I believe this bit of magic can be done based on other configurations but I can't work out the right "foo" so hopefully someone can help me out. I have my service manager asking for some additional magic out of our freeradius servers that handle our wireless WPA enterprise authentication/authorization.

Situation: LDAP connect/lookup fails (returns 'fail') and I want to continue processing as if it were "ok". Right now we want to ensure to err on the side of the customer and continue in the event there is an LDAP service outage.

Setup: I have the system working correctly with LDAP utilizing Freeradius 1.1.9. However, I am not sure how to do unlang control in the event of an LDAP failure. I am handling if an LDAP lookup is not found however.

Test: What I am attempting to test with is to configure the ldap module with a non-existent LDAP server so that it fails, and then continue processing in the event of an LDAP failure.

I have Googled, read many configuration examples, and got a decent grip of unlang so hopefully someone can point me in the right direction. I'm close, but missing a small key component I imagine.

Here are (what I believe to be) the important configuration sections and debug output.

authorize {
        preprocess

# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP authentication.

        eap {
               ok = return
        }

# LDAP: Development where if not found, steer them to group vlan0316

# This part works as expected when LDAP answers and the user is not found
        gted-lawn-authz
        if(notfound) {
           update reply {
              Tunnel-Type := "VLAN"
              Tunnel-Medium-Type := "IEEE-802"
              Tunnel-Private-Group-Id := 316
           }
           notfound = return
        }

# Look in an SQL database. The schema of the database is meant to mirror the "users" file.
        sqlwpa
}

The LDAP module configuration is as follows:

ldap gted-lawn-authz {
    #
    #  Note that this needs to match the name in the LDAP
    #  server certificate, if you're using ldaps.
    server = "ldaps://blahserver.gatech.edu"
    port = 636
    identity = "myBindDNDeletedForPrivacy"
    password = "myPasswordDeletedForPrivacy"
    basedn = "myBaseDNdeletedForPrivacy"
    filter = "myFilterThatWorksNormallyDeleted"

    ldap_connections_number = 10
    timeout = 4
    timelimit = 10
    net_timeout = 1

    tls {
        start_tls = no
        tls_mode = no
        require_cert    = "never"
    }

    # Mapping of RADIUS dictionary attributes to LDAP directory attributes.
    dictionary_mapping = ${confdir}/ldap.attrmap

    edir_account_policy_check = no
    set_auth_type = no
}

I have tried to handle this in the authorize{} section but not sure how to override the "fail" returncode from the ldap module in order to continue.

        gted-lawn-authz
# want to detect a failure of the above gted-lawn-authz module, on failure skip to the next section which is "sqlwpa"
        if(fail) {
           fail = return
        }
        if(notfound) {
           update reply {
              Tunnel-Type := "VLAN"
              Tunnel-Medium-Type := "IEEE-802"
              Tunnel-Private-Group-Id := 316
           }
           notfound = return
        }
# Look in an SQL database. The schema of the database is meant to mirror the "users" file.
       sqlwpa

Running it in debug mode I see it never hits the if(fail) section. My guess (but I haven't found any concrete info on how to continue) would be to have something in the gted-lawn-authz ldap module configuration as it looks like it breaks out of the loop there.

+- entering group authorize {...}
++[preprocess] returns ok
[eap] EAP packet type response id 0 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[gted-lawn-authz] performing user authorization for test-account
[gted-lawn-authz]     expand: (filterDeleted)
[gted-lawn-authz]     expand: (baseDeleted)
  [gted-lawn-authz] ldap_get_conn: Checking Id: 0
  [gted-lawn-authz] ldap_get_conn: Got Id: 0
  [gted-lawn-authz] attempting LDAP reconnection
[gted-lawn-authz] (re)connect to ldaps://bleh.gatech.edu, authentication 0
  [gted-lawn-authz] setting TLS Require Cert to never
  [gted-lawn-authz] bind as uid=deletedForPrivacy
  [gted-lawn-authz] uid=deletedForPrivacy
  [gted-lawn-authz] (re)connection attempt failed
[gted-lawn-authz] search failed
  [gted-lawn-authz] ldap_release_conn: Release Id: 0
++[gted-lawn-authz] returns fail
Invalid user: [jd187/<via Auth-Type = EAP>] (from client localhost port 0 cli 02-00-00-00-00-01)
} # server wpa
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> jd187
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated

Thanks in advance,
- John Douglass, Georgia Institute of Technology
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
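Added example (not from the original post, and not a FreeRADIUS-project configuration): the authorize section above rewritten so that a "fail" from the ldap module no longer ends the section before the if(fail) check is reached. It assumes the per-module return-code override syntax that FreeRADIUS documents in doc/configurable_failover (the same mechanism the post already uses for "eap { ok = return }"): giving "fail" a numeric priority instead of "return" makes the section continue with the previous return code still set to fail. The Module-Failure-Message attribute is assumed to be present in the server's internal dictionary; it is only used here so the outage is visible in the debug output and accounting.

```unlang
authorize {
        preprocess

        eap {
               ok = return
        }

        # The ldap module's default action for "fail" in authorize is
        # "return", which is why the if(fail) block below was never
        # entered.  A numeric priority (assumption: configurable_failover
        # syntax) lets the section carry on, with the return code still
        # being "fail" for the next if() check.
        gted-lawn-authz {
               fail = 1
        }

        # LDAP outage: record it on the request so it shows up in
        # "radiusd -X" output, then fall through to sqlwpa.  This is a
        # deliberate fail-open with respect to LDAP; sqlwpa's answer
        # becomes the authorization decision.
        if (fail) {
           update request {
              Module-Failure-Message := "gted-lawn-authz unreachable, falling back to sqlwpa"
           }
        }

        # LDAP answered but the user was not found: steer to the
        # restricted VLAN, exactly as in the original configuration.
        if (notfound) {
           update reply {
              Tunnel-Type := "VLAN"
              Tunnel-Medium-Type := "IEEE-802"
              Tunnel-Private-Group-Id := 316
           }
           notfound = return
        }

        # Reached both when LDAP found the user and when LDAP was down.
        sqlwpa
}
```

Two things worth checking once this is in place. First, because the ldap module's "fail" is now non-terminal, sqlwpa alone decides the outcome during an outage, so confirm that sqlwpa rejects users it does not know rather than returning noop and letting a later module accept them. Second, the "++[gted-lawn-authz] returns fail" line in the debug output is now the only sign that clients are being authorized without LDAP; it is worth alerting on that string (or on the Module-Failure-Message set above) so an LDAP outage is noticed rather than silently tolerated.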
