Univention Bugzilla – Bug 47347
FreeRADIUS 3.0 tries to modify the LDAP attribute "description" and fails for non-school users
Last modified: 2018-11-16 11:48:20 CET
https://github.com/univention/ucs-school/blob/4.3/ucs-school-radius-802.1x/conffiles/etc/freeradius/3.0/mods-available/ldap#L445

The LDAP module of FreeRADIUS tries to modify the LDAP attribute "description", at least if we use the "post-auth" config section as in https://www.univention.de/2017/10/wlan-fuer-schultraeger-byod-gyod/

This works for users underneath the school OU, but might not be desired (it would also overwrite other descriptions).

This does NOT work for users outside of the school OU (e.g. Domain Admins underneath cn=users,$ldap_base). In this case the modify fails because of LDAP ACLs; as a result the whole auth process of FreeRADIUS fails and the user can't log in via RADIUS.

I suggest removing the modify config option from the LDAP module by default. We might make it available via a UCR switch, e.g. for debugging or accountability purposes. We could even introduce a separate LDAP attribute for this, so we do not overwrite "description".

I did not check the non-UCS@school RADIUS app, but I suppose the config is the same there.
After patching this UCR template on a lot of schoolservers today, I'd really love to see this fixed.
1) reproduce the problem
- copy toolshed/LDAP/diff-ldap-ucr-changes toolshed/LDAP/diff-ldif toolshed/HL* to your test schoolslave
- create a new UCS@school user (e.g. anton9)
- assign internet rule "Unbeschränkt" to the class of user "anton9"
- ssh root@schoolslave
- univention-install ucs-school-radius-802.1x (package should be the OLD version that contains the problem!)
- vim /etc/freeradius/3.0/sites-available/default
  remove comment character in line 748 → adding "ldap" to config
- service freeradius stop
- freeradius -Xf
→ switch to new console
- run "diff-ldap-ucr-changes"
→ switch to new console
- radtest -t mschap anton9 univention localhost 1812 testing123
→ switch to console with running "diff-ldap-ucr-changes"
- press "c" + ENTER
- The output should show a changed "description" attribute of user "anton9"
→ problem successfully reproduced

2) test the fixed package
- univention-install ucs-school-radius-802.1x (package should be the NEW version without the problem!)
→ switch to console with "freeradius -Xf"
- Ctrl-C
- restart "freeradius -Xf"
→ switch to free console
- radtest -t mschap anton9 univention localhost 1812 testing123
→ switch to console with running "diff-ldap-ucr-changes"
- press "c" + ENTER
- The output (automatically shown by less) should be empty
→ no changes at LDAP objects
→ problem successfully fixed

83aca3cff Bug #47347: add advisory
36d35f8d4 Bug #47347: add changelog entry
f572a190c Bug #47347: do not modify user's attribute description upon login/logout

The LDAP assignment was intentionally disabled and not replaced by a new UCR variable. Customers are better off with their own site config, as the individual configuration settings are then better coordinated with each other.

Package: ucs-school-radius-802.1x
Version: 7.0.1-1A~4.3.0.201811061419
Branch: ucs_4.3-0
Scope: ucs-school-4.3
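The config pattern behind this bug, as an added illustration that is not part of the bug report or of the ucs-school package: the "post-auth" update block that the stock FreeRADIUS 3.0 mods-available/ldap ships (the value "Authenticated at %S" is the upstream default and is assumed here to be what the referenced template line contains), beside the disabled form that matches the fix "do not modify user's attribute description".

```conf
# Both fragments sit inside the ldap { ... } module definition in
# /etc/freeradius/3.0/mods-available/ldap.

# BEFORE (stock FreeRADIUS 3.0 default, assumed): every successful
# authentication is followed by an LDAP modify on the user's own entry.
post-auth {
	update {
		# The bind identity FreeRADIUS uses must be allowed to write
		# "description" on this entry.  Where the LDAP ACLs deny that
		# (on UCS: users outside the school OU, e.g. below
		# cn=users,$ldap_base), the modify is rejected and the whole
		# Access-Request fails with it, even though the password was
		# correct.  Where it is allowed, any existing description is
		# silently overwritten on each login.
		description := "Authenticated at %S"
	}
}

# AFTER (what the fix amounts to): no write-back at all.  RADIUS
# authentication then only needs read access to the user entry, so the
# outcome no longer depends on the LDAP ACLs for "description", and
# administrator-maintained descriptions are left untouched.
#post-auth {
#	update {
#		description := "Authenticated at %S"
#	}
#}
```

With the block disabled, the "diff-ldap-ucr-changes" check from the QA steps above should report no changed attributes after a successful radtest; with it enabled, "freeradius -Xf" shows the rejected modify right before the Access-Reject for the affected users.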
Bug fixed: OK
Tests: OK
YAML: OK
UCS@school 4.3 v6 has been released. https://docs.software-univention.de/changelog-ucsschool-4.3v6-de.html If this error occurs again, please clone this bug.