ldap group membership
Hi,

my new problem is as follows ~_~: I need to check if a username can be found within an ldap-group, however the uid doesn't exist anywhere else but as an object in the group.

radius.conf specific lines:

    groupname_attribute = cn
    groupmembership_filter = "(objectClass=GroupOfNames)"

users file lines:

    [EMAIL PROTECTED]    Auth-Type := Eap, User-Password == "y", Ldap-Group == "wifi"

This is a test line which gives the same result as the EAP-TLS specific line I use in production, however the debug output is much cleaner.

The idea is to look for the existence of the username within a group, and not to run a search for the uid, since this will always fail. Don't ask me why these 'guest' ([EMAIL PROTECTED] is one) uids only exist within the wifi group, that's a policy raining from the heavens above me and I can't argue over it... maybe their random policy generator is overflowing. Maybe they are even trying to do something non-standard with their ldap server and I can't tell.

And here we go, as you see freeradius never looks for the group membership (proven to exist), it first looks for the uid, and this will fail (which is expected to happen):

    # /usr/local/sbin/radiusd -X
    Starting - reading configuration files ...
    reread_config:  reading radiusd.conf
    Config:   including file: /usr/local/etc/raddb/proxy.conf
    Config:   including file: /usr/local/etc/raddb/clients.conf
    Config:   including file: /usr/local/etc/raddb/snmp.conf
    Config:   including file: /usr/local/etc/raddb/eap.conf
    Config:   including file: /usr/local/etc/raddb/sql.conf
     main: prefix = "/usr/local"
     main: localstatedir = "/var"
     main: logdir = "/var/log/radius"
     main: libdir = "/usr/local/lib"
     main: radacctdir = "/var/log/radius/radacct"
     main: hostname_lookups = no
     main: max_request_time = 40
     main: cleanup_delay = 5
     main: max_requests = 65536
     main: delete_blocked_requests = 0
     main: port = 1818
     main: allow_core_dumps = no
     main: log_stripped_names = no
     main: log_file = "/var/log/radius/radius.log"
     main: log_auth = no
     main: log_auth_badpass = no
     main: log_auth_goodpass = no
     main: pidfile = "/var/run/radiusd/radiusd.pid"
     main: bind_address = * IP address [***]
     main: user = "(null)"
     main: group = "(null)"
     main: usercollide = no
     main: lower_user = "no"
     main: lower_pass = "no"
     main: nospace_user = "no"
     main: nospace_pass = "no"
     main: checkrad = "/usr/local/sbin/checkrad"
     main: proxy_requests = no
     proxy: retry_delay = 5
     proxy: retry_count = 3
     proxy: synchronous = no
     proxy: default_fallback = yes
     proxy: dead_time = 120
     proxy: post_proxy_authorize = no
     proxy: wake_all_if_all_dead = no
     security: max_attributes = 200
     security: reject_delay = 1
     security: status_server = no
     main: debug_level = 0
    read_config_files:  reading dictionary
    read_config_files:  reading naslist
    Using deprecated naslist file.  Support for this will go away soon.
    read_config_files:  reading clients
    read_config_files:  reading realms
    radiusd:  entering modules setup
    Module: Library search path is /usr/local/lib
    Module: Loaded exec
     exec: wait = yes
     exec: program = "(null)"
     exec: input_pairs = "request"
     exec: output_pairs = "(null)"
     exec: packet_type = "(null)"
    rlm_exec: Wait=yes but no output defined. Did you mean output=none?
    Module: Instantiated exec (exec)
    Module: Loaded expr
    Module: Instantiated expr (expr)
    Module: Loaded PAP
     pap: encryption_scheme = "crypt"
     pap: auto_header = yes
    Module: Instantiated pap (pap)
    Module: Loaded CHAP
    Module: Instantiated chap (chap)
    Module: Loaded MS-CHAP
     mschap: use_mppe = yes
     mschap: require_encryption = no
     mschap: require_strong = no
     mschap: with_ntdomain_hack = no
     mschap: passwd = "(null)"
     mschap: ntlm_auth = "(null)"
    Module: Instantiated mschap (mschap)
    Module: Loaded eap
     eap: default_eap_type = "tls"
     eap: timer_expire = 60
     eap: ignore_unknown_eap_types = no
     eap: cisco_accounting_username_bug = no
    rlm_eap: Loaded and initialized type md5
    rlm_eap: Loaded and initialized type leap
     gtc: challenge = "Password: "
     gtc: auth_type = "PAP"
    rlm_eap: Loaded and initialized type gtc
     tls: rsa_key_exchange = no
     tls: dh_key_exchange = yes
     tls: rsa_key_length = 512
     tls: dh_key_length = 512
     tls: verify_depth = 0
     tls: CA_path = "/usr/local/etc/raddb/certs/crl"
     tls: pem_file_type = yes
     tls: private_key_file = "/usr/local/etc/raddb/certs/newkey.pem"
     tls: certificate_file = "/usr/local/etc/raddb/certs/newserv.pem"
     tls: CA_file = "/usr/local/etc/raddb/certs/crl/root.pem"
     tls: private_key_password = ""
     tls: dh_file = "/usr/local/etc/raddb/certs/dh"
     tls: random_file = "/usr/local/etc/raddb/certs/random"
     tls: fragment_size = 1024
     tls: include_length = yes
     tls: check_crl = yes
     tls: check_cert_cn = "%{User-Name}"
     tls: cipher_list = "(null)"
     tls: check_cert_issuer = "(null)"
    rlm_eap_tls: Loading the certificate file as a chain
    rlm_eap: Loaded and initialized type tls
     mschapv2: with_ntdomain_hack = no
    rlm_eap: Loaded and initialized type mschapv2
    Module: Instantiated eap (eap
Ldap Group Membership Requirements
I'm trying to require a user to be a member of the wireless group in ldap to be able to join the wireless. All users can currently join the wireless. I can't find very much documentation on the groupmembers* lines in the ldap section of radius.conf. Basically trying to figure out what I need to add to these lines: groupname_attribute, groupmembership_filter, and groupmembership_attribute. Also not sure if I need to add something to users file like:

