I would like to ldap bind with username instead of DN
Wessel Louwris
wessel at stutit.nl
Sun Jun 21 17:08:57 CEST 2020
> Op 19 jun. 2020, om 16:55 heeft Alan DeKok <aland at deployingradius.com> het volgende geschreven:
>
> On Jun 19, 2020, at 8:11 AM, Wessel Louwris <wessel at stutit.nl> wrote:
>>
>> I would like to bind with the given username and skip the ldapsearch, so I implemented
>>
>> DEFAULT Ldap-UserDN := "%{User-Name}"
>>
>> in my authorize file (as described on https://wiki.freeradius.org/modules/Rlm_ldap).
>>
>> Unfortunately this does not seem to be enough, because it is still binding with the DN:
>>
>> (6) ldap: Login attempt by "user at company.nl "
>
> It helps to show the FULL debug output. You've deleted 99% of the output. That means we don't know what else is going on.
>
>> (6) ldap: Using user DN from request "uid= user,ou=Users,dc=example,dc=com" # this is a wrong DN returned by ldapsearch
>> (6) ldap: Waiting for bind result...
>> (6) ldap: ERROR: Bind credentials incorrect: Invalid credentials
>
> My guess is that you're running the "files" module (which reads the users file) *after* the ldap module.
>
> Alan DeKok.
If I authenticate with user migr03 at company.nl (which is not our main domain example.nl) I get the log below.
With mig01 at example.nl everything works fine (although it still binds with the full DN) and I can authenticate.
I hoped that DEFAULT Ldap-UserDN := "%{User-Name}" in my /etc/freeradius/mods-config/files/authorize would skip the ldapsearch and go straight to binding with this username.
I have also pasted my ldap, authorize and default files below the log.
Thanks,
Wessel
## migr03 at company.nl
(97) Received Access-Request Id 35 from 10.164.0.3:37310 to 172.17.0.6:1812 length 591
(97) User-Name = "migr03 at company.nl"
(97) NAS-IP-Address = 172.16.16.101
(97) NAS-Identifier = "4C-B1-CD-4A-B3-A8"
(97) Called-Station-Id = "4C-B1-CD-4A-B3-A8:example"
(97) NAS-Port-Type = Wireless-802.11
(97) Service-Type = Framed-User
(97) NAS-Port = 1
(97) Calling-Station-Id = "A4-5E-60-DC-05-CF"
(97) Location-Data = 0x31304e4c17174d616b657273747265657420446576656c6f706d656e74
(97) Location-Data = 0x32304e4c1626467265642e526f65736b65737472616174393745203130373645432020416d7374657264616d
(97) Connect-Info = "CONNECT 802.11"
(97) Acct-Session-Id = "5EEF7342-0AB3A001"
(97) Acct-Multi-Session-Id = "A737E56E6E72BF9E"
(97) WLAN-Pairwise-Cipher = 1027076
(97) WLAN-Group-Cipher = 1027076
(97) WLAN-AKM-Suite = 1027073
(97) Ruckus-SSID = "example"
(97) Ruckus-BSSID = 0x4cb1cd4ab3a8
(97) Ruckus-Location = "example"
(97) Ruckus-VLAN-ID = 1
(97) Ruckus-SCG-CBlade-IP = 600626236
(97) Attr-26.25053.155 = 0x41646d696e697374726174696f6e20446f6d61696e
(97) Ruckus-Zone-Name = "example"
(97) Ruckus-Wlan-Name = "example"
(97) EAP-Message = 0x025e003f1580000000351703030030e8e23bf39036dbd45371248590343102796b93bf10fbc8d28cf32ed50809ee15c4d28a12a2eb53c18cf686e0dda17e41
(97) State = 0x2469b8502137ad1a348bcdde947a8261
(97) Chargeable-User-Identity = 0x00
(97) Message-Authenticator = 0xb1d164eef1c5725a9f35050eecb2bde7
(97) Event-Timestamp = "Jun 21 2020 14:48:35 UTC"
(97) Proxy-State = 0x3635
(97) Restoring &session-state
(97) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(97) &session-state:TLS-Session-Version = "TLS 1.2"
(97) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(97) authorize {
(97) policy filter_username {
(97) if (&User-Name) {
(97) if (&User-Name) -> TRUE
(97) if (&User-Name) {
(97) if (&User-Name =~ / /) {
(97) if (&User-Name =~ / /) -> FALSE
(97) if (&User-Name =~ /@[^@]*@/ ) {
