Re: LDAP related questions

2006-07-02 Thread Kostas Zorbadelos
On Sat, Jul 01, 2006 at 12:04:24PM -0400, Alan DeKok wrote:
> Kostas Zorbadelos <[EMAIL PROTECTED]> wrote:
> > I saw the cvs version and indeed it contains the code you
> > describe. This is a very useful feature. The feature is not contained
> > in the latest stable (1.1.2) version. Will it be in the next?
> 
>   Probably in 2.0, which we hope to release before the next millennium.
>

OK, till then, I guess if we need the functionality, we patch the
stable version... -:)

 
>   Alan DeKok.

-- 
  Kostas Zorbadelos
  [EMAIL PROTECTED] contact: kzorba (at) otenet.gr
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP related questions

2006-07-01 Thread Alan DeKok
Kostas Zorbadelos <[EMAIL PROTECTED]> wrote:
> I saw the cvs version and indeed it contains the code you
> describe. This is a very useful feature. The feature is not contained
> in the latest stable (1.1.2) version. Will it be in the next?

  Probably in 2.0, which we hope to release before the next millennium.

  Alan DeKok.


Re: LDAP related questions

2006-06-30 Thread Kostas Zorbadelos
On Wed, Jun 28, 2006 at 04:21:14PM +0300, Kostas Kalevras wrote:
> On Wed, 28 Jun 2006, Kostas Zorbadelos wrote:
> 
> >On Wed, Jun 28, 2006 at 02:09:15PM +0300, Kostas Kalevras wrote:
> >>>On Wed, Jun 28, 2006 at 11:56:27AM +0300, Kostas Zorbadelos wrote:
> >>>
> >>>I have a few suspicions where the problem might be.
> >>>Is there a way to define the operator in the radius check attributes
> >>>of ldap (without using the generic radiusCheckItem attribute)?
> >>
> >>radiusSessionTimeout: += 
> >>
> >
> >I meant in ldap.attrmap.
> >When I define for example
> >
> >checkItem   Group-Name  radiusProfile
> >
> >what is the operator implied (& op=21 in the debugging output)?
> >Can this be changed?
> 
> In the cvs version at least an extra field is supported in ldap.attrmap 
> which sets the operator to be used. Don't know if it's supported in the 
> stable versions.
>

Thanks Kostas, 
I saw the cvs version and indeed it contains the code you
describe. This is a very useful feature. The feature is not contained
in the latest stable (1.1.2) version. Will it be in the next?


-- 
  Kostas 
  [EMAIL PROTECTED] contact: kzorba (at) otenet.gr
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.



Re: LDAP related questions

2006-06-28 Thread Kostas Kalevras

On Wed, 28 Jun 2006, Kostas Zorbadelos wrote:

> On Wed, Jun 28, 2006 at 02:09:15PM +0300, Kostas Kalevras wrote:
> >>On Wed, Jun 28, 2006 at 11:56:27AM +0300, Kostas Zorbadelos wrote:
> >>
> >>I have a few suspicions where the problem might be.
> >>Is there a way to define the operator in the radius check attributes
> >>of ldap (without using the generic radiusCheckItem attribute)?
> >
> >radiusSessionTimeout: += 
> >
> 
> I meant in ldap.attrmap.
> When I define for example
> 
> checkItem   Group-Name  radiusProfile
> 
> what is the operator implied (& op=21 in the debugging output)?
> Can this be changed?

In the cvs version at least an extra field is supported in ldap.attrmap which 
sets the operator to be used. Don't know if it's supported in the stable 
versions.


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Re: LDAP related questions

2006-06-28 Thread Kostas Zorbadelos
On Wed, Jun 28, 2006 at 02:09:15PM +0300, Kostas Kalevras wrote:
> >On Wed, Jun 28, 2006 at 11:56:27AM +0300, Kostas Zorbadelos wrote:
> >
> >I have a few suspicions where the problem might be.
> >Is there a way to define the operator in the radius check attributes
> >of ldap (without using the generic radiusCheckItem attribute)?
> 
> radiusSessionTimeout: += 
>

I meant in ldap.attrmap.
When I define for example 

checkItem   Group-Name  radiusProfile

what is the operator implied (& op=21 in the debugging output)?
Can this be changed?


-- 
  Kostas Zorbadelos
  [EMAIL PROTECTED] contact: kzorba (at) otenet.gr
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.



Re: LDAP related questions

2006-06-28 Thread Kostas Zorbadelos
On Wed, Jun 28, 2006 at 02:11:00PM +0300, Kostas Kalevras wrote:
> On Wed, 28 Jun 2006, Kostas Zorbadelos wrote:
> 
> >Hello to everyone.
> >
> >I have a question regarding a configuration I am trying to achieve. I
> >have users stored in an ldap database. An example user entry looks
> >like this:
> >
> >dn: uid=kzorba,ou=people,dc=company,dc=gr
> >cn: ZORBADELOS KONSTANTINOS
> >uid: kzorba
> >clearTextPwd: mypassword
> >radiusProfile: PSTN_STATIC
> >radiusAccountStatus: activated
> >radiusMaxLogins: 1
> >radiusExpDate: 2030/12/31 00:00:00
> >Framed-IP-Address: 62.103.176.39
> >objectClass: account
> >objectClass: MyRadiusAccount
> >objectClass: top
> >
> >The attribute radiusProfile groups the users. For each group we have a
> >corresponding profile
> 
> Why not put the full profile DN in radiusProfile? Then you can use the 
> profile_attribute mechanism
>

That would be perfect, however we already have the users database and
we use a different Radius software. Our data are in the form I
described. Any modifications would require migration and this is what
I am trying to avoid. 


-- 
  Kostas Zorbadelos
  [EMAIL PROTECTED] contact: kzorba (at) otenet.gr
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.



Re: LDAP related questions

2006-06-28 Thread Kostas Kalevras

On Wed, 28 Jun 2006, Kostas Zorbadelos wrote:

> Hello to everyone.
> 
> I have a question regarding a configuration I am trying to achieve. I
> have users stored in an ldap database. An example user entry looks
> like this:
> 
> dn: uid=kzorba,ou=people,dc=company,dc=gr
> cn: ZORBADELOS KONSTANTINOS
> uid: kzorba
> clearTextPwd: mypassword
> radiusProfile: PSTN_STATIC
> radiusAccountStatus: activated
> radiusMaxLogins: 1
> radiusExpDate: 2030/12/31 00:00:00
> Framed-IP-Address: 62.103.176.39
> objectClass: account
> objectClass: MyRadiusAccount
> objectClass: top
> 
> The attribute radiusProfile groups the users. For each group we have a
> corresponding profile

Why not put the full profile DN in radiusProfile? Then you can use the 
profile_attribute mechanism


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Re: LDAP related questions

2006-06-28 Thread Kostas Kalevras

On Wed, 28 Jun 2006, Kostas Zorbadelos wrote:

> On Wed, Jun 28, 2006 at 11:56:27AM +0300, Kostas Zorbadelos wrote:
> 
> I have a few suspicions where the problem might be.
> Is there a way to define the operator in the radius check attributes
> of ldap (without using the generic radiusCheckItem attribute)?

radiusSessionTimeout: += 


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Re: LDAP related questions

2006-06-28 Thread Kostas Zorbadelos
On Wed, Jun 28, 2006 at 11:56:27AM +0300, Kostas Zorbadelos wrote:

I have a few suspicions where the problem might be.
Is there a way to define the operator in the radius check attributes
of ldap (without using the generic radiusCheckItem attribute)?



-- 
  Kostas Zorbadelos
  [EMAIL PROTECTED] contact: kzorba (at) otenet.gr
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.



LDAP related questions

2006-06-28 Thread Kostas Zorbadelos
Hello to everyone.

I have a question regarding a configuration I am trying to achieve. I
have users stored in an ldap database. An example user entry looks
like this:

dn: uid=kzorba,ou=people,dc=company,dc=gr
cn: ZORBADELOS KONSTANTINOS
uid: kzorba
clearTextPwd: mypassword
radiusProfile: PSTN_STATIC
radiusAccountStatus: activated
radiusMaxLogins: 1
radiusExpDate: 2030/12/31 00:00:00
Framed-IP-Address: 62.103.176.39
objectClass: account
objectClass: MyRadiusAccount
objectClass: top

The attribute radiusProfile groups the users. For each group we have a
corresponding profile

# PSTN_STATIC, radiusProfiles, company.gr
dn: cn=PSTN_STATIC,ou=radiusProfiles,dc=company,dc=gr
cn: PSTN_STATIC
objectClass: freeradiusProfile
objectClass: top
radiusNASPortType: Async
radiusFramedProtocol: PPP
radiusCisco-AVPair: lcp:interface-config#1=ip vrf forwarding STATIC_USER
radiusCisco-AVPair: lcp:interface-config#2=ip unnumbered Loopback1001
radiusServiceType: Framed

Now, I want to authorize the user according to this information. I
have read and tried the configuration described in ldap_howto.txt
shipped in the freeradius distribution. It uses the Ldap-Group
attribute and the users file. This configuration is sub-optimal
because it generates many ldap queries trying to figure out in which
group a user belongs. If we have many entries in the users file, one
for each group, each entry will generate a couple of queries until the
matching entry is found. So if we have, for example, a hundred groups
and the last one in the users file matches, we will have generated ~200
ldap queries, just to find the group the user belongs to.

I try the following alternative approach:

#ldap.attrmap
checkItem   Group   radiusProfile

#users file
...
DEFAULT Group == PSTN_STATIC, User-Profile := "cn=PSTN_DYNAMIC,ou=radiusProfiles,dc=company,dc=gr"
	Fall-Through = no
DEFAULT Auth-Type := Reject
	Reply-Message = "Unauthorized access."


#radiusd.conf

authorize {
	preprocess
	chap
	mschap
	suffix
	ldap
	files
	ldap
}


In the first pass through the ldap module I want to set the Group
attribute, then in users file set the User-Profile and I use one more
pass through the ldap module to get the profile attributes. However
this is what I get when testing with radclient:

rad_recv: Access-Request packet from host 127.0.0.1:41392, id=167, length=52
User-Name = "kzorba"
User-Password = "XX"
NAS-IP-Address = 62.103.0.99
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "kzorba", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "kzorba"
rlm_realm: Proxying request from user kzorba to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for kzorba
radius_xlat:  '(&(uid=kzorba)(objectClass=MyRadiusAccount)(radiusAccountStatus=activated))'
radius_xlat:  'ou=people,dc=company,dc=gr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldapserver.company.gr:489, authentication 0
rlm_ldap: bind as cn=Directory Manager/XX to ldapserver.company.gr:489
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=company,dc=gr, with filter (&(uid=kzorba)(objectClass=MyRadiusAccount)(radiusAccountStatus=activated))
rlm_ldap: Added password XX in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusProfile as Group, value PSTN_STATIC & op=21
^^
rlm_ldap: Adding radiusMaxLogins as Simultaneous-Use, value 1 & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding Framed-IP-Address as Framed-IP-Address, value 62.103.176.39 & op=11
rlm_ldap: user kzorba authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
users: Matched entry DEFAULT at line 82
^^^(?)
Here, the files module does not match the line with the Group == PSTN_STATIC 
condition, but the last DEFAULT line that rejects the user

  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for kzorba
radius_xlat:  '(&(uid=kzorba)(objectClass=MyRadiusAccount)(radiusAccountStatus=activated))'
radius_xlat:  'ou=people,dc=company,dc=gr'
rlm_ldap:
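The "op=21" and "op=11" numbers in the rlm_ldap debug output above, and the users-file match that follows them, can be decoded with a small model. The Python below is an added example written for this archive page; it is not FreeRADIUS code and not part of the thread. It assumes the operator numbering of the FreeRADIUS 1.x token enum (op=21 is `==`, the default for check items; op=11 is `=`, the default for reply items) and a deliberately simplified version of the rule that rlm_files evaluates a users entry's check items against the attributes of the request packet only, whereas rlm_ldap adds its check items to a separate check-item list. Under that model a `Group == PSTN_STATIC` condition cannot be satisfied by a `Group` that exists only in the check-item list, which is one explanation consistent with the log. The names `OPS`, `REQUEST`, `USERS_ENTRIES`, `which_entry_matches` and the hypothetical "Group in the request" case are this example's own.

```python
# Constructed example: a simplified model of how FreeRADIUS 1.x decides
# whether a `users` file entry matches a request. NOT FreeRADIUS code.
# Operator numbering follows the FR_TOKEN enum of FreeRADIUS 1.x
# (src/include/token.h); the matching rules are a reduced model of
# paircompare(), kept to the operators that matter for the thread.

OPS = {
    8: "+=", 9: "-=", 10: ":=", 11: "=", 12: "!=", 13: ">=", 14: ">",
    15: "<=", 16: "<", 17: "=~", 18: "!~", 19: "=*", 20: "!*", 21: "==",
}


def decode_op(code):
    """Map an `op=NN` number from the rlm_ldap debug log to its operator."""
    return OPS[code]


def check_items_match(request_pairs, check_items):
    """True if every check item is satisfied by the request packet pairs.

    Modelled rules:
      ':=' / '+='  set configuration values and never fail
      '=*' / '!*'  test presence / absence of the attribute
      '==' / '!='  require the attribute in the request and compare it
    Other comparison operators are left out of this model.
    """
    for attr, op, value in check_items:
        if op in (":=", "+="):
            continue
        found = [v for a, v in request_pairs if a == attr]
        if op == "=*":
            if not found:
                return False
        elif op == "!*":
            if found:
                return False
        elif op == "==":
            if value not in found:
                return False
        elif op == "!=":
            if not found or value in found:
                return False
        else:
            raise ValueError("operator not modelled: %s" % op)
    return True


def match_users_file(request_pairs, entries):
    """Return the label of the first matching entry (Fall-Through not modelled).

    `entries` is a list of (username, label, check_items); username is a
    User-Name or "DEFAULT". As in rlm_files, only request packet pairs are
    consulted, never the check-item list filled by earlier modules.
    """
    user = dict(request_pairs).get("User-Name")
    for username, label, check_items in entries:
        if username != "DEFAULT" and username != user:
            continue
        if check_items_match(request_pairs, check_items):
            return label
    return None


# Request attributes as printed by the radclient test in the thread.
REQUEST = [
    ("User-Name", "kzorba"),
    ("User-Password", "XX"),
    ("NAS-IP-Address", "62.103.0.99"),
]

# What rlm_ldap added ("value PSTN_STATIC & op=21"): a *check item*,
# which in this model is not part of the request packet.
LDAP_CHECK_ITEMS = [("Group", decode_op(21), "PSTN_STATIC")]

# The two DEFAULT entries from the users file quoted in the thread.
USERS_ENTRIES = [
    ("DEFAULT", "pstn_static",
     [("Group", "==", "PSTN_STATIC"),
      ("User-Profile", ":=", "cn=PSTN_DYNAMIC,ou=radiusProfiles,dc=company,dc=gr")]),
    ("DEFAULT", "reject", [("Auth-Type", ":=", "Reject")]),
]


def which_entry_matches():
    """Group lives only in LDAP_CHECK_ITEMS, so the first DEFAULT cannot match."""
    return match_users_file(REQUEST, USERS_ENTRIES)


def which_entry_matches_if_group_in_request():
    """Hypothetical: the same attribute placed in the request packet instead."""
    return match_users_file(REQUEST + [("Group", "PSTN_STATIC")], USERS_ENTRIES)


if __name__ == "__main__":
    print("op=21 is", decode_op(21), "and op=11 is", decode_op(11))
    print("matched entry:", which_entry_matches())
    print("matched entry with Group in request:",
          which_entry_matches_if_group_in_request())
```

Running the block reports that, with the request exactly as radclient sent it, the first entry that matches is the rejecting DEFAULT, which is the behaviour the debug output shows; only when `Group` is present in the request packet itself does the `Group == PSTN_STATIC` entry win.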