Freeradius 3 with LDAP Authentication Bind as User
Jason Leiby
leibyj at gmail.com
Mon Jun 1 16:23:27 CEST 2020
Hi Alan,
Thank you for the link to Network Radius. I was unaware that there was an
issue with redhat and the standard freeradius packages. I have upgraded to
3.0.21 after adding the repositories in your link. This has fixed the
chase_referrals issue, but I am still not binding as the user to LDAP.
When performing a wireshark capture, the bind user shows as "<ROOT>
simple". Do I need to set the ldap attributes to provide the user and
password to the far end?
Here is the latest output after upgrade and repository addition:
(3) Received Access-Request Id 1 from 1.1.1.201:65445 to 1.1.1.190:1812
length 58
(3) NAS-IP-Address = 0.0.0.0
(3) User-Name = "testuser"
(3) User-Password = "testpasswd123\000]\n"
(3) NAS-Port = 0
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) policy filter_password {
(3) if (&User-Password && (&User-Password !=
"%{string:User-Password}")) {
(3) EXPAND %{string:User-Password}
(3) --> testpasswd123
(3) if (&User-Password && (&User-Password !=
"%{string:User-Password}")) -> TRUE
(3) if (&User-Password && (&User-Password !=
"%{string:User-Password}")) {
(3) update request {
(3) EXPAND %{string:User-Password}
(3) --> testpasswd123
(3) &Tmp-String-0 := testpasswd123
(3) EXPAND %{string:Tmp-String-0}
(3) --> testpasswd123
(3) &User-Password := testpasswd123
(3) } # update request = noop
(3) } # if (&User-Password && (&User-Password !=
"%{string:User-Password}")) = noop
(3) } # policy filter_password = noop
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "testuser", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: No EAP-Message, not doing EAP
(3) [eap] = noop
(3) [files] = noop
(3) sql: EXPAND %{User-Name}
(3) sql: --> testuser
(3) sql: SQL-User-Name set to 'testuser'
rlm_sql (sql): Closing connection (11): Hit idle_timeout, was idle for 96
seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (12): Hit idle_timeout, was idle for 96
seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (10): Hit idle_timeout, was idle for 95
seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (13): Hit idle_timeout, was idle for 95
seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare"
rlm_sql (sql): Opening additional connection (14), 1 of 32 pending slots
used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket,
server version 5.5.65-MariaDB, protocol version 10
rlm_sql (sql): Reserved connection (14)
(3) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id
(3) sql: --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'testuser' ORDER BY id
(3) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'testuser' ORDER BY id
(3) sql: User found in radcheck table
(3) sql: Conditional check items matched, merging assignment check items
(3) sql: Auth-Type := PAP
(3) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply
WHERE username = '%{SQL-User-Name}' ORDER BY id
(3) sql: --> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'testuser' ORDER BY id
(3) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radreply WHERE username = 'testuser' ORDER BY id
rlm_sql (sql): 1 of 1 connections in use. You may need to increase "spare"
rlm_sql (sql): Opening additional connection (15), 1 of 31 pending slots
used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket,
server version 5.5.65-MariaDB, protocol version 10
rlm_sql (sql): Reserved connection (15)
rlm_sql (sql): Released connection (15)
Need 1 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (16), 1 of 30 pending slots
used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket,
server version 5.5.65-MariaDB, protocol version 10
(3) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(3) sql: --> SELECT groupname FROM radusergroup WHERE username =
'testuser' ORDER BY priority
(3) sql: Executing select query: SELECT groupname FROM radusergroup WHERE
username = 'testuser' ORDER BY priority
(3) sql: User found in the group table
(3) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(3) sql: --> SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = 'sonus-admin' ORDER BY id
(3) sql: Executing select query: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = 'sonus-admin' ORDER BY id
(3) sql: Group "sonus-admin": Conditional check items matched
(3) sql: Group "sonus-admin": Merging assignment check items
(3) sql: EXPAND SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(3) sql: --> SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = 'sonus-admin' ORDER BY id
(3) sql: Executing select query: SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = 'sonus-admin' ORDER BY id
(3) sql: Group "sonus-admin": Merging reply items
(3) sql: GroupName := "Administrator"
rlm_sql (sql): Released connection (14)
(3) [sql] = ok
rlm_ldap (ldap): Closing connection (8): Hit idle_timeout, was idle for 95
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (9): Hit idle_timeout, was idle for 95
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase
"spare"
rlm_ldap (ldap): Opening additional connection (10), 1 of 32 pending slots
used
rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Reserved connection (10)
(3) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
(3) ldap: --> (samaccountname=testuser)
(3) ldap: Performing search in "OU=Employees,OU=Domain
Users,DC=example,DC=com" with filter "(samaccountname=testuser)", scope
"sub"
(3) ldap: Waiting for search result...
(3) ldap: ERROR: Failed performing search: Operations error with LDAP
database. Please see the LDAP server configuration / documentation for
more information.
(3) ldap: ERROR: Server said: 000004DC: LdapErr: DSID-0C0907E1, comment: In
order to perform this operation a successful bind must be completed on the
connection., data 0, v2580.
rlm_ldap (ldap): Released connection (10)
Need 2 more connections to reach min connections (3)
rlm_ldap (ldap): Opening additional connection (11), 1 of 31 pending slots
used
rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(3) [ldap] = fail
(3) } # authorize = fail
(3) Invalid user (ldap: Failed performing search: Operations error with
LDAP database. Please see the LDAP server configuration / documentation
for more information.): [testuser] (from client 1.1.1.201 port 0)
(3) Using Post-Auth-Type Reject
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) Post-Auth-Type REJECT {
(3) sql: EXPAND .query
(3) sql: --> .query
(3) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (14)
(3) sql: EXPAND %{User-Name}
(3) sql: --> testuser
(3) sql: SQL-User-Name set to 'testuser'
(3) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S.%M')
(3) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( 'testuser', 'testpasswd123', 'Access-Reject', '2020-06-01
08:48:57.890570')
(3) sql: Executing query: INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( 'testuser', 'testpasswd123', 'Access-Reject',
'2020-06-01 08:48:57.890570')
(3) sql: SQL query returned: success
(3) sql: 1 record(s) updated
rlm_sql (sql): Released connection (14)
Need 7 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (17), 1 of 29 pending slots
used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket,
server version 5.5.65-MariaDB, protocol version 10
(3) [sql] = ok
(3) attr_filter.access_reject: EXPAND %{User-Name}
(3) attr_filter.access_reject: --> testuser
(3) attr_filter.access_reject: Matched entry DEFAULT at line 11
(3) [attr_filter.access_reject] = updated
(3) [eap] = noop
(3) policy remove_reply_message_if_eap {
(3) if (&reply:EAP-Message && &reply:Reply-Message) {
(3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(3) else {
(3) [noop] = noop
(3) } # else = noop
(3) } # policy remove_reply_message_if_eap = noop
(3) } # Post-Auth-Type REJECT = updated
(3) Delaying response for 1.000000 seconds
Waking up in 0.9 seconds.
(3) (3) Discarding duplicate request from client 1.1.1.201 port 65445 - ID:
1 due to delayed response
Waking up in 0.3 seconds.
(3) Sending delayed response
(3) Sent Access-Reject Id 1 from 1.1.1.190:1812 to 1.1.1.201:65445 length 20
Waking up in 3.9 seconds.
(3) Cleaning up request packet ID 1 with timestamp +1251
Ready to process requests
On Fri, May 29, 2020 at 3:19 PM Alan DeKok <aland at deployingradius.com>
wrote:
> On May 29, 2020, at 3:06 PM, Jason Leiby <leibyj at gmail.com> wrote:
> >
> > I placed the auth-type update control snippet in the authenticate section
>
> No... you have to update Auth-Type *before* the authenticate section, in
> the authorize section.
>
> When you set Auth-Type, you're telling the server which "authenticate"
> sub-section to use. So putting an "update control" in the authenticate
> section does nothing.
>
> > and I still get the same error message of:
> >
> > (1) ldap: ERROR: Failed performing search: Please set
> 'chase_referrals=yes'
> > and 'rebind=yes'. See the ldap module configuration for details.
> > (1) ldap: ERROR: Server said: 000004DC: LdapErr: DSID-0C0907E1, comment:
> In
> > order to perform this operation a successful bind must be completed on
> the
> > connection., data 0, v2580.
> >
> > What is also strange is that the first error about chase_referrals and
> > rebind should be gone as I have those flags uncommented in the ldap
> module
>
> Those settings are still commented out. If "chase_referrals" was set,
> the error would be:
>
> Operations error with LDAP database. Please see the LDAP server
> configuration / documentation for more information.
>
>
> > Here is the full output from radiusd -X
>
> If you read the *rest* of the debug output, you will see it printing out
> the configuration for the LDAP module. And "chase_referrals" won't be set.
>
> > ...
> > rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389
> > TLSMC: MozNSS compatibility interception begins.
> > tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration
> is
> > present.
> > tlsmc_intercept_initialization: INFO: successfully intercepted TLS
> > initialization. Continuing with OpenSSL only.
>
> Arg. You're using RedHat, which (in their infinite wisdom) decided to
> switch libldap to something which isn't compatible with OpenSSL.
>
> FreeRADIUS uses OpenSSL. I suspect this incompatibility will cause
> issues. For more details, see http://packages.networkradius.com
>
> We provide *working* packages, and documentation on how to fix issues
> created by OS vendors.
>
> > TLSMC: MozNSS compatibility interception ends.
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Bind successful
> > rlm_ldap (ldap): Reserved connection (6)
> > (1) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
> > (1) ldap: --> (samaccountname=testuser)
> > (1) ldap: Performing search in "OU=Employees,OU=Domain
> > Users,DC=example,DC=com" with filter "(samaccountname=testuser)", scope
> > "sub"
> > (1) ldap: Waiting for search result...
> > (1) ldap: ERROR: Failed performing search: Please set
> 'chase_referrals=yes'
> > and 'rebind=yes'. See the ldap module configuration for details.
>
> You don't have "chase_referrals = yes".
>
> Fix that first. Then try switching to a different FreeRADIUS package.
>
> Alan DeKok.
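The configuration pattern Alan describes, written out as an added example (it is not the poster's files and not a verbatim copy of the FreeRADIUS defaults): the ldap module only binds as the user in the authenticate section, under Auth-Type LDAP, and that Auth-Type has to be set in authorize. The service-account DN, the password placeholder and the tls section are assumptions; the base DN, filter and server are the ones visible in the debug output.

```unlang
# mods-available/ldap (symlinked into mods-enabled). Assumed example config.
ldap {
	server = 'ldap.example.com'
	port = 389

	# Service account used only for the authorize-phase search. With no
	# identity/password the module binds anonymously (the "<ROOT> simple"
	# bind in the capture), and Active Directory refuses to search on
	# an unauthenticated connection, which is the 000004DC error above.
	identity = 'CN=radius-svc,OU=Service Accounts,DC=example,DC=com'   # assumed
	password = '<service-account-password-placeholder>'

	# Active Directory returns referrals; without these the search fails.
	chase_referrals = yes
	rebind = yes

	# Bind-as-user sends the user's cleartext password to the directory,
	# so protect the connection. Section name is rlm_ldap's; values assumed.
	tls {
		start_tls = yes
		require_cert = 'demand'
	}

	user {
		base_dn = 'OU=Employees,OU=Domain Users,DC=example,DC=com'
		filter = "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
}

# sites-enabled/default, trimmed to the parts that matter here.
server default {
	authorize {
		preprocess
		suffix
		sql
		ldap
		# Auth-Type is chosen HERE, in authorize. The ":=" overrides an
		# Auth-Type set by an earlier module (the debug shows sql setting
		# Auth-Type := PAP from radcheck). User-Password is needed because
		# the bind below uses the cleartext password; CHAP/MS-CHAP cannot.
		if ((ok || updated) && User-Password) {
			update control {
				Auth-Type := ldap
			}
		}
	}

	authenticate {
		# Only this branch binds to LDAP as the user, with the DN found by
		# the authorize-phase search and the request's User-Password.
		Auth-Type LDAP {
			ldap
		}
	}
}
```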