Bug 47347 - FreeRADIUS 3.0 tries to modify the LDAP attribute "description" and fails for non-school users
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: Radius
UCS@school 4.3
Other other
: P5 normal
: UCS@school 4.3 v6
Assigned To: Sönke Schwardt-Krummrich
Jürn Brodersen
Depends on:
Blocks: 48105
Reported: 2018-07-12 13:18 CEST by Michael Grandjean
Modified: 2018-11-16 11:48 CET (History)
4 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.206
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
Description Michael Grandjean univentionstaff 2018-07-12 13:18:46 CEST
https://github.com/univention/ucs-school/blob/4.3/ucs-school-radius-802.1x/conffiles/etc/freeradius/3.0/mods-available/ldap#L445

The LDAP module of FreeRADIUS tries to modify the LDAP attribute "description", at least if we use the "post-auth" config section as in https://www.univention.de/2017/10/wlan-fuer-schultraeger-byod-gyod/

This works for users underneath the school-OU, but might not be desired (it would also overwrite other descriptions).
This does NOT work for users outside of the school OU (e.g. Domain Admins underneath cn=users,$ldap_base). In this case the modify fails because of LDAP ACLs; as a result the whole auth process of FreeRADIUS fails and the user can't log in via RADIUS.

I suggest removing the modify config option from the LDAP module by default.
We might make it available via a UCR switch, e.g. for debugging or accountability purposes. We could even introduce a separate LDAP attribute for this, so we do not overwrite "description".

I did not check the non-UCS@school RADIUS App, but I suppose the config is the same there.
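As an added illustration, not code from this bug or from the ucs-school package: the write-back configuration the report describes, modelled on the upstream FreeRADIUS 3.0 ldap module defaults (accounting and post-auth `update` blocks setting "description"), beside a read-only variant, plus a small check that lists every attribute such a config would write to the directory. Both config samples are constructed; the UCS template's exact lines are not reproduced.

```shell
#!/bin/sh
# Constructed sample (not the UCS template) of a FreeRADIUS 3.0 mods-available/ldap
# with the write-back sections active, i.e. the state this bug describes. The
# "description := ..." lines follow the upstream FreeRADIUS 3.0 defaults.
BAD_CFG='ldap {
    server = "localhost"
    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}}"
        type {
            start {
                update {
                    description := "Online at %S"
                }
            }
        }
    }
    post-auth {
        update {
            description := "Authenticated at %S"
        }
    }
}'

# The same module with the accounting/post-auth update blocks removed: the
# module then only reads the user entry and never needs LDAP write ACLs.
GOOD_CFG='ldap {
    server = "localhost"
    user {
        base_dn = "dc=example,dc=com"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
}'

# List every attribute assignment inside an update {} block of the accounting
# or post-auth section; these are the writes the module performs against the
# directory. Comment lines are skipped, sections are expected as "name {",
# and braces inside quoted values are assumed to be balanced per line.
ldap_writes() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        sec == "" && /^[ \t]*(accounting|post-auth)[ \t]*[{]/ { sec = $1; depth = 0 }
        sec == "" { next }
        /[{]/ { depth++; if ($1 == "update") upd = depth }
        upd && !/[{}]/ && NF >= 3 { sub(/^[ \t]+/, ""); print sec ": " $0 }
        /[}]/ { if (upd == depth) upd = 0; depth--; if (depth == 0) sec = "" }
    '
}

ldap_writes "$BAD_CFG"    # accounting: description := "Online at %S"
                          # post-auth: description := "Authenticated at %S"
ldap_writes "$GOOD_CFG"   # prints nothing
```

Running the check against the deployed ldap module config before enabling "ldap" in the site's post-auth section shows whether the RADIUS service account will need (and be granted) write access to user entries at all.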
Comment 1 Michael Grandjean univentionstaff 2018-09-12 16:04:45 CEST
After patching this UCR template on a lot of schoolservers today, I'd really love to see this fixed.
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2018-11-06 15:02:09 CET
1) reproduce the problem
- copy toolshed/LDAP/diff-ldap-ucr-changes toolshed/LDAP/diff-ldif toolshed/HL*
  to your test schoolslave
- create a new UCS@school user (e.g. anton9)
- assign internet rule "Unbeschränkt" to the class of user "anton9"

- ssh root@schoolslave
- univention-install ucs-school-radius-802.1x
  (package should be the OLD version that contains the problem!)
- vim /etc/freeradius/3.0/sites-available/default
  remove comment character in line 748  → adding "ldap" to config
- service freeradius stop
- freeradius -Xf
→ switch to new console
- run "diff-ldap-ucr-changes"
→ switch to new console
- radtest -t mschap anton9 univention localhost 1812 testing123
→ switch to console with running "diff-ldap-ucr-changes"
- press "c" + ENTER
- The output should show a changed "description" attribute of user "anton9"
→ problem successfully reproduced

2) test the fixed package
- univention-install ucs-school-radius-802.1x
  (package should be the NEW version without the problem!)
→ switch to console with "freeradius -Xf"
- Ctrl-C
- restart "freeradius -Xf"
→ switch to free console
- radtest -t mschap anton9 univention localhost 1812 testing123
→ switch to console with running "diff-ldap-ucr-changes"
- press "c" + ENTER
- The output (automatically shown by less) should be empty
  → no changes at LDAP objects
→ problem successfully fixed

83aca3cff Bug #47347: add advisory
36d35f8d4 Bug #47347: add changelog entry
f572a190c Bug #47347: do not modify user's attribute description upon login/logout

The LDAP assignment was intentionally disabled and not replaced by a new
UCR variable. Customers are better off with their own site config, as the
individual configuration settings are then better coordinated with each
other.

Package: ucs-school-radius-802.1x
Version: 7.0.1-1A~4.3.0.201811061419
Branch: ucs_4.3-0
Scope: ucs-school-4.3
Comment 3 Jürn Brodersen univentionstaff 2018-11-12 09:39:55 CET
Bug fixed: OK
Tests: OK
YAML: OK
Comment 4 Sönke Schwardt-Krummrich univentionstaff 2018-11-16 11:48:20 CET
UCS@school 4.3 v6 has been released.

https://docs.software-univention.de/changelog-ucsschool-4.3v6-de.html

If this error occurs again, please clone this bug.