I've got an LDAP database which works with PAM and uses PosixAccounts to describe users. It uses the authorizedService attribute to specify which services the user is
allowed to log into.

I've configured freeradius to map authorizedService -> Service-Type and have set
up Service-Type as a check attribute.

I'm running:
(radiusd: FreeRADIUS Version 1.1.3, for host i686-pc-linux-gnu, built on Oct 10 2006 at 13:13:55)

For example, say user foo has:

dn: uid=foo, ou=people, dc=zone, dc=example, dc=com
...
authorizedService: sshd
authorizedService: vpn
authorizedService: xdm
...

I would like this user to succeed authenticating against RADIUS if Service-Type in the request matches sshd, vpn, or xdm, but not if it contains anything else.

Is there a way to set up this comparison in freeradius?

I've read the FAQ, but I haven't found a way to do this. I've included debug output below, just in case. Any help, especially a specific set of "put this in x configuration file here
and it should work" type help, is greatly appreciated.

Thanks,

Owen


Test authentication command (the username, password, and domain name have been replaced to preserve the anonymity of the implementation in question):

In this case, user foo has authorizedService attributes with the following values:
        passwd
        login
        sshd
        xdm
        gdm
        sudo
        su

(echo "User-Name = foo" ; echo "User-Password = xyzzy"; echo "Service-Type = sshd" ) | \
                radclient localhost auth testing123

results in:
rad_recv: Access-Request packet from host 127.0.0.1:32772, id=37, length=50
        User-Name = "foo"
        User-Password = "xyzzy"
        Service-Type = sshd
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "foo", looking up realm NULL
    rlm_realm: Found realm "NULL"
    rlm_realm: Adding Stripped-User-Name = "foo"
    rlm_realm: Proxying request from user owen to realm NULL
    rlm_realm: Adding Realm = "NULL"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for foo
radius_xlat:  '(uid=foo)'
radius_xlat:  'ou=people,dc=zone,dc=example,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=zone,dc=example,dc=com, with filter (uid=foo)
rlm_ldap: checking if remote access for owen is allowed by authorizedService
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding authorizedService as Service-Type, value passwd & op=21
rlm_ldap: Adding authorizedService as Service-Type, value login & op=21
rlm_ldap: Adding authorizedService as Service-Type, value sshd & op=21
rlm_ldap: Adding authorizedService as Service-Type, value xdm & op=21
rlm_ldap: Adding authorizedService as Service-Type, value gdm & op=21
rlm_ldap: Adding authorizedService as Service-Type, value sudo & op=21
rlm_ldap: Adding authorizedService as Service-Type, value su & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user foo authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type ldap
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "foo" with password "xyzzy"
rlm_ldap: user DN: uid=foo,ou=people,dc=zone,dc=example,dc=com
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=foo,ou=people,dc=zone,dc=example,dc=com/xyzzy to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user owen authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 0
modcall: leaving group LDAP (returns ok) for request 0
Sending Access-Accept of id 37 to 127.0.0.1 port 32772
Finished request 0
Going to the next request
--- Walking the entire request list ---
Received response ID 37, code 2, length = 20
Waking up in 6 seconds...

Which is correct.  However, because the following does not fail:

(echo "User-Name = foo" ; echo "User-Password = xyzzy"; echo "Service-Type = vpn" ) | \
                radclient localhost auth testing123

I suspect it's just that anything succeeds whether it matches or not.

Here is the debug output for the VPN test:

rad_recv: Access-Request packet from host 127.0.0.1:32772, id=39, length=50
        User-Name = "foo"
        User-Password = "xyzzy"
        Service-Type = vpn
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "foo", looking up realm NULL
    rlm_realm: Found realm "NULL"
    rlm_realm: Adding Stripped-User-Name = "foo"
    rlm_realm: Proxying request from user foo to realm NULL
    rlm_realm: Adding Realm = "NULL"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for foo
radius_xlat:  '(uid=foo)'
radius_xlat:  'ou=people,dc=zone,dc=example,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=zone,dc=example,dc=com, with filter (uid=foo)
rlm_ldap: checking if remote access for foo is allowed by authorizedService
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding authorizedService as Service-Type, value passwd & op=21
rlm_ldap: Adding authorizedService as Service-Type, value login & op=21
rlm_ldap: Adding authorizedService as Service-Type, value sshd & op=21
rlm_ldap: Adding authorizedService as Service-Type, value xdm & op=21
rlm_ldap: Adding authorizedService as Service-Type, value gdm & op=21
rlm_ldap: Adding authorizedService as Service-Type, value sudo & op=21
rlm_ldap: Adding authorizedService as Service-Type, value su & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user foo authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
  rad_check_password:  Found Auth-Type ldap
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 1
rlm_ldap: - authenticate
rlm_ldap: login attempt by "foo" with password "xyzzy"
rlm_ldap: user DN: uid=foo,ou=people,dc=zone,dc=example,dc=com
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=foo,ou=people,dc=zone,dc=example,dc=com/ n0t4u2c! to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user foo authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 1
modcall: leaving group LDAP (returns ok) for request 1
Sending Access-Accept of id 39 to 127.0.0.1 port 32772
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
Received response ID 39, code 2, length = 20

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
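As an added example (not part of Owen's post and not FreeRADIUS code): a small Python checker that reads a `radiusd -X` debug transcript, pulls out the request's Service-Type and the Service-Type check items rlm_ldap built from the directory entry, and compares the verdict the server actually sent with what the intended policy ("accept only if the requested service is one of the user's authorizedService values") would give. The two transcripts embedded below are constructed, trimmed copies of the sshd and vpn runs quoted above; the log line formats are taken from the post, while the function names and the masking of User-Password are my own choices. Run over both, it flags the vpn run as a mismatch: Access-Accept was sent where the policy says Access-Reject.

```python
import re

# Constructed excerpt of the sshd debug run quoted in the post:
# request attributes, the rlm_ldap check-item lines, and the final verdict.
DEBUG_SSHD = """\
rad_recv: Access-Request packet from host 127.0.0.1:32772, id=37, length=50
        User-Name = "foo"
        User-Password = "xyzzy"
        Service-Type = sshd
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding authorizedService as Service-Type, value passwd & op=21
rlm_ldap: Adding authorizedService as Service-Type, value login & op=21
rlm_ldap: Adding authorizedService as Service-Type, value sshd & op=21
rlm_ldap: Adding authorizedService as Service-Type, value xdm & op=21
rlm_ldap: Adding authorizedService as Service-Type, value gdm & op=21
rlm_ldap: Adding authorizedService as Service-Type, value sudo & op=21
rlm_ldap: Adding authorizedService as Service-Type, value su & op=21
Sending Access-Accept of id 37 to 127.0.0.1 port 32772
"""

# The vpn run differs only in the request id and the requested Service-Type.
DEBUG_VPN = (DEBUG_SSHD.replace("id=37", "id=39")
                       .replace("id 37", "id 39")
                       .replace("Service-Type = sshd", "Service-Type = vpn"))

# Line shapes as they appear in the FreeRADIUS 1.x debug output above.
REQUEST_ATTR = re.compile(r'^\s+([\w-]+)\s*=\s*"?([^"]*?)"?\s*$')
CHECK_ITEM = re.compile(r'^rlm_ldap: Adding (\S+) as (\S+), value (\S+) & op=(\d+)\s*$')
VERDICT = re.compile(r'^Sending (Access-\w+) of id (\d+)')


def parse_request(debug):
    """Return the attributes of the rad_recv block; the cleartext password
    that -X prints is masked so the report can be shared safely."""
    attrs = {}
    in_packet = False
    for line in debug.splitlines():
        if line.startswith("rad_recv:"):
            in_packet = True
            continue
        if in_packet:
            m = REQUEST_ATTR.match(line)
            if not m:
                in_packet = False  # first non-indented line ends the packet dump
                continue
            name, value = m.groups()
            attrs[name] = "<masked>" if name == "User-Password" else value
    return attrs


def parse_check_items(debug):
    """Collect the (radius_attr, value, op) check items rlm_ldap built."""
    items = []
    for line in debug.splitlines():
        m = CHECK_ITEM.match(line)
        if m:
            _ldap_attr, radius_attr, value, op = m.groups()
            items.append((radius_attr, value, int(op)))
    return items


def intended_verdict(debug, attr="Service-Type"):
    """The policy asked for in the post: accept only if the requested value
    is one of the values the directory lists for this user."""
    requested = parse_request(debug).get(attr)
    allowed = {v for a, v, _ in parse_check_items(debug) if a == attr}
    return "Access-Accept" if requested in allowed else "Access-Reject"


def logged_verdict(debug):
    """What the server actually sent, from the 'Sending ...' line."""
    for line in debug.splitlines():
        m = VERDICT.match(line)
        if m:
            return m.group(1)
    return None


def audit(debug):
    """Compare the server's verdict with the intended policy."""
    intended, logged = intended_verdict(debug), logged_verdict(debug)
    return {"requested": parse_request(debug).get("Service-Type"),
            "intended": intended, "logged": logged,
            "mismatch": intended != logged}


if __name__ == "__main__":
    for name, dbg in (("sshd", DEBUG_SSHD), ("vpn", DEBUG_VPN)):
        print(name, audit(dbg))
```

The checker only reads the transcript; it does not reproduce how the server evaluates several check items for the same attribute, so a mismatch means "the verdict does not match the policy you wanted", which is exactly the symptom to bring to the list along with the configuration.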