The scoop is I'm using FreeRADIUS 1.1.3 under RHEL/CentOS 5.2 and I'm trying to get authentication working so FreeRADIUS will authenticate a user ONLY if they are in a certain LDAP group. In this case that group is called 'it'.
Where I am at now is that whether the user is in or out of the 'it' group, the authentication goes through OK (depending on whether the password is correct, of course). I would like the authentication to fail if the password is correct BUT the user is not in a certain ('it') group. Here are my config snippets:

========= /etc/raddb/users ===========

DEFAULT Auth-Type = LDAP
        Fall-Through = 1

DEFAULT LDAP-Group == it
        Service-Type = Administrative-User

========= /etc/raddb/radiusd.conf ===========

ldap {
        server = "192.168.150.140"
        identity = "uid=admin,ou=People,dc=acme,dc=com"
        password = "BadPass"
        basedn = "dc=acme,dc=com"
        filter = "(uid=%u)"
        # base_filter = "(objectclass=radiusprofile)"
        start_tls = no
        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        access_attr = uid
        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        groupname_attribute = cn
        groupmembership_filter = "(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
        groupmembership_attribute = it
        timeout = 4
        timelimit = 3
        net_timeout = 1
        compare_check_items = yes
        # do_xlat = yes
        access_attr_used_for_allow = yes
}

====== Output when user is OUT of the 'it' group ======

rad_recv: Access-Request packet from host 127.0.0.1:32770, id=213, length=59
        User-Name = "vpntest"
        User-Password = "ChangeMeToo"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 10
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "vpntest", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 1
    users: Matched entry DEFAULT at line 152
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'dc=acme,dc=com'
radius_xlat: '(uid=vpntest)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=acme,dc=com, with filter (uid=vpntest)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat: '(&(objectClass=GroupOfNames)(member=uid\3dvpntest\2cou\3dPeople\2cdc\3dacme\2cdc\3dcom))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=acme,dc=com, with filter (&(cn=it)(&(objectClass=GroupOfNames)(member=uid\3dvpntest\2cou\3dPeople\2cdc\3dacme\2cdc\3dcom)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=vpntest,ou=People,dc=acme,dc=com, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
  rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 1
rlm_ldap: - authenticate
rlm_ldap: login attempt by "vpntest" with password "ChangeMeToo"
rlm_ldap: user DN: uid=vpntest,ou=People,dc=acme,dc=com
rlm_ldap: (re)connect to 192.168.150.140:389, authentication 1
rlm_ldap: bind as uid=vpntest,ou=People,dc=acme,dc=com/ChangeMeToo to 192.168.150.140:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user vpntest authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 1
modcall: leaving group LDAP (returns ok) for request 1
Sending Access-Accept of id 213 to 127.0.0.1 port 32770
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 213 with timestamp 4aa7438c
Nothing to do. Sleeping until we see a request.

====== Output when user is IN the 'it' group ======

rad_recv: Access-Request packet from host 127.0.0.1:32770, id=220, length=59
        User-Name = "vpntest"
        User-Password = "ChangeMeToo"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 10
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '@' in User-Name = "vpntest", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 2
    users: Matched entry DEFAULT at line 152
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'dc=acme,dc=com'
radius_xlat: '(uid=vpntest)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=acme,dc=com, with filter (uid=vpntest)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat: '(&(objectClass=GroupOfNames)(member=uid\3dvpntest\2cou\3dPeople\2cdc\3dacme\2cdc\3dcom))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=acme,dc=com, with filter (&(cn=it)(&(objectClass=GroupOfNames)(member=uid\3dvpntest\2cou\3dPeople\2cdc\3dacme\2cdc\3dcom)))
rlm_ldap::ldap_groupcmp: User found in group it
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 155
  modcall[authorize]: module "files" returns ok for request 2
modcall: leaving group authorize (returns ok) for request 2
  rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 2
rlm_ldap: - authenticate
rlm_ldap: login attempt by "vpntest" with password "ChangeMeToo"
rlm_ldap: user DN: uid=vpntest,ou=People,dc=acme,dc=com
rlm_ldap: (re)connect to 192.168.150.140:389, authentication 1
rlm_ldap: bind as uid=vpntest,ou=People,dc=acme,dc=com/ChangeMeToo to 192.168.150.140:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user vpntest authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 2
modcall: leaving group LDAP (returns ok) for request 2
Sending Access-Accept of id 220 to 127.0.0.1 port 32770
        Service-Type = Administrative-User
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 220 with timestamp 4aa743f8
Nothing to do. Sleeping until we see a request.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
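Added example, not part of the original post: the debug output above shows why both requests are accepted. The first DEFAULT entry sets Auth-Type = LDAP for every user and falls through, so the LDAP bind alone decides the outcome, and the LDAP-Group entry only adds a reply attribute when it matches. The conventional FreeRADIUS 1.x way to turn the group check into a gate is to attach Auth-Type to the group match and end the users file with an explicit reject; the Reply-Message text below is made up.

```text
# /etc/raddb/users -- group membership as a gate, not a decoration

# Members of the 'it' group: authenticate against LDAP and receive the
# administrative Service-Type. No Fall-Through, so a match stops here.
DEFAULT LDAP-Group == "it", Auth-Type := LDAP
        Service-Type = Administrative-User

# Everyone else: rejected in authorize, before any LDAP bind is attempted.
DEFAULT Auth-Type := Reject
        Reply-Message = "Not a member of the required group"
```

With this layout the out-of-group request above would log the ldap_groupcmp() miss, skip the first entry, match the second, and return Access-Reject without ever reaching the authenticate section.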