Hello,
In order to allow a user to access the service (send an Access-Accept) I need to
validate several things:
First the password must be OK:
* The User-name and password are stored in cleartext in an LDAP (I use Chap),
I must get another ldap attribute which specifies the crm Id matching the username.
The user must be allowed to use the service:
* Daily I get a file matching a crm Id and a status (can access, can't
access) => I can't have a matching between user-name / Status. The crm doesn't
know the user-name, and the ldap doesn't know the client's status (only the Crm
ID)
I have no trouble checking the User-Name/Password using the ldap and chap modules.
But I can't figure out how to use the ldap reply to query the local mysql
where the match between crm Id and status is stored.
I don't know how to use a reply of an authorization module (ldap) in another
one (sql).
Since I didn't find out how to do this, I tried to add the crmID in an unused
radius attribute: Callback-Number:
In the ldap attrmap configuration file I added:
replyItem Callback-Number SFRrelationLoginService
And in the sql configuration:
sql_user_name = "%{Callback-Number}"
Unfortunately, as expected, the replyItem is only added when the reply is generated.
I also tried with a checkItem without more success...
Is it possible to configure the ldap module in order to store an ldap attribute
in a variable usable by the mysql module? Or to replace/add a radius attribute
in the request, based on the ldap reply, before the next module is computed?
Examples :
Goal case:
echo "User-Name= toto,Chap-Password=111111", | sudo radclient -x
172.16.0.135:1812 auth secret
Sending Access-Request of id 202 to 172.16.0.135 port 1812
User-Name = "toto"
CHAP-Password = 0xcab5c3da9c9ebb891608c1991c2e37bea3
rad_recv: Access-Reject packet from host 172.16.0.135 port 1812, id=202,
length=20
log:
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: Waking up in 0.9 seconds.
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_ldap: waiting for bind
result ...
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_ldap: Bind was successful
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_ldap: performing search
in ou=EndUser,dc=USER,dc=fr, with filter (USERlogin=toto*)
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [ldapClear] No default NMAS
login sequence
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [ldapClear] looking for
check items in directory...
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_ldap:
USERrelationLoginService -> Callback-Number == "siebelsIdFortoto"
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_ldap: USERuserPassword
-> Cleartext-Password == "111111"
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_ldap: USERlogin ->
User-Name == "toto"
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [ldapClear] looking for
reply items in directory...
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [ldapClear] user toto
authorized to use remote access
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_ldap: ldap_release_conn:
Release Id: 0
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[ldapClear] returns ok
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [sql_crm_abv] #011expand:
%{Callback-Number} ->
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [sql_crm_abv] sql_set_user
escaped user --> ''
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_sql (sql_crm_abv):
Reserving sql socket id: 1
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [sql_crm_abv] #011expand:
SELECT Identifiant, Status FROM siebel WHERE Identifiant =
'%{Callback-Number}' AND Status='1' -> SELECT Identifiant, Status
FROM siebel WHERE Identifiant = '' AND Status='1'
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_sql_mysql: query:
SELECT Identifiant, Status FROM siebel WHERE Identifiant =
'' AND Status='1'
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_sql (sql_crm_abv):
Released sql socket id: 1
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [sql_crm_abv] User not found
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[sql_crm_abv] returns
notfound
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [chap] Setting 'Auth-Type :=
CHAP'
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[chap] returns ok
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[expiration] returns noop
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[logintime] returns noop
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [pap] Found existing
Auth-Type, not changing it.
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[pap] returns noop
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_sqlcounter: Entering
module authorize code
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: rlm_sqlcounter: Could not
find Key value pair
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[scratchcounter_lyo]
returns noop
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: Found Auth-Type = CHAP
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: +- entering group CHAP {...}
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [chap] login attempt by
"toto" with CHAP password
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [chap] Using clear text
password "111111" for user toto authentication.
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: [chap] chap user toto
authenticated succesfully
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[chap] returns ok
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: Login OK:
[toto/<CHAP-Password>] (from client ext port 0)
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: +- entering group post-auth
{...}
Jun 16 12:42:30 radius-wifi1-aub freeradius[7106]: ++[reply_log] returns ok
Test adding the crmId in the request before computing => not possible in a real
situation, but to test everything else
echo "User-Name= toto,Chap-Password=111111",Callback-Number='siebelsIdFortoto'
| sudo radclient -x 172.16.0.135:1812 auth secret
Sending Access-Request of id 159 to 172.16.0.135 port 1812
User-Name = "toto"
CHAP-Password = 0x9fb08ff7f454d0c9998fc5dd72479940cd
Callback-Number = "siebelsIdFortoto"
rad_recv: Access-Accept packet from host 172.16.0.135 port 1812, id=159,
length=20
log:
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Thread 4 got semaphore
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Thread 4 handling request 0,
(1 handled so far)
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: +- entering group authorize
{...}
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[preprocess] returns ok
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[mschap] returns noop
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [IPASS] No '/' in User-Name
= "toto", looking up realm NULL
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [IPASS] No such realm "NULL"
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[IPASS] returns noop
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [suffix] No '@' in User-Name
= "toto", looking up realm NULL
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [suffix] No such realm "NULL"
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[suffix] returns noop
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[files] returns noop
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] performing user
authorization for toto
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] #011expand:
%{Stripped-User-Name} ->
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] #011expand:
%{User-Name} -> toto
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] #011expand:
(USERlogin=%{%{Stripped-User-Name}:-%{User-Name}}*) -> (USERlogin=toto*)
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] #011expand:
ou=EndUser,dc=USER,dc=fr -> ou=EndUser,dc=USER,dc=fr
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: ldap_get_conn:
Checking Id: 0
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: ldap_get_conn: Got
Id: 0
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: attempting LDAP
reconnection
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: (re)connect to
10.33.245.241:389, authentication 0
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: bind as cn=Radius
Gp,ou=Application,dc=USER,dc=fr/radiusgp to 10.33.245.241:389
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Threads: total/active/spare
threads = 5/1/4
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Waking up in 0.9 seconds.
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: waiting for bind
result ...
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: Bind was successful
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: performing search
in ou=EndUser,dc=USER,dc=fr, with filter (USERlogin=toto*)
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] No default NMAS
login sequence
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] looking for
check items in directory...
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap:
USERrelationLoginService -> Callback-Number == "siebelsIdFortoto"
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: USERuserPassword
-> Cleartext-Password == "111111"
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: USERlogin ->
User-Name == "toto"
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] looking for
reply items in directory...
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [ldapClear] user toto
authorized to use remote access
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_ldap: ldap_release_conn:
Release Id: 0
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[ldapClear] returns ok
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [sql_crm_abv] #011expand:
%{Callback-Number} -> siebelsIdFortoto
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [sql_crm_abv] sql_set_user
escaped user --> 'siebelsIdFortoto'
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_sql (sql_crm_abv):
Reserving sql socket id: 1
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [sql_crm_abv] #011expand:
SELECT Identifiant, Status FROM siebel WHERE Identifiant =
'%{Callback-Number}' AND Status='1' -> SELECT Identifiant, Status
FROM siebel WHERE Identifiant = 'siebelsIdFortoto' AND Status='1'
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_sql_mysql: query:
SELECT Identifiant, Status FROM siebel WHERE Identifiant =
'=siebelsIdFortoto' AND Status='1'
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_sql (sql_crm_abv):
Released sql socket id: 1
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [sql_crm_abv] User
siebelsIdFortoto not found
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[sql_crm_abv] returns
notfound
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [chap] Setting 'Auth-Type :=
CHAP'
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[chap] returns ok
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[expiration] returns noop
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[logintime] returns noop
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [pap] Found existing
Auth-Type, not changing it.
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[pap] returns noop
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_sqlcounter: Entering
module authorize code
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: rlm_sqlcounter: Could not
find Key value pair
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Found Auth-Type = CHAP
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: +- entering group CHAP {...}
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [chap] login attempt by
"toto" with CHAP password
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [chap] Using clear text
password "111111" for user toto authentication.
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: [chap] chap user toto
authenticated succesfully
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: ++[chap] returns ok
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Login OK:
[toto/<CHAP-Password>] (from client ext port 0)
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: +- entering group post-auth
{...}
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Finished request 0.
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Going to the next request
Jun 16 12:33:29 radius-wifi1-aub freeradius[7106]: Thread 4 waiting to be
assigned a request
Jun 16 12:33:30 radius-wifi1-aub freeradius[7106]: Waking up in 4.0 seconds.
Jun 16 12:33:34 radius-wifi1-aub freeradius[7106]: Cleaning up request 0 ID 159
with timestamp +4
Jun 16 12:33:34 radius-wifi1-aub freeradius[7106]: Ready to process requests.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
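Editor's added example, not part of the post above: the debug output shows rlm_ldap storing USERrelationLoginService as a check item ("looking for check items ... Callback-Number == ..."), i.e. in the control list, while %{Callback-Number} is expanded from the request list, which is why it came out empty. The sketch below shows the two FreeRADIUS 2.x ways to bridge the lists; the file paths are assumed, the instance names and query are the ones from the log, and the attribute name follows the log (the post's attrmap line spells it SFRrelationLoginService).

```conf
# ldap.attrmap (instance "ldapClear", assumed path /etc/freeradius/ldap.attrmap)
# A checkItem lands in the control list of the request, not in the reply
# and not in the request list, so it is available to later authorize modules.
checkItem   Callback-Number   USERrelationLoginService

# sql.conf (instance "sql_crm_abv", assumed path /etc/freeradius/sql.conf)
# Option 1: read the value straight from the control list. sql_set_user
# escapes it and exposes it as %{SQL-User-Name}, which the query then uses.
sql_user_name = "%{control:Callback-Number}"
authorize_check_query = "SELECT Identifiant, Status FROM siebel \
    WHERE Identifiant = '%{SQL-User-Name}' AND Status = '1'"

# sites-enabled/default, authorize section (assumed path)
authorize {
    preprocess
    suffix
    files
    ldapClear
    # Option 2: if the SQL query must keep using %{Callback-Number},
    # copy the LDAP value into the request list right after ldapClear.
    # ":=" replaces any Callback-Number the client put in the Access-Request,
    # so the lookup is driven by the directory, not by the client.
    update request {
        Callback-Number := "%{control:Callback-Number}"
    }
    sql_crm_abv
    chap
    expiration
    logintime
    pap
}
```

Either option removes the need for the client to send Callback-Number itself, which the second test above shows would otherwise let the NAS choose the CRM id that is looked up.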