Re: Multiple BaseDN's - How Do I Do This?

2008-05-12 Thread Kenneth Grady

Rob
You may need to look under authorize and modules in radiusd.conf and 
have something like:

#modules { section
ldap CTC_users {
   server = ldap
   net_timeout =
   timeout =
   timelimit =
   ldap_connections_number =
   basedn = dc=abc,dc=edu
   # AND of the object class with the department / employee-number / uid match
   filter = (&(objectClass=person)(|(departmentNumber=CTC)(|(employeeNumber=%{Stripped-User-Name:-%{User-Name}})(uid=%{Stripped-User-Name:-%{User-Name}}))))
}
...
#authorize { section
Autz-Type CTC_accounts {
   CTC_users
}

for the users
Autz-Type := CTC_accounts,



Phil Mayers wrote:

Rob VanDusen wrote:

I'm very new to both Linux and FreeRadius, so please excuse me if
this is too easy a question. After a couple weeks of fighting,
reading, testing and reconfiguring - I finally managed to get
FreeRadius 2.x working with my Novell eDirectory. Right now my eDir
tree is made up of 6 O's - one for each building in the
organization. It looks something like this:

ISDTREE | CTC | ESB | MTC | SPS | OAC | JSC


Sorry, that's a bit confusing; are you saying you don't have a common 
top-level O or OU?


That is, is the current basedn:

o=esb

?

If so, you've got problems (and if I may say so, that's a rather 
unwise configuration)




My current config will check via LDAP against a NetWare box and
authorize anyone in the ESB container - but I can't get it to look at
any of the other containers. I tried doing multiple instances of the
LDAP module - but that resulted in the server not authorizing anyone.


http://wiki.freeradius.org/index.php/FAQ#It_still_doesn.27t_work.21


How would I set this up so I can add the other O's as Base DN's? I'd
really appreciate any instructions that a slightly dim bulb could
follow.

-Rob



- List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



Re: Multiple BaseDN's - How Do I Do This?

2008-05-09 Thread Phil Mayers

Rob VanDusen wrote:

I'm very new to both Linux and FreeRadius, so please excuse me if
this is too easy a question. After a couple weeks of fighting,
reading, testing and reconfiguring - I finally managed to get
FreeRadius 2.x working with my Novell eDirectory. Right now my eDir
tree is made up of 6 O's - one for each building in the
organization. It looks something like this:

ISDTREE | CTC | ESB | MTC | SPS | OAC | JSC


Sorry, that's a bit confusing; are you saying you don't have a common 
top-level O or OU?


That is, is the current basedn:

o=esb

?

If so, you've got problems (and if I may say so, that's a rather unwise 
configuration)




My current config will check via LDAP against a NetWare box and
authorize anyone in the ESB container - but I can't get it to look at
any of the other containers. I tried doing multiple instances of the
LDAP module - but that resulted in the server not authorizing anyone.


http://wiki.freeradius.org/index.php/FAQ#It_still_doesn.27t_work.21


How would I set this up so I can add the other O's as Base DN's? I'd
really appreciate any instructions that a slightly dim bulb could
follow.

-Rob





Re: Multiple BaseDN's - How Do I Do This?

2008-05-09 Thread Rob VanDusen
Yes Phil, that is the unfortunate configuration I have inherited with the job. 
This is a school district; they really want to keep each school building as 
its own top-level O. I work in the ESB building, so that was the baseDN I used 
for testing. I'd rather not have to run 6 different radius boxes, but I can't 
seem to figure out how to make the multiple ldap modules work. I found a few 
how-to's on the web, but they are for the 1.x version and they don't seem to 
work with the 2.x version.

-Rob


Phil Mayers [EMAIL PROTECTED] 5/9/2008 7:09 AM
Rob VanDusen wrote:
 I'm very new to both Linux and FreeRadius, so please excuse me if
 this is too easy a question. After a couple weeks of fighting,
 reading, testing and reconfiguring - I finally managed to get
 FreeRadius 2.x working with my Novell eDirectory. Right now my eDir
 tree is made up of 6 O's - one for each building in the
 organization. It looks something like this:
 
 ISDTREE | CTC | ESB | MTC | SPS | OAC | JSC

Sorry, that's a bit confusing; are you saying you don't have a common 
top-level O or OU?

That is, is the current basedn:

o=esb

?

If so, you've got problems (and if I may say so, that's a rather unwise 
configuration)

 
 My current config will check via LDAP against a NetWare box and
 authorize anyone in the ESB container - but I can't get it to look at
 any of the other containers. I tried doing multiple instances of the
 LDAP module - but that resulted in the server not authorizing anyone.

http://wiki.freeradius.org/index.php/FAQ#It_still_doesn.27t_work.21 

 How would I set this up so I can add the other O's as Base DN's? I'd
 really appreciate any instructions that a slightly dim bulb could
 follow.
 
 -Rob





Re: Multiple BaseDN's - How Do I Do This?

2008-05-09 Thread Phil Mayers

Rob VanDusen wrote:

Yes Phil, that is the unfortunate configuration I have inherited with
the job. This is a school district; they really want to keep each
school building as its own top-level O. I work in the ESB building,


Ok.


so that was the baseDN I used for testing. I'd rather not have to run
6 different radius boxes, but I can't seem to figure out how to make
the multiple ldap modules work. I found a few how-to's on the web,
but they are for the 1.x version and they don't seem to work with the
2.x version.


Multiple LDAP modules should work; as per the FAQ entry I linked to, 
"it's not working" is not very specific. Could you show us what you 
tried and the output from radiusd -X when it fails?


You would want something like this:

modules {
  ldap ldap_esb {
    basedn = o=esb
  }
  ldap ldap_sps {
    ..
  }
  ...etc
}
instantiate {
  redundant all_ldap {
    ldap_esb
    ldap_sps
    ...etc
  }
}
server {
  authorize {
    preprocess
    all_ldap
  }
  authenticate {
    # stuff here depends on auth method
  }
}

How are you *authenticating* the users once they're found in LDAP - do 
the LDAP servers return plaintext password / password hashes to 
FreeRadius and FreeRadius does the authentication, or does Freeradius 
need to do an LDAP simple bind against the LDAP server (which will 
only work for PAP requests)


If the former (LDAP servers give password/hashed to FR) then each ldap 
module should say:


modules {
  ldap ldap_xxx {
set_auth_type = no
  }
}

...and you should have something like:

server {
  authorize {
    preprocess
    all_ldap
    chap
    mschap
    pap
  }
  authenticate {
    Auth-Type PAP {
      pap
    }
    Auth-Type CHAP {
      chap
    }
    Auth-Type MS-CHAP {
      mschap
    }
  }
}

If the latter, i.e. LDAP simple bind, you will need:

modules {
  ldap ldap_xxx {
set_auth_type = yes
  }
}

...and you should have something like:

server {
  authorize {
    preprocess
    all_ldap
  }
  authenticate {
    Auth-Type ldap_esb {
      ldap_esb
    }
    Auth-Type ldap_xxx {
      ldap_xxx
    }
    ...etc
  }
}

Obviously the configs above are sample; for this setup (which is not 
so common) you may need to play a bit. In particular, the above configs 
omit several of the standard modules e.g. eap, files, etc. Don't use 
them as-is.


The standard advice applies:

 1. start with the default config
 2. make small changes
 3. test after each change
 4. store each working config in a version control repo (e.g. svn) so 
if you break it you can compare and go back


Finally, I am making the assumption the usernames are unique across the 
entire LDAP tree i.e. there are no duplicates:


cn=jdoe,o=esb
cn=jdoe,o=sps

...if there are, it's going to be very tricky
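Phil's closing assumption, that usernames are unique across all of the top-level O's, can be checked before several rlm_ldap instances are pointed at them. The script below is an added example, not part of the thread or of FreeRADIUS: it parses LDIF (the format ldapsearch prints, one run per base DN) and reports every cn that appears under more than one container; the LDIF entries are constructed sample data.

```python
"""Find usernames that exist under more than one LDAP base DN.

Added example: parses LDIF (as printed by ldapsearch, one run per
top-level O) and reports every cn seen under more than one container.
The LDIF below is constructed sample data, not a real directory."""
from collections import defaultdict

# Constructed sample: one ldapsearch result per base DN. "jdoe" is
# deliberately present in two containers.
LDIF_BY_BASE = {
    "o=ESB": "dn: cn=jdoe,o=ESB\ncn: jdoe\n\ndn: cn=asmith,o=ESB\ncn: asmith\n",
    "o=SPS": "dn: cn=jdoe,o=SPS\ncn: jdoe\n\ndn: cn=bwong,o=SPS\ncn: bwong\n",
    "o=CTC": "dn: cn=cjones,o=CTC\ncn: cjones\n",
}


def parse_ldif_attr(ldif, attr):
    """Return all values of one attribute from an LDIF text.

    Folded continuation lines (leading space) are rejoined first.
    Base64 values ('cn:: ...') are not decoded; they come back with
    their leading ':' so they stand out in the report."""
    unfolded = []
    for line in ldif.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    prefix = attr.lower() + ":"
    return [line.split(":", 1)[1].strip()
            for line in unfolded if line.lower().startswith(prefix)]


def find_duplicate_names(ldif_by_base, attr="cn"):
    """Map each username (case-folded, as LDAP cn matching is) to the
    base DNs it appears under; keep only names found in more than one."""
    seen = defaultdict(list)
    for base, ldif in ldif_by_base.items():
        for name in parse_ldif_attr(ldif, attr):
            if base not in seen[name.lower()]:
                seen[name.lower()].append(base)
    return {name: bases for name, bases in seen.items() if len(bases) > 1}


if __name__ == "__main__":
    dupes = find_duplicate_names(LDIF_BY_BASE)
    for name, bases in dupes.items():
        print(f"{name}: defined in {', '.join(bases)}")
    print("no duplicate usernames" if not dupes else f"{len(dupes)} duplicate(s)")
```

Feed it the real output of one ldapsearch per O (basedn o=ESB, o=SPS, ...) in place of the sample dictionary; any name it reports is one that a per-container redundant group cannot resolve unambiguously.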


Re: Multiple BaseDN's - How Do I Do This?

2008-05-09 Thread Jorgen Rosink
On Thu, May 8, 2008 at 7:57 PM, Rob VanDusen [EMAIL PROTECTED] wrote:

 My current config will check via LDAP against a NetWare box and authorize 
 anyone in the ESB container - but I can't get it to look at any of the other 
 containers. I tried doing multiple instances of the LDAP module - but that 
 resulted in the server not authorizing anyone.

You probably didn't do it right, because it should work...

 How would I set this up so I can add the other O's as Base DN's? I'd really 
 appreciate any instructions that a slightly dim bulb could follow.

Create a LDAP module for every context you want to use with RADIUS:

ldap CTC {
  server = IP/FQDN
  identity = cn=user, o=container
  password = password
  basedn = o=CTC
  filter = (cn=%{Stripped-User-Name:-%{User-Name}})
  base_filter = (objectclass=radiusprofile)
  start_tls = yes
  tls_require_cert = demand
  #access_attr = dialupAccess
  dictionary_mapping = ${raddbdir}/ldap.attrmap
  ldap_connections_number = 5
  password_attribute = nspmPassword
  edir_account_policy_check=yes
  timeout = 4
  timelimit = 3
  net_timeout = 1
}

ldap ESB {
  basedn = o=ESB

  ... etc. for all other contexts
}


Now refer to these modules in the Authorize and Post-Authentication
(if you want eDirectory policies) by module name, like:

authorize {
  ...
  CTC
  ESB
  ...
}

post-auth {
  ...
  CTC
  ESB

  Post-Auth-Type REJECT {
    CTC
    ESB
    ...
  }
  ...
}


Re: Multiple BaseDN's - How Do I Do This?

2008-05-09 Thread Rob VanDusen
Thanks Phil! I was missing the instantiate section; everything else fell into 
place and started working after that (at least it looks to be, with very minimal 
testing). I cleaned up my files and deleted all the extra comments - I must 
have deleted that section - I should have left them alone. Thanks again for all 
the help.

-Rob


Phil Mayers [EMAIL PROTECTED] 5/9/2008 8:51 AM
}
instantiate {
   redundant all_ldap {
     ldap_esb
     ldap_sps
     ...etc
   }
}
server {
   authorize {
     preprocess
     all_ldap
   }
   authenticate {
     # stuff here depends on auth method
   }
}




Multiple BaseDN's - How Do I Do This?

2008-05-08 Thread Rob VanDusen
I'm very new to both Linux and FreeRadius, so please excuse me if this is too 
easy a question. After a couple weeks of fighting, reading, testing and 
reconfiguring - I finally managed to get FreeRadius 2.x working with my Novell 
eDirectory. Right now my eDir tree is made up of 6 O's - one for each 
building in the organization. It looks something like this:

ISDTREE
   |
CTC
   |
ESB
   |
MTC
   |
SPS
   |
OAC
   |
JSC

My current config will check via LDAP against a NetWare box and authorize 
anyone in the ESB container - but I can't get it to look at any of the other 
containers. I tried doing multiple instances of the LDAP module - but that 
resulted in the server not authorizing anyone. How would I set this up so I can 
add the other O's as Base DN's? I'd really appreciate any instructions that a 
slightly dim bulb could follow.

-Rob


