Re: How to config to get group attributes

2004-05-05 Thread John Duino

On Wed, 2004-05-05 at 13:13, Alan DeKok wrote:

> > Now one more question: is there any way to get FreeRadius to look at the
> > NIS information, directly or indirectly?
> 
>   NIS supplies a lot of information.  Are you looking to have it read
> group information from NIS?  If so, there's no built-in way to do it.
> 
>   You can, however, run an external shell script to do it.  See the
> "groups" command.  Run the groups command from a shell script (see
> scripts/exec-program-wait), and turn the output into a list of "Class
> += group" attributes.  The server will do the rest.

Brilliant, now we're talkin'!
I added the following Exec-Program-Wait to the raddb/users file:
DEFAULT Auth-Type = System
        Exec-Program-Wait = "/usr/local/System/bin/nis-group-list.sh",
        Fall-Through = 1

And the nis-group-list.sh script is:

#!/bin/bash
# Exec-Program-Wait passes USER_NAME with literal double quotes around the
# name; strip them, or "groups" looks for a user called "joe" (with quotes).
export UN=`echo $USER_NAME|tr -d \"`
# "groups joe" prints "joe : grp1 grp2"; keep the part after the colon and
# emit one Class attribute per group for the reply.
for FF in `/usr/bin/groups "$UN" | cut -d":" -f2`
do
  echo "Class += \"$FF\","
done
echo Framed-IP-Address = 255.255.255.255
exit 0

One strange side-effect was encountered that the export line is used to
overcome. The environment variable $USER_NAME includes quotes around the
name (e.g., if the username is 'joe' the string translates literally as
"joe" including the quotes). 'groups' takes the quotes literally and
errors (cuz the user "joe" doesn't exist, only joe does). So I strip the
quotes. No biggie.

Thanks again for the help! I wouldn't have found the script example
without you as it appears RedHat/Fedora doesn't include them in the
install, only with the source.
-- 
John Duino <[EMAIL PROTECTED]>
National Engineering Technology
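The Exec-Program-Wait approach described in this message, reworked as an added example (this is not John's script and not code from the FreeRADIUS project): the same "Class += ..." reply lines are built by small shell functions so they can be checked from the command line first, as Alan suggests above. It assumes USER_NAME arrives with the literal double quotes John describes and that the groups command lives at /usr/bin/groups as in the post. It goes a little beyond the post's script: it also accepts the bare "wheel staff" output that BSD-style groups commands print, skips group names containing characters that would break the attribute line, and exits non-zero when groups fails for an unknown user instead of sending back an empty group list.

```shell
#!/bin/sh
# Added example, not the script from the post. Assumes USER_NAME is passed
# quoted ("joe") and that /usr/bin/groups is the groups command, as on the
# poster's system.

# Exec-Program-Wait hands over the user name as "joe" including the double
# quotes, which "groups" would take literally. Strip them.
strip_quotes() {
    printf '%s' "$1" | tr -d '"'
}

# Turn one line of "groups" output into reply attributes, in the same
# 'Class += "name",' shape the post's script emits. Accepts both the Linux
# form ("joe : wheel staff") and a bare list ("wheel staff"). Group names
# with characters outside [A-Za-z0-9._-] are skipped so a stray quote or
# comma in a name cannot break the attribute line.
groups_to_attrs() {
    line=$1
    case $line in
        *:*) list=${line#*:} ;;
        *)   list=$line ;;
    esac
    for g in $list; do
        case $g in
            *[!A-Za-z0-9._-]*) continue ;;
        esac
        printf 'Class += "%s",\n' "$g"
    done
}

# Only run the real "groups" command when FreeRADIUS has set USER_NAME, so
# the functions above can also be sourced and exercised by hand.
if [ -n "${USER_NAME:-}" ]; then
    user=$(strip_quotes "$USER_NAME")
    # A user unknown to NIS or the local files makes "groups" fail; exit
    # non-zero rather than returning an empty group list as if it were valid.
    line=$(/usr/bin/groups "$user" 2>/dev/null) || exit 1
    groups_to_attrs "$line"
    echo 'Framed-IP-Address = 255.255.255.255'
fi
```

To try it by hand, source the file and call groups_to_attrs "$(groups joe)" for a known user; the Class lines it prints are exactly what the server would parse when the script runs under Exec-Program-Wait.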


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to config to get group attributes

2004-05-05 Thread Alan DeKok
John Duino <[EMAIL PROTECTED]> wrote:
> Now it works! Hurray! Thank you!

  You're welcome.

> Now one more question: is there any way to get FreeRadius to look at the
> NIS information, directly or indirectly?

  NIS supplies a lot of information.  Are you looking to have it read
group information from NIS?  If so, there's no built-in way to do it.

  You can, however, run an external shell script to do it.  See the
"groups" command.  Run the groups command from a shell script (see
scripts/exec-program-wait), and turn the output into a list of "Class
+= group" attributes.  The server will do the rest.

  Test the shell script from the command-line first, though...

  Alan DeKok.




Re: How to config to get group attributes

2004-05-05 Thread John Duino
> I'm sorry, but I expect people to be able to read the configuration
> file, and make some simple conclusions from it.  In this case, you
> expected a configuration which had NO MENTION of "Class" or
> "Filter-Id" to somehow magically use them.

Conclusions are one thing. For those of us who don't know the difference
it is a leap of knowledge.

>   You're probably using system authentication.  In that case, there's
> a system call used by FreeRADIUS to get the user's password.  That
> system call eventually ends up using NIS, but FreeRADIUS doesn't know
> that.

Understood, and that makes sense. I was (logically) jumping past the
functional steps.

>   I told you.  Replace "Group-Name" with "Class" or "Filter-Id".
> Point the "/etc/group" configuration at a group file from the
> /etc/group directory on your system.

Sorry, that wasn't obvious to me from your previous post.

For completeness of this exchange, I added the following to
radiusd.conf:
passwd etc_group {
        filename = /etc/group
        format = "=Class:::*,User-Name"
        hashsize = 50
        ignorenislike = no
        allowmultiplekeys = yes
        delimiter = ":"
}

and then added "etc_group" in the "authorize" section.
Oh, and because I'm using Fedora, the rlm_passwd is not included. I
downloaded the source and rebuilt freeradius using the RH Spec file
after adding "rlm_passwd" to "src/modules/stable".

Now it works! Hurray! Thank you!

Now one more question: is there any way to get FreeRadius to look at the
NIS information, directly or indirectly?
-- 
John Duino <[EMAIL PROTECTED]>
National Engineering Technology
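As an added example of what the "passwd etc_group" stanza above is meant to produce (this is an independent shell/awk implementation, not rlm_passwd's own code): as I read the format string "=Class:::*,User-Name", field 1 of each group-file line is the group name returned as a Class attribute, and field 4 is the comma-separated member list that is keyed on User-Name. The function below reads group-file lines on stdin and prints the same 'Class += "name",' lines, so the expected result for a user can be checked by hand before debugging the module with radiusd -X. The sample group lines are constructed for this example. Two points it makes visible: member names are matched whole (joe must not match joeb), and a user's primary group is recorded as a gid in /etc/passwd and normally not listed among the members in /etc/group, so a member-list lookup like this one, unlike the "groups" command, will not return it.

```shell
#!/bin/sh
# Added example, independent of rlm_passwd. Reads group-file lines on stdin
# and prints one 'Class += "group",' line per group whose member list
# (field 4) contains the given user.
group_file_classes() {
    user=$1
    # Match whole member names only: "joe" must not match "joeb" or "bjoe".
    # Lines with fewer than 4 fields, and NIS compat lines such as "+:::"
    # (the ones "ignorenislike" is about), carry no members and yield nothing.
    awk -F: -v user="$user" '
        NF >= 4 {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++)
                if (members[i] == user)
                    printf "Class += \"%s\",\n", $1
        }'
}

# Sample group-file lines, constructed for this example (not from any host).
sample_group_file() {
    cat <<'EOF'
root:x:0:
wheel:x:10:joe,alice
staff:x:50:bjoe,joeb
vpn:x:200:joe
+:::
EOF
}

# Usage on a real host: group_file_classes joe < /etc/group
# Usage with the constructed sample: sample_group_file | group_file_classes joe
```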




Re: How to config to get group attributes

2004-05-05 Thread Alan DeKok
John Duino <[EMAIL PROTECTED]> wrote:
> Well, as I stated, I am a newbie at Radius and FreeRadius, and thus, do
> not know all the 'proper' terms. And if I knew how to completely phrase
> my question I would probably know how to solve it!

  The issue isn't so much phrasing as intent.  You described what you
were doing, not what you wanted.

> >   If you edit it to add "Class", or "Filter-Id", it will be a little
> > better.
> 
> Well, again, if I knew exactly of which I speak, I would not be asking
> for help. 

  I'm sorry, but I expect people to be able to read the configuration
file, and make some simple conclusions from it.  In this case, you
expected a configuration which had NO MENTION of "Class" or
"Filter-Id" to somehow magically use them.

> >   The "passwd" module doesn't read directories.  It reads files.  It's
> > documented as reading files.  It's not documented as interacting with
> > NIS.
> 
> I'm a bit confused then: if it doesn't read directories (as in a
> directory server, eg NIS) how is it currently authenticating me via NIS?

  It's not.  The passwd module doesn't authenticate anyone.

  You're probably using system authentication.  In that case, there's
a system call used by FreeRADIUS to get the user's password.  That
system call eventually ends up using NIS, but FreeRADIUS doesn't know
that.

> I am asking for help in configuring freeradius; what do I need to
> do? Is module example "passwd etc_group" the correct place to start?
> If so, and since I thought I already did that and it did not work
> for me, what am I doing wrong?

  I told you.  Replace "Group-Name" with "Class" or "Filter-Id".
Point the "/etc/group" configuration at a group file from the
/etc/group directory on your system.

  Alan DeKok.



Re: How to config to get group attributes

2004-05-05 Thread John Duino
On Wed, 2004-05-05 at 09:21, Alan DeKok wrote:
> John Duino <[EMAIL PROTECTED]> wrote:
> > The NAS understands the "Attribute value pairs" information, in this
> > case either Class(25) or FilterId(11) labeling, with the returned value
> > being the group name(s). See discussion below.
> 
>   It would have helped if you said this at the start.  Talking about
> "why your solution doesn't do what you expect" is often a waste of
> time.

Well, as I stated, I am a newbie at Radius and FreeRadius, and thus, do
not know all the 'proper' terms. And if I knew how to completely phrase
my question I would probably know how to solve it!
> 
>   Instead, talk about what you want to do.  In this case, it's:
> 
>   - send a Class or Filter-Id attribute to the NAS, with the content
> being the names of the Unix groups to which the user belongs.
> 

> > The section I posted
> > previously labeled "passwd etc_group", and is directly FROM the default
> > radiusd.conf, is described as doing exactly what I expect/hope.
> 
>   No, it's not.  It adds a "Group-Name" attribute, not a Class or
> Filter-Id.
> 
>   If you edit it to add "Class", or "Filter-Id", it will be a little
> better.

Well, again, if I knew exactly of which I speak, I would not be asking
for help. 

>   The "passwd" module doesn't read directories.  It reads files.  It's
> documented as reading files.  It's not documented as interacting with
> NIS.

I'm a bit confused then: if it doesn't read directories (as in a
directory server, eg NIS) how is it currently authenticating me via NIS?
> 
>   So the "passwd" module won't read "directories", with "NIS
> extensions".  You've got to point it to each and every "group" file
> you want it to read.  To do this, you probably need multiple instances
> of the module, one for each file you want it to read.


Okay, but at this point for me that's like saying, "To get to the moon
you simply have to build a rocket." I am asking for help in configuring
freeradius; what do I need to do? Is module example "passwd etc_group"
the correct place to start? If so, and since I thought I already did
that and it did not work for me, what am I doing wrong?
-- 
John Duino <[EMAIL PROTECTED]>
National Engineering Technology




Re: How to config to get group attributes

2004-05-05 Thread Alan DeKok
John Duino <[EMAIL PROTECTED]> wrote:
> The NAS understands the "Attribute value pairs" information, in this
> case either Class(25) or FilterId(11) labeling, with the returned value
> being the group name(s). See discussion below.

  It would have helped if you said this at the start.  Talking about
"why your solution doesn't do what you expect" is often a waste of
time.

  Instead, talk about what you want to do.  In this case, it's:

  - send a Class or Filter-Id attribute to the NAS, with the content
being the names of the Unix groups to which the user belongs.

> Why does it not have to do with radiusd.conf?

  The issue is that your problem was poorly defined.  No amount of
editing "radiusd.conf" will cause your problem to become well-defined.

> The section I posted
> previously labeled "passwd etc_group", and is directly FROM the default
> radiusd.conf, is described as doing exactly what I expect/hope.

  No, it's not.  It adds a "Group-Name" attribute, not a Class or
Filter-Id.

  If you edit it to add "Class", or "Filter-Id", it will be a little
better.

>  The radius server, upon positive authentication, should also then
> parse the group directory (/etc/group, in this case, including its
> NIS extension)

  The "passwd" module doesn't read directories.  It reads files.  It's
documented as reading files.  It's not documented as interacting with
NIS.

  So the "passwd" module won't read "directories", with "NIS
extensions".  You've got to point it to each and every "group" file
you want it to read.  To do this, you probably need multiple instances
of the module, one for each file you want it to read.

> and return in the Authenticator additional information labeled as
> "Attribute value pairs" that would, in this case, be the groups the user
> belongs to.

  If you return them in the correct attributes.

  Alan DeKok.



Re: How to config to get group attributes

2004-05-05 Thread John Duino
On Wed, 2004-05-05 at 07:22, Alan DeKok wrote:
> John Duino <[EMAIL PROTECTED]> wrote:
> > Users authenticate fine, but I am not getting any group information back
> > to the Aventail. tcpdump confirms no info being passed. The group info
> > is primarily in NIS, but I have even tried putting some in the local
> > /etc/group for testing without success.
> 
>   There are no standard RADIUS attributes to send group information in
> a RADIUS packet.

I do not know if it is "standard" (eg, RFC defined) but it is possible.
See discussion below.
> 
>   As of recently in the CVS snapshots, there is a "dictionary.unix"
> file, with Unix group related attributes.  However... if the NAS
> documentation doesn't say it understands those attributes, then it
> won't use them.
The NAS understands the "Attribute value pairs" information, in this
case either Class(25) or FilterId(11) labeling, with the returned value
being the group name(s). See discussion below.
> 
> > I'm using Unix authentication (system uses NIS) and I'm attempting
> > to access this from an Aventail EX1500.
> 
>   Uh, no.  The Aventail is authenticating via RADIUS.  FreeRADIUS can
> be configured to do authentication against /etc/passwd, but the
> Aventail NAS doesn't know that this is happening.

Merely a grammatical slip. I know the Aventail is using Radius.
FreeRadius is using the system's Unix-based authentication, which in
this case is NIS-based.
> 
> > I do not totally (obviously) grasp the intricacies of the radiusd.conf
> > file, multiple authentication schemes, etc.
> 
>   It has nothing to do with "radiusd.conf".
> 
>   Why are you trying to send Unix group information to the NAS?

Why does it not have to do with radiusd.conf? The section I posted
previously labeled "passwd etc_group", and is directly FROM the default
radiusd.conf, is described as doing exactly what I expect/hope. The
radius server, upon positive authentication, should also then parse the
group directory (/etc/group, in this case, including its NIS extension)
and return in the Authenticator additional information labeled as
"Attribute value pairs" that would, in this case, be the groups the user
belongs to.

I am trying to get this because it allows me to use 'predefined' groupings
of people (in this case, people within certain unix-based groups) as
another criterion in my ACLs on the Aventail.
-- 
John Duino <[EMAIL PROTECTED]>
National Engineering Technology




Re: How to config to get group attributes

2004-05-05 Thread Alan DeKok
John Duino <[EMAIL PROTECTED]> wrote:
> Users authenticate fine, but I am not getting any group information back
> to the Aventail. tcpdump confirms no info being passed. The group info
> is primarily in NIS, but I have even tried putting some in the local
> /etc/group for testing without success.

  There are no standard RADIUS attributes to send group information in
a RADIUS packet.

  As of recently in the CVS snapshots, there is a "dictionary.unix"
file, with Unix group related attributes.  However... if the NAS
documentation doesn't say it understands those attributes, then it
won't use them.

> I'm using Unix authentication (system uses NIS) and I'm attempting
> to access this from an Aventail EX1500.

  Uh, no.  The Aventail is authenticating via RADIUS.  FreeRADIUS can
be configured to do authentication against /etc/passwd, but the
Aventail NAS doesn't know that this is happening.

> I do not totally (obviously) grasp the intricacies of the radiusd.conf
> file, multiple authentication schemes, etc.

  It has nothing to do with "radiusd.conf".

  Why are you trying to send Unix group information to the NAS?

  Alan DeKok.



Re: How to config to get group attributes

2004-05-05 Thread Milver S. Nisay
> I'm a complete radius newbie and I can't manage to get this to work.
> Running v0.9.3 on Fedora Core 1. I'm using Unix authentication (system
> uses NIS) and I'm attempting to access this from an Aventail EX1500.
>
> Users authenticate fine, but I am not getting any group information back
> to the Aventail. tcpdump confirms no info being passed. The group info
> is primarily in NIS, but I have even tried putting some in the local
> /etc/group for testing without success.

I understand that you are trying to authenticate group users?
>
> I do not totally (obviously) grasp the intricacies of the radiusd.conf
> file, multiple authentication schemes, etc. but here are the things I
> did that I thought would make it work:
>
radiusd -X helps a lot in debugging mode.
FC1 includes the freeradius package. I have done freeradius+MySQL under FC1 as
well.






How to config to get group attributes

2004-05-04 Thread John Duino
I'm a complete radius newbie and I can't manage to get this to work.
Running v0.9.3 on Fedora Core 1. I'm using Unix authentication (system
uses NIS) and I'm attempting to access this from an Aventail EX1500.

Users authenticate fine, but I am not getting any group information back
to the Aventail. tcpdump confirms no info being passed. The group info
is primarily in NIS, but I have even tried putting some in the local
/etc/group for testing without success.

I do not totally (obviously) grasp the intricacies of the radiusd.conf
file, multiple authentication schemes, etc. but here are the things I
did that I thought would make it work:

I uncommented and/or changed the following in radiusd.conf:
passwd etc_group {
        filename = /etc/group
        format = "=Group-Name:::*,User-Name"
        hashsize = 50
        ignorenislike = no
        allowmultiplekeys = yes
        delimiter = ":"
}

Do I need to add something else somewhere? HELP!

TIA!
-- 
John Duino <[EMAIL PROTECTED]>
National Engineering Technology

