ldap group authorization...HELP!!!

Tre Johnston Wed, 03 Mar 2004 11:53:51 -0800

I am having problems with radius grabbing the group memberUid attribute from ldap and 
deny initial access to routers users based on the group they are in.  Below is a copy 
of the ldap configuration I have in my radiusd.conf file, also I have enabled ldap in 
the auth section.  Any help would be gladly appreciated.


ldap {
                server = (Hidden to protect the innocent)
                identity = (Hidden to protect the innocent)
                password =(Hidden to protect the innocent)
                basedn = (Hidden to protect the innocent)
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                base_filter = "(objectclass=radiusprofile)"

                # set this to 'yes' to use TLS encrypted connections
                # to the LDAP database by using the StartTLS extended
                # operation.
                # The StartTLS operation is supposed to be used with normal
                # ldap connections instead of using ldaps (port 689) connections
                start_tls = yes

                tls_cacertfile  = /etc/openldap/ssl/cacert.pem
                # tls_cacertdir         = /path/to/ca/dir/
                # tls_certfile          = /path/to/radius.crt
                # tls_keyfile           = /path/to/radius.key
                # tls_randfile          = /path/to/rnd
                # tls_require_cert      = "demand"

                # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
                profile_attribute = "radiusProfileDn"
                access_attr = "cn"
                #access_group = ops
                # Mapping of RADIUS dictionary attributes to LDAP
                # directory attributes.
                dictionary_mapping = ${raddbdir}/ldap.attrmap

                ldap_connections_number = 5

                #
                # NOTICE: The password_header directive is NOT case insensitive
                #
                password_header = "{SSHA}"
                password_attribute = userPassword
                groupname_attribute = "(|(&(objectClass=%(MemberUid))))
                groupmembership_filter = 
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))ou=Group,ou=Corproate,dc=supplysolution,dc=com"
                groupmembership_attribute = cn

                #
                #  The server can usually figure this out on its own, and pull
                #  the correct User-Password or NT-Password from the database.
                #
                #  Note that NT-Passwords MUST be stored as a 32-digit hex
                #  string, and MUST start off with "0x", such as:
                #
                #       0x000102030405060708090a0b0c0d0e0f
                #
                #  Without the leading "0x", NT-Passwords will not work.
                #  This goes for NT-Passwords stored in SQL, too.
                #
                # password_attribute = userPassword
                # groupname_attribute = cn
                 groupmembership_filter = 
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
                groupmembership_attribute = radiusGroupName
                timeout = 4
                timelimit = 3
                net_timeout = 1
                # compare_check_items = yes
                # do_xlat = yes
                access_attr_used_for_allow = yes
        }






Here is a copy of the log for the request.

