Hello everyone,
I know this might be considered a bizarre situation, but well... I was just wondering if it's possible to do such a thing.

I'm in a situation now where I can successfully retrieve group membership of users in the Active Directory LDAP tree using rlm_ldap, and check them against files. So if I have a user with the "memberOf" attribute set to groupA and I set the following entry in raddb/users:

    DEFAULT Ldap-Group == "groupA", Auth-Type := Reject
            Reply-Message = "Not Allowed."

I successfully deny access to that user.

Since I'm already using MySQL for storing accounting information, I was really interested in being able to use the same backend (MySQL) also for performing checks against groups. If I perform checks against usernames using the table radcheck they work properly (users retrieved from the LDAP backend); I've tried setting a radcheck entry like the following:

    userA Max-Daily-Session := 7200

and after 2 hours the user is unable to authenticate to the NAS because the time allowed has expired. But I can't seem to be able to do the same thing with the groups.

I've configured sites-enabled/default like this:

    authorize {
        preprocess
        auth_log
        chap
        mschap
        digest
        suffix
        eap {
            ok = return
        }
        files
        ldap
        sql
        expiration
        logintime
        pap
        dailycounter
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        digest
        unix
        Auth-Type LDAP {
            ldap
        }
        eap
    }
    preacct {
        preprocess
        acct_unique
        suffix
        files
    }
    accounting {
        detail
        sql
    }
    session {
        radutmp
    }
    post-auth {
        ldap
        exec
        Post-Auth-Type REJECT {
            # log failed authentications in SQL, too.
            attr_filter.access_reject
        }
    }
    pre-proxy {
    }
    post-proxy {
        eap
    }

radiusd.conf like this:

    prefix = /usr
    exec_prefix = /usr
    sysconfdir = /etc
    localstatedir = /var
    sbindir = ${exec_prefix}/sbin
    logdir = /var/log/freeradius
    raddbdir = /etc/freeradius
    radacctdir = ${logdir}/radacct
    name = freeradius
    confdir = ${raddbdir}
    run_dir = ${localstatedir}/run/${name}
    db_dir = ${raddbdir}
    libdir = /usr/lib/freeradius
    pidfile = ${run_dir}/${name}.pid
    user = freerad
    group = freerad
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    listen {
        type = auth
        ipaddr = *
        port = 0
    }
    listen {
        ipaddr = *
        port = 0
        type = acct
    }
    hostname_lookups = no
    allow_core_dumps = no
    regular_expressions = yes
    extended_expressions = yes
    log {
        destination = files
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
    }
    checkrad = ${sbindir}/checkrad
    security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
    }
    proxy_requests = yes
    $INCLUDE proxy.conf
    $INCLUDE clients.conf
    thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
    }
    modules {
        $INCLUDE ${confdir}/modules/
        $INCLUDE eap.conf
        $INCLUDE sql.conf
        $INCLUDE sql/mysql/counter.conf
    }
    instantiate {
        exec
        expr
        expiration
        logintime
    }

and sql.conf:

    sql {
        database = "mysql"
        driver = "rlm_sql_${database}"
        server = "localhost"
        #port = 3306
        login = "radius"
        password = "<removed>"
        radius_db = "radius"
        acct_table1 = "radacct"
        acct_table2 = "radacct"
        postauth_table = "radpostauth"
        authcheck_table = "radcheck"
        authreply_table = "radreply"
        groupcheck_table = "radgroupcheck"
        groupreply_table = "radgroupreply"
        usergroup_table = "radusergroup"
        deletestalesessions = yes
        sqltrace = no
        sqltracefile = ${logdir}/sqltrace.sql
        num_sql_socks = 5
        connect_failure_retry_delay = 60
        lifetime = 0
        max_queries = 0
        nas_table = "nas"
        $INCLUDE sql/${database}/dialup.conf
        $INCLUDE sql/${database}/counter.conf
    }

Any help is really welcome.

Thanks, and sorry if I couldn't explain myself properly; please correct me.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
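An added example, not from the post or from FreeRADIUS itself, showing how the group tables named in the posted sql.conf fit together: rlm_sql takes a user's group membership from radusergroup (usergroup_table), not from the LDAP memberOf attribute, and radgroupcheck/radgroupreply then hold the same items the files entry and the radcheck row carry. The Python below builds those tables in an in-memory SQLite database with constructed rows and models, in simplified form, the per-group check walk and the dailycounter arithmetic; the column names are the standard FreeRADIUS schema, while the toy clock, the sample sessions and the quota reply text are assumptions.

```python
import sqlite3
# Constructed rows (not from the post): the files entry rewritten as rlm_sql group
# rows, the Max-Daily-Session check moved into radgroupcheck, and radacct sessions
# on a toy clock (seconds) whose current day starts at 0.
SCHEMA = """
CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radgroupcheck (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupreply (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radacct (username TEXT, acctstarttime INTEGER, acctsessiontime INTEGER);
INSERT INTO radusergroup VALUES ('userA','groupA',1), ('userB','groupB',1), ('userC','groupB',1);
INSERT INTO radgroupcheck VALUES ('groupA','Auth-Type',':=','Reject'),
                                 ('groupB','Max-Daily-Session',':=','7200');
INSERT INTO radgroupreply VALUES ('groupA','Reply-Message',':=','Not Allowed.');
INSERT INTO radacct VALUES ('userB',100,3600), ('userB',5000,3600), ('userC',-600,2400);
"""
GROUPS_SQL = "SELECT groupname FROM radusergroup WHERE username = ? ORDER BY priority"
CHECK_SQL = "SELECT attribute, value FROM radgroupcheck WHERE groupname = ?"
REPLY_SQL = "SELECT attribute, value FROM radgroupreply WHERE groupname = ?"

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def seconds_used_today(conn, username, day_start):
    # Same shape as the dailycounter query in counter.conf: only the part of each
    # session lying after day_start counts, so yesterday's sessions add just their overlap.
    sql = ("SELECT COALESCE(SUM(acctsessiontime - MAX(?1 - acctstarttime, 0)), 0) "
           "FROM radacct WHERE username = ?2 AND acctstarttime + acctsessiontime > ?1")
    return conn.execute(sql, (day_start, username)).fetchone()[0]

def authorize(conn, username, day_start=0):
    """Simplified model of rlm_sql group handling plus the daily counter: walk the
    user's groups by priority, apply radgroupcheck, then add radgroupreply items.
    Returns (accepted, reply_attributes)."""
    reply = {}
    for (group,) in conn.execute(GROUPS_SQL, (username,)).fetchall():
        for attr, value in conn.execute(CHECK_SQL, (group,)).fetchall():
            if attr == "Auth-Type" and value == "Reject":
                reply.update(dict(conn.execute(REPLY_SQL, (group,))))
                return False, reply
            if attr == "Max-Daily-Session":
                left = int(value) - seconds_used_today(conn, username, day_start)
                if left <= 0:
                    reply["Reply-Message"] = "Daily quota used up"  # constructed text
                    return False, reply
                reply["Session-Timeout"] = left  # cap the session at the remaining time
        reply.update(dict(conn.execute(REPLY_SQL, (group,))))
    return True, reply
```

With the sample rows, userA is rejected by the group's Auth-Type check, userB has already used the full 7200 s today and is rejected by the counter, and userC (whose session started before midnight) gets a Session-Timeout equal to the time left.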