Multi-valued LDAP attribute configuration

Srinivasa R srinivasa.r at icts.res.in
Thu Sep 14 09:49:26 CEST 2017


Hi Matthew,

I have tried the option you had suggested but no luck.

Hi All,

I have gone through the FreeRADIUS logs and found that FreeRADIUS is able
to find the user id, i.e. macAddress, which is a multi-valued field in LDAP, but
the problem is with the password. FreeRADIUS is retrieving all three
macAddress values for the password from LDAP, but for some reason it is
trying to match against the first value all the time. I am posting the
detailed log. I am getting the Access-Accept reply for the very first value
in the multi-valued field. Could someone help me please?

FreeRADIUS configuration:
LDAP conf file config:

update {
        control:Password-With-Header += 'macAddress'
}

user {
        filter = "(macAddress=%{%{Stripped-User-Name}:-%{User-Name}})"
}

FreeRADIUS log:

Received Access-Request Id 22 from 172.16.XX.XX:35697 to 172.16.XX.XXX:1812 length 103
User-Name = 'e4:a4:71:a3:88:6f'
User-Password = 'e4:a4:71:a3:88:6f'
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x866364dcab9fba69fd2508e111d730da
(2) Received Access-Request packet from host 172.16.XX.XX port 35697, id=22, length=103
(2) User-Name = 'e4:a4:71:a3:88:6f'
(2) User-Password = 'e4:a4:71:a3:88:6f'
(2) NAS-IP-Address = 127.0.1.1
(2) NAS-Port = 0
(2) Message-Authenticator = 0x866364dcab9fba69fd2508e111d730da
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2)   authorize {
(2)   filter_username filter_username {
(2)     if (!&User-Name)
(2)     if (!&User-Name)  -> FALSE
(2)     if (&User-Name =~ / /)
(2)     if (&User-Name =~ / /)  -> FALSE
(2)     if (&User-Name =~ /@.*@/ )
(2)     if (&User-Name =~ /@.*@/ )  -> FALSE
(2)     if (&User-Name =~ /\\.\\./ )
(2)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(2)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(2)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(2)     if (&User-Name =~ /\\.$/)
(2)     if (&User-Name =~ /\\.$/)   -> FALSE
(2)     if (&User-Name =~ /@\\./)
(2)     if (&User-Name =~ /@\\./)   -> FALSE
(2)   } # filter_username filter_username = notfound
(2)   [preprocess] = ok
(2)   [chap] = noop
(2)   [mschap] = noop
(2)   [digest] = noop
(2)  suffix : Checking for suffix after "@"
(2)  suffix : No '@' in User-Name = "e4:a4:71:a3:88:6f", looking up realm NULL
(2)  suffix : No such realm "NULL"
(2)   [suffix] = noop
(2)  eap : No EAP-Message, not doing EAP
(2)   [eap] = noop
(2)   [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(2)  ldap : EXPAND (macAddress=%{%{Stripped-User-Name}:-%{User-Name}})
(2)  ldap :    --> (macAddress=e4:a4:71:a3:88:6f)
(2)  ldap : EXPAND ou=People,dc=icts,dc=res,dc=in
(2)  ldap :    --> ou=People,dc=icts,dc=res,dc=in
(2)  ldap : Performing search in 'ou=People,dc=icts,dc=res,dc=in' with filter '(macAddress=e4:a4:71:a3:88:6f)', scope 'sub'
(2)  ldap : Waiting for search result...
(2)  ldap : User object found at DN "cn=it section,ou=People,dc=icts,dc=res,dc=in"
(2)  ldap : Processing user attributes
(2)  ldap : control:Password-With-Header += '28:f1:0e:2a:c1:ac'
(2)  ldap : control:Password-With-Header += 'e4:a4:71:a3:88:6f'
(2)  ldap : control:Password-With-Header += '0c:c4:7a:22:63:23'
rlm_ldap (ldap): Released connection (4)
(2)   [ldap] = ok
(2)   [expiration] = noop
(2)   [logintime] = noop
(2)  pap : No {...} in Password-With-Header, re-writing to Cleartext-Password
(2)  WARNING: pap : Config already contains "known good" password. Ignoring Password-With-Header
(2)  WARNING: pap : Config already contains "known good" password. Ignoring Password-With-Header
(2)   [pap] = updated
(2)  } #  authorize = updated
(2) Found Auth-Type = PAP
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2)  Auth-Type PAP {
(2)  pap : Login attempt with password
(2)  ERROR: pap : Cleartext password does not match "known good" password
(2)  pap : Passwords don't match
(2)   [pap] = reject
(2)  } # Auth-Type PAP = reject
(2) Failed to authenticate the user
(2) Using Post-Auth-Type Reject
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2)  Post-Auth-Type REJECT {
(2)  attr_filter.access_reject : EXPAND %{User-Name}
(2)  attr_filter.access_reject :    --> e4:a4:71:a3:88:6f
(2)  attr_filter.access_reject : Matched entry DEFAULT at line 11
(2)   [attr_filter.access_reject] = updated
(2)  eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
(2)   [eap] = noop
(2)   remove_reply_message_if_eap remove_reply_message_if_eap {
(2)     if (&reply:EAP-Message && &reply:Reply-Message)
(2)     if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(2)    else else {
(2)     [noop] = noop
(2)    } # else else = noop
(2)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(2)  } # Post-Auth-Type REJECT = updated
(2) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(2) Sending delayed response
(2) Sending Access-Reject packet to host 172.16.XX.XX port 35697, id=22, length=0
Sending Access-Reject Id 22 from 172.16.XX.XXX:1812 to 172.16.XX.XX:35697
Waking up in 3.9 seconds.
(2) Cleaning up request packet ID 22 with timestamp +24

On Thu, Sep 14, 2017 at 1:42 AM, Matthew Newton <mcn at freeradius.org> wrote:

> On Wed, 2017-09-13 at 22:51 +0530, Srinivasa R wrote:
> > # it section, People, icts.res.in
> > dn: cn=it section,ou=People,dc=XXXX,dc=XXX,dc=XX
> > objectClass: posixAccount
> > objectClass: inetOrgPerson
> > objectClass: organizationalPerson
> > objectClass: person
> > objectClass: top
> > objectClass: ieee802Device
> > homeDirectory: /home/it
> > loginShell: /bin/bash
> > uid: it
> > cn: it section
> > uidNumber: 10001
> > gidNumber: 10000
> > sn: section
> > givenName: it
> > telephoneNumber:
> > mobile:
> > macAddress: 28:f1:0e:2a:c1:ac
> > macAddress: e4:a4:71:a3:88:6f
> > macAddress: 0c:c4:7a:22:63:23
>
> I'm probably missing something here, but can't you just get your LDAP
> server to do the searching for you? i.e. update the ldap filter to
> something like
>
> filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(macAddress=%{Calling-Station-Id}))"
>
> If that returns ok, both User-Name and Calling-Station-Id matched. If
> not, then one or other or both didn't.
>
> --
> Matthew
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
>


Regards,
-- 

Srinivas R
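Added example, not code from the original thread or from FreeRADIUS: a small Python checker that reads debug output in the format shown above and flags requests where the LDAP map loaded more than one Password-With-Header value, since pap rewrites only the first one to Cleartext-Password and ignores the rest. The sample lines are constructed from request (2) above, with the lines the mail client wrapped joined back together.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines from request (2) in the debug log above,
# with the lines that the mail client wrapped joined back together.
SAMPLE_LOG = """\
(2) User-Name = 'e4:a4:71:a3:88:6f'
(2) User-Password = 'e4:a4:71:a3:88:6f'
(2)  ldap : control:Password-With-Header += '28:f1:0e:2a:c1:ac'
(2)  ldap : control:Password-With-Header += 'e4:a4:71:a3:88:6f'
(2)  ldap : control:Password-With-Header += '0c:c4:7a:22:63:23'
(2)  pap : No {...} in Password-With-Header, re-writing to Cleartext-Password
(2)  WARNING: pap : Config already contains "known good" password. Ignoring Password-With-Header
(2)  WARNING: pap : Config already contains "known good" password. Ignoring Password-With-Header
(2)  ERROR: pap : Cleartext password does not match "known good" password
"""

# Every debug line starts with the request number; each pattern captures it.
PRESENTED_RE = re.compile(r"^\((\d+)\)\s+User-Password = '([^']*)'")
LOADED_RE = re.compile(r"^\((\d+)\)\s+ldap : control:Password-With-Header \+= '([^']*)'")
IGNORED_RE = re.compile(r'^\((\d+)\)\s+WARNING: pap : Config already contains "known good" password')
REJECT_RE = re.compile(r'^\((\d+)\)\s+ERROR: pap : Cleartext password does not match')

def parse(log_text):
    """Group the password-related events of the debug output per request id."""
    reqs = defaultdict(lambda: {"presented": None, "loaded": [], "ignored": 0, "rejected": False})
    for line in log_text.splitlines():
        if m := PRESENTED_RE.match(line):
            reqs[m[1]]["presented"] = m[2]
        elif m := LOADED_RE.match(line):
            reqs[m[1]]["loaded"].append(m[2])
        elif m := IGNORED_RE.match(line):
            reqs[m[1]]["ignored"] += 1
        elif m := REJECT_RE.match(line):
            reqs[m[1]]["rejected"] = True
    return dict(reqs)

def findings(log_text):
    """One finding per request that loaded more than one password value: pap compares
    only the first, so a presented password equal to a later value is still rejected."""
    out = []
    for rid, r in parse(log_text).items():
        if len(r["loaded"]) < 2:
            continue
        out.append({"request": rid, "compared_against": r["loaded"][0],
                    "ignored_values": r["loaded"][1:], "ignored_warnings": r["ignored"],
                    "presented_matches_ignored": r["presented"] in r["loaded"][1:],
                    "rejected": r["rejected"]})
    return out
```

Run `findings(open("radiusd.log").read())` against a `radiusd -X` capture; a finding with `presented_matches_ignored` set is exactly the situation in the log above.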