Re: Using ldap authentication/authorization
On Mon, 17 Jun 2002, Adi Linden wrote:

> To re-phrase my question to include everything I want to do...
>
> I want to set a daily limit per user in an LDAP attribute. If the daily
> limit is reached, the user's connection needs to be terminated and further
> login be refused until the next day...
>
> Users that do not have an LDAP attribute need to get a default value (if
> possible).
>
> I have things working in a sense that this works:
>
> DEFAULT Daily-Session-Time > 3600, Auth-Type := Reject
>         Reply-Message = "You've used up your daily time limit"
>
> This does not work:
>
> DEFAULT Daily-Session-Time > Max-Daily-Session, Auth-Type := Reject
>         Reply-Message = "You've used up your daily time limit"
>
> I am assuming that in order to terminate a current login session I need
> to pass the time left to the NAS in Session-Timeout. How do I do that?
> Would this work:
>
> Session-Timeout = Max-Daily-Session - Daily-Session-Time
>
> Thanks a bunch!
> Adi

radiusd.conf:

counter daily {
        [...]
        check-name = Max-Daily-Session
}

authorize {
        files
        ldap
        daily
}

ldap.attrmap:

checkitem       Max-Daily-Session       radiusMaxDailySession

Add the radiusMaxDailySession attribute in your ldap schema (attribute and in
your radiusprofile objectclass). Then just add this attribute to all the users
you want. If you want to create a default value you could just create a
default ldap user profile and add the value you want. The other choice is to
add the following in your users file:

DEFAULT Max-Daily-Session := 14400

As for the session-timeout don't worry the counter module handles that
automatically for you.

Hope this helps

--
Kostas Kalevras
Network Operations Center
National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
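A small model of the authorize flow described in this thread (files supplies the default Max-Daily-Session, ldap overrides it per user through the attrmap, the counter compares today's usage with the limit and hands the remainder to the NAS as Session-Timeout). This is an added example, not FreeRADIUS code or anything posted to the list; the user names, directory entries and counter values are constructed. It also runs the misordered case from the 14 Jun reply, files after counter, to show that the default then never reaches the check.

```python
# Added model of the authorize flow discussed in the thread; not FreeRADIUS
# code. Directory entries, counter values and the attrmap are constructed.
from typing import Dict, Tuple

ACCEPT, REJECT = "Access-Accept", "Access-Reject"

# Constructed ldap.attrmap: the posted line maps radiusMaxDailySession to the
# Max-Daily-Session check item.
LDAP_ATTRMAP = {"radiusMaxDailySession": "Max-Daily-Session"}

# Constructed directory: alice carries the attribute, bob relies on the
# users-file default, carol has no entry at all.
LDAP_USERS = {"alice": {"radiusMaxDailySession": "7200"}, "bob": {}}

# Constructed counter database (counter-name Daily-Session-Time, reset daily):
# seconds already used today, keyed by User-Name.
COUNTER_DB = {"alice": 7100, "bob": 14400}

# The posted users-file fallback: DEFAULT Max-Daily-Session := 14400
USERS_FILE_DEFAULT = {"Max-Daily-Session": 14400}


def files(check: Dict[str, int]) -> None:
    """users-file DEFAULT entry: supply check items not already present."""
    for name, value in USERS_FILE_DEFAULT.items():
        check.setdefault(name, value)


def ldap(user: str, check: Dict[str, int]) -> bool:
    """Look the user up and translate mapped attributes into check items."""
    entry = LDAP_USERS.get(user)
    if entry is None:
        return False  # unknown user: no entry to bind against
    for attr, value in entry.items():
        if attr in LDAP_ATTRMAP:
            check[LDAP_ATTRMAP[attr]] = int(value)  # per-user value wins
    return True


def counter(user: str, check: Dict[str, int], reply: Dict[str, object]) -> bool:
    """Compare today's usage with Max-Daily-Session, as the counter is described."""
    limit = check.get("Max-Daily-Session")
    if limit is None:
        return True  # nothing to check against: the module is a no-op
    used = COUNTER_DB.get(user, 0)
    if used >= limit:
        reply["Reply-Message"] = "You've used up your daily time limit"
        return False
    reply["Session-Timeout"] = limit - used  # NAS ends the session when this expires
    return True


def authorize(user: str, files_first: bool = True) -> Tuple[str, Dict[str, object]]:
    """Run the modules in the configured order and return the decision."""
    check: Dict[str, int] = {}
    reply: Dict[str, object] = {}
    if files_first:
        files(check)
    if not ldap(user, check):
        return REJECT, reply
    if not counter(user, check, reply):
        return REJECT, reply
    if not files_first:
        files(check)  # too late: counter never saw the default
    return ACCEPT, reply
```

With files listed after the counter, a user without the LDAP attribute is accepted with no Session-Timeout at all, so the misordering silently removes the limit rather than failing loudly.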
Re: Using ldap authentication/authorization
On Fri, 14 Jun 2002, Adi Linden wrote:

> How can I assign the Max-Daily-Session value in the "raddb/users" file as
> a default for users that do not have this in their LDAP entry? Both of the
> following do not work:
>
> DEFAULT
>         Max-Daily-Session = 1800,
>         Reply-Message = "Default settings"
>
> DEFAULT Max-Daily-Session = 1800
>         Reply-Message = "Default settings"
>
> Thanks,
> Adi

Make sure that in the authorize section the files module comes _before_ the
counter module. The second assignment should work ok. If it doesn't work try:

DEFAULT Max-Daily-Session := 1800

Hope it helps

--
Kostas Kalevras
Re: Using ldap authentication/authorization
> > I am assuming this is done with rlm_count. How can I retrieve the
> > timelimit from ldap and use it in radius?
>
> counter {
>         filename = ${raddbdir}/db.counter
>         key = User-Name
>         count-attribute = Acct-Session-Time
>         reset = daily
>         counter-name = Daily-Session-Time
>         check-name = Max-Daily-Session
>
>         allowed-servicetype = Framed-User
>         cache-size = 5000
> }
>
> Add an attribute like radiusMaxDailySession in your ldap schema (and in the
> radiusprofile objectclass). Also add it in ldap.attrmap like:
>
> checkItem       Max-Daily-Session       radiusMaxDailySession
>
> Then you can just set it to whatever value you wish for each user.

How can I assign the Max-Daily-Session value in the "raddb/users" file as a
default for users that do not have this in their LDAP entry? Both of the
following do not work:

DEFAULT
        Max-Daily-Session = 1800,
        Reply-Message = "Default settings"

DEFAULT Max-Daily-Session = 1800
        Reply-Message = "Default settings"

Thanks,
Adi
Re: Using ldap authentication/authorization
Oops, answered my own question. I was working with freeradius-0.5.

> > DEFAULT Ldap-Group == "admins"

This works just fine using a cvs checkout.

Adi

On Thu, 13 Jun 2002, Adi Linden wrote:

> > You can create normal groups in your ldap tree. Then you can do group searches
> > like this in your users file:
> >
> > DEFAULT Ldap-Group == "admins"
>
> Done that, I get the following error when running "radiusd -s -xxx":
>
> Module: Loaded files
>  files: usersfile = "/usr/local/etc/raddb/users"
>  files: acctusersfile = "/usr/local/etc/raddb/acct_users"
>  files: compat = "no"
> /usr/local/etc/raddb/users[178]: Parse error (check) for entry DEFAULT: Unknown attribute Ldap-Group
> Errors reading /usr/local/etc/raddb/users
> radiusd.conf[672]: files: Module instantiation failed.
>
> If I do this in the users file it never gets checked against the ldap
> attribute... Looking at the source, "ldap_groupcmp" should do the group
> checking and the "rlm_ldap: Entering ldap_groupcmp()" statement should
> appear when it hits the "Group" or "Ldap-Group".
>
> DEFAULT Group == "admins"
>
> Thanks,
> Adi
Re: Using ldap authentication/authorization
> You can create normal groups in your ldap tree. Then you can do group searches
> like this in your users file:
>
> DEFAULT Ldap-Group == "admins"

Done that, I get the following error when running "radiusd -s -xxx":

Module: Loaded files
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: compat = "no"
/usr/local/etc/raddb/users[178]: Parse error (check) for entry DEFAULT: Unknown attribute Ldap-Group
Errors reading /usr/local/etc/raddb/users
radiusd.conf[672]: files: Module instantiation failed.

If I do this in the users file it never gets checked against the ldap
attribute... Looking at the source, "ldap_groupcmp" should do the group
checking and the "rlm_ldap: Entering ldap_groupcmp()" statement should
appear when it hits the "Group" or "Ldap-Group".

DEFAULT Group == "admins"

Thanks,
Adi
Re: Using ldap authentication/authorization
On Wed, 12 Jun 2002, Adi Linden wrote:

> > No you can't. Both have to point to valid DN's in your tree. The
> > profile_attribute is an attribute contained in the user entry pointing to the
> > profile to be applied for the user, while User-Profile contains the profile to
> > be applied in special cases instead of the default profile (I use it to
> > implement Large Scale Dialout where I don't need the default reply items
> > contained in the default profile).
>
> So the profiles are entirely in LDAP then. I wanted to stay away from
> extending the LDAP schema on the LDAP server if possible and do as much as
> possible in the freeradius configuration.

Well if you don't want to extend the LDAP schema then you could just use the
users file to create profiles.

> From another message on the list I see that it is not possible to group
> users by having an attribute such as this either:
>
> knetRadiusGroup: knetonly
>
> In "radiusd.conf" the LDAP attribute would have to associate with the
> group somehow and then in "users":
>
> DEFAULT Group == "knetonly"
>
> Are there any solutions I haven't thought of yet?
>
> Thanks,
> Adi

You can create normal groups in your ldap tree. Then you can do group searches
like this in your users file:

DEFAULT Ldap-Group == "admins"

Just set the groupname_attribute in the ldap module configuration section to
whatever attribute holds the name of your group. That will be used to do a
search to find the requested group like this:

groupname_attribute = cn
ldap_search($base_dn, (cn=admins))

After that the module will use the groupmembership_filter to find if the user
belongs to the group. I am planning to also implement the second way of doing
group membership which is to have an attribute in the user entries pointing to
the _DN_ of the group(s) the user belongs to.

--
Kostas Kalevras
Re: Using ldap authentication/authorization
> No you can't. Both have to point to valid DN's in your tree. The
> profile_attribute is an attribute contained in the user entry pointing to the
> profile to be applied for the user, while User-Profile contains the profile to
> be applied in special cases instead of the default profile (I use it to
> implement Large Scale Dialout where I don't need the default reply items
> contained in the default profile).

So the profiles are entirely in LDAP then. I wanted to stay away from
extending the LDAP schema on the LDAP server if possible and do as much as
possible in the freeradius configuration.

From another message on the list I see that it is not possible to group
users by having an attribute such as this either:

knetRadiusGroup: knetonly

In "radiusd.conf" the LDAP attribute would have to associate with the
group somehow and then in "users":

DEFAULT Group == "knetonly"

Are there any solutions I haven't thought of yet?

Thanks,
Adi
Re: Using ldap authentication/authorization
On Wed, 12 Jun 2002, Adi Linden wrote:

> > Add an attribute like radiusMaxDailySession in your ldap schema (and in the
> > radiusprofile objectclass). Also add it in ldap.attrmap like:
> >
> > checkItem       Max-Daily-Session       radiusMaxDailySession
> >
> > Then you can just set it to whatever value you wish for each user.
>
> Great, this is exactly what I'd like to happen.
>
> > > How do I retrieve the pool information from ldap? Can I keep the poolname
> > > in an attribute such as knetRadiusPool? Where do I define the pool and
> > > associated ip addresses?
> >
> > You could either use the radiusReplyItem like this:
> >
> > radiusReplyitem: Cisco-AVPair := "ip:addr-pool=mypoolname"
> >
> > or create your own attribute which you should add to the radiusprofile
> > objectclass and ldap.attrmap.
> > You define the pool inside your nas.
>
> Can I define an attribute to contain the profile a user belongs to and
> then refer to this attribute value in the users file?
>
> "doc/rlm_ldap" has a section:
>
> USER PROFILE ATTRIBUTE:
>
> The module can use the User-Profile attribute. If it is set, it will
> assume that it contains the DN of a profile entry containing radius
> attributes. This entry will _replace_ the default profile directive.
> That way we can use different profiles based on checks on the radius
> attributes contained in the Access-Request packets. For example (users
> file):
>
> DEFAULT Service-Type == Outbound-User, User-Profile := "uid=outbound-dialup,dc=company,dc=com"
>
> I assume that the User-Profile refers to the following line in
> "radiusd.conf":
>
> # profile_attribute = "radiusProfileDn"
>
> Will this work if the DN doesn't exist on the ldap server, or can I use
> any string instead of valid DN and have this in ldap:
>
> radiusProfileDn: knetonly
>
> and in users:
>
> DEFAULT Service-Type == Framed-User, User-Profile == "knetonly"

No you can't. Both have to point to valid DN's in your tree.
The profile_attribute is an attribute contained in the user entry pointing to
the profile to be applied for the user, while User-Profile contains the profile
to be applied in special cases instead of the default profile (I use it to
implement Large Scale Dialout where I don't need the default reply items
contained in the default profile).

> Thank you for answering my questions. This has been tremendously helpful
> in getting things going!
>
> Thanks,
> Adi

--
Kostas Kalevras
Re: Using ldap authentication/authorization
> Add an attribute like radiusMaxDailySession in your ldap schema (and in the
> radiusprofile objectclass). Also add it in ldap.attrmap like:
>
> checkItem       Max-Daily-Session       radiusMaxDailySession
>
> Then you can just set it to whatever value you wish for each user.

Great, this is exactly what I'd like to happen.

> > How do I retrieve the pool information from ldap? Can I keep the poolname
> > in an attribute such as knetRadiusPool? Where do I define the pool and
> > associated ip addresses?
>
> You could either use the radiusReplyItem like this:
>
> radiusReplyitem: Cisco-AVPair := "ip:addr-pool=mypoolname"
>
> or create your own attribute which you should add to the radiusprofile
> objectclass and ldap.attrmap.
> You define the pool inside your nas.

Can I define an attribute to contain the profile a user belongs to and
then refer to this attribute value in the users file?

"doc/rlm_ldap" has a section:

USER PROFILE ATTRIBUTE:

The module can use the User-Profile attribute. If it is set, it will
assume that it contains the DN of a profile entry containing radius
attributes. This entry will _replace_ the default profile directive.
That way we can use different profiles based on checks on the radius
attributes contained in the Access-Request packets. For example (users
file):

DEFAULT Service-Type == Outbound-User, User-Profile := "uid=outbound-dialup,dc=company,dc=com"

I assume that the User-Profile refers to the following line in
"radiusd.conf":

# profile_attribute = "radiusProfileDn"

Will this work if the DN doesn't exist on the ldap server, or can I use
any string instead of valid DN and have this in ldap:

radiusProfileDn: knetonly

and in users:

DEFAULT Service-Type == Framed-User, User-Profile == "knetonly"

Thank you for answering my questions. This has been tremendously helpful
in getting things going!

Thanks,
Adi
Re: Using ldap authentication/authorization
On Wed, 12 Jun 2002, Adi Linden wrote:

> > > - Authenticate user by doing a bind to the LDAP server using the users
> > >   username and password
> >
> > Yes
>
> Ok, got that going.
>
> > > - Get the daily timelimit amount for the user from LDAP and apply that
> > >   daily limit
> >
> > Yes
>
> I am assuming this is done with rlm_count. How can I retrieve the
> timelimit from ldap and use it in radius?

counter {
        filename = ${raddbdir}/db.counter
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session

        allowed-servicetype = Framed-User
        cache-size = 5000
}

Add an attribute like radiusMaxDailySession in your ldap schema (and in the
radiusprofile objectclass). Also add it in ldap.attrmap like:

checkItem       Max-Daily-Session       radiusMaxDailySession

Then you can just set it to whatever value you wish for each user.

> > > - I have 2 pools of ip addresses with different access on the terminal
> > >   server. I need to somehow assign users to one of the pools using an
> > >   LDAP attribute
> >
> > Yes. Just create two user profiles and assign each user to one of them. Add a
> > Framed-Pool or Cisco-AVPair := "ip:addr-pool=mypoolname" in each profile and you
> > are ok.
>
> How do I retrieve the pool information from ldap? Can I keep the poolname
> in an attribute such as knetRadiusPool? Where do I define the pool and
> associated ip addresses?

You could either use the radiusReplyItem like this:

radiusReplyitem: Cisco-AVPair := "ip:addr-pool=mypoolname"

or create your own attribute which you should add to the radiusprofile
objectclass and ldap.attrmap.
You define the pool inside your nas.

> Thanks,
> Adi

--
Kostas Kalevras
Re: Using ldap authentication/authorization
> > - Authenticate user by doing a bind to the LDAP server using the users
> >   username and password
>
> Yes

Ok, got that going.

> > - Get the daily timelimit amount for the user from LDAP and apply that
> >   daily limit
>
> Yes

I am assuming this is done with rlm_count. How can I retrieve the
timelimit from ldap and use it in radius?

> > - I have 2 pools of ip addresses with different access on the terminal
> >   server. I need to somehow assign users to one of the pools using an
> >   LDAP attribute
>
> Yes. Just create two user profiles and assign each user to one of them. Add a
> Framed-Pool or Cisco-AVPair := "ip:addr-pool=mypoolname" in each profile and you
> are ok.

How do I retrieve the pool information from ldap? Can I keep the poolname
in an attribute such as knetRadiusPool? Where do I define the pool and
associated ip addresses?

Thanks,
Adi
Re: Using ldap authentication/authorization
On Wed, 12 Jun 2002, Adi Linden wrote:

> I am looking at using freeradius to authenticate and authorize dialup
> users. All the users are in an LDAP database. There are a few things I need
> to be able to do and I am wondering if freeradius will support it.
>
> - Authenticate user by doing a bind to the LDAP server using the users
>   username and password

Yes

> - Get the daily timelimit amount for the user from LDAP and apply that
>   daily limit

Yes

> - I have 2 pools of ip addresses with different access on the terminal
>   server. I need to somehow assign users to one of the pools using an
>   LDAP attribute

Yes. Just create two user profiles and assign each user to one of them. Add a
Framed-Pool or Cisco-AVPair := "ip:addr-pool=mypoolname" in each profile and you
are ok.

> Is the above doable with freeradius?
>
> Thanks,
> Adi

--
Kostas Kalevras