rad_recv: Access-Request packet from host (Hidden to protect the innocent), id=38, 
length=86
        User-Name = "dev"
        Reply-Message = "Password: "
        User-Password = "(Hidden to protect the innocent)"
        NAS-Port = 66
        NAS-Port-Type = Virtual
        Calling-Station-Id = "(Hidden to protect the innocent)"
        NAS-IP-Address = (Hidden to protect the innocent)
Wed Mar  3 11:27:23 2004 : Debug: rad_lowerpair:  User-Name now 'dev'
Wed Mar  3 11:27:23 2004 : Debug: modcall: entering group authorize for request
0
Wed Mar  3 11:27:23 2004 : Debug:   modsingle[authorize]: calling preprocess (rl
m_preprocess) for request 0
Wed Mar  3 11:27:23 2004 : Debug:   modsingle[authorize]: returned from preproce
ss (rlm_preprocess) for request 0
Wed Mar  3 11:27:23 2004 : Debug:   modcall[authorize]: module "preprocess" retu
rns ok for request 0
Wed Mar  3 11:27:23 2004 : Debug:   modsingle[authorize]: calling ldap (rlm_ldap
) for request 0
Wed Mar  3 11:27:23 2004 : Debug: rlm_ldap: - authorize
Wed Mar  3 11:27:23 2004 : Debug: rlm_ldap: performing user authorization for de
v
Wed Mar  3 11:27:23 2004 : Debug: radius_xlat:  '(uid=dev)'
Wed Mar  3 11:27:23 2004 : Debug: radius_xlat:  (Hidden to protect the innocent)
Wed Mar  3 11:27:23 2004 : Debug: ldap_get_conn: Got Id: 0
Wed Mar  3 11:27:23 2004 : Debug: rlm_ldap: attempting LDAP reconnection
Wed Mar  3 11:27:23 2004 : Debug: rlm_ldap: (re)connect to management1.pleas.sup
plysolution.com:389, authentication 0
Wed Mar  3 11:27:23 2004 : Debug: rlm_ldap: starting TLS
Wed Mar  3 11:27:23 2004 : Debug: rlm_ldap: bind as (Hidden to protect the innocent)
Wed Mar  3 11:27:23 2004 : Debug: rlm_ldap: waiting for bind result ...
Wed Mar  3 11:27:23 2004 : Debug: rlm_ldap: performing search in (Hidden to protect 
the innocent), with filter (uid=dev)
Wed Mar  3 11:27:23 2004 : Debug: rlm_ldap: checking if remote access for dev is
 allowed by cn
Wed Mar  3 11:27:23 2004 : Debug: rlm_ldap: Added password umFYzyfnmhVQdQC+Lleys
j8RFv7g+TE+ in check items
Wed Mar  3 11:27:23 2004 : Debug: rlm_ldap: looking for check items in directory
...
Wed Mar  3 11:27:23 2004 : Debug: rlm_ldap: looking for reply items in directory
...
Wed Mar  3 11:27:23 2004 : Debug: rlm_ldap: user dev authorized to use remote ac
cess
Wed Mar  3 11:27:23 2004 : Debug: ldap_release_conn: Release Id: 0
Wed Mar  3 11:27:23 2004 : Debug:   modsingle[authorize]: returned from ldap (rl
m_ldap) for request 0
Wed Mar  3 11:27:23 2004 : Debug:   modcall[authorize]: module "ldap" returns ok
 for request 0
Wed Mar  3 11:27:23 2004 : Debug: modcall: group authorize returns ok for reques
t 0
Wed Mar  3 11:27:23 2004 : Debug:   rad_check_password:  Found Auth-Type LDAP
Wed Mar  3 11:27:23 2004 : Debug: auth: type "LDAP"
Wed Mar  3 11:27:23 2004 : Debug: modcall: entering group Auth-Type for request
0
Wed Mar  3 11:27:23 2004 : Debug:   modsingle[authenticate]: calling ldap (rlm_l
dap) for request 0
Wed Mar  3 11:27:23 2004 : Debug: rlm_ldap: - authenticate
Wed Mar  3 11:27:23 2004 : Debug: rlm_ldap: login attempt by "dev" with password
 "changeme"
Wed Mar  3 11:27:23 2004 : Debug: rlm_ldap: user DN: uid=dev,(Hidden to protect the 
innocent)
Wed Mar  3 11:27:23 2004 : Debug: rlm_ldap: (re)connect to (Hidden to protect the 
innocent) authentication 1
Wed Mar  3 11:27:23 2004 : Debug: rlm_ldap: starting TLS
Wed Mar  3 11:27:23 2004 : Debug: rlm_ldap: bind as uid=dev,(Hidden to protect the 
innocent)
Wed Mar  3 11:27:23 2004 : Debug: rlm_ldap: waiting for bind result ...
Wed Mar  3 11:27:23 2004 : Debug: rlm_ldap: user dev authenticated succesfully
Wed Mar  3 11:27:23 2004 : Debug:   modsingle[authenticate]: returned from ldap
(rlm_ldap) for request 0
Wed Mar  3 11:27:23 2004 : Debug:   modcall[authenticate]: module "ldap" returns
 ok for request 0
Wed Mar  3 11:27:23 2004 : Debug: modcall: group Auth-Type returns ok for reques
t 0
Wed Mar  3 11:27:23 2004 : Auth: Login OK: [dev] (from client router port
66 cli (hidden))
Sending Access-Accept of id 38 to 67.29.144.130:1645
Wed Mar  3 11:27:23 2004 : Debug: Finished request 0
Wed Mar  3 11:27:23 2004 : Debug: Going to the next request
Wed Mar  3 11:27:23 2004 : Debug: --- Walking the entire request list ---
Wed Mar  3 11:27:23 2004 : Debug: Waking up in 6 seconds...
Warning: Remote host denied X11 forwarding.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

ldap group authorization...HELP!!!

Reply via email to