    DEFAULT LDAP-Group == "wireless"

Can anyone provide input on what I need to configure, Thanks.

wireless group in ldap, you can see cjarrett is a member:

    dn: cn=wireless,ou=Groups,dc=itfreedom,dc=com
    objectClass: posixGroup
    cn: wireless
    gidNumber: 1011
    memberUid: cjarrett

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
ldap group membership required
Hello,

I have searched the archives and google, and there seems to be lots of confusion on the subject: Requiring membership to an LDAP group to authenticate.

I can seem to get it to work. Notice the misspelling of the member:

    dn: cn=radius_wifi,ou=Groups,dc=fu,dc=bar
    cn: min_radius_wifi
    objectClass: groupOfNames
    objectClass: top
    member: cn=tes guest,ou=Guests,dc=fu,dc=bar

The real user, cn=test guest,ou=Guests,dc=fu,dc=bar, is still able to login.

FreeRadius Version: freeradius-1.0.1

    ldap {
            server = "localhost"
            identity = "uid=authman,dc=fu,dc=bar"
            password = XXX
            basedn = "dc=fu,dc=bar"
            filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
            base_filter = "(objectclass=person)"

            # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
            # profile_attribute = "radiusProfileDn"
            #` access_attr = "uid"

            # Mapping of RADIUS dictionary attributes to LDAP
            # directory attributes.
            dictionary_mapping = ${raddbdir}/ldap.attrmap

            ldap_connections_number = 5
            password_attribute = userPassword
            groupname_attribute = cn
            groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
            groupmembership_attribute = "cn=radius_wifi,ou=Group,dc=fu,dc=bar"
            timeout = 4
            timelimit = 3
            net_timeout = 1
            #compare_check_items = yes
            # do_xlat = yes
            # access_attr_used_for_allow = no
    }

Thank you for the help,

Dan
LDAP Group membership problems
Hi Everybody!

I'm stuck trying to implement an LDAP based FreeRADIUS server - basically I've got Authorization working perfectly, but at the Authentication stage, no group reply attributes are set. I'm obviously not sure what the problem is, but from reading the debug output, it looks almost as if an ldap search to get the reply attributes is not being executed.

If I manually execute the search using ldapsearch, using the same bind options as I see in the debug log, and with the filter specified by groupmembership_filter, then I get the output that I would like to have returned by FreeRADIUS as reply items, so I don't think it's a problem with my LDAP data/schema etc. It just seems like I haven't correctly instructed FreeRADIUS to actually "do it" - to go and get the group information.

Here's the relevant section of my debug output...

