On Tue, 12 Dec 2006, Kostas Kalevras wrote:
Mark T. Valites wrote:
I'm trying to set up authentication to a SunOne Directory that requires not
only a successful bind by radius on behalf of the user attempting to
authenticate to it, but also a specified LDAP search filter to return a
result as well. I can't seem to get the freeradius ldap module to return
any result when the value of the attribute I'm comparing against contains a
'/', as often found in the 'homeDirectory' and 'loginShell' LDAP
attributes.
From the command line, the search and filter return correctly:
$ ldapsearch -v -H ldaps://ldapserver.domain.com \
-b ou=people,dc=domain,dc=com -x -D \
"uid=myuid,ou=people,dc=domain,dc=com" -W \
'(&(uid=myuid)(loginShell=/bin/tcsh))'
The corresponding SunOne log:
[12/Dec/2006:11:10:24 -0500] conn=4896 op=-1 msgId=-1 - fd=45 slot=45 LDAPS
connection from www.xxx.yyy.zzz to xxx.yyy.zzz.www
[12/Dec/2006:11:10:24 -0500] conn=4896 op=0 msgId=1 - BIND
dn="uid=myuid,ou=people,dc=domain,dc=com" method=128 version=3
[12/Dec/2006:11:10:24 -0500] conn=4896 op=0 msgId=1 - RESULT err=0 tag=97
nentries=0 etime=0 dn="uid=myuid,ou=people,dc=domain,dc=com"
[12/Dec/2006:11:10:24 -0500] conn=4896 op=1 msgId=2 - SRCH
base="ou=people,dc=domain,dc=com" scope=2
filter="(&(uid=myuid)(loginShell=/bin/tcsh))"
attrs=ALL
[12/Dec/2006:11:10:24 -0500] conn=4896 op=1 msgId=2 - RESULT err=0
tag=101 nentries=1 etime=0
[12/Dec/2006:11:10:24 -0500] conn=4896 op=2 msgId=3 - UNBIND
[12/Dec/2006:11:10:24 -0500] conn=4896 op=2 msgId=-1 - closing - U1
[12/Dec/2006:11:10:25 -0500] conn=4896 op=-1 msgId=-1 - closed.
A snippet from my radiusd.conf:
server = "ldapserver.domain.com"
basedn = "ou=people,dc=domain,dc=com"
filter = "(&(uid=%u)(loginshell=/bin/tcsh))"
The output from running radiusd in debug mode:
rlm_ldap: - authorize
rlm_ldap: performing user authorization for myuid
radius_xlat: '(&(uid=myuid)(loginShell=/bin/tcsh))'
radius_xlat: 'ou=people,dc=domain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldapserver.domain.com:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: bind as / to ldapserver.domain.com:636
TLS certificate verification: Error, Unknown error
rlm_ldap: waiting for bind result ...
request 1 done
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=domain,dc=com, with filter
(&(uid=myuid)(loginShell=/bin/tcsh))
request 2 done
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns notfound for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type LDAP
auth: type "ldap"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "myuid" with password "mypasswd"
radius_xlat: '(&(uid=myuid)(loginShell=/bin/tcsh))'
radius_xlat: 'ou=people,dc=domain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=domain,dc=com, with filter
(&(uid=myuid)(loginShell=/bin/tcsh))
request 3 done
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authenticate]: module "ldap" returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
The corresponding SunOne log:
[12/Dec/2006:11:12:33 -0500] conn=4897 op=-1 msgId=-1 - fd=45 slot=45 LDAPS
connection from www.xxx.yyy.zzz to xxx.yyy.zzz.www
[12/Dec/2006:11:12:33 -0500] conn=4897 op=0 msgId=1 - BIND dn="" method=128
version=3
[12/Dec/2006:11:12:33 -0500] conn=4897 op=0 msgId=1 - RESULT err=0 tag=97
nentries=0 etime=0 dn=""
[12/Dec/2006:11:12:33 -0500] conn=4897 op=1 msgId=2 - SRCH
base="ou=people,dc=domina,dc=com" scope=2
filter="(&(uid=myuid)(loginShell=/bin/tcsh))" attrs="radiusnasipaddress
radiusexpiration acctflags ntpassword lmpassword radiuscallingstationid
radiuscalledstationid radiussimultaneoususe radiusauthtype radiuscheckitem
radiusreplymessage radiusloginlatport radiusportlimit
radiusframedappletalkzone radiusframedappletalknetwork
radiusframedappletalklink radiusloginlatgroup radiusloginlatnode
radiusloginlatservice radiusterminationaction radiusidletimeout
radiussessiontimeout radiusclass radiusframedipxnetwork radiuscallbackid
radiuscallbacknumber ra
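An added example, not part of the thread above: RFC 4515 escaping of LDAP filter values, applied to the filter template from the radiusd.conf snippet. It shows that '/' is not a filter metacharacter (only '*', '(', ')', '\' and NUL must be escaped), so "/bin/tcsh" passes through unchanged, while a username carrying metacharacters is neutralised instead of altering the filter's structure. The function names and the sample usernames are my own.

```python
"""RFC 4515 escaping for LDAP filter assertion values (added example)."""

# Characters that RFC 4515 requires to be escaped inside an assertion value.
_MUST_ESCAPE = {"*", "(", ")", "\\", "\x00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter.

    Only '*', '(', ')', '\\' and NUL are special; a '/' (as in /bin/tcsh)
    is left as-is. Non-ASCII characters are escaped byte-wise as UTF-8,
    which RFC 4515 permits for any octet.
    """
    out = []
    for ch in value:
        if ch in _MUST_ESCAPE or ord(ch) > 0x7F:
            out.extend(f"\\{b:02x}" for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(template: str, username: str) -> str:
    """Expand the '%u' placeholder of a radiusd.conf-style filter template,
    escaping the caller-supplied username before it enters the filter."""
    return template.replace("%u", escape_filter_value(username))


# The filter template from the radiusd.conf snippet in the thread.
FILTER_TEMPLATE = "(&(uid=%u)(loginShell=/bin/tcsh))"

if __name__ == "__main__":
    # The ordinary case: '/' in the attribute value needs no escaping.
    print(build_filter(FILTER_TEMPLATE, "myuid"))
    # A constructed username with filter metacharacters: escaping keeps it
    # a literal uid value rather than letting it rewrite the filter.
    print(build_filter(FILTER_TEMPLATE, "myuid)(uid=*"))
```

Note that the ldapsearch run binds as uid=myuid while the rlm_ldap access log shows a search on a bind with dn="", so the two lookups are not evaluated under the same identity even though the filter text is identical.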