Porting ldap module configuration from 2.2.9 to 3.0.15

Olivier Olivier.Nicole at cs.ait.ac.th
Wed Sep 20 07:11:20 CEST 2017


"Fajar A. Nugraha" <list at fajar.net> writes:

> The last part shouldn't be there, since you should've had an entry that
> adds Ldap-UserDN.
>
> It should print something like this
> (0)   authorize {
> (0) files: EXPAND uid=%{User-Name},ou=people,dc=company,dc=com
> (0) files:    --> uid=testuser,ou=people,dc=company,dc=com
> (0) files: users: Matched entry DEFAULT at line 1
> ...
> (0)     [files] = ok
>
> Did you edit the correct file? The default (in ubuntu)
> is /etc/freeradius/users (or /etc/raddb/users in most other distros), which
> is a symlink to mods-config/files/authorize

I found my mistake. When setting the chroot, I copied all raddb with
cp(1) and the symlinks got overwritten by plain files. raddb/users was
not a symlink anymore.

Now I get the correct result for authorize/files. I removed any
reference to ldap in the authorize section of sites-enabled/default.

Now I get the error "ERROR: No Auth-Type found: rejecting the user via
Post-Auth-Type = Reject"

With the full messages being:

Ready to process requests
(0) Received Access-Request Id 162 from 192.41.170.3:19766 to 192.41.170.3:1812 length 72
(0)   User-Name = "on"
(0)   User-Password = "***** password redeacted"
(0)   NAS-IP-Address = 192.41.170.6
(0)   NAS-Port = 0
(0)   Message-Authenticator = 0x768ce2f6e2d22042c783973be35af3b8
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     policy filter_password {
(0)       if (&User-Password &&            (&User-Password != "%{string:User-Password}")) {
(0)       EXPAND %{string:User-Password}
(0)          --> ***** password redeacted
(0)       if (&User-Password &&            (&User-Password != "%{string:User-Password}"))  -> FALSE
(0)     } # policy filter_password = notfound
(0)     [preprocess] = ok
(0) auth_log: EXPAND /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log:    --> /var/log/radacct/192.41.170.3/auth-detail-20170920
(0) auth_log: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/192.41.170.3/auth-detail-20170920
(0) auth_log: EXPAND %t
(0) auth_log:    --> Wed Sep 20 04:48:30 2017
(0)     [auth_log] = ok
(0)     [mschap] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "on", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: EXPAND %{Client-IP-Address}
(0) files:    --> 192.41.170.3
(0) files: users: Matched entry DEFAULT at line 222
(0) files: EXPAND uid=%{User-Name},ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th
(0) files:    --> uid=on,ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th
(0)     [files] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)   } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) Post-Auth-Type sub-section not found.  Ignoring.
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [on/***** password redeacted] (from client fbsd35.cs.ait.ac.th port 0)

Thank you,

Olivier
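As an added example (not part of Olivier's post or of the FreeRADIUS project), here is a small triage script for radiusd -X output of the kind quoted above: it pulls out each module's return code inside the authorize section, the section result, any users-file match and any ERROR line, and then states why the request was rejected. It assumes the 3.0.x debug line formats shown in the post (`(N)     [module] = rcode`, `(N)   } # section = rcode`, `(N) files: users: Matched entry ...`); the embedded sample is a trimmed excerpt of the session above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a trimmed excerpt of the radiusd -X session quoted in the post.
SAMPLE_DEBUG = """\
(0) Received Access-Request Id 162 from 192.41.170.3:19766 to 192.41.170.3:1812 length 72
(0)   User-Name = "on"
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     [preprocess] = ok
(0)     [auth_log] = ok
(0)     [mschap] = noop
(0)     [suffix] = noop
(0)     [eap] = noop
(0) files: users: Matched entry DEFAULT at line 222
(0) files: EXPAND uid=%{User-Name},ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th
(0) files:    --> uid=on,ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th
(0)     [files] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)   } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
"""

# Line shapes taken from the 3.0.x debug output in the post (assumed stable).
MODULE_RC = re.compile(r"^\((\d+)\)\s+\[([\w.-]+)\] = (\w+)$")
SECTION_RC = re.compile(r"^\((\d+)\)\s+\} # (\w+) = (\w+)$")
MATCHED = re.compile(r"^\((\d+)\) files: users: Matched entry (\S+) at line (\d+)$")
ERROR = re.compile(r"^\((\d+)\) ERROR: (.*)$")


def parse_debug(text: str) -> Dict[str, object]:
    """Collect module return codes, section results, users-file matches and errors."""
    modules: List[Tuple[str, str]] = []      # (module name, rcode) in call order
    sections: Dict[str, str] = {}            # section name -> overall rcode
    matched: List[Tuple[str, int]] = []      # (entry name, line number) in the users file
    errors: List[str] = []
    for line in text.splitlines():
        m = MODULE_RC.match(line)
        if m:
            modules.append((m.group(2), m.group(3)))
            continue
        m = SECTION_RC.match(line)
        if m:
            sections[m.group(2)] = m.group(3)
            continue
        m = MATCHED.match(line)
        if m:
            matched.append((m.group(2), int(m.group(3))))
            continue
        m = ERROR.match(line)
        if m:
            errors.append(m.group(2))
    return {"modules": modules, "sections": sections,
            "matched_entries": matched, "errors": errors}


def diagnose(parsed: Dict[str, object]) -> List[str]:
    """Explain a 'No Auth-Type found' rejection from what the authorize section did."""
    findings: List[str] = []
    names = [name for name, _ in parsed["modules"]]
    if not any(e.startswith("No Auth-Type found") for e in parsed["errors"]):
        return findings
    findings.append("authorize returned %s but no module set Auth-Type; modules called: %s"
                    % (parsed["sections"].get("authorize", "?"), ", ".join(names)))
    if "ldap" not in names:
        findings.append("ldap was not called in authorize, so it could not set Auth-Type")
    for entry, lineno in parsed["matched_entries"]:
        findings.append("files matched users entry %s at line %d; check what it sets"
                        % (entry, lineno))
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_debug(SAMPLE_DEBUG)):
        print("-", finding)
```

Run it against a saved `radiusd -X` transcript instead of the sample to get the same summary for a real request; the point is that "No Auth-Type found" is reported only after the authorize section has completed, so the module list above tells you which modules had a chance to set it.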
More information about the Freeradius-Users mailing list