---start debug output---
rlm_ldap: - authorize
rlm_ldap: performing user authorization for hugh
radius_xlat:  '(&(objectClass=radiusProfile)(uid=hugh))'
radius_xlat:  'dc=e-access,dc=com,dc=au'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=e-access,dc=com,dc=au, with filter (&(objectClass=radiusProfile)(uid=hugh))
rlm_ldap: checking if remote access for hugh is allowed by dialupAccess
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user hugh authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 1
modcall: group authorize returns ok for request 1
rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group Auth-Type for request 1
rlm_ldap: - authenticate
rlm_ldap: login attempt by "hugh" with password "testpass"
rlm_ldap: user DN: cn=hugh,cn=3,cn=2000,cn=package,cn=hugh,cn=user,ou=eaccounts,dc=e-access,dc=com,dc=au
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 1
rlm_ldap: bind as cn=hugh,cn=3,cn=2000,cn=package,cn=hugh,cn=user,ou=eaccounts,dc=e-access,dc=com,dc=au/testpass to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: user hugh authenticated succesfully
modcall[authenticate]: module "ldap" returns ok for request 1
modcall: group Auth-Type returns ok for request 1
Sending Access-Accept of id 40 to 192.168.1.50:49167
Finished request 1
Going to the next request
---end debug output---

Here is the output from radtest

[EMAIL PROTECTED] raddb]# radtest hugh sportswater 127.0.0.1 1 testing123
Sending Access-Request of id 40 to 127.0.0.1:1812
        User-Name = "hugh"
        User-Password = "testpass"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=40, length=20

Here is the ldap part of my radiusd.conf file, if you need any more information don't hesitate to ask - I won't include the whole file here just because it's so big!

ldap {
        server = "127.0.0.1"
        identity = "cn=root,dc=e-access,dc=com,dc=au"
        password = test1234
        basedn = "dc=e-access,dc=com,dc=au"
        filter = "(&(objectClass=radiusProfile)(uid=%{Stripped-User-Name:-%{User-Name}})) "

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 689) connections
        start_tls = no

        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        access_attr = "dialupAccess"

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        ldap_connections_number = 5
        # password_header = "{clear}"
        # password_attribute = userPassword
        groupname_attribute = uid
        groupmembership_filter = "(&(objectClass=radiusProfile)(uid=dialup))"
        groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # access_attr_used_for_allow = yes
}

Thanks in advance,

Sam Silvester
Systems Administrator
E-Access Internet
Customer Service: 1300 13 88 10
Our technical support hours are 9am - 9pm everyday (ACST)
RE : Ldap Group Membership Requirements
> Basically trying to figure out what I need to add to these lines:
> groupname_attribute, groupmembership_filter, and groupmembership_attribute.
> Also not sure if I need to add something to users file like:
> DEFAULT LDAP-Group == "wireless". Can anyone provide input on what I need
> to configure, Thanks.
>
> wireless group in ldap, you can see cjarrett is a member:
> dn: cn=wireless,ou=Groups,dc=itfreedom,dc=com
> objectClass: posixGroup
> cn: wireless
> gidNumber: 1011
> memberUid: cjarrett

You're using POSIXGroups:

    groupname_attribute = cn
    groupmembership_filter = "(&(objectclass=posixGroup)(memberUid=%u))"

No groupmembership_attribute.

In your users file, for instance:

    DEFAULT LDAP-Group == "wireless"
    ...

See /usr/share/doc/freeradius/rlm_ldap text file.

HTH,
Thibault
Re: ldap group membership required
Daniel Durgin wrote:
> I have search the archives and google, and there seems to be lots of
> confusion on the subject: Requiring membership to and LDAP group to
> authenticate.

  No.  Authentication involves checking credentials.  Authorization involves *additional* and *independent* filter rules specifying when and where people can authenticate.

  If you think of checking group membership as authentication, it means that your conceptual model of how the system works is wrong.  Hence designs of any solution will be wrong, and confusion will be multiplied.

> I can seem to get it to work. Notice the misspelling og the member:
>
> dn: cn=radius_wifi,ou=Groups,dc=fu,dc=bar
> cn: min_radius_wifi
> objectClass: groupOfNames
> objectClass: top
> member: cn=tes guest,ou=Guests,dc=fu,dc=bar
>
>
> The real user, cn=test guest,ou=Guests,dc=fu,dc=bar, is still able to
> login.

  So... read the debug output to see why.  This is mentioned in so many places that there is NO excuse for not doing it.

  I also fail to understand why people look at the *configuration* to see how the server is *running*.  It's like driving a car while looking only at a map, and not at the road in front of you.  If all goes well, it might work.  But as soon as a pedestrian steps in front of your car, you fail to see him, and *boom*, bad things happen.

> FreeRadius Version: freeradius-1.0.1

  Why?  That version is *years* old.

  Alan DeKok
Re: ldap group membership required
Thank you for the quick reply. I beat my head against it again, and again. Then noticed the clients file. I got it working.

