Re: Authorization via LDAP & Authentication via PAM

2002-05-29 Thread Kostas Kalevras

On Wed, 29 May 2002, Michael Fuller wrote:

> Hi all,
>
> I am trying to get both authentication and authorisation through LDAP. While
> authentication works, authorisation still evades me. Ideas anybody?
>
> Regards,
> Michael Fuller

authorize{
	files
	ldap
}

What is the problem you are facing? Send debugging logs showing where your
problem is.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Authorization via LDAP & Authentication via PAM

2002-05-28 Thread Michael Fuller

Hi all,

I am trying to get both authentication and authorisation through LDAP. While
authentication works, authorisation still evades me. Ideas anybody?

Regards,
Michael Fuller

- Original Message -
From: "Kostas Kalevras" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, May 28, 2002 5:14 PM
Subject: Re: Authorization via LDAP & Authentication via PAM


> On Tue, 28 May 2002, Allister Maguire wrote:
>
> > Hello,
> >
> > I have got this working by setting:
> >
> > DEFAULT Auth-Type := pam
> > Fall-Through = 1
> >
> > In the users file.
> >
> > I also want to restrict dialin access to certain ldap users, so I
> > changed the ldap filter:
> >
> > filter = "(&(uid=%u)(msNPAllowDialin=TRUE))"
> >
> > In the ldap {} module.
> >
> > Only problem is if I set msNPAllowDialin=FALSE, they still get an
> > Access-Accept because the files, pam module return ok (I think).
>
> You could also use the access_attr configuration directive. Then the
> module will return reject (well actually userlock) instead of notfound.
>
> >
> >
> >
> >   modcall[authorize]: module "ldap" returns notfound
> > modcall: group authorize returns ok
> >   rad_check_password:  Found Auth-Type pam
> > auth: type "Pam"
> > modcall: entering group authenticate
> > pam_pass: using pamauth string  for pam.conf lookup
> > pam_pass: authentication succeeded for 
> >   modcall[authenticate]: module "pam" returns ok
> > modcall: group authenticate returns ok
> > Sending Access-Accept of id 1 to 127.0.0.1:32826
> > Finished request 1
> > Going to the next request
> > Thread 2 waiting to be assigned a request
> >
> >
> > How many need to fail, for the Access-Request to fail?
>
> Check out the doc/configurable_failover. You could do something like this
> in your authorize section:
>
> authorize{
> 	ldap{
> 		notfound = return
> 	}
> 	[...]
> }
>
> Hope it helps
>
> --
> Kostas Kalevras Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone: +30 10 7721861
> 'Go back to the shadow' Gandalf
>
>

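An added example (not from this thread and not rlm_ldap code) of what the filter quoted above asks the directory: a small evaluator for the "(&(uid=%u)(msNPAllowDialin=TRUE))" filter run over a constructed in-memory directory instead of a real LDAP server. The directory entries, the usernames, and the use of RFC 4515 escaping for the %u substitution are assumptions of the example. The point it shows is that an entry with msNPAllowDialin=FALSE, or with the attribute missing, simply does not match, so the module has nothing to find, and that the username substituted into the filter is compared literally rather than as a pattern.

```python
"""Minimal LDAP search-filter evaluator for the dial-in check.

Added example, not from the mailing list or the FreeRADIUS code base.
The directory below is constructed; filter escaping follows RFC 4515.
"""
import re

# Constructed sample directory: DN -> attribute -> list of values.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": {
        "uid": ["alice"], "msNPAllowDialin": ["TRUE"]},
    "uid=bob,ou=people,dc=example,dc=org": {
        "uid": ["bob"], "msNPAllowDialin": ["FALSE"]},
    "uid=carol,ou=people,dc=example,dc=org": {
        "uid": ["carol"]},                      # attribute absent
}

# The filter from the thread; %u is replaced by the (escaped) username.
FILTER_TEMPLATE = "(&(uid=%u)(msNPAllowDialin=TRUE))"


def escape_filter_value(value):
    """RFC 4515: escape characters that carry meaning inside a filter value
    so the substituted username is matched literally."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(text):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), text)


def parse_filter(text, pos=0):
    """Recursive-descent parser for the subset needed here: '&', '|' and
    equality assertions.  Returns (node, position after the node)."""
    if pos >= len(text) or text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if pos < len(text) and text[pos] in "&|":
        op, pos, children = text[pos], pos + 1, []
        while pos < len(text) and text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("unbalanced filter")
        return (op, children), pos + 1
    eq = text.index("=", pos)
    close = text.index(")", eq)     # a ')' inside a value is escaped as \29
    return ("=", text[pos:eq], text[eq + 1:close]), close + 1


def _value_matches(pattern, value):
    """LDAP substring semantics: an unescaped '*' written in the filter is a
    wildcard; everything else is compared literally, case-insensitively."""
    regex = ".*".join(re.escape(_unescape(part)) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def evaluate(node, entry):
    kind = node[0]
    if kind == "&":
        return all(evaluate(c, entry) for c in node[1])
    if kind == "|":
        return any(evaluate(c, entry) for c in node[1])
    _, attr, pattern = node
    return any(_value_matches(pattern, v) for v in entry.get(attr, []))


def search(directory, filter_text):
    """Return the sorted DNs of all entries matching filter_text."""
    tree, end = parse_filter(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing data after filter")
    return sorted(dn for dn, entry in directory.items() if evaluate(tree, entry))


def dialin_allowed(directory, username):
    """The lookup the ldap module performs: substitute the escaped username
    into the filter and see whether any entry matches."""
    filter_text = FILTER_TEMPLATE.replace("%u", escape_filter_value(username))
    return search(directory, filter_text)


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "a*"):
        print("%-6s -> %s" % (user, dialin_allowed(DIRECTORY, user) or "notfound"))
```

For bob (msNPAllowDialin=FALSE) and carol (attribute absent) the search comes back empty, which is exactly the "module ldap returns notfound" line in the debug output; whether notfound on its own is enough to reject the request is the failover question the rest of the thread is about.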



Re: Authorization via LDAP & Authentication via PAM

2002-05-28 Thread Kostas Kalevras

On Tue, 28 May 2002, Allister Maguire wrote:

> Hello,
>
> I have got this working by setting:
>
> DEFAULT Auth-Type := pam
> Fall-Through = 1
>
> In the users file.
>
> I also want to restrict dialin access to certain ldap users, so I
> changed the ldap filter:
>
> filter = "(&(uid=%u)(msNPAllowDialin=TRUE))"
>
> In the ldap {} module.
>
> Only problem is if I set msNPAllowDialin=FALSE, they still get an
> Access-Accept because the files, pam module return ok (I think).

You could also use the access_attr configuration directive. Then the module will
return reject (well actually userlock) instead of notfound.

>
>
>
>   modcall[authorize]: module "ldap" returns notfound
> modcall: group authorize returns ok
>   rad_check_password:  Found Auth-Type pam
> auth: type "Pam"
> modcall: entering group authenticate
> pam_pass: using pamauth string  for pam.conf lookup
> pam_pass: authentication succeeded for 
>   modcall[authenticate]: module "pam" returns ok
> modcall: group authenticate returns ok
> Sending Access-Accept of id 1 to 127.0.0.1:32826
> Finished request 1
> Going to the next request
> Thread 2 waiting to be assigned a request
>
>
> How many need to fail, for the Access-Request to fail?

Check out the doc/configurable_failover. You could do something like this in
your authorize section:

authorize{
	ldap{
		notfound = return
	}
	[...]
}

Hope it helps

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf


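An added example, not FreeRADIUS code and not from this thread, that models how a section combines module return codes under configurable failover. The priorities in AUTHORIZE_DEFAULTS are an assumption modelled on the defaults described in doc/configurable_failover (check them against your version), the module names and return codes are the ones from the debug output quoted above, and what the server does with the final section result is deliberately left out of the model.

```python
"""Toy model of FreeRADIUS section processing with configurable failover.

Added example (not from the list thread or the FreeRADIUS code base).
Assumption: the default actions below are modelled on those described in
doc/configurable_failover; verify them for the server version in use.
"""

RETURN = "return"

# Assumed default actions for the authorize section.  A number is a
# priority: a module's result replaces the running result only when its
# priority is higher than the running result's.  "return" stops the
# section immediately with that result, skipping the remaining modules.
AUTHORIZE_DEFAULTS = {
    "reject": RETURN, "fail": RETURN, "ok": 3, "handled": RETURN,
    "invalid": RETURN, "userlock": RETURN, "notfound": 1, "noop": 2,
    "updated": 4,
}


def run_section(modules, results, overrides=None):
    """Evaluate one section.

    modules   : ordered module names, e.g. ["preprocess", "suffix", "ldap"]
    results   : {module: code} what each module returns if it is called
    overrides : {module: {code: action}} per-module failover overrides,
                e.g. {"ldap": {"notfound": "return"}}
    Returns (section_result, list_of_modules_actually_called).
    """
    overrides = overrides or {}
    called, result, priority = [], "noop", 0   # assumed starting state
    for name in modules:
        called.append(name)
        code = results[name]
        action = overrides.get(name, {}).get(code, AUTHORIZE_DEFAULTS[code])
        if action == RETURN:
            return code, called
        if action > priority:
            result, priority = code, action
    return result, called


# Scenario from the debug output: ldap says notfound, but an earlier
# module's ok outranks it, so "group authorize returns ok".
THREAD_MODULES = ["preprocess", "suffix", "ldap"]
THREAD_RESULTS = {"preprocess": "ok", "suffix": "noop", "ldap": "notfound"}
NOTFOUND_RETURNS = {"ldap": {"notfound": "return"}}


if __name__ == "__main__":
    print("defaults:        ", run_section(THREAD_MODULES, THREAD_RESULTS))
    print("notfound=return: ", run_section(THREAD_MODULES, THREAD_RESULTS,
                                           NOTFOUND_RETURNS))
    # With ldap ahead of files, the override also stops files from running.
    print("ldap then files: ", run_section(["ldap", "files"],
                                           {"ldap": "notfound", "files": "ok"},
                                           NOTFOUND_RETURNS))
    # access_attr: the module returns userlock, which already returns.
    print("access_attr:     ", run_section(["ldap", "files"],
                                           {"ldap": "userlock", "files": "ok"}))
```

The model shows the fail-open pattern in the quoted log (a later ok masks the ldap notfound) and the two fixes the thread offers: the per-module notfound = return override, which ends the section with notfound and skips everything after ldap, and access_attr, whose userlock result stops the section under the default actions. The section result is what the server acts on afterwards; confirm in a debug run (radiusd -X) that the result you see in the log actually turns into an Access-Reject on your version.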



Re: Authorization via LDAP & Authentication via PAM

2002-05-17 Thread Kostas Kalevras

On Fri, 17 May 2002, Allister Maguire wrote:

> Hello,
>
> In the radiusd.conf file you have the choice of specifying what Modules
> are used to:
>
> authorize {
>   preprocess
>   suffix
>   ldap
> }
>
> And
>
> authenticate {
>   pam
> }
>
>
> Is it possible to authorize via Ldap (Active Directory, including all
> radius attributes) and authenticate via Pam (Kerberos v, Windows 2000
> KDC)?

As for ldap I think yes. In any case it would be nice to know how well the ldap
module cooperates with Active Directory.

>
>
> Also is it possible to return a set of radius attribute/value-pairs from
> a single ldap schema attribute? Eg:
>
> When I created our radius ldap schema, I only wanted to create ldap
> attributes for radius attribute/value-pairs used to check eg:
> "Called-Station-Id" etc. I created a generic ldap attribute called
> radiusGenericReturn, this would hold a value (attribute/value-pair)
> like: "Framed-Protocol=Framed, Framed-IP-Address=192.168.0.234,
> Framed-IP-Netmask=255.255.255.0 ...", this would allow the addition of
> any new radius attributes with ease.
>
> Is this possible?

Yes, see the $GENERIC$ attributes in ldap.attrmap:

checkItem   $GENERIC$   radiusCheckItem
replyItem   $GENERIC$   radiusReplyItem

It can only hold one attribute though:

radiusReplyItem: Framed-IP-Netmask = 255.255.255.255

>
>
> Thanks
> Allister Maguire
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf

