I am using Sun One DS 5.2 as my authentication source and freeradius-0.8-1 on RH Linux. I did not extend the schema to include the radius object class.
How can I properly deny certain users or groups from being able to dial in and establish PPP sessions?
I am a little confused after reading http://www.freeradius.org/radiusd/doc/rlm_ldap and http://www.freeradius.org/faq/#5.2.
This is my users file -

stxlib  Password == "******"
        Service-Type == Login-User,
        Login-IP-Host == hostname,
        Login-Service == Telnet,
        Login-TCP-Port == 23

DEFAULT Auth-Type := LDAP, Prefix == "P", Strip-User-Name == Yes
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-Routing = None,
        Framed-MTU = 1500,
        Session-Timeout := 14400,
        Idle-Timeout := 900,
        Fall-Through = Yes
and the portion of my radius.conf that I think is relevant -
modules {
    pam {
        # pam_auth = radiusd
        pam_auth = system-auth
    }
    ldap {
        server = "ahost"
        #port = 636
        port = 389
        # identity = "cn=admin,o=My Org,c=UA"
        # password = mypass
        basedn = "dc=uvi,dc=edu"
        filter = "(uid=%u)"
        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database.
        start_tls = no
        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        access_group = "cn=DialupUsers,ou=DialUsers,o=uvi.edu"
        #access_attr = "dialupAccess"
        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        #dictionary_mapping = ${raddbdir}/ldap.attrmap
        # ldap_cache_timeout = 120
        # ldap_cache_size = 0
        ldap_connections_number = 5
        # password_header = "{clear}"
        # password_attribute = userPassword
        # Next 2 lines uncommented 20 Mar 2003 -jrl
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # access_attr_used_for_allow = yes
    }
    # Livingston-style 'users' file
    #
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }
    detail {
        detailfile = ${radacctdir}/%{Framed-IP-Address}/detail
        detailperm = 0600
    }
Thanks for your help
Wesley Joyce
"If you can't explain it simply, then you don't know it well enough. - Unknown."
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
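Added example (not part of Wesley's post, and not FreeRADIUS or rlm_ldap code): a small Python model of the two-step check the posted rlm_ldap configuration performs, so the allow/deny decision can be seen in isolation. Step one expands `filter = "(uid=%u)"` to find the user's DN; step two expands the posted `groupmembership_filter` with that DN to find the groups the user belongs to (GroupOfNames via `member`, GroupOfUniqueNames via `uniquemember`), reading the group name from `cn` as `groupname_attribute = cn` does. An `authorize()` function then rejects anyone in a deny group, rejects anyone not in the allow group, and accepts the rest, which is the policy the post is asking how to express. The two filter templates are copied from the posted radiusd.conf; the directory entries, the user names, the `NoDialup` group and the `o=uvi.edu` suffix reuse are constructed sample data. Every substituted value is escaped per RFC 4515 before it goes into a filter, which is what stops a crafted User-Name from altering the filter's meaning; the tiny filter evaluator here supports only `&`, `|` and exact equality, which is all the two posted filters use.

```python
"""Model of rlm_ldap-style user lookup plus group authorization (constructed example)."""

# RFC 4515 escaping for values placed inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string so it is a literal value inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, variables: dict) -> str:
    """Expand %u and %{Name} placeholders, escaping each substituted value."""
    out = template.replace("%u", escape_filter_value(variables.get("User-Name", "")))
    for name, value in variables.items():
        out = out.replace("%{" + name + "}", escape_filter_value(value))
    return out


def _parse(s: str, i: int):
    """Parse one '(...)' filter node starting at s[i]; return (node, next_index).

    Nodes are ('&', [children]), ('|', [children]) or ('=', attr, value).
    Only the subset of RFC 4515 needed by the two posted filters is handled.
    """
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    j = s.index("=", i)
    attr, k, val = s[i:j], j + 1, []
    while s[k] != ")":
        if s[k] == "\\":  # \XX hex escape produced by escape_filter_value
            val.append(chr(int(s[k + 1:k + 3], 16)))
            k += 3
        else:
            val.append(s[k])
            k += 1
    return ("=", attr, "".join(val)), k + 1


def _matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter node against one directory entry (case-insensitive)."""
    if node[0] == "&":
        return all(_matches(n, entry) for n in node[1])
    if node[0] == "|":
        return any(_matches(n, entry) for n in node[1])
    _, attr, value = node
    values = next((v for a, v in entry.items() if a.lower() == attr.lower()), [])
    return any(v.lower() == value.lower() for v in values)


def search(directory: dict, filter_str: str) -> list:
    """Return the DNs of all entries matching filter_str."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing text after filter")
    return [dn for dn, entry in directory.items() if _matches(node, entry)]


# Filter templates copied from the posted radiusd.conf.
USER_FILTER = "(uid=%u)"
GROUP_FILTER = ("(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
                "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))")

# Constructed sample directory: two groups and three users (not real data).
ALICE = "uid=alice,ou=People,dc=uvi,dc=edu"
BOB = "uid=bob,ou=People,dc=uvi,dc=edu"
CAROL = "uid=carol,ou=People,dc=uvi,dc=edu"
DIRECTORY = {
    ALICE: {"objectClass": ["person"], "uid": ["alice"]},
    BOB: {"objectClass": ["person"], "uid": ["bob"]},
    CAROL: {"objectClass": ["person"], "uid": ["carol"]},
    "cn=DialupUsers,ou=DialUsers,o=uvi.edu": {
        "objectClass": ["GroupOfNames"], "cn": ["DialupUsers"], "member": [ALICE, BOB]},
    "cn=NoDialup,ou=DialUsers,o=uvi.edu": {  # constructed deny group
        "objectClass": ["GroupOfUniqueNames"], "cn": ["NoDialup"], "uniqueMember": [BOB]},
}


def user_groups(directory: dict, username: str):
    """Step 1: resolve the user's DN; step 2: list the cn of every group holding it."""
    dns = search(directory, expand_filter(USER_FILTER, {"User-Name": username}))
    if len(dns) != 1:  # unknown or ambiguous user: treat as not found
        return None, []
    user_dn = dns[0]
    groups = search(directory, expand_filter(GROUP_FILTER, {"Ldap-UserDn": user_dn}))
    return user_dn, [directory[g]["cn"][0] for g in groups]  # groupname_attribute = cn


def authorize(directory: dict, username: str,
              allow_group: str = "DialupUsers", deny_group: str = "NoDialup"):
    """Explicit deny group wins, then the allow group is required."""
    user_dn, groups = user_groups(directory, username)
    if user_dn is None:
        return ("Reject", "user not found")
    if deny_group in groups:
        return ("Reject", f"member of {deny_group}")
    if allow_group not in groups:
        return ("Reject", f"not in {allow_group}")
    return ("Accept", "PPP allowed")


if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "*)(uid=*"):
        print(name, authorize(DIRECTORY, name))
```

The last name in the `__main__` loop shows the escaping at work: the crafted User-Name ends up as a literal value that matches no `uid`, so the result is a plain "user not found" rather than a changed filter. Order matters in `authorize()`: checking the deny group before the allow group means a user who is in both is still refused, which is the safer default when a directory's group membership is maintained by more than one team.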