Re: Configure authentication via LDAP Group membership issue
All,

I have still not been able to find a solution for this, it looks like I might be able to use an xlat rule for it, but I can't get my head around how to write it. Can anyone point me to suitable documentation for xlat - while I have read all the docco that comes with the FreeRadius (in /usr/share) I am missing something in order to apply it.

Cheers,
David

- Original Message -
From: David Hobley [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, 23 October 2007 04:10:51 PM (GMT+1000) Australia/Brisbane
Subject: Configure authentication via LDAP Group membership issue

I have set up a VPN pointing to a FreeRadius server and have it authenticating successfully against my LDAP server, but I would also like to limit access to only those people who are a member of the VPN group. Normally, this would be simple, but because of the LDAP server I am using, the hierarchy looks like this:

User Account:

    ldapsearch -h ldap -x -b dc=MY,dc=DOMAIN (uid=firstname.lastname)
    dn: uid=firstname.lastname,ou=people,dc=MY,dc=DOMAIN
    uidNumber: 1024
    ...

Group entry is:

    ldapsearch -h ldap -x -b dc=MY,dc=DOMAIN (cn=VPN Users)
    dn: cn=VPN Users,ou=groups,dc=MY,dc=DOMAIN
    memberUid: 1024
    ...

So I need to somehow configure Radius to search on me, get my uidNumber and then search on the group. If I skip the searching to get the uidNumber, I can configure the Radius (for this single account) correctly:

In the ldap module I include:

    ...
    groupname_attribute = cn
    groupmembership_filter = (memberUid=1024)

with the following entry in the users file:

    DEFAULT Auth-Type = LDAP
            Fall-Through = 1

    DEFAULT LDAP-Group == VPN Users
            Service-Type = Administrative-User

and this works as expected, but is there any way I can substitute the 1024 for an ldap search result so I can dynamically return the uidNumber for the %{User-Name} field?

Thanks!

Cheers,
David

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Configure authentication via LDAP Group membership issue [sec=unclassified]
___
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Hobley
Sent: Wednesday, 31 October 2007 10:50
To: FreeRadius users mailing list
Subject: Re: Configure authentication via LDAP Group membership issue

All,

I have still not been able to find a solution for this, it looks like I might be able to use an xlat rule for it, but I can't get my head around how to write it. Can anyone point me to suitable documentation for xlat - while I have read all the docco that comes with the FreeRadius (in /usr/share) I am missing something in order to apply it.

Cheers,
David

- Original Message -
From: David Hobley [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, 23 October 2007 04:10:51 PM (GMT+1000) Australia/Brisbane
Subject: Configure authentication via LDAP Group membership issue

I have set up a VPN pointing to a FreeRadius server and have it authenticating successfully against my LDAP server, but I would also like to limit access to only those people who are a member of the VPN group. Normally, this would be simple, but because of the LDAP server I am using, the hierarchy looks like this:

User Account:

    ldapsearch -h ldap -x -b dc=MY,dc=DOMAIN (uid=firstname.lastname)
    dn: uid=firstname.lastname,ou=people,dc=MY,dc=DOMAIN
    uidNumber: 1024
    ...

Group entry is:

    ldapsearch -h ldap -x -b dc=MY,dc=DOMAIN (cn=VPN Users)
    dn: cn=VPN Users,ou=groups,dc=MY,dc=DOMAIN
    memberUid: 1024
    ...

So I need to somehow configure Radius to search on me, get my uidNumber and then search on the group. If I skip the searching to get the uidNumber, I can configure the Radius (for this single account) correctly:

In the ldap module I include:

    ...
    groupname_attribute = cn
    groupmembership_filter = (memberUid=1024)

with the following entry in the users file:

    DEFAULT Auth-Type = LDAP
            Fall-Through = 1

    DEFAULT LDAP-Group == VPN Users
            Service-Type = Administrative-User

and this works as expected, but is there any way I can substitute the 1024 for an ldap search result so I can dynamically return the uidNumber for the %{User-Name} field?

Thanks!

Cheers,
David

The memberUid attribute in a posixgroup is supposed to hold the uid, not the uidNumber. That would make your

    groupmembership_filter = (memberUid=%{User-Name})

or more robustly,

    groupmembership_filter = (&(memberUid=%{Stripped-User-Name:-%{User-Name}})(objectClass=posixGroup))

Regards,
Frank Ranner
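The following is an added example, not code from either poster or from FreeRADIUS: a small Python model of what rlm_ldap does with the groupmembership_filter suggested in the reply above. It expands the nested %{Stripped-User-Name:-%{User-Name}} xlat for a request, escapes the expanded value per RFC 4515 (a stand-in for rlm_ldap's own escaping, assumed here), and evaluates the finished filter against constructed posixGroup entries. The directory entries, the request attributes, the filter matcher and the function names are all assumptions made for the example; the attribute names and the filter string come from the thread.

```python
"""Added example (not FreeRADIUS code): a constructed model of the rlm_ldap
group check discussed in the thread. It expands the xlat string used in
groupmembership_filter for a request, escapes the expanded value per RFC 4515,
and evaluates the resulting filter against constructed posixGroup entries."""
import re

# Constructed entries: attribute names follow the thread, values are made up.
USER_ENTRY = {
    "uid": ["firstname.lastname"],
    "uidNumber": ["1024"],
}

# A posixGroup as the RFC 2307 schema intends: memberUid holds uid values.
GROUP_CORRECT = {
    "cn": ["VPN Users"],
    "objectClass": ["top", "posixGroup"],
    "memberUid": ["firstname.lastname"],
}

# The layout from the original post: memberUid holds the uidNumber instead.
GROUP_AS_POSTED = dict(GROUP_CORRECT, memberUid=["1024"])

# The filter suggested in the reply, unchanged.
FILTER_XLAT = "(&(memberUid=%{Stripped-User-Name:-%{User-Name}})(objectClass=posixGroup))"

# One %{Attr} or %{Attr:-default} reference whose default holds no braces,
# so nested references are expanded innermost-first.
_XLAT = re.compile(r"%\{([A-Za-z-]+)(?::-([^{}]*))?\}")


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping of a value placed inside a filter, so a User-Name
    containing '*', '(' or ')' cannot change the filter's structure.
    (Stand-in for the escaping rlm_ldap applies to xlat output; assumed.)"""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def expand_xlat(template: str, request: dict) -> str:
    """Expand nested %{Attr:-default} references from a RADIUS request dict.
    Attribute values are escaped; a default is inserted as-is because it was
    itself produced by an earlier (already escaped) expansion."""
    while True:
        m = _XLAT.search(template)
        if m is None:
            return template
        attr, default = m.group(1), m.group(2)
        if attr in request:
            value = ldap_escape(request[attr])
        else:
            value = default if default is not None else ""
        template = template[: m.start()] + value + template[m.end():]


def parse_filter(s: str, i: int = 0):
    """Parse the RFC 4515 subset used here: (&...), (|...), (!...), (attr=value).
    Returns (node, next_index)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, kids), i + 1
    end = s.index(")", i)  # safe: escaped values contain no raw ')'
    attr, _, value = s[i:end].partition("=")
    return ("=", attr, value), end + 1


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry (attribute names are
    case-insensitive, values are compared exactly)."""
    if node[0] == "=":
        _, attr, value = node
        wanted = _unescape(value)
        stored = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
        return wanted in stored
    op, kids = node
    if op == "&":
        return all(matches(k, entry) for k in kids)
    if op == "|":
        return any(matches(k, entry) for k in kids)
    return not matches(kids[0], entry)


def in_group(request: dict, group: dict, filter_xlat: str = FILTER_XLAT) -> bool:
    """Mirror of the rlm_ldap LDAP-Group check: expand groupmembership_filter
    for this request and test whether the group entry satisfies it."""
    node, _ = parse_filter(expand_xlat(filter_xlat, request))
    return matches(node, group)


if __name__ == "__main__":
    plain = {"User-Name": "firstname.lastname"}
    realm = {"User-Name": "firstname.lastname@MY.DOMAIN",
             "Stripped-User-Name": "firstname.lastname"}
    print(expand_xlat(FILTER_XLAT, realm))
    print("correct schema:", in_group(plain, GROUP_CORRECT))               # True
    print("uidNumber in memberUid:", in_group(plain, GROUP_AS_POSTED))     # False
    print("realm stripped:", in_group(realm, GROUP_CORRECT))               # True
    print("wildcard name:", in_group({"User-Name": "*"}, GROUP_CORRECT))   # False
```

Running it shows the three points that matter for the check: a group whose memberUid holds the uidNumber never matches a uid-based filter, the Stripped-User-Name fallback keeps the check working when users log in with a realm suffix, and escaping the expanded name means a User-Name of "*" is compared literally rather than treated as a wildcard. The static (memberUid=1024) filter from the original post matches only that one account, which is why it had to be replaced by the xlat form.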
Re: Configure authentication via LDAP Group membership issue [sec=unclassified]
Frank,

Thank you - greatly appreciated. This made me realise that my thinking was foggy when I had defined group memberships. All working now.

Cheers,
David

- Original Message -
From: Frank MR Ranner [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, 31 October 2007 10:20:36 AM (GMT+1000) Australia/Brisbane
Subject: RE: Configure authentication via LDAP Group membership issue [sec=unclassified]

...

___

The memberUid attribute in a posixgroup is supposed to hold the uid, not the uidNumber. That would make your

    groupmembership_filter = (memberUid=%{User-Name})

or more robustly,

    groupmembership_filter = (&(memberUid=%{Stripped-User-Name:-%{User-Name}})(objectClass=posixGroup))

Regards,
Frank Ranner
Configure authentication via LDAP Group membership issue
I have set up a VPN pointing to a FreeRadius server and have it authenticating successfully against my LDAP server, but I would also like to limit access to only those people who are a member of the VPN group. Normally, this would be simple, but because of the LDAP server I am using, the hierarchy looks like this:

User Account:

    ldapsearch -h ldap -x -b dc=MY,dc=DOMAIN (uid=firstname.lastname)
    dn: uid=firstname.lastname,ou=people,dc=MY,dc=DOMAIN
    uidNumber: 1024
    ...

Group entry is:

    ldapsearch -h ldap -x -b dc=MY,dc=DOMAIN (cn=VPN Users)
    dn: cn=VPN Users,ou=groups,dc=MY,dc=DOMAIN
    memberUid: 1024
    ...

So I need to somehow configure Radius to search on me, get my uidNumber and then search on the group. If I skip the searching to get the uidNumber, I can configure the Radius (for this single account) correctly:

In the ldap module I include:

    ...
    groupname_attribute = cn
    groupmembership_filter = (memberUid=1024)

with the following entry in the users file:

    DEFAULT Auth-Type = LDAP
            Fall-Through = 1

    DEFAULT LDAP-Group == VPN Users
            Service-Type = Administrative-User

and this works as expected, but is there any way I can substitute the 1024 for an ldap search result so I can dynamically return the uidNumber for the %{User-Name} field?

Thanks!

Cheers,
David