ldap group membership

2007-07-16 Thread inverse
Hi,

my new problem is as follows ~_~:

I need to check if a username can be found within a ldap-group,
however the uid doesn't exist anywhere else but as an object in the
group.

radius.conf specific lines:
groupname_attribute = cn
groupmembership_filter = "(objectClass=GroupOfNames)"

users file lines:
[EMAIL PROTECTED] Auth-Type := Eap, User-Password == "y",
Ldap-Group == "wifi"

this is a test line which gives the same result as the EAP-TLS
specific line I use in production, however the debug output is much
cleaner..

The idea is to look for the existence of the username within a group,
and not to run a search for the uid, since this will always fail.
Don't ask me why these 'guest' ([EMAIL PROTECTED] is one) uids only
exist within the wifi group, that's a policy raining from the heavens
above me and I can't argue over it... maybe their random policy
generator is overflowing.
Maybe they are even trying to do something non-standard with their
ldap server and I can't tell.

And here we go: as you can see, freeradius never looks for the group
membership (proven to exist); it first looks for the uid, and this
will fail (which is expected to happen):

# /usr/local/sbin/radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 40
 main: cleanup_delay = 5
 main: max_requests = 65536
 main: delete_blocked_requests = 0
 main: port = 1818
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: bind_address = * IP address [***]
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = no
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
 pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded eap
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "/usr/local/etc/raddb/certs/crl"
 tls: pem_file_type = yes
 tls: private_key_file = "/usr/local/etc/raddb/certs/newkey.pem"
 tls: certificate_file = "/usr/local/etc/raddb/certs/newserv.pem"
 tls: CA_file = "/usr/local/etc/raddb/certs/crl/root.pem"
 tls: private_key_password = ""
 tls: dh_file = "/usr/local/etc/raddb/certs/dh"
 tls: random_file = "/usr/local/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = yes
 tls: check_cert_cn = "%{User-Name}"
 tls: cipher_list = "(null)"
 tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap

Ldap Group Membership Requirements

2007-06-20 Thread Cody Jarrett
I'm trying to require a user to be a member of the wireless group in 
ldap to be able to join the wireless. All users can currently join the 
wireless. I can't find very much documentation on the groupmembers* 
lines in the ldap section of radius.conf. Basically trying to figure out 
what I need to add to these lines: groupname_attribute, 
groupmembership_filter, and groupmembership_attribute. Also not sure if 
I need to add something to users file like: DEFAULT LDAP-Group == 
"wireless". Can anyone provide input on what I need to configure, Thanks.

wireless group in ldap, you can see cjarrett is a member:
dn: cn=wireless,ou=Groups,dc=itfreedom,dc=com
objectClass: posixGroup
cn: wireless
gidNumber: 1011
memberUid: cjarrett

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


ldap group membership required

2008-01-08 Thread Daniel Durgin

Hello,

I have searched the archives and google, and there seems to be lots of 
confusion on the subject: requiring membership in an LDAP group to 
authenticate.


I can't seem to get it to work.  Notice the misspelling of the member:

dn: cn=radius_wifi,ou=Groups,dc=fu,dc=bar
cn: min_radius_wifi
objectClass: groupOfNames
objectClass: top
member: cn=tes guest,ou=Guests,dc=fu,dc=bar


The real user, cn=test guest,ou=Guests,dc=fu,dc=bar, is still able to login.

FreeRadius Version: freeradius-1.0.1

ldap {
server = "localhost"
identity = "uid=authman,dc=fu,dc=bar"
password = XXX
basedn = "dc=fu,dc=bar"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
base_filter = "(objectclass=person)"

# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
#   access_attr = "uid"

# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5

password_attribute = userPassword
groupname_attribute = cn

groupmembership_filter = 
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"


groupmembership_attribute = 
"cn=radius_wifi,ou=Group,dc=fu,dc=bar"

timeout = 4
timelimit = 3
net_timeout = 1
#compare_check_items = yes
# do_xlat = yes
#   access_attr_used_for_allow = no
}

Thank you for the help,
Dan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


LDAP Group membership problems

2004-02-05 Thread Sam Silvester
Hi Everybody!

I'm stuck trying to implement an LDAP based FreeRADIUS server -
basically I've got Authorization working perfectly, but at the
Authentication stage, no group reply attributes are set. I'm obviously
not sure what the problem is, but from reading the debug output, it
looks almost as if a ldap search to get the reply attributes is not
being executed.

If I manually execute the search using ldapsearch, using the same bind
options as I see in the debug log, and with the filter specified by
groupmembership_filter, then I get the output that I would like to have
returned by FreeRADIUS as reply items, so I don't think it's a problem
with my LDAP data/schema etc. It just seems like I haven't correctly
instructed FreeRADIUS to actually "do it" - to go and get the group
information.

Here's the relevant section of my debug output...

---start debug output---
rlm_ldap: - authorize
rlm_ldap: performing user authorization for hugh
radius_xlat:  '(&(objectClass=radiusProfile)(uid=hugh))'
radius_xlat:  'dc=e-access,dc=com,dc=au'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=e-access,dc=com,dc=au, with filter
(&(objectClass=radiusProfile)(uid=hugh))
rlm_ldap: checking if remote access for hugh is allowed by dialupAccess
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user hugh authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 1
modcall: group authorize returns ok for request 1
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group Auth-Type for request 1
rlm_ldap: - authenticate
rlm_ldap: login attempt by "hugh" with password "testpass"
rlm_ldap: user DN:
cn=hugh,cn=3,cn=2000,cn=package,cn=hugh,cn=user,ou=eaccounts,dc=e-access
,dc=com,dc=au
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 1
rlm_ldap: bind as
cn=hugh,cn=3,cn=2000,cn=package,cn=hugh,cn=user,ou=eaccounts,dc=e-access
,dc=com,dc=au/testpass to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: user hugh authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 1
modcall: group Auth-Type returns ok for request 1
Sending Access-Accept of id 40 to 192.168.1.50:49167
Finished request 1
Going to the next request
---end debug output---

Here is the output from radtest

[EMAIL PROTECTED] raddb]# radtest hugh sportswater 127.0.0.1 1 testing123
Sending Access-Request of id 40 to 127.0.0.1:1812
User-Name = "hugh"
User-Password = "testpass"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=40,
length=20

Here is the ldap part of my radiusd.conf file, if you need any more
information don't hesitate to ask - I won't include the whole file here
just because it's so big!

ldap {
server = "127.0.0.1"
identity = "cn=root,dc=e-access,dc=com,dc=au"
password = test1234
basedn = "dc=e-access,dc=com,dc=au"
filter = "(&(objectClass=radiusProfile)(uid=%{Stripped-User-Name:-%{User-Name}}))"

# set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
# The StartTLS operation is supposed to be used with normal
# ldap connections instead of using ldaps (port 689) connections
start_tls = no

# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
access_attr = "dialupAccess"

# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap

ldap_connections_number = 5
# password_header = "{clear}"
# password_attribute = userPassword
groupname_attribute = uid
groupmembership_filter =
"(&(objectClass=radiusProfile)(uid=dialup))"
groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items = yes
# access_attr_used_for_allow = yes
}

Thanks in advance,

Sam Silvester
Systems Administrator

E-Access Internet
Customer Service: 1300 13 88 10
Our technical support hours are 9am - 9pm everyday (ACST)





RE : Ldap Group Membership Requirements

2007-06-20 Thread Thibault Le Meur
>Basically trying to 
> figure out 
> what I need to add to these lines: groupname_attribute, 
> groupmembership_filter, and groupmembership_attribute. Also 
> not sure if 
> I need to add something to users file like: DEFAULT LDAP-Group == 
> "wireless". Can anyone provide input on what I need to 
> configure, Thanks.
> 
> wireless group in ldap, you can see cjarrett is a member:
> dn: cn=wireless,ou=Groups,dc=itfreedom,dc=com
> objectClass: posixGroup
> cn: wireless
> gidNumber: 1011
> memberUid: cjarrett

You're using POSIXGroups:
groupname_attribute = cn
groupmembership_filter = "(&(objectclass=posixGroup)(memberUid=%u))"

No groupmembership_attribute.


In your users file, for instance:
DEFAULT LDAP-Group ==  "wireless" ...


See /usr/share/doc/freeradius/rlm_ldap text file.

HTH,
Thibault





Re: ldap group membership required

2008-01-08 Thread Alan DeKok
Daniel Durgin wrote:
> I have searched the archives and google, and there seems to be lots of
> confusion on the subject: requiring membership in an LDAP group to
> authenticate.

  No.

  Authentication involves checking credentials.  Authorization involves
*additional* and *independent* filter rules specifying when and where
people can authenticate.

  If you think of checking group membership as authentication, it means
that your conceptual model of how the system works is wrong.  Hence
designs of any solution will be wrong, and confusion will be multiplied.

> I can't seem to get it to work.  Notice the misspelling of the member:
> 
> dn: cn=radius_wifi,ou=Groups,dc=fu,dc=bar
> cn: min_radius_wifi
> objectClass: groupOfNames
> objectClass: top
> member: cn=tes guest,ou=Guests,dc=fu,dc=bar
> 
> 
> The real user, cn=test guest,ou=Guests,dc=fu,dc=bar, is still able to
> login.

  So... read the debug output to see why.  This is mentioned in so many
places that there is NO excuse for not doing it.

  I also fail to understand why people look at the *configuration* to
see how the server is *running*.  It's like driving a car while looking
only at a map, and not at the road in front of you.  If all goes well,
it might work.  But as soon as a pedestrian steps in front of your car,
you fail to see him, and *boom*, bad things happen.

> FreeRadius Version: freeradius-1.0.1

  Why?  That version is *years* old.

  Alan DeKok


Re: ldap group membership required

2008-01-09 Thread Daniel Durgin
Thank you for the quick reply.  I beat my head against it again, and 
again.  Then noticed the clients file.  I got it working.


Alan DeKok wrote:
> Daniel Durgin wrote:
> > I have searched the archives and google, and there seems to be lots of
> > confusion on the subject: requiring membership in an LDAP group to
> > authenticate.
>
>   No.
>
>   Authentication involves checking credentials.  Authorization involves
> *additional* and *independent* filter rules specifying when and where
> people can authenticate.
>
>   If you think of checking group membership as authentication, it means
> that your conceptual model of how the system works is wrong.  Hence
> designs of any solution will be wrong, and confusion will be multiplied.
>
> > I can't seem to get it to work.  Notice the misspelling of the member:
> >
> > dn: cn=radius_wifi,ou=Groups,dc=fu,dc=bar
> > cn: min_radius_wifi
> > objectClass: groupOfNames
> > objectClass: top
> > member: cn=tes guest,ou=Guests,dc=fu,dc=bar
> >
> > The real user, cn=test guest,ou=Guests,dc=fu,dc=bar, is still able to
> > login.
>
>   So... read the debug output to see why.  This is mentioned in so many
> places that there is NO excuse for not doing it.
>
>   I also fail to understand why people look at the *configuration* to
> see how the server is *running*.  It's like driving a car while looking
> only at a map, and not at the road in front of you.  If all goes well,
> it might work.  But as soon as a pedestrian steps in front of your car,
> you fail to see him, and *boom*, bad things happen.
>
> > FreeRadius Version: freeradius-1.0.1
>
>   Why?  That version is *years* old.

It comes with CentOS 5, or one of them Yum Repos.  I just needed a 
radius server to gateway for my LDAP server.

>   Alan DeKok



Thank you for the lesson, I learned a lot.

-Dan


Activate LDAP group membership checking

2010-10-22 Thread mic nightic
Hi,

I'm trying to activate the LDAP group membership checking in FreeRadius.

In my radiusd.conf I've modified the group checking section:

groupname_attribute = cn
groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
groupmembership_attribute = ou

By looking in my openldap logs, freeradius is not even trying to search for
the group.

Do I have to activate something else to enable group checking?

Thank you

Re: LDAP Group membership problems

2004-02-06 Thread Dustin Doris
What's in your users file?

Check http://doris.cc/radius it explains how to use the User-Profile to
send back group reply attributes.  Here are some relevant parts.

LDAP Entry
dn: uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com
objectclass: radiusprofile
uid: dial
radiusServiceType: Framed-User
radiusFramedProtocol: PPP
radiusFramedIPNetmask: 255.255.255.0
radiusFramedRouting: None

Users File
DEFAULT Huntgroup-Name == dial, Ldap-Group == dial, User-Profile :=
"uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com"
Fall-Through = no

The users file is saying if you are in the Huntgroup of dial and the
ldap-group of dial, then your reply attributes will be found in
uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com

Hope that helps
Dusty Doris

On Fri, 6 Feb 2004, Sam Silvester wrote:

> Hi Everybody!
>
> I'm stuck trying to implement an LDAP based FreeRADIUS server -
> basically I've got Authorization working perfectly, but at the
> Authentication stage, no group reply attributes are set. I'm obviously
> not sure what the problem is, but from reading the debug output, it
> looks almost as if a ldap search to get the reply attributes is not
> being executed.
>
> If I manually execute the search using ldapsearch, using the same bind
> options as I see in the debug log, and with the filter specified by
> groupmembership_filter, then I get the output that I would like to have
> returned by FreeRADIUS as reply items, so I don't think it's a problem
> with my LDAP data/schema etc. It just seems like I haven't correctly
> instructed FreeRADIUS to actually "do it" - to go and get the group
> information.
>
> Here's the relevant section of my debug output...
>
> ---start debug output---
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for hugh
> radius_xlat:  '(&(objectClass=radiusProfile)(uid=hugh))'
> radius_xlat:  'dc=e-access,dc=com,dc=au'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=e-access,dc=com,dc=au, with filter
> (&(objectClass=radiusProfile)(uid=hugh))
> rlm_ldap: checking if remote access for hugh is allowed by dialupAccess
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user hugh authorized to use remote access
> ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 1
> modcall: group authorize returns ok for request 1
>   rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
> modcall: entering group Auth-Type for request 1
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "hugh" with password "testpass"
> rlm_ldap: user DN:
> cn=hugh,cn=3,cn=2000,cn=package,cn=hugh,cn=user,ou=eaccounts,dc=e-access
> ,dc=com,dc=au
> rlm_ldap: (re)connect to 127.0.0.1:389, authentication 1
> rlm_ldap: bind as
> cn=hugh,cn=3,cn=2000,cn=package,cn=hugh,cn=user,ou=eaccounts,dc=e-access
> ,dc=com,dc=au/testpass to 127.0.0.1:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: user hugh authenticated succesfully
>   modcall[authenticate]: module "ldap" returns ok for request 1
> modcall: group Auth-Type returns ok for request 1
> Sending Access-Accept of id 40 to 192.168.1.50:49167
> Finished request 1
> Going to the next request
> ---end debug output---
>
> Here is the output from radtest
>
> [EMAIL PROTECTED] raddb]# radtest hugh sportswater 127.0.0.1 1 testing123
> Sending Access-Request of id 40 to 127.0.0.1:1812
> User-Name = "hugh"
> User-Password = "testpass"
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 1
> rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=40,
> length=20
>
> Here is the ldap part of my radiusd.conf file, if you need any more
> information don't hesitate to ask - I won't include the whole file here
> just because it's so big!
>
> ldap {
> server = "127.0.0.1"
> identity = "cn=root,dc=e-access,dc=com,dc=au"
> password = test1234
> basedn = "dc=e-access,dc=com,dc=au"
> filter = "(&(objectClass=radiusProfile)(uid=%{Stripped-User-Name:-%{User-Name}}))"
>
> # set this to 'yes' to use TLS encrypted connections
> # to the LDAP database by using the StartTLS extended
> # operation.
> # The StartTLS operation is supposed to be used with normal
> # ldap connections instead of using ldaps (port 689) connections
> start_tls = no
>
> # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
> # profile_attribute = "radiusProfileDn"
> access_attr = "dialupAccess"
>
> # Mapping of RADIUS dictionary attributes to LDAP
> # directory attributes.
> dictionary_mapping = ${raddbdir}/ldap.attrmap
>
> ldap_connections_number = 5
> # password_header = "{clear}"
> # password_attribute = u

Re: RE : Ldap Group Membership Requirements

2007-06-20 Thread Cody Jarrett
So it will search and find the group, but I can still connect with my 
user even though it isn't in that group. Any ideas on how to keep a user 
from connecting if their account isn't in that group?




Thibault Le Meur wrote:
> > Basically trying to 
> > figure out 
> > what I need to add to these lines: groupname_attribute, 
> > groupmembership_filter, and groupmembership_attribute. Also 
> > not sure if 
> > I need to add something to users file like: DEFAULT LDAP-Group == 
> > "wireless". Can anyone provide input on what I need to 
> > configure, Thanks.
> >
> > wireless group in ldap, you can see cjarrett is a member:
> > dn: cn=wireless,ou=Groups,dc=itfreedom,dc=com
> > objectClass: posixGroup
> > cn: wireless
> > gidNumber: 1011
> > memberUid: cjarrett
>
> You're using POSIXGroups:
> groupname_attribute = cn
> groupmembership_filter = "(&(objectclass=posixGroup)(memberUid=%u))"
>
> No groupmembership_attribute.
>
> In your users file, for instance:
> DEFAULT LDAP-Group ==  "wireless" ...
>
> See /usr/share/doc/freeradius/rlm_ldap text file.
>
> HTH,
> Thibault

Re: RE : Ldap Group Membership Requirements

2007-06-20 Thread tnt
DEFAULT   LDAP-Group!="wireless", Auth-Type:=Reject
 Reply-Message="You are not allowed to connect"

Ivan Kalik
Kalik Informatika ISP

Dana 20/6/2007, "Cody Jarrett" <[EMAIL PROTECTED]> piše:

>So it will search and find the group, but I can still connect with my
>user even though it isn't in that group. Any ideas on how to keep a user
>from connecting if their account isn't in that group?
>
>
>
>Thibault Le Meur wrote:
>>> Basically trying to
>>> figure out
>>> what I need to add to these lines: groupname_attribute,
>>> groupmembership_filter, and groupmembership_attribute. Also
>>> not sure if
>>> I need to add something to users file like: DEFAULT LDAP-Group ==
>>> "wireless". Can anyone provide input on what I need to
>>> configure, Thanks.
>>>
>>> wireless group in ldap, you can see cjarrett is a member:
>>> dn: cn=wireless,ou=Groups,dc=itfreedom,dc=com
>>> objectClass: posixGroup
>>> cn: wireless
>>> gidNumber: 1011
>>> memberUid: cjarrett
>>>
>>
>> You're using POSIXGroups:
>> groupname_attribute = cn
>> groupmembership_filter = "(&(objectclass=posixGroup)(memberUid=%u))"
>>
>> No groupmembership_attribute.
>>
>>
>> In your users file, for instance:
>> DEFAULT LDAP-Group ==  "wireless" ...
>>
>>
>> See /usr/share/doc/freeradius/rlm_ldap text file.
>>
>> HTH,
>> Thibault
>>
>>
>>

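Cody's follow-up above ("I can still connect with my user even though it isn't in that group") and tnt's one-line fix come down to how the users file is matched: an entry whose check items do not hold is simply skipped; it never rejects anything by itself, so a file containing only `DEFAULT LDAP-Group == "wireless"` leaves non-members to the normal authentication path. The toy model below is an added example for this page, not FreeRADIUS code. It assumes group membership is handed in as a set (standing in for rlm_ldap's ldap_groupcmp), understands only the `Ldap-Group ==`/`!=` check items, `:=` control assignments and the `Fall-Through` reply item used in these threads, and assumes that a request which reaches credential checking succeeds.

```python
from dataclasses import dataclass, field

# Added example for this page, not FreeRADIUS code: a toy model of how entries
# in the "users" file are matched, reduced to the items these threads use.


@dataclass
class Entry:
    name: str                                   # "DEFAULT" or a specific User-Name
    check: list = field(default_factory=list)   # [(attribute, operator, value)]
    reply: list = field(default_factory=list)   # [(attribute, operator, value)]


@dataclass
class Request:
    user: str
    ldap_groups: set                            # groups ldap_groupcmp would find the user in
    control: dict = field(default_factory=dict)
    reply: dict = field(default_factory=dict)


def match_entry(entry: Entry, req: Request) -> bool:
    """All check items must hold; ':=' items are applied only if the entry matches."""
    if entry.name != "DEFAULT" and entry.name != req.user:
        return False
    assignments = {}
    for attr, op, value in entry.check:
        if op == ":=":
            assignments[attr] = value
        elif attr.lower() == "ldap-group":
            member = value in req.ldap_groups
            if (op == "==") != member:      # '==' needs membership, '!=' needs non-membership
                return False
        else:
            raise ValueError("toy model does not understand %s %s" % (attr, op))
    req.control.update(assignments)
    return True


def process(entries: list, req: Request) -> Request:
    """Walk the file top to bottom; stop at the first match unless it sets Fall-Through."""
    for entry in entries:
        if not match_entry(entry, req):
            continue                        # a failed check item skips the entry, nothing more
        fall_through = False
        for attr, _op, value in entry.reply:
            if attr.lower() == "fall-through":
                fall_through = str(value).lower() in ("yes", "1")
            else:
                req.reply[attr] = value
        if not fall_through:
            break
    return req


def outcome(entries: list, user: str, groups) -> tuple:
    """Toy decision: Auth-Type := Reject yields Access-Reject; anything else goes on
    to normal credential checking, which this model assumes succeeds."""
    req = process(entries, Request(user, set(groups)))
    code = "Access-Reject" if req.control.get("Auth-Type") == "Reject" else "Access-Accept"
    return code, dict(req.reply)


# Cody's configuration: a bare membership check with no entry for non-members.
MEMBER_ONLY = [Entry("DEFAULT", check=[("Ldap-Group", "==", "wireless")])]

# tnt's reply: an entry that matches non-members and forces a reject.
WITH_REJECT = [
    Entry("DEFAULT",
          check=[("Ldap-Group", "!=", "wireless"), ("Auth-Type", ":=", "Reject")],
          reply=[("Reply-Message", "=", "You are not allowed to connect")]),
] + MEMBER_ONLY


if __name__ == "__main__":
    # "guest" is a constructed user who is in no group at all.
    for entries, label in ((MEMBER_ONLY, "member-only"), (WITH_REJECT, "with reject")):
        for user, groups in (("cjarrett", {"wireless"}), ("guest", set())):
            print(label, user, outcome(entries, user, groups))
```

Running it shows the gap Cody reported: with only the `==` entry, `guest` is accepted exactly like `cjarrett`, because no entry matched and nothing set `Auth-Type` to `Reject`. With tnt's `!=` entry in front, `guest` gets `Access-Reject` plus the `Reply-Message`, while `cjarrett` skips that entry and is accepted as before.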


Re: Activate LDAP group membership checking

2010-10-22 Thread Alan DeKok
mic nightic wrote:
> By looking in my openldap logs, freeradius is not even trying to search
> for the group.
>  
> Do i have to activate something else to enable group checking?

  doc/rlm_ldap

  Look for "group support"

  Alan DeKok.



Re: Activate LDAP group membership checking

2010-10-22 Thread mic nightic
Yes sir! thank you

Found the solution in the doc
On Fri, Oct 22, 2010 at 12:57 PM, Alan DeKok wrote:

> mic nightic wrote:
> > By looking in my openldap logs, freeradius is not even trying to search
> > for the group.
> >
> > Do i have to activate something else to enable group checking?
>
>  doc/rlm_ldap
>
>  Look for "group support"
>
>  Alan DeKok.
>

MSCHAP Authentication and LDAP Group Membership checking

2008-09-05 Thread kesm0724
t: plaintext: NT_KEY: 1E79BE41DB018B9E293DA357E6E5EA0D
Exec-Program: returned: 0
rlm_mschap: adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
Login OK: [voila\\webtest] (from client VPN port 1151 cli 123.111.6.76)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 83 to 10.2.1.6 port 1059
MS-CHAP2-Success =
0x00533d3136423031434136463832333133373034393432393943303539423539334346434433314336
MS-MPPE-Recv-Key = 0x5e34def484a9a9c160f712e90322bca0
MS-MPPE-Send-Key = 0x2f644ea60d80525ed0b13527ca916aae
MS-MPPE-Encryption-Policy = 0x0001
MS-MPPE-Encryption-Types = 0x0006
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 83 with timestamp +888
Ready to process requests.

It appears that MSCHAP is used to verify the password but LDAP is not
properly checking the "VPN-Users" AD group. I believe it is not stripping
the domain portion off correctly as I see the domain name appended to
(sAMAccountName=voila\5cwebtest)

My users File entries:

(The first entry I would like to be used by the concentrator to search the
group and if the user is a member allow them access - of course
authenticating the provided password)

DEFAULT LDAP-Group == "vpn-users"
Fall-Through = Yes

This entry is for our network switches/routers - this appears to be working
without any issue.

DEFAULT LDAP-Group == "Radius-Admin"
Service-Type = Login-User,
cisco-avpair = "shell:priv-lvl=15",
Fall-Through = Yes

If I login from my network devices it performs the ldap searches without
issue and authenticates/authorizes the user - You can see this below:

rlm_ldap: performing search in dc=voila,dc=com, with filter
(&(cn=vpn-users)(|(&(objectClass=group)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom
rlm_ldap::ldap_groupcmp: User found in group vpn-users
rlm_ldap: ldap_release_conn: Release Id: 0
users: Matched entry DEFAULT at line 178
rlm_ldap: Entering ldap_groupcmp()
expand: dc=voila,dc=com -> dc=voila,dc=com
expand:
(|(&(objectClass=group)(member=%{check:LDAP-UserDn}))(&(objectClass=GroupOfNames)(member=%{check:LDAP-UserDn})))
->
(|(&(objectClass=group)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=voila,dc=com, with filter
(&(cn=Radius-Admin)(|(&(objectClass=group)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom
rlm_ldap::ldap_groupcmp: User found in group Radius-Admin
rlm_ldap: ldap_release_conn: Release Id: 0
users: Matched entry DEFAULT at line 181
++[files] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for zkms
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) ->
(sAMAccountName=zkms)
expand: dc=voila,dc=com -> dc=voila,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=voila,dc=com, with filter
(sAMAccountName=zkms)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
rlm_ldap: user zkms authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. 
Authentication may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
+- entering group LDAP
rlm_ldap: - authenticate
rlm_ldap: login attempt by "zkms" with password "Omitted"
rlm_ldap: user DN: CN=zkms,CN=Users,DC=voila,DC=com
rlm_ldap: (re)connect to control.voila.com:389, authentication 1
rlm_ldap: bind as CN=zkms,CN=Users,DC=voila,DC=com/Omitted to
control.voila.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user zkms authenticated succesfully


Thanks in advance for any pointers.



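The debug output above shows the two halves of an `Ldap-Group` check: the `groupmembership_filter` template is expanded, each substituted value is escaped (the user DN `CN=zkms,CN=Users,DC=voila,DC=com` comes out as `CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom`), and the result is ANDed with `(cn=<group>)`. The following is an added example for this page, not rlm_ldap's code, that reproduces that expansion for both Thibault's posixGroup filter and kesm0724's Active Directory filter. The allow-list of characters left unescaped is an assumption chosen to match the page's output; only `%u`, `%{Attr}` and `%{list:Attr}` references are modelled, not the `:-` default syntax used in the user filter.

```python
import re

# Added example for this page (not rlm_ldap's own code): how a FreeRADIUS-style
# groupmembership_filter template becomes the concrete LDAP search filter seen
# in the debug output above, and why each substituted value must be escaped.

# Allow-list escaping: every character outside this set is emitted as \xx.
# The exact allow-list is an assumption; it reproduces what the debug output
# on this page shows ('=' -> \3d, ',' -> \2c).  RFC 4515 itself only requires
# escaping of '*', '(', ')', '\' and NUL, so this is stricter than the minimum.
_SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ._-")


def ldap_escape(value: str) -> str:
    """Escape a value so it can only ever be matched as data, never as filter syntax."""
    out = []
    for ch in value:
        if ch in _SAFE:
            out.append(ch)
        else:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
    return "".join(out)


# Supported references: %u (shorthand for %{User-Name}), %{Attr} and %{list:Attr}.
_XLAT = re.compile(r"%\{([^}]+)\}|%u")


def expand(template: str, attrs: dict) -> str:
    """Expand attribute references in a filter template, escaping each value."""
    lookup = {k.lower(): v for k, v in attrs.items()}   # attribute names are case-insensitive

    def sub(m):
        ref = m.group(1) or "User-Name"
        attr = ref.split(":")[-1]           # "%{check:LDAP-UserDn}" -> "LDAP-UserDn"
        if attr.lower() not in lookup:
            raise KeyError("filter template references unknown attribute %r" % attr)
        return ldap_escape(lookup[attr.lower()])

    return _XLAT.sub(sub, template)


def group_filter(groupname_attribute: str, group: str, template: str, attrs: dict) -> str:
    """The search run for an 'Ldap-Group == <group>' check item: the group name is
    ANDed with the expanded membership filter, as the debug output above shows."""
    return "(&(%s=%s)%s)" % (groupname_attribute, ldap_escape(group), expand(template, attrs))


# Thibault's posixGroup configuration from this page
POSIX_TEMPLATE = "(&(objectclass=posixGroup)(memberUid=%u))"

# kesm0724's Active Directory configuration from this page
AD_TEMPLATE = ("(|(&(objectClass=group)(member=%{check:LDAP-UserDn}))"
               "(&(objectClass=GroupOfNames)(member=%{check:LDAP-UserDn})))")


if __name__ == "__main__":
    print(group_filter("cn", "wireless", POSIX_TEMPLATE, {"User-Name": "cjarrett"}))
    print(group_filter("cn", "vpn-users", AD_TEMPLATE,
                       {"LDAP-UserDn": "CN=zkms,CN=Users,DC=voila,DC=com"}))
    # A constructed User-Name containing filter metacharacters: substituted raw it
    # would change the filter's structure; escaped, it is just an odd memberUid value.
    print(expand(POSIX_TEMPLATE, {"User-Name": "x)(uid=*"}))
```

The second printed line is character-for-character the filter in the debug output above, which is a quick way to confirm that a value you see in a trace was escaped rather than spliced in verbatim. The third line is the reason the escaping matters: the only place a RADIUS client controls is the User-Name, and it lands inside the filter.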


Configure authentication via LDAP Group membership issue

2007-10-22 Thread David Hobley
I have set up a VPN pointing to a FreeRadius server and have it 
authenticating successfully against my LDAP server, but I would also like to 
limit access to only those people who are a member of the VPN group. 

Normally, this would be simple, but because of the LDAP server I am using, 
the hierarchy looks like this: 

User Account: 

ldapsearch -h ldap -x -b "dc=MY,dc=DOMAIN" "(uid=firstname.lastname)" 
dn: uid=firstname.lastname,ou=people,dc=MY,dc=DOMAIN 
uidNumber: 1024 
... 

Group entry is: 

ldapsearch -h ldap -x -b "dc=MY,dc=DOMAIN" "(cn=VPN Users)" 
dn: cn=VPN Users,ou=groups,dc=MY,dc=DOMAIN 
memberUid: 1024 
... 

So I need to somehow configure Radius to search on me, get my uidNumber and 
then search on the group. If I skip the searching to get the uidNumber, I 
can configure the Radius (for this single account) correctly: 

In the ldap module I include: 
... 
groupname_attribute = cn 
groupmembership_filter = "(memberUid=1024)" 
with the following entry in the users file: 

DEFAULT Auth-Type = LDAP 
Fall-Through = 1 

DEFAULT LDAP-Group == "VPN Users" 
Service-Type = Administrative-User 

and this works as expected, but is there any way I can substitute the 1024 
for an ldap search result so I can dynamically return the uidNumber for the 
%{User-Name} field? 

Thanks! 

Cheers, 
David 


LDAP password lookup and LDAP group membership

2005-04-27 Thread Zawacki Jason D Contr AFRL/IFOS
Hello all.
 
Another problem I'm having - I want to be able to check that a user is in a
group in LDAP.  I've been using the users file to do this, and here's what
I've tried:
 
DEFAULT Ldap-Group == "CN=x,OU=y,DC=z", 
Auth-Type := LDAP, Fall-Through = No
 
This setup accepts me whether or not I'm in the group.  If I do this:

DEFAULT Ldap-Group == "CN=x,OU=y,DC=z", 
Auth-Type := LDAP, Fall-Through = No

DEFAULT Auth-Type := Reject

I'll always be rejected.

LDAP refers to an Auth-Type I've set up.  I didn't think it was relevant so
I didn't include it here.

Thanks in advance,
Jason




Re: MSCHAP Authentication and LDAP Group Membership checking

2008-09-05 Thread tnt
> +- entering group MS-CHAP
>  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
>  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
>  rlm_mschap: Told to do MS-CHAPv2 for webtest with NT-Password
>expand: --domain=%{mschap:NT-Domain} -> --domain=voila
>expand: --username=%{mschap:User-Name} -> --username=webtest
> mschap2: 0e
>expand: --challenge=%{mschap:Challenge:-00} ->
>--challenge=dcdc37024aecaec1
>expand: --nt-response=%{mschap:NT-Response:-00} ->
>--nt-response=5808068d4047ef8a58e79d488a62d41e89128aabd6d88c52
>Exec-Program output: NT_KEY: 1E79BE41DB018B9E293DA357E6E5EA0D
>Exec-Program-Wait: plaintext: NT_KEY: 1E79BE41DB018B9E293DA357E6E5EA0D
>Exec-Program: returned: 0
>rlm_mschap: adding MS-CHAPv2 MPPE keys
>++[mschap] returns ok
>Login OK: [voila\\webtest] (from client VPN port 1151 cli 123.111.6.76)
>+- entering group post-auth
>++[exec] returns noop
>Sending Access-Accept of id 83 to 10.2.1.6 port 1059
>MS-CHAP2-Success =
>0x00533d3136423031434136463832333133373034393432393943303539423539334346434433314336
>MS-MPPE-Recv-Key = 0x5e34def484a9a9c160f712e90322bca0
>MS-MPPE-Send-Key = 0x2f644ea60d80525ed0b13527ca916aae
>MS-MPPE-Encryption-Policy = 0x0001
>MS-MPPE-Encryption-Types = 0x0006
>Finished request 2.
>Going to the next request
>Waking up in 4.9 seconds.
>Cleaning up request 2 ID 83 with timestamp +888
>Ready to process requests.
>
>It appears that MSCHAP is used to verify the password but LDAP is not
>properly checking the "VPN-Users" AD group. I believe it is not stripping
>the domain portion off correctly as I see the domain name appended to
>(sAMAccountName=voila\5cwebtest)
>
>My users File entries:
>
>(The first entry I would like to be used by the concentrator to search the
>group and if the user is a member allow them access - of course
>authenticating the provided password)
>
>DEFAULT LDAP-Group == "vpn-users"
>Fall-Through = Yes
>
>This entry is for our network switches/routers - this appears to be working
>without any issue.
>
>DEFAULT LDAP-Group == "Radius-Admin"
>Service-Type = Login-User,
>cisco-avpair = "shell:priv-lvl=15",
>Fall-Through = Yes
>
>If I login from my network devices it performs the ldap searches without
>issue and authenticates/authorizes the user - You can see this below:
>
>rlm_ldap: performing search in dc=voila,dc=com, with filter
>(&(cn=vpn-users)(|(&(objectClass=group)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom
>rlm_ldap::ldap_groupcmp: User found in group vpn-users
>rlm_ldap: ldap_release_conn: Release Id: 0
>users: Matched entry DEFAULT at line 178
>rlm_ldap: Entering ldap_groupcmp()
>expand: dc=voila,dc=com -> dc=voila,dc=com
>expand:
>(|(&(objectClass=group)(member=%{check:LDAP-UserDn}))(&(objectClass=GroupOfNames)(member=%{check:LDAP-UserDn})))
>->
>(|(&(objectClass=group)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom)))
>rlm_ldap: ldap_get_conn: Checking Id: 0
>rlm_ldap: ldap_get_conn: Got Id: 0
>rlm_ldap: performing search in dc=voila,dc=com, with filter
>(&(cn=Radius-Admin)(|(&(objectClass=group)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom
>rlm_ldap::ldap_groupcmp: User found in group Radius-Admin
>rlm_ldap: ldap_release_conn: Release Id: 0
>users: Matched entry DEFAULT at line 181
>++[files] returns ok
>rlm_ldap: - authorize
>rlm_ldap: performing user authorization for zkms
>WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
>details
>expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) ->
>(sAMAccountName=zkms)
>expand: dc=voila,dc=com -> dc=voila,dc=com
>rlm_ldap: ldap_get_conn: Checking Id: 0
>rlm_ldap: ldap_get_conn: Got Id: 0
>rlm_ldap: performing search in dc=voila,dc=com, with filter
>(sAMAccountName=zkms)
>rlm_ldap: looking for check items in directory...
>rlm_ldap: looking for reply items in directory...
>WARNING: No "known good" password was found in LDAP.  Are you sure that the
>user is configured correctly?
>rlm_ldap: user zkms authorized to use remote access
>rlm_ldap: ldap_release_conn: Release Id: 0
>++[ldap] returns ok
>++[expiration] returns noop
>++[logintime] returns noop
>rlm_pap: WARNING! No "

Re: Configure authentication via LDAP Group membership issue

2007-10-30 Thread David Hobley
All, 

I have still not been able to find a solution for this, it looks like I might 
be able to use an xlat rule for it, but I can't get my head around how to write 
it. Can anyone point me to suitable documentation for xlat - while I have read 
all the docco that comes with the FreeRadius (in /usr/share) I am missing 
something in order to apply it. 

Cheers, 
David 
- Original Message - 
From: "David Hobley" <[EMAIL PROTECTED]> 
To: freeradius-users@lists.freeradius.org 
Sent: Tuesday, 23 October 2007 04:10:51 PM (GMT+1000) Australia/Brisbane 
Subject: Configure authentication via LDAP Group membership issue 


FW: LDAP password lookup and LDAP group membership

2005-04-27 Thread Zawacki Jason D Contr AFRL/IFOS
Nevermind, I found how to get this to work.  I was assuming that anything in
the Check-Item were all AND'd together when they are on one line.  I got it
to work this way:

DEFAULT Ldap-Group != "CN=x,OU=y,DC=z", Auth-Type := Reject

DEFAULT Auth-Type := LDAP

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Zawacki
Jason D Contr AFRL/IFOS
Sent: Wednesday, April 27, 2005 10:23 AM
To: 'freeradius-users@lists.freeradius.org'
Subject: LDAP password lookup and LDAP group membership




Trouble with matching LDAP group membership in authorize

2007-01-30 Thread Richard Hesse
I'm trying to setup radius authentication for enable access on our networking 
gear and having a tough time getting a working config. I'd like to have FR 
check a group in LDAP for membership before authorizing. That is, I only want 
users listed in the "uniquemember" attribute of the Operations group object to 
be granted access. Reading the FR docs this is possible -- I must be missing 
something. First, here are the relevant portions of my configs:

Hint file:
DEFAULT NAS-Port-Type == Virtual, Service-Type == NAS-Prompt-User, 
ldap_enable-Ldap-Group := "operations", Autz-Type := ldap_enable, Auth-Type := 
LDAP

radius.conf:
ldap ldap_enable{
server = "fds1.hq.powerset.com"
basedn = "dc=powerset,dc=com"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
start_tls = yes
tls_cacertfile  = /opt/fedora-ds/alias/starfield.pem
tls_require_cert= "demand"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
#   ldap_debug = 1
#groupname_attribute = cn
groupmembership_filter = 
"(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))"
timeout = 4
timelimit = 3
net_timeout = 3
# compare_check_items = yes
# do_xlat = yes
access_attr_used_for_allow = no
set_auth_type = no
}

I have several LDAP instances defined in radius.config, but this is the one I 
want to use. I instantiate it first in radius.config so that hints can use it:

instantiate {
ldap_enable
exec
expr
}

And a corresponding Autz-Type in radius.config:
authorize {
preprocess
suffix
ntdomain
eap
autztype ldap{
redundant {
fds1
#fds2
}
}
autztype ldap_enable{
ldap_enable
}
files
pap
}

Here's the debug output from when I try and connect:
rad_recv: Access-Request packet from host 64.13.145.238:1024, id=96, length=71
User-Name = "dick"
User-Password = ""
NAS-IP-Address = 64.13.145.238
NAS-Identifier = "h2848-1"
NAS-Port-Type = Virtual
Service-Type = NAS-Prompt-User
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  hints: Matched DEFAULT at 35  <--- This is the correct entry
  modcall[authorize]: module "preprocess" returns ok for request 0
rlm_realm: No '@' in User-Name = "dick", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
rlm_realm: No '\' in User-Name = "dick", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
  modcall[authorize]: module "files" returns notfound for request 0
rlm_pap: WARNING! No "known good" password found for the user.  Authentication 
may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0

It appears that FR is ignoring the Autz-Type I set in hints and just processes 
the entries in authorize in sequential order. This is the default behavior 
unless an Autz-Type is explicitly set (which I do in hints). How do I get the 
Autz-Type to kick-in and have FR send the request to the proper LDAP entry?

Thanks in advance,
-richard







Re: Trouble with matching LDAP group membership in authorize

2007-01-30 Thread Richard Hesse
Nevermind I found the problem. There's a limitation in ldap_groupcmp() such 
that only the last LDAP module instantiated is actually checked -- ignoring 
whatever you specify. I found this info from 
http://lists.cistron.nl/pipermail/freeradius-users/2004-June/033220.html. 



"In any case the ldap module which will be instantiated last will be the one
that will handle ldap-group comparisons. If we add a check that will change to
the first ldap module which is instantiated. I think it's more or less a matter
of personal taste, which module we 'd like to handle ldap-group comparisons. Is
it really worth the effort. Users can just change the order in which the ldap
modules are instantiated in order to achieve what they want."

Rather disappointing that this limitation still exists from 2 years ago. Does 
FR2.0 have some sort of object-based virtualization that would support this? 
Like, a "LDAP group" object which you could tie LDAP instances to and make the 
check there?

-richard


- Original Message 

From: Richard Hesse <[EMAIL PROTECTED]>

To: freeradius-users@lists.freeradius.org

Sent: Tuesday, January 30, 2007 12:40:36 PM

Subject: Trouble with matching LDAP group membership in authorize


Re: Trouble with matching LDAP group membership in authorize

2007-01-30 Thread Alan DeKok
Richard Hesse wrote:
> Rather disappointing that this limitation still exists from 2 years ago.

  As always, patches are welcome.

> Does FR2.0 have some sort of object-based virtualization that would support 
> this?
> Like, a "LDAP group" object which you could tie LDAP instances to and make 
> the check there?

  No, but we'd welcome patches.

  In any case, if you carefully read the text you quoted, you'll see a
solution that doesn't require patches: List ALL ldap modules in the
"instantiate" section, and list "ldap_enable" last.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Trouble with matching LDAP group membership in authorize

2007-01-31 Thread Richard Hesse
>  In any case, if you carefully read the text you quoted, you'll see a
> solution that doesn't require patches: List ALL ldap modules in the
>"instantiate" section, and list "ldap_enable" last.
>  Alan DeKok.

Yes, that's what I ended up doing. However, I lose the ability to do 
load-balance and redundancy constructs. rlm_ldap indicates that I can list 
multiple LDAP servers for the host in radius.conf. How exactly does that work 
compared to redundancy or load-balance? Does it try the first, then the second, 
etc every time? Does it round-robin?

Thanks,
-richard





Re: Trouble with matching LDAP group membership in authorize

2007-01-31 Thread Alan DeKok
Richard Hesse wrote:
>
> Yes, that's what I ended up doing. However, I lose the ability
> to do load-balance and redundancy constructs.

  Why?

> rlm_ldap indicates
> that I can list multiple LDAP servers for the host in
> radius.conf. How exactly does that work compared to redundancy
> or load-balance? Does it try the first, then the second, etc
> every time? Does it round-robin?

  doc/configurable_failover
  doc/load-balance.txt

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Trouble with matching LDAP group membership in authorize

2007-01-31 Thread Phil Mayers

Richard Hesse wrote:

Nevermind I found the problem. There's a limitation in
ldap_groupcmp() such that only the last LDAP module instantiated is
actually checked -- ignoring whatever you specify. I found this info
from
http://lists.cistron.nl/pipermail/freeradius-users/2004-June/033220.html.




That's for the attribute "Ldap-Group". The module-name-prefixed version, 
"ldap_enable-Ldap-Group" should work fine.


Your original mail listed:

Hint file:

DEFAULT NAS-Port-Type == Virtual, Service-Type == NAS-Prompt-User, 
ldap_enable-Ldap-Group := "operations", Autz-Type := ldap_enable, 
Auth-Type := LDAP


You are using := to compare ldap_enable-Ldap-Group - use ==

Try setting the Autz-Type in the "users" file


RE: Configure authentication via LDAP Group membership issue [sec=unclassified]

2007-10-30 Thread Ranner, Frank MR
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
David Hobley
Sent: Wednesday, 31 October 2007 10:50
To: FreeRadius users mailing list
Subject: Re: Configure authentication via LDAP Group membership
issue


The memberUid attribute in a posixgroup is supposed to hold the uid, not
the uidNumber. That would make your groupmembership_filter =
"(memberUid=%{User-Name})" or more robustly, 
groupmembership_filter =
"(&(memberUid=%{Stripped-User-Name:-%{User-Name}})(objectClass=posixGroup))"

Regards,
Frank Ranner
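As an added illustration, not code from any of the list posts, here is a small Python model of the rlm_ldap Ldap-Group comparison: the hex-escaping of xlat'd values that the debug output earlier on this page shows (`\3d`, `\2c`, `\5c`), Frank Ranner's posixGroup filter from the answer above, and a constructed in-memory directory that reproduces David Hobley's memberUid/uidNumber mix-up. `DIRECTORY`, `check_vpn_access` and the "VPN Users Fixed" group are constructed names; the evaluator only handles all-AND filters.

```python
"""Toy model of the rlm_ldap Ldap-Group comparison discussed in this thread.
Added example, not code from any list post; DIRECTORY, check_vpn_access and
the "VPN Users Fixed" group are constructed names."""
import re

# Characters rlm_ldap hex-escapes when expanding %{...} inside a filter.  The
# debug output on this page shows '=' -> \3d, ',' -> \2c and '\' -> \5c, so
# the set covers the RFC 4515 filter specials plus the DN specials.  This is
# what keeps a crafted User-Name from changing the filter's structure.
_UNSAFE = set('*()\\\x00,=+<>;"#')


def escape_filter_value(value):
    """Hex-escape unsafe characters as \\XX (voila\\webtest -> voila\\5cwebtest)."""
    return ''.join('\\%02x' % ord(c) if c in _UNSAFE else c for c in value)


def unescape_filter_value(value):
    """Reverse of escape_filter_value: \\XX -> the character it encodes."""
    return re.sub(r'\\([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), value)


def posixgroup_filter(user_name, stripped_user_name=''):
    """Frank Ranner's filter with its xlat expanded:
    (&(memberUid=%{Stripped-User-Name:-%{User-Name}})(objectClass=posixGroup))
    Stripped-User-Name, when a realm module has set it, wins over User-Name."""
    name = stripped_user_name or user_name
    return '(&(memberUid=%s)(objectClass=posixGroup))' % escape_filter_value(name)


# One equality assertion; values hold no raw '(' or ')' once escaped.
_ASSERTION = re.compile(r'\(([A-Za-z][\w-]*)=([^()]*)\)')


def matches(entry, ldap_filter):
    """Evaluate an all-AND filter such as (&(a=v)(b=w)) against one entry.
    Attribute names are case-insensitive, values compare exactly; '|', '!'
    and wildcards are deliberately unsupported in this toy."""
    assertions = _ASSERTION.findall(ldap_filter)
    if not assertions or '(|' in ldap_filter or '(!' in ldap_filter:
        raise ValueError('unsupported filter: %s' % ldap_filter)
    attrs = {k.lower(): [str(v) for v in vals]
             for k, vals in entry.items() if k != 'dn'}
    return all(unescape_filter_value(value) in attrs.get(attr.lower(), [])
               for attr, value in assertions)


def ldap_groupcmp(directory, basedn, group_name, membership_filter,
                  groupname_attribute='cn'):
    """Mirror of ldap_groupcmp(): search basedn with
    (&(<groupname_attribute>=<group>)<groupmembership_filter>) and treat any
    hit as "User found in group", as the debug output on this page shows."""
    search = '(&(%s=%s)%s)' % (groupname_attribute,
                               escape_filter_value(group_name),
                               membership_filter)
    in_scope = [e for e in directory
                if e['dn'].lower().endswith(basedn.lower())]
    return any(matches(e, search) for e in in_scope)


# Constructed directory mirroring David Hobley's entries: "VPN Users" stores
# the uidNumber in memberUid (the mix-up Frank points out), while the
# constructed "VPN Users Fixed" stores the uid as a posixGroup should.
DIRECTORY = [
    {'dn': 'uid=firstname.lastname,ou=people,dc=MY,dc=DOMAIN',
     'objectClass': ['posixAccount'], 'uid': ['firstname.lastname'],
     'uidNumber': ['1024']},
    {'dn': 'cn=VPN Users,ou=groups,dc=MY,dc=DOMAIN',
     'objectClass': ['posixGroup'], 'cn': ['VPN Users'],
     'memberUid': ['1024']},
    {'dn': 'cn=VPN Users Fixed,ou=groups,dc=MY,dc=DOMAIN',
     'objectClass': ['posixGroup'], 'cn': ['VPN Users Fixed'],
     'memberUid': ['firstname.lastname']},
]


def check_vpn_access(user_name, group='VPN Users', stripped_user_name=''):
    """What a 'DEFAULT LDAP-Group == "<group>"' check item yields for this user."""
    return ldap_groupcmp(DIRECTORY, 'dc=MY,dc=DOMAIN', group,
                         posixgroup_filter(user_name, stripped_user_name))
```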






Re: Configure authentication via LDAP Group membership issue [sec=unclassified]

2007-10-30 Thread David Hobley
Frank, 

Thank you - greatly appreciated. This made me realise that my thinking was 
foggy when I had defined group memberships. All working now. 

Cheers, 
David 
- Original Message - 
From: "Frank MR Ranner" <[EMAIL PROTECTED]> 
To: "FreeRadius users mailing list"  
Sent: Wednesday, 31 October 2007 10:20:36 AM (GMT+1000) Australia/Brisbane 
Subject: RE: Configure authentication via LDAP Group membership issue 
[sec=unclassified] 



Re: LDAP Group membership check not working after upgrade to Windows Server 2003

2008-09-17 Thread kesm0724
ert.pem
> # cacertdir = /path/to/ca/dir/
> # certfile  = /path/to/radius.crt
> # keyfile   = /path/to/radius.key
> # randfile  = /path/to/rnd
> 
> #  Certificate Verification requirements.  Can be:
> #"never" (don't even bother trying)
> #"allow" (try, but don't fail if the cerificate
> #   can't be verified)
> #"demand" (fail if the certificate doesn't verify.)
> #
> #   The default is "allow"
> # require_cert  = "demand"
> }
>  # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
> # profile_attribute = "radiusProfileDn"
> # access_attr = "User-Password"
> 
> # Mapping of RADIUS dictionary attributes to LDAP
> # directory attributes.
> dictionary_mapping = ${confdir}/ldap.attrmap
> 
> #  Set password_attribute = nspmPassword to get the
> #  user's password from a Novell eDirectory
> #  backend. This will work ONLY IF FreeRADIUS has been
> #  built with the --with-edir configure option.
> #
> #  See also the following links:
> #
> #  http://www.novell.com/coolsolutions/appnote/16745.html
> 
> # 
> https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
> #
> #  Novell may require TLS encrypted sessions before returning
> #  the user's password.
> #
> # password_attribute = User-Password
> 
> #  Un-comment the following to disable Novell
> #  eDirectory account policy check and intruder
> #  detection. This will work *only if* FreeRADIUS is
> #  configured to build with --with-edir option.
> #
> edir_account_policy_check = no
> 
> #
> #  Group membership checking.  Disabled by default.
> #
>   groupname_attribute = cn
>  #groupmembership_filter =
> "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
> groupmembership_filter =
> "(|(&(objectClass=group)(member=%{check:LDAP-UserDn}))(&(objectClass=GroupOfNames)(member=%{check:LDAP-UserDn})))"
>  groupmembership_attribute = memberOf
> 
> #  compare_check_items = yes
>do_xlat = yes
>  # access_attr_used_for_allow = yes
> 
> #
> #  By default, if the packet contains a User-Password,
> #  and no other module is configured to handle the
> #  authentication, the LDAP module sets itself to do
> #  LDAP bind for authentication.
> #
>  #
> #  THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
> #
> #  THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
> #
> #  You can disable this behavior by setting the following
> #  configuration entry to "no".
> #
> #  allowed values: {no, yes}
> 
> #  set_auth_type = yes
> 
> #  ldap_debug: debug flag for LDAP SDK
> #  (see OpenLDAP documentation).  Set this to enable
> #  huge amounts of LDAP debugging on the screen.
> #  You should only use this if you are an LDAP expert.
> #
> #   default: 0x (no debugging messages)
> #   Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
>  ldap_debug = 0x0028
> 
> __
> 
> Samba / Windbind responses:
> 
> [EMAIL PROTECTED] modules]# wbinfo -t
> checking the trust secret via RPC calls succeeded
> 
> [EMAIL PROTECTED] modules]# wbinfo -a testuser%mypass
> plaintext password authentication failed
> error code was NT_STATUS_NO_SUCH_USER (0xc064)
> error messsage was: No such user
> Could not authenticate user testuser%mypass with plaintext password
> challenge/response password authentication succeeded
> 
> wbinfo -u and wbinfo -g enumerate all users/groups.
> 
> 
> 
> 
> 
> 