(97) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(97) if (&User-Name =~ /\.\./ ) {
(97) if (&User-Name =~ /\.\./ ) -> FALSE
(97) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(97) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(97) if (&User-Name =~ /\.$/) {
(97) if (&User-Name =~ /\.$/) -> FALSE
(97) if (&User-Name =~ /@\./) {
(97) if (&User-Name =~ /@\./) -> FALSE
(97) } # if (&User-Name) = notfound
(97) } # policy filter_username = notfound
(97) [preprocess] = ok
(97) [digest] = noop
(97) suffix: Checking for suffix after "@"
(97) suffix: Looking up realm "company.nl" for User-Name = "migr03 at company.nl"
(97) suffix: No such realm "company.nl"
(97) [suffix] = noop
(97) eap: Peer sent EAP Response (code 2) ID 94 length 63
(97) eap: Continuing tunnel setup
(97) [eap] = ok
(97) } # authorize = ok
(97) Found Auth-Type = eap
(97) # Executing group from file /etc/freeradius/sites-enabled/default
(97) authenticate {
(97) eap: Expiring EAP session with state 0x16172ce416162ae1
(97) eap: Finished EAP session with state 0x2469b8502137ad1a
(97) eap: Previous EAP request found for state 0x2469b8502137ad1a, released from the list
(97) eap: Peer sent packet with method EAP TTLS (21)
(97) eap: Calling submodule eap_ttls to process data
(97) eap_ttls: Authenticate
(97) eap_ttls: Continuing EAP-TLS
(97) eap_ttls: Peer indicated complete TLS record size will be 53 bytes
(97) eap_ttls: Got complete TLS record (53 bytes)
(97) eap_ttls: [eaptls verify] = length included
(97) eap_ttls: [eaptls process] = ok
(97) eap_ttls: Session established. Proceeding to decode tunneled attributes
(97) eap_ttls: Got tunneled request
(97) eap_ttls: EAP-Message = 0x0201000d06353e643650396179
(97) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(97) eap_ttls: Sending tunneled request
(97) Virtual server inner-tunnel received request
(97) EAP-Message = 0x0201000d06353e643650396179
(97) FreeRADIUS-Proxied-To = 127.0.0.1
(97) User-Name = "migr03 at company.nl"
(97) State = 0x16172ce416162ae179e6db30cac8670e
(97) WARNING: Outer and inner identities are the same. User privacy is compromised.
(97) server inner-tunnel {
(97) session-state: No cached attributes
(97) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
(97) authorize {
(97) policy filter_username {
(97) if (&User-Name) {
(97) if (&User-Name) -> TRUE
(97) if (&User-Name) {
(97) if (&User-Name =~ / /) {
(97) if (&User-Name =~ / /) -> FALSE
(97) if (&User-Name =~ /@[^@]*@/ ) {
(97) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(97) if (&User-Name =~ /\.\./ ) {
(97) if (&User-Name =~ /\.\./ ) -> FALSE
(97) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(97) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(97) if (&User-Name =~ /\.$/) {
(97) if (&User-Name =~ /\.$/) -> FALSE
(97) if (&User-Name =~ /@\./) {
(97) if (&User-Name =~ /@\./) -> FALSE
(97) } # if (&User-Name) = notfound
(97) } # policy filter_username = notfound
(97) suffix: Checking for suffix after "@"
(97) suffix: Looking up realm "company.nl" for User-Name = "migr03 at company.nl"
(97) suffix: No such realm "company.nl"
(97) [suffix] = noop
(97) update control {
(97) &Proxy-To-Realm := LOCAL
(97) } # update control = noop
(97) eap: Peer sent EAP Response (code 2) ID 1 length 13
(97) eap: No EAP Start, assuming it's an on-going EAP conversation
(97) [eap] = updated
rlm_ldap (ldap): Reserved connection (23)
(97) ldap: EXPAND (mail=%{User-Name})
(97) ldap: --> (mail=migr03 at company.nl)
(97) ldap: Performing search in "dc=example,dc=nl" with filter "(mail=migr03 at company.nl)", scope "sub"
(97) ldap: Waiting for search result...
