On 06.03.2009 at 12:20, Leighton Man wrote:
Hi,
I'm new to freeradius (3 weeks experience) and mailing lists
(second attempt) so please have patience.
I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured
to authenticate against Active Directory using ntlm-auth.
All working OK.
Now I'm trying to return different reply attributes depending on
Active Directory group membership and restrict which groups can
authenticate. Ldap lookups against the active directory root fail
with operation error. Reconfiguring Active Directory is not a
viable option so I have to specify an OU=xxxx in the query. I have
configured two instances of the ldap module for authorisation, one
to query the staff ou and the other to query the student ou. Both
work OK for valid queries but if the user does not exist in the ou
the server still authenticates the username/password and grants
access if valid. Relevant debug output:
rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=stafftest)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap_student" returns notfound for request 8
modcall: leaving group student (returns notfound) for request 8
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Request found, released from the list
...............................
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Success
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 8
modcall: leaving group authenticate (returns ok) for request 8
Sending Access-Accept of id 104 to 10.127.240.217 port 1645
Relevant bits of radiusd.conf:
ldap ldap_student {
server = "server.hud.ac.uk"
identity = "cn=user,ou=Specials,ou=Staff,dc=ad,dc=hud,dc=ac,dc=uk"
password = secret
Try using := instead of = or ==. You have to assign the password, not compare to it. Also, perhaps you should use Cleartext-Password if the password is in the clear here.
port = 636
basedn = "ou=students, dc=ad, dc=hud, dc=ac, dc=uk"
filter = "(sAMAccountName=%{mschap:User-Name:-%{User-Name}})"
start_tls = no
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
}
........................................
instantiate {
exec
expr
ldap_staff
ldap_student
}
authorize {
preprocess
mschap
suffix
eap
Autz-Type staff {
ldap_staff
}
Autz-Type student {
ldap_student
}
files
}
authenticate {
Auth-Type MS-CHAP {
mschap
}
eap
}
I want to reject the user if they are not in the relevant ou. I
must be missing something obvious. Can anyone help please?
Thanks in advance,
Leighton
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Nicolas Goutte
extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany
Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Registration court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
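The behaviour in the debug output follows from the default return-code actions of the authorize section: a module returning "notfound" does not stop processing, so the request falls through to "files", Auth-Type EAP is already set, and the tunneled MS-CHAPv2 exchange succeeds against AD regardless of the LDAP result. The fragment below is an added example, not configuration from either message in this thread. It assumes the per-module return-code override syntax of FreeRADIUS 1.x (documented in doc/configurable_failover of that release series) and keeps the poster's module names and Autz-Type values; nothing about the ldap module instances themselves is changed. Note also that in rlm_ldap the identity/password pair is the bind DN and bind password of the LDAP connection, not a check item, so the users-file operators := and == do not apply to that line.

```conf
# Added example (not from the original post or reply): authorize section
# for FreeRADIUS 1.x in which a "notfound" result from the per-OU ldap
# instance is turned into a reject instead of falling through to "files".
# Module names (ldap_staff, ldap_student) and Autz-Type values (staff,
# student) are the poster's; the override lines are the only change.
authorize {
	preprocess
	mschap
	suffix
	eap

	# Only runs when Autz-Type := staff has been set for the request
	# (the debug output shows the Autz-Type groups are already selected).
	Autz-Type staff {
		ldap_staff {
			# sAMAccountName not found under the staff basedn:
			# stop here with Access-Reject rather than continuing.
			notfound = reject
		}
	}

	# Only runs when Autz-Type := student has been set for the request.
	Autz-Type student {
		ldap_student {
			# sAMAccountName not found under ou=students:
			# stop here with Access-Reject rather than continuing.
			notfound = reject
		}
	}

	files
}
```

With this in place the debug line "module "ldap_student" returns notfound" is followed by the authorize section returning reject, and the Access-Accept for stafftest in the student group is no longer sent. A "fail" result (LDAP server unreachable, bind failure) already stops authorize with a reject under the default actions, so it needs no override. One thing to check before relying on the group-membership part of the plan: Active Directory groups are objectClass=group with a "member" attribute, so a groupmembership_filter that only matches GroupOfNames and GroupOfUniqueNames will not see AD groups; an assumption for the next step, not something shown in the posted debug output.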