Re: Problem in freeradius 2.1.10, ldap and huntgroups

2013-08-14 Thread Ville Leinonen

Hi,

Any news for this problem?

Br,

Ville

On 5.8.2013 19:08, vi...@leinonen.org wrote:

[quoted debug output trimmed; it repeats the 2013-08-05 "Here:" message further down this page]

Problem in freeradius 2.1.10, ldap and huntgroups

2013-08-05 Thread ville

Hi,

I have installed fr 2.1.10 with openldap and I can authenticate users
against ldap.
I have also added groups in ldap and allowed the ldap module to search
groups, and that also works fine.


Now the problem is that huntgroups won't work. I need to restrict
access to NAS for specific groups. I can see that the groups match
(rlm_ldap::ldap_groupcmp: User found in group ), but the huntgroup match
won't work.


file huntgroups:

   NAS-IP-Address  == 172.150.0.1

file users:

DEFAULT Ldap-Group == 
   Huntgroup-Name == 

I would be very glad for any help, and if someone has a better solution for
this I'm happy to hear it. There are about 600 NAS (switches and routers)
for different customers, and we need to provide management access to
customers and our NOC staff, so I think we need to use huntgroups with
groups; if someone has an example of this I would be very glad for that
as well.


Best regards,

Ville Leinonen

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem in freeradius 2.1.10, ldap and huntgroups

2013-08-05 Thread A . L . M . Buxey
Hi,

 file users:
 
 DEFAULT Ldap-Group == 
Huntgroup-Name == 

Multiple lines? The first line is CHECK items. Other lines are REPLY items.

alan
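Added example, not code from the thread, from FreeRADIUS or from its documentation: a small Python model of the rule Alan states above (first line of a users entry = check items, indented continuation lines = reply items), applied to the huntgroups and users entries from the original post. It shows why the two-line entry matches on every NAS: the Huntgroup-Name test sits on a reply line and is never evaluated. The huntgroup and LDAP group names ("noc", "customer-a"), the NOC NAS address, the request dictionaries and the user's LDAP group membership are constructed; the second NAS address is the NAS-IP-Address from the debug output later in the thread. rlm_ldap's ldap_groupcmp and rlm_preprocess's huntgroup lookup are replaced by set lookups. The trailing `DEFAULT Auth-Type := Reject` entry is the standard users-file way of turning "no entry matched" into a rejection; it is an assumption about the intended outcome, not something the thread reached.

```python
"""Model of check items vs reply items in the FreeRADIUS users and
huntgroups files, with first-match-wins and Fall-Through.  Added example;
not FreeRADIUS code.  File contents and requests below are constructed."""
import re

# Constructed huntgroups file.  The names are assumed (the archive dropped
# the real ones); the first NAS address is the one from the original post.
HUNTGROUPS = """
noc         NAS-IP-Address == 172.150.0.1
customer-a  NAS-IP-Address == 172.150.0.62
"""

# Entry as first posted: the Huntgroup-Name test is on a continuation line,
# so it is a reply item and never takes part in matching.
USERS_BROKEN = """
DEFAULT Ldap-Group == "noc"
        Huntgroup-Name == "noc"
"""

# Both tests on the first line (check items), plus the usual catch-all that
# rejects when no earlier entry matched (assumed, not from the thread).
USERS_FIXED = """
DEFAULT Ldap-Group == "noc", Huntgroup-Name == "noc"

DEFAULT Auth-Type := Reject
        Reply-Message = "Not allowed to manage this NAS"
"""

ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^\s,]+)')

def parse_items(text):
    """'A == x, B := y' -> [('A', '==', 'x'), ('B', ':=', 'y')]."""
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]

def parse_entries(text):
    """Return [(name, check_items, reply_items)] for a users-style file.
    First line of an entry: name plus check items.  Indented continuation
    lines: reply items.  This is the rule Alan states in the thread."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            entries[-1][2].extend(parse_items(line))
        else:
            parts = line.split(None, 1)
            checks = parse_items(parts[1]) if len(parts) > 1 else []
            entries.append((parts[0], checks, []))
    return entries

def huntgroups_for(request, huntgroups_text):
    """Names of every huntgroup whose check items all match the request."""
    return {name for name, checks, _ in parse_entries(huntgroups_text)
            if all(request.get(a) == v for a, op, v in checks if op == "==")}

def authorize(users_text, huntgroups_text, request, ldap_groups):
    """Walk the users file: first matching entry wins unless it carries
    Fall-Through = yes.  Returns (matched_entry_names, control, reply)."""
    hg = huntgroups_for(request, huntgroups_text)
    matched, control, reply = [], {}, {}
    for name, checks, replies in parse_entries(users_text):
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        ok = True
        for attr, op, val in checks:
            if op != "==":
                continue                      # ':=' on the check line sets control items below
            if attr == "Ldap-Group":
                ok = ok and val in ldap_groups   # stands in for rlm_ldap's ldap_groupcmp
            elif attr == "Huntgroup-Name":
                ok = ok and val in hg            # stands in for rlm_preprocess huntgroups
            else:
                ok = ok and request.get(attr) == val
        if not ok:
            continue
        matched.append(name)
        control.update((a, v) for a, op, v in checks if op == ":=")
        reply.update((a, v) for a, _, v in replies)
        if reply.get("Fall-Through", "no").lower() != "yes":
            break
    return matched, control, reply

NOC_REQUEST = {"User-Name": "testuser", "NAS-IP-Address": "172.150.0.1"}    # constructed
CUST_REQUEST = {"User-Name": "testuser", "NAS-IP-Address": "172.150.0.62"}  # constructed
NOC_GROUPS = {"noc"}   # constructed: what ldap_groupcmp would report for this user

def outcome(users_text, request):
    """'reject' if the catch-all set Auth-Type := Reject, 'allow' if an entry
    matched without rejecting, 'no-entry' if nothing matched (rlm_files
    then returns noop and the request continues to the next module)."""
    matched, control, _ = authorize(users_text, HUNTGROUPS, request, NOC_GROUPS)
    if control.get("Auth-Type") == "Reject":
        return "reject"
    return "allow" if matched else "no-entry"

if __name__ == "__main__":
    for label, users in (("broken", USERS_BROKEN), ("fixed", USERS_FIXED)):
        print(label, "NOC NAS:", outcome(users, NOC_REQUEST),
              "customer NAS:", outcome(users, CUST_REQUEST))
```

Run directly, the two-line entry allows the NOC user on both NASes, which is what the thread reports, while the corrected entry allows on the NOC NAS only and rejects on the customer NAS. Without the catch-all, a non-matching corrected entry just leaves rlm_files returning noop, and the request carries on to the ldap module exactly as the "++[files] returns noop" / "[ldap] Setting Auth-Type = LDAP" lines in the debug output below show; the files module on its own never denies anything.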


Re: Problem in freeradius 2.1.10, ldap and huntgroups

2013-08-05 Thread ville
Hi,

Thank you for your reply.

It was my mistake when I was testing.

Corrected: DEFAULT Ldap-Group == , Huntgroup-Name == 
Still not working as I want.

Br,

Ville




Re: Problem in freeradius 2.1.10, ldap and huntgroups

2013-08-05 Thread A . L . M . Buxey
Hi,

 It was my mistake, when i was testing.
 
 Corrected DEFAULT Ldap-Group == , Huntgroup-Name == 
 Still not working as i want.

output? 

alan


Re: Problem in freeradius 2.1.10, ldap and huntgroups

2013-08-05 Thread ville
Here comes:

rlm_ldap::ldap_groupcmp: User found in group 

and the user still gets access. I noticed that if I disable ldap
and put the user in the users file like this:

vi...@.fi Cleartext-Password := , Huntgroup-Name == 

it works and I can filter users based on huntgroup.

Br,

Ville




Re: Problem in freeradius 2.1.10, ldap and huntgroups

2013-08-05 Thread A . L . M . Buxey
Hi,
 Here comes:
 
 rlm_ldap::ldap_groupcmp: User found in group 

radiusd -X


It's what the docs say, for a reason.

alan


Re: Problem in freeradius 2.1.10, ldap and huntgroups

2013-08-05 Thread ville
Here:

rad_recv: Access-Request packet from host 172.150.0.62 port 25196, id=194, length=63
	User-Name = testu...@.fi
	User-Password = testpass
	NAS-IP-Address = 172.150.0.62
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.150.0.62/auth-detail-20130805
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.150.0.62/auth-detail-20130805
[auth_log]  expand: %t -> Mon Aug  5 19:03:20 2013
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm .fi for User-Name = testu...@.fi
[suffix] No such realm .fi
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
    [ldap] Entering ldap_groupcmp()
[files] expand: dc=demonet,dc=local -> dc=demonet,dc=local
[files] expand: %{Stripped-User-Name} -> 
[files] ... expanding second conditional
[files] expand: %{User-Name} -> testu...@.fi
[files] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testu...@.fi)
    [ldap] ldap_get_conn: Checking Id: 0
    [ldap] ldap_get_conn: Got Id: 0
    [ldap] performing search in dc=demonet,dc=local, with filter (uid=testu...@.fi)
    [ldap] ldap_release_conn: Release Id: 0
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dTauno Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal)))
    [ldap] ldap_get_conn: Checking Id: 0
    [ldap] ldap_get_conn: Got Id: 0
    [ldap] performing search in dc=demonet,dc=local, with filter (&(cn=)(|(&(objectClass=GroupOfNames)(member=cn\3dTauno Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal
    [ldap] object not found
    [ldap] ldap_release_conn: Release Id: 0
    [ldap] ldap_get_conn: Checking Id: 0
    [ldap] ldap_get_conn: Got Id: 0
    [ldap] performing search in cn=Tauno Testaaja,ou=,ou=Customers,dc=demonet,dc=local, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: User found in group 
    [ldap] ldap_release_conn: Release Id: 0
    [ldap] Entering ldap_groupcmp()
[files] expand: dc=demonet,dc=local -> dc=demonet,dc=local
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dTauno Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal)))
    [ldap] ldap_get_conn: Checking Id: 0
    [ldap] ldap_get_conn: Got Id: 0
    [ldap] performing search in dc=demonet,dc=local, with filter (&(cn=disabled)(|(&(objectClass=GroupOfNames)(member=cn\3dTauno Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal
    [ldap] object not found
    [ldap] ldap_release_conn: Release Id: 0
    [ldap] ldap_get_conn: Checking Id: 0
    [ldap] ldap_get_conn: Got Id: 0
    [ldap] performing search in cn=Tauno Testaaja,ou=,ou=Customers,dc=demonet,dc=local, with filter (objectclass=*)
rlm_ldap::groupcmp: Group disabled not found or user not a member
    [ldap] ldap_release_conn: Release Id: 0
++[files] returns noop
[ldap] performing user authorization for testu...@.fi
[ldap]  expand: %{Stripped-User-Name} -> 
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> testu...@.fi
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testu...@.fi)
[ldap]  expand: dc=demonet,dc=local -> dc=demonet,dc=local
    [ldap] ldap_get_conn: Checking Id: 0
    [ldap] ldap_get_conn: Got Id: 0
    [ldap] performing search in dc=demonet,dc=local, with filter (uid=testu...@.fi)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
    [ldap] userPassword -> Password-With-Header == {SSHA}g5PDm9CrOOQu+XjbMGHTPnY43mifXND0
[ldap] looking for reply items in directory...
[ldap] Setting Auth-Type = LDAP
[ldap] user testu...@.fi authorized to use remote access
    [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns