using previous DN in DEFAULT

[Rohaizam Abu Bakar]

Hi..

Freeradius 1.1.2
OS : FreeBSD 6.1
Referring to below debug logs and config.. I'm planning to have 2 DEFAULT 
entries in users.. One that read LDAP tree ou=DIALUP & one ou=RADIUS

but 1st DEFAULT entry will only be matched if it contain attribute 
"jaringService = REAL" in ou=DIALUP.. Other than that it will match 2nd 
entry...

But the problem is that although first DEFAULT is NOT matched, and matched 
2nd DEFAULT (Auth & Autz Type LDAP), it will still bind using ou=DIALUP 
(from 1st DEFAULT) to LDAP....

rlm_ldap: user DN: 
uniqueIdentifier=10614,ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my

The problem happen when both LDAP tree has entry with same uid...   but 
different password and belong to different person.


users:-
====

## NEW Dialup (REAL TIME)
DEFAULT         ldapdialup1-Ldap-Group == "REAL", Autz-Type := DIALUP, 
Auth-Type :=DIALUP

## NORMAL DIALUP
DEFAULT         Autz-Type := LDAP, Auth-Type := LDAP


radiusd.conf
========

       ldap ldap1 {
               basedn = "ou=RADIUS,ou=People,dc=jaring,dc=my"
               groupname_attribute = jaringConnectionType
               groupmembership_filter = 
"(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
               }
       ldap ldap2 {
               basedn = "ou=RADIUS,ou=People,dc=jaring,dc=my"
               groupname_attribute = jaringConnectionType
               groupmembership_filter = 
"(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
     }
       ldap ldapdialup1 {
               basedn = "ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my"
               groupname_attribute = jaringService
               groupmembership_filter = 
"(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
       }
       ldap ldapdialup2 {
               basedn = "ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my"
               groupname_attribute = jaringService
               groupmembership_filter = 
"(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
       }

       Autz-Type LDAP {
               redundant {
                       ldap1
                       ldap2
               }
       }
       Autz-Type DIALUP {
               redundant {
                       ldapdialup1
                       ldapdialup2
               }
       }

       Auth-Type LDAP {
               redundant {
                       ldap1
                       ldap2
               }
       }
       Auth-Type DIALUP {
               redundant {
                       ldapdialup1
                       ldapdialup2
               }
       }


debug:-
=====

rad_recv: Access-Request packet from host xxxxxxxxxxxxxxx:60005, id=41, 
length=46
       User-Name = "bacang"
       User-Password = "xxxxxx"
rad_rmspace_pair:  User-Name now 'bacang'
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
 modcall[authorize]: module "preprocess" returns ok for request 0
 modcall[authorize]: module "chap" returns noop for request 0
 modcall[authorize]: module "mschap" returns noop for request 0
   rlm_realm: No '/' in User-Name = "bacang", skipping NULL due to config.
 modcall[authorize]: module "IPASS" returns noop for request 0
   rlm_realm: No '@' in User-Name = "bacang", looking up realm NULL
   rlm_realm: Found realm "NULL"
   rlm_realm: Adding Stripped-User-Name = "bacang"
   rlm_realm: Proxying request from user bacang to realm NULL
   rlm_realm: Adding Realm = "NULL"
   rlm_realm: Authentication realm is LOCAL.
 modcall[authorize]: module "suffix" returns noop for request 0
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module "eap" returns noop for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my'
radius_xlat:  '(uid=bacang)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to xxxxxxxxx:389, authentication 0
rlm_ldap: bind as cn=xxxxxxxxx,ou=Applications,dc=jaring,dc=my/xxxxxxxxxxx 
to xxxxxxxxx:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my, 
with filter (uid=bacang)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat:  '(&(uid=bacang)(objectclass=radiusprofile))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my, 
with filter 
(&(jaringService=REAL)(&(uid=bacang)(objectclass=radiusprofile)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group REAL not found or user is not a member.
   users: Matched entry DEFAULT at line 23
 modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
 Found Autz-Type LDAP
 Processing the authorize section of radiusd.conf
modcall: entering group LDAP for request 0
modcall: entering group redundant  for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for bacang
radius_xlat:  '(uid=bacang)'
radius_xlat:  'ou=RADIUS,ou=People,dc=jaring,dc=my'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to xxxxxxxxxx:389, authentication 0
rlm_ldap: bind as cn=xxxxxxxxx,ou=Applications,dc=jaring,dc=my/xxxxxxxxxxx 
to xxxxxxxxxxxx:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=RADIUS,ou=People,dc=jaring,dc=my, with 
filter (uid=bacang)
rlm_ldap: checking if remote access for bacang is allowed by dialupAccess
rlm_ldap: Added password {CRYPT}Y3EhshegMNPxA in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value 
Van-Jacobson-TCP-IP & op=11
rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500 & op=11
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP & op=11
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & 
op=11
rlm_ldap: user bacang authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module "ldap1" returns ok for request 0
modcall: leaving group redundant  (returns ok) for request 0
modcall: leaving group LDAP (returns ok) for request 0
 rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
 Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
modcall: entering group redundant  for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "bacang" with password "xxxxxxxx"
rlm_ldap: user DN: 
uniqueIdentifier=10614,ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my
rlm_ldap: (re)connect to xxxxxxxxxxxxxx:389, authentication 1
rlm_ldap: bind as 
uniqueIdentifier=10614,ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my/xxxxxxxxx 
to xxxxxxxxxxxx:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
 modcall[authenticate]: module "ldap1" returns reject for request 0
modcall: leaving group redundant  (returns reject) for request 0
modcall: leaving group LDAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect (rlm_ldap: Bind as user failed): [bacang] (from client 
sysadmin port 0)



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html