Re: WebDAV HTTP Auth to RADIUS, possible?

2006-08-31 Thread Michael Check

On 8/30/06, Alan DeKok [EMAIL PROTECTED] wrote:

Michael Check [EMAIL PROTECTED] wrote:
 Is it possible to set up an Apache 1.3 server with WebDAV to
 authenticate to a freeRADIUS?

  Unless I'm mistaken, webdav uses HTTP digest for authentication.
That makes it difficult.

  If it's using basic authentication, mod_auth_radius can help.

 We're using freeRadius 1.1.0 on OSX.4, successfully authenticating
 off an Active Directory master.

  If it's using HTTP digest authentication, then this is impossible.
HTTP digest requires the clear-text password, and AD doesn't supply it.



Thanks Alan and Samuel.  I d/l the mod_auth_radius and got it
installed.  I haven't successfully gotten it to work, but I haven't
spent enough time yet.  Task for today.

WebDAV will allow either Basic or Digest (it uses the same HTTP Auth
mechanism that Apache provides) so I think it will work.  Even with
DAV On, you can have AuthType Basic - so my assumption at this point
is that it will work.  I'll report back to the list.

Thanks!

Michael Check
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
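The Basic-versus-Digest point made in the quoted reply above, worked through as an added example that is not part of the original thread. The Digest arithmetic follows RFC 2617 (qop=auth) and is checked against the RFC's own worked example; the Basic header, user name and password are constructed sample values, and the RADIUS side is only described in comments.

```python
"""Added example (not from the mailing-list posts): why an HTTP Basic
credential can be forwarded to RADIUS but an HTTP Digest credential cannot be
verified by a backend that only answers accept/reject for a supplied password.
Digest computation follows RFC 2617 (qop=auth); the Basic header, user name and
password below are constructed sample values."""
import base64
import hashlib
import hmac


def _md5(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """Client-side RFC 2617 response with qop=auth.
    The password enters only through HA1 = MD5(user:realm:password)."""
    ha1 = _md5("%s:%s:%s" % (user, realm, password))
    ha2 = _md5("%s:%s" % (method, uri))
    return _md5("%s:%s:%s:%s:auth:%s" % (ha1, nonce, nc, cnonce, ha2))


def verify_digest(user, realm, password, method, uri, nonce, nc, cnonce, response):
    """Server-side check: the server must recompute HA1, so it needs the
    clear-text password (or a stored HA1). AD behind RADIUS, which only says
    Access-Accept/Reject for a password the NAS supplies, cannot provide that."""
    expected = digest_response(user, realm, password, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def basic_header(user, password):
    """Build the Authorization header a browser sends for Basic auth."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()


def parse_basic(authorization_header):
    """Basic auth carries user:password in base64, so the web server holds the
    password itself and can hand it to RADIUS as a PAP request (what
    mod_auth_radius does)."""
    scheme, _, b64 = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(b64).decode("utf-8").partition(":")
    return user, password


if __name__ == "__main__":
    # Constructed sample credential
    print(parse_basic(basic_header("mcheck", "s3cret")))
    # RFC 2617 section 3.5 worked example
    print(digest_response("Mufasa", "testrealm@host.com", "Circle Of Life",
                          "GET", "/dir/index.html",
                          "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"))
```

With Basic, `parse_basic` yields the password and the proxy to RADIUS is straightforward; with Digest, `verify_digest` can only be run by a party that already knows the password, which is the reason the reply calls Digest-to-AD impossible.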


Re: Cannot compile and run on Mac OS X 10.4.7

2006-08-29 Thread Michael Check

On 8/22/06, Michael Check [EMAIL PROTECTED] wrote:

We tried googling around and we're happy to hear that freeradius will
be a part of 10.5, but we'd like to get it running now...  There
really are no other docs we've found on getting it compiled (after
difficulty like the above) and installed.  Certainly nothing recent
anyway.  Is it true that it _should_ just work? :)

Thanks in advance for any assistance,


This issue is not really solved, I didn't get it to compile, but I
thought those of you that are looking for a solution to run freeRADIUS
on OSX should look to the package installer that I found.  It is quite
recent (version 1.1.0pre0) and runs great.

The company has a neat product for managing the scripts that you
should look at, too.

Here is the url: http://www.carpestellarem.com

Thanks,

Michael Check


WebDAV HTTP Auth to RADIUS, possible?

2006-08-29 Thread Michael Check

Is it possible to set up an Apache 1.3 server with WebDAV to
authenticate to a freeRADIUS?

Ideally, I would like to tell the Apache directives to look at
freeRADIUS for authentication using the httpd.conf file.

Has anyone ever done this or able to point me in a direction?  Is it
even possible?

We're using freeRadius 1.1.0 on OSX.4, successfully authenticating
off an Active Directory master.

Thanks in advance,

Michael Check


Re: Re: Cannot compile and run on Mac OS X 10.4.7

2006-08-24 Thread Michael Check

On 8/23/06, Stephen Gran [EMAIL PROTECTED] wrote:

I _think_ that it blows up in rlm_exec because it's the first module
that uses a symbol from the radiusd binary (as opposed to a library).
I also think this has something to do with the mystery that is OS X's
linker namespaces.  Beyond that, I'm starting to flounder.  I have no
Mac machine handy to test these assumptions on (and I'm not even sure
how I would test the second one), so I can't really say much more, sorry.


In terms of accessing binaries or libs, would it have anything to do
with permissions?  Is that possible?

Does anyone have any suggestions on using, perhaps, a previous
version?  Or some experience with using a certain version of the OSX
developer tools for compiling?  I know these questions are a bit
obtuse, but I'd like help in even a direction to pursue.


If you don't actually need the modules that cause problems, you can
comment the references out and see if that gets you by.


OK, where to do that?  In the original make file?


Good luck, and sorry, but without something to test on, I'm out of
ideas.


Thanks, I'll need the luck, I guess.

Hey, for grins, I compiled and ran version 1.0.5.  It makes it through
the compile with no problems and when run, I get:

unix: radwtmp = /usr/local/var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
radiusd.conf[10] Failed to link to module 'rlm_eap':
dlopen(rlm_eap.so, 9): image not found


So, similar problem, different module.  Am I on to something here?
Can someone tell me what I am on to? :)

Michael Check


Re: Cannot compile and run on Mac OS X 10.4.7

2006-08-24 Thread Michael Check

On 8/24/06, Lasse [EMAIL PROTECTED] wrote:

I can't say for sure what the problem is, but 1.0.5 is the last one I
have been able  to get running on Mac OS X.


Thanks Lasse, can you tell me a bit about your environment in which it
worked?  (OSX version, DeveloperTools version, platform, etc.)  Did
you change anything at compile or run time?

Thanks,

Michael Check


Cannot compile and run on Mac OS X 10.4.7

2006-08-22 Thread Michael Check
 suppress -o
.libs/rlm_perl-1.1.2.so  rlm_perl.lo  /usr/local/lib/libradius.dylib
-L/usr/local/lib
-L/System/Library/Perl/5.8.6/darwin-thread-multi-2level/CORE -lperl
-ldl -lm -lc -lresolv -lpthread -lc -install_name
/usr/local/lib/rlm_perl-1.1.2.so
/usr/local/src/freeradius-1.1.2/install-sh -c -c
.libs/rlm_perl-1.1.2.soT /usr/local/lib/rlm_perl-1.1.2.so
(cd /usr/local/lib && rm -f rlm_perl.so && ln -s rlm_perl-1.1.2.so rlm_perl.so)
/usr/local/src/freeradius-1.1.2/install-sh -c -c .libs/rlm_perl.lai
/usr/local/lib/rlm_perl.la
/usr/local/src/freeradius-1.1.2/install-sh -c -c .libs/rlm_perl.a
/usr/local/lib/rlm_perl.a
ranlib /usr/local/lib/rlm_perl.a
chmod 644 /usr/local/lib/rlm_perl.a


AND RUNNING sudo radiusd -X, the following error results:

read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
radiusd.conf[1565] Failed to link to module 'rlm_exec':
dlopen(/usr/local/lib/rlm_exec-1.1.2.so, 9): Symbol not found:
_debug_flag   Referenced from: /usr/local/lib/rlm_exec-1.1.2.so
Expected in: flat namespace

AND QUITS IMMEDIATELY

---

We tried googling around and we're happy to hear that freeradius will
be a part of 10.5, but we'd like to get it running now...  There
really are no other docs we've found on getting it compiled (after
difficulty like the above) and installed.  Certainly nothing recent
anyway.  Is it true that it _should_ just work? :)

Thanks in advance for any assistance,

Michael Check


Re: freeRADIUS+AD help

2004-06-16 Thread Michael Check
On 6/15/04 7:18 PM, Veerabhushan Hatte at [EMAIL PROTECTED] wrote:

 I was going through the mail responses and I am facing some problem for the
 same configuration. I have few questions and your help is greatly appreciated.
 1. Do I need enable pam authentication to use LDAP?

I don't think so.  We do not have PAM active on our instance of radiusd.

 2. If I need to use pam, do I need to install OpenLDAP to run LDAP on
 freeRADIUS?

I think you may need openLDAP installed when you compile radiusd.  We run
radiusd on OSX so we already had LDAP installed.  I think I saw your
original email that you were having trouble starting radiusd and one user
suggested that you needed openLDAP prior to compilation.  If it does in fact
now start, you can use the following edits to adjust your configs.  Ours works
like a charm now.

One pitfall we had is that when the user is looked up in AD, the cn= LDAP
property looks at AD's Display Name.  This means that if Michael Check is
logging in as [EMAIL PROTECTED], the Display Name in AD must also be the same
as the account name (user name).  The default in AD is to set cn as 'Michael
Check'.  You need to change it to 'mcheck'.

The same goes for the account that radiusd uses to look up the information
in the AD.  In our case ldapuser and radiusserver.

We still haven't figured out if there is an LDAP property that maps the
username to AD's account (user) name.  If you or others know of it, I'd like
to know.

 If you could send me the configuration file for LDAP configuration, it would
 be really helpful.

The following setup allows users to be authenticated off 2 diff AD LDAP
servers depending on the domain (realm).  Users without a domain are
authenticated off the first AD LDAP server.

The requests come from a ras and a vpn concentrator on the foo1 network to
radiusd which is also on the foo1 network.

We use the AD property access_attr=msNPAllowDialin to determine whether
the user can log in.  This is the boolean in AD whether to allow VPN/Dial-in
under the account properties.

clients.conf

#
client 192.168.2.28 {
secret= secretpass
shortname= vpn.foo1.com
nastype= cisco
}

client 192.168.2.29 {
secret= secretpass
shortname= ras.foo1.com
nastype= patton
}
#

proxy.conf

realm foo1.com {
type= radius
authhost= LOCAL
accthost= LOCAL
}

realm foo2.com {
type= radius
authhost= LOCAL
accthost= LOCAL
}


users


#
# First setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a password was already given earlier in this file).
#
#DEFAULT	Auth-Type := system
#	Fall-Through = 1

#
# Setup all accounts to be checked against the MAI-LDAP module
# This is for users that do not specify a realm (ie. @foo.com)
#
DEFAULT	Autz-Type := FOO1
	Auth-Type := FOO1,
	Fall-Through = 1

DEFAULT Realm == NULL, Autz-Type := FOO1, Auth-Type := FOO1

DEFAULT Realm == foo1.com, Autz-Type := FOO1, Auth-Type := FOO1

DEFAULT	Realm == foo2.com, Autz-Type := FOO2, Auth-Type := FOO2



radiusd.conf

# Lightweight Directory Access Protocol (LDAP)
#
#  This module definition allows you to use LDAP for
#  authorization and authentication (Auth-Type := LDAP)
#
#  See doc/rlm_ldap for description of configuration options
#  and sample authorize{} and authenticate{} blocks
ldap FOO1 {
server = 192.168.2.5
identity = cn=ldapuser,cn=users,dc=foo1,dc=com
password = foopass
basedn = cn=users,dc=foo1,dc=com
filter = (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})
access_attr=msNPAllowDialin
password_attribute=userPassword

# set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
start_tls = no
# set this to 'yes' to use TLS encrypted connections to the
# LDAP database by passing the LDAP_OPT_X_TLS_TRY option to
# the ldap library.
tls_mode = no

# default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
# profile_attribute = radiusProfileDn
#access_attr = dialupAccess

# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap

# ldap_cache_timeout = 120
# ldap_cache_size = 0
ldap_connections_number = 5
# password_header = {clear}
# password_attribute = userPassword
# groupname_attribute = cn
# groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
# groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items = yes

Re: Authenticating to different LDAP servers

2004-06-15 Thread Michael Check
On 6/15/04 8:05 AM, Alan DeKok [EMAIL PROTECTED] wrote:

 authenticate {
 # Uncomment it if you want to use ldap for authentication
 authtype LDAP {
 ldap1
 ldap2
 }   
 
 You've put BOTH ldap modules into one group.  Why?

This was the first try in thinking that the Authentication would cascade
through the servers.  I had set up diff groups in testing, but couldn't get
freeRADIUS to come up with the correct Auth-Type (like you suggest below).
 
 How can we get freeRADIUS to know that we're authenticating off the _second_
 LDAP server?
 
 Put the ldap modules into different authtype groups: LDAP1 and
 LDAP2, and then set Auth-Type to one of LDAP1 or LDAP2.

OK.  I can place them in diff groups as I show below, but how (and where) do
I set the correct Auth-Type?

authenticate {
 authtype LDAP1 {
 ldap1
 }

 authtype LDAP2 {
 ldap2
 }   
}

Thanks in advance,

Michael Check
Solo Group, Inc.

--
[EMAIL PROTECTED]
www.sologroup.com






Authenticating to different LDAP servers

2004-06-14 Thread Michael Check
Hello all,

We are using freeRADIUS version 0.9.3 on a MacOSX box running 10.2.6

We have a Patton dial-in access server that is using freeRADIUS to AAA off
Active Directory running on a W2K box (192.168.2.5) with domain marshall.com

We have now set up a W2003 server (10.0.1.5) running active directory for a
domain msi.com

The domains are on separate LANs but completely routable between.

The Patton is on the marshall.com side of the network and uses LDAP through
freeRADIUS and works great.

Our desire is to configure freeRADIUS to authenticate specific users off the
msi.com domain also using LDAP.

I configured radiusd.conf to authorize off the new server and it does, but
when authentication comes around, it tries to authenticate off the first
LDAP server it finds which is 192.168.2.5

I have tracked the issue to the fact that the radiusd.conf file specifically
states that authentication does not cascade (fall through?) but
authorization does.

Here are the conf file areas:

modules {

# snip

ldap ldap1 {
server = 192.168.2.5
identity = cn=ldapuser,cn=users,dc=marshall,dc=com
password = foo
basedn = cn=users,dc=marshall,dc=com
filter = (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})
access_attr=msNPAllowDialin
password_attribute=userPassword

# snip

}

ldap ldap2 {
server = 10.0.1.5
identity = cn=radiusserver,cn=users,dc=msi,dc=com
password = foo
basedn = ou=merchandisers,dc=msi,dc=com
filter = (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})
# access_attr=msNPAllowDialin
password_attribute=userPassword

# snip

}
}


authorize {

# The ldap module will set Auth-Type to LDAP if it has not already been set
ldap1
ldap2
}

authenticate {
# Uncomment it if you want to use ldap for authentication
authtype LDAP {
ldap1
ldap2
}  
}


So debugging shows that the authorize section works as expected, but, also
as expected, it tries to authenticate off the _first_ LDAP server only and
fails.

How can we get freeRADIUS to know that we're authenticating off the _second_
LDAP server?  I tried setting up another DEFAULT user in the users file
thinking that I could define another Auth-Type, but I cannot figure out how
to direct freeRADIUS to choose the correct DEFAULT user.

Any help is greatly appreciated.

Thanks,

Michael Check
Solo Group, Inc.

--
[EMAIL PROTECTED]
www.sologroup.com


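The realm-based dispatch that the "freeRADIUS+AD help" reply configures (DEFAULT entries keyed on Realm, two ldap module instances, the sAMAccountName filter and the msNPAllowDialin access attribute) and that this last thread asks about, modelled as an added example that is not part of the original posts or of freeRADIUS. The module names FOO1/FOO2 follow the posted config; the realm table, the directory entry and the access_attr semantics (allow only when the attribute is present and TRUE) are assumptions made for illustration.

```python
"""Added example (not from the mailing-list posts): realm-based selection of
the LDAP module and safe construction of the sAMAccountName filter, modelled
on the users/proxy.conf/ldap entries quoted on this page. The realm table,
the sample directory entry and the access_attr semantics are constructed
assumptions for illustration."""

# Realm -> Autz-Type/Auth-Type module, as in the DEFAULT entries of the
# posted users file: no realm (NULL) and foo1.com go to FOO1, foo2.com to FOO2.
REALM_TO_MODULE = {None: "FOO1", "foo1.com": "FOO1", "foo2.com": "FOO2"}


def split_realm(user_name):
    """Emulate the realm module: 'mcheck@foo2.com' -> ('mcheck', 'foo2.com').
    A name without '@' keeps the whole User-Name and has no realm (NULL)."""
    if "@" in user_name:
        stripped, realm = user_name.rsplit("@", 1)
        return stripped, realm.lower()
    return user_name, None


def select_module(user_name):
    """Pick the module for the request's realm. An unknown realm returns
    None so the request is rejected instead of falling through to the first
    LDAP server, which is the behaviour the thread complains about."""
    _, realm = split_realm(user_name)
    return REALM_TO_MODULE.get(realm)


def ldap_escape(value):
    """RFC 4515 escaping of an assertion value, so a User-Name such as
    'x*)(objectClass=*' cannot rewrite the sAMAccountName filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(user_name):
    """Expand (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) safely."""
    stripped, _ = split_realm(user_name)
    return "(sAMAccountName=%s)" % ldap_escape(stripped)


# Constructed AD entry for 'mcheck' in foo1.com. Note that cn equals the
# account name, which is the Display Name pitfall the reply describes.
SAMPLE_ENTRY = {
    "dn": "cn=mcheck,cn=users,dc=foo1,dc=com",
    "sAMAccountName": "mcheck",
    "cn": "mcheck",
    "msNPAllowDialin": "TRUE",
}


def dialin_allowed(entry, access_attr="msNPAllowDialin"):
    """Assumed access_attr semantics: allow only when the attribute is present
    and TRUE; a missing attribute or FALSE denies access."""
    return entry.get(access_attr, "FALSE").upper() == "TRUE"


def authorize(user_name, entry=None):
    """Return (module, ldap_filter, allowed) the way an authorize{} pass
    would decide for one request, given the entry the search returned."""
    module = select_module(user_name)
    if module is None:
        return None, None, False
    ldap_filter = build_filter(user_name)
    stripped, _ = split_realm(user_name)
    allowed = (entry is not None
               and entry.get("sAMAccountName") == stripped
               and dialin_allowed(entry))
    return module, ldap_filter, allowed


if __name__ == "__main__":
    for name in ("mcheck", "mcheck@foo2.com", "mcheck@other.com"):
        print(name, "->", authorize(name, SAMPLE_ENTRY))
```

`select_module` is the piece the thread was missing: the users-file DEFAULT entries do exactly this mapping from Realm to Auth-Type, and the LDAP `filter` line works only because the value is escaped before it is interpolated.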