> [ldap-kap-costumertype] looking for check items in directory...
> [ldap-kap-costumertype] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP. Are you sure that
> the user is configured correctly?
> [ldap-kap-costumertype] ldap_release_conn: Release Id: 0
> ++[ldap-kap-costumertype] = ok
> ++? if
> ("%{ldap-kap-costumertype:ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name}}"
> == unmanaged)
> [ldap-kap-costumertype] - ldap_xlat
> expand:
> ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name} ->
> ldap:///dc=domain,dc=de?businessCategory?one?ou=rplus.dt
> [ldap-kap-costumertype] ldap_get_conn: Checking Id: 0
> [ldap-kap-costumertype] ldap_get_conn: Got Id: 0
> [ldap-kap-costumertype] performing search in dc=domain,dc=de, with
> filter ou=rplus.dt
> [ldap-kap-costumertype] Adding attribute businessCategory, value: managed
> [ldap-kap-costumertype] ldap_release_conn: Release Id: 0
> [ldap-kap-costumertype] - ldap_xlat end
> expand:
> %{ldap-kap-costumertype:ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name}}
> -> managed
> ? Evaluating
> ("%{ldap-kap-costumertype:ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name}}"
> == unmanaged) -> FALSE
> ++? if
> ("%{ldap-kap-costumertype:ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name}}"
> == unmanaged) -> FALSE
> ++else else {
> [ldap-kap-staging] performing user authorization for test
> [ldap-kap-staging] expand:
> (&(uid=%{Stripped-User-Name})(userEnabled=true)) ->
> (&(uid=test)(userEnabled=true))
> <---------------------------------------
> [ldap-kap-staging] expand: ou=%{Group-Name},dc=domain,dc=de ->
> ou=rplus.dt,dc=domain,dc=de <---------------------------------------
> [ldap-kap-staging] ldap_get_conn: Checking Id: 0
> [ldap-kap-staging] ldap_get_conn: Got Id: 0
> [ldap-kap-staging] attempting LDAP reconnection
> [ldap-kap-staging] (re)connect to test:636, authentication 0
> [ldap-kap-staging] setting TLS mode to 1
> [ldap-kap-staging] bind as
> cn=radiusbinduser,ou=admins,dc=domain,dc=de/XXXXX to test:636
> [ldap-kap-staging] waiting for bind result ...
> [ldap-kap-staging] Bind was successful
> [ldap-kap-staging] performing search in ou=rplus.dt,dc=domain,dc=de,
> with filter (&(uid=test)(userEnabled=true))
> [ldap-kap-staging] No default NMAS login sequence
> [ldap-kap-staging] looking for check items in directory...
> [ldap-kap-staging] userPassword -> Password-With-Header ==
> "{SSHA}ac2cE0LcZb04Hr9mGf5RIvfeoDlDkT5BaEB4tw=="
> [ldap-kap-staging] looking for reply items in directory...
> [ldap-kap-staging] Setting Auth-Type = LDAP
> [ldap-kap-staging] ldap_release_conn: Release Id: 0
> +++[ldap-kap-staging] = ok
> ++} # else else = ok
> +} # group authorize = ok
> Found Auth-Type = LDAP
> # Executing group from file /etc/freeradius/sites-enabled/radius-staging
> +group LDAP {
> [ldap-kap-staging] login attempt by "test" with password "testpass"
> [ldap-kap-staging] user DN: ou=rplus.dt,dc=domain,dc=de
> <---------------------------------------
> [ldap-kap-staging] (re)connect to test:636, authentication 1
> [ldap-kap-staging] setting TLS mode to 1
> [ldap-kap-staging] bind as ou=rplus.dt,dc=telekom,dc=de/testpass to
> test:636 <---------------------------------------
> [ldap-kap-staging] waiting for bind result ...
> [ldap-kap-staging] Bind failed with invalid credentials
> ++[ldap-kap-staging] = reject
> +} # group LDAP = reject
> Failed to authenticate the user.
> } # server radius-staging
> Using Post-Auth-Type Reject
> # Executing group from file /etc/freeradius/sites-enabled/radius-staging
> +group REJECT {
> [attr_filter.access_reject] expand: %{User-Name} ->
> rplus.dt#test at domain.de
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] = updated
> +} # group REJECT = updated
> Delaying reject of request 0 for 1 seconds
>
>
> Can anyone explain to me why freeradius uses two different user DNs for the
> same ldap configuration [ldap-kap-staging]?
> That it authorizes the user is good, but why is freeradius using the
> wrong DN at the authenticate stage for the same ldap config?
>
> Thank you very much
> Jörn Volkhausen
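A small checker for the symptom discussed in this thread, added here as an example and not part of the original posts: it reads rlm_ldap debug output (line shapes as in the quoted log, with the mail line-wraps re-joined) and flags an ldap instance whose authenticate-stage user DN is its own authorize-stage search base, i.e. a bind against the container entry rather than a user entry. The sample log is a constructed excerpt built from the module names and DNs in the thread.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the debug output quoted in the thread
# (same module names and DNs, trimmed to the lines the check needs).
SAMPLE_DEBUG = """\
[ldap-kap-costumertype] performing search in dc=domain,dc=de, with filter ou=rplus.dt
[ldap-kap-costumertype] looking for check items in directory...
[ldap-kap-staging] performing search in ou=rplus.dt,dc=domain,dc=de, with filter (&(uid=test)(userEnabled=true))
[ldap-kap-staging] Setting Auth-Type = LDAP
Found Auth-Type = LDAP
[ldap-kap-staging] login attempt by "test" with password "testpass"
[ldap-kap-staging] user DN: ou=rplus.dt,dc=domain,dc=de
[ldap-kap-staging] Bind failed with invalid credentials
"""

# Line shapes taken from the rlm_ldap (2.x) debug output in the thread.
SEARCH_RE = re.compile(r"^\[(?P<mod>[^\]]+)\] performing search in (?P<base>.+?), with filter (?P<filter>.+)$")
USERDN_RE = re.compile(r"^\[(?P<mod>[^\]]+)\] user DN: (?P<dn>.+)$")


def normalize_dn(dn: str) -> str:
    """Case-fold and strip whitespace around RDNs (no escaped-comma handling)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def check_user_dns(debug: str) -> List[str]:
    """One finding per ldap instance whose authenticate-stage user DN is not an
    entry below the search base that same instance used in authorize."""
    bases: Dict[str, str] = {}  # module instance -> first authorize search base
    findings: List[str] = []
    for line in debug.splitlines():
        m = SEARCH_RE.match(line)
        if m:
            bases.setdefault(m["mod"], normalize_dn(m["base"]))
            continue
        m = USERDN_RE.match(line)
        if not m:
            continue
        mod, dn = m["mod"], normalize_dn(m["dn"])
        base = bases.get(mod)
        if base is None:
            findings.append(f"{mod}: user DN {dn} without a preceding authorize search")
        elif dn == base:
            findings.append(f"{mod}: user DN equals its search base {base}; "
                            "the bind targets the container, not a user entry")
        elif not dn.endswith("," + base):
            findings.append(f"{mod}: user DN {dn} lies outside search base {base}")
    return findings


if __name__ == "__main__":
    for finding in check_user_dns(SAMPLE_DEBUG):
        print(finding)
```

Run against a full `radiusd -X` capture after re-joining wrapped lines; a clean run returns no findings.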