Re: Multiple BaseDN's - How Do I Do This?
Rob

You may need to look under authorize and modules in radiusd.conf and have something like:

#modules { section
ldap CTC_users {
        server = ldap
        net_timeout =
        timeout =
        timelimit =
        ldap_connections_number =
        basedn = dc=abc,dc=edu
        filter = "(&(objectClass=person)(|(departmentNumber=CTC)(|(employeeNumber=%{Stripped-User-Name:-%{User-Name}})(uid=%{Stripped-User-Name:-%{User-Name}}))))"
        ...
}

#authorize { section
Autz-Type = CTC_accounts {
        CTC_users
}

for the users
Autz-Type := CTC_accounts,

Phil Mayers wrote:
> Rob VanDusen wrote:
>> I'm very new to both Linux and FreeRadius, so please excuse me if this is too easy a question. After a couple weeks of fighting, reading, testing and reconfiguring - I finally managed to get FreeRadius 2.x working with my Novell eDirectory. Right now my eDir tree is made up of 6 O's - one for each building in the organization. It looks something like this:
>>
>>                 ISDTREE
>>                    |
>>   CTC | ESB | MTC | SPS | OAC | JSC
>
> Sorry, that's a bit confusing; are you saying you don't have a common top-level O or OU? That is, is the current basedn:
>
>   o=esb
>
> ? If so, you've got problems (and if I may say so, that's a rather unwise configuration)
>
>> My current config will check via LDAP against a NetWare box and authorize anyone in the ESB container - but I can't get it to look at any of the other containers. I tried doing multiple instances of the LDAP module - but that resulted in the server not authorizing anyone.
>
> http://wiki.freeradius.org/index.php/FAQ#It_still_doesn.27t_work.21
>
>> How would I set this up so I can add the other O's as Base DN's? I'd really appreciate any instructions that a slightly dim bulb could follow.
>>
>> -Rob

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Multiple BaseDN's - How Do I Do This?
Rob VanDusen wrote:
> I'm very new to both Linux and FreeRadius, so please excuse me if this is too easy a question. After a couple weeks of fighting, reading, testing and reconfiguring - I finally managed to get FreeRadius 2.x working with my Novell eDirectory. Right now my eDir tree is made up of 6 O's - one for each building in the organization. It looks something like this:
>
>                 ISDTREE
>                    |
>   CTC | ESB | MTC | SPS | OAC | JSC

Sorry, that's a bit confusing; are you saying you don't have a common top-level O or OU? That is, is the current basedn:

  o=esb

? If so, you've got problems (and if I may say so, that's a rather unwise configuration)

> My current config will check via LDAP against a NetWare box and authorize anyone in the ESB container - but I can't get it to look at any of the other containers. I tried doing multiple instances of the LDAP module - but that resulted in the server not authorizing anyone.

http://wiki.freeradius.org/index.php/FAQ#It_still_doesn.27t_work.21

> How would I set this up so I can add the other O's as Base DN's? I'd really appreciate any instructions that a slightly dim bulb could follow.
>
> -Rob
Re: Multiple BaseDN's - How Do I Do This?
Yes Phil, that is the unfortunate configuration I have inherited with the job. This is a school district; they really want to keep each school building as its own top-level O. I work in the ESB building, so that was the baseDN I used for testing. I'd rather not have to run 6 different radius boxes, but I can't seem to figure out how to make the multiple ldap modules work. I found a few how-tos on the web, but they are for the 1.x version and they don't seem to work with the 2.x version.

-Rob

>>> Phil Mayers [EMAIL PROTECTED] 5/9/2008 7:09 AM >>>
> Rob VanDusen wrote:
>> I'm very new to both Linux and FreeRadius, so please excuse me if this is too easy a question. After a couple weeks of fighting, reading, testing and reconfiguring - I finally managed to get FreeRadius 2.x working with my Novell eDirectory. Right now my eDir tree is made up of 6 O's - one for each building in the organization. It looks something like this:
>>
>>                 ISDTREE
>>                    |
>>   CTC | ESB | MTC | SPS | OAC | JSC
>
> Sorry, that's a bit confusing; are you saying you don't have a common top-level O or OU? That is, is the current basedn:
>
>   o=esb
>
> ? If so, you've got problems (and if I may say so, that's a rather unwise configuration)
>
>> My current config will check via LDAP against a NetWare box and authorize anyone in the ESB container - but I can't get it to look at any of the other containers. I tried doing multiple instances of the LDAP module - but that resulted in the server not authorizing anyone.
>
> http://wiki.freeradius.org/index.php/FAQ#It_still_doesn.27t_work.21
>
>> How would I set this up so I can add the other O's as Base DN's? I'd really appreciate any instructions that a slightly dim bulb could follow.
>>
>> -Rob
Re: Multiple BaseDN's - How Do I Do This?
Rob VanDusen wrote:
> Yes Phil, that is the unfortunate configuration I have inherited with the job. This is a school district; they really want to keep each school building as its own top-level O. I work in the ESB building,

Ok.

> so that was the baseDN I used for testing. I'd rather not have to run 6 different radius boxes, but I can't seem to figure out how to make the multiple ldap modules work. I found a few how-tos on the web, but they are for the 1.x version and they don't seem to work with the 2.x version.

Multiple LDAP modules should work; as per the FAQ entry I linked to, "it's not working" is not very specific. Could you show us what you tried and the output from "radiusd -X" when it fails?

You would want something like this:

modules {
  ldap ldap_esb {
    basedn = "o=esb"
  }
  ldap ldap_sps {
    ..
  }
  ...etc
}

instantiate {
  redundant all_ldap {
    ldap_esb
    ldap_sps
    ...etc
  }
}

server {
  authorize {
    preprocess
    all_ldap
  }
  authenticate {
    # stuff here depends on auth method
  }
}

How are you *authenticating* the users once they're found in LDAP - do the LDAP servers return plaintext password / password hashes to FreeRadius and FreeRadius does the authentication, or does FreeRadius need to do an LDAP simple bind against the LDAP server (which will only work for PAP requests)?

If the former (LDAP servers give password/hashed to FR) then each ldap module should say:

modules {
  ldap ldap_xxx {
    set_auth_type = no
  }
}

...and you should have something like:

server {
  authorize {
    preprocess
    all_ldap
    chap
    mschap
    pap
  }
  authenticate {
    Auth-Type PAP {
      pap
    }
    Auth-Type CHAP {
      chap
    }
    Auth-Type MS-CHAP {
      mschap
    }
  }
}

If the latter, i.e. LDAP simple bind, you will need:

modules {
  ldap ldap_xxx {
    set_auth_type = yes
  }
}

...and you should have something like:

server {
  authorize {
    preprocess
    all_ldap
  }
  authenticate {
    Auth-Type ldap_esb {
      ldap_esb
    }
    Auth-Type ldap_xxx {
      ldap_xxx
    }
    ...etc
  }
}

Obviously the configs above are sample; for this setup (which is not so common) you may need to play a bit.

In particular, the above configs omit several of the standard modules e.g. eap, files, etc. Don't use them as-is.

The standard advice applies:

 1. start with the default config
 2. make small changes
 3. test after each change
 4. store each working config in a version control repo (e.g. svn) so if you break it you can compare and go back

Finally, I am making the assumption the usernames are unique across the entire LDAP tree, i.e. there are no duplicates:

cn=jdoe,o=esb
cn=jdoe,o=sps

...if there are, it's going to be very tricky
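Phil's closing caveat is the part of this layout that fails silently: inside "redundant all_ldap { ... }" the first module whose search matches the login name answers for it, so a second jdoe in a later container is never consulted (that account cannot authenticate, and any reply attributes come from the other container's entry). The script below is an added example written for this thread, not code from the list or from FreeRADIUS: it parses a constructed LDIF export of the containers, lists names that occur in more than one O, and emulates the module order of the redundant group to show which entry would answer for each duplicate. The module order in MODULE_ORDER and the LDIF sample are assumptions made up for the example.

```python
"""Pre-deployment check for the multi-basedn "redundant" layout: usernames
must be unique across all top-level O containers, because the first ldap
module in the redundant group that finds a matching entry wins and same-named
entries in later containers are shadowed.  Added example; the LDIF below is
constructed sample data, not a real eDirectory export."""

import base64
from collections import defaultdict

# Assumed order of the ldap modules inside "redundant all_ldap { ... }".
MODULE_ORDER = ["o=CTC", "o=ESB", "o=MTC", "o=SPS", "o=OAC", "o=JSC"]

# Constructed LDIF export.  One value is base64-encoded ("cn::") and one dn
# is folded onto a continuation line, as real LDIF exports may be.
SAMPLE_LDIF = """\
dn: cn=jdoe,o=ESB
objectClass: inetOrgPerson
cn: jdoe
sn: Doe

dn: cn=asmith,o=CTC
objectClass: inetOrgPerson
cn: asmith
sn: Smith

dn: cn=jdoe,o=SPS
objectClass: inetOrgPerson
cn:: amRvZQ==
sn: Doe

dn: cn=bjones,
 o=MTC
objectClass: inetOrgPerson
cn: bjones
sn: Jones
"""


def parse_ldif(text):
    """Return a list of {attr: [values]} dicts, one per LDIF entry.

    Handles folded continuation lines (leading space), base64 values ("::"),
    comment lines and blank-line separators; enough for an attribute dump,
    it does not process LDIF changetype records."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():                   # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def container_of(dn):
    """Top-level container of a DN, e.g. 'cn=jdoe,o=ESB' -> 'o=ESB'."""
    return dn.rsplit(",", 1)[-1].strip()


def find_duplicates(entries, name_attr="cn"):
    """Map each name that appears in more than one entry to the DNs using it."""
    by_name = defaultdict(list)
    for e in entries:
        for name in e.get(name_attr, []):
            by_name[name.lower()].append(e["dn"][0])
    return {n: dns for n, dns in by_name.items() if len(dns) > 1}


def resolve(entries, username, order=MODULE_ORDER, name_attr="cn"):
    """Emulate the redundant group: the first container in `order` whose
    search matches `username` answers; later matches are shadowed.
    Returns (winning_dn or None, [shadowed_dns])."""
    matches = {}
    for e in entries:
        if any(v.lower() == username.lower() for v in e.get(name_attr, [])):
            matches.setdefault(container_of(e["dn"][0]).lower(), e["dn"][0])
    winner, shadowed = None, []
    for container in order:
        dn = matches.get(container.lower())
        if dn is None:
            continue
        if winner is None:
            winner = dn
        else:
            shadowed.append(dn)
    return winner, shadowed


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for name, dns in sorted(find_duplicates(entries).items()):
        winner, shadowed = resolve(entries, name)
        print("%s: %d entries; %s answers, shadowed: %s"
              % (name, len(dns), winner, ", ".join(shadowed)))
```

Run it against an LDIF dump of each O (the name attribute should match whatever the ldap modules' filter searches on, cn here); any name the script reports is one that the redundant group cannot tell apart, which is exactly the case Phil says will be very tricky.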
Re: Multiple BaseDN's - How Do I Do This?
On Thu, May 8, 2008 at 7:57 PM, Rob VanDusen [EMAIL PROTECTED] wrote:
> My current config will check via LDAP against a NetWare box and authorize anyone in the ESB container - but I can't get it to look at any of the other containers. I tried doing multiple instances of the LDAP module - but that resulted in the server not authorizing anyone.

You probably didn't do it right, because it should work...

> How would I set this up so I can add the other O's as Base DN's? I'd really appreciate any instructions that a slightly dim bulb could follow.

Create a LDAP module for every context you want to use with RADIUS:

ldap CTC {
        server = IP/FQDN
        identity = "cn=user, o=container"
        password = password
        basedn = "o=CTC"
        filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"
        start_tls = yes
        tls_require_cert = demand
        #access_attr = dialupAccess
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        password_attribute = nspmPassword
        edir_account_policy_check = yes
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

ldap ESB {
        basedn = "o=ESB"
        ...
}

etc. for all other contexts.

Now refer to these modules in the Authorize and Post-Authentication (if you want eDirectory policies) by module name, like:

authorize {
        ...
        CTC
        ESB
        ...
}

post-auth {
        ...
        CTC
        ESB
        Post-Auth-Type REJECT {
                CTC
                ESB
                ...
        }
        ...
}
Re: Multiple BaseDN's - How Do I Do This?
Thanks Phil! I was missing the instantiate section; everything else fell into place and started working after that (at least it looks to be, with very minimal testing). I cleaned up my files and deleted all the extra comments - I must have deleted that section - I should have left them alone. Thanks again for all the help.

-Rob

>>> Phil Mayers [EMAIL PROTECTED] 5/9/2008 8:51 AM >>>
> }
>
> instantiate {
>   redundant all_ldap {
>     ldap_esb
>     ldap_sps
>     ...etc
>   }
> }
>
> server {
>   authorize {
>     preprocess
>     all_ldap
>   }
>   authenticate {
>     # stuff here depends on auth method
>   }
> }