Re: Huntgroups/preprocess issue 1.1.6

2007-04-25 Thread Craig Huckabee
Alan DeKok wrote:
 Craig Huckabee wrote:
That is sort of the question - what is there to port ?  I don't see 
 any documentation saying the format of the huntgroups file changed from 
 1.1.2 to 1.1.6.
 
   It didn't, but the parser got more careful.  It used to accept (and
 ignore) things that the server didn't support.  It now complains about them.
 

I've narrowed it down even more - only seems to choke on NAS-Port. 
NAS-Port-ID or any other attribute I've tried works fine.

--Craig

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Huntgroups/preprocess issue 1.1.6

2007-04-24 Thread Craig Huckabee

   If this is already a known issue, forgive me - I did not find 
anything in the archives or bug database that appeared relevant.

   I'm trying to upgrade from FreeRADIUS 1.1.2 to 1.1.6 - building from 
source on Debian Linux (sarge).

   The build goes without a hitch, but when running the new version and 
using the existing configuration files I get the following (relevant 
output from 'radiusd -X'):

...
Module: Loaded preprocess
  preprocess: huntgroups = /s/freeradius-1.1/etc/raddb/huntgroups
  preprocess: hints = /s/freeradius-1.1/etc/raddb/hints
  preprocess: with_ascend_hack = no
  preprocess: ascend_channels_per_line = 23
  preprocess: with_ntdomain_hack = no
  preprocess: with_specialix_jetstream_hack = no
  preprocess: with_cisco_vsa_hack = no
  preprocess: with_alvarion_vsa_hack = no
/s/freeradius-1.1/etc/raddb/huntgroups[30]: Parse error (check) for 
entry snt-console: Unknown value 1-22 for attribute NAS-Port
rlm_preprocess: Error reading /s/freeradius-1.1/etc/raddb/huntgroups
radiusd.conf[249]: preprocess: Module instantiation failed.
radiusd.conf[341] Unknown module preprocess.
radiusd.conf[340] Failed to parse authorize section.

   The section in the huntgroups file it is choking on is this:

snt-console NAS-IP-Address == aaa.bbb.ccc.ddd, NAS-Port == 1-22

   If I comment that line out, it also chokes on this entry with a 
slightly different error ('=' expected):

nci-console NAS-IP-Address == aaa.bbb.ccc.ddd, NAS-Port == 1,25-32


So - did the syntax for huntgroups change or is this a real bug ?  This 
config works fine with 1.1.2 - I have not tried any of the versions 
between 1.1.2 and 1.1.6 to narrow down the issue.

I can send the full debug output if needed but I didn't want to clobber 
the list unnecessarily.

Thanks,
Craig


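As an added example (not from the thread or the FreeRADIUS project): a small Python linter for the huntgroups syntax that trips 1.1.6. It reads check items the way the file is written, flags integer attributes such as NAS-Port whose value is a range or a list, and rewrites the range as an anchored regex check item. The entries are constructed, the 192.0.2.x addresses stand in for the aaa.bbb.ccc.ddd placeholders in the post, and the suggestion assumes a `=~` regex against NAS-Port is accepted by the 1.1.x huntgroups parser (the integer is compared as its decimal string), which is worth confirming with `radiusd -X` before relying on it.

```python
import re

# Constructed huntgroups entries for the demo (not the poster's real file);
# the NAS-IP-Address values are documentation addresses standing in for the
# aaa.bbb.ccc.ddd placeholders in the post.
HUNTGROUPS = """\
snt-console NAS-IP-Address == 192.0.2.10, NAS-Port == 1-22
nci-console NAS-IP-Address == 192.0.2.11, NAS-Port == 1,25-32
modems      NAS-IP-Address == 192.0.2.12, NAS-Port-Id == "S0"
"""

# Attributes the dictionary types as integer; a range or list is not a valid
# value for these, which is what the 1.1.6 parser now reports.
INTEGER_ATTRS = {"NAS-Port", "NAS-Port-Type", "Framed-Protocol", "Service-Type"}

# One check item: attribute, operator, value.  The value alternative deliberately
# swallows ",25-32"-style continuations so the broken range syntax is captured
# as one value instead of being split at the comma.
ITEM_RE = re.compile(
    r'\s*(?P<attr>[\w-]+)\s*(?P<op>==|:=|=~|!=|=)\s*'
    r'(?P<val>"[^"]*"|[^\s,]+(?:,\d[^\s,]*)*)\s*,?'
)


def parse_port_spec(spec):
    """Expand '1,25-32' into the set {1, 25, 26, ..., 32}; reject anything else."""
    ports = set()
    for part in spec.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part.strip())
        if not m:
            raise ValueError(f"bad port spec {part!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if lo > hi:
            raise ValueError(f"inverted range {part!r}")
        ports.update(range(lo, hi + 1))
    return ports


def ports_to_regex(ports):
    """Anchored alternation that matches exactly the listed port numbers."""
    return "^(" + "|".join(str(p) for p in sorted(ports)) + ")$"


def port_in_group(regex, port):
    """What the server's =~ compare does with an integer: match its decimal text."""
    return re.search(regex, str(port)) is not None


def lint_huntgroups(text):
    """Return (lineno, group, attr, value, suggestion) for every integer check
    item whose value is not a single integer.  suggestion is the regex form of
    the same range, or None if the value cannot be read as ports at all."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        group, _, rest = line.partition(" ")
        for m in ITEM_RE.finditer(rest):
            attr, op, val = m.group("attr", "op", "val")
            if attr not in INTEGER_ATTRS or op not in ("==", "!="):
                continue
            if re.fullmatch(r"\d+", val):
                continue
            try:
                suggestion = f'{attr} =~ "{ports_to_regex(parse_port_spec(val))}"'
            except ValueError:
                suggestion = None
            findings.append((lineno, group, attr, val, suggestion))
    return findings


if __name__ == "__main__":
    for lineno, group, attr, val, fix in lint_huntgroups(HUNTGROUPS):
        print(f"line {lineno} ({group}): {attr} == {val!r} is not an integer; try: {fix}")
```

One caveat the thread makes clear: 1.1.2 accepted `NAS-Port == 1-22` and silently ignored it, so any access rule built on that huntgroup was never actually restricting ports. The linter's output is therefore also a list of rules to re-verify, not only to re-write.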


Re: Huntgroups/preprocess issue 1.1.6

2007-04-24 Thread Craig Huckabee
inverse wrote:
The build goes without a hitch, but when running the new version and
 using the existing configuration files I get the following (relevant
 output from 'radiusd -X'):
 
 the problem IMHO is in using the existing configuration: I had similar
 issues until I ported mine to the new configuration files, half an
 hour of work.

   That is sort of the question - what is there to port ?  I don't see 
any documentation saying the format of the huntgroups file changed from 
1.1.2 to 1.1.6.

   I can understand having to port config files when making a major 
version leap (e.g. 0.9.3 => 1.1.x), but for a minor version change ?

--Craig


CVS web interface down ?

2006-02-14 Thread Craig Huckabee


Has anyone reported that the FreeRADIUS cvs web interface is down ?  If 
this is a known issue I apologize, didn't find any posts on this list or 
the developers list.


Thanks,
Craig




Re: MS SQL Schema File

2005-10-13 Thread Craig Huckabee



Daniel Corbe wrote:


The mssql.conf file is still there and says:

#  The database schema is available at:
#
#   src/radiusd/src/modules/rlm_sql/drivers/rlm_sql_freetds/db_mssql.sql

:(

-Daniel


Get it from the CVS Attic:

http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_sql/drivers/rlm_sql_freetds/Attic/db_mssql.sql

Grab the 1.3 revision (last one before the file was removed).

--Craig




Re: ldap basedn assignment

2005-08-04 Thread Craig Huckabee

[EMAIL PROTECTED] wrote:

  How do you have this setup?  Check out doc/configurable_failover.  That
  should show you how to do it.

 I'm using configurable failover to get it to roll as it is.
 From my radiusd.conf file:

 [ snip ]

 The above problem line should be:
 rlm_ldap: bind as uid=username, ou=People,
 dc=university,dc=edu,c=us/test123 to
 openldap.university.edu:1744
 However, it is taking the userdn from the ad server which
 gave the first authorize ok. What I need is for it to
 attempt to authenticate with the appropriate userdn
 depending on which server it is authenticating to. So it
 would use the userdn from AD authenticating to the AD server
 and the openldap userdn when authenticating to the openldap
 server.

For what it is worth, we've seen the same problem here - we applied a 
local hack to rlm_ldap.c to work around the problem but it isn't a 
proper fix.

--Craig



Re: syslog

2005-06-09 Thread Craig Huckabee

Miguel Sennoun wrote:

  Set log_destination = syslog and

  log {
  syslog_facility = daemon
  }

 I tried, but it seems not to write radius logs in syslog

Just to be clear - which radius logs are you trying to redirect and 
did you make sure that syslog is running/configured correctly ?

  in your radiusd.conf.  That will get your authentication/authorization
  logs going to syslog under the daemon facility.  This is all in the
  documentation, BTW.

 There is nothing in my documentation (freeradius 1.0.2)

Straight from the distributed radiusd.conf:

#
#  Destination for log messages.  This can be one of:
#
#   files - log to ${log_file}, as defined above.
#   syslog - to syslog (see also the log{} section, below)
#   stdout - standard output
#   stderr - standard error.
#
#  The command-line option -X over-rides this option, and forces
#  logging to go to stdout.
#

That last note is VERY important - if you are testing using -X, you 
won't see anything in syslog.


and further down:

#
#  Logging section.  The various log_* configuration items
#  will eventually be moved here.
#
log {
#
#  Which syslog facility to use, if ${log_destination} == syslog
#
#  The exact values permitted here are OS-dependent.  You probably
#  don't want to change this.
#
syslog_facility = daemon
}


--
/ Craig Huckabee|  e-mail: [EMAIL PROTECTED] /
/ Code 715-CH   |   phone: (843) 218 5653   /
/ SPAWAR Systems Center | close proximity: Hey You!   /
/ Charleston, SC|ICBM:  32.78N, 79.93W  /



Re: syslog

2005-06-09 Thread Craig Huckabee

Miguel Sennoun wrote:

 I would like to redirect all radius logs (even accounting).

Well, as I mentioned accounting isn't there yet unless someone else has 
done it.

 [ SNIP ]

 Thank you for the extract of the radiusd.conf but in mine this section is
 not present. Even in the 1.0.3 conf files. So I added the section but I
 don't know if it is supported by my server.

I went back and looked - it is in the main CVS line but those changes 
were not pulled up for the release versions.  Looks like Alan checked in 
the syslog bits ~11 months ago, but I don't see where they made it up 
into a release version.  Could be missing the merge, though.

We run a build made from the CVS sources, and it works, so if that is an 
option for you then I'd suggest that.

--Craig




Re: syslog

2005-06-08 Thread Craig Huckabee

Miguel Sennoun wrote:

 I wonder if there is a way to treat freeradius logs with the syslog daemon
 (or syslog-ng).

Yes, we do it here...syslog/syslog-ng either works fine.

 I tried the option -l syslog but it appears it doesn't work fine.

Set log_destination = syslog and

log {
syslog_facility = daemon
}

in your radiusd.conf.  That will get your authentication/authorization 
logs going to syslog under the daemon facility.  This is all in the 
documentation, BTW.

If you search the list archives, you'll see where Alan kindly pointed 
out to me where to make some modifications so accounting info could be 
syslog'd as well - I have not had time to do it yet.

HTH,
Craig




Re: Cisco VPN3005 group auth

2005-05-18 Thread Craig Huckabee
John Sorel wrote:
I was able to get both the group and user authenticated on 
the Radius server now but there is no matching of the user
to the group.  

This user can login using any group, not just the one I want
them to use.
How does the radius server match / check the user to the
group?
Sorry for jumping in late on this, but last information I have is that 
there is an open bug with Cisco for their VPN concentrators not obeying 
groups when RADIUS authentication is used.

I don't have a TAC case # for this - we got this information at a recent 
technical summit.

HTH,
Craig


Re: Digest authentication over FreeRadius against an LDAP server

2005-04-01 Thread Craig Huckabee
Alan DeKok wrote:
A. Burak Gurdag [EMAIL PROTECTED] wrote:
I can manage to do digest authentication (according to
sterman-draft-00) over FreeRadius against an LDAP server in which user
passwords are stored in cleartext. I would like to store passwords in
SSHA or MD5 encoded form in the LDAP server. But it does not seem
possible since FreeRadius has no way to know the password to calculate
the digest to authenticate. Am I wrong?

  You're right.  It's impossible.

Do I have to delegate the digest calculation and verification to the
LDAP server to achieve this (in this case I have to put my focus on
the LDAP server that I use)?

  You can't.  The LDAP server has no more information that FreeRADIUS
has, and therefore can't do anything different.
  And there are *no* LDAP servers that can do digest authentication.
That I can guarantee.

Is there another way that you can suggest?

  Store clear-text passwords in LDAP.
  Alan DeKok.
  Or use EAP-TTLS/PAP to get a clear text password from your clients 
and use encrypted passwords in LDAP.

  --Craig


Re: -i and -p commandline options

2005-03-01 Thread Craig Huckabee
Holger Steppke wrote:
Hi,
in the man page i found the comment that this options are deprecated
and listen/bind should be used.
Just my sentence on this why to let them stay in the code :)
I found such options very usfully maintaining same configuration across
multiple redundand servers.
So eg. Radiusd.conf could be the same (pushed from a central storage) where
the commanline option
will be adjusted per server to the ip the servers has.

Regards
Holger
Holger,
  We had this same problem - our fix was to dynamically generate the 
'listen' statements needed on each server during startup and put them in 
a file in /tmp.

  Then our central radiusd.conf uses the 'include' directive to pull in 
that file.

  --Craig
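The approach above (generate the per-host `listen` sections at startup and pull them in with an include), as an added Python example rather than the poster's own script. Two things here are mine and not in the post: the generated file goes into a root-owned directory, because a config fragment sitting in world-writable /tmp under a predictable name can be pre-created or symlinked by any local user and is then read by radiusd as root, and the write is done via mkstemp plus rename so radiusd never sees a partial file. The include path and the address list are placeholders; the 1.x `listen { ipaddr / port / type }` syntax, with `port = 0` meaning the default port for that type, is the form documented in the 1.x radiusd.conf.

```python
import ipaddress
import os
import tempfile

# Hypothetical include location; the real raddb path is whatever ${confdir} is
# on your build.  What matters is that only root can write to the directory.
INCLUDE_PATH = "/etc/raddb/listen.local"


def listen_stanzas(addresses, auth_port=0, acct_port=0):
    """Render FreeRADIUS 1.x listen{} sections, one auth and one acct per address.
    port = 0 tells 1.x to use the default port for that type."""
    out = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)          # rejects anything that is not an IP
        if ip.version != 4:
            raise ValueError(f"{addr}: this generator only emits IPv4 listeners")
        for typ, port in (("auth", auth_port), ("acct", acct_port)):
            out.append(
                "listen {\n"
                f"\tipaddr = {ip}\n"
                f"\tport = {port}\n"
                f"\ttype = {typ}\n"
                "}\n"
            )
    return "".join(out)


def write_private_include(path, content):
    """Write the generated file the way a root-run startup hook should: into the
    same (root-owned) directory as the final path, mode 0600, fsync, then rename.
    mkstemp creates with O_EXCL so it will not follow a planted symlink, and the
    rename is atomic, so radiusd never reads a half-written or foreign file."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(prefix=".listen.", dir=directory)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(content)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, 0o600)
        os.rename(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return path


def roundtrip(addresses):
    """Generate, write into a private scratch directory, read back.  Returns the
    content on disk and the file's permission bits, for checking."""
    with tempfile.TemporaryDirectory() as d:
        path = write_private_include(os.path.join(d, "listen.local"),
                                     listen_stanzas(addresses))
        with open(path) as f:
            content = f.read()
        mode = os.stat(path).st_mode & 0o777
    return content, mode


if __name__ == "__main__":
    # In the startup hook the address list would come from e.g. `hostname -I`;
    # here it is a constructed example.
    print(listen_stanzas(["192.0.2.5"]))
    print("$INCLUDE", INCLUDE_PATH)
```

The shared radiusd.conf then carries a single `$INCLUDE /etc/raddb/listen.local` line, and the only per-host input is the address list.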


Re: DHCP and FreeRADIUS accounting

2005-02-16 Thread Craig Huckabee
David ROUMANET wrote:
Hello,
in wireless network (EAP/TTLS), there is no way to use FreeRADIUS for 
dynamic IP affectation, so I use dhcpd. Unfortunely, I'm not able to 
have accounting with IP address == user.
I will write a script to scan dhcpd log and RADIUS accounting log but 
before I would to be sure nobody has already done this... I don't want 
to re-invent the wheel  ;)

Could anybody help me ? thanks a lot,
David
-
David ROUMANET   Tel : 04 76 51 46 08
Centre Interuniversitaire de Calcul Grenoblois   Fax : 04 76 42 11 71
-

dhcpd is the right tool for that job - I've never understood why people 
think FreeRADIUS should hand out IPs.

What we do is have dhcpd syslog to a central syslog-ng server, which in 
turn filters the incoming data and inserts those logs into a MySQL 
server.  FreeRADIUS can log accounting packets to MySQL as well.

Works well - although I personally would rather have FreeRADIUS use 
'syslog' to log *everything* rather than have a build dependency for 
MySQL in my FreeRADIUS builds.

We log authentication packets via syslog, and I pray to the 'FreeRADIUS 
developer gods' that logging accounting via syslog may be added some day 
(or at least personal time to find to the correct place in the source 
code to add this myself). :)

--Craig
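An added Python example of the correlation the poster does in MySQL, not code from either poster: dhcpd's DHCPACK lines (as they arrive over syslog, so without a year) are joined to RADIUS accounting rows on the client MAC, which dhcpd logs in colon form and the NAS sends as Calling-Station-Id in whatever form it likes. The sample syslog lines and radacct rows are constructed. The join is only as good as the MAC, which the client chooses, and the clocks, which have to agree between the AP, the DHCP server and the RADIUS server.

```python
import re
from datetime import datetime

# Constructed sample data (not from the poster's network).  dhcpd lines as they
# arrive over syslog; accounting rows as rlm_sql would store them in radacct.
DHCPD_SYSLOG = """\
Feb 16 09:12:01 dhcp1 dhcpd: DHCPACK on 10.20.30.41 to 00:11:22:aa:bb:cc (laptop01) via eth0
Feb 16 09:12:05 dhcp1 dhcpd: DHCPACK on 10.20.30.42 to 00:11:22:dd:ee:ff via eth0
Feb 16 09:12:05 dhcp1 dhcpd: DHCPREQUEST for 10.20.30.42 from 00:11:22:dd:ee:ff via eth0
Feb 16 09:40:17 dhcp1 dhcpd: DHCPACK on 10.20.30.41 to 00:11:22:aa:bb:cc (laptop01) via eth0
Feb 16 09:45:00 dhcp1 dhcpd: DHCPACK on 10.20.30.42 to 00:11:22:dd:ee:ff via eth0
"""

RADACCT = [
    # Calling-Station-Id arrives in whatever form the NAS uses: dashes and
    # upper case from one vendor, Cisco dotted quads from another.
    {"username": "alice", "callingstationid": "00-11-22-AA-BB-CC",
     "acctstarttime": "2005-02-16 09:11:58", "acctstoptime": None},
    {"username": "bob", "callingstationid": "0011.22DD.EEFF",
     "acctstarttime": "2005-02-16 09:12:00", "acctstoptime": "2005-02-16 09:30:00"},
]

DHCPACK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd: "
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)
SQL_TS = "%Y-%m-%d %H:%M:%S"


def norm_mac(text):
    """Canonical lower-case colon form so NAS and dhcpd spellings compare equal."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_dhcp_acks(text, year):
    """(timestamp, ip, mac) per DHCPACK; syslog carries no year, so it is supplied."""
    acks = []
    for line in text.splitlines():
        m = DHCPACK_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            acks.append((ts, m["ip"], norm_mac(m["mac"])))
    return acks


def session_user(rows, mac, at):
    """User whose accounting session for this MAC was open at time 'at', else None."""
    for row in rows:
        if norm_mac(row["callingstationid"]) != mac:
            continue
        start = datetime.strptime(row["acctstarttime"], SQL_TS)
        stop = datetime.strptime(row["acctstoptime"], SQL_TS) if row["acctstoptime"] else None
        if start <= at and (stop is None or at <= stop):
            return row["username"]
    return None


def correlate(dhcp_text, rows, year):
    """Join each lease to the RADIUS user holding that MAC when it was handed out."""
    return [(ts, ip, mac, session_user(rows, mac, ts))
            for ts, ip, mac in parse_dhcp_acks(dhcp_text, year)]


if __name__ == "__main__":
    for ts, ip, mac, user in correlate(DHCPD_SYSLOG, RADACCT, 2005):
        print(ts, ip, mac, user or "<no open session>")
```

The last sample lease lands after bob's Stop record and so maps to nobody; in practice that is the row to look at, since an address active on the wire with no open accounting session is either a missed Stop/Start pair or a client that never authenticated.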


Re: PEAP and fatal unknown_ca

2005-02-10 Thread Craig Huckabee
All of you that are having this problem - do you have a server 
certificate on your FreeRADIUS server that has the Microsoft specific 
OIDs and the CA for that certificate installed on the client ?

The built-in supplicant in XP will not validate that server certificate 
if it is missing that OID - as described in the EAP-TLS setup 
documentation.  I'm assuming the same applies to PEAP as well.

HTH,
Craig

Dudley Atkinson wrote:
The problem I experienced was with both the XP built-in client and the Cisco
Aironet Utility.  I haven't tried others.  Maybe I will try the Secure2W.
-atkinson

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On 
Behalf Of Øystein Gåsdal
Sent: Thursday, February 10, 2005 1:34 PM
To: 'freeradius-users@lists.freeradius.org'
Subject: RE: PEAP and fatal unknown_ca

I too have experienced problems when I use the built in 802.1x 
client in WinXP. If I try other clients, like Secure2W, it 
works fine. My guess is that it is a bug in the built-in client.

- Oystein

-Original Message-
From: Dan Armstrong [mailto:[EMAIL PROTECTED] 
Sent: 10. februar 2005 02:51
To: [EMAIL PROTECTED]; freeradius-users@lists.freeradius.org
Subject: Re: PEAP and fatal unknown_ca

Hello,
I've just subscribed to the list, so pardon me if this was 
covered... we 
are using FreeRadius to authenticate PEAP over Cisco Aironets with 
Windows XP.  We can only get it working if we tell XP to 
ignore the cert 
that comes from radius - ie uncheck that Validate Server Certificate 
box.  Mac OS-X seems to work fine..


Re: LDAP?? Why

2005-01-27 Thread Craig Huckabee
Chan Min Wai wrote:
Greeting all,
After sometime on this mailing list I found most of the problem for LDAP
is the EAP stuff.
And always the passwords in LDAP MUST be clear text.
I've one question here.
Is there anyway to put encrypted password in LDAP so free radius will
work with it? (Anyway that is in your mind e.g: mschap, chap ...)
And IF I really insane and want to put an MD5 encrypted password for eap
usage in the LDAP, what kind of modification I'll be looking into and
which program would it be?
Openldap? freeradius LDAP module?
I don't mind to pay for the contribution somehow.
Regards,
Chan Min Wai
EAP-TTLS + PAP.  You keep your LDAP passwords encrypted, 
username/password can be sent unencrypted via PAP inside EAP-TTLS 
encrypted tunnel.

Works great with OSX and Windows XP w/ SecureW2 client installed.

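Why the Digest answer further up and the EAP-TTLS/PAP answer here are two sides of one fact, as an added Python example (not from the thread): the Digest response is MD5 over HA1 = MD5(user:realm:password), so the server has to be able to produce HA1, and an {SSHA} value, SHA1 over password plus salt, cannot be turned into it. PAP inside the TTLS tunnel delivers the cleartext, so the same {SSHA} directory entry verifies fine. Credentials, salt and nonce are constructed; the Digest form is RFC 2617 without qop, which is what draft-sterman carries in the Digest-* attributes.

```python
import base64
import hashlib
import hmac
import os

# Constructed credentials for the demo, not anything from the thread.
USER, REALM, PASSWORD = "alice", "example.com", "correct horse"


def ssha_hash(password, salt=None):
    """OpenLDAP {SSHA} userPassword: base64(SHA1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Verify a cleartext password against an {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 Digest without qop, the form draft-sterman carries in RADIUS:
    HA1 = MD5(user:realm:password), HA2 = MD5(method:uri),
    response = MD5(HA1:nonce:HA2).  HA1 is the only place the password enters."""
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def digest_verify(stored, username, realm, method, uri, nonce, response):
    """Server-side check of a Digest response.  True/False when the store holds
    the cleartext (HA1 can be recomputed); None when it holds an {SSHA} hash,
    because SHA1(pw || salt) cannot be turned back into MD5(user:realm:pw)."""
    if stored.startswith("{SSHA}"):
        return None
    expected = digest_response(username, realm, stored, method, uri, nonce)
    return hmac.compare_digest(expected, response)


def ttls_pap_verify(inner_password, stored):
    """Inside EAP-TTLS the PAP inner method hands the server the cleartext over the
    TLS tunnel, so the LDAP entry can stay hashed; this is the check that works."""
    return ssha_verify(inner_password, stored)
```

The one hashed form Digest can work from is HA1 itself, stored per realm and only useful for that realm; that is not what a directory full of {SSHA} or {MD5} userPassword values gives you, which is why the answer in the thread is cleartext in LDAP or a tunnelled cleartext method.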


Re: Ippool Or DHCP Server.

2004-11-03 Thread Craig Huckabee
Paul Hampson wrote:
On Wed, Nov 03, 2004 at 07:04:09PM +0800, Chan Min Wai wrote:
I hope that radius server can talk to the DHCP server and tell the DHCP
server what ip address to be allocate...

Write a script in that adds the authenticated client's MAC address and
the IP Address you've assigned to the DHCP server's config and reloads
the DHCP server. It'll also have to get rid of other stanzas for that
MAC address/IP address (trusting rlm_ippool to know what IP addresses
are free, which means you need to be getting Accounting packets, I
expect.)
This assumes rlm_ippool can even work with 802.1x... What does it use
for NAS-Port?
Put this in an rlm_exec with (wait=1) after your rlm_ippool module.
Again, this assumes 802.1x (did I call it 802.11x earlier???) happens
before DHCP does. ^_^
802.1x turns the physical port on in the case of a wired network, or 
completes the association of a client to a wireless AP in a wireless 
setup.  The next step is usually your protocol level setup, i.e. 
getting an IP address.

The RADIUS server would normally be out of the loop at the protocol 
level.  You can write a script, or just let the DHCP server give out 
addresses out of a pool, etc.

--Craig


Re: Redhat 8.0 make errors

2004-10-07 Thread Craig Huckabee
RH9 is even worse - gcc is somewhat broken there too.
We just built a good gcc and use it on our RH8, Debian, Solaris, etc 
boxes.  Same for all of our other toolsets - helps reduce the number of 
issues that come about because the 'vendor' decided to go with the 
bleeding edge on something or came up with their own wacky 
build/numbering scheme (see RedHat kernel RPMs and libraries).

Debian 3.0 comes with some really old yet stable versions of things and 
required the least amount of tweaking IMHO - maybe load up that, perhaps 
even using the 'testing' branch ?

HTH,
Craig
Matthew Western, IT Support, Lonsdale wrote:
Oh, that's a comfort then.  :)   can I compile it on a Redhat 9 and
chuck it on a redhat 8 box? 

Perhaps I'd better give up on that box and chuck in a new box to prove
my point   

Ta
M 

-Original Message-
From: Craig Huckabee [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 7 October 2004 10:01 AM
To: [EMAIL PROTECTED]
Subject: Re: Redhat 8.0 make errors


Matthew Western, IT Support, Lonsdale wrote:
Hi All,
I know this is a very bad idea.tm but I'm trying to get FREERadius
working on Redhat 8.0 on a customers internal linux server.The
current build won't compile which doesn't really surprise me.  I was 
wondering if there are any old hands at freeradius that remembers 
which build would work with Redhat 8

I've got it running on a somewhat custom build of RedHat 8 right now. 
The install utility distributed with RH8 is horribly broken, you're
better off replacing it with a valid install.sh that works.

The gcc shipped is also somewhat broken.
--Craig


Re: Redhat 8.0 make errors

2004-10-06 Thread Craig Huckabee

Matthew Western, IT Support, Lonsdale wrote:
Hi All,
I know this is a very bad idea.tm but I'm trying to get FREERadius
working on Redhat 8.0 on a customers internal linux server.The
current build won't compile which doesn't really surprise me.  I was
wondering if there are any old hands at freeradius that remembers which
build would work with Redhat 8
I've got it running on a somewhat custom build of RedHat 8 right now. 
The install utility distributed with RH8 is horribly broken, you're 
better off replacing it with a valid install.sh that works.

The gcc shipped is also somewhat broken.
--Craig


Re: Solaris 9 and pam_radius 1.3.16

2004-09-15 Thread Craig Huckabee
[ long gcc build errors removed ]
The behavior of labels and some other syntax changes happened around gcc 
3.4.0.  For example, for the rlm_x99_token module, in x99_rlm.c, a ';' 
is needed after the label at or around line 547.

The RedHat source RPM has this patch, I don't know how 'correct' gcc's 
behavior is but this fixes the compile issues I had with freeradius. The 
same sorts of changes may be needed for the pam_auth_radius sources.

HTH,
Craig


Re: EAP-TLS: machine authentication

2004-07-22 Thread Craig Huckabee

Joe Meslovich wrote:

I just wanted to add some information to this message. I turned on EAPOL
file tracing in the registry. When I look at the trace log that is
created on the client, an error is occurring when the client should be
generating the response that contains its credentials. The error code in
the EAPOL log is -2146893802. From what I've seen that error code has to
do with not finding a keyset pair.
When doing machine authentication do the certificates need to be installed
in a special manner? When I go into mmc I see the certificates that I
installed in the local computer store.
Joe Meslovich
Joe,
  The advice given by others on using this document : 
http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm

  is good advice.  I've made machine certificates with a private CA and 
bone stock OpenSSL 0.9.7d - I got the same error until I made sure that 
the certificate contained the oid given in that write up.

   If you look at the certificate with mmc and it is created correctly 
it should have just the one possible 'usage' - Proves your identity to 
a remote computer.

HTH,
Craig
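What the PEAP message further up and this EAP-TLS machine-auth message come down to is the extendedKeyUsage extension, shown here as an added Python example (not from the thread or from the HOWTO it links): the server certificate XP validates needs id-kp-serverAuth (1.3.6.1.5.5.7.3.1) and the machine or user certificate XP presents needs id-kp-clientAuth (1.3.6.1.5.5.7.3.2), which is the "Proves your identity to a remote computer" purpose mmc displays. The block encodes and decodes the DER SEQUENCE OF OBJECT IDENTIFIER that the extension value holds and checks a certificate role against it; the extension values it checks are constructed by its own encoder. On a real certificate `openssl x509 -in cert.pem -noout -text` lists the same purposes under "X509v3 Extended Key Usage" as "TLS Web Server Authentication" and "TLS Web Client Authentication".

```python
# PKIX extendedKeyUsage OIDs; the EAP-TLS HOWTO's xpextensions put the first on
# the server certificate and the second on client/machine certificates.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth


def _der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted):
    """OBJECT IDENTIFIER TLV: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + _der_len(len(body)) + bytes(body)


def encode_eku(oids):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId, i.e. the extension value."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Dotted form of an OBJECT IDENTIFIER value (the bytes after tag and length)."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:   # last subidentifier still had its continuation bit set
        raise ValueError("truncated OID")
    return ".".join(map(str, arcs))


def decode_eku(der):
    """Dotted OIDs listed in an extendedKeyUsage extension value."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        t, value, pos = _read_tlv(body, pos)
        if t != 0x06:
            raise ValueError("non-OID inside extKeyUsage")
        oids.append(decode_oid(value))
    return oids


def check_eap_cert(eku_der, role):
    """role 'server': the RADIUS server cert XP validates, needs serverAuth.
    role 'client': the machine/user cert XP presents, needs clientAuth."""
    need = {"server": SERVER_AUTH, "client": CLIENT_AUTH}[role]
    return need in set(decode_eku(eku_der))


if __name__ == "__main__":
    # Constructed extension values, produced by this file's own encoder.
    print(check_eap_cert(encode_eku([SERVER_AUTH]), "server"))   # server cert OK
    print(check_eap_cert(encode_eku([SERVER_AUTH]), "client"))   # not a client cert
```

A certificate with no extendedKeyUsage at all is the other common failure: the check above reports it as missing the purpose, which matches what the XP supplicant does when it refuses the server certificate.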


Re: Machine certificate with XP and freeradius

2004-07-16 Thread Craig Huckabee
Joe,
  I used the 'users' file and a regex to strip that out - it works with 
1.0.0-pre3:

DEFAULT EAP-Message =* ANY, User-Name =~ "^([^/]+)/(.*)$", Autz-Type := PKI-HOST
        FixedHost = `%{2}`,
        Fall-Through = no

  This works for us, hope it helps you.
--Craig
Joe Meslovich wrote:
Yeah I have just stumbled on that registry key. Thanks for the help though
I am now getting requests at the radius server that have host/computername
as the username. I am looking through the documentation for trying to make
that work. And just so everyone knows I am using freeradius 0.9.3. Some of
the examples of saw of stripping out the host/ part looked like they were
for older versions of freeradius.
Joe Meslovich.

On Fri, 16 Jul 2004, Michael Griego wrote:

Normal operation for that type of environment is to have a machine cert
so that the machine can authenticate to the network before a users logs
on to the machine itself, then to have a user cert for each user on the
machine so that once the user logs in, the authentication switches to
that user.
Now, that being said, I believe I remember reading that there is a
registry key you can change that will force the machine to *only* auth
as the machine.  I don't know which key it is off the top of my head,
but it would reside under the
HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL branch of the registry.  You
can probably do some quick web searching and find it.  You have to set
this in the registry though, there is no corresponding GUI setting.  As
for the Authenticate as computer... setting in the Authentication tab,
that only controls the before the user logs in authentication to the
network.
--Mike
On Fri, 2004-07-16 at 06:57, Joe Meslovich wrote:
First off I would like to apologize if this is a frequently asked
question, but I am new to the list.
What I would like to do is authenticate a laptop running Windows XP using
a machine certificate versus a user certificate. So far I have created a
certificate on the freeradius server and made sure that the name in the CN
field is the name of the system. I placed that certificate and the
root.der in the local computer certificate store of the laptop.
From the freeradius side of things I never see a request to authenticate.
The laptop brings up the wireless interface and in the task bar it pops up
a warning stating that it cannot find a certificate with which to
authenticate the system. What do I need to do to make it see that computer
certificate. In the wireless configuration settings I have the thing to
Authenticate as computer when computer information is available.
Do I need to move that certificate to a different place or do I need to do
something to tell the system to look in the local computer store for it.
Joe Meslovich

Joe Meslovich   [EMAIL PROTECTED]
Associate Network/Systems Engineer  IT Center
Tel: (540) 828 - 5343


Authorize Authenticate behavior, rlm_ldap

2004-06-03 Thread Craig Huckabee
Before I go off and start making code changes, I wanted to check if what 
I'm seeing is expected behavior.

First, some background information (this is with FreeRADIUS 1.0.0-pre0):
We have one FreeRADIUS server configured like this
In the modules section...
ldap local_user {
        server = ds1.foo.com
        basedn = "ou=People,dc=foo,dc=com"   <---  One basedn
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        ...
}
ldap corporate_user {
        server = ds1.bar.com
        basedn = "ou=People,dc=bar,dc=com"   <--- A different basedn
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        ...
}
In the authorize section...
group {
local_user {
reject = reject
userlock = reject
ok = return
}
corporate_user {
reject = reject
userlock = reject
ok = return
}
notfound = return
}
In the authenticate section...
Auth-Type LDAP {
group {
local_user {
  reject = 1
}
corporate_user
}
}
Here is what I see - if a user is 'authorized' by the LDAP server from 
'local_user', then an attempt to authenticate that user against the LDAP 
server from 'local_user' is attempted, using uid=%{User-Name}, 
ou=People, dc=foo, dc=com as the Ldap-UserDN.

If that authentication fails, then it attempts to authenticate against 
the LDAP server from corporate_user, with *uid=%{User-Name}, 
ou=People, dc=foo, dc=com as the Ldap-UserDN* (the same as before) and 
NOT uid=%{User-Name}, ou=People, dc=bar, dc=com as the Ldap-UserDN - 
Note the different BaseDNs defined for both servers.

In a nutshell, rlm_ldap doesn't appear to get the right BaseDN or it 
just uses the BaseDN from whatever ldap instance 'authorized' the user. 
 Is that expected behavior ?  Or should it use the BaseDN from the ldap 
instance described in the 'authenticate' section ?

Long story about why we have two LDAP servers with different basedns and 
why a user would need to authenticate off of either one, I won't go into 
that here.  Suffice it to say we're in transition.

Any insight is appreciated,
Craig











Re: Confused by doc/variables.txt

2004-05-10 Thread Craig Huckabee


Alan DeKok wrote:

Craig Huckabee [EMAIL PROTECTED] wrote:

However, if I use this:

DEFAULT User-Name =~ "^([^/]+)/(.*)"
        Foo = `%{2}`
...
then attempt to look at Foo using %{reply:Foo}, I get the expected value 
and the filter works.


  Try the original, but look for foo in %{Foo}, or %{request:Foo}

  Alan DeKok.

Doesn't work - both %{Foo} and %{request:Foo} come back empty when 
setting Foo on the check line in users.

:(

Anything else you can think of ?

--Craig



Re: Confused by doc/variables.txt

2004-05-10 Thread Craig Huckabee


Alan DeKok wrote:

Craig Huckabee [EMAIL PROTECTED] wrote:

Doesn't work - both %{Foo} and %{request:Foo} come back empty when 
setting Foo on the check line in users.


  Hmm...


Anything else you can think of ?


  Try using another attribute.

  Or, follow the code execution in src/modules/rlm_files/rlm_files.c

  Alan DeKok.
I may try the latter later on today.  Thanks!

--Craig





Re: Confused by doc/variables.txt

2004-05-07 Thread Craig Huckabee


Craig Huckabee wrote:

attr_rewrite works but breaks EAP for me :(

I've reattempted using the users file again, and double checked that 
files does indeed come before the ldap sections in the authorize 
section - still get a blank filter.

A debug run shows that files is indeed getting processed, somehow 
'Hint' is never getting set.  Could my regex be wrong ?

DEFAULT User-Name =~ "^([^/]+)/(.*)", Hint := `%{2}`
        Fall-Through = yes

Just to follow up to myself, here is the behavior I'm seeing (using 
FreeRADIUS built from CVS yesterday to include Alan's fix - thanks!)

If I use this in the users file:

DEFAULT User-Name =~ "^([^/]+)/(.*)", Foo := `%{2}`
...
then attempt to look at Foo using %{check:Foo} (in radiusd.conf), I get 
nothing - Foo is empty.

However, if I use this:

DEFAULT User-Name =~ "^([^/]+)/(.*)"
        Foo = `%{2}`
...
then attempt to look at Foo using %{reply:Foo}, I get the expected value 
and the filter works.

(note Foo is defined in the dictionary as a custom attribute, wasn't 
100% sure if that was required - using Hint yielded the same results)

So, should 'check:variable' work for the first case ?  Is this a bug 
or (more likely) something I'm missing from my configuration. 

Thanks in advance and also thanks for the patience while I learn the ins 
and outs of the configuration.

--Craig



Re: Confused by doc/variables.txt

2004-05-06 Thread Craig Huckabee


Kostas Kalevras wrote:

The other idea is to use attr_rewrite as already suggested. In any case, make
sure that the files module comes before ldap in the authorize section for the
above to work.
attr_rewrite works but breaks EAP for me :(

I've reattempted using the users file again, and double checked that 
files does indeed come before the ldap sections in the authorize section 
- still get a blank filter.

A debug run shows that files is indeed getting processed, somehow 'Hint' 
is never getting set.  Could my regex be wrong?

DEFAULT User-Name =~ ^([^/]+)/(.*), Hint := `%{2}`
Fall-Through = yes

Thanks,
Craig


Re: Confused by doc/variables.txt

2004-05-05 Thread Craig Huckabee


Kostas Kalevras wrote:

> The above won't work. You can't just add the User-Name line in the rlm_ldap
> configuration and expect it to work.

I didn't expect it to just work, but I wanted to at least try something 
before posting a question.  The documentation isn't as clear as your 
answer so I was grasping at straws.

> You can either use rlm_attr_rewrite to strip the 'host/' part, or probably add
> a Hint variable in the users file and use that as the filter:
> --users--
> DEFAULT User-Name =~ ^([^/]+)/(.*), Hint := `%{2}`
> --radiusd.conf--
> ldap {
> filter = (cn=%{check:Hint})
> ...
> }

I tried adding the expression to the users file as you suggest - that 
doesn't appear to work either.  I still end up with a cn='' filter.  Any 
other ideas are greatly appreciated.

Thanks,
Craig
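As an added illustration (not code from the thread or from FreeRADIUS itself), this shows what the `^([^/]+)/(.*)` regex suggested above captures from a `host/...` User-Name, and how the `%{2}` value should be escaped per RFC 4515 before it lands in the `(cn=...)` filter, because that substring is lifted straight from the client-supplied User-Name. The sample names are constructed; `hint_from_user_name`, `escape_filter_value` and `ldap_filter_for` are hypothetical helper names.

```python
import re

# Regex from the users-file entry in the thread; FreeRADIUS exposes the groups as %{1} and %{2}.
USER_NAME_RE = re.compile(r"^([^/]+)/(.*)")

# RFC 4515 escapes for the characters that carry meaning inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def hint_from_user_name(user_name):
    """Return (%{1}, %{2}) for a 'prefix/rest' User-Name, or None when the regex does not match.

    [^/]+ stops at the first slash, so 'host/a/b' yields ('host', 'a/b'): the whole
    remainder, further slashes included, ends up in the Hint.
    """
    m = USER_NAME_RE.match(user_name)
    if m is None:
        return None
    return m.group(1), m.group(2)


def escape_filter_value(value):
    """Escape a value so it can only match as a literal attribute value, never as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def ldap_filter_for(user_name):
    """Build the (cn=<Hint>) filter from the thread for one User-Name.

    Returns None when there is no 'host/'-style prefix: in that case Hint is never
    set and the filter would otherwise collapse to an empty cn= match.
    """
    parts = hint_from_user_name(user_name)
    if parts is None:
        return None
    _prefix, hint = parts
    return "(cn=%s)" % escape_filter_value(hint)


if __name__ == "__main__":
    # Constructed sample names, not taken from the thread.
    for name in ("host/ws01.example.com", "host/a/b", "plainuser", "host/a*b(c)"):
        print("%-22s -> %s" % (name, ldap_filter_for(name)))
```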


Re: Compiling with rlm_krb Possible BUG?

2004-04-07 Thread Craig Huckabee
Steve,

Don't do that.  com_err is a standard lib shipped with Kerberos 
because some vendors don't supply one.  If you've got MIT Kerberos 
installed, libcom_err.so should be living in /usr/local/lib.  To ensure 
everything works properly and that you don't have some conflicts between 
SEAM and MIT, make sure /usr/local/lib is first on your system library 
path (check with crle).

What version of Kerberos are you using?  I've got two Solaris 9 
installs (versions 1.2.8 and 1.3.1) and I've built freeradius on both - 
no issues.  Check your kerberos version by using the krb5-config script 
(also shipped with most recent versions of MIT Kerberos).

--Craig

Gary McKinney wrote:

> Steve,
>
> Did moving the com_err from RLM_LIBS line to the HEADERS line correct the problem compiling??
>
> ( you know what they say: Just because it compiled does not mean it compiled!)...
>
> If that corrected the compile problem and it works for you I suspect the changes would
> be of interest to others wanting to use Kerberos as well...
> Gary N. McKinney
>
>  - Original Message -
>  From: Steve OBrien
>  To: [EMAIL PROTECTED]
>  Sent: Tuesday, April 06, 2004 6:33 PM
>  Subject: Re: Compiling with rlm_krb Possible BUG?
>
>  I edited the makefile and moved -lcom_err from the RLM_LIBS line to the HEADERS line and make seemed to work.  Not sure if that is a bug...
>
>  Steve
 



Re: Compiling with rlm_krb

2004-04-07 Thread Craig Huckabee


Steve OBrien wrote:

> > To ensure everything works properly and that you don't have some
> > conflicts between
> > SEAM and MIT
>
> Do you have the Solaris Kerberos packages installed?

I've used the MIT binary packages and built my own.  SEAM is almost 
usable by default, but it falls short in the GSSAPI implementation.

> > I've got two Solaris 9
> > installs (versions 1.2.8 and 1.3.1) and I've built freeradius on both -
> > no issues.
>
> Are you using Kerberos for freeradius authentication?
> If you are would you mind sharing your radiusd.conf Kerberos configuration,
> I have not been able to find much information about it.

We were using it during some tests - I'll see if I have some notes 
laying around and post them.

--Craig
