I would like to ldap bind with username instead of DN


I would like to ldap bind with username instead of DN

Wessel Louwris
Hi,

I would like to bind with the given username and skip the ldapsearch, so I implemented

        DEFAULT Ldap-UserDN := "%{User-Name}"

in my authorize file (as described on https://wiki.freeradius.org/modules/Rlm_ldap <https://wiki.freeradius.org/modules/Rlm_ldap>).
Unfortunately this does not seem to be enough, because it's still binding with the DN:

(6) ldap: Login attempt by "[hidden email] "
(6) ldap: Using user DN from request "uid= user,ou=Users,dc=example,dc=com"    # this is a wrong DN returned by ldapsearch
(6) ldap: Waiting for bind result...
(6) ldap: ERROR: Bind credentials incorrect: Invalid credentials

The reason I want to bind with the given username instead of the DN is that we use Google Secure LDAP with multiple domains.
The LDAP search returns the wrong DN for users in a domain other than our main domain.
For users in my main domain everything works fine.

For example an ldapsearch for [hidden email] <mailto:[hidden email]> on the Google LDAP returns:
       
        dn: uid=user,ou=Users,dc=example,dc=com

which results in a failed LDAP bind, whereas it should return

        dn: uid=user,dc=company,dc=nl

which would succeed.

I noticed that I can also do a successful LDAP bind with the username: ldapsearch -W -H googleldapserver -D [hidden email] -s sub -b "dc=example,dc=com"
So binding on the username would be a solution for me.

Does anybody know how I can force binding with DEFAULT Ldap-UserDN := "%{User-Name}" and skip the ldapsearch?


Thanks for any help.

Kind regards,  
Wessel



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: I would like to ldap bind with username instead of DN

Adam Bishop-2
On 19 Jun 2020, at 13:11, Wessel Louwris <[hidden email]> wrote:
> DEFAULT Ldap-UserDN := "%{User-Name}"

Do google permit that format?

i.e. if you run ldapsearch from the cli with `-D "username"` does it work?

Adam Bishop

  gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460

jisc.ac.uk


Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under company number. 05747339, VAT number GB 197 0632 86. Jisc’s registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 0203 697 5800.


Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 02881024, VAT number GB 197 0632 86. The registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 0203 697 5800.


Jisc Commercial Limited is a wholly owned Jisc subsidiary and a company limited by shares which is registered in England under company number 09316933, VAT number GB 197 0632 86. The registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 0203 697 5800.


For more details on how Jisc handles your data see our privacy notice here: https://www.jisc.ac.uk/website/privacy-notice


Re: I would like to ldap bind with username instead of DN

Wessel Louwris


> On 19 Jun 2020, at 15:36, Adam Bishop <[hidden email]> wrote:
>
> On 19 Jun 2020, at 13:11, Wessel Louwris <[hidden email]> wrote:
>> DEFAULT Ldap-UserDN := "%{User-Name}"
>
> Do google permit that format?
>
> i.e. if you run ldapsearch from the cli with `-D "username"` does it work?
>
> Adam Bishop


Thanks for your reply! Yes, if I run

  LDAPTLS_CERT=ldap-client.crt LDAPTLS_KEY=ldap-client.key ldapsearch -W -D [hidden email] -H ldaps://ldap.google.com -b dc=example,dc=com '(mail=[hidden email])'

on the container where my freeradius is running, I can log in with the password of [hidden email] and get results.

That’s why I hope I can convince freeradius to use that username for binding also.

Kind regards,

Wessel




Re: I would like to ldap bind with username instead of DN

Coy Hile


> On Jun 19, 2020, at 9:55 AM, Wessel Louwris <[hidden email]> wrote:
>
>
>
>> On 19 Jun 2020, at 15:36, Adam Bishop <[hidden email]> wrote:
>>
>> On 19 Jun 2020, at 13:11, Wessel Louwris <[hidden email]> wrote:
>>> DEFAULT Ldap-UserDN := "%{User-Name}"
>>
>> Do google permit that format?
>>
>> i.e. if you run ldapsearch from the cli with `-D "username"` does it work?
>>
>> Adam Bishop
>
>
> Thanks for your reply! Yes, if I run
>
>  LDAPTLS_CERT=ldap-client.crt LDAPTLS_KEY=ldap-client.key ldapsearch -W -D [hidden email] -H ldaps://ldap.google.com -b dc=example,dc=com '(mail=[hidden email])'
>
> on the container where my freeradius is running, I can log in with the password of [hidden email] and get results.
>
> That’s why I hope I can convince freeradius to use that username for binding also.
>
> Kind regards,
>
> Wessel
>

That makes me think you probably just need to configure the LDAP module to turn what you give it into a DN similarly to how one might customize the queries used by the SQL module.

I haven’t used the LDAP module myself, so I can’t really help you there.

--
Coy Hile
[hidden email]






Re: I would like to ldap bind with username instead of DN

Alan DeKok-2
On Jun 19, 2020, at 8:11 AM, Wessel Louwris <[hidden email]> wrote:
>
> I would like to bind with the given username and skip the ldapsearch, so I implemented
>
> DEFAULT Ldap-UserDN := "%{User-Name}"
>
> in my authorize file (as described on https://wiki.freeradius.org/modules/Rlm_ldap <https://wiki.freeradius.org/modules/Rlm_ldap>).
> Unfortunately this seems to be not enough because it’s still binding with the DN:
>
> (6) ldap: Login attempt by "[hidden email] "

  It helps to show the FULL debug output.  You've deleted 99% of the output.  That means we don't know what else is going on.

> (6) ldap: Using user DN from request "uid= user,ou=Users,dc=example,dc=com"    # this is a wrong DN returned by ldapsearch
> (6) ldap: Waiting for bind result...
> (6) ldap: ERROR: Bind credentials incorrect: Invalid credentials

  My guess is that you're running the "files" module (which reads the users file) *after* the ldap module.

  Alan DeKok.



Re: I would like to ldap bind with username instead of DN

Wessel Louwris


> On 19 Jun 2020, at 16:55, Alan DeKok <[hidden email]> wrote:
>
> On Jun 19, 2020, at 8:11 AM, Wessel Louwris <[hidden email]> wrote:
>>
>> I would like to bind with the given username and skip the ldapsearch, so I implemented
>>
>> DEFAULT Ldap-UserDN := "%{User-Name}"
>>
>> in my authorize file (as described on https://wiki.freeradius.org/modules/Rlm_ldap <https://wiki.freeradius.org/modules/Rlm_ldap>).
>> Unfortunately this seems to be not enough because it’s still binding with the DN:
>>
>> (6) ldap: Login attempt by "[hidden email] "
>
>  It helps to show the FULL debug output.  You've deleted 99% of the output.  That means we don't know what else is going on.
>
>> (6) ldap: Using user DN from request "uid= user,ou=Users,dc=example,dc=com"    # this is a wrong DN returned by ldapsearch
>> (6) ldap: Waiting for bind result...
>> (6) ldap: ERROR: Bind credentials incorrect: Invalid credentials
>
>  My guess is that you're running the "files" module (which reads the users file) *after* the ldap module.
>
>  Alan DeKok.


If I authenticate with user [hidden email] <mailto:[hidden email]> (which is not in our main domain example.nl <http://example.nl/>) I get the log below.
With [hidden email] <mailto:[hidden email]> everything works fine (although it still binds with the full DN) and I can authenticate.

I hoped that DEFAULT Ldap-UserDN := "%{User-Name}" in my /etc/freeradius/mods-config/files/authorize would skip the ldapsearch and go straight to the binding with this username.

I also pasted my ldap, authorize, default file below the logs.

Thanks,
Wessel

## [hidden email]


(97) Received Access-Request Id 35 from 10.164.0.3:37310 to 172.17.0.6:1812 length 591
(97)   User-Name = "[hidden email]"
(97)   NAS-IP-Address = 172.16.16.101
(97)   NAS-Identifier = "4C-B1-CD-4A-B3-A8"
(97)   Called-Station-Id = "4C-B1-CD-4A-B3-A8:example"
(97)   NAS-Port-Type = Wireless-802.11
(97)   Service-Type = Framed-User
(97)   NAS-Port = 1
(97)   Calling-Station-Id = "A4-5E-60-DC-05-CF"
(97)   Location-Data = 0x31304e4c17174d616b657273747265657420446576656c6f706d656e74
(97)   Location-Data = 0x32304e4c1626467265642e526f65736b65737472616174393745203130373645432020416d7374657264616d
(97)   Connect-Info = "CONNECT 802.11"
(97)   Acct-Session-Id = "5EEF7342-0AB3A001"
(97)   Acct-Multi-Session-Id = "A737E56E6E72BF9E"
(97)   WLAN-Pairwise-Cipher = 1027076
(97)   WLAN-Group-Cipher = 1027076
(97)   WLAN-AKM-Suite = 1027073
(97)   Ruckus-SSID = "example"
(97)   Ruckus-BSSID = 0x4cb1cd4ab3a8
(97)   Ruckus-Location = "example"
(97)   Ruckus-VLAN-ID = 1
(97)   Ruckus-SCG-CBlade-IP = 600626236
(97)   Attr-26.25053.155 = 0x41646d696e697374726174696f6e20446f6d61696e
(97)   Ruckus-Zone-Name = "example"
(97)   Ruckus-Wlan-Name = "example"
(97)   EAP-Message = 0x025e003f1580000000351703030030e8e23bf39036dbd45371248590343102796b93bf10fbc8d28cf32ed50809ee15c4d28a12a2eb53c18cf686e0dda17e41
(97)   State = 0x2469b8502137ad1a348bcdde947a8261
(97)   Chargeable-User-Identity = 0x00
(97)   Message-Authenticator = 0xb1d164eef1c5725a9f35050eecb2bde7
(97)   Event-Timestamp = "Jun 21 2020 14:48:35 UTC"
(97)   Proxy-State = 0x3635
(97) Restoring &session-state
(97)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(97)   &session-state:TLS-Session-Version = "TLS 1.2"
(97) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(97)   authorize {
(97)     policy filter_username {
(97)       if (&User-Name) {
(97)       if (&User-Name)  -> TRUE
(97)       if (&User-Name)  {
(97)         if (&User-Name =~ / /) {
(97)         if (&User-Name =~ / /)  -> FALSE
(97)         if (&User-Name =~ /@[^@]*@/ ) {
(97)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(97)         if (&User-Name =~ /\.\./ ) {
(97)         if (&User-Name =~ /\.\./ )  -> FALSE
(97)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(97)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(97)         if (&User-Name =~ /\.$/)  {
(97)         if (&User-Name =~ /\.$/)   -> FALSE
(97)         if (&User-Name =~ /@\./)  {
(97)         if (&User-Name =~ /@\./)   -> FALSE
(97)       } # if (&User-Name)  = notfound
(97)     } # policy filter_username = notfound
(97)     [preprocess] = ok
(97)     [digest] = noop
(97) suffix: Checking for suffix after "@"
(97) suffix: Looking up realm "company.nl" for User-Name = "[hidden email]"
(97) suffix: No such realm "company.nl"
(97)     [suffix] = noop
(97) eap: Peer sent EAP Response (code 2) ID 94 length 63
(97) eap: Continuing tunnel setup
(97)     [eap] = ok
(97)   } # authorize = ok
(97) Found Auth-Type = eap
(97) # Executing group from file /etc/freeradius/sites-enabled/default
(97)   authenticate {
(97) eap: Expiring EAP session with state 0x16172ce416162ae1
(97) eap: Finished EAP session with state 0x2469b8502137ad1a
(97) eap: Previous EAP request found for state 0x2469b8502137ad1a, released from the list
(97) eap: Peer sent packet with method EAP TTLS (21)
(97) eap: Calling submodule eap_ttls to process data
(97) eap_ttls: Authenticate
(97) eap_ttls: Continuing EAP-TLS
(97) eap_ttls: Peer indicated complete TLS record size will be 53 bytes
(97) eap_ttls: Got complete TLS record (53 bytes)
(97) eap_ttls: [eaptls verify] = length included
(97) eap_ttls: [eaptls process] = ok
(97) eap_ttls: Session established.  Proceeding to decode tunneled attributes
(97) eap_ttls: Got tunneled request
(97) eap_ttls:   EAP-Message = 0x0201000d06353e643650396179
(97) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
(97) eap_ttls: Sending tunneled request
(97) Virtual server inner-tunnel received request
(97)   EAP-Message = 0x0201000d06353e643650396179
(97)   FreeRADIUS-Proxied-To = 127.0.0.1
(97)   User-Name = "[hidden email]"
(97)   State = 0x16172ce416162ae179e6db30cac8670e
(97) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(97) server inner-tunnel {
(97)   session-state: No cached attributes
(97)   # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
(97)     authorize {
(97)       policy filter_username {
(97)         if (&User-Name) {
(97)         if (&User-Name)  -> TRUE
(97)         if (&User-Name)  {
(97)           if (&User-Name =~ / /) {
(97)           if (&User-Name =~ / /)  -> FALSE
(97)           if (&User-Name =~ /@[^@]*@/ ) {
(97)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(97)           if (&User-Name =~ /\.\./ ) {
(97)           if (&User-Name =~ /\.\./ )  -> FALSE
(97)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(97)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(97)           if (&User-Name =~ /\.$/)  {
(97)           if (&User-Name =~ /\.$/)   -> FALSE
(97)           if (&User-Name =~ /@\./)  {
(97)           if (&User-Name =~ /@\./)   -> FALSE
(97)         } # if (&User-Name)  = notfound
(97)       } # policy filter_username = notfound
(97) suffix: Checking for suffix after "@"
(97) suffix: Looking up realm "company.nl" for User-Name = "[hidden email]"
(97) suffix: No such realm "company.nl"
(97)       [suffix] = noop
(97)       update control {
(97)         &Proxy-To-Realm := LOCAL
(97)       } # update control = noop
(97) eap: Peer sent EAP Response (code 2) ID 1 length 13
(97) eap: No EAP Start, assuming it's an on-going EAP conversation
(97)       [eap] = updated
rlm_ldap (ldap): Reserved connection (23)
(97) ldap: EXPAND (mail=%{User-Name})
(97) ldap:    --> (mail=[hidden email])
(97) ldap: Performing search in "dc=example,dc=nl" with filter "(mail=[hidden email])", scope "sub"
(97) ldap: Waiting for search result...
(97) ldap: User object found at DN "uid=migr03,ou=Users,dc=example,dc=nl"
(97) ldap: Processing user attributes
(97) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(97) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (23)
(97)       [ldap] = ok
(97)       [expiration] = noop
(97)       [logintime] = noop
(97)       [pap] = noop
(97)       if (User-Password) {
(97)       if (User-Password)  -> FALSE
(97)     } # authorize = updated
(97)   Found Auth-Type = eap
(97)   # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(97)     authenticate {
(97) eap: Expiring EAP session with state 0x16172ce416162ae1
(97) eap: Finished EAP session with state 0x16172ce416162ae1
(97) eap: Previous EAP request found for state 0x16172ce416162ae1, released from the list
(97) eap: Peer sent packet with method EAP GTC (6)
(97) eap: Calling submodule eap_gtc to process data
(97) eap_gtc: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(97) eap_gtc:   Auth-Type PAP {
rlm_ldap (ldap): Reserved connection (28)
(97) ldap: Login attempt by "[hidden email]"
(97) ldap: Using user DN from request "uid=migr03,ou=Users,dc=example,dc=nl"
(97) ldap: Waiting for bind result...
(97) ldap: ERROR: Bind credentials incorrect: Invalid credentials
(97) ldap: ERROR: Server said: Incorrect password.
rlm_ldap (ldap): Released connection (28)
(97) eap_gtc:     [ldap] = reject
(97) eap_gtc:   } # Auth-Type PAP = reject
(97) eap: ERROR: Failed continuing EAP GTC (6) session.  EAP sub-module failed
(97) eap: Sending EAP Failure (code 4) ID 1 length 4
(97) eap: Failed in EAP select
(97)       [eap] = invalid
(97)     } # authenticate = invalid
(97)   Failed to authenticate the user
(97)   Using Post-Auth-Type Reject
(97)   # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(97)     Post-Auth-Type REJECT {
(97) attr_filter.access_reject: EXPAND %{User-Name}
(97) attr_filter.access_reject:    --> [hidden email]
(97) attr_filter.access_reject: Matched entry DEFAULT at line 11
(97)       [attr_filter.access_reject] = updated
(97)       update outer.session-state {
(97)         &Module-Failure-Message := &request:Module-Failure-Message -> 'ldap: Bind credentials incorrect: Invalid credentials'
(97)       } # update outer.session-state = noop
(97)     } # Post-Auth-Type REJECT = updated
(97) } # server inner-tunnel
(97) Virtual server sending reply
(97)   EAP-Message = 0x04010004
(97)   Message-Authenticator = 0x00000000000000000000000000000000
(97) eap_ttls: Got tunneled Access-Reject
(97) eap: ERROR: Failed continuing EAP TTLS (21) session.  EAP sub-module failed
(97) eap: Sending EAP Failure (code 4) ID 94 length 4
(97) eap: Failed in EAP select
(97)     [eap] = invalid
(97)   } # authenticate = invalid
(97) Failed to authenticate the user
(97) Using Post-Auth-Type Reject
(97) # Executing group from file /etc/freeradius/sites-enabled/default
(97)   Post-Auth-Type REJECT {
(97) attr_filter.access_reject: EXPAND %{User-Name}
(97) attr_filter.access_reject:    --> [hidden email]
(97) attr_filter.access_reject: Matched entry DEFAULT at line 11
(97)     [attr_filter.access_reject] = updated
(97)     [eap] = noop
(97)     policy remove_reply_message_if_eap {
(97)       if (&reply:EAP-Message && &reply:Reply-Message) {
(97)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(97)       else {
(97)         [noop] = noop
(97)       } # else = noop
(97)     } # policy remove_reply_message_if_eap = noop
(97)   } # Post-Auth-Type REJECT = updated
(97) Delaying response for 1.000000 seconds
Waking up in 0.9 seconds.
(97) Sending delayed response
(97) Sent Access-Reject Id 35 from 172.17.0.6:1812 to 10.164.0.3:37310 length 48
(97)   EAP-Message = 0x045e0004
(97)   Message-Authenticator = 0x00000000000000000000000000000000
(97)   Proxy-State = 0x3635
Waking up in 3.1 seconds.
(91) Cleaning up request packet ID 234 with timestamp +898
(92) Cleaning up request packet ID 242 with timestamp +898
(93) Cleaning up request packet ID 173 with timestamp +898
(94) Cleaning up request packet ID 28 with timestamp +898
(95) Cleaning up request packet ID 24 with timestamp +898
(96) Cleaning up request packet ID 144 with timestamp +898
Waking up in 0.5 seconds.
(97) Cleaning up request packet ID 35 with timestamp +898
Ready to process requests



My ldap config /etc/freeradius/mods-available/ldap:

ldap {
    server = 'ldaps://ldap.google.com'
    port = 636
    identity = 'XX'
    password = XX
    base_dn = 'dc=example,dc=nl'
    sasl {
    }
    update {
        control:Password-With-Header    += 'userPassword'
        control:Cleartext-Password      := 'userPassword'
        control:NT-Password        := 'ntPassword'
        control:            += 'radiusControlAttribute'
        request:            += 'radiusRequestAttribute'
        reply:                += 'radiusReplyAttribute'
    }
    user_dn = "LDAP-UserDn"
    user {
        base_dn = "${..base_dn}"
        filter = "(mail=%{User-Name})"
        sasl {
        }
    }
    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=posixGroup)'
        membership_attribute = 'memberOf'
    }
    profile {
    }
    client {
        base_dn = "${..base_dn}"
        filter = '(objectClass=radiusClient)'
        template {
   
        }
        attribute {
            ipaddr                = 'radiusClientIdentifier'
            secret                = 'radiusClientSecret'
        }
    }
    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}}"
        type {
            start {
                update {
                    description := "Online at %S"
                }
            }
            interim-update {
                update {
                    description := "Last seen at %S"
                }
            }
            stop {
                update {
                    description := "Offline at %S"
                }
            }
        }
    }
    post-auth {
        update {
        }
    }
    options {
        chase_referrals = yes
        rebind = yes
        res_timeout = 10
        srv_timelimit = 3
        net_timeout = 1
        idle = 60
        probes = 3
        interval = 3
        ldap_debug = 0x0028
    }
    tls {
        start_tls = no
        certificate_file = /etc/freeradius/certs/ldap-client.crt
        private_key_file = /etc/freeradius/certs/ldap-client.key
        require_cert    = 'allow'
    }
    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 0
        idle_timeout = 60
    }
}


my /etc/freeradius/mods-config/files/authorize

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP

DEFAULT Ldap-UserDN := "%{User-Name}"


my /etc/freeradius/sites-available/default:

server default {
listen {
    type = auth
    ipaddr = *
    port = 0
    limit {
          max_connections = 16
          lifetime = 0
          idle_timeout = 30
    }
}
listen {
    ipaddr = *
    port = 0
    type = acct
    limit {
    }
}
listen {
    type = auth
    ipv6addr = ::    
    port = 0
    limit {
          max_connections = 16
          lifetime = 0
          idle_timeout = 30
    }
}
listen {
    ipv6addr = ::
    port = 0
    type = acct
    limit {
    }
}
authorize {
    filter_username
    preprocess
    digest
    suffix
    eap {
        ok = return
    }
    files
    -sql
    ldap
    expiration
    logintime
    pap
        if (User-Password) {
            update control {
                   Auth-Type := ldap
            }
        }
}
authenticate {
    Auth-Type PAP {
        ldap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    mschap
    digest
        ldap
    eap
}
preacct {
    preprocess
    acct_unique
    suffix
    files
}
accounting {
    detail
    unix
    -sql
    exec
    attr_filter.accounting_response
}
session {
}
post-auth {
    if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
        update reply {
            &User-Name !* ANY
        }
    }
    update {
        &reply: += &session-state:
    }
    -sql
    exec
    remove_reply_message_if_eap
    Post-Auth-Type REJECT {
        -sql
        attr_filter.access_reject
        eap
        remove_reply_message_if_eap
    }
    Post-Auth-Type Challenge {
    }
}
pre-proxy {
}
post-proxy {
    eap
}
}


Re: I would like to ldap bind with username instead of DN

Alan DeKok-2
On Jun 21, 2020, at 11:08 AM, Wessel Louwris <[hidden email]> wrote:
>
> If I authenticate with user [hidden email] <mailto:[hidden email]> (which is not in our main domain example.nl <http://example.nl/>) I get the log below.
> With [hidden email] <mailto:[hidden email]> everything works fine (although it still binds with the full DN) and I can authenticate.
>
> I hoped that DEFAULT Ldap-UserDN := "%{User-Name}" in my /etc/freeradius/mods-config/files/authorize would skip the ldapsearch and go straight to the binding with this username.
>
> I also pasted my ldap, authorize, default file below the logs.

  Don't do that.  Read the docs: http://wiki.freeradius.org/list-help

> (97) Received Access-Request Id 35 from 10.164.0.3:37310 to 172.17.0.6:1812 length 591
> (97)   User-Name = "[hidden email]"

  You're still not posting the FULL debug output.  I asked you to do that.

  The reason you're having issues is simple:  You're not reading the documentation, and you're not following instructions.

  I asked you to post the FULL debug output.  You didn't do that.  The documentation says DON'T post configuration files.  You did that.

  If you simply read the documentation and follow instructions, you can get the issue fixed.  Quickly.  The more you fight, the longer it will take to fix the issue.

...

> (97) # Executing section authorize from file /etc/freeradius/sites-enabled/default
> (97)   authorize {
> (97)     policy filter_username {
> (97)       if (&User-Name) {
> (97)       if (&User-Name)  -> TRUE
> (97)       if (&User-Name)  {
> (97)         if (&User-Name =~ / /) {
> (97)         if (&User-Name =~ / /)  -> FALSE
> (97)         if (&User-Name =~ /@[^@]*@/ ) {
> (97)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (97)         if (&User-Name =~ /\.\./ ) {
> (97)         if (&User-Name =~ /\.\./ )  -> FALSE
> (97)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (97)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (97)         if (&User-Name =~ /\.$/)  {
> (97)         if (&User-Name =~ /\.$/)   -> FALSE
> (97)         if (&User-Name =~ /@\./)  {
> (97)         if (&User-Name =~ /@\./)   -> FALSE
> (97)       } # if (&User-Name)  = notfound
> (97)     } # policy filter_username = notfound
> (97)     [preprocess] = ok
> (97)     [digest] = noop
> (97) suffix: Checking for suffix after "@"
> (97) suffix: Looking up realm "company.nl" for User-Name = "[hidden email]"
> (97) suffix: No such realm "company.nl"
> (97)     [suffix] = noop
> (97) eap: Peer sent EAP Response (code 2) ID 94 length 63
> (97) eap: Continuing tunnel setup
> (97)     [eap] = ok
> (97)   } # authorize = ok

  And no mention of the "files" module

  i.e. you edited the default configuration and broke it.  Don't do that.

> (97) server inner-tunnel {
> (97)   session-state: No cached attributes
> (97)   # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
> (97)     authorize {
> (97)       policy filter_username {
> (97)         if (&User-Name) {
> (97)         if (&User-Name)  -> TRUE
> (97)         if (&User-Name)  {
> (97)           if (&User-Name =~ / /) {
> (97)           if (&User-Name =~ / /)  -> FALSE
> (97)           if (&User-Name =~ /@[^@]*@/ ) {
> (97)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (97)           if (&User-Name =~ /\.\./ ) {
> (97)           if (&User-Name =~ /\.\./ )  -> FALSE
> (97)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (97)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (97)           if (&User-Name =~ /\.$/)  {
> (97)           if (&User-Name =~ /\.$/)   -> FALSE
> (97)           if (&User-Name =~ /@\./)  {
> (97)           if (&User-Name =~ /@\./)   -> FALSE
> (97)         } # if (&User-Name)  = notfound
> (97)       } # policy filter_username = notfound
> (97) suffix: Checking for suffix after "@"
> (97) suffix: Looking up realm "company.nl" for User-Name = "[hidden email]"
> (97) suffix: No such realm "company.nl"
> (97)       [suffix] = noop
> (97)       update control {
> (97)         &Proxy-To-Realm := LOCAL
> (97)       } # update control = noop
> (97) eap: Peer sent EAP Response (code 2) ID 1 length 13
> (97) eap: No EAP Start, assuming it's an on-going EAP conversation
> (97)       [eap] = updated
> rlm_ldap (ldap): Reserved connection (23)
> (97) ldap: EXPAND (mail=%{User-Name})
> (97) ldap:    --> (mail=[hidden email])
> (97) ldap: Performing search in "dc=example,dc=nl" with filter "(mail=[hidden email])", scope "sub"
> (97) ldap: Waiting for search result...
> (97) ldap: User object found at DN "uid=migr03,ou=Users,dc=example,dc=nl"
> (97) ldap: Processing user attributes
> (97) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
> (97) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
> rlm_ldap (ldap): Released connection (23)
> (97)       [ldap] = ok
> (97)       [expiration] = noop
> (97)       [logintime] = noop
> (97)       [pap] = noop
> (97)       if (User-Password) {
> (97)       if (User-Password)  -> FALSE
> (97)     } # authorize = updated

  And no mention of the "files" module here, either.

  It's a complete mystery to me why people delete things from the configuration, and are then surprised that it doesn't work.

  If you tell the server to NOT use the "files" module, then it won't use the "files" module.  And anything you put into mods-config/files/authorize will be ignored.

  Alan DeKok.


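Added example, not code from the thread or from the FreeRADIUS project: a small Python checker that reads `radiusd -X` output and reports the two things Alan is pointing at. First, for every authorize section in the debug output, whether "files" ran before "ldap" (if "files" is not listed in the authorize section of the default and inner-tunnel servers, a Ldap-UserDN check item in mods-config/files/authorize is never applied). Second, where the DN rlm_ldap bound with actually came from: the first rlm_ldap line that names the user's DN is "User object found at DN" when a search produced it, and "Using user DN from request" when the request already carried it, so a later "Using user DN from request" line on its own does not prove the users-file entry took effect. The sample log lines are constructed, modelled on request (97) above with placeholder addresses; request (98) is an invented good case and the regexes and function names are this example's own.

```python
import re

# Constructed sample, modelled on the radiusd -X excerpt posted in the thread (addresses are
# placeholders).  Request (97) mirrors the failing case: "files" never ran in authorize, rlm_ldap
# searched for the user and later bound with the DN the search returned.  Request (98) is an
# invented good case: "files" ran before "ldap" and supplied the DN, so no search took place.
SAMPLE_LOG = """\
(97) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(97)     [preprocess] = ok
(97)     [digest] = noop
(97)     [suffix] = noop
(97)     [eap] = ok
(97)   } # authorize = ok
(97)   # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
(97)       [suffix] = noop
(97)       [eap] = updated
(97) ldap: Performing search in "dc=example,dc=nl" with filter "(mail=user@company.nl)", scope "sub"
(97) ldap: User object found at DN "uid=migr03,ou=Users,dc=example,dc=nl"
(97)       [ldap] = ok
(97)       [pap] = noop
(97)     } # authorize = updated
(97) ldap: Login attempt by "user@company.nl"
(97) ldap: Using user DN from request "uid=migr03,ou=Users,dc=example,dc=nl"
(97) ldap: ERROR: Bind credentials incorrect: Invalid credentials
(98)   # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
(98)       [suffix] = noop
(98)       [eap] = updated
(98) files: users: Matched entry DEFAULT at line 12
(98)       [files] = ok
(98)       [ldap] = ok
(98)     } # authorize = updated
(98) ldap: Using user DN from request "user@company.nl"
"""

SECTION_RE = re.compile(r'^\((\d+)\)\s+# Executing section (\w+) from file (\S+)$')
SECTION_END_RE = re.compile(r'^\((\d+)\)\s+\} # (\w+) = \w+$')
MODULE_RE = re.compile(r'^\((\d+)\)\s+\[([\w.-]+)\] = \w+$')
DN_FOUND_RE = re.compile(r'^\((\d+)\) ldap: User object found at DN "(.*?)"')
DN_REQUEST_RE = re.compile(r'^\((\d+)\) ldap: Using user DN from request "(.*?)"')


def authorize_module_order(log_text):
    """Map (request id, virtual server) -> module names in the order they ran in authorize."""
    order = {}
    key = None  # the authorize section currently open, if any
    for line in log_text.splitlines():
        m = SECTION_RE.match(line)
        if m and m.group(2) == "authorize":
            key = (m.group(1), m.group(3).rsplit("/", 1)[-1])
            order[key] = []
            continue
        m = SECTION_END_RE.match(line)
        if m and m.group(2) == "authorize":
            key = None
            continue
        m = MODULE_RE.match(line)
        if m and key is not None:
            order[key].append(m.group(2))
    return order


def files_runs_before_ldap(modules):
    """True if files ran before ldap, False if ldap ran without files ahead of it,
    None if ldap did not run in this section at all."""
    if "ldap" not in modules:
        return None
    if "files" not in modules:
        return False
    return modules.index("files") < modules.index("ldap")


def bind_dn_source(log_text):
    """Map request id -> (DN, 'search' | 'request'), decided by the first rlm_ldap
    line that names the user's DN for that request."""
    source = {}
    for line in log_text.splitlines():
        for regex, origin in ((DN_FOUND_RE, "search"), (DN_REQUEST_RE, "request")):
            m = regex.match(line)
            if m and m.group(1) not in source:
                source[m.group(1)] = (m.group(2), origin)
    return source


def diagnose(log_text):
    """Return human-readable findings; an empty list means both checks passed."""
    findings = []
    for (rid, server), modules in authorize_module_order(log_text).items():
        if files_runs_before_ldap(modules) is False:
            findings.append(f"request {rid}, server {server}: ldap ran in authorize without "
                            "'files' before it, so a Ldap-UserDN check item in "
                            "mods-config/files/authorize cannot take effect")
    for rid, (dn, origin) in bind_dn_source(log_text).items():
        if origin == "search":
            findings.append(f"request {rid}: DN {dn!r} came from the LDAP search, "
                            "not from the request")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG) or ["no findings"]:
        print(finding)
```

Run it against a saved copy of the full debug output instead of SAMPLE_LOG to check a real server. Note the flip side of the fix the thread is after: with DEFAULT Ldap-UserDN := "%{User-Name}" the supplied identity decides which DN is bound, and since the log shows no "known good" password being read, authentication then rests entirely on the bind succeeding, which only works for password types the bind can check (the PAP path via EAP-GTC seen in the log).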

Re: I would like to ldap bind with username instead of DN

Wessel Louwris


> On 21 Jun 2020, at 17:24, Alan DeKok <[hidden email]> wrote:
>
> On Jun 21, 2020, at 11:08 AM, Wessel Louwris <[hidden email]> wrote:
>>
>> If I authenticate with user [hidden email] <mailto:[hidden email]> (which is not in our main domain example.nl <http://example.nl/>) I get the log below.
>> With [hidden email] <mailto:[hidden email]> everything works fine (although it still binds with the full DN) and I can authenticate.
>>
>> I hoped that DEFAULT Ldap-UserDN := "%{User-Name}" in my /etc/freeradius/mods-config/files/authorize would skip the ldapsearch and go straight to the binding with this username.
>>
>> I also pasted my ldap, authorize, default file below the logs.
>
>  Don't do that.  Read the docs: http://wiki.freeradius.org/list-help
>
>> (97) Received Access-Request Id 35 from 10.164.0.3:37310 to 172.17.0.6:1812 length 591
>> (97)   User-Name = "[hidden email]"
>
>  You're still not posting the FULL debug output.  I asked you to do that.
>
>  The reason you're having issues is simple:  You're not reading the documentation, and you're not following instructions.
>
>  I asked you to post the FULL debug output.  You didn't do that.  The documentation says DON'T post configuration files.  You did that.

This is the output from freeradius -f -X


>  If you simply read the documentation and follow instructions, you can get the issue fixed.  Quickly.  The more you fight, the longer it will take to fix the issue.

I started from https://github.com/hacor/unifi-freeradius-ldap <https://github.com/hacor/unifi-freeradius-ldap> because that was kind of my use case.
I will try to start from scratch and see what happens then.

Thanks again.

Wessel




Re: I would like to ldap bind with username instead of DN

Matthew Newton-3


On 21/06/2020 16:34, Wessel Louwris wrote:
>>   I asked you to post the FULL debug output.  You didn't do that.  The documentation says DON'T post configuration files.  You did that.
>
> This is the output from freeradius -f -X

We got so fed up with people posting small chunks of debug output with
useful information missing that we created a wiki page with information
on what to post and how to get it. And, in so many cases, even after
having been given a link to that very page the wrong information is posted.

There's even a heading "Full server debug output" and important things
highlighted in bold, and a section "Getting debug output" which tells
you how to get everything and what to post, and an example of what's good.

Not really sure how much clearer it could be? What should be updated on
that page to make it easier to understand? (Legitimate question - if
it's not clear, it needs updating so that people understand it.)

--
Matthew

Re: I would like to ldap bind with username instead of DN

Wessel Louwris

> On 21/06/2020 16:34, Wessel Louwris wrote:
>>>  I asked you to post the FULL debug output.  You didn't do that.  The documentation says DON'T post configuration files.  You did that.
>> This is the output from freeradius -f -X
>
> We got so fed up with people posting small chunks of debug output with useful information missing that we created a wiki page with information on what to post and how to get it. And, in so many cases, even after having been given a link to that very page the wrong information is posted.
>
> There's even a heading "Full server debug output" and important things highlighted in bold, and a section "Getting debug output" which tells you how to get everything and what to post, and an example of what's good.
>
> Not really sure how much clearer it could be? What should be updated on that page to make it easier to understand? (Legitimate question - if it's not clear, it needs updating so that people understand it.)


Well, from this wiki: "start the server in debugging mode: radiusd -X",
which is what I did.

And: “If you get stuck, ask for help on the freeradius-users mailing list. Include a description of what you are trying to do, and the entire debugging output, especially output showing the server receiving and processing test packets.”

Maybe I am misunderstanding things, but the "especially" statement is kind of saying "not the whole process of starting up the server".
So I posted only my output showing the server receiving and processing test packets. At least, I think I did that.
But from Alan's response I think the startup is the part he's missing?

Anyway… I have an idea where I should be looking: only using LDAP for authentication and using the files module for authorization. I'm diving into the docs etc. now.

Regards, Wessel


Re: I would like to ldap bind with username instead of DN

Alan DeKok-2
On Jun 21, 2020, at 4:26 PM, Wessel Louwris <[hidden email]> wrote:
> Well, from this wiki: "start the server in debugging mode: radiusd -X",
> which is what I did.
>
> And: “If you get stuck, ask for help on the freeradius-users mailing list. Include a description of what you are trying to do, and the entire debugging output, especially output showing the server receiving and processing test packets.”
>
> Maybe I am misunderstanding things, but the "especially" statement is kind of saying "not the whole process of starting up the server".

  "Especially" in this case means "please include packet processing".  It doesn't mean "delete everything else".

  And why do we say "please include packet processing"?  Because when we just said "post the debug output", we had an endless stream of people posting the debug output where the server started up... and didn't process packets.  How they expected to debug packet processing that way, I have zero clue.

  So the message is pretty clear: no matter what we say, people will interpret it as the *opposite* of what we said.

> So I posted only my output showing the server receiving and processing test packets. At least, I think I did that.
> But from Alan's response I think the startup is the part he's missing?

  The wiki page shows a FULL debug output.  Starting up, AND packet processing.  You were told to NOT edit the debug output, and instead post the FULL debug output.  So... an edited debug output was posted.

> Anyway… I have an idea where I should be looking: only using LDAP for authentication and using the files module for authorization. I'm diving into the docs etc. now.

  That would be nice.

  What I *don't* like is hiding information.  If you use some random docker image to run FreeRADIUS, then you need to SAY SO in the first message to the list.  Or, you need to contact the author of that image, and ask him why his image doesn't work.  When you ask us to debug someone else's broken configuration, it's annoying.

  Our software works.  Our documentation is pretty good.  To the point where a high percentage of messages on this list are "PLEASE FOR THE LOVE OF GOD READ THE DOCS".

  Alan DeKok.

