On 6/15/04 7:18 PM, Veerabhushan Hatte at <[EMAIL PROTECTED]> wrote:

> I was going through the mail responses and I am facing some problem for the
> same configuration. I have few questions and your help is greatly appreciated.
> 1. Do I need enable pam authentication to use LDAP?

I don't think so.  We do not have PAM active on our instance of radiusd.

> 2. If I need to use pam, do I need to install OpenLDAP to run LDAP on
> freeRADIUS?

I think you may need openLDAP installed when you compile radiusd.  We run
radiusd on OSX so we already had LDAP installed.  I think I saw your
original email that you were having trouble starting radiusd and one user
suggested that you needed openLDAP prior to compilation.  If it does in fact
now start, you can use the following edits to adjust your configs.  Ours works
like a charm now.

One pitfall we had is that when the user is looked up in AD, the cn= LDAP
property looks at AD's Display Name.  This means that if Michael Check is
logging in as [EMAIL PROTECTED], the Display Name in AD must also be the same
as the account name (user name).  The default in AD is to set cn as 'Michael
Check'.  You need to change it to 'mcheck'.

The same goes for the account that radiusd uses to look up the information
in the AD.  In our case ldapuser and radiusserver.

We still haven't figured out if there is an LDAP property that maps the
username to AD's account (user) name.  If you or others know of it, I'd like
to know.

> If you could send me the configuration file for LDAP configuration, it would
> be really helpful.

The following setup allows users to be authenticated off two different AD LDAP
servers depending on the domain (realm).  Users without a domain are
authenticated off the first AD LDAP server.

The requests come from a ras and a vpn concentrator on the foo1 network to
radiusd which is also on the foo1 network.

We use the AD property access_attr="msNPAllowDialin" to determine whether
the user can log in.  This is the boolean in AD whether to allow VPN/Dial-in
under the account properties.

clients.conf
--------------------
#
client 192.168.2.28 {
    secret        = secretpass
    shortname    = vpn.foo1.com
    nastype        = cisco
}

client 192.168.2.29 {
    secret        = secretpass
    shortname    = ras.foo1.com
    nastype        = patton
}
#

proxy.conf
--------------------
realm foo1.com {
    type        = radius
    authhost    = LOCAL
    accthost    = LOCAL
}

realm foo2.com {
    type        = radius
    authhost    = LOCAL
    accthost    = LOCAL
}


users
--------------------

#
# First setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a password was already given earlier in this file).
#
#DEFAULT    Auth-Type := system
#    Fall-Through = 1

#
# Setup all accounts to be checked against the MAI-LDAP module
# This is for users that do not specify a realm (i.e. @foo.com)
#
DEFAULT        Autz-Type := FOO1
        Auth-Type := FOO1,
        Fall-Through = 1

DEFAULT Realm == "NULL", Autz-Type := FOO1, Auth-Type := FOO1

DEFAULT Realm == "foo1.com", Autz-Type := FOO1, Auth-Type := FOO1

DEFAULT    Realm == "foo2.com", Autz-Type := FOO2, Auth-Type := FOO2



radiusd.conf
--------------------
    # Lightweight Directory Access Protocol (LDAP)
    #
    #  This module definition allows you to use LDAP for
    #  authorization and authentication (Auth-Type := LDAP)
    #
    #  See doc/rlm_ldap for description of configuration options
    #  and sample authorize{} and authenticate{} blocks
    ldap FOO1 {
        server = "192.168.2.5"
        identity = "cn=ldapuser,cn=users,dc=foo1,dc=com"
        password = foopass
        basedn = "cn=users,dc=foo1,dc=com"
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
        access_attr="msNPAllowDialin"
        password_attribute=userPassword

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        start_tls = no
        # set this to 'yes' to use TLS encrypted connections to the
        # LDAP database by passing the LDAP_OPT_X_TLS_TRY option to
        # the ldap library.
        tls_mode = no

        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        #access_attr = "dialupAccess"

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        # ldap_cache_timeout = 120
        # ldap_cache_size = 0
        ldap_connections_number = 5
        # password_header = "{clear}"
        # password_attribute = userPassword
        # groupname_attribute = cn
        # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        # groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # access_attr_used_for_allow = yes
    }

    ldap FOO2 {
        server = "10.0.1.5"
        identity = "cn=radiusserver,cn=users,dc=foo2,dc=com"
        password = foopass
        basedn = "ou=merchandisers,dc=foo2,dc=com"
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
        # access_attr="msNPAllowDialin"
        password_attribute=userPassword

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        start_tls = no
        # set this to 'yes' to use TLS encrypted connections to the
        # LDAP database by passing the LDAP_OPT_X_TLS_TRY option to
        # the ldap library.
        tls_mode = no

        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        #access_attr = "dialupAccess"

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        # ldap_cache_timeout = 120
        # ldap_cache_size = 0
        ldap_connections_number = 5
        # password_header = "{clear}"
        # password_attribute = userPassword
        # groupname_attribute = cn
        # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        # groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # access_attr_used_for_allow = yes
    }



#  Authorization. First preprocess (hints and huntgroups files),
#  then realms, and finally look in the "users" file.
authorize {
    #
    chap

    #
    mschap

#    attr_filter
#    eap
    suffix

# The ldap module will set Auth-Type to LDAP if it has not already been set

    Autz-Type FOO1 {
        FOO1
    }

    Autz-Type FOO2 {
        FOO2
    }

    files
#    etc_smbpasswd
#    daily

}


# Authentication.
#
authenticate {
    #
    authtype PAP {
        pap
    }

    #
    authtype CHAP {
        chap
    }

    #
    #  MSCHAP authentication.
    authtype MS-CHAP {
        mschap
    }

#    pam

    #  
    unix

    # Uncomment it if you want to use ldap for authentication
    authtype LDAP {
        FOO1
    }

    Auth-Type FOO1 {
        FOO1
    }

    Auth-Type FOO2 {
        FOO2
    }

#    eap
}

Finally, in debugging our config, I would be interested to know if someone
could tell me why a NULL user (mcheck, no realm) will use the correct
Autz-Type, but still finds the LDAP Auth-Type instead of FOO1 as specified
in the users file.  It seems the DEFAULT Autz-Type is found, but it still uses
the LDAP Auth-Type.  Weird.  Either way, that is why it is still in the
configs below.

Hope this helps,

-Michael Check

--
Solo Group, Inc.          #   mcheck (at) sologroup (dot) com
Chicago, Illinois         #   http://www.sologroup.com/
--
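Added example, not part of Michael's mail and not FreeRADIUS code: a small Python model of what the posted configuration does with a login name. It walks the suffix split from proxy.conf, the DEFAULT entries of the users file (NULL realm and unknown realms both end up at FOO1, since the first DEFAULT entry has no Realm check), the `(sAMAccountName=...)` filter from radiusd.conf, and the `msNPAllowDialin` access check that FOO1 applies and FOO2 has commented out. The escaping function mirrors what rlm_ldap applies to the expanded User-Name before it goes into the filter, so a name containing `*`, `(` or `)` is searched as a literal instead of widening the search. The two directories are constructed sample data; the module names, realms and attribute names are the ones in the config above.

```python
# Added example modelling the posted FreeRADIUS config; not from the original
# mail or from FreeRADIUS. Directory contents below are constructed sample data.

# proxy.conf: realms the suffix module recognises, mapped to the ldap module
# the users file assigns them.
REALMS = {"foo1.com": "FOO1", "foo2.com": "FOO2"}

# users file: the catch-all DEFAULT and the Realm == "NULL" entry both send
# the request to FOO1.
FALLBACK_MODULE = "FOO1"

# radiusd.conf: FOO1 sets access_attr="msNPAllowDialin"; FOO2 leaves it out.
ACCESS_ATTR = {"FOO1": "msNPAllowDialin", "FOO2": None}

# Constructed stand-in for the two AD directories, keyed by sAMAccountName.
DIRECTORIES = {
    "FOO1": {
        "mcheck": {"cn": "mcheck", "msNPAllowDialin": "TRUE"},
        "jdoe": {"cn": "jdoe", "msNPAllowDialin": "FALSE"},
    },
    "FOO2": {
        "asmith": {"cn": "asmith"},
    },
}


def split_realm(user_name):
    """Mimic rlm_realm with format=suffix and delimiter "@".

    Returns (name_used_in_filter, realm). With no delimiter the realm is the
    literal "NULL", which is what the users file tests for. An unknown realm
    leaves User-Name unstripped and sets no Realm, modelled here as None.
    """
    if "@" not in user_name:
        return user_name, "NULL"
    name, realm = user_name.rsplit("@", 1)
    realm = realm.lower()
    if realm not in REALMS:
        return user_name, None
    return name, realm


def select_module(realm):
    """Walk the DEFAULT entries of the users file in order."""
    if realm is None or realm == "NULL":
        return FALLBACK_MODULE
    return REALMS[realm]


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in an LDAP search filter.

    Backslash, '*', '(', ')' and NUL become \\XX hex escapes, so whatever the
    client typed is matched as a literal and cannot change the filter shape.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(name):
    """The filter line from radiusd.conf with its %{...} expansion filled in."""
    return "(sAMAccountName=%s)" % escape_filter_value(name)


def access_allowed(module, entry):
    """Apply the access_attr rule as configured for the module.

    With access_attr set (and access_attr_used_for_allow at its default of
    yes) the attribute must be present and not "FALSE"; with access_attr
    unset, finding the entry is enough.
    """
    attr = ACCESS_ATTR[module]
    if attr is None:
        return True
    return entry.get(attr, "FALSE").upper() != "FALSE"


def authorize(user_name):
    """Return (module, ldap_filter, allowed) for a RADIUS User-Name.

    The directory search is simulated by an exact match on sAMAccountName,
    which is exactly what the escaped filter asks a real server to do.
    """
    name, realm = split_realm(user_name)
    module = select_module(realm)
    ldap_filter = build_filter(name)
    entry = DIRECTORIES[module].get(name)
    allowed = entry is not None and access_allowed(module, entry)
    return module, ldap_filter, allowed


if __name__ == "__main__":
    for u in ("mcheck", "jdoe@foo1.com", "asmith@foo2.com",
              "bob@unknown.org", "m*)(cn=*"):
        print(u, "->", authorize(u))
```

Running it shows the three outcomes the config produces: a realm-less or foo1.com user is looked up on FOO1 and gated by msNPAllowDialin, a foo2.com user is looked up on FOO2 with no dial-in check, and a user with a realm that proxy.conf does not list is searched on FOO1 with the full `user@realm` string, which AD will not match.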

