subject:"Please help \! newbie question"

Re: Please help ! newbie question

2001-11-28 Thread aland


Basavaraj Bendigeri [EMAIL PROTECTED] wrote:
 The 'users' file is just one authorization method out of many.  You
   allowed LDAP to be used, so when you disallowed the users file, LDAP
   was still permitted, and therefore it was used.
 
 Actually I was under the impression , that the user will be first 
 checked against the users file and if the authorization was successful 
 would then be handed over to LDAP . Isn't that how it is done ?

  If you tell it to do that, yes.  If you tell it NOT to use the
'users' file, then my original comment is correct.

 I have one more question . This is regarding huntgroups . I assume 
 huntgroups is for restricting users to certain groups , right ? 

  No.  Read the comments at the top of the huntgroups file.

 My question here is can I use the huntgroups file in the scenario 
 wherein I am using LDAP as the authorization and authentication backend 
 for radius and at the same time implement the above requirement .

  That may be possible.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Please help ! newbie question

2001-11-25 Thread Basavaraj Bendigeri



Hi ,
 I have got freeradius up and running . However I have a few 
questions , regarding the users . I have setup ldap as authentication 
backend for freeradius . So my radiusd.conf file , the ldap modules 
section looks like this :
ldap {
 server = 127.0.0.1
 identity = cn=admin,dc=example,dc=com
 password = secret
 basedn = dc=example,dc=com
 filter = (uid=%u)
 default_profile = 
cn=radprofile,ou=People,dc=example,dc=com
 access_group = 
cn=radius_accounts,ou=People,dc=example,dc=com
 access_attr = uid
 dictionary_mapping = ${raddbdir}/ldap.attrmap
 timeout = 4
 timelimit = 3
 net_timeout = 1
 ldap_debug = 0x0028
}

and the authorize section is :

authorize {
preprocess
# 
counter
# 
attr_filter
suffix
files
ldap
}


and authenticate section is :

authenticate {
# 
pam
unix
# By grouping modules together in an authtype block, that authtype will be
# tried on each module in sequence until one returns REJECT or OK. This
# allows authentication failover if the first SQL server has crashed, for
# example.
# 
authtype SQL {
# 
sql
# 
sql2
# 
}
ldap
}


My users file contains the directives :

DEFAULT Auth-Type := LDAP
 Fall-Through = 1

DEFAULT Auth-Type := System
 Fall-Through = 1


# #
# # Last default: shell on the local terminal server.
# #
DEFAULT
Service-Type = Shell-User

I tested the free-radius server by running the radtest command locally as :

radtest basavaraj welcome123 localhost 10 testing123

and it seems to work fine .Both the authorization and authentication 
work fine. A dn by name is basavaraj is present in the ldap directory 
and hence ldap authenticates it successfully  .

However , I commented all the entries in the users file and tested the 
radius server with a different username ,using the following command

radtest guest hello123 localhost 10 testing123

and it works fine too !!!

NOTE : The user guest has a DN entry in the ldap directory . The  module 
files returns not found since there is no entry
in the users file still the authorization is done with ldap . I was 
under the impression that if a user-name is not present in the users 
file then the user should be denied access OR am I doing something wrong 
here . Someone please help me . I have attached the the log  debug 
output below .
-Raj


User-Name = guest
Password = \373\312\t\203\003\231\225\227^c\031\340\r\242_
NAS-IP-Address = 255.255.255.255
NAS-Port-Id = 10
Framed-Protocol = PPP
modcall: entering group authorize
   modcall[authorize]: module preprocess returns ok
   modcall[authorize]: module suffix returns ok
   modcall[authorize]: module files returns notfound
rlm_ldap: - authorize
rlm_ldap: performing user authorization for guest
radius_xlat:  '(uid=guest)'
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=admin,dc=example,dc=com/secret
rlm_ldap: waiting for bind result ...
request 1 done
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=guest)
request 2 done
rlm_ldap: checking if remote access for guest is allowed by uid
rlm_ldap: checking user membership in dialup-enabling group 
cn=radius_accounts,ou=people,dc=example,dc=com
radius_xlat:  '(| ( (objectClass=GroupOfNames) 
(member=uid=guest,ou=People,dc=example,dc=com)) ( 
(objectClass=GroupOfUniqueNames) 
(uniquemember=uid=guest,ou=People,dc=example,dc=com)))'
rlm_ldap: performing search in 
cn=radius_accounts,ou=people,dc=example,dc=com, with filter (| ( 
(objectClass=GroupOfNames) 
(member=uid=guest,ou=People,dc=example,dc=com)) ( 
(objectClass=GroupOfUniqueNames) 
(uniquemember=uid=guest,ou=People,dc=example,dc=com)))
request 3 done
radius_xlat:  '(objectclass=*)'
rlm_ldap: performing search in 
cn=radprofile,ou=people,dc=example,dc=com, with filter (objectclass=*)
request 4 done
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user guest authorized to use remote access
   modcall[authorize]: module ldap returns ok
modcall: group authorize returns ok
   rad_check_password:  Found Auth-Type LDAP
auth: type Ldap
modcall: entering group authenticate
rlm_ldap: - authenticate
rlm_ldap: login attempt by guest with password hello123
radius_xlat:  '(uid=guest)'
rlm_ldap: user DN: uid=guest,ou=People,dc=example,dc=com
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=guest,ou=People,dc=example,dc=com/hello123
rlm_ldap: waiting for bind result ...
request 1 done
rlm_ldap: user guest authenticated succesfully
   modcall[authenticate]: module ldap returns ok
modcall: group authenticate returns ok












- 
List info/subscribe/unsubscribe? See

Re: Please help ! newbie question

2001-11-25 Thread aland


Basavaraj Bendigeri [EMAIL PROTECTED] wrote:
 My users file contains the directives :
 
 DEFAULT Auth-Type := LDAP
  Fall-Through = 1
 
 DEFAULT Auth-Type := System
  Fall-Through = 1

  Why?  You're setting the Auth-Type to LDAP, and then immediatley
throwing that away, and setting it to System.  That makes no sense.

 However , I commented all the entries in the users file and tested the 
 radius server with a different username ,using the following command
 
 radtest guest hello123 localhost 10 testing123
 
 and it works fine too !!!
 
 NOTE : The user guest has a DN entry in the ldap directory .

  Yes, your debug log shows:

 modcall: group authorize returns ok
rad_check_password:  Found Auth-Type LDAP

  So something is setting Auth-Type to LDAP.  That's why the user is
being authenticated against the LDAP directory.

 The module files returns not found since there is no entry in the
 users file still the authorization is done with ldap . I was under
 the impression that if a user-name is not present in the users file
 then the user should be denied access OR am I doing something wrong
 here .

  The 'users' file is just one authorization method out of many.  You
allowed LDAP to be used, so when you disallowed the users file, LDAP
was still permitted, and therefore it was used.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Please help ! newbie question

Please help ! newbie question

Re: Please help ! newbie question

3 matches

Site Navigation

Mail list logo

Footer information