Hi all, We are running 2.1.3 and we'll upgrade soon for several reasons. Two of them can be the questions I'll explain now.
We need to search the authorize check for users in one place of the LDAP tree and the user password must be checked in another place. My config file is as follows:

    dictionary_mapping=/etc/raddb/ldapmap_vpn.conf
    ldap_connections_number=10
    timeout=10
    server="ldap://canela.ti.uam.es"
    port=389
    identity="cn=uam_voip_admin,cn=users,dc=uam,dc=es"
    password="#######"
    base_filter = "(uniquemember=cn=%{User-Name},cn=users,dc=uam,dc=es)"
    basedn="dc=uam,dc=es"
    filter="(uid=%{Stripped-User-Name:-%{User-Name}})"
    default_profile = "cn=ACCESSO_CUDI,cn=Groups,dc=uam,dc=es"
    access_attr_used_for_allow = yes
    access_attr = "cn"

The non-usual parameters to do what we need are base_filter and default_profile. But the problem is that base_filter doesn't expand. The debug shows us the process and base_filter doesn't expand.

    rad_recv: Access-Request packet from host 150.244.108.4 port 1025, id=69, length=158
            User-Name = "[email protected]"
            User-Password = "########"
            NAS-Port = 5259264
            Called-Station-Id = "150.244.108.4"
            Calling-Station-Id = "150.244.2.23"
            NAS-Port-Type = Virtual
            Tunnel-Client-Endpoint:0 = "150.244.2.23"
            NAS-IP-Address = 150.244.108.4
            Cisco-AVPair = "ip:source-ip=150.244.2.23"
    server vpn_auth {
    +- entering group authorize {...}
    [suffix] Looking up realm "uam.es" for User-Name = "[email protected]"
    [suffix] Found realm "uam.es"
    [suffix] Adding Realm = "uam.es"
    [suffix] Authentication realm is LOCAL.
    ++[suffix] returns ok
    [users_vpn] users: Matched entry DEFAULT at line 3
    [users_vpn]     expand: %{User-Name} -> [email protected]
    [users_vpn] users: Matched entry [email protected] at line 16
    ++[users_vpn] returns ok
    [uam_vpn] performing user authorization for [email protected]
    [uam_vpn] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
    [uam_vpn]       expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> ([email protected])
    [uam_vpn]       expand: dc=uam,dc=es -> dc=uam,dc=es
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to ldap://canela.ti.uam.es, authentication 0
    rlm_ldap: setting TLS Require Cert to never
    rlm_ldap: bind as cn=uam_voip_admin,cn=users,dc=uam,dc=es/######## to ldap://canela.ti.uam.es
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    rlm_ldap: performing search in dc=uam,dc=es, with filter ([email protected])
    [uam_vpn] checking if remote access for [email protected] is allowed by cn
    rlm_ldap: performing search in cn=ACCESSO_CUDI,cn=Groups,dc=uam,dc=es, with filter (uniquemember=cn=%{User-Name},cn=users,dc=uam,dc=es)
    rlm_ldap: object not found or got ambiguous search result
    [uam_vpn] default_profile/user-profile search failed
    [uam_vpn] looking for check items in directory...
    [uam_vpn] looking for reply items in directory...
    WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
    [uam_vpn] user [email protected] authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    ++[uam_vpn] returns ok
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    Found Auth-Type = UAM_VPN
    +- entering group UAM_VPN {...}
    [uam_vpn] login attempt by "[email protected]" with password "#######"
    [uam_vpn] user DN: [email protected],cn=Users,dc=uam,dc=es
    rlm_ldap: (re)connect to ldap://canela.ti.uam.es, authentication 1
    rlm_ldap: setting TLS Require Cert to never
    rlm_ldap: bind as [email protected],cn=Users,dc=uam,dc=es/######## to ldap://canela.ti.uam.es
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    [uam_vpn] user [email protected] authenticated succesfully
    ++[uam_vpn] returns ok
    Login OK: [[email protected]] (from client asa-vpn port 5259264 cli 150.244.2.23)
    } # server vpn_auth
    Sending Access-Accept of id 69 to 150.244.108.4 port 1025
            User-Name = "[email protected]"
            Class = "OU=########"
    Finished request 0.

Is this a failure corrected in any of the versions from 2.1.3? Or am I doing anything wrong?

The second question. If I put, ONLY FOR CHECK, the base_filter = "([email protected],cn=users,dc=uam,dc=es)" the LDAP replies with No Such Object. But the radius authorization sends ok. The misconfiguration of LDAP is not the question here. The question here is: documentation says if the parameter does not exist the authorization doesn't work. Is the server using the cn string used in the request? Am I doing ANOTHER thing wrong?

Thank you very much in advance,
Nicolas

Nicolás Velazquez Campoy
Unidad Técnica de Comunicaciones
Tecnologías de la Información. UAM
http://rincon.uam.es/dir?cw=389407348632812

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
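The debug output above shows the core of the problem: the `filter` template is expanded before the search (`(uid=%{Stripped-User-Name:-%{User-Name}})` becomes a concrete filter), while the `base_filter` template is sent to the directory with the literal `%{User-Name}` still inside it, so the group search can never match. The following is an added illustration, not FreeRADIUS's own xlat code and not part of the original post. It does two things a practitioner would want when checking such a setup: it expands `%{Attr}` and `%{Attr:-fallback}` references (with the nested fallback form used in the post) while hex-escaping the substituted values per RFC 4515, and it scans `rlm_ldap` debug lines for searches whose filter still contains an unexpanded `%{...}`. The user name `jdoe@uam.es` and the debug lines are constructed samples patterned on the post; the function names are hypothetical.

```python
import re

# RFC 4515 section 3: characters that must be hex-escaped inside a filter
# assertion value so the value can only ever be matched literally and cannot
# change the structure of the filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_filter_escape(value: str) -> str:
    """Escape one attribute value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def _matching_brace(s: str, open_idx: int) -> int:
    """Index of the '}' closing the '{' at open_idx, honouring nested %{...}."""
    depth = 0
    for k in range(open_idx, len(s)):
        if s[k] == "{":
            depth += 1
        elif s[k] == "}":
            depth -= 1
            if depth == 0:
                return k
    raise ValueError("unbalanced %{...} in template: " + s)


def expand_filter(template: str, attrs: dict, escape: bool = True) -> str:
    """Expand %{Attr} and %{Attr:-fallback} references in a filter template.

    The fallback may itself contain references, so the post's
    %{Stripped-User-Name:-%{User-Name}} works. Substituted values are
    filter-escaped unless escape=False. (Hypothetical helper, not the
    FreeRADIUS implementation.)
    """
    out = []
    i = 0
    while i < len(template):
        if template.startswith("%{", i):
            close = _matching_brace(template, i + 1)
            out.append(_resolve(template[i + 2:close], attrs, escape))
            i = close + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def _resolve(inner: str, attrs: dict, escape: bool) -> str:
    name, sep, fallback = inner.partition(":-")
    value = attrs.get(name)
    if value is None:
        # Missing attribute: use the fallback if one was given, else expand to
        # nothing, which silently yields a filter such as "(uid=)".
        return expand_filter(fallback, attrs, escape) if sep else ""
    return ldap_filter_escape(value) if escape else value


# Matches the "performing search" lines rlm_ldap prints in debug mode.
_SEARCH_LINE = re.compile(
    r"rlm_ldap: performing search in (?P<base>.*?), with filter (?P<filter>\(.*\))\s*$"
)


def unexpanded_searches(debug_lines):
    """Return (base, filter) pairs whose filter still contains a literal %{...}."""
    found = []
    for line in debug_lines:
        m = _SEARCH_LINE.search(line)
        if m and "%{" in m.group("filter"):
            found.append((m.group("base"), m.group("filter")))
    return found


# Constructed sample debug lines, patterned on the post's output.
SAMPLE_DEBUG = [
    "rlm_ldap: performing search in dc=uam,dc=es, with filter (uid=jdoe@uam.es)",
    "rlm_ldap: performing search in cn=ACCESSO_CUDI,cn=Groups,dc=uam,dc=es, "
    "with filter (uniquemember=cn=%{User-Name},cn=users,dc=uam,dc=es)",
]

if __name__ == "__main__":
    # Realm LOCAL as in the post: Stripped-User-Name is absent, so the
    # fallback %{User-Name} is used.
    local = {"User-Name": "jdoe@uam.es"}
    print(expand_filter("(uid=%{Stripped-User-Name:-%{User-Name}})", local))
    print(expand_filter("(uniquemember=cn=%{User-Name},cn=users,dc=uam,dc=es)", local))
    for base, flt in unexpanded_searches(SAMPLE_DEBUG):
        print("unexpanded template sent to directory:", base, flt)
```

Run against a real `radiusd -X` transcript, `unexpanded_searches` flags exactly the `base_filter` search seen in the post; the expansion helper shows what the group filter should have looked like once `%{User-Name}` is substituted, and why the value must be escaped before it lands in a filter.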

