Re: LDAP related questions
On Sat, Jul 01, 2006 at 12:04:24PM -0400, Alan DeKok wrote:
> Kostas Zorbadelos <[EMAIL PROTECTED]> wrote:
> > I saw the cvs version and indeed it contains the code you
> > describe. This is a very useful feature. The feature is not contained
> > in the latest stable (1.1.2) version. Will it be in the next?
>
> Probably in 2.0, which we hope to release before the next millennium.
>

OK, till then, I guess if we need the functionality, we patch the stable
version... -:)

> Alan DeKok.

--
Kostas Zorbadelos [EMAIL PROTECTED]
contact: kzorba (at) otenet.gr
Out there in the darkness, out there in the night
out there in the starlight, one soul burns brighter than a thousand suns.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: LDAP related questions
Kostas Zorbadelos <[EMAIL PROTECTED]> wrote:
> I saw the cvs version and indeed it contains the code you
> describe. This is a very useful feature. The feature is not contained
> in the latest stable (1.1.2) version. Will it be in the next?

Probably in 2.0, which we hope to release before the next millennium.

Alan DeKok.
Re: LDAP related questions
On Wed, Jun 28, 2006 at 04:21:14PM +0300, Kostas Kalevras wrote:
> On Wed, 28 Jun 2006, Kostas Zorbadelos wrote:
>
> > On Wed, Jun 28, 2006 at 02:09:15PM +0300, Kostas Kalevras wrote:
> > > > On Wed, Jun 28, 2006 at 11:56:27AM +0300, Kostas Zorbadelos wrote:
> > > >
> > > > I have a few suspicions where the problem might be.
> > > > Is there a way to define the operator in the radius check attributes
> > > > of ldap (without using the generic radiusCheckItem attribute)?
> > >
> > > radiusSessionTimeout: +=
> > >
> >
> > I meant in ldap.attrmap.
> > When I define for example
> >
> > checkItem Group-Name radiusProfile
> >
> > what is the operator implied (& op=21 in the debugging output)?
> > Can this be changed?
>
> In the cvs version at least an extra field is supported in ldap.attrmap
> which sets the operator to be used. Don't know if it's supported in the
> stable versions.
>

Thanks Kostas, I saw the cvs version and indeed it contains the code you
describe. This is a very useful feature. The feature is not contained
in the latest stable (1.1.2) version. Will it be in the next?

> --
> Kostas Kalevras, Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece

--
Kostas Zorbadelos [EMAIL PROTECTED]
contact: kzorba (at) otenet.gr
Re: LDAP related questions
On Wed, 28 Jun 2006, Kostas Zorbadelos wrote:

> On Wed, Jun 28, 2006 at 02:09:15PM +0300, Kostas Kalevras wrote:
> > > On Wed, Jun 28, 2006 at 11:56:27AM +0300, Kostas Zorbadelos wrote:
> > >
> > > I have a few suspicions where the problem might be.
> > > Is there a way to define the operator in the radius check attributes
> > > of ldap (without using the generic radiusCheckItem attribute)?
> >
> > radiusSessionTimeout: +=
>
> I meant in ldap.attrmap.
> When I define for example
>
> checkItem Group-Name radiusProfile
>
> what is the operator implied (& op=21 in the debugging output)?
> Can this be changed?

In the cvs version at least an extra field is supported in ldap.attrmap
which sets the operator to be used. Don't know if it's supported in the
stable versions.

--
Kostas Kalevras, Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: LDAP related questions
On Wed, Jun 28, 2006 at 02:09:15PM +0300, Kostas Kalevras wrote:
> > On Wed, Jun 28, 2006 at 11:56:27AM +0300, Kostas Zorbadelos wrote:
> >
> > I have a few suspicions where the problem might be.
> > Is there a way to define the operator in the radius check attributes
> > of ldap (without using the generic radiusCheckItem attribute)?
>
> radiusSessionTimeout: +=
>

I meant in ldap.attrmap.
When I define for example

checkItem Group-Name radiusProfile

what is the operator implied (& op=21 in the debugging output)?
Can this be changed?

--
Kostas Zorbadelos [EMAIL PROTECTED]
contact: kzorba (at) otenet.gr
Re: LDAP related questions
On Wed, Jun 28, 2006 at 02:11:00PM +0300, Kostas Kalevras wrote:
> On Wed, 28 Jun 2006, Kostas Zorbadelos wrote:
>
> > Hello to everyone.
> >
> > I have a question regarding a configuration I am trying to achieve. I
> > have users stored in an ldap database. An example user entry looks
> > like this:
> >
> > dn: uid=kzorba,ou=people,dc=company,dc=gr
> > cn: ZORBADELOS KONSTANTINOS
> > uid: kzorba
> > clearTextPwd: mypassword
> > radiusProfile: PSTN_STATIC
> > radiusAccountStatus: activated
> > radiusMaxLogins: 1
> > radiusExpDate: 2030/12/31 00:00:00
> > Framed-IP-Address: 62.103.176.39
> > objectClass: account
> > objectClass: MyRadiusAccount
> > objectClass: top
> >
> > The attribute radiusProfile groups the users. For each group we have a
> > corresponding profile
>
> Why not put the full profile DN in radiusProfile? Then you can use the
> profile_attribute mechanism
>

That would be perfect, however we already have the users database and we
use a different Radius software. Our data are in the form I described.
Any modifications would require migration and this is what I am trying
to avoid.

--
Kostas Zorbadelos [EMAIL PROTECTED]
contact: kzorba (at) otenet.gr
Re: LDAP related questions
On Wed, 28 Jun 2006, Kostas Zorbadelos wrote:

> Hello to everyone.
>
> I have a question regarding a configuration I am trying to achieve. I
> have users stored in an ldap database. An example user entry looks
> like this:
>
> dn: uid=kzorba,ou=people,dc=company,dc=gr
> cn: ZORBADELOS KONSTANTINOS
> uid: kzorba
> clearTextPwd: mypassword
> radiusProfile: PSTN_STATIC
> radiusAccountStatus: activated
> radiusMaxLogins: 1
> radiusExpDate: 2030/12/31 00:00:00
> Framed-IP-Address: 62.103.176.39
> objectClass: account
> objectClass: MyRadiusAccount
> objectClass: top
>
> The attribute radiusProfile groups the users. For each group we have a
> corresponding profile

Why not put the full profile DN in radiusProfile? Then you can use the
profile_attribute mechanism

--
Kostas Kalevras, Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Re: LDAP related questions
On Wed, 28 Jun 2006, Kostas Zorbadelos wrote:

> On Wed, Jun 28, 2006 at 11:56:27AM +0300, Kostas Zorbadelos wrote:
>
> I have a few suspicions where the problem might be.
> Is there a way to define the operator in the radius check attributes
> of ldap (without using the generic radiusCheckItem attribute)?

radiusSessionTimeout: +=

--
Kostas Kalevras, Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Re: LDAP related questions
On Wed, Jun 28, 2006 at 11:56:27AM +0300, Kostas Zorbadelos wrote:

I have a few suspicions where the problem might be.
Is there a way to define the operator in the radius check attributes
of ldap (without using the generic radiusCheckItem attribute)?

--
Kostas Zorbadelos [EMAIL PROTECTED]
contact: kzorba (at) otenet.gr
LDAP related questions
Hello to everyone.

I have a question regarding a configuration I am trying to achieve. I
have users stored in an ldap database. An example user entry looks
like this:

dn: uid=kzorba,ou=people,dc=company,dc=gr
cn: ZORBADELOS KONSTANTINOS
uid: kzorba
clearTextPwd: mypassword
radiusProfile: PSTN_STATIC
radiusAccountStatus: activated
radiusMaxLogins: 1
radiusExpDate: 2030/12/31 00:00:00
Framed-IP-Address: 62.103.176.39
objectClass: account
objectClass: MyRadiusAccount
objectClass: top

The attribute radiusProfile groups the users. For each group we have a
corresponding profile:

# PSTN_STATIC, radiusProfiles, company.gr
dn: cn=PSTN_STATIC,ou=radiusProfiles,dc=company,dc=gr
cn: PSTN_STATIC
objectClass: freeradiusProfile
objectClass: top
radiusNASPortType: Async
radiusFramedProtocol: PPP
radiusCisco-AVPair: lcp:interface-config#1=ip vrf forwarding STATIC_USER
radiusCisco-AVPair: lcp:interface-config#2=ip unnumbered Loopback1001
radiusServiceType: Framed

Now, I want to authorize the user according to this information. I
have read and tried the configuration described in ldap_howto.txt
shipped in the freeradius distribution. It uses the Ldap-Group
attribute and the users file. This configuration is sub-optimal
because it generates many ldap queries trying to figure out in which
group a user belongs. If we have many entries in the users file, one
for each group, each entry will generate a couple of queries until the
matching entry is found. So if we have, for example, a hundred groups
and the last one in the users file matches, we will have generated
~200 ldap queries, just to find the group the user belongs to.

I try the following alternative approach:

#ldap.attrmap
checkItem       Group           radiusProfile

#users file
...
DEFAULT Group == PSTN_STATIC, User-Profile := "cn=PSTN_DYNAMIC,ou=radiusProfiles,dc=company,dc=gr"
        Fall-Through = no

DEFAULT Auth-Type := Reject
        Reply-Message = "Unauthorized access."

#radiusd.conf
authorize {
        preprocess
        chap
        mschap
        suffix
        ldap
        files
        ldap
}

In the first pass through the ldap module I want to set the Group
attribute, then in users file set the User-Profile and I use one more
pass through the ldap module to get the profile attributes. However
this is what I get when testing with radclient:

rad_recv: Access-Request packet from host 127.0.0.1:41392, id=167, length=52
        User-Name = "kzorba"
        User-Password = "XX"
        NAS-IP-Address = 62.103.0.99
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "kzorba", looking up realm NULL
    rlm_realm: Found realm "NULL"
    rlm_realm: Adding Stripped-User-Name = "kzorba"
    rlm_realm: Proxying request from user kzorba to realm NULL
    rlm_realm: Adding Realm = "NULL"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for kzorba
radius_xlat:  '(&(uid=kzorba)(objectClass=MyRadiusAccount)(radiusAccountStatus=activated))'
radius_xlat:  'ou=people,dc=company,dc=gr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldapserver.company.gr:489, authentication 0
rlm_ldap: bind as cn=Directory Manager/XX to ldapserver.company.gr:489
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=company,dc=gr, with filter (&(uid=kzorba)(objectClass=MyRadiusAccount)(radiusAccountStatus=activated))
rlm_ldap: Added password XX in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusProfile as Group, value PSTN_STATIC & op=21
                                                               ^^
rlm_ldap: Adding radiusMaxLogins as Simultaneous-Use, value 1 & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding Framed-IP-Address as Framed-IP-Address, value 62.103.176.39 & op=11
rlm_ldap: user kzorba authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
    users: Matched entry DEFAULT at line 82
                                        ^^^(?)
Here, the files module does not match the line with the Group == PSTN_STATIC
condition, but the last DEFAULT line that rejects the user.

  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for kzorba
radius_xlat:  '(&(uid=kzorba)(objectClass=MyRadiusAccount)(radiusAccountStatus=activated))'
radius_xlat:  'ou=people,dc=company,dc=gr'
rlm_ldap:
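As an added example for this thread (not code from the list, from the poster, or from FreeRADIUS), the following small Python model shows the three pieces the discussion turns on: how ldap.attrmap lines turn an LDAP entry into RADIUS check and reply items, how an optional fourth operator field of the kind Kostas Kalevras describes for the CVS version would be read, and how the files module walks a users file in order, first match wins unless Fall-Through = yes. The attrmap fourth-field syntax, the default operators, the simplified users-file grammar and the rule that check items compare against both request and control attributes are all assumptions of this toy; the attrmap, LDIF and users text are constructed from the configuration quoted above. The toy matches the first DEFAULT line, which is what the poster expected; the real debug output above matched line 82 instead, and that discrepancy is the question the thread is about.

```python
import re

# attribute, operator, value; quoted values may contain commas (e.g. a DN).
_PAIR_RE = re.compile(r'([\w-]+)\s*(==|:=|\+=|=)\s*("[^"]*"|[^,\s]+)')


def parse_attrmap(text):
    """Parse 'checkItem|replyItem <radius-attr> <ldap-attr> [op]' lines.
    The fourth field is the assumed syntax for the per-attribute operator;
    without it this toy defaults checkItem to '==' and replyItem to ':='."""
    mapping = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] not in ("checkItem", "replyItem") or len(fields) not in (3, 4):
            raise ValueError("bad ldap.attrmap line: %r" % raw)
        kind, radius_attr, ldap_attr = fields[:3]
        op = fields[3] if len(fields) == 4 else ("==" if kind == "checkItem" else ":=")
        mapping.append((kind, radius_attr, ldap_attr, op))
    return mapping


def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]}; multi-valued attrs kept."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def entry_to_pairs(entry, mapping):
    """Return (check_items, reply_items) as (attr, op, value) tuples, the items
    rlm_ldap reports as 'Adding X as Y, value Z & op=N'."""
    check, reply = [], []
    for kind, radius_attr, ldap_attr, op in mapping:
        for value in entry.get(ldap_attr, []):
            (check if kind == "checkItem" else reply).append((radius_attr, op, value))
    return check, reply


def _parse_pairs(text):
    return [(a, op, v.strip('"')) for a, op, v in _PAIR_RE.findall(text)]


def parse_users(text):
    """Minimal users-file parser: an unindented 'NAME item, item' line carries
    the check items, the indented lines that follow carry the reply items."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if not entries:
                raise ValueError("reply item before any entry at line %d" % lineno)
            entries[-1]["reply"].extend(_parse_pairs(raw))
        else:
            name, _, rest = raw.partition(" ")
            entries.append({"name": name, "line": lineno,
                            "check": _parse_pairs(rest), "reply": []})
    return entries


def match_users(entries, request, control):
    """Walk entries in order.  An entry matches when every '==' check item
    equals the attribute in the request or (toy assumption) in the control
    list that rlm_ldap filled.  On a match, ':=' sets, '+=' adds and '='
    sets only if absent, reply items are collected, and the walk stops
    unless the entry says 'Fall-Through = yes'.  Returns (lines, control, reply)."""
    matched, reply = [], []
    for e in entries:
        visible = dict(control, **request)
        if any(op == "==" and visible.get(attr) != value for attr, op, value in e["check"]):
            continue
        matched.append(e["line"])
        for attr, op, value in e["check"]:
            if op in (":=", "+=") or (op == "=" and attr not in control):
                control[attr] = value
        fall_through = False
        for attr, op, value in e["reply"]:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            else:
                reply.append((attr, op, value))
        if not fall_through:
            break
    return matched, control, reply


# Constructed sample data mirroring the thread; the Session-Timeout line with
# its '+=' field is invented to exercise the operator column.
ATTRMAP = """\
#ldap.attrmap
checkItem Group             radiusProfile
checkItem Simultaneous-Use  radiusMaxLogins
replyItem Framed-IP-Address Framed-IP-Address
replyItem Session-Timeout   radiusSessionTimeout +=
"""
USER_LDIF = """\
dn: uid=kzorba,ou=people,dc=company,dc=gr
uid: kzorba
radiusProfile: PSTN_STATIC
radiusMaxLogins: 1
Framed-IP-Address: 62.103.176.39
"""
USERS = """\
DEFAULT Group == PSTN_STATIC, User-Profile := "cn=PSTN_DYNAMIC,ou=radiusProfiles,dc=company,dc=gr"
        Fall-Through = no

DEFAULT Auth-Type := Reject
        Reply-Message = "Unauthorized access."
"""


def demo():
    """First ldap pass, then files: returns the lines matched and the control list."""
    check, _reply = entry_to_pairs(parse_ldif(USER_LDIF), parse_attrmap(ATTRMAP))
    control = {attr: value for attr, _op, value in check}
    return match_users(parse_users(USERS), {"User-Name": "kzorba"}, control)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields line 1 as the match and `User-Profile` set in the control list; dropping `Group` from the control list makes the walk fall to the `Auth-Type := Reject` entry, which is the behaviour the debug output above shows the real server taking.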