problem with ldap search filter with '/'s (front slashes)

2006-12-12 Thread Mark T. Valites
I'm trying to set up authentication to a SunOne Directory that requires 
not only a successful bind by radius on behalf of the user attempting 
to authenticate to it, but also a specified LDAP search filter to return a 
result as well. I can't seem to get the freeradius ldap module to return 
any result when the value of the attribute I'm comparing against contains 
a '/', as often found in the 'homeDirectory' and 'loginShell' LDAP 
attributes.



From the command line, the search and filter return correctly:

$ ldapsearch -v -H ldaps://ldapserver.domain.com \
  -b ou=people,dc=domain,dc=com -x -D \
  uid=myuid,ou=people,dc=domain,dc=com -W \
  '(&(uid=myuid)(loginShell=/bin/tcsh))'

The corresponding SunOne log:

[12/Dec/2006:11:10:24 -0500] conn=4896 op=-1 msgId=-1 - fd=45 slot=45 LDAPS 
connection from www.xxx.yyy.zzz to xxx.yyy.zzz.www
[12/Dec/2006:11:10:24 -0500] conn=4896 op=0 msgId=1 - BIND 
dn=uid=myuid,ou=people,dc=domain,dc=com method=128 version=3
[12/Dec/2006:11:10:24 -0500] conn=4896 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 
etime=0 dn=uid=myuid,ou=people,dc=domain,dc=com
[12/Dec/2006:11:10:24 -0500] conn=4896 op=1 msgId=2 - SRCH base=ou=people,dc=domain,dc=com 
scope=2 filter=(&(uid=myuid)(loginShell=/bin/tcsh)) attrs=ALL
[12/Dec/2006:11:10:24 -0500] conn=4896 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[12/Dec/2006:11:10:24 -0500] conn=4896 op=2 msgId=3 - UNBIND
[12/Dec/2006:11:10:24 -0500] conn=4896 op=2 msgId=-1 - closing - U1
[12/Dec/2006:11:10:25 -0500] conn=4896 op=-1 msgId=-1 - closed.

A snippet from my radiusd.conf:

server = ldapserver.domain.com
basedn = ou=people,dc=domain,dc=com
filter = (&(uid=%u)(loginShell=/bin/tcsh))

The output from running radiusd in debug mode:

rlm_ldap: - authorize
rlm_ldap: performing user authorization for myuid
radius_xlat:  '(&(uid=myuid)(loginShell=/bin/tcsh))'
radius_xlat:  'ou=people,dc=domain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldapserver.domain.com:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: bind as / to ldapserver.domain.com:636
TLS certificate verification: Error, Unknown error
rlm_ldap: waiting for bind result ...
request 1 done
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=domain,dc=com, with filter 
(&(uid=myuid)(loginShell=/bin/tcsh))

request 2 done
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns notfound for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type ldap
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by myuid with password mypasswd
radius_xlat:  '(&(uid=myuid)(loginShell=/bin/tcsh))'
radius_xlat:  'ou=people,dc=domain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=domain,dc=com, with filter 
(&(uid=myuid)(loginShell=/bin/tcsh))

request 3 done
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authenticate]: module ldap returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.


The corresponding SunOne log:

[12/Dec/2006:11:12:33 -0500] conn=4897 op=-1 msgId=-1 - fd=45 slot=45 LDAPS 
connection from www.xxx.yyy.zzz to xxx.yyy.zzz.www
[12/Dec/2006:11:12:33 -0500] conn=4897 op=0 msgId=1 - BIND dn= method=128 
version=3
[12/Dec/2006:11:12:33 -0500] conn=4897 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 
etime=0 dn=
[12/Dec/2006:11:12:33 -0500] conn=4897 op=1 msgId=2 - SRCH base=ou=people,dc=domain,dc=com scope=2 
filter=(&(uid=myuid)(loginShell=/bin/tcsh)) attrs=radiusnasipaddress 
radiusexpiration acctflags ntpassword lmpassword radiuscallingstationid 
radiuscalledstationid radiussimultaneoususe radiusauthtype radiuscheckitem 
radiusreplymessage radiusloginlatport radiusportlimit radiusframedappletalkzone 
radiusframedappletalknetwork radiusframedappletalklink radiusloginlatgroup 
radiusloginlatnode radiusloginlatservice radiusterminationaction 
radiusidletimeout radiussessiontimeout radiusclass radiusframedipxnetwork 
radiuscallbackid radiuscallbacknumber radiuslogintcpport radiusloginservice 
radiusloginiphost radiusframedcompression radiusframedmtu radiusfilterid 
radiusframedrouting radiusframedroute radiusframedipnetmask 
radiusframedipaddress radiusframedprotocol radiusservicetype radiusreplyitem

[12/Dec/2006:11:12:33 -0500] conn=4897 op=1 msgId=2 - RESULT err=0 tag=101 
nentries=0 etime=0
[12/Dec/2006:11:12:33 -0500] conn=4897 op=2 msgId=3 - SRCH 
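Added example (not from the thread, and not FreeRADIUS or SunOne code): a small Python implementation of RFC 4515 assertion-value escaping plus a minimal filter validator. It makes two points a practitioner would want checked before blaming the '/' character. First, '/' is not one of the characters RFC 4515 requires to be escaped in a filter value (only `*`, `(`, `)`, `\` and NUL are), so `/bin/tcsh` is passed through verbatim and the server-side log above agrees: both searches completed with `err=0`, one with `nentries=1` and one with `nentries=0`, never a filter error. Second, an AND of two items needs the leading `&`; a filter written as `((uid=x)(loginShell=/bin/tcsh))` is not valid RFC 4515 syntax, which the validator rejects. The example also shows why a username interpolated into a filter through something like `%u` has to be escaped: a raw `*` turns the uid assertion into a wildcard and makes the search return several entries, the "ambiguous search result" condition that rlm_ldap reports in the debug output. One further observation from the logs, not modelled here: the command-line search bound as `uid=myuid`, while rlm_ldap bound as `/` (anonymous, `BIND dn=` on the server), so the two searches also ran under different identities. The names `escape_filter_value`, `build_user_shell_filter` and `parse_filter` are hypothetical helpers introduced for the illustration; the parser does not handle extensible-match items.

```python
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion
# value, as a backslash followed by two hex digits. '/' is NOT among them,
# so a value such as /bin/tcsh goes into the filter unchanged.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# attribute description, comparison operator, assertion value; the value may
# contain raw '*' (wildcard) and backslash-hex pairs, but no raw ( ) or \.
# Extensible-match items (attr:dn:=value) are not handled by this toy parser.
_ITEM = re.compile(
    r"^([A-Za-z][A-Za-z0-9.;-]*)(>=|<=|~=|=)((?:[^()\\]|\\[0-9A-Fa-f]{2})*)$"
)


class FilterSyntaxError(ValueError):
    """Raised when a string is not a syntactically valid RFC 4515 filter."""


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_shell_filter(username: str, shell: str = "/bin/tcsh") -> str:
    """Build the AND filter discussed in the thread with both values escaped.
    Hypothetical helper: FreeRADIUS expands its 'filter' config line via
    radius_xlat; this function only models the intended end result."""
    return "(&(uid=%s)(loginShell=%s))" % (
        escape_filter_value(username),
        escape_filter_value(shell),
    )


def _parse(s: str, i: int):
    """Parse one parenthesised filter component starting at offset i.
    Returns (tree, next_offset); trees are ('&'|'|'|'!', [subtrees]) or
    ('item', attribute, operator, value)."""
    if i >= len(s) or s[i] != "(":
        raise FilterSyntaxError("expected '(' at offset %d" % i)
    i += 1
    if i >= len(s):
        raise FilterSyntaxError("unexpected end of filter")
    op = s[i]
    if op in "&|!":
        i += 1
        subs = []
        while i < len(s) and s[i] == "(":
            sub, i = _parse(s, i)
            subs.append(sub)
        if not subs or (op == "!" and len(subs) != 1):
            raise FilterSyntaxError("wrong operand count for '%s'" % op)
        if i >= len(s) or s[i] != ")":
            raise FilterSyntaxError("expected ')' at offset %d" % i)
        return (op, subs), i + 1
    # A simple item: a raw ')' cannot occur inside a value (it must be
    # escaped as \29), so the first ')' terminates the item.
    end = s.find(")", i)
    if end < 0:
        raise FilterSyntaxError("unterminated item at offset %d" % i)
    m = _ITEM.match(s[i:end])
    if not m:
        raise FilterSyntaxError("malformed item %r" % s[i:end])
    return ("item", m.group(1), m.group(2), m.group(3)), end + 1


def parse_filter(text: str):
    """Parse a complete filter string or raise FilterSyntaxError."""
    tree, pos = _parse(text, 0)
    if pos != len(text):
        raise FilterSyntaxError("trailing data at offset %d" % pos)
    return tree


def is_valid_filter(text: str) -> bool:
    """True if text parses as an RFC 4515 filter, False otherwise."""
    try:
        parse_filter(text)
        return True
    except FilterSyntaxError:
        return False


if __name__ == "__main__":
    # The filter as it appears without '&', and with the '&' that an AND
    # of two items requires.
    print(is_valid_filter("((uid=myuid)(loginShell=/bin/tcsh))"))   # False
    print(is_valid_filter("(&(uid=myuid)(loginShell=/bin/tcsh))"))  # True
    print(build_user_shell_filter("myuid"))  # '/' passes through unescaped
    # A User-Name of '*' interpolated raw would match every entry whose
    # loginShell is /bin/tcsh; escaped, it is a literal asterisk.
    print(build_user_shell_filter("*"))
    print(build_user_shell_filter("myuid)(uid=*"))
```

The validator is deliberately strict: a raw `)` inside a value is treated as the end of the item, so any attempt to close the `uid` assertion early and append another one only works when the value is interpolated unescaped; after `escape_filter_value` the same input is a single literal value and the `loginShell` check still applies.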

Re: problem with ldap search filter with '/'s (front slashes)

2006-12-12 Thread Kostas Kalevras

Mark T. Valites wrote:

> [...]

Re: problem with ldap search filter with '/'s (front slashes)

2006-12-12 Thread Mark T. Valites

On Tue, 12 Dec 2006, Kostas Kalevras wrote:


> Mark T. Valites wrote:
>
> > [...]