Re: Configure authentication via LDAP Group membership issue

2007-10-30 Thread David Hobley
All, 

I have still not been able to find a solution for this, it looks like I might 
be able to use an xlat rule for it, but I can't get my head around how to write 
it. Can anyone point me to suitable documentation for xlat - while I have read 
all the docco that comes with the FreeRadius (in /usr/share) I am missing 
something in order to apply it. 

Cheers, 
David 
- Original Message - 
From: David Hobley [EMAIL PROTECTED] 
To: freeradius-users@lists.freeradius.org 
Sent: Tuesday, 23 October 2007 04:10:51 PM (GMT+1000) Australia/Brisbane 
Subject: Configure authentication via LDAP Group membership issue 


I have set up a VPN pointing to a FreeRadius server and have it 
authenticating successfully against my LDAP server, but I would also like to 
limit access to only those people who are a member of the VPN group. 

Normally, this would be simple, but because of the LDAP server I am using, 
the hierarchy looks like this: 

User Account: 

ldapsearch -h ldap -x -b dc=MY,dc=DOMAIN (uid=firstname.lastname) 
dn: uid=firstname.lastname,ou=people,dc=MY,dc=DOMAIN 
uidNumber: 1024 
... 

Group entry is: 

ldapsearch -h ldap -x -b dc=MY,dc=DOMAIN (cn=VPN Users) 
dn: cn=VPN Users,ou=groups,dc=MY,dc=DOMAIN 
memberUid: 1024 
... 

So I need to somehow configure Radius to search on me, get my uidNumber and 
then search on the group. If I skip the searching to get the uidNumber, I 
can configure the Radius (for this single account) correctly: 

In the ldap module I include: 
... 
groupname_attribute = cn
groupmembership_filter = "(memberUid=1024)"
with the following entry in the users file:

DEFAULT Auth-Type = LDAP
        Fall-Through = 1

DEFAULT LDAP-Group == "VPN Users"
        Service-Type = Administrative-User

and this works as expected, but is there any way I can substitute the 1024 
for an ldap search result so I can dynamically return the uidNumber for the 
%{User-Name} field? 

Thanks! 

Cheers, 
David 


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Configure authentication via LDAP Group membership issue [sec=unclassified]

2007-10-30 Thread Ranner, Frank MR
___

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
David Hobley
Sent: Wednesday, 31 October 2007 10:50
To: FreeRadius users mailing list
Subject: Re: Configure authentication via LDAP Group membership issue


...

The memberUid attribute in a posixgroup is supposed to hold the uid, not
the uidNumber. That would make your groupmembership_filter =
(memberUid=%{User-Name}) or more robustly,
groupmembership_filter =
(&(memberUid=%{Stripped-User-Name:-%{User-Name}})(objectClass=posixGroup))

Regards,
Frank Ranner
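As an added example (my own code, not anything posted in this thread and not code from FreeRADIUS), here is a small Python model of the filter Frank suggests. It builds `(&(memberUid=...)(objectClass=posixGroup))` from a User-Name, emulates the `%{Stripped-User-Name:-%{User-Name}}` fallback by dropping an `@realm` suffix, applies RFC 4515 escaping to the expanded value, and evaluates the result against constructed entries that mirror the ones David posted (`uid=firstname.lastname`, `uidNumber 1024`, group `VPN Users`). It shows why a group whose memberUid holds `1024` never matches a uid-based filter, and why the expansion has to be escaped: an unescaped `*` in User-Name turns the assertion into a wildcard that matches any group with at least one member. rlm_ldap performs that escaping itself when it expands `%{...}` inside a filter; the example models the step explicitly so it can be seen. The realm-stripping rule and the in-memory matcher are simplifications and are assumptions of this example.

```python
"""Model of the posixGroup membership filter discussed in the thread.
Added example: not code from the thread or from FreeRADIUS. The directory
entries below are constructed to mirror the ones David posted."""
import re

# RFC 4515 escapes for a value placed inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so the filter matches it literally (rlm_ldap does the
    equivalent when it expands %{...} inside a filter)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def stripped_user_name(user_name: str) -> str:
    """Emulate %{Stripped-User-Name:-%{User-Name}}: if the name carries an
    '@realm' suffix (what the realm module would strip) return the part before
    it, otherwise fall back to the full User-Name. Assumption of this example:
    realms are only ever introduced by '@'."""
    user, sep, _realm = user_name.rpartition("@")
    return user if sep else user_name


def group_filter(user_name: str, escape: bool = True) -> str:
    """Build Frank's filter for one request. escape=False exists only to show
    what happens without RFC 4515 escaping; never do that in production."""
    uid = stripped_user_name(user_name)
    if escape:
        uid = escape_filter_value(uid)
    return f"(&(memberUid={uid})(objectClass=posixGroup))"


def _assertion_to_regex(assertion: str) -> re.Pattern:
    """Translate an LDAP assertion value into a regex: an unescaped '*' is a
    substring wildcard, '\\xx' is one literal byte, anything else is literal."""
    parts = []
    i = 0
    while i < len(assertion):
        ch = assertion[i]
        if ch == "\\" and re.fullmatch(r"[0-9a-fA-F]{2}", assertion[i + 1:i + 3]):
            parts.append(re.escape(chr(int(assertion[i + 1:i + 3], 16))))
            i += 3
        elif ch == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return re.compile("".join(parts), re.DOTALL)


# Only the one filter shape this example builds is understood by the matcher.
_MEMBERSHIP_FILTER = re.compile(
    r"\(&\(memberUid=(.*)\)\(objectClass=posixGroup\)\)", re.DOTALL)


def group_matches(entry: dict, ldap_filter: str) -> bool:
    """Evaluate the membership filter against a single (constructed) group entry."""
    m = _MEMBERSHIP_FILTER.fullmatch(ldap_filter)
    if m is None:
        raise ValueError("not a filter this example understands")
    if "posixGroup" not in entry.get("objectClass", ()):
        return False
    assertion = _assertion_to_regex(m.group(1))
    return any(assertion.fullmatch(v) for v in entry.get("memberUid", ()))


# Constructed entries mirroring the thread's ldapsearch output.
USER = {
    "dn": "uid=firstname.lastname,ou=people,dc=MY,dc=DOMAIN",
    "objectClass": ["posixAccount"], "uid": ["firstname.lastname"], "uidNumber": ["1024"],
}
# The group as it should be populated: memberUid holds the uid.
VPN_GROUP = {
    "dn": "cn=VPN Users,ou=groups,dc=MY,dc=DOMAIN",
    "objectClass": ["posixGroup"], "cn": ["VPN Users"], "memberUid": ["firstname.lastname"],
}
# The group as first posted: memberUid holds the uidNumber, which the filter never sees.
VPN_GROUP_BY_NUMBER = dict(VPN_GROUP, memberUid=["1024"])


def is_vpn_user(user_name: str, group: dict = VPN_GROUP, escape: bool = True) -> bool:
    """Would this User-Name pass the LDAP-Group == "VPN Users" check?"""
    return group_matches(group, group_filter(user_name, escape))


if __name__ == "__main__":
    for name in (USER["uid"][0], "firstname.lastname@MY.DOMAIN", "someone.else", "*"):
        print(f"{name:30} member={is_vpn_user(name)!s:5} "
              f"unescaped={is_vpn_user(name, escape=False)!s:5}  {group_filter(name)}")
    print("uidNumber-keyed group matches firstname.lastname:",
          is_vpn_user(USER["uid"][0], VPN_GROUP_BY_NUMBER))
```

The `escape=False` column is the point to keep in mind when writing any filter that expands a request attribute: User-Name arrives from the NAS, so it is attacker-chosen, and `%{Stripped-User-Name:-%{User-Name}}` is only safe because the module escapes it before the search. The `VPN_GROUP_BY_NUMBER` case is the original problem in the thread: with memberUid populated from uidNumber, no uid-based filter can ever match, and only a User-Name literally equal to `1024` would.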






Re: Configure authentication via LDAP Group membership issue [sec=unclassified]

2007-10-30 Thread David Hobley
Frank, 

Thank you - greatly appreciated. This made me realise that my thinking was 
foggy when I had defined group memberships. All working now. 

Cheers, 
David 
- Original Message - 
From: Frank MR Ranner [EMAIL PROTECTED] 
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org 
Sent: Wednesday, 31 October 2007 10:20:36 AM (GMT+1000) Australia/Brisbane 
Subject: RE: Configure authentication via LDAP Group membership issue 
[sec=unclassified] 

... 
___ 

The memberUid attribute in a posixgroup is supposed to hold the uid, not
the uidNumber. That would make your groupmembership_filter =
(memberUid=%{User-Name}) or more robustly,
groupmembership_filter =
(&(memberUid=%{Stripped-User-Name:-%{User-Name}})(objectClass=posixGroup))

Regards, 
Frank Ranner 



Configure authentication via LDAP Group membership issue

2007-10-23 Thread David Hobley
I have set up a VPN pointing to a FreeRadius server and have it 
authenticating successfully against my LDAP server, but I would also like to 
limit access to only those people who are a member of the VPN group. 

Normally, this would be simple, but because of the LDAP server I am using, 
the hierarchy looks like this: 

User Account: 

ldapsearch -h ldap -x -b dc=MY,dc=DOMAIN (uid=firstname.lastname) 
dn: uid=firstname.lastname,ou=people,dc=MY,dc=DOMAIN 
uidNumber: 1024 
... 

Group entry is: 

ldapsearch -h ldap -x -b dc=MY,dc=DOMAIN (cn=VPN Users) 
dn: cn=VPN Users,ou=groups,dc=MY,dc=DOMAIN 
memberUid: 1024 
... 

So I need to somehow configure Radius to search on me, get my uidNumber and 
then search on the group. If I skip the searching to get the uidNumber, I 
can configure the Radius (for this single account) correctly: 

In the ldap module I include: 
... 
groupname_attribute = cn
groupmembership_filter = "(memberUid=1024)"
with the following entry in the users file:

DEFAULT Auth-Type = LDAP
        Fall-Through = 1

DEFAULT LDAP-Group == "VPN Users"
        Service-Type = Administrative-User

and this works as expected, but is there any way I can substitute the 1024 
for an ldap search result so I can dynamically return the uidNumber for the 
%{User-Name} field? 

Thanks! 

Cheers, 
David 
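As an added example (not David's or Frank's configuration, and not FreeRADIUS's shipped defaults), here is how a practitioner would finish the ldap module and users file once memberUid holds the uid. The hard-coded `(memberUid=1024)` filter from the post is shown beside the dynamic one, and the users file is written so that anyone outside `VPN Users` is rejected by the RADIUS server itself instead of merely not receiving the `Service-Type` reply attribute. The `Reply-Message` text and the assumption that the ldap module is already listed in the `authorize` and `authenticate` sections are mine.

```text
# radiusd.conf, inside ldap { ... }

# Before: pinned to one account. Every request is tested against
# memberUid=1024, so the result never depends on who is asking.
#groupmembership_filter = "(memberUid=1024)"

# After: memberUid holds the uid, so expand the realm-stripped User-Name.
# rlm_ldap escapes the expanded value before the search is sent.
groupname_attribute    = cn
groupmembership_filter = "(&(memberUid=%{Stripped-User-Name:-%{User-Name}})(objectClass=posixGroup))"

# users file

# Members of "VPN Users" authenticate against LDAP and get the reply
# attribute. No Fall-Through, so a match stops here.
DEFAULT LDAP-Group == "VPN Users", Auth-Type := LDAP
        Service-Type = Administrative-User

# Everyone else is refused by the RADIUS server, whatever the VPN
# concentrator would otherwise do with an Access-Accept.
DEFAULT Auth-Type := Reject
        Reply-Message = "Not a member of VPN Users"
```

Check the result with `radiusd -X` and a `radtest` for a member and a non-member: the non-member must receive Access-Reject from the server, not an Access-Accept that the VPN is expected to ignore.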
