On 6/15/04 7:18 PM, Veerabhushan Hatte at <[EMAIL PROTECTED]> wrote:

> I was going through the mail responses and I am facing some problem for the
> same configuration. I have a few questions and your help is greatly appreciated.
> 1. Do I need to enable pam authentication to use LDAP?

I don't think so. We do not have PAM active on our instance of radiusd.

> 2. If I need to use pam, do I need to install OpenLDAP to run LDAP on
> freeRADIUS?

I think you may need OpenLDAP installed when you compile radiusd. We run radiusd on OS X, so we already had LDAP installed. I think I saw your original email that you were having trouble starting radiusd, and one user suggested that you needed OpenLDAP prior to compilation. If it does in fact now start, you can use the following edits to adjust your configs. Ours works like a charm now.

One pitfall we had is that when the user is looked up in AD, the cn= LDAP property looks at AD's Display Name. This means that if Michael Check is logging in as [EMAIL PROTECTED], the Display Name in AD must also be the same as the account name (user name). The default in AD is to set cn as 'Michael Check'. You need to change it to 'mcheck'. The same goes for the account that radiusd uses to look up the information in the AD, in our case ldapuser and radiusserver. We still haven't figured out if there is an LDAP property that maps the username to AD's account (user) name. If you or others know of it, I'd like to know.

> If you could send me the configuration file for LDAP configuration, it would
> be really helpful.

The following setup allows users to be authenticated off two different AD LDAP servers depending on the domain (realm). Users without a domain are authenticated off the first AD LDAP server. The requests come from a RAS and a VPN concentrator on the foo1 network to radiusd, which is also on the foo1 network. We use the AD property access_attr="msNPAllowDialin" to determine whether the user can log in. This is the boolean in AD for whether to allow VPN/Dial-in under the account properties.

clients.conf
--------------------
#
client 192.168.2.28 {
        secret          = secretpass
        shortname       = vpn.foo1.com
        nastype         = cisco
}
client 192.168.2.29 {
        secret          = secretpass
        shortname       = ras.foo1.com
        nastype         = patton
}
#

proxy.conf
--------------------
realm foo1.com {
        type            = radius
        authhost        = LOCAL
        accthost        = LOCAL
}
realm foo2.com {
        type            = radius
        authhost        = LOCAL
        accthost        = LOCAL
}

users
--------------------
#
# First setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a password was already given earlier in this file).
#
#DEFAULT        Auth-Type := system
#       Fall-Through = 1

#
# Setup all accounts to be checked against the MAI-LDAP module
# This is for users that do not specify a realm (ie. @foo.com)
#
DEFAULT Autz-Type := FOO1
        Auth-Type := FOO1,
        Fall-Through = 1

DEFAULT Realm == "NULL", Autz-Type := FOO1, Auth-Type := FOO1
DEFAULT Realm == "foo1.com", Autz-Type := FOO1, Auth-Type := FOO1
DEFAULT Realm == "foo2.com", Autz-Type := FOO2, Auth-Type := FOO2

radiusd.conf
--------------------
        # Lightweight Directory Access Protocol (LDAP)
        #
        #  This module definition allows you to use LDAP for
        #  authorization and authentication (Auth-Type := LDAP)
        #
        #  See doc/rlm_ldap for description of configuration options
        #  and sample authorize{} and authenticate{} blocks
        ldap FOO1 {
                server = "192.168.2.5"
                identity = "cn=ldapuser,cn=users,dc=foo1,dc=com"
                password = foopass
                basedn = "cn=users,dc=foo1,dc=com"
                filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
                access_attr="msNPAllowDialin"
                password_attribute=userPassword

                # set this to 'yes' to use TLS encrypted connections
                # to the LDAP database by using the StartTLS extended
                # operation.
                start_tls = no

                # set this to 'yes' to use TLS encrypted connections to the
                # LDAP database by passing the LDAP_OPT_X_TLS_TRY option to
                # the ldap library.
                tls_mode = no

                # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
                # profile_attribute = "radiusProfileDn"
                #access_attr = "dialupAccess"

                # Mapping of RADIUS dictionary attributes to LDAP
                # directory attributes.
                dictionary_mapping = ${raddbdir}/ldap.attrmap

                # ldap_cache_timeout = 120
                # ldap_cache_size = 0
                ldap_connections_number = 5
                # password_header = "{clear}"
                # password_attribute = userPassword
                # groupname_attribute = cn
                # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
                # groupmembership_attribute = radiusGroupName
                timeout = 4
                timelimit = 3
                net_timeout = 1
                # compare_check_items = yes
                # access_attr_used_for_allow = yes
        }

        ldap FOO2 {
                server = "10.0.1.5"
                identity = "cn=radiusserver,cn=users,dc=foo2,dc=com"
                password = foopass
                basedn = "ou=merchandisers,dc=foo2,dc=com"
                filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
                # access_attr="msNPAllowDialin"
                password_attribute=userPassword

                # set this to 'yes' to use TLS encrypted connections
                # to the LDAP database by using the StartTLS extended
                # operation.
                start_tls = no

                # set this to 'yes' to use TLS encrypted connections to the
                # LDAP database by passing the LDAP_OPT_X_TLS_TRY option to
                # the ldap library.
                tls_mode = no

                # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
                # profile_attribute = "radiusProfileDn"
                #access_attr = "dialupAccess"

                # Mapping of RADIUS dictionary attributes to LDAP
                # directory attributes.
                dictionary_mapping = ${raddbdir}/ldap.attrmap

                # ldap_cache_timeout = 120
                # ldap_cache_size = 0
                ldap_connections_number = 5
                # password_header = "{clear}"
                # password_attribute = userPassword
                # groupname_attribute = cn
                # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
                # groupmembership_attribute = radiusGroupName
                timeout = 4
                timelimit = 3
                net_timeout = 1
                # compare_check_items = yes
                # access_attr_used_for_allow = yes
        }

#  Authorization. First preprocess (hints and huntgroups files),
#  then realms, and finally look in the "users" file.
authorize {
#       chap
#       mschap
#       attr_filter
#       eap
        suffix

        # The ldap module will set Auth-Type to LDAP if it has not already been set
        Autz-Type FOO1 {
                FOO1
        }
        Autz-Type FOO2 {
                FOO2
        }
        files
#       etc_smbpasswd
#       daily
}

#  Authentication.
#
authenticate {
#       authtype PAP {
#               pap
#       }
#       authtype CHAP {
#               chap
#       }
#
#  MSCHAP authentication.
        authtype MS-CHAP {
                mschap
        }
#       pam
#       unix

        # Uncomment it if you want to use ldap for authentication
        authtype LDAP {
                FOO1
        }
        Auth-Type FOO1 {
                FOO1
        }
        Auth-Type FOO2 {
                FOO2
        }
#       eap
}

Finally, in debugging our config, I would be interested to know if someone could tell me why a NULL user (mcheck, no realm) will use the correct Autz-Type, but still finds the LDAP Auth-Type instead of FOO1 like specified in the users file. It seems the DEFAULT Autz-Type is found, but still uses the LDAP Auth-Type. Weird. Either way, that is why it is still in the configs below.

Hope this helps,

-Michael Check
--
Solo Group, Inc.            # mcheck (at) sologroup (dot) com
Chicago, Illinois           # http://www.sologroup.com/

--
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
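The posted configuration does three things implicitly that are worth seeing end to end: the suffix module splits user@realm into Stripped-User-Name and Realm, the users file routes the realm to the FOO1 or FOO2 ldap instance, and rlm_ldap expands filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})" and applies access_attr="msNPAllowDialin" to the entry it finds. The following Python models that pipeline against an in-memory directory so it runs without an AD server. It is an added example, not code from the original post or from FreeRADIUS; the directory contents and account names are constructed, and the access_attr semantics (attribute absent or FALSE means reject, which is what the posted default access_attr_used_for_allow = yes gives you) are my reading of rlm_ldap's behaviour, not something the post itself spells out. It also shows the part the config leaves to the module: escaping the user-supplied name before it goes into the search filter, so a User-Name like a*)(msNPAllowDialin=TRUE cannot widen the search.

```python
"""
Added example (not from the original post): models the user-name handling the
posted FreeRADIUS/AD LDAP config relies on, against a constructed in-memory
directory instead of a live LDAP server.
"""

# Realm -> ldap instance, mirroring the posted users-file DEFAULT entries.
# "NULL" is the Realm value a request gets when no realm was supplied.
REALM_TO_INSTANCE = {"NULL": "FOO1", "foo1.com": "FOO1", "foo2.com": "FOO2"}

# In the post, FOO1 sets access_attr="msNPAllowDialin"; in FOO2 that line is
# commented out, so FOO2 never rejects on the dial-in flag.
INSTANCE_USES_ACCESS_ATTR = {"FOO1": True, "FOO2": False}

# Constructed sample directories: sAMAccountName -> attributes (not real AD data).
SAMPLE_DIRECTORY = {
    "FOO1": {
        "mcheck": {"cn": "mcheck", "msNPAllowDialin": "TRUE"},
        "nodial": {"cn": "No Dial", "msNPAllowDialin": "FALSE"},
        "unset":  {"cn": "Unset"},            # dial-in flag never set on the account
    },
    "FOO2": {
        "merch1": {"cn": "merch1", "msNPAllowDialin": "FALSE"},
    },
}


def split_realm(user_name):
    """Mimic the suffix module: 'user@realm' -> (stripped, realm); no '@' -> (user, 'NULL')."""
    if "@" in user_name:
        stripped, realm = user_name.rsplit("@", 1)
        return stripped, realm.lower()
    return user_name, "NULL"


# RFC 4515 escaping for an assertion value inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value):
    """Escape filter metacharacters so a user name can only ever match one sAMAccountName."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(user_name):
    """Expand filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})" with escaping applied."""
    stripped, _ = split_realm(user_name)
    return "(sAMAccountName=%s)" % ldap_filter_escape(stripped)


def authorize(user_name, directory=SAMPLE_DIRECTORY):
    """Return (instance, decision); decision is 'accept', 'reject' or 'notfound'."""
    stripped, realm = split_realm(user_name)
    instance = REALM_TO_INSTANCE.get(realm)
    if instance is None:
        # No DEFAULT entry in the posted users file matches an unknown realm.
        return "none", "reject"
    entry = directory[instance].get(stripped)
    if entry is None:
        return instance, "notfound"
    if INSTANCE_USES_ACCESS_ATTR[instance]:
        # access_attr check as modelled here: missing attribute or the literal
        # FALSE rejects; anything else lets the request continue to authentication.
        if entry.get("msNPAllowDialin", "FALSE").upper() == "FALSE":
            return instance, "reject"
    return instance, "accept"


if __name__ == "__main__":
    for name in ("mcheck", "nodial@foo1.com", "unset", "merch1@foo2.com",
                 "mcheck@foo2.com", "a*)(msNPAllowDialin=TRUE@foo1.com"):
        print("%-36s filter=%-48s -> %s" % (name, build_filter(name), authorize(name)))
```

The escaping is the piece to keep in mind when you read `filter = ...` in radiusd.conf: the xlat value comes straight from the Access-Request, so whatever the module does not escape, the directory will interpret. Separately, both posted instances have `start_tls = no` and `tls_mode = no`, so the bind with `password = foopass` and the searches travel in clear between radiusd and the domain controllers; the example does not model transport, but that is the first setting to revisit once the lookups work.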