Hi,
I have got freeradius up and running. However, I have a few
questions regarding the users. I have set up LDAP as the authentication
backend for freeradius. So in my radiusd.conf file, the ldap module
section looks like this:
ldap {
        server = 127.0.0.1
        identity = cn=admin,dc=example,dc=com
        password = secret
        basedn = dc=example,dc=com
        filter = (uid=%u)
        default_profile = cn=radprofile,ou=People,dc=example,dc=com
        access_group = cn=radius_accounts,ou=People,dc=example,dc=com
        access_attr = uid
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        timeout = 4
        timelimit = 3
        net_timeout = 1
        ldap_debug = 0x0028
}
and the authorize section is:
authorize {
        preprocess
#
        counter
#
        attr_filter
        suffix
        files
        ldap
}
and the authenticate section is:
authenticate {
#
        pam
        unix
        # By grouping modules together in an authtype block, that authtype will be
        # tried on each module in sequence until one returns REJECT or OK. This
        # allows authentication failover if the first SQL server has crashed, for
        # example.
#
        authtype SQL {
#
                sql
#
                sql2
#
        }
        ldap
}
My users file contains the directives:
DEFAULT Auth-Type := LDAP
        Fall-Through = 1
DEFAULT Auth-Type := System
        Fall-Through = 1
#
# Last default: shell on the local terminal server.
#
DEFAULT
        Service-Type = Shell-User
I tested the free-radius server by running the radtest command locally as:
radtest basavaraj welcome123 localhost 10 testing123
and it seems to work fine. Both the authorization and authentication
work fine. A DN by the name basavaraj is present in the LDAP directory,
and hence LDAP authenticates it successfully.
However, I commented out all the entries in the users file and tested the
radius server with a different username, using the following command:
radtest guest hello123 localhost 10 testing123
and it works fine too!!!
NOTE: The user guest has a DN entry in the LDAP directory. The files
module returns notfound since there is no entry
in the users file, yet the authorization is still done with LDAP. I was
under the impression that if a user-name is not present in the users
file then the user should be denied access, or am I doing something wrong
here? Someone please help me. I have attached the debug log
output below.
-Raj
User-Name = guest
Password = \373\312\t\203\003\231\225\227^c\031\340\r\242_
NAS-IP-Address = 255.255.255.255
NAS-Port-Id = 10
Framed-Protocol = PPP
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
modcall[authorize]: module suffix returns ok
modcall[authorize]: module files returns notfound
rlm_ldap: - authorize
rlm_ldap: performing user authorization for guest
radius_xlat: '(uid=guest)'
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=admin,dc=example,dc=com/secret
rlm_ldap: waiting for bind result ...
request 1 done
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=guest)
request 2 done
rlm_ldap: checking if remote access for guest is allowed by uid
rlm_ldap: checking user membership in dialup-enabling group
cn=radius_accounts,ou=people,dc=example,dc=com
radius_xlat: '(| ( (objectClass=GroupOfNames)
(member=uid=guest,ou=People,dc=example,dc=com)) (
(objectClass=GroupOfUniqueNames)
(uniquemember=uid=guest,ou=People,dc=example,dc=com)))'
rlm_ldap: performing search in
cn=radius_accounts,ou=people,dc=example,dc=com, with filter (| (
(objectClass=GroupOfNames)
(member=uid=guest,ou=People,dc=example,dc=com)) (
(objectClass=GroupOfUniqueNames)
(uniquemember=uid=guest,ou=People,dc=example,dc=com)))
request 3 done
radius_xlat: '(objectclass=*)'
rlm_ldap: performing search in
cn=radprofile,ou=people,dc=example,dc=com, with filter (objectclass=*)
request 4 done
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user guest authorized to use remote access
modcall[authorize]: module ldap returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type LDAP
auth: type Ldap
modcall: entering group authenticate
rlm_ldap: - authenticate
rlm_ldap: login attempt by guest with password hello123
radius_xlat: '(uid=guest)'
rlm_ldap: user DN: uid=guest,ou=People,dc=example,dc=com
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=guest,ou=People,dc=example,dc=com/hello123
rlm_ldap: waiting for bind result ...
request 1 done
rlm_ldap: user guest authenticated succesfully
modcall[authenticate]: module ldap returns ok
modcall: group authenticate returns ok
-
List info/subscribe/unsubscribe? See
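As an added example (not part of the post or of FreeRADIUS), a small Python summariser for FreeRADIUS 1.x debug output like the one quoted above: it records what each module returned in each section and which Auth-Type was found, so you can audit which module actually authorized a request. The sample lines are constructed from the quoted log, and the regexes assume the `modcall[...]` and `rad_check_password` line formats shown there.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the debug output quoted in the post.
SAMPLE_LOG = """\
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
modcall[authorize]: module suffix returns ok
modcall[authorize]: module files returns notfound
rlm_ldap: user guest authorized to use remote access
modcall[authorize]: module ldap returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type LDAP
auth: type Ldap
modcall: entering group authenticate
modcall[authenticate]: module ldap returns ok
modcall: group authenticate returns ok
"""

# Line shapes assumed from the quoted log (FreeRADIUS 1.x debug format).
MODULE_RE = re.compile(r"^modcall\[(\w+)\]: module (\S+) returns (\w+)$")
GROUP_RE = re.compile(r"^modcall: group (\w+) returns (\w+)$")
AUTHTYPE_RE = re.compile(r"^rad_check_password: Found Auth-Type (\S+)$")


@dataclass
class RequestSummary:
    # section name -> [(module, return code), ...] in the order they ran
    modules: Dict[str, List[Tuple[str, str]]] = field(default_factory=dict)
    groups: Dict[str, str] = field(default_factory=dict)  # section -> return code
    auth_type: Optional[str] = None


def summarize(log_text: str) -> RequestSummary:
    """Collect per-module and per-section return codes plus the Auth-Type found."""
    s = RequestSummary()
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := MODULE_RE.match(line):
            s.modules.setdefault(m[1], []).append((m[2], m[3]))
        elif m := GROUP_RE.match(line):
            s.groups[m[1]] = m[2]
        elif m := AUTHTYPE_RE.match(line):
            s.auth_type = m[1]
    return s


def authorized_despite_files_notfound(s: RequestSummary) -> bool:
    """True when the users file had no entry (files -> notfound) yet authorize passed."""
    rc = dict(s.modules.get("authorize", []))
    return rc.get("files") == "notfound" and s.groups.get("authorize") == "ok"
```

Run on the quoted request, it shows files returning notfound while ldap returns ok and Auth-Type LDAP is still found with the users file commented out, which is why access is not denied: notfound from the files module means no matching entry, not a reject, and the ldap module then authorizes the user and supplies the Auth-Type.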