Fwd: rlm_ldap and group membership
Hello,

This is kind of a long email, but I wanted to give all the information that I think YOU(tm) will need. Unfortunately I'm on a sort of time-crunch to get this up and running, so I will try and get as much information in per message as possible. I imagine I'll probably get the solution in a 1-line reply ("put the line: use-groups = yes into your config and it should be good." ;)

Some background info:

We currently are and have been running cistron radius using local system authentication. Local system authentication in turn goes through nss_ldap to reach our ldap servers. I am now attempting to upgrade to freeradius in order to use native ldap capabilities. Our current configuration (both radius and accounting software) relies upon groups. For example:

(old cistron style)

    DEFAULT Auth-Type = Reject, Group = deletepending
    DEFAULT Auth-Type = Reject, Group = emailonly
    DEFAULT Auth-Type = System, Group = multilink, Simultaneous-Use = 2
            Port-Limit = 2,
            Idle-Timeout = 1800

(newer freeradius style)

    DEFAULT Group == deletepending, Auth-Type := Reject

I am having trouble configuring freeradius' rlm_ldap module to check for groups. It does however bind correctly to the ldap server for user authentication. Down below I detailed my thought process in setting this up, as well as provided some logs.

So far I have read the docs on freeradius.org, and the freeradius-users and freeradius-devel mailing lists (since Aug '99, anything with ldap in the subject). Most information on the list revolves around defining the check/reply attributes IN ldap as opposed to the users file. This is fine, and something we may switch over to at some point. However, all of our existing software relies upon membership in groups, and switching that would be too big of a task at this time. The upgrade in freeradius will be one of the first steps along this route.

Please read the following info and see if you can spot what I'm doing wrong. The configuration looked fairly simple, but I'm obviously missing some crucial element.

Version Info:

    radiusd: FreeRADIUS Version 0.5, for host i686-pc-linux-gnu, built on May 2 2002 at 10:28:59

Here is my ldap configuration section:

    ldap {
        server = localhost
        basedn = dc=domain,dc=dom
        filter = (uid=%u)
        start_tls = no
        ldap_connections_number = 5
        password_attribute = userPassword
        groupname_attribute = cn
        groupmembership_filter = (&(objectclass=posixgroup)(memberuid=%u))
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }

docs/rlm_ldap provide this query:

    # default: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))

Broken down, this is:

    (objectClass=GroupOfNames) AND (member=%{Ldap-UserDn})
    -or-
    (objectClass=GroupOfUniqueNames) AND (uniquemember=%{Ldap-UserDn})

This query seems to be for a directory with two types of groups and group members. As our org uses one type, I'm dropping one of the AND conjunctions along with the corresponding OR disjunction. Our directory does not have either of those objectclasses; we use objectclass=posixgroup to identify group objects. Also, instead of uniquemember, we use memberuid. The memberuid doesn't point to the distinguished name of the uid, just the short uid. So I should want:

    (objectclass=posixGroup) AND (memberuid=%u)

Here's an ldif version:

    cn=multilink,ou=Group,dc=domain,dc=dom
    cn=multilink
    userpassword={crypt}x
    description=Members have the Port-Limit and Simultaneous-Use RADIUS parameter set to 2
    gidnumber=1025
    objectclass=top
    objectclass=posixGroup
    memberuid=jhogenmiller

Here are some queries performed to show you things working:

    # testjth01
    # multilink
    # This query is what I think freeradius actually wants, in accordance
    # with the docs.
    [john@server john]$ ldapsearch -b dc=domain,dc=dom '(&(objectclass=posixgroup)(memberuid=testjth01))' cn
    cn=multilink,ou=Group,dc=domain,dc=dom
    cn=multilink

    # testjth01 - search without specifying cn.
    # multilink
    [john@server john]$ ldapsearch -b dc=domain,dc=dom '(&(objectclass=posixgroup)(memberuid=testjth01))'
    cn=multilink,ou=Group,dc=domain,dc=dom
    cn=multilink
    userpassword={crypt}x
    description=Members have the Port-Limit and Simultaneous-Use RADIUS parameter set to 2
    gidnumber=1025
    objectclass=top
    objectclass=posixGroup
    memberuid=jhogenmiller
    ...
    memberuid=testjth02

    # testjth02
    # multilink, deletepending: deny access
    [john@server john]$ ldapsearch -b dc=domain,dc=dom '(&(objectclass=posixgroup)(memberuid=testjth02))' cn
    cn=deletepending,ou=Group,dc=domain,dc=dom
    cn=deletepending
    cn=multilink,ou=Group,dc=domain,dc=dom
    cn=multilink

=-=-=-=-=-=-=-=-=-=-=-=-=-=

Ok, with all the ldap stuff out of the way, here's what radius does: (one thing I noticed after some research was that this
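An added example, not the poster's configuration or FreeRADIUS code, that evaluates the two groupmembership_filter variants discussed above against a small constructed posixGroup directory, to show why the docs' GroupOfNames default returns nothing here while the posixGroup/memberuid filter returns the expected groups. The filter evaluator, the directory contents and the uid=...,ou=People user DN layout are all assumptions.

```python
# Constructed sample directory modelled on the LDIF in the mail (not real data).
DIRECTORY = {
    "cn=multilink,ou=Group,dc=domain,dc=dom": {
        "objectclass": ["top", "posixGroup"], "cn": ["multilink"],
        "memberuid": ["jhogenmiller", "testjth01", "testjth02"]},
    "cn=deletepending,ou=Group,dc=domain,dc=dom": {
        "objectclass": ["top", "posixGroup"], "cn": ["deletepending"],
        "memberuid": ["testjth02"]},
}

# The docs/rlm_ldap default filter and the posixGroup filter from the mail.
DEFAULT_FILTER = ("(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
                  "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))")
POSIX_FILTER = "(&(objectclass=posixGroup)(memberuid=%u))"

def expand(template, user):
    """Expand the two rlm_ldap placeholders used in the thread (DN layout assumed)."""
    user_dn = "uid=%s,ou=People,dc=domain,dc=dom" % user
    return template.replace("%u", user).replace("%{Ldap-UserDn}", user_dn)

def parse(s, i=0):
    """Parse one parenthesised filter starting at s[i]; return (node, next index)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    if s[i + 1] in "&|":                      # (&...) / (|...) holding sub-filters
        op, i, kids = s[i + 1], i + 2, []
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1              # skip the closing ')'
    end = s.index(")", i)
    attr, value = s[i + 1:end].split("=", 1)  # equality match: attr=value
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Attribute names are case-insensitive in LDAP; values are treated so here."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    return node[2] in [v.lower() for v in entry.get(node[1], [])]

def group_names(filter_template, user):
    """Return the cn of every group entry matching the expanded filter."""
    node, _ = parse(expand(filter_template, user))
    return sorted(e["cn"][0] for e in DIRECTORY.values() if matches(node, e))

if __name__ == "__main__":
    for user in ("testjth01", "testjth02"):
        print(user, group_names(POSIX_FILTER, user), group_names(DEFAULT_FILTER, user))
```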
Re: Fwd: rlm_ldap and group membership
On Mon, 6 May 2002, John wrote:

> Hello, This is kind of a long email, but I wanted to give all the information that I think YOU(tm) will need. Unfortunately I'm on a sort of time-crunch to get this up and running, so I will try and get as much information in per message as possible. I imagine I'll probably get the solution in a 1-line reply ("put the line: use-groups = yes into your config and it should be good." ;)

Well it most probably will :-)

Do you have the unix module in your accounting section? It is needed for the radwtmp file (although that should be on a module of its own). If yes try removing it. The unix module has a groupcmp function of its own which overrides the one registered by the ldap module.

Alan is it ok if I go on and add an Ldap-Group attribute for ldap group membership?

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Fwd: rlm_ldap and group membership
It was my understanding that this type of check is done in the authorize and the authenticate sections. However, I checked and sure enough I had the unix module listed in accounting. I removed this, restarted the server and had the same results (no ldap/group checks). Just for fun, I threw ldap into accounting and radiusd promptly yelled at me for being an idiot.

I have actually been whittling down my modules per section throughout last week attempting to get this to work. It is well within the realm of possibility that I may have removed a module which could interfere with config-debugging efforts. I have pasted my config below your quoted message.

BTW, your comment about adding an Ldap-Group attribute both encourages and disturbs me. What is the status of checking for ldap group membership in freeradius (0.5)?

> Well it most probably will :-)
>
> Do you have the unix module in your accounting section? It is needed for the radwtmp file (although that should be on a module of its own). If yes try removing it. The unix module has a groupcmp function of its own which overrides the one registered by the ldap module.
>
> Alan is it ok if I go on and add an Ldap-Group attribute for ldap group membership?
>
> --
> Kostas Kalevras
> Network Operations Center

Section configurations. I have removed the colorful comments in order to save space.

    authorize {
        ldap
    }
    authenticate {
        ldap {
            notfound = RETURN
        }
    }
    preacct {
        suffix
        files
        preprocess
    }
    accounting {
        detail
        radutmp
    }
    session {
        radutmp
    }

John Hogenmiller, kb3dfz
Systems Administrator, Pennswoods.net
1(877)897-4883 x 592
---
Wouldn't the sentence "I want to put a hyphen between the words Fish and And and And and Chips in my Fish-And-Chips sign" have been clearer if quotation marks had been placed before Fish, and between Fish and and, and and and And, and And and and, and and and And, and And and and, and and and Chips, as well as after Chips?
Re: Fwd: rlm_ldap and group membership
On Mon, 6 May 2002, John wrote:

> It was my understanding that this type of check is done in the authorize and the authenticate sections.

Not really, the modules register a groupcmp function which can be used by the server and other modules.

> However, I checked and sure enough I had the unix module listed in accounting. I removed this, restarted the server and had the same results (no ldap/group checks). Just for fun, I threw ldap into accounting and radiusd promptly yelled at me for being an idiot.
>
> I have actually been whittling down my modules per section throughout last week attempting to get this to work. It is well within the realm of possibility that I may have removed a module which could interfere with config-debugging efforts. I have pasted my config below your quoted message.

Yes you have. The files module from the authorize section. That is the module responsible for 'running' the users file where the group checks are done.

> BTW, your comment about adding an Ldap-Group attribute both encourages and disturbs me. What is the status of checking for ldap group membership in freeradius (0.5)?

Working just fine. I just checked it. The Ldap-Group attribute will be added in order to not have each module override the other.

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf

>> Well it most probably will :-)
>>
>> Do you have the unix module in your accounting section? It is needed for the radwtmp file (although that should be on a module of its own). If yes try removing it. The unix module has a groupcmp function of its own which overrides the one registered by the ldap module.
>>
>> Alan is it ok if I go on and add an Ldap-Group attribute for ldap group membership?
>>
>> --
>> Kostas Kalevras
>> Network Operations Center
>
> Section configurations. I have removed the colorful comments in order to save space.
>     authorize {
>         ldap
>     }
>     authenticate {
>         ldap {
>             notfound = RETURN
>         }
>     }
>     preacct {
>         suffix
>         files
>         preprocess
>     }
>     accounting {
>         detail
>         radutmp
>     }
>     session {
>         radutmp
>     }
>
> John Hogenmiller, kb3dfz
> Systems Administrator, Pennswoods.net
> 1(877)897-4883 x 592
> ---
> Wouldn't the sentence "I want to put a hyphen between the words Fish and And and And and Chips in my Fish-And-Chips sign" have been clearer if quotation marks had been placed before Fish, and between Fish and and, and and and And, and And and and, and and and And, and And and and, and and and Chips, as well as after Chips?
Re: Fwd: rlm_ldap and group membership
Kostas Kalevras [EMAIL PROTECTED] wrote:

> Alan is it ok if I go on and add an Ldap-Group attribute for ldap group membership?

Sounds good to me.

Alan DeKok.