Re: Checkval weird issue with LDAP backend and PAM authentication

Alan DeKok

Nov 23, 2010, 1:36:55 AM
marco wrote:

> the idea is to use checkval module to catch the NAS-Identifier parameter that the proftpd module set as "ftp".

Why? The "checkval" module has limited functionality. See "man
unlang" for a much better way to do attribute comparisons.

All of the debug output you provided was mashed together on one line,
making it impossible to read.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

marco

Nov 23, 2010, 7:15:14 AM
Sorry Alan

I hadn't realized that the logs had become garbage :O( - maybe a webmail related issue of my ISP.
Now I Bcc myself to see how it appears to recipients

I tried "man unlang" but got no manual entry - I'm using Freeradius packaged for CentOS - I'll have a look at http://freeradius.org/radiusd/man/unlang.html, I think it is the same.

As for the previous post, ... here it is

Hi,
I'm facing this issue in configuring radius: I'm developing a GPLv3 script that will easily set up a whole linux server with lots of useful services (NTP, DHCP, DNS with DDNS update to DHCP, MIT-Kerberos, OpenLDAP (Kerberized), FreeRadius, MySQL, Apache, ProFTP, SQUID, Samba (kerberized), Appletalk File Protocol, Postfix and Dovecot (also with public and shared folders), roundcube webmail, LDAP Addressbook, PPTP and L2TP over IPSec VPNs, Egroupware. And it works with SELinux enabled. The script is quite mature (it is named ECK - you can download it from sourceforge if you want to). It can install almost everything mentioned above, and they could even work ;O) - I've started the development of a GTKmm-based GUI that will easily administer almost everything (although I have not published the GUI yet - the app is stable, but I've just finished the user manager, so I have a lot more work to do before I have something to publish)

And now the trouble with freeradius: I'd like to have most of the services with Radius Based Authentication - I think this will give me a better logging system, especially to trace sessions. As for authentication, everything works fine.
But I also want to do Authorization: I mean that I want to allow services FTP, VPN, Apache userdirs, Squid proxy, etc. on a per user basis. I started with proftpd with mod_radius:

the idea is to use checkval module to catch the NAS-Identifier parameter that the proftpd module set as "ftp".

here is an example request:

rad_recv: Access-Request packet from host 127.0.0.1:9409, id=74, length=93
User-Name = "testuser"
User-Password = "test1Test"
NAS-Identifier = "ftp"
NAS-Port = 21
NAS-Port-Type = Virtual
Calling-Station-Id = "::ffff:127.0.0.1"
Service-Type = 0x0000000100000000

I inserted the following lines in my radiusd.conf:

checkval NAS{
item-name = NAS-Identifier
check-name = NAS-Identifier
data-type = string
notfound-reject=yes
}

and added "NAS" in the authorize section

authorize {
...
NAS
...
}

I also updated ldap.attrmap inserting the following line

checkItem NAS-Identifier eckAllowedServices

and obviously extended the LDAP schema (eck.schema)

attributetype ( 1.3.6.1.4.1.26309.1.1.11 NAME 'eckAllowedServices' DESC 'Services the user is allowed to login' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
objectClass ( 1.3.6.1.4.1.26309.1.1.1 NAME 'eckGenericObject' AUXILIARY DESC 'an ECK generic object' MAY ( locked $ eckPublicKey $ eckPrivateKey $ userPKCS12 $ allowProxy $ eckAllowedServices))

The script creates 2 users: Administrator - that is actually an administrator, and testuser. In my test environment I added 2 attributes eckAllowedServices to testuser (ftp and httpproxy) and left Administrator without the eckAllowedServices attribute.

And now the weird issue:

checkval is able to realize that testuser has the ftp attribute

modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat: '(uid=testuser)'
radius_xlat: 'DC=marcolinux,DC=local'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: bind as CN=FreeRADIUS,OU=AAA,OU=Services,DC=marcolinux,DC=local/wRtEYnd3sGkEa.Y4 to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in DC=marcolinux,DC=local, with filter (uid=testuser)
rlm_ldap: checking if remote access for testuser is allowed by dialupAccess
rlm_ldap: Added password AB39C1761CF4947661DAB7AF9849A61E in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding eckAllowedServices as NAS-Identifier, value ftp & op=21
rlm_ldap: Adding eckAllowedServices as NAS-Identifier, value httpProxy & op=21
rlm_ldap: Adding sambaAcctFlags as SMB-Account-CTRL-TEXT, value [U ] & op=21
rlm_ldap: Adding sambaNTPassword as NT-Password, value AB39C1761CF4947661DAB7AF9849A61E & op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value pam & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding FTPQuotaFilesTransferred as ArticaECK-FTP-Quota-Files-Transferred, value 0 & op=11
rlm_ldap: Adding FTPQuotaFilesOutgoing as ArticaECK-FTP-Quota-Files-Outgoing, value 0 & op=11
rlm_ldap: Adding FTPQuotaFilesIncoming as ArticaECK-FTP-Quota-Files-Incoming, value 50 & op=11
rlm_ldap: Adding FTPQuotaBytesTransferred as ArticaECK-FTP-Quota-Bytes-Transferred, value 0 & op=11
rlm_ldap: Adding FTPQuotaBytesOutgoing as ArticaECK-FTP-Quota-Bytes-Outgoing, value 0 & op=11
rlm_ldap: Adding FTPQuotaBytesIncoming as ArticaECK-FTP-Quota-Bytes-Incoming, value 200 & op=11
rlm_ldap: Adding FTPQuotaIsPerSession as ArticaECK-FTP-Quota-Is-Per-Session, value FALSE & op=11
rlm_ldap: Adding FTPQuotaLimitType as ArticaECK-FTP-Quota-Limit-Type, value soft & op=11
rlm_ldap: Adding loginShell as ArticaECK-FTP-Shell, value /bin/tcsh & op=11
rlm_ldap: Adding homeDirectory as ArticaECK-FTP-Home, value /home/testuser & op=11
rlm_ldap: Adding gidNumber as ArticaECK-FTP-GID, value 100 & op=11
rlm_ldap: Adding uidNumber as ArticaECK-FTP-UID, value 1001 & op=11
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
rlm_checkval: Item Name: NAS-Identifier, Value: ftp
rlm_checkval: Value Name: NAS-Identifier, Value: ftp
modcall[authorize]: module "NAS" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type pam
auth: type "PAM"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
pam_pass: using pamauth string <radiusd> for pam.conf lookup
pam_pass: authentication succeeded for <testuser>
modcall[authenticate]: module "pam" returns ok for request 0
modcall: leaving group authenticate (returns ok) for request 0
Processing the post-auth section of radiusd.conf

and that Administrator doesn't

rlm_ldap: Adding loginShell as ArticaECK-FTP-Shell, value /bin/bash & op=11
rlm_ldap: Adding homeDirectory as ArticaECK-FTP-Home, value /home/Administrator & op=11
rlm_ldap: Adding gidNumber as ArticaECK-FTP-GID, value 100 & op=11
rlm_ldap: Adding uidNumber as ArticaECK-FTP-UID, value 1000 & op=11
rlm_ldap: user Administrator authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
rlm_checkval: Item Name: NAS-Identifier, Value: ftp
rlm_checkval: Could not find attribute named NAS-Identifier in check pairs
modcall[authorize]: module "NAS" returns notfound for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type pam
auth: type "PAM"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
pam_pass: using pamauth string <radiusd> for pam.conf lookup
pam_pass: authentication succeeded for <Administrator>
modcall[authenticate]: module "pam" returns ok for request 0
modcall: leaving group authenticate (returns ok) for request 0
Processing the post-auth section of radiusd.conf

but I always got both of them authorized. How is it possible? What did I do wrong? Why does freeradius go to the authentication section although the checkval module "NAS" returned notfound? I'm sure I made some kind of mistake, but I really am not able to find it. For days now I've been googling around and getting quite crazy - I hope that someone of you may help me. Thank you very much

Marco Carcano

Configuration files

########################RADIUSD.CONF###############################
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad

security {
max_attributes = 200
reject_delay = 1
status_server = no
}

proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf

thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}

modules {
pap {
encryption_scheme = crypt
}

chap {
authtype = CHAP
}

pam {
pam_auth = radiusd
}

$INCLUDE ${confdir}/eap.conf

mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
}

ldap {
server = "127.0.0.1"
identity = "CN=FreeRADIUS,OU=AAA,OU=Services,DC=marcolinux,DC=local"
password = wRtEYnd3sGkEa.Y4
basedn = "DC=marcolinux,DC=local"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
start_tls = no
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
password_attribute = sambaNTPassword
timeout = 4
timelimit = 3
net_timeout = 1
}

realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}

realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}

realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}

realm ntdomain {
format = prefix
delimiter = "\"
ignore_default = no
ignore_null = no
}

checkval NAS{
item-name = NAS-Identifier
check-name = NAS-Identifier
data-type = string
notfound-reject=yes
}

preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}

files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
compat = no
}

detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}

acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}

$INCLUDE ${confdir}/sql.conf

radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}

radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}

attr_filter {
attrsfile = ${confdir}/attrs
}

counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}

sqlcounter dailycounter {
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
sqlmod-inst = sql
key = User-Name
reset = daily
query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}

sqlcounter monthlycounter {
counter-name = Monthly-Session-Time
check-name = Max-Monthly-Session
sqlmod-inst = sql
key = User-Name
reset = monthly
query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}

always fail {
rcode = fail
}

always reject {
rcode = reject
}

always ok {
rcode = ok
simulcount = 0
mpp = no
}

expr {
}

digest {
}

exec {
wait = yes
input_pairs = request
}

exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
}

ippool main_pool {
range-start = 192.168.1.150
range-stop = 192.168.1.199
netmask = 255.255.255.0
cache-size = 800
session-db = ${localstatedir}/lib/raddb/db.ippool
ip-index = ${localstatedir}/lib/raddb/db.ipindex
override = no
maximum-timeout = 0
}
}

instantiate {
exec
expr
}

authorize {
preprocess
chap
mschap
suffix
eap
ldap
NAS
}

authenticate {
Auth-Type PAP {
pap
}

Auth-Type CHAP {
chap
}

Auth-Type MS-CHAP {
mschap
}

pam

eap
}


preacct {
preprocess
acct_unique
suffix
files
}

accounting {
detail
radutmp
main_pool
sql
}


session {
radutmp
}


post-auth {
main_pool
}

pre-proxy {
}

post-proxy {
eap
}

##########################USERS################################
DEFAULT Auth-Type = pam
Fall-Through = 1

DEFAULT Service-Type == Framed-User
Framed-MTU = 576,
Service-Type = Framed-User,
Fall-Through = Yes

DEFAULT Pool-Name := main_pool
Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP

##################radiusd -X -f output ##############

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "radiusd"
main: group = "radiusd"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded Pam
pam: pam_auth = "radiusd"
Module: Instantiated pam (pam)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded LDAP
ldap: server = "127.0.0.1"
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity = "CN=FreeRADIUS,OU=AAA,OU=Services,DC=marcolinux,DC=local"
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = "(null)"
ldap: tls_cacertdir = "(null)"
ldap: tls_certfile = "(null)"
ldap: tls_keyfile = "(null)"
ldap: tls_randfile = "(null)"
ldap: tls_require_cert = "allow"
ldap: password = "wRtEYnd3sGkEa.Y4"
ldap: basedn = "DC=marcolinux,DC=local"
ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
ldap: base_filter = "(objectclass=radiusprofile)"
ldap: default_profile = "(null)"
ldap: profile_attribute = "(null)"
ldap: password_header = "(null)"
ldap: password_attribute = "sambaNTPassword"
ldap: access_attr = "dialupAccess"
ldap: groupname_attribute = "cn"
ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
ldap: groupmembership_attribute = "(null)"
ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap"
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP eckAllowedServices mapped to RADIUS NAS-Identifier
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP uidNumber mapped to RADIUS ArticaECK-FTP-UID
rlm_ldap: LDAP gidNumber mapped to RADIUS ArticaECK-FTP-GID
rlm_ldap: LDAP homeDirectory mapped to RADIUS ArticaECK-FTP-Home
rlm_ldap: LDAP loginShell mapped to RADIUS ArticaECK-FTP-Shell
rlm_ldap: LDAP FTPQuotaLimitType mapped to RADIUS ArticaECK-FTP-Quota-Limit-Type
rlm_ldap: LDAP FTPQuotaIsPerSession mapped to RADIUS ArticaECK-FTP-Quota-Is-Per-Session
rlm_ldap: LDAP FTPQuotaBytesIncoming mapped to RADIUS ArticaECK-FTP-Quota-Bytes-Incoming
rlm_ldap: LDAP FTPQuotaBytesOutgoing mapped to RADIUS ArticaECK-FTP-Quota-Bytes-Outgoing
rlm_ldap: LDAP FTPQuotaBytesTransferred mapped to RADIUS ArticaECK-FTP-Quota-Bytes-Transferred
rlm_ldap: LDAP FTPQuotaFilesIncoming mapped to RADIUS ArticaECK-FTP-Quota-Files-Incoming
rlm_ldap: LDAP FTPQuotaFilesOutgoing mapped to RADIUS ArticaECK-FTP-Quota-Files-Outgoing
rlm_ldap: LDAP FTPQuotaFilesTransferred mapped to RADIUS ArticaECK-FTP-Quota-Files-Transferred
conns: 0x2ba4857109b0
Module: Instantiated ldap (ldap)
Module: Loaded checkval
checkval: item-name = "NAS-Identifier"
checkval: check-name = "NAS-Identifier"
checkval: data-type = "string"
checkval: notfound-reject = yes
rlm_checkval: Registered name NAS-Identifier for attribute 32
Module: Instantiated checkval (NAS)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded detail
detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Module: Loaded IPPOOL
ippool: session-db = "/var/lib/raddb/db.ippool"
ippool: ip-index = "/var/lib/raddb/db.ipindex"
ippool: range-start = 192.168.1.150 IP address [192.168.1.150]
ippool: range-stop = 192.168.1.199 IP address [192.168.1.199]
ippool: netmask = 255.255.255.0 IP address [255.255.255.0]
ippool: cache-size = 800
ippool: override = no
ippool: maximum-timeout = 0
Module: Instantiated ippool (main_pool)
Module: Loaded SQL
sql: driver = "rlm_sql_mysql"
sql: server = "localhost"
sql: port = ""
sql: login = "FreeRADIUS"
sql: password = "wRtEYnd3sGkEa.Y4"
sql: radius_db = "radius"
sql: nas_table = "nas"
sql: sqltrace = no
sql: sqltracefile = "/var/log/radius/sqltrace.sql"
sql: readclients = no
sql: deletestalesessions = yes
sql: num_sql_socks = 5
sql: sql_user_name = "%{User-Name}"
sql: default_user_profile = ""
sql: query_on_not_found = no
sql: authorize_check_query = "SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id"
sql: authorize_reply_query = "SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id"
sql: authorize_group_check_query = "SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id"
sql: authorize_group_reply_query = "SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id"
sql: accounting_onoff_query = "UPDATE radacct SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'"
sql: accounting_update_query = "UPDATE radacct SET FramedIPAddress = '%{Framed-IP-Address}', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress= '%{NAS-IP-Address}'"
sql: accounting_update_query_alt = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0')"
sql: accounting_start_query = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')"
sql: accounting_start_query_alt = "UPDATE radacct SET AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
sql: accounting_stop_query = "UPDATE radacct SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
sql: accounting_stop_query_alt = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')"
sql: group_membership_query = "SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}'"
sql: connect_failure_retry_delay = 60
sql: simul_count_query = ""
sql: simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
sql: postauth_query = "INSERT into radpostauth (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())"
sql: safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to FreeRADIUS@localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Instantiated sql (sql)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
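To illustrate why the server still entered the authenticate section although "NAS" returned notfound, here is an added Python model (not code from the thread and not FreeRADIUS's own code) of how the authorize section folds module return codes into one result. It assumes FreeRADIUS's default authorize action table (reject, fail, handled, invalid and userlock return immediately; notfound, noop, ok and updated carry priorities 1, 2, 3 and 4) and that the server continues to authentication for any of ok, updated, noop or notfound; both are stated here as assumptions about the server's defaults.

```python
# Added model (not code from the thread or from FreeRADIUS) of how the
# "authorize" section folds the return codes of its modules into one result.
#
# Assumption: FreeRADIUS's default action table for authorize, which the
# config can override per module. "return" means the section stops at once
# with that code; an integer is a priority, and a module's code replaces the
# running section result only when its priority is strictly higher than the
# priority already recorded.
AUTHORIZE_ACTIONS = {
    "reject": "return",
    "fail": "return",
    "ok": 3,
    "handled": "return",
    "invalid": "return",
    "userlock": "return",
    "notfound": 1,
    "noop": 2,
    "updated": 4,
}


def authorize_section(module_results, actions=AUTHORIZE_ACTIONS):
    """Fold (module_name, return_code) pairs into the section's result.

    Returns (section_result, trace); the trace explains each step, in the
    spirit of the "modcall[authorize]: ..." lines in a radiusd -X log.
    """
    result, priority, trace = "notfound", 0, []  # assumed starting state
    for module, rcode in module_results:
        action = actions[rcode]
        if action == "return":
            trace.append(f'module "{module}" returns {rcode}: '
                         f"section returns {rcode} immediately")
            return rcode, trace
        if action > priority:
            result, priority = rcode, action
            trace.append(f'module "{module}" returns {rcode} '
                         f"(priority {action}): section result is now {rcode}")
        else:
            trace.append(f'module "{module}" returns {rcode} '
                         f"(priority {action}): not above {priority}, "
                         f"section result stays {result}")
    return result, trace


def proceeds_to_authenticate(section_result):
    """Assumption: after authorize the server goes on to the authenticate
    section for ok, updated, noop and notfound; handled ends processing and
    anything else (reject, fail, invalid, userlock) rejects the request."""
    return section_result in ("ok", "updated", "noop", "notfound")


if __name__ == "__main__":
    # Constructed replay of the module chain in the Administrator log above:
    # every module before "NAS" returns ok or noop, then checkval returns
    # notfound because the user has no eckAllowedServices check item.
    administrator = [
        ("preprocess", "ok"), ("chap", "noop"), ("mschap", "noop"),
        ("suffix", "noop"), ("eap", "noop"), ("ldap", "ok"), ("NAS", "notfound"),
    ]
    result, trace = authorize_section(administrator)
    print("\n".join(trace))
    print(f"authorize returns {result}; proceeds to authenticate: "
          f"{proceeds_to_authenticate(result)}")

    # Same chain, but with the check module rejecting instead of reporting
    # notfound: the section stops at once and the request is rejected.
    rejecting = administrator[:-1] + [("NAS", "reject")]
    result, trace = authorize_section(rejecting)
    print(trace[-1])
    print(f"authorize returns {result}; proceeds to authenticate: "
          f"{proceeds_to_authenticate(result)}")
```

Under these assumptions the notfound from "NAS" is simply outranked by the ok that ldap already produced, and even a section result of notfound would still lead to authentication, so only a reject from the check module can stop the Administrator request.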

Alan DeKok

Nov 23, 2010, 8:33:10 AM
marco wrote:
> Sorry Alan
>
> I hadn't realized that the logs had become garbage :O( - maybe a webmail related issue of my ISP.
> Now I Bcc myself to see how it appears to recipients
>
> I tried "man unlang" but got no manual entry - I'm using Freeradius packaged for CentOS - I'll give a look to http://freeradius.org/radiusd/man/unlang.html, I think is the same.

<shrug> Upgrade to 2.1.10. You're using a very old version of the
server.

Alan DeKok.

John Dennis, Nov 23, 2010, 10:25:31 AM

On 11/23/2010 08:33 AM, Alan DeKok wrote:
> marco wrote:
>> Sorry Alan
>>
>> I've not realized that the logs had became a garbage :O( - maybe a webmail realted issue of my ISP.
>> Now I Bcc myself to see how does it appear to recipients
>>
>> I tried "man unlang" but got no manual entry - I'm using Freeradius packaged for CentOS - I'll give a look to http://freeradius.org/radiusd/man/unlang.html, I think is the same.
>
> <shrug> Upgrade to 2.1.10. You're using a very old version of the
> server.

The 2.x versions of FreeRADIUS on CentOS are under the package name
freeradius2, not freeradius.

--
John Dennis <jde...@redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

Marco Carcano, Nov 25, 2010, 4:24:04 PM

Hi John

thank you very much for the reply - I hadn't noticed that a
freeradius2 rpm package exists

I tried, and after a lot of rearranging of the config files -
freeradius2 splits radiusd.conf up a lot - I got it working

but I have to point out this thing - that I hope you - Red Hat - will
fix: /etc/pam.d/radiusd is wrong (maybe the issue is only in the CentOS
package):

this is the content of the original file

#%PAM-1.0
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
session include password-auth

it is wrong: it causes PAM auth to fail with a really strange error

pam_pass: using pamauth string <radiusd> for pam.conf lookup

pam_pass: function pam_authenticate FAILED for <testuser>. Reason:
Module is unknown
++[pam] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}

this error caused me a little headache because initially I thought it
was a misconfiguration of freeradius on my part.

the fix is to replace the contents of /etc/pam.d/radiusd with

#%PAM-1.0
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session include system-auth

PAM is useful in situations like my Easy Configuration Kit - ECK:
I built an AAA system that relies on Freeradius that does Accounting in
MySQL, Authorization with OpenLDAP and Authentication by Kerberos -
the LDAP directory is Kerberized. I think that PAM and SASL are a
good way to accomplish this - In ECK it works.

Maybe you already know about this issue - I hope this post can help
anybody who gets this strange error - until the package gets fixed

as for my checkval issue, .... I have not been able to fix it! I tried
to learn unlang, but the only thing I have in my head now is a lot of
confusion, ... but I'll answer Alan's reply directly in order not to
post the same message twice

thank you again, you put me on the right track

Marco Carcano

On 23 Nov 2010, at 16:25, John Dennis wrote:

Marco Carcano, Nov 25, 2010, 5:12:50 PM

Hi Alan

I RTM unlang, but I have to admit I only got confused - The only thing
I have understood is to write a simple statement like this (in the
authorize section)

if (NAS-Identifier == "ftp" ) {
	ok
}
else {
	reject
}

and I think it is even wrong because it always returns OK :(((((

I noticed in some posts people using a syntax like if (NAS-Identifier
== %{sql: SELECT ... BLA BLA} )

but I have not been able to see a working example using ldap, ... could
you provide an example, please? I've not been able to figure out how
to write it down.

my situation is this: eckAllowedServices is a multistring attribute
that contains one NAS-Identifier per line. I use service names as
NAS-Identifiers in order to perform user authorization to services - eg
authorize ftp access on a per-user basis

this is what happens when I do an ldapsearch

ldapsearch -LLL -b cn=testuser,ou=Users,dc=marcolinux,dc=local eckAllowedServices -x -D "CN=FreeRADIUS,OU=AAA,OU=Services,DC=marcolinux,DC=local" -w wRtEYnd3sGkEa.Y4

dn: cn=testuser,ou=Users,dc=marcolinux,dc=local
eckAllowedServices: ftp
eckAllowedServices: httpProxy

that shows that the DN used by freeradius is able to read the
eckAllowedServices attribute

as I wrote in the previous post, I updated ldap.attrmap inserting the
following line

checkItem NAS-Identifier eckAllowedServices

in order to do the "binding" between radius and LDAP

and this is the extension of the LDAP schema (eck.schema)

attributetype ( 1.3.6.1.4.1.26309.1.1.11 NAME 'eckAllowedServices'
    DESC 'Services the user is allowed to login'
    EQUALITY caseIgnoreIA5Match
    SUBSTR caseIgnoreIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )

objectClass ( 1.3.6.1.4.1.26309.1.1.1 NAME 'eckGenericObject'
    DESC 'an ECK generic object'
    AUXILIARY
    MAY ( locked $ eckPublicKey $ eckPrivateKey $ userPKCS12 $ allowProxy $ eckAllowedServices ) )

thinking of the %{sql:SELECT ...} example I thought of a syntax almost like
this

if (NAS-Identifier == "ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)" ) {
	ok
}
else {
	reject
}

the aim is to check if the NAS-Identifier supplied by the NAS is equal to
one of the multiple string values of eckAllowedServices

but I always got this message - it doesn't matter if the user has got
or hasn't the eckAllowedServices attribute:

if (NAS-Identifier == "ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)" )
expand: ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices) -> ldap:cn=testuser,ou=Users,dc=marcolinux,dc=local (eckAllowedServices)
? Evaluating (NAS-Identifier == "ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)" ) -> FALSE
++? if (NAS-Identifier == "ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)" ) -> FALSE
++- entering else else {...}
+++[reject] returns reject

I had a look at ldap.log - with verbose debugging, ... I found
references to eckAllowedServices, but not as a request for only one
attribute - as I was expecting for the unlang expression I wrote: I
got it mixed with lots of other attributes - that is the previous ldap
lookup of the ldap module of the authorization section: in other words
- I think the unlang expression above is useless and is not processed
with a query to the ldap server. I certainly mistyped the syntax,
but I'm not able to figure out the syntax :(((


Alan, could you provide an example of unlang for LDAP? Maybe I am a slow
learner, but I think it could help me (and I hope others) a lot

Ah - I use freeradius2-2.1.7-7.el5 - that is the "official" one from
RedHat/CentOS - please, don't tell me I have to repackage it to 2.1.10
- I have already done this with quite a lot of other packages in ECK


On 23 Nov 2010, at 14:33, Alan DeKok wrote:

> marco wrote:
>> Sorry Alan
>>
>> I've not realized that the logs had became a garbage :O( - maybe a
>> webmail realted issue of my ISP.
>> Now I Bcc myself to see how does it appear to recipients
>>
>> I tried "man unlang" but got no manual entry - I'm using Freeradius
>> packaged for CentOS - I'll give a look to http://freeradius.org/radiusd/man/unlang.html
>> , I think is the same.
>
> <shrug> Upgrade to 2.1.10. You're using a very old version of the
> server.
>

> Alan DeKok.

Alan DeKok, Nov 26, 2010, 3:31:01 AM

Marco Carcano wrote:
> I RTM unlang, but I have to admit I only got confused - The only thing I
> have understood is to write a simple statement like this (in authorize
> section)
>
> if (NAS-Identifier == "ftp" ) {
> ok
> }
> else {
> reject
> }
>
> and I think is even wrong because returns always OK :(((((

And.... what does debug mode say?

> I noticed on some posts people using a syntax like if (NAS-Identifier ==
> %{sql: SELECT ... BLA BLA} )

See "man unlang". This is documented.

> but I have not been able to see a working example using ldap,

if (NAS-Identifier == "%{ldap: ... ldap stuff ... }") {

> thinking at the %{sql:SELECT ...} example I tough I syntax almost like this
>
> if (NAS-Identifier ==
> "ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local
> (eckAllowedServices)" ) {

You didn't use the same form as the SQL example. The brackets have
*meaning*: %{}

See "man unlang".

Marco Carcano, Nov 26, 2010, 6:04:34 PM

Hi Alan

>
>> but I have not been able to see a working example using ldap,
>
> if (NAS-Identifier == "%{ldap: ... ldap stuff ... }") {
>
>
>> thinking at the %{sql:SELECT ...} example I tough I syntax almost
>> like this
>>
>> if (NAS-Identifier ==
>> "ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local
>> (eckAllowedServices)" ) {
>
> You didn't use the same form as the SQL example. The brackets have
> *meaning*: %{}

if (NAS-Identifier == {ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)} ) {
	ok
}

when I start radiusd in debug mode I get:

Expected string or numbers at: ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)} )
/etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.

that is the reason I did not use brackets - I got a syntax error, so I
thought it was wrong to use them in this way

if I modify it to the following

if (NAS-Identifier == "{ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}" ) {
	ok
}

radiusd starts fine, but when trying to authenticate I get the
following message:

++? if (NAS-Identifier == "{ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}" )
expand: {ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)} -> {ldap:cn=testuser,ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}
? Evaluating (NAS-Identifier == "{ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}" ) -> FALSE
++? if (NAS-Identifier == "{ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}" ) -> FALSE
++- entering else else {...}
+++[reject] returns reject
++- else else returns reject
Using Post-Auth-Type Reject

%{User-Name} is expanded correctly, ... it is my syntax that is certainly
wrong, so that unlang sees it just as a string to compare

Alan, ... why don't you just provide a working example - I'm working
on a GPL'ed app - ECK, if you have a look at sourceforge you can find
it - and it is now almost two years that I have spent many of my nights
- I have to work during the day - and part of my weekends on a project
that I think somebody could find useful. Maybe one day many people will
use it to build their base system and simply not write to this list
asking how to have freeradius working with PAM, LDAP and so on, because
thanks to ECK they'll have a working environment in less than an hour.
Maybe they'll stress you just on how to improve it

you work on freeradius because you believe in your project, I work on
mine because I believe in mine. I believe in your project and put it
into mine. We both work without being paid by anybody, just for passion

Now I'm at the final race, ... I really do not understand why you
cannot provide just an example - maybe I am stupid, but I re-read the
unlang manual several times without being able to figure out the right syntax

Marco

Marco Carcano, Nov 26, 2010, 6:21:29 PM

Hi Alan,

just to let you know:

if (NAS-Identifier == "%{ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}" ) {
	ok
}

message:

++? if (NAS-Identifier == "%{ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}" )
rlm_ldap: - ldap_xlat
expand: cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices) -> cn=testuser,ou=Users,dc=marcolinux,dc=local (eckAllowedServices)
rlm_ldap: String passed does not look like an LDAP URL.
expand: %{ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)} ->

it seems to me that it "fires" the ldap module but it doesn't like my
syntax.

the same is for

if (NAS-Identifier == "%{ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local}" ) {
	ok
}

++? if (NAS-Identifier == "%{ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local}" )
rlm_ldap: - ldap_xlat
expand: cn=%{User-Name},ou=Users,dc=marcolinux,dc=local -> cn=testuser,ou=Users,dc=marcolinux,dc=local
rlm_ldap: String passed does not look like an LDAP URL.

I do not understand why the message complains about the LDAP URL - the ldap
URL is the address of the server - what I provided is an LDAP DN

I thought it was not necessary to supply the LDAP URL because it is
already provided in the modules/ldap file

Now I'm sure I have understood absolutely nothing about this module

Marco Carcano, Nov 26, 2010, 7:21:54 PM

Hi Alan

OK - got it working - I had a look at rlm_ldap.c and ldap.h
(ldap_is_ldap_url and ldap_url_parse functions) - although I have one
more issue, ... see below

if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-Identifier}" ) {
	ok
}
else {
	reject
}


debug is

++? if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-Identifier}" )
rlm_ldap: - ldap_xlat
expand: ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices -> ldap://127.0.0.1/CN=testuser,OU=Users,DC=marcolinux,DC=local?eckAllowedServices
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=testuser,OU=Users,DC=marcolinux,DC=local, with filter (null)
rlm_ldap: Adding attribute eckAllowedServices, value: ftp
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: - ldap_xlat end
expand: %{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices} -> ftp
expand: %{NAS-Identifier} -> ftp
? Evaluating ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-Identifier}" ) -> TRUE
++? if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-Identifier}" ) -> TRUE
++- entering if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-Identifier}" ) {...}
+++[ok] returns ok
++- if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-Identifier}" ) returns ok
++ ... skipping else for request 0: Preceding "if" was taken
Found Auth-Type = PAM

but it works only if eckAllowedServices has only one value.
eckAllowedServices is a multi-string attribute, that is for example

eckAllowedServices[0]=httpProxy
eckAllowedServices[1]=ftp
eckAllowedServices[2]=VPN

etc.

it works only for the first element of the array, ... so in the
preceding example only if eckAllowedServices[0]=ftp

is there a way to have it recursively process all the elements of the
array to do the comparison?

I tried

if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices[*]}" == "%{NAS-Identifier}" )

and

if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}[*]" == "%{NAS-Identifier}" )

but had no luck

Marco Carcano

just for info (for other users that may read this post in the future):
I was wondering if it performed an anonymous bind to the directory -
the LDAP URL does not contain credentials, so I raised the ldap server
verbosity and had a look at the log, ....
it works authenticated as in modules/ldap - I think this is really
important: on my server I prohibited anonymous binding, also from
localhost


On 26 Nov 2010, at 09:31, Alan DeKok wrote:

> Marco Carcano wrote:
>> I RTM unlang, but I have to admit I only got confused - The only
>> thing I
>> have understood is to write a simple statement like this (in
>> authorize
>> section)
>>
>> if (NAS-Identifier == "ftp" ) {
>> ok
>> }
>> else {
>> reject
>> }
>>
>> and I think is even wrong because returns always OK :(((((
>
> And.... what does debug mode say?
>
>> I noticed on some posts people using a syntax like if (NAS-
>> Identifier ==
>> %{sql: SELECT ... BLA BLA} )
>
> See "man unlang". This is documented.
>

>> but I have not been able to see a working example using ldap,
>
> if (NAS-Identifier == "%{ldap: ... ldap stuff ... }") {
>
>
>
>> thinking at the %{sql:SELECT ...} example I tough I syntax almost
>> like this
>>
>> if (NAS-Identifier ==
>> "ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local
>> (eckAllowedServices)" ) {
>
> You didn't use the same form as the SQL example. The brackets have
> *meaning*: %{}
>

> See "man unlang".
>
> Alan DeKok.

Marco Carcano, Nov 26, 2010, 7:41:42 PM

Hi Alan

got E V E R Y T H I N G working

if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices?base?eckAllowedServices=%{NAS-Identifier}}") {
	ok
}
else {
	reject
}

thank you anyway - you put me on the right track

Within a few days I'll publish a new version of ECK with freeradius2
(the current one uses freeradius), which allows granular service
authorization by LDAP, ...

thank you for all the time you spent and are spending on the
freeradius project, ... I know what it means

Good luck

Marco Carcano
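Editor's added example (not code from any post in this thread, and not FreeRADIUS's own code): a small Python model of what the %{ldap:...} xlat does with the two URL forms in the last two posts. The first working form (URL ending in ?eckAllowedServices) hands unlang a single value, which is why only eckAllowedServices[0] ever matched and why the == compare is case-sensitive; the final form (?eckAllowedServices?base?eckAllowedServices=%{NAS-Identifier}) moves the comparison into the search filter, where the server tests every value with the schema's caseIgnoreIA5Match rule. The directory entry, the host and DN in BASE_URL, and the assumption that rlm_ldap behaves like ldap_url_parse() followed by one base-scope search are all constructed for this example. It also shows the caveat a practitioner should check before relying on the final form: NAS-Identifier is supplied by the client, and an unescaped value such as "*" turns the assertion into a presence test that any user with the attribute at all would pass. Confirm on the "expand:" debug line what your rlm_ldap build actually sends to the server; the rfc4515_escape() helper here is the safe form of the value.

```python
# Added example for this thread (not code from the posts, nor FreeRADIUS code):
# an offline model of the %{ldap:...} xlat with the two URL forms Marco used.
# Assumptions: the directory entry is constructed; rlm_ldap is modelled as
# ldap_url_parse() + one base-scope search + "first value of the first
# requested attribute", which is what the posted debug output shows.
import re
from urllib.parse import urlsplit, unquote

# Constructed sample entry keyed by lower-cased DN (a simplification of DN
# normalisation). "ftp" is deliberately not the first value: the case Marco
# reports where only element [0] matched.
DIRECTORY = {
    "cn=testuser,ou=users,dc=marcolinux,dc=local": {
        "objectClass": ["eckGenericObject"],
        "eckAllowedServices": ["httpProxy", "ftp", "VPN"],
    },
}
BASE_URL = "ldap://127.0.0.1/CN=testuser,OU=Users,DC=marcolinux,DC=local"

def is_ldap_url(s):
    """rlm_ldap's pre-check: a bare DN 'does not look like an LDAP URL'."""
    return urlsplit(s).scheme in ("ldap", "ldaps")

def parse_ldap_url(url):
    """RFC 4516: ldap://host[:port]/dn[?attrs[?scope[?filter]]]."""
    if not is_ldap_url(url):
        raise ValueError("not an LDAP URL: %r" % url)
    parts = urlsplit(url)
    attrs, scope, filt = (parts.query.split("?", 3) + ["", "", ""])[:3]
    return {"dn": unquote(parts.path.lstrip("/")),
            "attrs": [a for a in unquote(attrs).split(",") if a],
            "scope": unquote(scope) or "base",             # RFC 4516 defaults
            "filter": unquote(filt) or "(objectClass=*)"}

def rfc4515_escape(value):
    """Escape a value for use inside a filter assertion (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def _unescape(s):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)

def _value_matches(pattern, value):
    """Equality, presence (*) or substring assertion, compared caseIgnore
    because eck.schema declares EQUALITY caseIgnoreIA5Match."""
    pieces = [_unescape(p).lower() for p in pattern.split("*")]
    value = value.lower()
    if len(pieces) == 1:
        return value == pieces[0]
    if not (value.startswith(pieces[0]) and value.endswith(pieces[-1])):
        return False
    pos = len(pieces[0])
    for middle in pieces[1:-1]:
        pos = value.find(middle, pos)
        if pos < 0:
            return False
        pos += len(middle)
    return pos <= len(value) - len(pieces[-1])

def _filter_matches(filt, attrs):
    """One '(attr=value)' assertion; libldap also accepts it without parentheses."""
    m = re.fullmatch(r"\(?([A-Za-z][\w-]*)=(.*?)\)?", filt)
    if not m:
        raise ValueError("unsupported filter: %r" % filt)
    for name, values in attrs.items():
        if name.lower() == m.group(1).lower():
            return any(_value_matches(m.group(2), v) for v in values)
    return False

def ldap_xlat(url):
    """%{ldap:url}: first value of the first requested attribute, or "" when
    nothing matched (unlang treats an empty string as false)."""
    q = parse_ldap_url(url)
    if q["scope"] != "base":
        raise ValueError("only base scope is modelled here")
    attrs = DIRECTORY.get(q["dn"].lower())
    if attrs is None or not _filter_matches(q["filter"], attrs):
        return ""
    for wanted in q["attrs"] or list(attrs):
        for name, values in attrs.items():
            if name.lower() == wanted.lower() and values:
                return values[0]
    return ""

def allowed_first_value(nas_identifier):
    """First working form (URL ending ?eckAllowedServices): one value comes
    back and unlang's == is an exact, case-sensitive string compare."""
    return ldap_xlat(BASE_URL + "?eckAllowedServices") == nas_identifier

def allowed_by_filter(nas_identifier, escape=True):
    """Final form: the NAS-Identifier becomes the filter assertion, so the
    server tests every value with the attribute's own matching rule.
    escape=False shows what an unescaped client-supplied value does."""
    value = rfc4515_escape(nas_identifier) if escape else nas_identifier
    url = BASE_URL + "?eckAllowedServices?base?eckAllowedServices=" + value
    return ldap_xlat(url) != ""

if __name__ == "__main__":
    for nas in ("ftp", "FTP", "smtp", "*"):
        print(nas, allowed_first_value(nas), allowed_by_filter(nas),
              allowed_by_filter(nas, escape=False))
```

Run stand-alone it prints one line per NAS-Identifier with the three outcomes side by side: "ftp" fails the first-value compare (httpProxy comes back first) but passes the filter; "FTP" passes only the filter, because the server applies caseIgnoreIA5Match while unlang's == does not; "*" is rejected when escaped and accepted by any user with the attribute when not.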