(97) ldap: User object found at DN "uid=migr03,ou=Users,dc=example,dc=nl"
(97) ldap: Processing user attributes
(97) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(97) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (23)
(97) [ldap] = ok
(97) [expiration] = noop
(97) [logintime] = noop
(97) [pap] = noop
(97) if (User-Password) {
(97) if (User-Password) -> FALSE
(97) } # authorize = updated
(97) Found Auth-Type = eap
(97) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(97) authenticate {
(97) eap: Expiring EAP session with state 0x16172ce416162ae1
(97) eap: Finished EAP session with state 0x16172ce416162ae1
(97) eap: Previous EAP request found for state 0x16172ce416162ae1, released from the list
(97) eap: Peer sent packet with method EAP GTC (6)
(97) eap: Calling submodule eap_gtc to process data
(97) eap_gtc: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(97) eap_gtc: Auth-Type PAP {
rlm_ldap (ldap): Reserved connection (28)
(97) ldap: Login attempt by "migr03 at company.nl"
(97) ldap: Using user DN from request "uid=migr03,ou=Users,dc=example,dc=nl"
(97) ldap: Waiting for bind result...
(97) ldap: ERROR: Bind credentials incorrect: Invalid credentials
(97) ldap: ERROR: Server said: Incorrect password.
rlm_ldap (ldap): Released connection (28)
(97) eap_gtc: [ldap] = reject
(97) eap_gtc: } # Auth-Type PAP = reject
(97) eap: ERROR: Failed continuing EAP GTC (6) session. EAP sub-module failed
(97) eap: Sending EAP Failure (code 4) ID 1 length 4
(97) eap: Failed in EAP select
(97) [eap] = invalid
(97) } # authenticate = invalid
(97) Failed to authenticate the user
(97) Using Post-Auth-Type Reject
(97) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(97) Post-Auth-Type REJECT {
(97) attr_filter.access_reject: EXPAND %{User-Name}
(97) attr_filter.access_reject: --> migr03 at company.nl
(97) attr_filter.access_reject: Matched entry DEFAULT at line 11
(97) [attr_filter.access_reject] = updated
(97) update outer.session-state {
(97) &Module-Failure-Message := &request:Module-Failure-Message -> 'ldap: Bind credentials incorrect: Invalid credentials'
(97) } # update outer.session-state = noop
(97) } # Post-Auth-Type REJECT = updated
(97) } # server inner-tunnel
(97) Virtual server sending reply
(97) EAP-Message = 0x04010004
(97) Message-Authenticator = 0x00000000000000000000000000000000
(97) eap_ttls: Got tunneled Access-Reject
(97) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
(97) eap: Sending EAP Failure (code 4) ID 94 length 4
(97) eap: Failed in EAP select
(97) [eap] = invalid
(97) } # authenticate = invalid
(97) Failed to authenticate the user
(97) Using Post-Auth-Type Reject
(97) # Executing group from file /etc/freeradius/sites-enabled/default
(97) Post-Auth-Type REJECT {
(97) attr_filter.access_reject: EXPAND %{User-Name}
(97) attr_filter.access_reject: --> migr03 at company.nl
(97) attr_filter.access_reject: Matched entry DEFAULT at line 11
(97) [attr_filter.access_reject] = updated
(97) [eap] = noop
(97) policy remove_reply_message_if_eap {
(97) if (&reply:EAP-Message && &reply:Reply-Message) {
(97) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(97) else {
(97) [noop] = noop
(97) } # else = noop
(97) } # policy remove_reply_message_if_eap = noop
(97) } # Post-Auth-Type REJECT = updated
(97) Delaying response for 1.000000 seconds
Waking up in 0.9 seconds.
