On Fri, 26 Mar 2004, Casey Forbes wrote:
> Hello,
>
> I'm having a lot of trouble getting my freeradius (CVS snap 20040323)
> to Allow/Deny access based on membership in LDAP groups (where the
> group names are associated with huntgroups). rlm_ldap docs and the mailing
> list archive didn't help me much..
>
> I'd like to do something like this:
>
> huntgroups:
> .....
> dialup NAS-IP-Address == 172.16.0.12
> wireless NAS-IP-Address == 172.16.0.13
>
>
> users:
> .....
> DEFAULT Huntgroup-Name == dialup,
> Ldap-Group == "cn=Dialup,ou=Remote Access,dc=kensfoods,dc=com"
> Fall-Through = yes
> DEFAULT Huntgroup-Name == wireless,
> Ldap-Group == "cn=Wireless,ou=Remote Access,dc=kensfoods,dc=com"
> Fall-Through = yes
>
>
> ldif:
> .....
> dn: cn=Dialup,ou=Remote Access, dc=kensfoods,dc=com
> objectClass: groupOfUniqueNames
> objectClass: top
> uniqueMember: cn=John Smith,ou=Users,dc=kensfoods,dc=com
> cn: Dialup
>
> dn: cn=Wireless,ou=Remote Access, dc=kensfoods,dc=com
> objectClass: groupOfUniqueNames
> objectClass: top
> uniqueMember: cn=Robert Kelley,ou=Users,dc=kensfoods,dc=com
> cn: Wireless
>
>
> radiusd.conf
> .....
> modules {
> ...
>
> ldap {
> server = "ldap.kensfoods.com"
> identity = "cn=FreeRADIUS,ou=Daemon,dc=kensfoods,dc=com"
> password = ******
> basedn = "ou=Users,dc=kensfoods,dc=com"
> filter = "(uid=%u)"
>
> start_tls = no
> ldap_connections_number = 5
> dictionary_mapping = ${raddbdir}/ldap.attrmap
>
> password_header = "{SHA}"
> password_attribute = userPassword
>
> groupname_attribute = cn
> groupmembership_filter =
> "(&(objectClass=groupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>
> timeout = 4
> timelimit = 3
> net_timeout = 1
> compare_check_items = no
> }
> }
> authorize {
> preprocess
> chap
> mschap
> suffix
> eap
> files
> ldap
> }
>
> authenticate {
> Auth-Type PAP {
> pap
> }
> Auth-Type CHAP {
> chap
> }
> Auth-Type MS-CHAP {
> mschap
> }
> Auth-Type LDAP {
> ldap
> }
> eap
> }
>
>
>
>
>
> With the above configuration, no group checks are happening....
>
> radiusd -X
> .....
> rad_recv: Access-Request packet from host 127.0.0.1:40092, id=100,
> length=59
> User-Name = "cforbes"
> User-Password =
> NAS-IP-Address = 255.255.255.255
Huntgroup matching with this value for NAS-IP-Address will never work.
> NAS-Port = 1
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> modcall[authorize]: module "chap" returns noop for request 0
> modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: No '@' in User-Name = "cforbes", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 0
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 0
> modcall[authorize]: module "files" returns notfound for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for cforbes
> radius_xlat: '(uid=cforbes)'
> radius_xlat: 'ou=Users,dc=kensfoods,dc=com'
> ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldap.kensfoods.com:389, authentication 0
> rlm_ldap: bind as cn=FreeRADIUS,ou=Daemon,dc=kensfoods,dc=com
> to ldap.kensfoods.com:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=Users,dc=kensfoods,dc=com, with filter
> (uid=cforbes)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding acctFlags as SMB-Account-CTRL-TEXT
> rlm_ldap: Adding ntPassword as NT-Password
> rlm_ldap: Adding lmPassword as LM-Password
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user cforbes authorized to use remote access
> ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for request 0
> modcall: group authorize returns ok for request 0
> rad_check_password: Found Auth-Type LDAP
> auth: type "LDAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 0
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "cforbes" with password
> rlm_ldap: user DN: cn=Casey Forbes,ou=Users,dc=kensfoods,dc=com
> rlm_ldap: (re)connect to ldap.kensfoods.com:389, authentication 1
> rlm_ldap: bind as cn=Casey Forbes,ou=Users,dc=kensfoods,dc=com to
> ldap.kensfoods.com:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: user cforbes authenticated succesfully
> modcall[authenticate]: module "ldap" returns ok for request 0
> modcall: group Auth-Type returns ok for request 0
> Login OK: [cforbes] (from client localhost port 1)
> Sending Access-Accept of id 100 to 127.0.0.1:40092
> Finished request 0
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
