Antw: Re: Additional NDS error messages missing in FR3 ?

Anja Ruckdaeschel Anja.Ruckdaeschel at rz.uni-regensburg.de
Mon Oct 8 16:27:26 CEST 2018


Hi Arran,

Unfortunately, I'm still having trouble accessing all of the error messages.....


Examples with ldap.authenticate and ldap_debug in ldap-Module in post-auth:

An expired Account:
res_errno: 53, res_error: <NDS error: log account expired (-220)>, res_matched: <>
ldap_free_request (origid 6, msgid 6)
ldap_parse_result
ldap_msgfree
(0) ldap: ERROR: Bind was not permitted: Server was unwilling to perform
rlm_ldap (ldap): Released connection (0)

An Account with Intruder Lockout:
res_errno: 53, res_error: <NDS error: login lockout (-197)>, res_matched: <>
ldap_free_request (origid 7, msgid 7)
ldap_parse_result
ldap_msgfree
(22) ldap: ERROR: Bind was not permitted: Server was unwilling to perform
rlm_ldap (ldap): Released connection (7)

----------------------------------------------------------------------------------------

A bad password:
res_errno: 49, res_error: <NDS error: failed authentication (-669)>, res_matched: <>
ldap_free_request (origid 10, msgid 10)
ldap_parse_result
ldap_msgfree
ldap_err2string
(3) ldap: ERROR: Bind credentials incorrect: Invalid credentials
(3) ldap: ERROR: Server said: NDS error: failed authentication (-669).
rlm_ldap (ldap): Released connection (0)


An expired password with no grace logins left:
res_errno: 49, res_error: <NDS error: bad password (-222)>, res_matched: <>
ldap_free_request (origid 6, msgid 6)
ldap_parse_result
ldap_msgfree
ldap_err2string
(0) ldap: ERROR: Bind credentials incorrect: Invalid credentials
(0) ldap: ERROR: Server said: NDS error: bad password (-222).
rlm_ldap (ldap): Released connection (0)

A Station Restriction for the User:
res_errno: 80, res_error: <NDS error: bad station number (-253)>, res_matched: <>
ldap_free_request (origid 10, msgid 10)
ldap_parse_result
ldap_msgfree
ldap_err2string
(3) ldap: ERROR: Bind with XXXX to ldap://xxxxx failed: Other (e.g., implementation specific) error
(3) ldap: ERROR: Server said: NDS error: bad station number (-253).
rlm_ldap (ldap): Released connection (0)


So, if res_errno for example is 49 (LDAP_INVALID_CREDENTIALS) or 80 (LDAP_OTHER) you can access res_error with Module-Failure-Message.
If res_errno is 53 (LDAP_PROC_NOT_PERMTTED) you cannot access res_error with Module-Failure-Message.....

I can only test it with 49, 53 and 80, so I'm not sure if there is more of that kind....


Ciao Anja
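As an added example (not code from this thread or from the FreeRADIUS project), the Python script below parses the debug excerpt quoted above: it pairs each `res_errno`/`res_error` line with the rlm_ldap lines that follow it until the connection is released, and records whether a `Server said:` line (the message rlm_ldap pushes onto Module-Failure-Message) was emitted for that bind. The `LDAP_RESULT_NAMES` mapping, the function names and the classification logic are my own assumptions; the sample transcript is copied from the message.

```python
import re

# Names for the LDAP result codes seen in the excerpt (RFC 4511 names;
# assumed mapping, not taken from the thread).
LDAP_RESULT_NAMES = {
    49: "LDAP_INVALID_CREDENTIALS",
    53: "LDAP_UNWILLING_TO_PERFORM",
    80: "LDAP_OTHER",
}

# Debug transcript copied from the message above (libldap trace + rlm_ldap lines).
SAMPLE_DEBUG = """\
res_errno: 53, res_error: <NDS error: log account expired (-220)>, res_matched: <>
ldap_free_request (origid 6, msgid 6)
ldap_parse_result
ldap_msgfree
(0) ldap: ERROR: Bind was not permitted: Server was unwilling to perform
rlm_ldap (ldap): Released connection (0)
res_errno: 53, res_error: <NDS error: login lockout (-197)>, res_matched: <>
ldap_free_request (origid 7, msgid 7)
ldap_parse_result
ldap_msgfree
(22) ldap: ERROR: Bind was not permitted: Server was unwilling to perform
rlm_ldap (ldap): Released connection (7)
res_errno: 49, res_error: <NDS error: failed authentication (-669)>, res_matched: <>
ldap_free_request (origid 10, msgid 10)
ldap_parse_result
ldap_msgfree
ldap_err2string
(3) ldap: ERROR: Bind credentials incorrect: Invalid credentials
(3) ldap: ERROR: Server said: NDS error: failed authentication (-669).
rlm_ldap (ldap): Released connection (0)
res_errno: 49, res_error: <NDS error: bad password (-222)>, res_matched: <>
ldap_free_request (origid 6, msgid 6)
ldap_parse_result
ldap_msgfree
ldap_err2string
(0) ldap: ERROR: Bind credentials incorrect: Invalid credentials
(0) ldap: ERROR: Server said: NDS error: bad password (-222).
rlm_ldap (ldap): Released connection (0)
res_errno: 80, res_error: <NDS error: bad station number (-253)>, res_matched: <>
ldap_free_request (origid 10, msgid 10)
ldap_parse_result
ldap_msgfree
ldap_err2string
(3) ldap: ERROR: Bind with XXXX to ldap://xxxxx failed: Other (e.g., implementation specific) error
(3) ldap: ERROR: Server said: NDS error: bad station number (-253).
rlm_ldap (ldap): Released connection (0)
"""

# libldap's result line: LDAP result code plus the server's NDS error text and code.
RES_RE = re.compile(r"res_errno:\s*(\d+),\s*res_error:\s*<NDS error: (.+?) \((-?\d+)\)>")
# rlm_ldap line that carries the server message into Module-Failure-Message.
SERVER_SAID_RE = re.compile(r"ldap: ERROR: Server said: (.+)$")
# End of one bind attempt in the transcript.
RELEASED_RE = re.compile(r"rlm_ldap \(ldap\): Released connection")


def parse_bind_attempts(debug_text):
    """Return one dict per bind attempt: LDAP code/name, NDS text/code, and
    whether rlm_ldap emitted a 'Server said:' line for it."""
    attempts = []
    current = None
    for line in debug_text.splitlines():
        m = RES_RE.search(line)
        if m:
            code = int(m.group(1))
            current = {
                "ldap_code": code,
                "ldap_name": LDAP_RESULT_NAMES.get(code, "UNKNOWN"),
                "nds_text": m.group(2).strip(),
                "nds_code": int(m.group(3)),
                "server_said": False,
            }
            continue
        if current is None:
            continue
        if SERVER_SAID_RE.search(line):
            current["server_said"] = True
        if RELEASED_RE.search(line):
            attempts.append(current)
            current = None
    return attempts


def unsurfaced_nds_errors(attempts):
    """NDS codes whose server message never reached Module-Failure-Message."""
    return [a["nds_code"] for a in attempts if not a["server_said"]]


if __name__ == "__main__":
    for a in parse_bind_attempts(SAMPLE_DEBUG):
        print(a)
    print("not surfaced:", unsurfaced_nds_errors(parse_bind_attempts(SAMPLE_DEBUG)))
```

Run against the excerpt, the script reports that the two binds answered with result code 53 (account expired, intruder lockout) carry no `Server said:` line, while the 49 and 80 cases do, which is exactly the gap described in the message; the same parser can be pointed at a longer `-X` transcript to check which NDS conditions a given rlm_ldap build exposes.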


 


>>> "Anja Ruckdaeschel" <Anja.Ruckdaeschel at rz.uni-regensburg.de> 03.10.2018 11:32 >>>
Hi Arran, 

I'm so sorry, I wasn't aware this is a stack. 
You are of course right and the NDS Error message is in there and I can access it.
And my own debugging also only expanded Module-Failure-Message, so I didn't see it. 
Shame on me. 
It works fine now.
Thank you very much again  and have a nice day!

Ciao Anja


________________________________
From: Arran Cudbard-Bell <a.cudbardb at freeradius.org>
Sent: Wednesday, 3 October 2018 08:49
To:
Subject: Re: Antw: Re: Additional NDS error messages missing in FR3 ?

>>> "Arran Cudbard-Bell" <a.cudbardb at freeradius.org> 10/03/2018 08:49 >>>

>> I have a customized  msg_badpass in FR2 with:
>> %{Module-Failure-Message} and %{reply:Reply-Message}
>> 
>> In  FR2 it is in Module-Failure for ldap, e.g.  [ldap] Bind as user failed
>> and in Reply-Message you can find: NDS error: failed authentication (-669).
> 
>  Yeah, that was wrong.  Reply-Message shouldn't be overloaded like that.

Yeah.

> 
>> I checked it with  FR3 with debug_reply after ldap.authenticate (called in Post-Auth for edir-policy-checking and some intruder-triggering) and it's not in the reply  ....
>> If you run with -X, it looks like this (intruder)... 
>> 
>> Tue Oct  2 15:24:19 2018 : Debug: (10) ldap: Waiting for bind result...
>> Tue Oct  2 15:24:22 2018 : ERROR: (10) ldap: Bind credentials incorrect: Invalid credentials
>> Tue Oct  2 15:24:22 2018 : ERROR: (10) ldap: Server said: NDS error: failed authentication (-669).

OK, so the error message *IS* available in v3, OP just isn't accessing it.

>> Tue Oct  2 15:24:22 2018 : Debug: rlm_ldap (ldap): Released connection (1)
>> 
>> I only want to access this ERROR-Message somehow... it does not have to be in Module-Failure-Message...
> 
>  OK, the error should be in the Module-Failure-Message attribute.

It is.  The OP just isn't accessing the different Module-Failure-Messages.  There's no code issue here, there's nothing that needs to be fixed on our side.

OP use &Module-Failure-Message[0], &Module-Failure-Message[1], &Module-Failure-Message[2], etc... to get the different messages.

IIRC "%{Module-Failure-Message[*]}" will get you a concatenation of all the values.

i.e.

update reply {
	Reply-Message := "%{Module-Failure-Message[*]}"
}

The Module-Failure-Message attributes in v3 form an error stack, with any call to REDEBUG or RERROR pushing additional messages onto the top of the stack.

This lets you get the complete progression of errors.

>> 
>> In the FR2-Code I think it's for example here:
>> https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/src/modules/rlm_ldap/rlm_ldap.c#L2101 
>> https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/src/modules/rlm_ldap/rlm_ldap.c#L2233 
>> https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/src/modules/rlm_ldap/rlm_ldap.c#L2253 
>> 
>> 
>> I'm not quite sure were it is in FR3, perhaps it's starting here (with case error 53)  (is it in extra?):
>> https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/modules/rlm_ldap/ldap.c#L748 
> 
>  We'll take a look at adding that back in.

It's already included in v3 and v4.  The error handling and code already deals with this.

-Arran


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html 