re: ldap group filter

2011-05-08 Thread crzrobot
Sorry for the double posting.
Hi,
Recently I implemented a radius authentication using the ldap module.
The next step is to control the users by groups and I want to ask how I could
set up the group filter if I have this kind of configuration for the groups
on the LDAP servers. I tried to google it but no luck with useful results.
The user authentication is done by uid.

Thank You for your help

dn: cn=group1, ou=group,dc=home,dc=net
objectclass: groupOfUniqueNames
gidNumber: 3
cn: group1
uniquemember: uidNumber=30001, ou=people,dc=home,dc=net
uniquemember: uidNumber=30002, ou=people,dc=home,dc=net
uniquemember: uidNumber=30003, ou=people,dc=home,dc=net


dn: uid=test01,ou=people,dc=home,dc=net
uid: test01
uidNumber: 30001
gidNumber: 3
cn: test01
sn: test01
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
homeDirectory: /home/test01



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error: User-Name is not the same as MS-CHAP name

2011-05-08 Thread Phil Mayers

On 05/07/2011 07:50 PM, Robert Mc Cready wrote:

The MS-CHAP-Use-NTLM-Auth := no  did the job but I still have one
problem with Windows XP clients, I get a  [mschap] ERROR: User-Name
(CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from
EAP-MSCHAPv2. Users log on locally, the host name is not a domain name.
Windows 7 clients work fine because they send only the username. I do
some rewrites so I can get the username for the LDAP authentication and
the computer's name for computer account authentication (I'm not familiar
with unlang yet). We use FR 2.1.10.

Any idea how to fix this?



You CANNOT rewrite the User-Name attribute, or you will have this problem.

If you want to manipulate the username, you must do so in a separate 
attribute, like so:


 if (User-Name =~ /^(.+)\\(.+)/) {
     update request {
         Stripped-User-Name := %{2}
     }
 }

An easier alternative is to not mangle the username at all, and instead 
update any string expansions to use:


 %{mschap:User-Name}

...including your LDAP filters. This will just work


Re: ldap group filter

2011-05-08 Thread Phil Mayers

On 05/08/2011 10:32 AM, crzrobot wrote:

Sorry for the double posting.
Hi,
Recently I implemented a radius authentication using the ldap module.
The next step is to control the users by groups and I want to ask how I could
set up the group filter if I have this kind of configuration for the groups
on the LDAP servers. I tried to google it but no luck with useful results.
The user authentication is done by uid.

Thank You for your help

dn: cn=group1, ou=group,dc=home,dc=net
objectclass: groupOfUniqueNames
gidNumber: 3
cn: group1
uniquemember: uidNumber=30001, ou=people,dc=home,dc=net
uniquemember: uidNumber=30002, ou=people,dc=home,dc=net
uniquemember: uidNumber=30003, ou=people,dc=home,dc=net



It's been a long time, but I think this is invalid LDAP data. The 
uniquemember value should be a valid DN.


You probably could make this work in FreeRADIUS, but you should fix your 
LDAP schema.


You'll need to do the following:

 1. Define a local uid attribute in raddb/dictionary e.g.

ATTRIBUTE Ldap-UID 3000 integer

 2. Define a mapping in ldap.attrmap from LDAP to radius for the uid e.g

checkItem Ldap-UID uidNumber

 3. Update your group query e.g.

groupmembership_filter = "(uniquemember=uidNumber=%{control:Ldap-UID},ou=people,dc=home,dc=net)"

...but it's hacky and nasty - what if the path after the RDN varies? Fix 
your LDAP schema to be right and this will just work



Re: ldap group filter

2011-05-08 Thread crzrobot
Hi Phil,
Thank You for the response. Your input helps a lot.

I did the modifications you suggested but the fetching of the variable is done
too late. When the checking of the group is done, the %{control:Ldap-UID} comes
up empty, but it is fetched later. See the freeradius output below.

Is there a possibility that %{control:Ldap-UID} could be filled before the
group test?


Thank You again.
  
  [ldap] Entering ldap_groupcmp()
[files] expand: ou=people,DC=home,DC=net -> ou=people,DC=home,DC=net
[files] expand: %{Stripped-User-Name} ->
[files] ... expanding second conditional
[files] expand: %{User-Name} -> test01
[files] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test01)
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to localhost:389, authentication 0
  [ldap] bind as cn=admin,dc=home,dc=net/test123 to localhost:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in ou=people,DC=home,DC=net, with filter (uid=test01)
  [ldap] ldap_release_conn: Release Id: 0
[files] expand: (uniquemember=uidNumber=%{control:Ldap-UID},ou=people,dc=home,dc=net) -> (uniquemember=uidNumber=,ou=people,dc=home,dc=net)
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in cn=group1,ou=group,dc=home,dc=net, with filter (uniquemember=uidNumber=,ou=people,dc=home,dc=net)
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group cn=group1,ou=group,dc=home,dc=net not found or user is not a member.
++[files] returns noop
[ldap] performing user authorization for test01
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> test01
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test01)
[ldap] expand: ou=people,DC=home,DC=net -> ou=people,DC=home,DC=net
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=people,DC=home,DC=net, with filter (uid=test01)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] uidNumber -> Ldap-UID == 30001   - here is fetched
--
  [ldap] userPassword -> Password-With-Header == {SSHA}5Va5FraqFtiFvnYULYP9me/OxLN0lh4P
[ldap] looking for reply items in directory...
[ldap] Setting Auth-Type = LDAP
[ldap] user test01 authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop




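The three steps in Phil's reply and the debug output in the follow-up turn on the same two points: uniquemember values that are not the DN of any real entry, and a filter built by substituting %{control:Ldap-UID} before the ldap module has fetched it. As an added example, not code from the thread or from FreeRADIUS, the following Python checks an LDIF snapshot for group members that do not resolve to an entry, and builds the step-3 filter with RFC 4515 escaping, refusing an empty Ldap-UID instead of emitting the "uidNumber=," filter seen in the output. The LDIF text (including a second member, uid=test02, that is a real entry DN) and all function names are constructed for this example.

```python
import re

# Constructed LDIF snapshot modelled on the entries posted in the thread (not
# read from a live directory): group1 keeps the thread's uidNumber-style
# member and gains a second member that is a real entry DN.
SAMPLE_LDIF = """\
dn: cn=group1, ou=group,dc=home,dc=net
objectclass: groupOfUniqueNames
gidNumber: 3
cn: group1
uniquemember: uidNumber=30001, ou=people,dc=home,dc=net
uniquemember: uid=test02,ou=people,dc=home,dc=net

dn: uid=test01,ou=people,dc=home,dc=net
uid: test01
uidNumber: 30001
objectClass: posixAccount

dn: uid=test02,ou=people,dc=home,dc=net
uid: test02
uidNumber: 30002
objectClass: posixAccount
"""


def normalize_dn(dn):
    """Lower-case attribute types and drop whitespace around commas so that
    'cn=group1, ou=group' and 'cn=group1,ou=group' compare equal."""
    parts = []
    for rdn in dn.split(","):
        attr, _, val = rdn.strip().partition("=")
        parts.append(f"{attr.strip().lower()}={val.strip()}")
    return ",".join(parts)


def parse_ldif(text):
    """Minimal LDIF reader: {normalized dn: {attribute (lower-case): [values]}}.
    Handles only 'attr: value' lines (no base64 '::' values, no line folding)."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = normalize_dn(value)
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries[dn] = attrs
    return entries


def dangling_members(entries):
    """Return (group dn, member value) pairs whose uniquemember does not name
    an entry in the snapshot. These are the values the reply calls invalid:
    a filter on the user's real DN can never match them."""
    bad = []
    for dn, attrs in entries.items():
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if "groupofuniquenames" not in classes:
            continue
        for member in attrs.get("uniquemember", []):
            if normalize_dn(member) not in entries:
                bad.append((dn, member))
    return bad


def escape_filter_value(value):
    """RFC 4515 escaping for a value interpolated into a search filter, so a
    directory-supplied attribute cannot change the filter's structure."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def group_filter(ldap_uid, people_base="ou=people,dc=home,dc=net"):
    """Build the step-3 filter. An empty Ldap-UID (what the debug output shows
    when the group check runs before ldap has fetched it) is refused instead
    of silently producing '(uniquemember=uidNumber=,ou=people,...)'."""
    if not ldap_uid:
        raise ValueError("Ldap-UID is empty; ldap must run before the group check")
    member_dn = f"uidNumber={ldap_uid},{people_base}"
    return f"(uniquemember={escape_filter_value(member_dn)})"


if __name__ == "__main__":
    snapshot = parse_ldif(SAMPLE_LDIF)
    for group_dn, member in dangling_members(snapshot):
        print(f"{group_dn}: uniquemember {member!r} is not an entry DN")
    print(group_filter("30001"))
```

Running it flags the uidNumber-style member as dangling while the uid=test02 member passes, which is the schema fix the reply recommends over the filter hack; the escaping matters whenever the substituted value comes from directory or client data rather than a fixed number.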

Re: ldap group filter

2011-05-08 Thread Phil Mayers

On 05/08/2011 04:19 PM, crzrobot wrote:

Hi Phil,
Thank You for the response. Your input helps a lot.

I did the modifications you suggested but the fetching of the variable
is done too late. When the checking of the group is done, the
%{control:Ldap-UID} comes up empty, but it is fetched later. See the
freeradius output below.

Is there a possibility that %{control:Ldap-UID} could be filled before
the group test?


Sure. Move the ldap module before the files module, like so:

authorize {
 ...
 ldap
 files
 ...
}


Re: ldap group filter

2011-05-08 Thread Ivan Mate
Hi Phil,

Now it is working as expected. You are a good man.


Thank You





Re:

2011-05-08 Thread pradyumna dash

Hey,

Did you resolve your issue with Radius?

/Pradyumna

--- On Tue, 26/4/11, arpitha arpitha arpitha...@gmail.com wrote:

 From: arpitha arpitha arpitha...@gmail.com
 Subject: 
 To: freeradius-users@lists.freeradius.org
 Date: Tuesday, 26 April, 2011, 10:16 AM
 hi, I'm very new to freeradius, i want
 to setup radius server to
 authenticate another system connected through an access
 point. I'll be
 grateful if anyone can tell the steps to do this or give links to
 the related
 materials. Thanks in advance :-)
 



Simultaneous logins

2011-05-08 Thread Franz
Hi,
I am trying to prevent simultaneous logins on my freeradius server, I need
to do it with MYSQL, I have enabled simul_count query, and enabled sql for
session and accounting. Now, the tricky part is that my server is also my
firewall and all requests are coming to the same nick which is listed on my
clients.conf file, the nas type is other and therefore the check is ignored.
When I set it up as type cisco it gets no response from the SNMP session, and the
wiki suggests that SNMP is not working with version 2.1.10 unless some
modification is done. Can I keep sql accounting and radutmp for session?
Will this work ok?

Thanks

Franz

Re: Simultaneous logins

2011-05-08 Thread Fajar A. Nugraha
On Mon, May 9, 2011 at 5:38 AM, Franz flam...@gmail.com wrote:
 Hi,
 I am trying to prevent simultaneous logins on my freeradius server, I need
 to do it with MYSQL, I have enabled simul_count query, and enabled sql for
 session and accounting.

Seems reasonable

 Now, the tricky part is that my server is also my
 firewall and all requests are coming to the same nick which is listed on my
 clients.conf file, the nas type is other and therefore the check is ignored.
 When I set it up as type cisco it gets no response from the SNMP session, and the
 wiki suggests that SNMP is not working with version 2.1.10 unless some
 modification is done.

I have no idea what you're talking about.

You can have sql manage accounting and session (using the
accounting data), which should be independent of NAS type, without
the need for SNMP or any external command/utility. Look at
simul_count_query and simul_verify_query. Sometimes it's easier to:
- uncomment simul_count_query
- adjust it according to your needs (for example, we use acctstoptime to
store when an accounting packet arrives, including acct-start and
acct-interim, so in our case we can't use the AND acctstoptime IS NULL
part).
- comment-out simul_verify_query

-- 
Fajar


Re: Simultaneous logins

2011-05-08 Thread Franz
What I meant on the second part is that I am using localhost in
clients.conf, so now when I am just checking sessions with sql
simul_count_query, as soon as the request is received by the server it says
the user is already logged in, even if it is not logged in:

checkrad: No NAS type, or type other not checking
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
expand: good - good
Multiple logins (max 1) [MPP attempt]: [C8P7G6/C8P7G6] (from client
localhost port 7 cli 192.168.0.7) good
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}


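Fajar's advice (count sessions from the accounting data with simul_count_query, without SNMP or checkrad) and Franz's output ("type other not checking" followed by "Multiple logins (max 1)") are both about what that count query sees. As an added example, not FreeRADIUS's code and not posted by either of them, the following Python uses sqlite3 to run a count query of the same shape as the stock simul_count_query over a cut-down radacct table and shows how one open row that never received its Stop packet makes a fresh login look like a second session, and how closing stale rows clears it. The usernames, NAS address, timestamps and the simplified accept/reject/verify decision are constructed for the example; the reject branch for nastype other follows the sequence in Franz's debug output rather than the server's full session-verification code.

```python
import sqlite3

# Same shape as the stock simul_count_query: a session is open while its row
# has no stop time. Fajar's schema writes acctstoptime on every accounting
# packet, so in his case this predicate would have to be changed.
SIMUL_COUNT_QUERY = (
    "SELECT COUNT(*) FROM radacct WHERE username = ? AND acctstoptime IS NULL"
)

# Constructed accounting rows; usernames, NAS address and times are made up.
SAMPLE_ROWS = [
    # acctsessionid, username, nasipaddress, acctstarttime, acctstoptime
    ("s1", "alice", "127.0.0.1", "2011-05-08 10:00:00", "2011-05-08 11:00:00"),
    ("s2", "bob",   "127.0.0.1", "2011-05-08 10:05:00", None),  # genuinely live
    ("s3", "carol", "127.0.0.1", "2011-05-01 09:00:00", None),  # Stop never arrived
]


def build_db():
    """In-memory stand-in for the radacct table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct (acctsessionid TEXT, username TEXT, "
        "nasipaddress TEXT, acctstarttime TEXT, acctstoptime TEXT)"
    )
    conn.executemany("INSERT INTO radacct VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def simul_count(conn, username):
    """Number of sessions the count query considers open for this user."""
    return conn.execute(SIMUL_COUNT_QUERY, (username,)).fetchone()[0]


def session_decision(conn, username, simultaneous_use=1, nas_type="other"):
    """Accept when the open-session count is below Simultaneous-Use. At or
    above it, the server would normally ask checkrad to confirm each counted
    session with the NAS; with nastype 'other' there is nothing to ask
    ('type other not checking' in the thread), and the debug output shows the
    login being rejected as a multiple login. Row 's3' does that to carol."""
    count = simul_count(conn, username)
    if count < simultaneous_use:
        return "accept"
    if nas_type == "other":
        return "reject"
    return "verify"


def close_stale_sessions(conn, started_before):
    """Housekeeping that prevents the false 'Multiple logins': stamp a stop
    time on open rows that started before a cutoff. Returns rows closed."""
    cur = conn.execute(
        "UPDATE radacct SET acctstoptime = CURRENT_TIMESTAMP "
        "WHERE acctstoptime IS NULL AND acctstarttime < ?",
        (started_before,),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_db()
    for user in ("alice", "bob", "carol"):
        print(user, simul_count(db, user), session_decision(db, user))
    print("closed", close_stale_sessions(db, "2011-05-08 00:00:00"), "stale row(s)")
    print("carol", session_decision(db, "carol"))
```

The practical check when a user is rejected like this is to run the count query by hand for that username and look at the rows it returns; with no NAS to verify against, every open row is trusted, so lost Stop packets have to be reaped by accounting hygiene rather than by checkrad.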