Porting ldap module configuration from 2.2.9 to 3.0.15

Olivier Olivier.Nicole at cs.ait.ac.th
Thu Sep 21 09:03:47 CEST 2017


Thank you Stefan,

> Have a look in your authorize section... You should have this in your
> authorize section too (*after* the 'pap' line, which should be active):
>
> if (&request:User-Password) {
>   update control {
>     Auth-Type = ldap
>   }
> }

I used

	if ((&request:User-Password) && (Client-IP-Address == "192.41.170.3")) {
	  update control {
	    Auth-Type = LDAPFIREWALL
	    Ldap-UserDN = "uid=%{User-Name},ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
	  }
	}

instead, and it works fine. I can customize it by client IP (having
different instances of the ldap module, with different filters).

It seems to work even if authorize pap has been disabled...

>
> Note that the operator is '=', not ':='. This means that an Auth-Type is
> only set when none exists.
>
> The message about the server no longer authenticating cleartext passwords
> in the User-Password attribute only refers to entries in the 'users' file
> or other backends (such as databases). AFAIK, RADIUS protocol will always
> continue to send User-Password, which the PAP module (and others) will
> decode based on what they find in it.
>
> Given that your Access-Request packet does contain User-Password, I
> suspect it's the fact that you don't set an Auth-Type with unlang that it
> fails.
>
> V3 is much more powerful and flexible (but stricter).

Indeed.

I am left with a warning:

(0)     [ldap_firewall] = ok
(0)   } # Auth-Type LDAPFIREWALL = ok
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0)   post-auth {
(0)     update {
(0)       No attributes updated
(0)     } # update = noop
(0) reply_log: EXPAND /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
(0) reply_log:    --> /var/log/radacct/192.41.170.3/reply-detail-20170921
(0) reply_log: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/radacct/192.41.170.3/reply-detail-20170921
(0) reply_log: WARNING: Skipping empty packet
(0)     [reply_log] = ok

I am not sure how to eliminate this "WARNING: Skipping empty packet".

Best regards,

Olivier
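Editor's note: the configuration below is an added example laid out end to end for FreeRADIUS 3.0.x; it is not part of Olivier's or Stefan's messages and not the project's shipped configuration. It shows the pattern discussed in the thread: two ldap instances with different search filters, per-client Auth-Type selection in authorize placed after pap, matching Auth-Type sections in authenticate, and a post-auth that gives reply_log something to write. The second instance ldap_staff, its subtree and group filter, the LDAP hostname and the client 192.0.2.10 are assumptions for illustration; only ldap_firewall, the client 192.41.170.3 and the csim user DN come from the thread.

```unlang
# raddb/mods-available/ldap (symlinked into mods-enabled): one ldap instance
# per client population. Each instance can carry its own subtree and filter.
ldap ldap_firewall {
	server = 'ldap.cs.ait.ac.th'            # assumed hostname
	base_dn = 'dc=cs,dc=ait,dc=ac,dc=th'
	user {
		base_dn = "ou=People,ou=csim,${..base_dn}"
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
}

ldap ldap_staff {                               # assumed second instance
	server = 'ldap.cs.ait.ac.th'            # assumed hostname
	base_dn = 'dc=cs,dc=ait,dc=ac,dc=th'
	user {
		base_dn = "ou=Staff,${..base_dn}"                    # assumed subtree
		# assumed filter: restrict this path to members of one group
		filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=cn=staff,ou=Groups,${..base_dn}))"
	}
}

# raddb/sites-available/default (only the relevant sections shown)
server default {
	authorize {
		preprocess
		pap     # keep active; it only sets Auth-Type when a known-good password exists

		# '=' sets Auth-Type only if nothing earlier (e.g. pap) already set it.
		if (&request:User-Password) {
			if (&Client-IP-Address == "192.41.170.3") {     # firewall NAS from the thread
				update control {
					Auth-Type = LDAPFIREWALL
					# Bind DN built directly from User-Name, skipping the LDAP search
					LDAP-UserDN = "uid=%{User-Name},ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
				}
			}
			elsif (&Client-IP-Address == "192.0.2.10") {     # assumed second NAS
				update control {
					Auth-Type = LDAPSTAFF
				}
			}
			# Any other client falls through with no Auth-Type and is rejected
			# by the server ("No Auth-Type found"); no explicit reject is needed.
		}
	}

	authenticate {
		# An Auth-Type value only exists if a section of that name is defined here.
		Auth-Type LDAPFIREWALL {
			ldap_firewall
		}
		Auth-Type LDAPSTAFF {
			ldap_staff
		}
	}

	post-auth {
		# reply_log is an rlm_detail instance; it logs "Skipping empty packet"
		# when the packet it is asked to write has no attributes. An Access-Accept
		# with at least one reply attribute is written normally.
		update reply {
			Reply-Message := "Access granted"
		}
		reply_log
	}
}
```

The "WARNING: Skipping empty packet" in the debug output comes from the detail module being handed an Access-Accept that carried no attributes, since nothing in the flow above added any. Adding a reply attribute as shown makes reply_log write the entry; if reply logging is not wanted at all, removing `reply_log` from post-auth is the other clean way to silence it. Note that the bind-DN shortcut via control:LDAP-UserDN trusts the User-Name as sent by the NAS, so it should only be used where the client population is known (as the per-client-IP condition ensures).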

