ldap-group compare
hi all,

i have a very strange problem: i use freeradius 0.8.1 with the following parts of radiusd.conf:

  authorize {
    preprocess
    fixusername1
    fixusername2
    suffix
    files
  }

  authenticate {
    authtype LDAP {
      redundant {
        LDAP1
        LDAP2
      }
    }
  }

in users:

  DEFAULT  Ldap-Group == "disable", Auth-Type := Reject

  DEFAULT  Auth-Type := LDAP

Everything seems to work fine even if LDAP1 or LDAP2 is down. I can authenticate without problems. But then the problem appears. You can see that i reject the users in the ldap-group "disable". This part works fine too: I can reject them if both LDAP1 and LDAP2 are up. Anyway, if LDAP2 is down, i can't reject the users who are in the "disable" group. The clients can authenticate successfully if they enter the correct password although they are in the "disable" group.

Then I tried turning on debug mode and found that ldap_groupcmp() only runs in LDAP2. If it is down it won't switch to LDAP1 to compare, the "group compare" fails and the radius allows the users access. How can i configure it so that ldap_groupcmp() will solve the problem?

Thank you

(Note: the radius can switch to use LDAP1 to do authentication if LDAP2 is down, but not for the "group compare")

Brian
Re: RADIUS/LDAP group membership setup
On Sat, 16 Nov 2002 [EMAIL PROTECTED] wrote:

> Hello,
>
> I would like to grant access to network devices based upon group membership. I'm not sure what I am doing wrong. If anyone might have any ideas or could point me to an example that would be great.
>
> The devices are Cisco, the directory server is LDAP v2, the AA server is FreeRADIUS v0.7.1. Almost out-of-the-box settings allow anyone with an account on the LDAP server under People to log into the devices:
>
> radiusd.conf:
>
>   ldap {
>     server = checkin.fqdn.com
>     basedn = dc=fqdn,dc=com
>     filter = (uid=%u)
>     timeout = 4
>     timelimit = 3
>     net_timeout = 1
>   }
>
> On the LDAP server, the username used for testing:
>
>   dn: uid=cisco,ou=People, dc=fqdn,dc=com
>   mail: [EMAIL PROTECTED]
>   uid: cisco
>   givenName: cisco
>   objectClass: top
>   objectClass: person
>   objectClass: organizationalPerson
>   objectClass: inetorgperson
>   objectClass: inetUser
>   objectClass: inetSubscriber
>   objectClass: ipUser
>   objectClass: nsManagedPerson
>   sn: router
>   cn: cisco
>   userPassword: {SSHA}DELETED==
>   createtimestamp: 20021116160608Z
>   modifytimestamp: 20021116160608Z
>   parentid: 4
>   entryid: 20
>   entrydn: uid=cisco,ou=people,dc=fqdn,dc=com
>   subschemasubentry: cn=schema
>
> I don't want to allow all users access to log onto the network devices, so I create a group on the LDAP server, adding the usernames I'd like to permit access to:
>
>   dn: cn=NOC,ou=Groups, dc=fqdn,dc=com
>   objectClass: top
>   objectClass: groupofuniquenames
>   createtimestamp: 20021116161756Z
>   modifytimestamp: 20021116161847Z
>   parentid: 3
>   entryid: 25
>   entrydn: cn=noc,ou=groups,dc=fqdn,dc=com
>   cn: NOC
>   description: router admins
>   uniqueMember: uid=cisco,ou=People, dc=fqdn,dc=com
>   uniqueMember: uid=greg,ou=People, dc=fqdn,dc=com
>   subschemasubentry: cn=schema
>
> Now I change the radiusd.conf file to:
>
>   ldap {
>     server = checkin.fqdn.com
>     basedn = cn=noc,ou=groups, dc=fqdn,dc=com
>     # filter = (uid=%u,ou=People,dc=fqdn,dc=com)
>     filter = (uid=%u)
>     #filter = (uniquemember:uid=%u,ou=People,dc=fqdn,dc=com)
>     #access_group = cn=noc,ou=groups,dc=fqdn,dc=com
>     dictionary_mapping = ${raddbdir}/ldap.attrmap
>     ldap_connections_number = 5
>     groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
>     timeout = 4
>     timelimit = 3
>     net_timeout = 1
>   }

Don't change your basedn, leave it as it is. Rather, enable the access_group directive. Also, please read doc/rlm_ldap, it should be quite helpful.

> Here is how it fails with the above config:
>
>   auth: type LDAP
>   modcall: entering group authtype
>   rlm_ldap: - authenticate
>   rlm_ldap: login attempt by cisco with password deleted
>   radius_xlat: '(uid=cisco)'
>   radius_xlat: 'cn=noc,ou=groups, dc=fqdn,dc=com'
>   ldap_get_conn: Got Id: 0
>   rlm_ldap: attempting LDAP reconnection
>   rlm_ldap: (re)connect to checkin.fqdn.com:389, authentication 0
>   rlm_ldap: setting TLS mode to 4
>   rlm_ldap: bind as / to checkin.fqdn.com:389
>   rlm_ldap: waiting for bind result ...
>   rlm_ldap: performing search in cn=noc,ou=groups, dc=fqdn,dc=com, with filter (uid=cisco)
>   rlm_ldap: object not found or got ambiguous search result
>   ldap_release_conn: Release Id: 0
>   modcall[authenticate]: module ldap returns notfound
>   modcall: group authtype returns notfound
>   auth: Failed to validate the user.
>   Login incorrect (rlm_ldap: User not found): [cisco/deleted] (from client firewall port 66 cli 216.138.246.211)
>
> What would I have to do to allow access to the users listed in the NOC group?
>
> thx, g

--
Kostas Kalevras          Network Operations Center
[EMAIL PROTECTED]        National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RADIUS/LDAP group membership setup
Hello,

I would like to grant access to network devices based upon group membership. I'm not sure what I am doing wrong. If anyone might have any ideas or could point me to an example that would be great.

The devices are Cisco, the directory server is LDAP v2, the AA server is FreeRADIUS v0.7.1. Almost out-of-the-box settings allow anyone with an account on the LDAP server under People to log into the devices:

radiusd.conf:

  ldap {
    server = checkin.fqdn.com
    basedn = dc=fqdn,dc=com
    filter = (uid=%u)
    timeout = 4
    timelimit = 3
    net_timeout = 1
  }

On the LDAP server, the username used for testing:

  dn: uid=cisco,ou=People, dc=fqdn,dc=com
  mail: [EMAIL PROTECTED]
  uid: cisco
  givenName: cisco
  objectClass: top
  objectClass: person
  objectClass: organizationalPerson
  objectClass: inetorgperson
  objectClass: inetUser
  objectClass: inetSubscriber
  objectClass: ipUser
  objectClass: nsManagedPerson
  sn: router
  cn: cisco
  userPassword: {SSHA}DELETED==
  createtimestamp: 20021116160608Z
  modifytimestamp: 20021116160608Z
  parentid: 4
  entryid: 20
  entrydn: uid=cisco,ou=people,dc=fqdn,dc=com
  subschemasubentry: cn=schema

I don't want to allow all users access to log onto the network devices, so I create a group on the LDAP server, adding the usernames I'd like to permit access to:

  dn: cn=NOC,ou=Groups, dc=fqdn,dc=com
  objectClass: top
  objectClass: groupofuniquenames
  createtimestamp: 20021116161756Z
  modifytimestamp: 20021116161847Z
  parentid: 3
  entryid: 25
  entrydn: cn=noc,ou=groups,dc=fqdn,dc=com
  cn: NOC
  description: router admins
  uniqueMember: uid=cisco,ou=People, dc=fqdn,dc=com
  uniqueMember: uid=greg,ou=People, dc=fqdn,dc=com
  subschemasubentry: cn=schema

Now I change the radiusd.conf file to:

  ldap {
    server = checkin.fqdn.com
    basedn = cn=noc,ou=groups, dc=fqdn,dc=com
    # filter = (uid=%u,ou=People,dc=fqdn,dc=com)
    filter = (uid=%u)
    #filter = (uniquemember:uid=%u,ou=People,dc=fqdn,dc=com)
    #access_group = cn=noc,ou=groups,dc=fqdn,dc=com
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
    timeout = 4
    timelimit = 3
    net_timeout = 1
  }

Here is how it fails with the above config:

  auth: type LDAP
  modcall: entering group authtype
  rlm_ldap: - authenticate
  rlm_ldap: login attempt by cisco with password deleted
  radius_xlat: '(uid=cisco)'
  radius_xlat: 'cn=noc,ou=groups, dc=fqdn,dc=com'
  ldap_get_conn: Got Id: 0
  rlm_ldap: attempting LDAP reconnection
  rlm_ldap: (re)connect to checkin.fqdn.com:389, authentication 0
  rlm_ldap: setting TLS mode to 4
  rlm_ldap: bind as / to checkin.fqdn.com:389
  rlm_ldap: waiting for bind result ...
  rlm_ldap: performing search in cn=noc,ou=groups, dc=fqdn,dc=com, with filter (uid=cisco)
  rlm_ldap: object not found or got ambiguous search result
  ldap_release_conn: Release Id: 0
  modcall[authenticate]: module ldap returns notfound
  modcall: group authtype returns notfound
  auth: Failed to validate the user.
  Login incorrect (rlm_ldap: User not found): [cisco/deleted] (from client firewall port 66 cli 216.138.246.211)

What would I have to do to allow access to the users listed in the NOC group?

thx, g
Re: ldap-group
On Thu, 12 Sep 2002 [EMAIL PROTECTED] wrote:

> hi,
>
> On Thu, 12 Sep 2002, Brian Leung wrote:
>
> > how about the user object, do i need to add any attribute to there
>
> if you have already added the user DN under the group DN, then there's no need to add any attribute on the user object. it will be looked up on the group DN for the user's membership.
>
> another way of checking group membership via LDAP is utilizing the groupmembership_attribute on radiusd.conf. you just need to add another attribute which the ldap module checks if it exists on the user object. IMHO, this is more elegant if you have thousands of users belonging to different groups.

Yes it is. You do get into problems though if you are in a delegated administration environment since you then allow whoever has access to the user entry to assign the user to whatever group he wants.

> so for this DN,
>
>   # ronaldo, testing
>   dn: uid=ronaldo,o=testing
>   objectClass: top
>   objectClass: person
>   objectClass: organizationalPerson
>   objectClass: inetOrgPerson
>   objectClass: inetLocalMailRecipient
>   objectClass: radiusprofile
>   objectClass: posixAccount
>   objectClass: PureFTPdUser
>   cn: ronaldo
>   sn: ronaldo
>   mail: ronaldo@testing
>   uid: ronaldo
>   uidNumber: 1001
>   gidNumber: 1001
>   homeDirectory: /home/ronaldo
>   userPassword::
>   FTPuid: 1001
>   FTPQuotaMBytes: 1
>   radiusProfileDn: cn=radiusprofile2,o=testing
>
> add this attribute:
>
>   radiusGroupName: testgroup
>
> and create this:
>
>   [Group DN]
>   # mygroup, testing
>   dn: cn=testgroup,ou=testing
>   cn: testgroup
>   objectClass: posixGroup
>   gidNumber: 1101
>
> and on radiusd.conf, set
>
>   groupmembership_attribute = radiusGroupName
>
> restart radiusd and see the results.
>
> regards,
> ronald

Well, actually if you don't put a group DN in the radiusGroupName attribute you don't need to create the group entry.

--
Kostas Kalevras          Network Operations Center
[EMAIL PROTECTED]        National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
Re: ldap-group
Thank you so much

Kostas Kalevras wrote:

> On Thu, 12 Sep 2002 [EMAIL PROTECTED] wrote:
>
> > hi,
> >
> > On Thu, 12 Sep 2002, Brian Leung wrote:
> >
> > > how about the user object, do i need to add any attribute to there
> >
> > if you have already added the user DN under the group DN, then there's no need to add any attribute on the user object. it will be looked up on the group DN for the user's membership.
> >
> > another way of checking group membership via LDAP is utilizing the groupmembership_attribute on radiusd.conf. you just need to add another attribute which the ldap module checks if it exists on the user object. IMHO, this is more elegant if you have thousands of users belonging to different groups.
>
> Yes it is. You do get into problems though if you are in a delegated administration environment since you then allow whoever has access to the user entry to assign the user to whatever group he wants.
>
> > so for this DN,
> >
> >   # ronaldo, testing
> >   dn: uid=ronaldo,o=testing
> >   objectClass: top
> >   objectClass: person
> >   objectClass: organizationalPerson
> >   objectClass: inetOrgPerson
> >   objectClass: inetLocalMailRecipient
> >   objectClass: radiusprofile
> >   objectClass: posixAccount
> >   objectClass: PureFTPdUser
> >   cn: ronaldo
> >   sn: ronaldo
> >   mail: ronaldo@testing
> >   uid: ronaldo
> >   uidNumber: 1001
> >   gidNumber: 1001
> >   homeDirectory: /home/ronaldo
> >   userPassword::
> >   FTPuid: 1001
> >   FTPQuotaMBytes: 1
> >   radiusProfileDn: cn=radiusprofile2,o=testing
> >
> > add this attribute:
> >
> >   radiusGroupName: testgroup
> >
> > and create this:
> >
> >   [Group DN]
> >   # mygroup, testing
> >   dn: cn=testgroup,ou=testing
> >   cn: testgroup
> >   objectClass: posixGroup
> >   gidNumber: 1101
> >
> > and on radiusd.conf, set
> >
> >   groupmembership_attribute = radiusGroupName
> >
> > restart radiusd and see the results.
> >
> > regards,
> > ronald
>
> Well, actually if you don't put a group DN in the radiusGroupName attribute you don't need to create the group entry.
>
> --
> Kostas Kalevras          Network Operations Center
> [EMAIL PROTECTED]        National Technical University of Athens, Greece
> Work Phone: +30 10 7721861
> 'Go back to the shadow' Gandalf
A Little Problem in Ldap-Group
Dear Radius Users,

I am using the FR-0.7 to authenticate against an OpenLDAP-2.0 GROUP. I have only one group called "G022" and members of the group will be able to connect only between 11pm and 8am. My radius users file has only the following two entries.

##USERS###

  DEFAULT  AUTH-TYPE := LDAP
           Fall-Through = 1

  DEFAULT  Ldap-Group == "G022", Current-Time := "Any2300-0800"
           Service-Type = Framed-User,
           Framed-Protocol = PPP

All users not belonging to the above group will be authenticated and will be billed by our billing software. But when I run radiusd in debug mode, I get an error and the user is getting an Access-Reject packet. Please help!!!

##LDIF

  dn: dc=neline,dc=com
  dc: neline
  objectClass: top
  objectClass: domain

  dn: ou=radius, dc=neline,dc=com
  ou: radius
  objectClass: organizationalUnit
  objectClass: top

  dn: uid=testing,ou=radius, dc=neline,dc=com
  sn: testing
  userPassword:: bmVsaW5l
  loginShell: /bin/noshell
  l: testing
  uidNumber: 1500
  gidNumber: 1000
  objectClass: top
  objectClass: person
  objectClass: organizationalPerson
  objectClass: inetOrgPerson
  objectClass: posixAccount
  uid: testing
  cn: testing
  homeDirectory: /home/testing
  description: test acct for radius auth

  dn: ou=usergroup, dc=neline,dc=com
  ou: usergroup
  objectClass: top
  objectClass: organizationalUnit

  dn: cn=testgroup,ou=usergroup, dc=neline,dc=com
  gidNumber: 1000
  memberUid: testing
  objectClass: top
  objectClass: groupOfUniqueNames
  objectClass: posixGroup
  uniqueMember: uid=testing,ou=radius,dc=neline,dc=com
  cn: testgroup

##radiusd.conf##

  ldap {
    server = "192.9.168.2"
    # identity = "cn=admin,o=My Org,c=UA"
    # password = mypass
    basedn = "dc=neline,dc=com"
    filter = "(&(objectclass=posixaccount)(uid=%u))"
    # set this to 'yes' to use TLS encrypted connections
    # to the LDAP database.
    start_tls = no
    # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
    # profile_attribute = "radiusProfileDn"
    access_group = "cn=testgroup,ou=usergroup,dc=neline,dc=com"
    #access_attr = "dialupAccess"
    # Mapping of RADIUS dictionary attributes to LDAP
    # directory attributes.
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    # ldap_cache_timeout = 120
    # ldap_cache_size = 0
    ldap_connections_number = 5
    # password_header = "{clear}"
    #password_attribute = userPassword
    groupname_attribute = cn
    groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
    timeout = 4
    timelimit = 3
    net_timeout = 1
    # compare_check_items = yes
    # access_attr_used_for_allow = yes
  }

##RADIUSD

  Starting - reading configuration files ...
  reread_config: reading radiusd.conf
  Config: including file: /etc/raddb/proxy.conf
  Config: including file: /etc/raddb/clients.conf
  Config: including file: /etc/raddb/snmp.conf
  Config: including file: /etc/raddb/sql.conf
  main: prefix = "/usr/local"
  main: localstatedir = "/var"
  main: logdir = "/var/log"
  main: libdir = "/usr/local/lib"
  main: radacctdir = "/var/log/radacct"
  main: hostname_lookups = no
  read_config_files: reading dictionary
  read_config_files: reading clients
  read_config_files: reading realms
  read_config_files: reading naslist
  main: max_request_time = 30
  main: cleanup_delay = 5
  main: max_requests = 1024
  main: delete_blocked_requests = 0
  main: port = 0
  main: allow_core_dumps = no
  main: log_stripped_names = no
  main: log_auth = no
  main: log_auth_badpass = no
  main: log_auth_goodpass = no
  main: pidfile = "/var/run/radiusd/radiusd.pid"
  main: user = "(null)"
  main: group = "(null)"
  main: usercollide = no
  main: lower_user = "no"
  main: lower_pass = "no"
  main: nospace_user = "no"
  main: nospace_pass = "no"
  main: proxy_requests = yes
  proxy: retry_delay = 5
  proxy: retry_count = 3
  proxy: synchronous = no
  proxy: default_fallback = yes
  proxy: dead_time = 120
  security: max_attributes = 200
  security: reject_delay = 1
  main: debug_level = 0
  read_config_files: entering modules setup
  Module: Library search path is /usr/local/lib
  Module: Loaded LDAP
  ldap: server = "192.9.168.2"
  ldap: port = 389
  ldap: net_timeout = 1
  ldap: timeout = 4
  ldap: timelimit = 3
  ldap: ldap_cache_timeout = 0
  ldap: ldap_cache_size = 0
  ldap: identity = ""
  ldap: start_tls = no
  ldap: password = ""
  ldap: basedn = "dc=neline,dc=com"
  ldap: filter = "(&(objectclass=posixaccount)(uid=%u))"
  ldap: default_profile = "(null)"
  ldap: profile_attribute = "(null)"
  ldap: access_group = "cn=testgroup,ou=usergroup,dc=neline,dc=com"
  ldap: password_header = "(null)"
  ldap: password_attribute = "(null)"
  ldap: access_attr = "(null)"
  ldap: groupname_attribute = "cn"
  ldap: group
ldap-group
hi all,

i want to use ldap-group in the users file and after i configure

  DEFAULT  Ldap-Group == disable, Auth-Type := Reject

what ldif should i add to the ldap server?

Thanks
Re: ldap-group
On Wed, 11 Sep 2002, Brian Leung wrote:

> hi all,
>
> i want to use ldap-group in the users file and after i configure
>
>   DEFAULT  Ldap-Group == disable, Auth-Type := Reject
>
> what ldif should i add to the ldap server?
>
> Thanks

Just create a GroupOfNames or a GroupOfUniqueNames entry and add the corresponding user entries as members. Something like:

  dn: cn=admins,ou=groups,dc=company,dc=com
  objectclass: top
  objectclass: groupofuniquenames
  description: Admins Group
  cn: admins
  uniquemember: uid=user1,ou=people,dc=company,dc=com
  uniquemember: uid=user2,ou=people,dc=company,dc=com

--
Kostas Kalevras          Network Operations Center
[EMAIL PROTECTED]        National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
Re: ldap-group
how about the user object, do i need to add any attribute to there

  # ronaldo, testing
  dn: uid=ronaldo,o=testing
  objectClass: top
  objectClass: person
  objectClass: organizationalPerson
  objectClass: inetOrgPerson
  objectClass: inetLocalMailRecipient
  objectClass: radiusprofile
  objectClass: posixAccount
  objectClass: PureFTPdUser
  cn: ronaldo
  sn: ronaldo
  mail: ronaldo@testing
  uid: ronaldo
  uidNumber: 1001
  gidNumber: 1001
  homeDirectory: /home/ronaldo
  userPassword::
  FTPuid: 1001
  FTPQuotaMBytes: 1
  radiusProfileDn: cn=radiusprofile2,o=testing

Kostas Kalevras wrote:

> On Wed, 11 Sep 2002, Brian Leung wrote:
>
> > hi all,
> >
> > i want to use ldap-group in the users file and after i configure
> >
> >   DEFAULT  Ldap-Group == disable, Auth-Type := Reject
> >
> > what ldif should i add to the ldap server?
> >
> > Thanks
>
> Just create a GroupOfNames or a GroupOfUniqueNames entry and add the corresponding user entries as members. Something like:
>
>   dn: cn=admins,ou=groups,dc=company,dc=com
>   objectclass: top
>   objectclass: groupofuniquenames
>   description: Admins Group
>   cn: admins
>   uniquemember: uid=user1,ou=people,dc=company,dc=com
>   uniquemember: uid=user2,ou=people,dc=company,dc=com
>
> --
> Kostas Kalevras          Network Operations Center
> [EMAIL PROTECTED]        National Technical University of Athens, Greece
> Work Phone: +30 10 7721861
> 'Go back to the shadow' Gandalf
Re: ldap-group
hi,

On Thu, 12 Sep 2002, Brian Leung wrote:

> how about the user object, do i need to add any attribute to there

if you have already added the user DN under the group DN, then there's no need to add any attribute on the user object. it will be looked up on the group DN for the user's membership.

another way of checking group membership via LDAP is utilizing the groupmembership_attribute on radiusd.conf. you just need to add another attribute which the ldap module checks if it exists on the user object. IMHO, this is more elegant if you have thousands of users belonging to different groups.

so for this DN,

  # ronaldo, testing
  dn: uid=ronaldo,o=testing
  objectClass: top
  objectClass: person
  objectClass: organizationalPerson
  objectClass: inetOrgPerson
  objectClass: inetLocalMailRecipient
  objectClass: radiusprofile
  objectClass: posixAccount
  objectClass: PureFTPdUser
  cn: ronaldo
  sn: ronaldo
  mail: ronaldo@testing
  uid: ronaldo
  uidNumber: 1001
  gidNumber: 1001
  homeDirectory: /home/ronaldo
  userPassword::
  FTPuid: 1001
  FTPQuotaMBytes: 1
  radiusProfileDn: cn=radiusprofile2,o=testing

add this attribute:

  radiusGroupName: testgroup

and create this:

  [Group DN]
  # mygroup, testing
  dn: cn=testgroup,ou=testing
  cn: testgroup
  objectClass: posixGroup
  gidNumber: 1101

and on radiusd.conf, set

  groupmembership_attribute = radiusGroupName

restart radiusd and see the results.

regards,
ronald

--
[Never be afraid to try something new. Remember, amateurs built the ark, and professionals built the Titanic.]
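The two membership mechanisms discussed in this thread (Kostas's groupOfNames/groupOfUniqueNames entry that lists the user DN, and ronald's groupmembership_attribute on the user entry) and the failure Brian reports in the "ldap-group compare" post (a group compare that cannot run leaves the user unmatched, so the request falls through to an accepting DEFAULT entry) can be modelled offline. The block below is an added example; it is not code from any post and not rlm_ldap's own implementation. The LDIF, the user and group names, the dc=company,dc=com suffix and the radiusGroupName attribute are constructed for the demonstration, and the group lookup follows the groupmembership_filter as posted, read with its `&` operators. The allow-list function goes one step beyond the thread: it shows the positive form of the same check, where a lookup that cannot be answered results in a reject instead of an accept.

```python
# Added example: offline model of rlm_ldap-style group membership checks.
# Not the project's code; LDIF and names below are constructed.
import re

SAMPLE_LDIF = """\
dn: uid=user1,ou=people,dc=company,dc=com
objectClass: inetOrgPerson
uid: user1

dn: uid=user2,ou=people,dc=company,dc=com
objectClass: inetOrgPerson
uid: user2
radiusGroupName: disable

dn: uid=user3,ou=people,dc=company,dc=com
objectClass: inetOrgPerson
uid: user3

dn: cn=admins,ou=groups,dc=company,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: admins
uniqueMember: uid=user1,ou=people,dc=company,dc=com

dn: cn=disable,ou=groups,dc=company,dc=com
objectClass: groupOfNames
cn: disable
member: uid=user3,ou=people,dc=company,dc=com
"""


def normalize_dn(dn):
    """DNs compare case-insensitively and ignore whitespace after commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Minimal LDIF reader (no line folding, no base64): {dn: {attr: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[normalize_dn(attrs.pop("dn")[0])] = attrs
    return entries


def groups_by_member(directory, user_dn):
    """Group entries listing the user, as the posted groupmembership_filter
    (|(&(objectClass=GroupOfNames)(member=DN))
      (&(objectClass=GroupOfUniqueNames)(uniquemember=DN))) selects them;
    returns the groupname_attribute (cn) of each match."""
    wanted = normalize_dn(user_dn)
    found = []
    for attrs in directory.values():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "groupofnames" in classes:
            members = attrs.get("member", [])
        elif "groupofuniquenames" in classes:
            members = attrs.get("uniquemember", [])
        else:
            continue
        if wanted in {normalize_dn(m) for m in members}:
            found.extend(attrs.get("cn", []))
    return found


def groups_by_attribute(directory, user_dn, attribute="radiusgroupname"):
    """Membership read from the user entry itself (groupmembership_attribute)."""
    return list(directory.get(normalize_dn(user_dn), {}).get(attribute, []))


def ldap_group_matches(directory, user_dn, group):
    """Ldap-Group == "<group>" as a tri-state: True, False, or None when the
    directory could not be queried (the server-down case from the thread)."""
    if directory is None:
        return None
    names = groups_by_member(directory, user_dn) + groups_by_attribute(directory, user_dn)
    return group.lower() in {n.lower() for n in names}


def deny_list_decision(directory, user_dn):
    """users-file logic from the thread: DEFAULT Ldap-Group == "disable" -> Reject,
    then DEFAULT Auth-Type := LDAP. An unanswerable compare does not match the
    first entry, so the request falls through to the accepting one: fails open."""
    return "Reject" if ldap_group_matches(directory, user_dn, "disable") else "LDAP"


def allow_list_decision(directory, user_dn, required_group="admins"):
    """Positive form (what access_group expresses): only members of the required
    group continue, so an outage cannot widen access."""
    return "LDAP" if ldap_group_matches(directory, user_dn, required_group) else "Reject"


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for uid in ("user1", "user2", "user3"):
        dn = "uid=%s,ou=people,dc=company,dc=com" % uid
        print(uid, deny_list_decision(directory, dn), allow_list_decision(directory, dn))
    print("directory down, user3:", deny_list_decision(None, "uid=user3,ou=people,dc=company,dc=com"))
```

Running the block prints user3 as "Reject" while the directory answers and as "LDAP" when it does not, which is the behaviour Brian observed with LDAP2 down; the allow-list variant rejects in both cases. The same fail-open property holds for any check item that is only used to select a rejecting entry, so the safer pattern is to make the accepting entry itself depend on a successful membership lookup.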
Re: Authorisation based on LDAP Group membership
On Thu, 13 Jun 2002, Michael Fuller wrote:

> It is not working. Where am I going wrong?
>
> Regards,
> Michael Fuller

Could you also include the ldap section of the radiusd.conf as well as the authenticate and authorize sections? Also the server debugging output of the corresponding request.

--
Kostas Kalevras          Network Operations Center
[EMAIL PROTECTED]        National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
Authorisation based on LDAP Group membership
Hi all,

I have installed openldap and freeradius on a Red Hat v7.3 box. I want to use ldap for radius authentication and authorisation.

I want to control authorisation on a per group basis, and added the radiusprofile object class to a group. The radiusServiceType was then set to Administrative-User. However, members of this group are not able to telnet to any of our cisco routers. The arrangement works fine if I follow the same procedure on a per user basis.

Is there any change that I have to make to radiusd.conf? Where am I going wrong? Please help.

Regards,
Michael Fuller
Re: Authorisation based on LDAP Group membership
On Wed, 12 Jun 2002, Michael Fuller wrote:

> Hi all,
>
> I have installed openldap and freeradius on a Red Hat v7.3 box. I want to use ldap for radius authentication and authorisation.
>
> I want to control authorisation on a per group basis, and added the radiusprofile object class to a group. The radiusServiceType was then set to Administrative-User. However, members of this group are not able to telnet to any of our cisco routers. The arrangement works fine if I follow the same procedure on a per user basis.
>
> Is there any change that I have to make to radiusd.conf? Where am I going wrong? Please help.
>
> Regards,
> Michael Fuller

The profiles don't work on a group basis. What you can do is add a profile attribute (the name can be configured through the profile_attribute configuration directive) in the ldap entries of all the users belonging to the administrator group. That attribute will point to the DN of an entry containing the radiusServiceType attribute. In other words:

  dn: uid=admin,ou=people,dc=your,dc=company,dc=com
  cn: Administrator
  radiusprofiledn: uid=admin-profile,ou=people,dc=your,dc=company,dc=com
  [...]

  dn: uid=admin-profile,ou=people,dc=your,dc=company,dc=com
  cn: Administrator Dialup Profile
  radiusServiceType: Administrative-User

That should work just fine.

--
Kostas Kalevras          Network Operations Center
[EMAIL PROTECTED]        National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
Re: Authorisation based on LDAP Group membership
Hi all,

Thanks to Kostas Kalevras for the clarification. Will my requirement work on an OU basis?

I can add the attributes to the administrators on a per user basis, as there will be only two or three of them. My dial up users are a different story. I have around 500 users in my database.

About 50 of them will not have any restrictions on connect - A profile without any session limit restrictions
About 300 of them will be allowed to connect only for a limited time per day - A profile with restrictions on session limit.
The rest of the users will not have any dial up - A profile that does not permit dial up access.

I do not think it is practically possible to assign these rights on a per user basis. How do I assign these three profiles to these three types of users? Please help

Thanks and regards,
Michael Fuller

----- Original Message -----
From: Kostas Kalevras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 12, 2002 7:22 PM
Subject: Re: Authorisation based on LDAP Group membership

> On Wed, 12 Jun 2002, Michael Fuller wrote:
>
> > Hi all,
> >
> > I have installed openldap and freeradius on a Red Hat v7.3 box. I want to use ldap for radius authentication and authorisation.
> >
> > I want to control authorisation on a per group basis, and added the radiusprofile object class to a group. The radiusServiceType was then set to Administrative-User. However, members of this group are not able to telnet to any of our cisco routers. The arrangement works fine if I follow the same procedure on a per user basis.
> >
> > Is there any change that I have to make to radiusd.conf? Where am I going wrong? Please help.
> >
> > Regards,
> > Michael Fuller
>
> The profiles don't work on a group basis. What you can do is add a profile attribute (the name can be configured through the profile_attribute configuration directive) in the ldap entries of all the users belonging to the administrator group. That attribute will point to the DN of an entry containing the radiusServiceType attribute. In other words:
>
>   dn: uid=admin,ou=people,dc=your,dc=company,dc=com
>   cn: Administrator
>   radiusprofiledn: uid=admin-profile,ou=people,dc=your,dc=company,dc=com
>   [...]
>
>   dn: uid=admin-profile,ou=people,dc=your,dc=company,dc=com
>   cn: Administrator Dialup Profile
>   radiusServiceType: Administrative-User
>
> That should work just fine.
>
> --
> Kostas Kalevras          Network Operations Center
> [EMAIL PROTECTED]        National Technical University of Athens, Greece
> Work Phone: +30 10 7721861
> 'Go back to the shadow' Gandalf
freeradius + ldap group membership
Hi All,

I'm testing freeradius 0.4 with openldap 2.x. I've some problems setting the groups and users in the ldap directory.

i've added the following line in the ldap.attrmap:

  checkItem  Group  DialGroup

In each Ldap User Profile, the DialGroup attribute is set to the appropriate Group Profile cn. Each Group Profile should store reply items common to all members of the group.

When testing the config, freeradius debug mode (radiusd -X) shows that the attribute DialGroup was added as a check item but there's no subsequent ldap_groupcmp call searching for items related to the selected Group.

  rlm_ldap: looking for check items in directory...
  rlm_ldap: Adding DialGroup as Group, value stuff op=11

However, the groupmembership_filter and groupname_attribute were set appropriately in the radiusd.conf. The users file contains a single DEFAULT entry:

  DEFAULT  Auth-Type = Ldap
           Fall-Through = 1

Note that using only the User Profile, without referring to the Group Profile, works well.

Am I missing something? Please, can someone provide a working sample.

thanks