Hi,
I'm new to freeradius (3 weeks experience) and mailing lists (second attempt) 
so please have patience.
I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured to 
authenticate against Active Directory using ntlm-auth.
All working OK.
Now I'm trying to return different reply attributes depending on Active 
Directory group membership and restrict which groups can authenticate. LDAP 
lookups against the Active Directory root fail with an operation error. 
Reconfiguring Active Directory is not a viable option, so I have to specify an 
OU=xxxx in the query. I have configured two instances of the ldap module for 
authorisation, one to query the staff OU and the other to query the student OU. 
Both work OK for valid queries, but if the user does not exist in the OU the 
server still authenticates the username/password and grants access if valid. 
Relevant debug output:

rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=stafftest)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap_student" returns notfound for request 8
modcall: leaving group student (returns notfound) for request 8
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
  rlm_eap: Request found, released from the list

...............................

 rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap: Success
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 8
modcall: leaving group authenticate (returns ok) for request 8
Sending Access-Accept of id 104 to 10.127.240.217 port 1645
Relevant bits of radiusd.conf:

        ldap ldap_student {
                server = "server.hud.ac.uk"
                identity = "cn=user,ou=Specials,ou=Staff,dc=ad,dc=hud,dc=ac,dc=uk"
                password = secret
                port = 636
                basedn = "ou=students, dc=ad, dc=hud, dc=ac, dc=uk"
                filter = "(sAMAccountName=%{mschap:User-Name:-%{User-Name}})"
                start_tls = no

                access_attr = "dialupAccess"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                groupname_attribute = cn
                groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
                groupmembership_attribute = radiusGroupName
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }

........................................

instantiate {
        exec
        expr
        ldap_staff
        ldap_student
}

authorize {
        preprocess
        mschap
        suffix
        eap
        Autz-Type staff {
                ldap_staff
        }
        Autz-Type student {
                ldap_student
        }
        files
}

authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
        eap
}

I want to reject the user if they are not in the relevant OU. I must be missing 
something obvious. Can anyone help please?

Thanks in advance,
Leighton
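Added example, not part of Leighton's post or of any reply on the list: in FreeRADIUS 1.x a module's return code is not fatal by default (which is why request 8 above continues to the authenticate section after ldap_student returns notfound), but each module call in a section may carry a return-code override block. Assuming the Autz-Type attribute is already being set exactly as in the post, an authorize section that turns a notfound (or a failed search) from the ldap instance into a reject looks like this:

```conf
authorize {
        preprocess
        mschap
        suffix
        eap
        # Return-code overrides: a notfound from the ldap instance is
        # normally non-fatal, so turn it into a reject for this group.
        Autz-Type staff {
                ldap_staff {
                        notfound = reject
                        fail = reject
                }
        }
        Autz-Type student {
                ldap_student {
                        notfound = reject
                        fail = reject
                }
        }
        files
}
```

With this in place the debug output for a user missing from the OU should show "module ldap_student returns reject" followed by an Access-Reject instead of continuing into the authenticate section.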

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html