ldap-group compare

2003-03-27 Thread Brian Leung



Hi all,
I have a very strange problem:
I used freeradius 0.8.1 with the following parts of radiusd.conf:
authorize {
    preprocess
    fixusername1
    fixusername2
    suffix
    files
}
authenticate {
    authtype LDAP {
        redundant {
            LDAP1
            LDAP2
        }
    }
}
in users:
DEFAULT Ldap-Group == "disable", Auth-Type := Reject
DEFAULT Auth-Type := LDAP
Everything seems to work fine even when LDAP1 or LDAP2 is down. I can
authenticate without problems.
But then the problem appears. You can see that I reject the users in the ldap-group
"disable". This part works fine too.
I can reject them if both LDAP1 and LDAP2 are up. Anyway, if LDAP2 is down,
I can't reject the users who are in the "disable" group.
The clients can authenticate successfully if they enter the correct password,
although they are in the "disable" group.
Then I turned on debug mode and found that ldap_groupcmp() only runs against
LDAP2. If it is down, it won't switch to LDAP1 to compare,
the "group compare" fails and radius allows the users access.
How can I configure it so that ldap_groupcmp() will solve the problem?
Thank you
Thank you

( Note: the radius can switch to use LDAP1 to do authentication if LDAP2 is 
down but not the "group compare")

Brian



Re: RADIUS/LDAP group membership setup

2002-11-18 Thread Kostas Kalevras
On Sat, 16 Nov 2002 [EMAIL PROTECTED] wrote:



 Hello,
 I would like to grant access to network devices based upon group membership.  
I'm not sure what I am doing wrong.  If anyone might have any ideas or could point me 
to an example that would be great.

 The devices are Cisco, the directory server is LDAP v2, and the AA server is
FreeRADIUS v0.7.1. Almost out-of-the-box settings allow anyone with an account on
the LDAP server under People to log into the devices:

 radiusd.conf-

 ldap {
 server = checkin.fqdn.com
 basedn = dc=fqdn,dc=com
 filter = (uid=%u)
 timeout = 4
 timelimit = 3
 net_timeout = 1
 }

 On the LDAP the username used for testing:


 dn: uid=cisco,ou=People, dc=fqdn,dc=com
 mail: [EMAIL PROTECTED]
 uid: cisco
 givenName: cisco
 objectClass: top
 objectClass: person
 objectClass: organizationalPerson
 objectClass: inetorgperson
 objectClass: inetUser
 objectClass: inetSubscriber
 objectClass: ipUser
 objectClass: nsManagedPerson
 sn: router
 cn: cisco
 userPassword: {SSHA}DELETED==
 createtimestamp: 20021116160608Z
 modifytimestamp: 20021116160608Z
 parentid: 4
 entryid: 20
 entrydn: uid=cisco,ou=people,dc=fqdn,dc=com
 subschemasubentry: cn=schema

 I don't want to allow all users access to log onto the network devices, so I create
a group on the LDAP server, adding the usernames I'd like to permit access to:


 dn: cn=NOC,ou=Groups, dc=fqdn,dc=com
 objectClass: top
 objectClass: groupofuniquenames
 createtimestamp: 20021116161756Z
 modifytimestamp: 20021116161847Z
 parentid: 3
 entryid: 25
 entrydn: cn=noc,ou=groups,dc=fqdn,dc=com
 cn: NOC
 description: router admins
 uniqueMember: uid=cisco,ou=People, dc=fqdn,dc=com
 uniqueMember: uid=greg,ou=People, dc=fqdn,dc=com
 subschemasubentry: cn=schema


 Now I change the radiusd.conf file to:

 ldap {
 server = checkin.fqdn.com
 basedn = cn=noc,ou=groups, dc=fqdn,dc=com
 #   filter = (uid=%u,ou=People,dc=fqdn,dc=com)
 filter = (uid=%u)
 #filter   = (uniquemember:uid=%u,ou=People,dc=fqdn,dc=com)
 #access_group = cn=noc,ou=groups,dc=fqdn,dc=com
 dictionary_mapping = ${raddbdir}/ldap.attrmap
 ldap_connections_number = 5
 groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
 timeout = 4
 timelimit = 3
 net_timeout = 1
 }

Don't change your basedn, leave it as it is. Rather, enable the access_group
directive. Also, please read doc/rlm_ldap, it should be quite helpful.


 Here is how it fails with the above config:


 auth: type LDAP
 modcall: entering group authtype
 rlm_ldap: - authenticate
 rlm_ldap: login attempt by cisco with password deleted
 radius_xlat:  '(uid=cisco)'
 radius_xlat:  'cn=noc,ou=groups, dc=fqdn,dc=com'
 ldap_get_conn: Got Id: 0
 rlm_ldap: attempting LDAP reconnection
 rlm_ldap: (re)connect to checkin.fqdn.com:389, authentication 0
 rlm_ldap: setting TLS mode to 4
 rlm_ldap: bind as / to checkin.fqdn.com:389
 rlm_ldap: waiting for bind result ...
 rlm_ldap: performing search in cn=noc,ou=groups, dc=fqdn,dc=com, with filter 
(uid=cisco)
 rlm_ldap: object not found or got ambiguous search result
 ldap_release_conn: Release Id: 0
   modcall[authenticate]: module ldap returns notfound
 modcall: group authtype returns notfound
 auth: Failed to validate the user.
 Login incorrect (rlm_ldap: User not found): [cisco/deleted] (from client firewall 
port 66 cli 216.138.246.211)



 What would I have to do to allow access to the users listed in the NOC group?


 thx,
 g




 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf





RADIUS/LDAP group membership setup

2002-11-16 Thread spam


Hello,
I would like to grant access to network devices based upon group membership.  I'm 
not sure what I am doing wrong.  If anyone might have any ideas or could point me to 
an example that would be great.  

The devices are Cisco, the directory server is LDAP v2, and the AA server is FreeRADIUS
v0.7.1. Almost out-of-the-box settings allow anyone with an account on the LDAP
server under People to log into the devices:

radiusd.conf-

ldap {
server = checkin.fqdn.com
basedn = dc=fqdn,dc=com
filter = (uid=%u)
timeout = 4
timelimit = 3
net_timeout = 1
}

On the LDAP the username used for testing:


dn: uid=cisco,ou=People, dc=fqdn,dc=com
mail: [EMAIL PROTECTED]
uid: cisco
givenName: cisco
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: inetUser
objectClass: inetSubscriber
objectClass: ipUser
objectClass: nsManagedPerson
sn: router
cn: cisco
userPassword: {SSHA}DELETED==
createtimestamp: 20021116160608Z
modifytimestamp: 20021116160608Z
parentid: 4
entryid: 20
entrydn: uid=cisco,ou=people,dc=fqdn,dc=com
subschemasubentry: cn=schema

I don't want to allow all users access to log onto the network devices, so I create a
group on the LDAP server, adding the usernames I'd like to permit access to:


dn: cn=NOC,ou=Groups, dc=fqdn,dc=com
objectClass: top
objectClass: groupofuniquenames
createtimestamp: 20021116161756Z
modifytimestamp: 20021116161847Z
parentid: 3
entryid: 25
entrydn: cn=noc,ou=groups,dc=fqdn,dc=com
cn: NOC
description: router admins
uniqueMember: uid=cisco,ou=People, dc=fqdn,dc=com
uniqueMember: uid=greg,ou=People, dc=fqdn,dc=com
subschemasubentry: cn=schema


Now I change the radiusd.conf file to:

ldap {
server = checkin.fqdn.com
basedn = cn=noc,ou=groups, dc=fqdn,dc=com
#   filter = (uid=%u,ou=People,dc=fqdn,dc=com)
filter = (uid=%u)
#filter   = (uniquemember:uid=%u,ou=People,dc=fqdn,dc=com)
#access_group = cn=noc,ou=groups,dc=fqdn,dc=com
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
timeout = 4
timelimit = 3
net_timeout = 1
}

Here is how it fails with the above config:


auth: type LDAP
modcall: entering group authtype
rlm_ldap: - authenticate
rlm_ldap: login attempt by cisco with password deleted
radius_xlat:  '(uid=cisco)'
radius_xlat:  'cn=noc,ou=groups, dc=fqdn,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to checkin.fqdn.com:389, authentication 0
rlm_ldap: setting TLS mode to 4
rlm_ldap: bind as / to checkin.fqdn.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in cn=noc,ou=groups, dc=fqdn,dc=com, with filter 
(uid=cisco)
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
  modcall[authenticate]: module ldap returns notfound
modcall: group authtype returns notfound
auth: Failed to validate the user.
Login incorrect (rlm_ldap: User not found): [cisco/deleted] (from client firewall port 
66 cli 216.138.246.211)



What would I have to do to allow access to the users listed in the NOC group?  


thx,
g







Re: ldap-group

2002-09-12 Thread Kostas Kalevras

On Thu, 12 Sep 2002 [EMAIL PROTECTED] wrote:


 hi,

 On Thu, 12 Sep 2002, Brian Leung wrote:

  how about the user object, do I need to add any attribute there?
 

 if you have already added the user DN under the group DN, then there's no
 need to add any attribute on the user object. it will be looked-up on the
 group DN for the user's membership.

 another way of checking group membership via LDAP is utilizing the
 groupmembership_attribute on radiusd.conf. you just need to add another
 attribute which the ldap module checks if it exists on the user object.

 IMHO, this is more elegant if you have thousands of users belonging to
 different groups.

Yes it is. You do get into problems though if you are in a delegated
administration environment since you then allow whoever has access to the user
entry to assign the user to whatever group he wants.


 so for this DN,

  # ronaldo, testing
  dn: uid=ronaldo,o=testing
  objectClass: top
  objectClass: person
  objectClass: organizationalPerson
  objectClass: inetOrgPerson
  objectClass: inetLocalMailRecipient
  objectClass: radiusprofile
  objectClass: posixAccount
  objectClass: PureFTPdUser
  cn: ronaldo
  sn: ronaldo
  mail: ronaldo@testing
  uid: ronaldo
  uidNumber: 1001
  gidNumber: 1001
  homeDirectory: /home/ronaldo
  userPassword::
  FTPuid: 1001
  FTPQuotaMBytes: 1
  radiusProfileDn: cn=radiusprofile2,o=testing

 add this attribute:

  radiusGroupName: testgroup

 and create this:

 [Group DN]

  # mygroup, testing
  dn: cn=testgroup,ou=testing
  cn: testgroup
  objectClass: posixGroup
  gidNumber: 1101

 and on radiusd.conf, set

  groupmembership_attribute = radiusGroupName


 restart radiusd and see the results.

 regards,

 ronald

Well, actually if you don't put a group DN in the radiusGroupName attribute you
don't need to create the group entry.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf





Re: ldap-group

2002-09-12 Thread Brian Leung

Thank you so much


Kostas Kalevras wrote:

On Thu, 12 Sep 2002 [EMAIL PROTECTED] wrote:

hi,

On Thu, 12 Sep 2002, Brian Leung wrote:

how about the user object, do I need to add any attribute there?

if you have already added the user DN under the group DN, then there's no
need to add any attribute on the user object. it will be looked-up on the
group DN for the user's membership.

another way of checking group membership via LDAP is utilizing the
groupmembership_attribute on radiusd.conf. you just need to add another
attribute which the ldap module checks if it exists on the user object.

IMHO, this is more elegant if you have thousands of users belonging to
different groups.


Yes it is. You do get into problems though if you are in a delegated
administration environment since you then allow whoever has access to the user
entry to assign the user to whatever group he wants.

so for this DN,

# ronaldo, testing
dn: uid=ronaldo,o=testing
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: inetLocalMailRecipient
objectClass: radiusprofile
objectClass: posixAccount
objectClass: PureFTPdUser
cn: ronaldo
sn: ronaldo
mail: ronaldo@testing
uid: ronaldo
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/ronaldo
userPassword::
FTPuid: 1001
FTPQuotaMBytes: 1
radiusProfileDn: cn=radiusprofile2,o=testing

add this attribute:

 radiusGroupName: testgroup

and create this:

[Group DN]

 # mygroup, testing
 dn: cn=testgroup,ou=testing
 cn: testgroup
 objectClass: posixGroup
 gidNumber: 1101

and on radiusd.conf, set

 groupmembership_attribute = radiusGroupName


restart radiusd and see the results.

regards,

ronald


Well, actually if you don't put a group DN in the radiusGroupName attribute you
don't need to create the group entry.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf











A Little Problem in Ldap-Group

2002-09-12 Thread Atanu Das



Dear Radius Users,

I am using the FR-0.7 to authenticate against
OpenLDAP-2.0 GROUP. I have only one group called "G022" and members of the group
will be able to connect only between 11pm and 8am. My radius user file has only
the following two entries.

##USERS###

DEFAULT AUTH-TYPE := LDAP
        Fall-Through = 1

DEFAULT Ldap-Group == "G022", Current-Time := "Any2300-0800"
        Service-Type = Framed-User,
        Framed-Protocol = PPP


All users not belonging to the above group will be 
authenticated and will be billed by our billing software.

But when I run radiusd in debug mode, I get an error
and the user is getting an Access-Reject packet. Please help!!!

##LDIF

dn: dc=neline,dc=com
dc: neline
objectClass: top
objectClass: domain

dn: ou=radius, dc=neline,dc=com
ou: radius
objectClass: organizationalUnit
objectClass: top

dn: uid=testing,ou=radius, dc=neline,dc=com
sn: testing
userPassword:: bmVsaW5l
loginShell: /bin/noshell
l: testing
uidNumber: 1500
gidNumber: 1000
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: testing
cn: testing
homeDirectory: /home/testing
description: test acct for radius auth

dn: ou=usergroup, dc=neline,dc=com
ou: usergroup
objectClass: top
objectClass: organizationalUnit

dn: cn=testgroup,ou=usergroup, dc=neline,dc=com
gidNumber: 1000
memberUid: testing
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixGroup
uniqueMember: uid=testing,ou=radius,dc=neline,dc=com
cn: testgroup

##radiusd.conf##

ldap {
server = "192.9.168.2"
# identity = "cn=admin,o=My Org,c=UA"
# password = mypass
basedn = "dc=neline,dc=com"
filter = "(&(objectclass=posixaccount)(uid=%u))"
# set this to 'yes' to use TLS encrypted connections
# to the LDAP database.
start_tls = no
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
access_group = "cn=testgroup,ou=usergroup,dc=neline,dc=com"
#access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap
# ldap_cache_timeout = 120
# ldap_cache_size = 0
ldap_connections_number = 5
# password_header = "{clear}"
#password_attribute = userPassword
groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items = yes
# access_attr_used_for_allow = yes
}

##RADIUSD


Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/var"
main: logdir = "/var/log"
main: libdir = "/usr/local/lib"
main: radacctdir = "/var/log/radacct"
main: hostname_lookups = no
read_config_files: reading dictionary
read_config_files: reading clients
read_config_files: reading realms
read_config_files: reading naslist
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
security: max_attributes = 200
security: reject_delay = 1
main: debug_level = 0
read_config_files: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded LDAP 
ldap: server = "192.9.168.2"
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: ldap_cache_timeout = 0
ldap: ldap_cache_size = 0
ldap: identity = ""
ldap: start_tls = no
ldap: password = ""
ldap: basedn = "dc=neline,dc=com"
ldap: filter = "(&(objectclass=posixaccount)(uid=%u))"
ldap: default_profile = "(null)"
ldap: profile_attribute = "(null)"
ldap: access_group = "cn=testgroup,ou=usergroup,dc=neline,dc=com"
ldap: password_header = "(null)"
ldap: password_attribute = "(null)"
ldap: access_attr = "(null)"
ldap: groupname_attribute = "cn"
ldap: group

ldap-group

2002-09-11 Thread Brian Leung

Hi all,

I want to use ldap-group in the users file, and after I configure

Default Ldap-group == disable, Auth-Type := Reject

what LDIF should I add to the LDAP server?

Thanks






Re: ldap-group

2002-09-11 Thread Kostas Kalevras

On Wed, 11 Sep 2002, Brian Leung wrote:

 Hi all,

 I want to use ldap-group in the users file, and after I configure

 Default Ldap-group == disable, Auth-Type := Reject

 what LDIF should I add to the LDAP server?

 Thanks

Just create a GroupOfNames or a GroupOfUniqueNames entry and add the
corresponding user entries as members. Something like:

dn: cn=admins,ou=groups,dc=company,dc=com
objectclass: top
objectclass: groupofuniquenames
description: Admins Group
cn: admins
uniquemember: uid=user1,ou=people,dc=company,dc=com
uniquemember: uid=user2,ou=people,dc=company,dc=com


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf





Re: ldap-group

2002-09-11 Thread Brian Leung

how about the user object, do I need to add any attribute there?

# ronaldo, testing
dn: uid=ronaldo,o=testing
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: inetLocalMailRecipient
objectClass: radiusprofile
objectClass: posixAccount
objectClass: PureFTPdUser
cn: ronaldo
sn: ronaldo
mail: ronaldo@testing
uid: ronaldo
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/ronaldo
userPassword::
FTPuid: 1001
FTPQuotaMBytes: 1
radiusProfileDn: cn=radiusprofile2,o=testing


Kostas Kalevras wrote:

 On Wed, 11 Sep 2002, Brian Leung wrote:

  Hi all,
 
  I want to use ldap-group in the users file, and after I configure
 
  Default Ldap-group == disable, Auth-Type := Reject
 
  what LDIF should I add to the LDAP server?
 
  Thanks

 Just create a GroupOfNames or a GroupOfUniqueNames entry and add the
 corresponding user entries as members. Something like:

 dn: cn=admins,ou=groups,dc=company,dc=com
 objectclass: top
 objectclass: groupofuniquenames
 description: Admins Group
 cn: admins
 uniquemember: uid=user1,ou=people,dc=company,dc=com
 uniquemember: uid=user2,ou=people,dc=company,dc=com

 --
 Kostas Kalevras Network Operations Center
 [EMAIL PROTECTED]  National Technical University of Athens, Greece
 Work Phone: +30 10 7721861
 'Go back to the shadow' Gandalf






Re: ldap-group

2002-09-11 Thread arise


hi,

On Thu, 12 Sep 2002, Brian Leung wrote:

 how about the user object, do I need to add any attribute there?


if you have already added the user DN under the group DN, then there's no
need to add any attribute on the user object. it will be looked-up on the
group DN for the user's membership.

another way of checking group membership via LDAP is utilizing the
groupmembership_attribute on radiusd.conf. you just need to add another
attribute which the ldap module checks if it exists on the user object.

IMHO, this is more elegant if you have thousands of users belonging to
different groups.

so for this DN,

 # ronaldo, testing
 dn: uid=ronaldo,o=testing
 objectClass: top
 objectClass: person
 objectClass: organizationalPerson
 objectClass: inetOrgPerson
 objectClass: inetLocalMailRecipient
 objectClass: radiusprofile
 objectClass: posixAccount
 objectClass: PureFTPdUser
 cn: ronaldo
 sn: ronaldo
 mail: ronaldo@testing
 uid: ronaldo
 uidNumber: 1001
 gidNumber: 1001
 homeDirectory: /home/ronaldo
 userPassword::
 FTPuid: 1001
 FTPQuotaMBytes: 1
 radiusProfileDn: cn=radiusprofile2,o=testing

add this attribute:

 radiusGroupName: testgroup

and create this:

[Group DN]

 # mygroup, testing
 dn: cn=testgroup,ou=testing
 cn: testgroup
 objectClass: posixGroup
 gidNumber: 1101

and on radiusd.conf, set

 groupmembership_attribute = radiusGroupName


restart radiusd and see the results.

regards,

ronald


--
[Never be afraid to try something new.
Remember, amateurs built the ark,
and professionals built the Titanic.]
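Added example (not code from the list, FreeRADIUS or OpenLDAP): a Python model of the Ldap-Group check as Kostas describes it above (group entries listing member DNs) and as ronald's alternative (a groupmembership_attribute on the user entry); it also reproduces the 2002-11 thread's failure when basedn points at the group entry itself. The directory entries, the config dict and the evaluator are constructed; the filter is rlm_ldap's default as quoted in the posts, with its '&' restored.

```python
"""Model of how rlm_ldap (FreeRADIUS 0.x) evaluates an Ldap-Group check item.
Constructed example, not FreeRADIUS or OpenLDAP code: a tiny in-memory
directory, an LDAP filter evaluator, and both membership methods from the
posts (groupmembership_filter over group entries; groupmembership_attribute)."""
import re
def norm(value):  # case-fold and drop spaces after commas so DNs compare equal
    return re.sub(r",\s+", ",", value.strip().lower())

def parse_filter(s, i=0):
    """Recursive-descent parser for the filter subset needed here: &, |, attr=value."""
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "&|":
        op, kids = s[i], []
        i += 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1  # step over the closing ')'
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.strip().lower(), value), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive equality)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    return any(norm(v) == norm(node[2]) for v in entry.get(node[1], []))

def search(entries, basedn, filt):
    """Subtree search: entries at or under basedn that match filt."""
    base, tree = norm(basedn), parse_filter(filt)[0]
    return [e for e in entries if matches(tree, e) and
            (norm(e["dn"][0]) == base or norm(e["dn"][0]).endswith("," + base))]

def xlat(template, vals):
    """Minimal radius_xlat: expand %u and %{Attribute-Name} from vals."""
    out = template.replace("%u", vals.get("User-Name", ""))
    return re.sub(r"%\{([^}]+)\}", lambda m: vals.get(m.group(1), ""), out)

# rlm_ldap's default groupmembership_filter (the archive's HTML-to-text pass dropped the '&').
GROUP_FILTER = ("(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
                "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))")

def ldap_groupcmp(entries, cfg, user_name, group_name):
    """True when `Ldap-Group == group_name` holds for user_name.  Order mirrors
    rlm_ldap: exactly one user entry under basedn (else the "object not found or
    got ambiguous search result" case), then the attribute method, then the filter."""
    users = search(entries, cfg["basedn"], xlat(cfg["filter"], {"User-Name": user_name}))
    if len(users) != 1:
        return False
    user = users[0]
    # ronald's method: the user entry names its groups (group DNs not modelled)
    attr = cfg.get("groupmembership_attribute", "").lower()
    if attr and any(norm(v) == norm(group_name) for v in user.get(attr, [])):
        return True
    # Kostas's method: group entries list the user's DN as (unique)member
    filt = xlat(cfg["groupmembership_filter"], {"Ldap-UserDn": user["dn"][0]})
    gattr = cfg.get("groupname_attribute", "cn").lower()
    return any(norm(g) == norm(group_name)
               for grp in search(entries, cfg["basedn"], filt)
               for g in grp.get(gattr, []))

# Constructed directory (attribute names lowercased, values as lists): the People/Groups
# layout of the 2002-11 thread plus a "disable" group like Brian's.
ENTRIES = [
    {"dn": ["uid=cisco,ou=People,dc=fqdn,dc=com"], "uid": ["cisco"]},
    {"dn": ["uid=greg,ou=People,dc=fqdn,dc=com"], "uid": ["greg"],
     "radiusgroupname": ["testgroup"]},
    {"dn": ["cn=NOC,ou=Groups,dc=fqdn,dc=com"], "objectclass": ["groupOfUniqueNames"],
     "cn": ["NOC"], "uniquemember": ["uid=cisco,ou=People, dc=fqdn,dc=com",
                                     "uid=greg,ou=People, dc=fqdn,dc=com"]},
    {"dn": ["cn=disable,ou=Groups,dc=fqdn,dc=com"], "objectclass": ["groupOfUniqueNames"],
     "cn": ["disable"], "uniquemember": ["uid=greg,ou=People,dc=fqdn,dc=com"]},
]
CONFIG = {"basedn": "dc=fqdn,dc=com", "filter": "(uid=%u)", "groupname_attribute": "cn",
          "groupmembership_filter": GROUP_FILTER, "groupmembership_attribute": "radiusGroupName"}

def demo():
    """Cases from the threads -> {case: matched}."""
    wrong_base = dict(CONFIG, basedn="cn=noc,ou=groups,dc=fqdn,dc=com")
    return {
        "cisco in NOC": ldap_groupcmp(ENTRIES, CONFIG, "cisco", "NOC"),
        "greg in disable": ldap_groupcmp(ENTRIES, CONFIG, "greg", "disable"),
        "greg in testgroup": ldap_groupcmp(ENTRIES, CONFIG, "greg", "testgroup"),
        # basedn pointed at the group entry: (uid=cisco) finds no user entry there
        "cisco in NOC, basedn=group": ldap_groupcmp(ENTRIES, wrong_base, "cisco", "NOC"),
    }
```

With the same entries, a users-file line such as `DEFAULT Ldap-Group == "disable", Auth-Type := Reject` would fire for greg and not for cisco.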





Re: Authorisation based on LDAP Group membership

2002-06-13 Thread Kostas Kalevras

On Thu, 13 Jun 2002, Michael Fuller wrote:

 It is not working. where am I going wrong ?
 Regards,
 Michael Fuller

Could you also include the ldap section of the radiusd.conf as well as the
authenticate and authorize sections? Also the server debugging output of the
corresponding request.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf





Authorisation based on LDAP Group membership

2002-06-12 Thread Michael Fuller

Hi all,

I have installed openldap and freeradius on a Red Hat v7.3 box. I want to
use ldap for radius authentication and authorisation.

I want to control authorisation on a per group basis, and added the
radiusprofile object class to a group. The radiusServiceType was then set to
Administrative-User. However, members of this group are not able to telnet
to any of  our cisco routers. The arrangement works fine if I follow the
same procedure on a per user basis.

Is there any change that I have to make to radiusd.conf ? Where am I going
wrong ?

Please help.

Regards,
Michael Fuller




Re: Authorisation based on LDAP Group membership

2002-06-12 Thread Kostas Kalevras

On Wed, 12 Jun 2002, Michael Fuller wrote:

 Hi all,

 I have installed openldap and freeradius on a Red Hat v7.3 box. I want to
 use ldap for radius authentication and authorisation.

 I want to control authorisation on a per group basis, and added the
 radiusprofile object class to a group. The radiusServiceType was then set to
 Administrative-User. However, members of this group are not able to telnet
 to any of  our cisco routers. The arrangement works fine if I follow the
 same procedure on a per user basis.

 Is there any change that I have to make to radiusd.conf ? Where am I going
 wrong ?

 Please help.

 Regards,
 Michael Fuller

The profiles don't work on a group basis. What you can do is add a
profile_attribute (the name can be configured through the profile_attribute
configuration directive) to the ldap entries of all the users belonging to the
administrator group. That attribute will point to the DN of an entry containing
the radiusServiceType attribute. In other words:

dn: uid=admin,ou=people,dc=your,dc=company,dc=com
cn: Administrator
radiusprofiledn: uid=admin-profile,ou=people,dc=your,dc=company,dc=com
[...]

dn: uid=admin-profile,ou=people,dc=your,dc=company,dc=com
cn: Administrator Dialup Profile
radiusServiceType: Administrative-User

That should work just fine.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf





Re: Authorisation based on LDAP Group membership

2002-06-12 Thread Michael Fuller

Hi all,

Thanks to Kostas Kalevras for the clarification. Will my requirement work on
an OU basis ? I can add the attributes to the administrators on a per user
basis, as there will be only two or three of them.

My dial up users are a different story. I have around 500 users in my
database.

About 50 of them will not have any restrictions on connect
 - A profile without any session limit restrictions
About 300 of them will be allowed to connect only for a limited time per day
 - A profile with restrictions on session limit.
The rest of the users will not have any dial up
 - A profile that does not permit dial up access.

I do not think it is practically possible to assign these rights on a per
user basis. How do I assign these three profiles to these three types of
users ?

Please help

Thanks and regards,
Michael Fuller

- Original Message -
From: Kostas Kalevras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 12, 2002 7:22 PM
Subject: Re: Authorisation based on LDAP Group membership


 On Wed, 12 Jun 2002, Michael Fuller wrote:

  Hi all,
 
  I have installed openldap and freeradius on a Red Hat v7.3 box. I want to
  use ldap for radius authentication and authorisation.
 
  I want to control authorisation on a per group basis, and added the
  radiusprofile object class to a group. The radiusServiceType was then set to
  Administrative-User. However, members of this group are not able to telnet
  to any of  our cisco routers. The arrangement works fine if I follow the
  same procedure on a per user basis.
 
  Is there any change that I have to make to radiusd.conf ? Where am I going
  wrong ?
 
  Please help.
 
  Regards,
  Michael Fuller

 The profiles don't work on a group basis. What you can do is add a
 profile_attribute (the name can be configured through the profile_attribute
 configuration directive) to the ldap entries of all the users belonging to the
 administrator group. That attribute will point to the DN of an entry containing
 the radiusServiceType attribute. In other words:

 dn: uid=admin,ou=people,dc=your,dc=company,dc=com
 cn: Administrator
 radiusprofiledn: uid=admin-profile,ou=people,dc=your,dc=company,dc=com
 [...]

 dn: uid=admin-profile,ou=people,dc=your,dc=company,dc=com
 cn: Administrator Dialup Profile
 radiusServiceType: Administrative-User

 That should work just fine.

 --
 Kostas Kalevras Network Operations Center
 [EMAIL PROTECTED] National Technical University of Athens, Greece
 Work Phone: +30 10 7721861
 'Go back to the shadow' Gandalf







freeradius + ldap group membership

2001-12-24 Thread Najeh Ben Nasrallah

Hi All,

 I'm testing freeradius 0.4 with openldap 2.x . 
 I've some problems setting the groups and users in the ldap directory.
 
 I've added the following line in the ldap.attrmap:
 
  checkItem Group   DialGroup


 In each Ldap User Profile, the DialGroup Attribute is set to the
appropriate
 Group Profile cn.

 Each Group Profile should store reply items common to all members of
the group.
 
 When testing the config, freeradius debug mode (radiusd -X) shows that
the attribute DialGroup was added as a check item but there's no subsequent
ldap_groupcmp call searching for items related to the selected Group.

 rlm_ldap: looking for check items in directory...
 rlm_ldap Adding DialGroup as Group, value stuff  op=11

However, the groupmembership_filter and groupname_attribute were set
appropriately in the radiusd.conf.

 the users file contains a single DEFAULT entry :

  DEFAULT Auth-Type = Ldap
 Fall-Through = 1

 Note that using only the User Profile, without referring to the Group
Profile, works well.

Am I missing something?
Please, can someone provide a working sample?



thanks
