Fwd: rlm_ldap and group membership

2002-05-06 Thread John

Hello,

This is kind of a long email, but I wanted to give all the information that I think 
YOU(tm) will need.  Unfortunately I'm on a sort of time-crunch to get this up and 
running, so I will try and get as
much information in per message as possible.  I imagine I'll probably get the 
solution in a 1-line reply ( put the line: use-groups = yes into your config and it 
should be good. ;)

Some background info:
We currently are and have been running cistron radius using local
system authentication.  Local system authentication in turn goes
through nss_ldap to reach our ldap servers.  I am now attempting
to upgrade to freeradius in order to use native ldap capabilities.

Our current configuration (both radius and accounting software) relies
upon groups.  For example:

(old cistron style)
DEFAULT Auth-Type = Reject, Group = deletepending
DEFAULT Auth-Type = Reject, Group = emailonly
DEFAULT Auth-Type = System, Group = multilink, Simultaneous-Use = 2
Port-Limit = 2,
Idle-Timeout = 1800

(newer freeradius style)
DEFAULT Group == deletepending, Auth-Type := Reject



I am having trouble configuring freeradius' rlm_ldap module to check for
groups.  It does however bind correctly to the ldap server for user
authentication.  Down below I detailed my thought process in setting this up, as 
well as provided some logs.  So far I have read the docs on freeradius.org, and 
the freeradius-users & freeradius-devel mailing lists (since Aug '99, anything 
with ldap in the subject).  Most information on the list revolves around defining 
the check & reply attributes IN ldap as opposed to the users file.  This is fine, 
and something we may switch over to at some point.  However, all of our existing 
software relies upon membership in groups, and switching that would be too big 
of a task at this time.  The upgrade in freeradius will be one of the first steps 
along this route.

Please read the following info and see if you can spot what I'm doing wrong.  
The configuration looked fairly simple, but I'm obviously missing some crucial 
element.


Version Info:
radiusd: FreeRADIUS Version 0.5, for host i686-pc-linux-gnu, built on May  2 
2002 at 10:28:59


Here is my ldap configuration section:
ldap {
server = localhost
basedn = dc=domain,dc=dom
filter = (uid=%u)
start_tls = no
ldap_connections_number = 5
password_attribute = userPassword
groupname_attribute = cn
groupmembership_filter = (&(objectclass=posixgroup)(memberuid=%u))
timeout = 4
timelimit = 3
net_timeout = 1
}


docs/rlm_ldap provides this query:
#   default: 
(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))

Broken down, this is:
(objectClass=GroupOfNames) AND (member=%{Ldap-UserDn})
 -or-
(objectClass=GroupOfUniqueNames) AND (uniquemember=%{Ldap-UserDn})

This query seems to be for a directory with two types of groups
and group members.  As our org uses one type, I'm dropping one of
the AND conjunctions along with the corresponding OR disjunction.

Our directory does not have either of those objectclasses; we use
objectclass=posixGroup to identify group objects.  Also, instead of
uniquemember, we use memberuid.  The memberuid doesn't point to the
distinguished name of the uid, just the short uid.  So I should want:

(objectclass=posixGroup) AND (memberuid=%u)

Here's an ldif version:

cn=multilink,ou=Group,dc=domain,dc=dom
cn=multilink
userpassword={crypt}x
description=Members have the Port-Limit and Simultaneous-Use RADIUS 
parameter set to 2
gidnumber=1025
objectclass=top
objectclass=posixGroup
memberuid=jhogenmiller


Here are some queries performed to show you things working:

# testjth01
# multilink

# This query is what I think freeradius actually wants, in accordance
# with the docs.
[john@server john]$ ldapsearch -b dc=domain,dc=dom 
'(&(objectclass=posixgroup)(memberuid=testjth01))' cn
cn=multilink,ou=Group,dc=domain,dc=dom
cn=multilink


# testjth01 - search without specifying cn.
# multilink

[john@server john]$ ldapsearch -b dc=domain,dc=dom 
'(&(objectclass=posixgroup)(memberuid=testjth01))'
cn=multilink,ou=Group,dc=domain,dc=dom
cn=multilink
userpassword={crypt}x
description=Members have the Port-Limit and Simultaneous-Use RADIUS 
parameter set to 2
gidnumber=1025
objectclass=top
objectclass=posixGroup
memberuid=jhogenmiller
...
memberuid=testjth01


# testjth02
# multilink, deletepending: deny access

[john@server john]$ ldapsearch -b dc=domain,dc=dom 
'(&(objectclass=posixgroup)(memberuid=testjth02))' cn
cn=deletepending,ou=Group,dc=domain,dc=dom
cn=deletepending

cn=multilink,ou=Group,dc=domain,dc=dom
cn=multilink


=-=-=-=-=-=-=-=-=-=-=-=-=-=

Ok, with all the ldap stuff out of the way, here's what radius does:


(one thing I noticed after some research was that this 
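
The group lookup and users-file logic described in this post, modelled as an added illustration (not code from the thread or from FreeRADIUS): a constructed directory in the shape of the LDIF above, the posixGroup form of the groupmembership_filter built from the login name, and the first-match decision the DEFAULT entries imply. The RFC 4515 escaping of the %u substitution is an addition of this example; the thread does not discuss it.

```python
"""Model of posixGroup membership checks and users-file decisions (constructed)."""
from typing import Dict, List, Optional, Tuple

# Constructed sample directory in the shape of the post's LDIF; the memberuid
# values are stand-ins, not a real export.
DIRECTORY = [
    {"cn": "multilink", "objectclass": ["top", "posixGroup"],
     "memberuid": ["jhogenmiller", "testjth01", "testjth02"]},
    {"cn": "deletepending", "objectclass": ["top", "posixGroup"],
     "memberuid": ["testjth02"]},
]

# users-file entries in the order the post lists them: deny groups first, so a
# user who is in both deletepending and multilink is rejected (first match wins).
USERS_FILE: List[Tuple[str, Dict[str, object]]] = [
    ("deletepending", {"Auth-Type": "Reject"}),
    ("emailonly", {"Auth-Type": "Reject"}),
    ("multilink", {"Auth-Type": "System", "Simultaneous-Use": 2,
                   "Port-Limit": 2, "Idle-Timeout": 1800}),
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of the %u substitution (an addition of this example),
    so a login name containing '*', '(' or ')' cannot widen the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def groupmembership_filter(username: str) -> str:
    """The posixGroup form of rlm_ldap's groupmembership_filter for one user."""
    return "(&(objectclass=posixGroup)(memberuid=%s))" % escape_filter_value(username)


def groups_for(username: str) -> List[str]:
    """What that filter returns: cn of every posixGroup (objectclass values are
    case-insensitive in LDAP) whose memberuid lists the literal login name."""
    return [g["cn"] for g in DIRECTORY
            if any(oc.lower() == "posixgroup" for oc in g["objectclass"])
            and username in g["memberuid"]]


def users_file_decision(username: str) -> Optional[Dict[str, object]]:
    """First DEFAULT entry whose Group check matches wins; None means no entry
    matched and the request is left to the other modules."""
    member_of = set(groups_for(username))
    for group, attrs in USERS_FILE:
        if group in member_of:
            return dict(attrs)
    return None
```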

Re: Fwd: rlm_ldap and group membership

2002-05-06 Thread Kostas Kalevras

On Mon, 6 May 2002, John wrote:

> Hello,
>
> This is kind of a long email, but I wanted to give all the information that I think
> YOU(tm) will need.  Unfortunately I'm on a sort of time-crunch to get this up and
> running, so I will try and get as
> much information in per message as possible.  I imagine I'll probably get the
> solution in a 1-line reply ( put the line: use-groups = yes into your config and it
> should be good. ;)


Well it most probably will :-)
Do you have the unix module in your accounting section? It is needed for the
radwtmp file (although that should be on a module of its own). If yes try
removing it. The unix module has a groupcmp function of its own which
overrides the one registered by the ldap module.

Alan is it ok if I go on and add an Ldap-Group attribute for ldap group
membership?

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Fwd: rlm_ldap and group membership

2002-05-06 Thread John

It was my understanding that this type of check is done in the authorize and the 
authenticate sections.   However, I checked and sure enough I had the unix 
module listed in accounting.  I removed this, restarted the server and had the 
same results (no ldap/group checks).

Just for fun, I threw ldap into accounting and radiusd promptly yelled at me for 
being an idiot.  

I have actually been whittling down my modules per section throughout last week 
attempting to get this to work.  It is well within the realm of possibility that I may 
have removed a module which could interfere with config-debugging efforts.  I 
have pasted my config below your quoted message.

BTW, your comment about adding an Ldap-Group attribute both encourages and 
disturbs me.  What is the status of checking for ldap group membership in 
freeradius (0.5)?

> Well it most probably will :-)
> Do you have the unix module in your accounting section? It is needed for
> the
> radwtmp file (although that should be on a module of it's own). If yes try
> removing it. The unix module has a groupcmp function of it's own which
> overrides the one registered by the ldap module.
>
> Alan is it ok if I go on and add an Ldap-Group attribute for ldap group
> membership?
>
> --
> Kostas Kalevras   Network Operations Center

Section configurations.  I have removed the colorful comments in order to save 
space.  

authorize {
ldap
}
authenticate {
ldap {
  notfound = RETURN
}
}
preacct {
suffix
files
preprocess
}
accounting {
detail
radutmp
}
session {
radutmp
}


John Hogenmiller, kb3dfz
Systems Administrator, Pennswoods.net
1(877)897-4883 x 592
---
Wouldn't the sentence I want to put a hyphen between the words Fish
and And and And and Chips in my Fish-And-Chips sign have been clearer if
quotation marks had been placed before Fish, and between Fish and and, and
and and And, and And and and, and and and And, and And and and, and and 
and Chips, as well as after Chips?




Re: Fwd: rlm_ldap and group membership

2002-05-06 Thread Kostas Kalevras

On Mon, 6 May 2002, John wrote:

> It was my understanding that this type of check is done in the authorize and the
> authenticate sections.

Not really, the modules register a groupcmp function which can be used by the
server and other modules.

> However, I checked and sure enough I had the unix
> module listed in accounting.  I removed this, restarted the server and had the
> same results (no ldap/group checks).
>
> Just for fun, I threw ldap into accounting and radiusd promptly yelled at me for
> being an idiot.
>
> I have actually been whittling down my modules per section throughout last week
> attempting to get this work.  It is well within the realm of possibility that I may
> have removed a module which could interfere with config-debugging efforts.  I
> have pasted my config below your quoted message.

Yes you have. The files module from the authorize section. That is the module
responsible for 'running' the users file where the group checks are done.


> BTW, your comment about adding an Ldap-Group attribute both encourages and
> disturbs me.  What is the status of checking for ldap group membership if
> freeradius (0.5)?

Working just fine. I just checked it. The Ldap-Group attribute will be added in
order to not have each module override the other.


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf





Re: Fwd: rlm_ldap and group membership

2002-05-06 Thread Alan DeKok

Kostas Kalevras [EMAIL PROTECTED] wrote:
> Alan is it ok if I go on and add an Ldap-Group attribute for ldap group
> membership?

  Sounds good to me.

  Alan DeKok.
