Re: group search filter openLDAP

2012-03-25 Thread Phil Mayers

On 03/25/2012 12:09 PM, Fajar A. Nugraha wrote:
> On Sun, Mar 25, 2012 at 4:47 PM, dhanushka ranasinghe wrote:
>> Hi..
>>
>> we changed Auth-Type := Accept  to Auth-Type := PAP , then it starts to work
>
> You shouldn't need to do that. A cleaner way would be to read
> http://freeradius.org/radiusd/man/users.html , and probably just use
> something like this
>
> DEFAULT Ldap-Group != "cn=people,ou=users,dc=home,dc=com", Auth-Type := Reject

I don't think that works with LDAP, does it?

Maybe:

DEFAULT Ldap-Group == "cn=people,ou=users,dc=home,dc=com"
    Fall-Through = No

DEFAULT Auth-Type := Reject
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: group search filter openLDAP

2012-03-25 Thread Fajar A. Nugraha
On Sun, Mar 25, 2012 at 4:47 PM, dhanushka ranasinghe
 wrote:
> Hi..
>
> we changed Auth-Type := Accept  to Auth-Type := PAP , then it starts to work

You shouldn't need to do that. A cleaner way would be to read
http://freeradius.org/radiusd/man/users.html , and probably just use
something like this

DEFAULT Ldap-Group != "cn=people,ou=users,dc=home,dc=com", Auth-Type := Reject

-- 
Fajar


Re: group search filter openLDAP

2012-03-25 Thread dhanushka ranasinghe
Hi..

We changed Auth-Type := Accept to Auth-Type := PAP, then it started to work.

Thanks for the help

Thank You
dhanushka


On 25 March 2012 12:17, dhanushka ranasinghe  wrote:
> Hi..
>
> how can i make it to read  password and then accept it..for that ldap group
>
> Thank You
> Dhanushka
>
> On 25 March 2012 12:12, Fajar A. Nugraha  wrote:
>> On Sun, Mar 25, 2012 at 1:35 PM, dhanushka ranasinghe
>>  wrote:
>>> DEFAULT Ldap-Group == "cn=people,ou=users,dc=home,dc=com", Auth-Type := Accept
>>>  Reply-Message = "You are Accepted"
>>
>>> then i face the much bigger issue,  then freeradius start to ignore
>>> the ldap userpassword. even though i type wrong password freeradius
>>> granting the access.
>>
>> That's because you told it to. That's what Auth-Type := Accept does.
>>
>> --
>> Fajar


Re: group search filter openLDAP

2012-03-24 Thread dhanushka ranasinghe
Hi..

How can I make it read the password and then accept it for that LDAP group?

Thank You
Dhanushka

On 25 March 2012 12:12, Fajar A. Nugraha  wrote:
> On Sun, Mar 25, 2012 at 1:35 PM, dhanushka ranasinghe
>  wrote:
>> DEFAULT Ldap-Group == "cn=people,ou=users,dc=home,dc=com", Auth-Type := Accept
>>  Reply-Message = "You are Accepted"
>
>> then i face the much bigger issue,  then freeradius start to ignore
>> the ldap userpassword. even though i type wrong password freeradius
>> granting the access.
>
> That's because you told it to. That's what Auth-Type := Accept does.
>
> --
> Fajar


Re: group search filter openLDAP

2012-03-24 Thread Fajar A. Nugraha
On Sun, Mar 25, 2012 at 1:35 PM, dhanushka ranasinghe
 wrote:
> DEFAULT Ldap-Group == "cn=people,ou=users,dc=home,dc=com", Auth-Type := Accept
>  Reply-Message = "You are Accepted"

> then i face the much bigger issue,  then freeradius start to ignore
> the ldap userpassword. even though i type wrong password freeradius
> granting the access.

That's because you told it to. That's what Auth-Type := Accept does.

-- 
Fajar
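
The setting discussed above can be audited mechanically. The following is an added example (not part of any post in this thread, and not FreeRADIUS code) that scans users-file text for entries whose check items set Auth-Type to Accept. The parser is a simplified assumption about the file format, the function names are hypothetical, and the second sample is the alternative layout suggested in a later reply in this thread.

```python
import re

# One check item: attribute, operator, then a quoted or bare value.
ITEM = re.compile(
    r'([\w-]+)\s*(:=|==|=~|!=|!~|\+=|<=|>=|=|<|>)\s*("(?:[^"\\]|\\.)*"|[^,\s]+)'
)

# Constructed samples: the entries quoted in this thread, as users-file text.
FORCED = '''\
DEFAULT Ldap-Group == "cn=people,ou=users,dc=home,dc=com", Auth-Type := Accept
 Reply-Message = "You are Accepted"

DEFAULT Auth-Type := Reject
'''
GATED = '''\
DEFAULT Ldap-Group == "cn=people,ou=users,dc=home,dc=com"
    Fall-Through = No

DEFAULT Auth-Type := Reject
'''

def parse_entries(text):
    """Yield (line_no, name, check_items) for each entry header line."""
    for no, line in enumerate(text.splitlines(), 1):
        # Indented lines are reply items, '#' lines are comments.
        if not line.strip() or line[0] in " \t#":
            continue
        parts = line.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
        yield no, parts[0], [(a, op, v.strip('"')) for a, op, v in ITEM.findall(rest)]

def find_forced_accept(text):
    """Return (line_no, name, other_checks) for entries that set Auth-Type to Accept."""
    hits = []
    for no, name, checks in parse_entries(text):
        forced = [c for c in checks
                  if c[0].lower() == "auth-type" and c[1] in (":=", "=")
                  and c[2].lower() == "accept"]
        if forced:
            # The remaining checks are the only conditions left guarding access.
            hits.append((no, name, [c for c in checks if c not in forced]))
    return hits

if __name__ == "__main__":
    for label, sample in (("forced", FORCED), ("gated", GATED)):
        print(label, find_forced_accept(sample))
```

Each hit lists the other check items on the same entry, which are the only conditions still evaluated before access is granted.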


Re: group search filter openLDAP

2012-03-24 Thread dhanushka ranasinghe
Hi..

As you mentioned, I was able to get that LDAP group to work. I added two
additional entries in the /etc/freeradius/user file to filter the users;
these are:



DEFAULT Ldap-Group == "cn=people,ou=users,dc=home,dc=com", Auth-Type := Accept
 Reply-Message = "You are Accepted"

DEFAULT Auth-Type := Reject


Then I faced a much bigger issue: freeradius started to ignore
the ldap userpassword. Even though I type the wrong password, freeradius
is granting access.

Hi guys, is there any way to solve this issue?

Thank You
Dhanushka


On 24 March 2012 17:35, Phil Mayers  wrote:
> On 03/24/2012 05:51 AM, dhanushka ranasinghe wrote:
>>
>> Hi guys,
>>
>> im using freeradius with LDAP , and its authentication works fine when
>> i use following configuration.
>>
>>        server = "ldap.home.com"
>>         identity = "cn=admin,dc=home,dc=com"
>>         password = home
>>         basedn = "ou=users,dc=home,dc=com"
>>         filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>>         base_filter = "(objectclass=radiusprofile)"
>>         access_attr = "uid"
>>         authtype = ldap
>>
>> but , then i created the LDAP group, and add the members to that,
>>
>> eg :
>>
>> dn: cn=people,ou=users,dc=home,dc=com
>> objectClass: groupOfNames
>> objectClass: top
>> cn: wso2
>> member: uid=userone,ou=user,dc=home,dc=com
>> member: uid=usertwo,ou=user,dc=home,dc=com
>>
>> , then i change my ldap  config  as follows ,
>>
>>         server = "ldap.home.com"
>>         identity = "cn=admin,dc=home,dc=com"
>>         password = home
>>         basedn = "cn=people,ou=users,dc=home,dc=com"
>>         filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>>         base_filter = "(objectclass=radiusprofile)"
>>         access_attr = "uid"
>>         authtype = ldap
>>
>> but this method is not working  , radius debug output says, user
>> cannot be searched within that group.  ,
>>
>> is there any particular search method that i need use... ?  , what can
>> i do to sort out this problem ?
>
>
> This is all completely wrong. You have told the LDAP module to search for
> all objects, including users, starting from the DN of the group you have
> created.
>
> Set your LDAP back how it was, then uncomment the "groupmembership_filter"
> and "groupname_attribute" in the "ldap" module config, that comes with the
> server by default. It should just work.


Re: group search filter openLDAP

2012-03-24 Thread Phil Mayers

On 03/24/2012 05:51 AM, dhanushka ranasinghe wrote:

> Hi guys,
>
> im using freeradius with LDAP , and its authentication works fine when
> i use following configuration.
>
>  server = "ldap.home.com"
>  identity = "cn=admin,dc=home,dc=com"
>  password = home
>  basedn = "ou=users,dc=home,dc=com"
>  filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>  base_filter = "(objectclass=radiusprofile)"
>  access_attr = "uid"
>  authtype = ldap
>
> but , then i created the LDAP group, and add the members to that,
>
> eg :
>
> dn: cn=people,ou=users,dc=home,dc=com
> objectClass: groupOfNames
> objectClass: top
> cn: wso2
> member: uid=userone,ou=user,dc=home,dc=com
> member: uid=usertwo,ou=user,dc=home,dc=com
>
> , then i change my ldap  config  as follows ,
>
>  server = "ldap.home.com"
>  identity = "cn=admin,dc=home,dc=com"
>  password = home
>  basedn = "cn=people,ou=users,dc=home,dc=com"
>  filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>  base_filter = "(objectclass=radiusprofile)"
>  access_attr = "uid"
>  authtype = ldap
>
> but this method is not working  , radius debug output says, user
> cannot be searched within that group.  ,
>
> is there any particular search method that i need use... ?  , what can
> i do to sort out this problem ?


This is all completely wrong. You have told the LDAP module to search 
for all objects, including users, starting from the DN of the group you 
have created.


Set your LDAP back how it was, then uncomment the 
"groupmembership_filter" and "groupname_attribute" in the "ldap" module 
config, that comes with the server by default. It should just work.
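
A small model of the two lookups described above, as an added example that is not part of the original post and is not FreeRADIUS code: a subtree user search from a base DN, followed by a separate membership test on the group entry. The directory contents, the user entries and all function names are constructed for illustration, and DN normalisation is simplified.

```python
# Constructed directory (DN -> attributes). The user entries are assumptions;
# the group follows the groupOfNames layout quoted in the thread.
USERS = "ou=users,dc=home,dc=com"
GROUP = "cn=people,ou=users,dc=home,dc=com"
DIRECTORY = {
    USERS: {"objectClass": ["organizationalUnit"]},
    "uid=userone," + USERS: {"objectClass": ["radiusprofile"], "uid": ["userone"]},
    "uid=userthree," + USERS: {"objectClass": ["radiusprofile"], "uid": ["userthree"]},
    GROUP: {"objectClass": ["groupOfNames"], "member": ["uid=userone," + USERS]},
}

def norm_dn(dn):
    """Simplified DN normalisation: lower-case, no spaces around commas, no escapes."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def subtree_search(basedn, attr, value):
    """Return DNs at or below basedn where attr equals value (subtree equality search)."""
    base = norm_dn(basedn)
    hits = []
    for dn, attrs in DIRECTORY.items():
        n = norm_dn(dn)
        in_scope = n == base or n.endswith("," + base)
        if in_scope and value.lower() in [v.lower() for v in attrs.get(attr, [])]:
            hits.append(dn)
    return hits

def is_member(user_dn, group_dn):
    """Model of a (member=<user DN>) test against one group entry."""
    members = DIRECTORY.get(group_dn, {}).get("member", [])
    return norm_dn(user_dn) in {norm_dn(m) for m in members}

def authorize(username, basedn, group_dn):
    """Locate the user under basedn, then test membership. Returns (user_dn, in_group)."""
    found = subtree_search(basedn, "uid", username)
    if not found:
        return None, False  # user search failed before any group check
    return found[0], is_member(found[0], group_dn)

if __name__ == "__main__":
    print(authorize("userone", USERS, GROUP))    # user base: found, member
    print(authorize("userone", GROUP, GROUP))    # group DN as base: user not found
    print(authorize("userthree", USERS, GROUP))  # found, but not a member
```

With the group DN as the search base, only the group entry itself is in scope and it has no uid, so the user lookup returns nothing; membership only matches when a member value is the exact DN of the user entry.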



group search filter openLDAP

2012-03-23 Thread dhanushka ranasinghe
Hi guys,

I'm using freeradius with LDAP, and its authentication works fine when
I use the following configuration.

server = "ldap.home.com"
identity = "cn=admin,dc=home,dc=com"
password = home
basedn = "ou=users,dc=home,dc=com"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
access_attr = "uid"
authtype = ldap

But then I created the LDAP group and added the members to it,

e.g.:

dn: cn=people,ou=users,dc=home,dc=com
objectClass: groupOfNames
objectClass: top
cn: wso2
member: uid=userone,ou=user,dc=home,dc=com
member: uid=usertwo,ou=user,dc=home,dc=com

Then I changed my LDAP config as follows:

server = "ldap.home.com"
identity = "cn=admin,dc=home,dc=com"
password = home
basedn = "cn=people,ou=users,dc=home,dc=com"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
access_attr = "uid"
authtype = ldap

But this method is not working; the radius debug output says the user
cannot be searched within that group.

Is there any particular search method that I need to use? What can
I do to sort out this problem?



Thank You
Dhanushka