Univention Bugzilla – Bug 48105
[UCS4.3] FreeRADIUS 3.0 tries to modify the LDAP attribute "description" and fails for non-school users
Last modified: 2018-11-14 14:40:31 CET
The same problem arises if school customers use the univention-radius package instead of the UCS@school-specific one, so I cloned the bug to UCS 4.3.

+++ This bug was initially created as a clone of Bug #47347 +++

https://github.com/univention/ucs-school/blob/4.3/ucs-school-radius-802.1x/conffiles/etc/freeradius/3.0/mods-available/ldap#L445

The LDAP module of FreeRADIUS tries to modify the LDAP attribute "description", at least if we use the "post-auth" config section as in https://www.univention.de/2017/10/wlan-fuer-schultraeger-byod-gyod/

This works for users underneath the school OU, but might not be desired (it would also overwrite other descriptions). It does NOT work for users outside of the school OU (e.g. Domain Admins underneath cn=users,$ldap_base). In this case the modify fails because of LDAP ACLs; as a result the whole auth process of FreeRADIUS fails and the user can't log in via RADIUS.

I suggest removing the modify config option from the LDAP module by default. We might make it available via a UCR switch, e.g. for debugging or accountability purposes. We could even introduce a separate LDAP attribute for this, so we do not overwrite "description".

I did not check the non-UCS@school RADIUS app, but I suppose the config is the same there.
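As an added illustration of the mechanism behind this bug (this is not the univention-radius or ucs-school-radius-802.1x configuration, which is only referenced by the GitHub link above): in FreeRADIUS 3.0 the ldap module's "post-auth" and "accounting" sections in mods-available/ldap may carry an "update" block, and the module then issues an LDAP modify against the authenticated user's own entry. The server, base DN and the value strings below are assumptions chosen to match the behaviour described in the report; the second part of the fragment shows the same module with the write disabled, which is what the fix for this bug does.

```unlang
# Added example, not the UCS or UCS@school config. Server, base_dn and the
# value strings are assumed; the structure is the FreeRADIUS 3.0 ldap module.
ldap {
	server = "localhost"           # assumed
	base_dn = "dc=example,dc=com"  # assumed
	identity = "cn=radius,dc=example,dc=com"  # assumed bind DN used for the modify
	password = "secret"            # assumed

	user {
		base_dn = "${..base_dn}"
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	# PROBLEMATIC FORM. After a successful authentication the module
	# modifies the user's entry with the bind identity above. The modify
	# succeeds only where that identity has write access (in the report:
	# users below the school OU) and fails where it has not (e.g. users
	# below cn=users,$ldap_base). A failed modify makes the ldap call fail,
	# and with "ldap" enabled in the post-auth section of
	# sites-available/default the whole request is rejected.
	post-auth {
		update {
			description := "Authenticated at %S"   # %S = request timestamp
		}
	}

	# Same write path on accounting start/stop (login/logout), with the
	# same ACL dependency.
	accounting {
		reference = "%{tolower:type.%{Acct-Status-Type}}"
		type {
			start {
				update {
					description := "Online at %S"
				}
			}
			stop {
				update {
					description := "Offline at %S"
				}
			}
		}
	}
}

# FIXED FORM: same module without any update block, so the module only
# reads the user entry during authorization and never writes to it. Login
# then no longer depends on the LDAP ACLs of the user's entry, and the
# existing "description" value is left alone.
ldap {
	server = "localhost"           # assumed
	base_dn = "dc=example,dc=com"  # assumed
	identity = "cn=radius,dc=example,dc=com"  # assumed
	password = "secret"            # assumed

	user {
		base_dn = "${..base_dn}"
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
	# no post-auth / accounting update blocks
}
```

To confirm which form is active, run the server in the foreground with freeradius -X, authenticate a user that lives outside the OU the bind identity may write to, and check whether the ldap module attempts a modify after the Access-Accept; with the fixed form no modify is attempted and, as in the test plan on this page, a diff of the LDAP object before and after the login is empty.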
You can reuse the test instance of bug 47347 and purge ucs-school-radius-802.1x prior to the installation of univention-radius.

1) Reproduce the problem
- copy toolshed/LDAP/diff-ldap-ucr-changes, toolshed/LDAP/diff-ldif and toolshed/HL* to your test schoolslave
- create a new UCS/UCS@school user (e.g. anton9)
- assign the internet rule "Unbeschränkt" to the class of user "anton9"
- ssh root@schoolslave
- univention-install univention-radius (the package should be the OLD version that contains the problem!)
- vim /etc/freeradius/3.0/sites-available/default: remove the comment character in line 748 → adds "ldap" to the config
- service freeradius stop
- freeradius -Xf
→ switch to a new console
- run "diff-ldap-ucr-changes"
→ switch to a new console
- radtest -t mschap anton9 univention localhost 1812 testing123
→ switch to the console with the running "diff-ldap-ucr-changes"
- press "c" + ENTER
- The output should show a changed "description" attribute of user "anton9" → problem successfully reproduced

2) Test the fixed package
- univention-install univention-radius (the package should be the NEW version without the problem!)
→ switch to the console with "freeradius -Xf"
- Ctrl-C
- restart "freeradius -Xf"
→ switch to a free console
- radtest -t mschap anton9 univention localhost 1812 testing123
→ switch to the console with the running "diff-ldap-ucr-changes"
- press "c" + ENTER
- The output (automatically shown by less) should be empty → no changes to LDAP objects → problem successfully fixed

45e20950fd Bug #48105: update advisory
481ade27c0 Bug #48105: add advisory
c37bd7aa30 Bug #48105: add changelog entry
7c7adf6fbf Bug #48105: do not modify user's attribute description upon login/logout

The LDAP assignment was intentionally disabled and not replaced by a new UCR variable. Customers are better off with their own site config, as the individual configuration settings are then better coordinated with each other.

Package: univention-radius
Version: 5.0.0-9A~4.3.0.201811061521
Branch: ucs_4.3-0
Scope: errata4.3-2
Bug fixed: OK
Tests: OK
YAML: OK
<http://errata.software-univention.de/ucs/4.3/307.html>