Re: Authorization via LDAP & Authentication via PAM
On Wed, 29 May 2002, Michael Fuller wrote:

> Hi all,
>
> I am trying to get both authentication and authorisation through LDAP. While
> authentication works, authorisation still evades me. Ideas anybody?
>
> Regards,
> Michael Fuller

authorize{
	files
	ldap
}

What is the problem you are facing? Send debugging logs showing where your
problem is.

--
Kostas Kalevras		Network Operations Center
[EMAIL PROTECTED]	National Technical University of Athens, Greece
Work Phone:		+30 10 7721861
'Go back to the shadow'	Gandalf

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authorization via LDAP & Authentication via PAM
Hi all,

I am trying to get both authentication and authorisation through LDAP. While
authentication works, authorisation still evades me. Ideas anybody?

Regards,
Michael Fuller

----- Original Message -----
From: "Kostas Kalevras" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, May 28, 2002 5:14 PM
Subject: Re: Authorization via LDAP & Authentication via PAM

> On Tue, 28 May 2002, Allister Maguire wrote:
>
> > Hello,
> >
> > I have got this working by setting:
> >
> > DEFAULT Auth-Type := pam
> >         Fall-Through = 1
> >
> > In the users file.
> >
> > I also want to restrict dialin access to certain ldap users, so I
> > changed the ldap filter:
> >
> > filter = "(&(uid=%u)(msNPAllowDialin=TRUE))"
> >
> > In the ldap {} module.
> >
> > Only problem is if I set msNPAllowDialin=FALSE, they still get a
> > Access-Accept because the files, pam module return ok (I think).
>
> You could also use the access_attr configuration directive. Then the module will
> return reject (well actually userlock) instead of notfound.
>
> > modcall[authorize]: module "ldap" returns notfound
> > modcall: group authorize returns ok
> > rad_check_password: Found Auth-Type pam
> > auth: type "Pam"
> > modcall: entering group authenticate
> > pam_pass: using pamauth string for pam.conf lookup
> > pam_pass: authentication succeeded for
> > modcall[authenticate]: module "pam" returns ok
> > modcall: group authenticate returns ok
> > Sending Access-Accept of id 1 to 127.0.0.1:32826
> > Finished request 1
> > Going to the next request
> > Thread 2 waiting to be assigned a request
> >
> > How many need to fail, for the Access-Request to fail?
>
> Check out the doc/configurable_failover. You could do something like this in
> your authorize section:
>
> authorize{
> 	ldap{
> 		notfound = return
> 	}
> 	[...]
> }
>
> Hope it helps
>
> --
> Kostas Kalevras		Network Operations Center
> [EMAIL PROTECTED]	National Technical University of Athens, Greece
> Work Phone:		+30 10 7721861
> 'Go back to the shadow'	Gandalf
Re: Authorization via LDAP & Authentication via PAM
On Tue, 28 May 2002, Allister Maguire wrote:

> Hello,
>
> I have got this working by setting:
>
> DEFAULT Auth-Type := pam
>         Fall-Through = 1
>
> In the users file.
>
> I also want to restrict dialin access to certain ldap users, so I
> changed the ldap filter:
>
> filter = "(&(uid=%u)(msNPAllowDialin=TRUE))"
>
> In the ldap {} module.
>
> Only problem is if I set msNPAllowDialin=FALSE, they still get a
> Access-Accept because the files, pam module return ok (I think).

You could also use the access_attr configuration directive. Then the module will
return reject (well actually userlock) instead of notfound.

> modcall[authorize]: module "ldap" returns notfound
> modcall: group authorize returns ok
> rad_check_password: Found Auth-Type pam
> auth: type "Pam"
> modcall: entering group authenticate
> pam_pass: using pamauth string for pam.conf lookup
> pam_pass: authentication succeeded for
> modcall[authenticate]: module "pam" returns ok
> modcall: group authenticate returns ok
> Sending Access-Accept of id 1 to 127.0.0.1:32826
> Finished request 1
> Going to the next request
> Thread 2 waiting to be assigned a request
>
> How many need to fail, for the Access-Request to fail?

Check out the doc/configurable_failover. You could do something like this in
your authorize section:

authorize{
	ldap{
		notfound = return
	}
	[...]
}

Hope it helps

--
Kostas Kalevras		Network Operations Center
[EMAIL PROTECTED]	National Technical University of Athens, Greece
Work Phone:		+30 10 7721861
'Go back to the shadow'	Gandalf
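The fail-open behaviour in the debug log above comes from how the authorize group combines module return codes: `notfound` has the lowest priority, so the `ok` from `files` (whose DEFAULT entry sets `Auth-Type := pam`) wins and the request goes on to PAM. The Python model below is an added example for this thread, not FreeRADIUS code. It assumes the default authorize action table from doc/configurable_failover, module results constructed to mirror the quoted log, and the server rule that authorize returning `notfound` does not reject by itself (the reject in the `notfound = return` case comes from no Auth-Type having been set because `files` never ran). Under those assumptions it shows the caveat a practitioner wants: `notfound = return` only fails closed if `ldap` is listed before `files`, whereas `access_attr` (which makes rlm_ldap return `userlock`) rejects regardless of module order.

```python
"""Model of FreeRADIUS authorize-group return-code handling.

Added example; not FreeRADIUS source. Priorities are the default
authorize action table from doc/configurable_failover. Module results
are constructed to mirror the debug log quoted in the thread.
"""

# A number is a priority (the group keeps the highest-priority code it
# has seen); "return" stops the group at once with that module's code.
DEFAULT_AUTHORIZE_ACTIONS = {
    "notfound": 1, "noop": 2, "ok": 3, "updated": 4,
    "fail": "return", "reject": "return", "userlock": "return",
    "invalid": "return", "handled": "return",
}

# Codes from authorize that make the server send Access-Reject outright.
# notfound is deliberately absent: it is treated like noop and the
# request continues to authentication (assumption stated in the lead-in).
REJECTING_CODES = {"fail", "invalid", "reject", "userlock"}


def run_authorize(modules, overrides=None):
    """Run (module, result) pairs through the authorize group.

    overrides maps module -> {result: action}, mirroring the
    ``ldap { notfound = return }`` syntax in radiusd.conf.
    Returns (group result, list of modules that actually ran).
    """
    overrides = overrides or {}
    ran = []
    best_code, best_prio = "notfound", 0
    for name, result in modules:
        ran.append(name)
        actions = {**DEFAULT_AUTHORIZE_ACTIONS, **overrides.get(name, {})}
        action = actions[result]
        if action == "return":
            return result, ran
        if action > best_prio:
            best_code, best_prio = result, action
    return best_code, ran


def outcome(modules, overrides=None, auth_type_setter="files"):
    """What the server does after authorize.

    'Access-Accept' if authorize let the request through and the module
    that sets Auth-Type (files, via its DEFAULT entry) ran, since PAM then
    succeeds as in the log. 'Access-Reject' if authorize returned a
    rejecting code or no Auth-Type was ever set.
    """
    code, ran = run_authorize(modules, overrides)
    if code in REJECTING_CODES:
        return "Access-Reject"
    return "Access-Accept" if auth_type_setter in ran else "Access-Reject"


# Constructed scenario matching the log: files runs before ldap, and the
# user has msNPAllowDialin=FALSE so the ldap filter does not match.
AS_LOGGED = [("files", "ok"), ("ldap", "notfound")]

# Kostas's suggestion: ldap { notfound = return }.
RETURN_ON_NOTFOUND = {"ldap": {"notfound": "return"}}

# Same override, but with ldap listed before files in authorize.
LDAP_FIRST = [("ldap", "notfound"), ("files", "ok")]

# With access_attr set, rlm_ldap returns userlock for a user whose
# dial-in attribute is not set (constructed to match Kostas's reply).
WITH_ACCESS_ATTR = [("files", "ok"), ("ldap", "userlock")]

if __name__ == "__main__":
    print("as logged:             ", outcome(AS_LOGGED))
    print("notfound=return, files first:",
          outcome(AS_LOGGED, RETURN_ON_NOTFOUND))
    print("notfound=return, ldap first: ",
          outcome(LDAP_FIRST, RETURN_ON_NOTFOUND))
    print("access_attr:           ", outcome(WITH_ACCESS_ATTR))
```

Run it as a script to see the four outcomes side by side; the second line is the one to notice, since it is an easy misconfiguration to ship without a negative test (a user with the dial-in flag cleared who must be rejected).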
Re: Authorization via LDAP & Authentication via PAM
On Fri, 17 May 2002, Allister Maguire wrote:

> Hello,
>
> In the radiusd.conf file you have the choice of specifying what Modules
> are used to:
>
> authorize {
> 	preprocess
> 	suffix
> 	ldap
> }
>
> And
>
> authenticate {
> 	pam
> }
>
> Is it possible to authorize via Ldap (Active Directory, including all
> radius attributes) and authenticate via Pam (Kerberos v, Windows 2000
> KDC)?

As for ldap I think yes. In any case it would be nice to know how well the ldap
module cooperates with Active Directory.

> Also is it possible to return a set of radius attribute/value pairs from
> a single ldap schema attribute? Eg:
>
> When I created our radius ldap schema, I only wanted to create ldap
> attributes for radius attribute/value pairs used to check eg:
> "Called-Station-Id" etc. I created a generic ldap attribute called
> radiusGenericReturn, this would hold a value (attribute/value pair)
> like: "Framed-Protocol=Framed, Framed-IP-Address=192.168.0.234,
> Framed-IP-Netmask=255.255.255.0 ...", this would allow the addition of
> any new radius attributes with ease.
>
> Is this possible?

Yes, see ldap.attrmap the $GENERIC$ attributes:

checkItem	$GENERIC$	radiusCheckItem
replyItem	$GENERIC$	radiusReplyItem

It can only hold one attribute though:

radiusReplyItem: Framed-IP-Netmask = 255.255.255.255

> Thanks
> Allister Maguire

--
Kostas Kalevras		Network Operations Center
[EMAIL PROTECTED]	National Technical University of Athens, Greece
Work Phone:		+30 10 7721861
'Go back to the shadow'	Gandalf