Re: Radius authentication against LDAP question
One question relating to this is about the /etc/raddb/users file. It doesn't seem to work as it's documented. If I have a group set to be rejected based on its membership like this:

DEFAULT Group=disabled, Auth-Type:=Reject

radius doesn't even check for group membership. The only way it seems to get directed to check membership is with a negative check (!=):

DEFAULT LDAP-Group!=newgroup, Auth-Type:=Reject

Regardless, I still can't figure out what filter would validate the user newuser as a member of newgroup:

performing search in cn=accounts,dc=abc,dc=xyz, with filter (&(cn=newgroup)(&(memberOf=cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz)(uid=newuser)))

This is the output of the ldapsearch that shows the group and the fact that the user is a member:

# LDAPv3
# base cn=accounts,dc=abc,dc=xyz with scope subtree
# filter: (&(cn=newgroup))
# requesting: ALL
#

# newgroup, groups, accounts, abc.xyz
dn: cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ldapsergroup
objectClass: ldapobject
objectClass: posixgroup
cn: newgroup
description: switch administrators
gidNumber: 89586
ipaUniqueID: 5de42704-ab1d-11e1-8e07-525400579da7
member: uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Radius-authentication-against-LDAP-question-tp5713463p5713503.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Radius authentication against LDAP question
g17jimmy wrote:
> One question relating to this is about the /etc/raddb/users file. It doesn't seem to work as it's documented.

Well... no.

> If I have a group set to be rejected based on its membership like this:
>
> DEFAULT Group=disabled, Auth-Type:=Reject
>
> radius doesn't even check for group membership. The only way it seems to get directed to check membership is with a negative check (!=).

See "man users". Use "Group == ...". The operators do different things.

> DEFAULT LDAP-Group!=newgroup, Auth-Type:=Reject
>
> Regardless, I still can't figure out what filter would validate the user newuser as a member of newgroup.

LDAP-Group == newgroup

Everyone else is using it.

Alan DeKok.
Re: Radius authentication against LDAP question
Cool, thanks for pointing that out. My brain filtered out the '=='; I've been staring at this screen too long.
Re: Radius authentication against LDAP question
On Thu, May 31, 2012 at 10:05 AM, Jimmy g17ji...@gmail.com wrote:
> How do I enable Freeradius to not only authenticate a user but verify a specific attribute for the user? I've been going through the docs but this is escaping me. Thanks.

I'm not sure if this will help, but I have a tutorial on how to configure two-factor authentication through freeradius with authorization by openldap. The setup uses the access_attr = dialupAccess. I bet you can use whatever.

http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-openldap-and-freeradius

HTH,

Nick

--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
Re: Radius authentication against LDAP question
Nick,

I have found that we can use any attribute for the access, but I'm trying to expand our use of radius for another type of user login. In this case I've created an LDAP group for the new user role and have created a new radius virtual server to service the specific authentication and accounting. I have added the group membership checking to the ldap module, and set the filter for posixGroup. The meaningful config changes and output are below.

===/etc/raddb/modules/ldap (excerpt)
groupname_attribute = cn
groupmembership_filter = (&(objectclass=posixGroup)(memberUid=%u))

===/etc/raddb/users
DEFAULT LDAP-Group!=newgroup, Auth-Type:=Reject
        Reply-Message=You are not allowed to connect

===radiusd -X (excerpt)
[files] expand: (&(objectclass=posixGroup)(memberUid=%u)) -> (&(objectclass=posixGroup)(memberUid=newhuser))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=accounts,dc=abc,dc=xyz, with filter (&(cn=newgroup)(&(objectclass=posixGroup)(memberUid=newuser)))
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group newgroup not found or user is not a member.
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = Reject

===ldapsearch output
# newgroup, groups, accounts, abc.xyz
dn: cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ldapusergroup
objectClass: ldapobject
objectClass: posixgroup
cn: newgroup
description: new group
gidNumber: 89586
ipaUniqueID: 5de42704-ab1d-11e1-8e07-525400579da7
member: uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz
Re: Radius authentication against LDAP question
Playing with ldapsearch I see that the search string that radiusd -X is reporting to use indeed does not work:

=ldapsearch filter (from radiusd -X)
performing search in cn=accounts,dc=abc,dc=xyz, with filter (&(cn=newgroup)(&(objectclass=posixGroup)(memberUid=newuser)))
=

Returns no entries. If I run ldapsearch with (&(cn=newgroup)(&(objectclass=posixGroup))), removing the memberUid entry, it returns the entry for the group itself, so something is wrong with how I have the member uid configured.

=ldapsearch filter (filter trimmed to group)
ldapsearch -x -b cn=accounts,dc=abc,dc=xyz (&(cn=newgroup)(&(objectclass=posixGroup)))
# extended LDIF
#
# LDAPv3
# base cn=accounts,dc=abc,dc=xyz with scope subtree
# filter: (&(cn=newgroup)(&(objectclass=posixGroup)))
# requesting: ALL
#

# newgroup, groups, accounts, abc.xyz
dn: cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ldapsergroup
objectClass: ldapobject
objectClass: posixgroup
cn: newgroup
description: switch administrators
gidNumber: 89586
ipaUniqueID: 5de42704-ab1d-11e1-8e07-525400579da7
member: uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Any ideas? Thanks.
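The group entry in the ldapsearch output above carries objectClass posixgroup but has no memberUid attribute at all; the membership is recorded in the member attribute as a DN. The following is an added example, not code from the thread or from FreeRADIUS: a small LDAP filter evaluator that rebuilds the (&(cn=<group>)<groupmembership_filter>) search printed by radiusd -X and runs it against that entry, showing the posixGroup/memberUid filter failing while a filter keyed on the member DN matches. The user DN layout uid=%u,cn=users,cn=accounts,dc=abc,dc=xyz in NAMES_FILTER is an assumption taken from the member value shown in the thread.

```python
# Added example, not FreeRADIUS or thread code: a minimal RFC 4515 filter
# evaluator run against the cn=newgroup entry shown by ldapsearch in the thread.

# Entry lower-cased because LDAP matches attribute names, objectClass values and
# DNs case-insensitively. No memberUid exists despite objectClass posixgroup.
GROUP_ENTRY = {
    "objectclass": {"top", "groupofnames", "nestedgroup", "posixgroup"},
    "cn": {"newgroup"},
    "gidnumber": {"89586"},
    "member": {"uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz"},
}

def parse_filter(s, i=0):
    """Parse the (&..)(|..)(!..)(attr=value) subset into a tuple tree."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {s!r}")
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] != ")":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")  # first '=' splits attr from value
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry ({attr: set(values)})."""
    op = node[0]
    if op == "=":
        return node[2] in entry.get(node[1], set())
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    return not matches(node[1][0], entry)  # "!"

def rlm_ldap_group_search(group, membership_filter, user):
    """Build the search radiusd -X printed: (&(cn=<group>)<filter>), %u expanded."""
    return f"(&(cn={group}){membership_filter.replace('%u', user)})"

def user_in_group(group, membership_filter, user, entry=GROUP_ENTRY):
    tree, _ = parse_filter(rlm_ldap_group_search(group, membership_filter, user))
    return matches(tree, entry)

POSIX_FILTER = "(&(objectclass=posixGroup)(memberUid=%u))"  # filter from the thread
# Alternative keyed on the "member" DN; the user DN layout is assumed (see lead-in).
NAMES_FILTER = "(&(objectClass=groupOfNames)(member=uid=%u,cn=users,cn=accounts,dc=abc,dc=xyz))"
```

Running user_in_group("newgroup", POSIX_FILTER, "newuser") returns False exactly as the radiusd -X trace reports, while the same call with NAMES_FILTER returns True.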