(97) Sending delayed response
(97) Sent Access-Reject Id 35 from 172.17.0.6:1812 to 10.164.0.3:37310 length 48
(97) EAP-Message = 0x045e0004
(97) Message-Authenticator = 0x00000000000000000000000000000000
(97) Proxy-State = 0x3635
Waking up in 3.1 seconds.
(91) Cleaning up request packet ID 234 with timestamp +898
(92) Cleaning up request packet ID 242 with timestamp +898
(93) Cleaning up request packet ID 173 with timestamp +898
(94) Cleaning up request packet ID 28 with timestamp +898
(95) Cleaning up request packet ID 24 with timestamp +898
(96) Cleaning up request packet ID 144 with timestamp +898
Waking up in 0.5 seconds.
(97) Cleaning up request packet ID 35 with timestamp +898
Ready to process requests
My ldap config /etc/freeradius/mods-available/ldap:
# rlm_ldap instance used by the virtual servers. identity/password are the
# module's own bind credentials for the user search (redacted in the post).
ldap {
# ldaps:// on 636: TLS from the first byte, which is why start_tls = no in the
# tls { } section below is consistent with this URL.
server = 'ldaps://ldap.google.com'
port = 636
identity = 'XX'
password = XX
base_dn = 'dc=example,dc=nl'
sasl {
}
# Maps attributes of the found user object onto the RADIUS control/request/reply lists.
update {
# NOTE(review): Password-With-Header and Cleartext-Password both read 'userPassword'.
# If that attribute were ever readable and stored hashed, Cleartext-Password would be
# assigned the hash string verbatim. The posted debug output reports that no "known
# good" password was returned at all, so bind-as-user is the only path actually in use.
control:Password-With-Header += 'userPassword'
control:Cleartext-Password := 'userPassword'
control:NT-Password := 'ntPassword'
control: += 'radiusControlAttribute'
request: += 'radiusRequestAttribute'
reply: += 'radiusReplyAttribute'
}
# Attribute the module consults for a pre-set user DN instead of searching.
# In the posted inner-tunnel debug output, ldap runs the search in authorize,
# finds "uid=migr03,ou=Users,dc=example,dc=nl", and authenticate then reports
# "Using user DN from request" with that same DN, i.e. the cached search result
# rather than a value set by the files module (no files call is visible before
# ldap in that server's authorize section; confirm against sites-enabled/inner-tunnel).
user_dn = "LDAP-UserDn"
user {
base_dn = "${..base_dn}"
# User-Name is expanded into the search filter; the debug output shows the
# expansion as (mail=migr03 at company.nl). Presumably the module applies its own
# LDAP filter escaping to this expansion; verify before relying on it for
# attacker-controlled identities.
filter = "(mail=%{User-Name})"
sasl {
}
}
group {
base_dn = "${..base_dn}"
filter = '(objectClass=posixGroup)'
membership_attribute = 'memberOf'
}
profile {
}
client {
base_dn = "${..base_dn}"
filter = '(objectClass=radiusClient)'
template {
}
attribute {
ipaddr = 'radiusClientIdentifier'
secret = 'radiusClientSecret'
}
}
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
type {
start {
update {
description := "Online at %S"
}
}
interim-update {
update {
description := "Last seen at %S"
}
}
stop {
update {
description := "Offline at %S"
}
}
}
}
post-auth {
update {
}
}
options {
# NOTE(review): with referral chasing enabled, rebind = yes re-uses this module's
# bind credentials against whichever server a referral points at. Confirm that
# is intended for a hosted directory; otherwise leave referrals unchased.
chase_referrals = yes
rebind = yes
res_timeout = 10
srv_timelimit = 3
net_timeout = 1
idle = 60
probes = 3
interval = 3
# libldap debug flags; only needed while troubleshooting.
ldap_debug = 0x0028
}
tls {
# Not needed with an ldaps:// server URL (already TLS).
start_tls = no
# Client certificate and key presented to the directory.
certificate_file = /etc/freeradius/certs/ldap-client.crt
private_key_file = /etc/freeradius/certs/ldap-client.key
# NOTE(review): 'allow' keeps the connection even when the server certificate
# cannot be verified, so user bind passwords could be sent to an endpoint that
# merely claims to be ldap.google.com. 'demand' together with a ca_file (or the
# system CA store) rejects such connections.
require_cert = 'allow'
