If this is off topic I apologize in advance. Using Samba 3.0.13 with an LDAP back-end and FreeRadius I was trying to add the Radius schema and kept getting object class violations. It's my limited understanding of LDAP that you can not have more than one structural objectclass. I'm no ldap expert so no email telling me how wrong I am. So I came up with a another solution. Using the Windows NT user manager in samba you can grant dialin permission to a user and authenticate against Radius on the back-end. We currently already depend on User Manager for other things so this helped to centralize our management of our VPN users. All you have to do is select the user / Dialin / Grant Dialin permission to user and apply. Using a working Samba LDAP configuration there is nothing in samba or LDAP to configure it's automatic. I've included the changes necessary in a working radius server to complete it. We have been using this in a Suse ES 9 production environment with great success against a Cisco VPN concentrator for remote user authentication.
Radius Config files
Clients.conf
client 127.0.0.1 {
secret = mysecretpassword
shortname = localhost
nastype = other # localhost isn't usually a NAS...
}
client 192.168.XXX.XXX/24 {
secret = mysecretpassword
shortname = internal-network
nastype = other
}
Users
DEFAULT Auth-Type = LDAP
radius.conf
ldap {
server = "ldap.mydomain.lcl"
identity = "cn=Manager,dc=mydomain,dc=lcl"
password = "myldappassword"
basedn = "dc=mydomain,dc=lcl"
#filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
filter = "(&(uid=%u)(SambaMungedDial=bQA6ACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABkAAkAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAA))"
# set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
# The StartTLS operation is supposed to be used with normal
# ldap connections instead of using ldaps (port 689) connections
start_tls = no
#default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
#profile_attribute = "radiusProfileDn"
#access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
# password_header = "{clear}"
# password_attribute = userPassword
# groupname_attribute = cn
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items = yes
# access_attr_used_for_allow = yes
}
Douglas Sterner
Network Analyst
