Hello,
    I would like to grant access to network devices based upon group membership.  I'm 
not sure what I am doing wrong.  If anyone might have any ideas or could point me to 
an example that would be great.  

The devices are Cisco, the directory server is LDAP v2, and the AAA server is FreeRADIUS 
v0.7.1. Almost out-of-the-box settings allow anyone with an account on the LDAP 
server under People to log into the devices:

radiusd.conf-

        ldap {
                server = "checkin.fqdn.com"
                basedn = "dc=fqdn,dc=com"
                filter = "(uid=%u)"
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }

On the LDAP the username used for testing:


dn: uid=cisco,ou=People, dc=fqdn,dc=com
mail: [EMAIL PROTECTED]
uid: cisco
givenName: cisco
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: inetUser
objectClass: inetSubscriber
objectClass: ipUser
objectClass: nsManagedPerson
sn: router
cn: cisco
userPassword: {SSHA}<DELETED>==
createtimestamp: 20021116160608Z
modifytimestamp: 20021116160608Z
parentid: 4
entryid: 20
entrydn: uid=cisco,ou=people,dc=fqdn,dc=com
subschemasubentry: cn=schema

I don't want to allow all users access to log onto the network devices, so I create a 
group on the LDAP server, adding the usernames I'd like to permit access to:


dn: cn=NOC,ou=Groups, dc=fqdn,dc=com
objectClass: top
objectClass: groupofuniquenames
createtimestamp: 20021116161756Z
modifytimestamp: 20021116161847Z
parentid: 3
entryid: 25
entrydn: cn=noc,ou=groups,dc=fqdn,dc=com
cn: NOC
description: router admins
uniqueMember: uid=cisco,ou=People, dc=fqdn,dc=com
uniqueMember: uid=greg,ou=People, dc=fqdn,dc=com
subschemasubentry: cn=schema


Now I change the radiusd.conf file to:

        ldap {
                server = "checkin.fqdn.com"
                basedn = "cn=noc,ou=groups, dc=fqdn,dc=com"
                #   filter = "(uid=%u,ou=People,dc=fqdn,dc=com)"
                filter = "(uid=%u)"
                #    filter   = "(uniquemember:uid=%u,ou=People,dc=fqdn,dc=com)"
                #    access_group = "cn=noc,ou=groups,dc=fqdn,dc=com"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }

Here is how it fails with the above config:


auth: type "LDAP"
modcall: entering group authtype
rlm_ldap: - authenticate
rlm_ldap: login attempt by "cisco" with password "deleted"
radius_xlat:  '(uid=cisco)'
radius_xlat:  'cn=noc,ou=groups, dc=fqdn,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to checkin.fqdn.com:389, authentication 0
rlm_ldap: setting TLS mode to 4
rlm_ldap: bind as / to checkin.fqdn.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in cn=noc,ou=groups, dc=fqdn,dc=com, with filter (uid=cisco)
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
  modcall[authenticate]: module "ldap" returns notfound
modcall: group authtype returns notfound
auth: Failed to validate the user.
Login incorrect (rlm_ldap: User not found): [cisco/deleted] (from client firewall port 66 cli 216.138.246.211)



What would I have to do to allow access to the users listed in the NOC group?  


thx,
g
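The following is an added example, not code from the post or from FreeRADIUS. It models in plain Python the two lookups that a group-restricted login needs: first locate the user entry by `uid` under the People container, then test whether the user's DN appears as a `uniqueMember` of the NOC group (the same GroupOfNames/GroupOfUniqueNames logic the `groupmembership_filter` above expresses). The in-memory directory is constructed from the `cisco` user and `NOC` group shown in the post, plus a hypothetical user `alice` who exists under People but is not in NOC; `parse_ldif`, `search`, `is_member` and `authorize` are assumed helper names. Running the post's failing search (`basedn` pointing at the group, filter `(uid=cisco)`) against this model returns nothing, for the same reason the log shows: the group entry has no `uid` attribute, so it can never match. DNs are normalised before comparison, because the entries mix `ou=People, dc=fqdn` with `ou=people,dc=fqdn` and a naive string compare would silently deny valid members.

```python
"""Model of a two-step LDAP user lookup plus group-membership check (constructed example)."""
from typing import Dict, List, Tuple

# Constructed LDIF: the cisco user and NOC group from the post, plus a
# hypothetical user "alice" who is under ou=People but is NOT in the NOC group.
SAMPLE_LDIF = """\
dn: uid=cisco,ou=People, dc=fqdn,dc=com
uid: cisco
objectClass: inetorgperson
cn: cisco

dn: uid=alice,ou=People, dc=fqdn,dc=com
uid: alice
objectClass: inetorgperson
cn: alice

dn: cn=NOC,ou=Groups, dc=fqdn,dc=com
objectClass: groupofuniquenames
cn: NOC
uniqueMember: uid=cisco,ou=People, dc=fqdn,dc=com
uniqueMember: uid=greg,ou=People, dc=fqdn,dc=com
"""

Entry = Dict[str, List[str]]


def normalize_dn(dn: str) -> str:
    """Canonical DN for comparison: lower-case, no whitespace around RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Parse minimal LDIF (no continuation lines, no base64) into {normalized_dn: attrs}."""
    entries: Dict[str, Entry] = {}
    current: Entry = {}
    for line in text.splitlines():
        if not line.strip():
            current = {}          # blank line ends the entry
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = {"dn": [value]}
            entries[normalize_dn(value)] = current
        elif current:
            current.setdefault(attr, []).append(value)
    return entries


def search(directory: Dict[str, Entry], base_dn: str, attr: str, value: str) -> List[str]:
    """Subtree search: DNs of entries at/under base_dn whose attr equals value (case-insensitive)."""
    base = normalize_dn(base_dn)
    hits = []
    for dn, attrs in directory.items():
        if dn != base and not dn.endswith("," + base):
            continue
        if any(v.lower() == value.lower() for v in attrs.get(attr.lower(), [])):
            hits.append(attrs["dn"][0])
    return hits


def is_member(directory: Dict[str, Entry], group_dn: str, user_dn: str) -> bool:
    """Mirror the groupmembership_filter: member= for GroupOfNames, uniquemember= for GroupOfUniqueNames."""
    group = directory.get(normalize_dn(group_dn))
    if group is None:
        return False
    classes = {c.lower() for c in group.get("objectclass", [])}
    if "groupofuniquenames" in classes:
        members = group.get("uniquemember", [])
    elif "groupofnames" in classes:
        members = group.get("member", [])
    else:
        return False
    target = normalize_dn(user_dn)
    return any(normalize_dn(m) == target for m in members)


def authorize(directory: Dict[str, Entry], username: str,
              people_base: str = "ou=People,dc=fqdn,dc=com",
              group_dn: str = "cn=NOC,ou=Groups,dc=fqdn,dc=com") -> Tuple[bool, str]:
    """Find exactly one user under People, then require NOC membership. Returns (allowed, detail)."""
    hits = search(directory, people_base, "uid", username)
    if len(hits) != 1:
        return False, "user not found or ambiguous"
    if not is_member(directory, group_dn, hits[0]):
        return False, "user not in group"
    return True, hits[0]


DIRECTORY = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    # The post's failing search: the group entry has no uid attribute, so nothing matches.
    print(search(DIRECTORY, "cn=noc,ou=groups, dc=fqdn,dc=com", "uid", "cisco"))
    for user in ("cisco", "alice", "greg"):
        print(user, authorize(DIRECTORY, user))
```

`greg` is denied here only because the constructed directory has no entry for him under People; in the real tree he would pass, since he is listed as a `uniqueMember`. The point of the split is that the user lookup and the group check run against different bases, so pointing the single `basedn` at the group entry cannot do both.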




List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html