Antw: Re: Additional NDS error messages missing in FR3 ?

Anja Ruckdaeschel Anja.Ruckdaeschel at rz.uni-regensburg.de
Tue Oct 2 20:08:48 CEST 2018 

Hi Alan and Arran,

that sounds great.
Thank you very much and  have a nice day.

Ciao Anja


Sent from Nine
________________________________
Von: Alan DeKok <aland at deployingradius.com>
Gesendet: Dienstag, 2. Oktober 2018 19:47
An:
Betreff: Re: Antw: Re: Additional NDS error messages missing in FR3 ?

>>> "Alan DeKok" <aland at deployingradius.com> 10/02/2018 19:47 >>>
On Oct 2, 2018, at 10:44 AM, Anja Ruckdaeschel <Anja.Ruckdaeschel at rz.uni-regensburg.de> wrote:
> I don't know what you exactly mean with  "multiple instances of Module-Failure-Message"....
> But if you mean fail, userlock, reeject, ...., than it's not there....

  That's mainly in v3.

> I have a customized  msg_badpass in FR2 with:
> %{Module-Failure-Message} and %{reply:Reply-Message}
> 
> In  FR2 it is in Module-Failure for ldap, e.g.  [ldap] Bind as user failed
> and in Reply-Message you can find: NDS error: failed authentication (-669).

  Yeah, that was wrong.  Reply-Message shouldn't be overloaded like that.

> I checked it with  FR3 with debug_reply after ldap.authenticate (called in Post-Auth for edir-policy-checking and some intruder-triggering) and it's not in the reply  ....
> If you run with -X, it looks like this (intruder)... 
> 
> Tue Oct  2 15:24:19 2018 : Debug: (10) ldap: Waiting for bind result...
> Tue Oct  2 15:24:22 2018 : ERROR: (10) ldap: Bind credentials incorrect: Invalid credentials
> Tue Oct  2 15:24:22 2018 : ERROR: (10) ldap: Server said: NDS error: failed authentication (-669).
> Tue Oct  2 15:24:22 2018 : Debug: rlm_ldap (ldap): Released connection (1)
> 
> I only want to access this ERROR-Message somehow... it does not have to be in Module-Failure-Message...

  OK, the error should be in the Module-Failure-Message attribute.

> 
> In the FR2-Code I think it's for example here:
> https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/src/modules/rlm_ldap/rlm_ldap.c#L2101
> https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/src/modules/rlm_ldap/rlm_ldap.c#L2233 
> https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/src/modules/rlm_ldap/rlm_ldap.c#L2253 
> 
> 
> I'm not quite sure were it is in FR3, perhaps it's starting here (with case error 53)  (is it in extra?):
> https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/modules/rlm_ldap/ldap.c#L748 

  We'll take a look at adding that back in.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list