}
# Connection pool sizing follows the server thread-pool settings.
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 30
lifetime = 0
idle_timeout = 60
}
}
My /etc/freeradius/mods-config/files/authorize:
# users-file entries for the files module. The first line of each entry holds
# check items: '==' entries must match the request, ':=' entries set control
# attributes. The lines that follow an entry are its reply items. Matching stops
# at the first DEFAULT entry that matches unless the entry sets Fall-Through
# (none of these do).
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP
# Sets control:Ldap-UserDN to the raw User-Name for every request that reaches this
# entry; the ldap module reads it through its user_dn setting. It only has an effect
# when files runs before ldap in the same virtual server: the posted inner-tunnel
# debug output shows ldap searching in authorize with no files call before it, so
# the DN from that search is what the later bind uses. Note also that a bare
# "user@domain" value is not a DN; whether the directory accepts it as a simple-bind
# name has to be confirmed for the directory in use.
DEFAULT Ldap-UserDN := "%{User-Name}"
My /etc/freeradius/sites-available/default:
# Outer (EAP) virtual server. The posted debug output shows the tunneled
# EAP-GTC/PAP request being processed by a separate "inner-tunnel" server
# (sites-enabled/inner-tunnel), whose configuration is not part of this post.
# The debug output also warns that outer and inner identities are identical;
# that is a supplicant-side setting (anonymous outer identity), not a server one.
server default {
# Auth listener on all IPv4 addresses; port = 0 selects the default port
# (the debug output shows 1812). Client ACLs come from clients.conf (not posted).
listen {
type = auth
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipaddr = *
port = 0
type = acct
limit {
}
}
# Same two listeners on all IPv6 addresses.
listen {
type = auth
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipv6addr = ::
port = 0
type = acct
limit {
}
}
authorize {
filter_username
preprocess
digest
suffix
# When eap returns ok the section returns immediately, so nothing below runs
# for EAP packets in this server (the debug output shows "[eap] = ok" followed
# directly by "} # authorize = ok"); the inner-tunnel authorize handles the
# tunneled request.
eap {
ok = return
}
# files runs before ldap here, so control attributes set by the authorize file
# (e.g. Ldap-UserDN) are visible to ldap in this server. The inner-tunnel debug
# output shows no files call before its ldap search; check that server's
# authorize section if the DN override is expected to apply there.
files
-sql
ldap
expiration
logintime
pap
# Non-EAP requests carrying a cleartext password are authenticated by an LDAP
# bind as the user (Auth-Type ldap below).
if (User-Password) {
update control {
Auth-Type := ldap
}
}
}
authenticate {
# PAP is handled by an LDAP bind with the user's credentials rather than by
# comparing against a stored password (none is returned; see the ldap
# warnings in the debug output).
Auth-Type PAP {
ldap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
# Bare module names here presumably define the matching Auth-Type
# (ldap, eap, ...); confirm against the module documentation.
mschap
digest
ldap
eap
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
-sql
exec
attr_filter.accounting_response
}
session {
}
post-auth {
# Drop a reply User-Name that merely echoes the request one.
if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
update reply {
&User-Name !* ANY
}
}
# Copy attributes cached in session-state (e.g. the TLS cipher/version seen
# in the debug output) into the reply.
update {
&reply: += &session-state:
}
-sql
exec
remove_reply_message_if_eap
# Reject handling: the debug output shows attr_filter.access_reject matching
# its DEFAULT entry and the EAP failure being sent from here.
Post-Auth-Type REJECT {
-sql
attr_filter.access_reject
eap
remove_reply_message_if_eap
}
Post-Auth-Type Challenge {
}
}
pre-proxy {
}
post-proxy {
eap
}
}