At 14:19 +0200 Alan DeKok wrote:
I have run into another bug: if I instantiate rlm_ldap in my servers
"dcs-inner" and "maths-inner", it seems to use the base DN for
"maths-inner" (instantiated second) for queries from "dcs-inner".
As always, debug mode.
By this point we've correctly walked from default -> dcs -> dcs-inner.
But... as dcs-inner invokes rlm_ldap, it's using the wrong ldap instance:
server dcs-inner {
+- entering group authorize {...}
[dcs-inner-preprocess] hints: Matched DEFAULT at 1
++[dcs-inner-preprocess] returns ok
++? if ("%{User-Name}" =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/)
expand: %{User-Name} -> mb
? Evaluating ("%{User-Name}" =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/) ->
TRUE
++? if ("%{User-Name}" =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/) -> TRUE
++- entering if ("%{User-Name}" =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/)
{...}
expand: %{1} -> mb
+++[request] returns ok
++- if ("%{User-Name}" =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/) returns
ok
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
[dcs-inner-eap] No EAP-Message, not doing EAP
++[dcs-inner-eap] returns noop
rlm_ldap: Entering ldap_groupcmp()
[dcs-inner-files] expand: dc=maths,dc=qmul,dc=ac,dc=uk ->
dc=maths,dc=qmul,dc=ac,dc=uk
[dcs-inner-files] expand: (uid=%{Stripped-User-Name}) -> (uid=mb)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldapserver.maths.qmul.ac.uk:389, authentication 0
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: starting TLS
rlm_ldap: bind as cn=radiusd,dc=maths,dc=qmul,dc=ac,dc=uk/xxxxxxxx to
ldapserver.maths.qmul.ac.uk:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=maths,dc=qmul,dc=ac,dc=uk, with filter
(uid=mb)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
My radius.conf includes:
modules {
    $INCLUDE ${confdir}/modules/
    $INCLUDE ${confdir}/dcs/modules.conf
    $INCLUDE ${confdir}/maths/modules.conf
}
instantiate {
}
$INCLUDE ${confdir}/dcs/server
$INCLUDE ${confdir}/maths/server
NB x/modules.conf includes x/inner/modules.conf and x/server includes
x/inner/server for x in {dcs, maths}. The "server" files, modulo these
includes, only contain server{} blocks.
If I transpose the $INCLUDE ${confdir}/x/server lines, then it uses the
dcs LDAP instance, AFAICT:
server dcs-inner {
+- entering group authorize {...}
[dcs-inner-preprocess] hints: Matched DEFAULT at 1
++[dcs-inner-preprocess] returns ok
++? if ("%{User-Name}" =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/)
expand: %{User-Name} -> mb
? Evaluating ("%{User-Name}" =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/) ->
TRUE
++? if ("%{User-Name}" =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/) -> TRUE
++- entering if ("%{User-Name}" =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/)
{...}
expand: %{1} -> mb
+++[request] returns ok
++- if ("%{User-Name}" =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/) returns
ok
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
[dcs-inner-eap] No EAP-Message, not doing EAP
++[dcs-inner-eap] returns noop
rlm_ldap: Entering ldap_groupcmp()
[dcs-inner-files] expand: dc=dcs,dc=qmul,dc=ac,dc=uk ->
dc=dcs,dc=qmul,dc=ac,dc=uk
[dcs-inner-files] expand: %{Stripped-User-Name} -> mb
[dcs-inner-files] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=mb)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to mortar.dcs.qmul.ac.uk:389, authentication 0
rlm_ldap: setting TLS CACert File to /etc/raddb/dcs/certs/DCS_CA_cert.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: bind as
cn=radiusd,ou=Infrastructure,dc=dcs,dc=qmul,dc=ac,dc=uk/xxxxxxxxxx to
mortar.dcs.qmul.ac.uk:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dcs,dc=qmul,dc=ac,dc=uk, with filter (uid=mb)
rlm_ldap: ldap_release_conn: Release Id: 0
${confdir}/dcs/inner/server references ${confdir}/dcs/inner/ldap.common
which contains
identity = "cn=radiusd,ou=Infrastructure,dc=dcs,dc=qmul,dc=ac,dc=uk"
basedn = "dc=dcs,dc=qmul,dc=ac,dc=uk"
etc. whereas ${confdir}/maths/inner/server references
${confdir}/maths/inner/ldap.common which contains
identity = "cn=radiusd,dc=maths,dc=qmul,dc=ac,dc=uk"
basedn = "dc=maths,dc=qmul,dc=ac,dc=uk"
and so on.
I'm guessing that such parameters aren't scoped locally enough.
HTH
Matt
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
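A small check for the symptom described in the post above, added here as an example (it is not Matt's code and not part of FreeRADIUS): it walks `radiusd -X` debug output, attributes each rlm_ldap connect/search line to the most recent `server NAME {` scope, and reports every search whose base DN differs from the one that virtual server is supposed to use. The expected-base-DN table is an assumption built from the ldap.common values quoted in the post, and the two log excerpts are constructed from the post's output rather than copied verbatim.

```python
import re

# Hypothetical expectations for this example: which base DN each virtual
# server should be querying, taken from the ldap.common values in the post.
EXPECTED_BASEDN = {
    "dcs-inner": "dc=dcs,dc=qmul,dc=ac,dc=uk",
    "maths-inner": "dc=maths,dc=qmul,dc=ac,dc=uk",
}

SERVER_RE = re.compile(r"^server (\S+) \{")
SEARCH_RE = re.compile(r"^rlm_ldap: performing search in (.+?), with filter (.*)$")
CONNECT_RE = re.compile(r"^rlm_ldap: \(re\)connect to ([\w.-]+):(\d+)")


def ldap_activity_by_server(debug_lines):
    """Map each virtual server seen in radiusd -X output to the LDAP hosts it
    connected to and the base DNs it searched. The current server is the most
    recent 'server NAME {' line; rlm_ldap lines are attributed to that scope."""
    current = None
    activity = {}
    for raw in debug_lines:
        line = raw.strip()
        m = SERVER_RE.match(line)
        if m:
            current = m.group(1)
            activity.setdefault(current, {"hosts": [], "basedns": []})
            continue
        if current is None:
            continue  # rlm_ldap output before any server scope is ignored
        m = CONNECT_RE.match(line)
        if m:
            activity[current]["hosts"].append(m.group(1))
            continue
        m = SEARCH_RE.match(line)
        if m:
            activity[current]["basedns"].append(m.group(1))
    return activity


def find_basedn_mismatches(debug_lines, expected=EXPECTED_BASEDN):
    """Return (server, observed_basedn, expected_basedn) for every search that
    ran against a base DN other than the one that server is meant to use."""
    mismatches = []
    for server, info in ldap_activity_by_server(debug_lines).items():
        want = expected.get(server)
        if want is None:
            continue  # no expectation recorded for this server
        for got in info["basedns"]:
            if got != want:
                mismatches.append((server, got, want))
    return mismatches


# Constructed excerpts modelled on the post's debug output (not verbatim).
BUGGY_DEBUG = """\
server dcs-inner {
+- entering group authorize {...}
rlm_ldap: Entering ldap_groupcmp()
rlm_ldap: (re)connect to ldapserver.maths.qmul.ac.uk:389, authentication 0
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=maths,dc=qmul,dc=ac,dc=uk, with filter (uid=mb)
rlm_ldap: object not found or got ambiguous search result
""".splitlines()

FIXED_DEBUG = """\
server dcs-inner {
+- entering group authorize {...}
rlm_ldap: Entering ldap_groupcmp()
rlm_ldap: (re)connect to mortar.dcs.qmul.ac.uk:389, authentication 0
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dcs,dc=qmul,dc=ac,dc=uk, with filter (uid=mb)
""".splitlines()

if __name__ == "__main__":
    for name, log in (("buggy", BUGGY_DEBUG), ("fixed", FIXED_DEBUG)):
        print(name, find_basedn_mismatches(log))
```

Run it against a saved `radiusd -X` transcript (`find_basedn_mismatches(open(path).read().splitlines())`) after any change to the include order; an empty list means every virtual server searched the directory it was configured for, and a non-empty one pinpoints the server and the foreign base DN without reading the whole trace.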