Bug 53264 - LDAP-Lookups fail when using auth-type ttls
Status: NEW
Product: UCS
Classification: Unclassified
Component: Radius
Version: UCS 4.4
Platform: Other Linux
Importance: P5 normal
Assigned To: UCS maintainers
Depends on:
Blocks:
Reported: 2021-05-17 09:19 CEST by Raoul Borenius
Modified: 2022-01-27 14:48 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.051
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
requate: Patch_Available+

Description Raoul Borenius 2021-05-17 09:19:52 CEST
Setting

ucr set freeradius/conf/auth-type/mschap=no
ucr set freeradius/conf/auth-type/ttls=yes

does not lead to a working ldap filter:

Auth: (1) Invalid user (ldap: Unable to create filter): [radius_check-rgbtest-tub] (from client mon3 port 0 cli 70-6F-6C-69-73-68)

Debug mode shows the problem:

rlm_ldap (ldap): Reserved connection (0)
(1) ldap: ERROR: (uid=%{Stripped-User-Name:-%{User-Name}})
(1) ldap: ERROR:        ^ Unknown module
(1) ldap: ERROR: Unable to create filter


Fix:

--- /etc/univention/templates/files//etc/freeradius/3.0/mods-available/ldap.orig        2021-05-16 16:46:34.186637385 +0200
+++ /etc/univention/templates/files//etc/freeradius/3.0/mods-available/ldap     2021-05-16 16:38:43.225770786 +0200
        #  Unless overridden in another section, the dn from which all
@@ -185,10 +186,9 @@
 auth_type = configRegistry.get('freeradius/conf/auth-type/mschap', 'FALSE')
 
 if auth_type and 'TRUE' == auth_type.upper() or 'YES' == auth_type.upper():
-       filter = 'mschap:User-Name'
+       print('\t\tfilter = "(uid=%%{mschap:User-Name:-%%{User-Name}})"')
 else:
-       filter = 'Stripped-User-Name'
-print('\t\tfilter = "(uid=%%{%s:-%%{User-Name}})"' % filter)
+       print('\t\tfilter = "(uid=%%{%%{Stripped-User-Name}:-%%{User-Name}})"')
 @!@
 
                #  SASL parameters to use for user binds
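Review bot: the two new print() lines keep the %% escapes of the removed line but no longer pass through the % operator, so Python prints them unchanged and the rendered module file gets filter = "(uid=%%{%%{Stripped-User-Name}:-%%{User-Name}})" (and the same doubling in the mschap branch) instead of the single-percent xlat that FreeRADIUS parses; write the new strings with single % signs, or keep the % () formatting that the removed print() used. A smaller point on the unchanged condition if auth_type and 'TRUE' == auth_type.upper() or 'YES' == auth_type.upper(): Python groups it as (auth_type and ...) or (...), so the auth_type guard does not cover the second comparison; it cannot fail while configRegistry.get() supplies the 'FALSE' default, but parenthesising the or would make the intent explicit.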
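As an added illustration (not part of the bug report, the UCS template or FreeRADIUS itself), a small Python model of how FreeRADIUS 3 tokenises the three %{...} forms involved here: a plain attribute, a module call %{module:arg}, and the %{%{A}:-%{B}} default. It assumes a constructed request carrying only User-Name and models no real module xlats, so any %{name:...} is reported as an unknown module, which is exactly what the old filter triggers.

```python
# Constructed request: only User-Name is present, Stripped-User-Name is not.
REQUEST = {"User-Name": "alice@example.org"}

class XlatError(Exception):
    """Raised where rlm_ldap would log 'Unable to create filter'."""

def _matching_brace(s, open_idx):
    """Index of the '}' that closes the '{' at open_idx (nesting aware)."""
    depth = 0
    for j in range(open_idx, len(s)):
        if s[j] == "{":
            depth += 1
        elif s[j] == "}":
            depth -= 1
            if depth == 0:
                return j
    raise XlatError("unbalanced braces")

def _expand(body, request):
    """Expand the text between a '%{' and its matching '}'."""
    if body.startswith("%{"):
        # Default form %{%{A}:-fallback}: A wins when it is non-empty,
        # otherwise the fallback (literal or another %{...}) is expanded.
        end = _matching_brace(body, 1)
        primary = _expand(body[2:end], request)
        rest = body[end + 1:]
        if not rest.startswith(":-"):
            raise XlatError("expected ':-' after nested expansion")
        return primary if primary else xlat(rest[2:], request)
    if ":" in body:
        # Module form %{module:arg}: 'Stripped-User-Name' lands here as a module
        # name, giving the 'Unknown module' error. No real modules are modelled.
        raise XlatError("Unknown module: %s" % body.partition(":")[0])
    # Plain attribute: a missing attribute expands to the empty string.
    return request.get(body, "")

def xlat(template, request=REQUEST):
    """Expand every %{...} in template; other text passes through."""
    out, i = "", 0
    while i < len(template):
        if template.startswith("%{", i):
            end = _matching_brace(template, i + 1)
            out += _expand(template[i + 2:end], request)
            i = end + 1
        else:
            out += template[i]
            i += 1
    return out
```

With the corrected filter the model yields (uid=alice@example.org) for the constructed request and (uid=<stripped name>) once Stripped-User-Name is set; the old filter raises the unknown-module error before any LDAP search happens.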