ldap module for user and mac authentication
Dave Macias
davama at gmail.com
Thu Aug 9 14:23:51 CEST 2018
>
> Yes, I had thought of something to the effect of (suggestions welcomed):
>
> if (!"%{ldap:ldap://master1/ou=%{client:shortname},ou=macs,dc=myorg,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
>     if (!"%{ldap:ldap://master2/ou=%{client:shortname},ou=macs,dc=myorg,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
>         reject
>     }
> }
> update {
>     control:Auth-Type := Accept
> }
>
> But this does not account for the scenario of openldap being dead.
> The 1st "if" statement will always be FALSE and never attempt the next
> "if" statement and therefore 'Accept'.
>
I believe I misspoke here...
But interesting observations.
If I use the below code AND have multiple ldap servers configured in my
ldap module, radius '%{ldap:ldap:///...}' will automatically go to the one
that is alive, assuming at least one is alive. IF I have just one ldap
server configured in my ldap module (which is dead), then the 'if' will
FAIL and reject as it should.
if (!"%{ldap:ldap:///ou=%{client:shortname},ou=macs,dc=datacom,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
    reject
}
else {
    update {
        control:Auth-Type := Accept
    }
}
Same results as above (ldap module will use the live ldap server, not the
dead one):
if (!"%{ldap:ldap://dead-ldap-server/ou=%{client:shortname},ou=macs,dc=datacom,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}")
...
...
So what did I learn?
You don't need to use the SRV record for failover, as long as you have all
the ldap servers in your ldap module.
I think it makes sense since '%{ldap:...}' is using the ldap module,
technically, but I would have thought that "ldap:///" or
"ldap://dead-ldap-server/" meant localhost/dead-ldap-server, not
"live.ldap.the-module-found".
Or maybe I'm just completely off...
Hope that makes sense.
(1) if (&NAS-Port-Type == "Ethernet" && &Calling-Station-Id) {
(1) if (&NAS-Port-Type == "Ethernet" && &Calling-Station-Id) -> TRUE
(1) if (&NAS-Port-Type == "Ethernet" && &Calling-Station-Id) {
(1) policy rewrite_calling_station_id {
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(1) update request {
(1) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(1) --> 00-04-F2-DD-98-C6
(1) &Calling-Station-Id := 00-04-F2-DD-98-C6
(1) } # update request = noop
(1) [updated] = updated
(1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
(1) ... skipping else: Preceding "if" was taken
(1) } # policy rewrite_calling_station_id = updated
(1) if
(!"%{ldap:ldap:///ou=%{client:shortname},ou=macs,dc=datacom,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}")
{
rlm_ldap (ldap): Reserved connection (0)
(1) Performing search in "ou=sub-macs,ou=macs,dc=myorg,dc=net" with
filter "(&(objectClass=ieee802Device)(macAddress=00-04-F2-DD-98-C6))",
scope "sub"
(1) Waiting for search result...
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots
used
rlm_ldap (ldap): Connecting to ldap://localhost:389 ldap://ldap2:389
TLSMC: MozNSS compatibility interception begins.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is
present.
tlsmc_intercept_initialization: INFO: successfully intercepted TLS
initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(1) EXPAND
%{ldap:ldap:///ou=%{client:shortname},ou=macs,dc=datacom,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}
(1) --> 0004f2dd98c6
(1) if
(!"%{ldap:ldap:///ou=%{client:shortname},ou=macs,dc=datacom,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}")
-> FALSE
(1) else {
(1) update {
(1) control:Auth-Type := Accept
(1) } # update = noop
(1) } # else = noop
(1) } # if (&NAS-Port-Type == "Ethernet" && &Calling-Station-Id) =
updated
(1) ... skipping else: Preceding "if" was taken
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: Auth-Type already set. Not setting to PAP
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = Accept
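An added example, not part of the original post or of FreeRADIUS itself: it reproduces in Python what the debug output above shows, the rewrite_calling_station_id regex that normalises Calling-Station-Id to 00-04-F2-DD-98-C6 form and the ldap:/// URL that the "if" condition expands, so the two pieces can be checked on sample MACs offline. The host/suffix parameters and the RFC 4515 filter escaping are assumptions added here, not something the post describes.

```python
import re

# Constructed example: the Calling-Station-Id normalisation done by the
# rewrite_calling_station_id policy in the debug log, then the ldap:/// URL
# that the post's "if" condition expands.  Same regex as the policy.
MAC_RE = re.compile(
    r"^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?"
    r"([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$",
    re.IGNORECASE,
)

def rewrite_calling_station_id(value):
    """Return the MAC as %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} would, or
    None when the value does not match the policy regex (its else branch)."""
    m = MAC_RE.match(value)
    if m is None:
        return None
    return "-".join(group.upper() for group in m.groups())

def ldap_filter_escape(value):
    """RFC 4515 escaping of a value placed inside an LDAP search filter
    (assumed extra hardening; the post interpolates the attribute directly)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def build_mac_lookup_url(shortname, calling_station_id,
                         host="", suffix="dc=datacom,dc=net"):
    """Build the ldap://host/base?attrs?scope?filter URL from the post.
    An empty host reproduces 'ldap:///', which the post found is answered by
    whichever server in the ldap module's pool is alive.  Returns None when
    the MAC does not normalise, i.e. the case that can only end in reject."""
    mac = rewrite_calling_station_id(calling_station_id)
    if mac is None:
        return None
    # shortname comes from clients.conf (operator-controlled); the MAC comes
    # from the NAS, so it is both regex-constrained and filter-escaped.
    base = "ou=%s,ou=macs,%s" % (shortname, suffix)
    flt = "(&(objectClass=ieee802Device)(macAddress=%s))" % ldap_filter_escape(mac)
    return "ldap://%s/%s?cn?sub?%s" % (host, base, flt)

if __name__ == "__main__":
    for csid in ("0004f2dd98c6", "00:04:F2:DD:98:C6", "not-a-mac"):
        print(csid, "->", build_mac_lookup_url("sub-macs", csid))
```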