Alan DeKok wrote:
> Daniel Durgin wrote:
>> I have search the archives and google, and there seems to be lots of
>> confusion on the subject: Requiring membership to and LDAP group to
>> authenticate.
>
>   No.  Authentication involves checking credentials.  Authorization
> involves *additional* and *independent* filter rules specifying when and
> where people can authenticate.
>
>   If you think of checking group membership as authentication, it means
> that your conceptual model of how the system works is wrong.  Hence
> designs of any solution will be wrong, and confusion will be multiplied.
>
>> I can seem to get it to work. Notice the misspelling og the member:
>>
>> dn: cn=radius_wifi,ou=Groups,dc=fu,dc=bar
>> cn: min_radius_wifi
>> objectClass: groupOfNames
>> objectClass: top
>> member: cn=tes guest,ou=Guests,dc=fu,dc=bar
>>
>> The real user, cn=test guest,ou=Guests,dc=fu,dc=bar, is still able to
>> login.
>
>   So... read the debug output to see why.  This is mentioned in so many
> places that there is NO excuse for not doing it.
>
>   I also fail to understand why people look at the *configuration* to
> see how the server is *running*.  It's like driving a car while looking
> only at a map, and not at the road in front of you.  If all goes well,
> it might work.  But as soon as a pedestrian steps in front of your car,
> you fail to see him, and *boom*, bad things happen.
>
>> FreeRadius Version: freeradius-1.0.1
>
>   Why?  That version is *years* old.

It comes with CentOS 5, or one of them Yum Repos. I just needed a radius server to gateway for my LDAP server.

>   Alan DeKok

Thank you for the lesson I learned a lot.

-Dan
Activate LDAP group membership checking
Hi,

I'm trying to activate the LDAP group membership checking in FreeRadius. In my radiusd.conf I've modified the group checking section:

    groupname_attribute = cn
    groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
    groupmembership_attribute = ou

By looking in my openldap logs, freeradius is not even trying to search for the group.

Do I have to activate something else to enable group checking?

Thank you
Re: LDAP Group membership problems
What's in your users file?

Check http://doris.cc/radius it explains how to use the User-Profile to send back group reply attributes. Here are some relevant parts.

LDAP Entry

    dn: uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com
    objectclass: radiusprofile
    uid: dial
    radiusServiceType: Framed-User
    radiusFramedProtocol: PPP
    radiusFramedIPNetmask: 255.255.255.0
    radiusFramedRouting: None

Users File

    DEFAULT Huntgroup-Name == dial, Ldap-Group == dial, User-Profile := "uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com"
            Fall-Through = no

The users file is saying if you are in the Huntgroup of dial and the ldap-group of dial, then your reply attributes will be found in uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com

Hope that helps

Dusty Doris

On Fri, 6 Feb 2004, Sam Silvester wrote:

> Hi Everybody!
>
> I'm stuck trying to implement an LDAP based FreeRADIUS server -
> basically I've got Authorization working perfectly, but at the
> Authentication stage, no group reply attributes are set. I'm obviously
> not sure what the problem is, but from reading the debug output, it
> looks almost as if a ldap search to get the reply attributes is not
> being executed.
>
> If I manually execute the search using ldapsearch, using the same bind
> options as I see in the debug log, and with the filter specified by
> groupmembership_filter, then I get the output that I would like to have
> returned by FreeRADIUS as reply items, so I don't think it's a problem
> with my LDAP data/schema etc. It just seems like I haven't correctly
> instructed FreeRADIUS to actually "do it" - to go and get the group
> information.
>
> Here's the relevant section of my debug output...
>
> ---start debug output---
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for hugh
> radius_xlat:  '(&(objectClass=radiusProfile)(uid=hugh))'
> radius_xlat:  'dc=e-access,dc=com,dc=au'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=e-access,dc=com,dc=au, with filter (&(objectClass=radiusProfile)(uid=hugh))
> rlm_ldap: checking if remote access for hugh is allowed by dialupAccess
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user hugh authorized to use remote access
> ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for request 1
> modcall: group authorize returns ok for request 1
> rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
> modcall: entering group Auth-Type for request 1
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "hugh" with password "testpass"
> rlm_ldap: user DN: cn=hugh,cn=3,cn=2000,cn=package,cn=hugh,cn=user,ou=eaccounts,dc=e-access,dc=com,dc=au
> rlm_ldap: (re)connect to 127.0.0.1:389, authentication 1
> rlm_ldap: bind as cn=hugh,cn=3,cn=2000,cn=package,cn=hugh,cn=user,ou=eaccounts,dc=e-access,dc=com,dc=au/testpass to 127.0.0.1:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: user hugh authenticated succesfully
> modcall[authenticate]: module "ldap" returns ok for request 1
> modcall: group Auth-Type returns ok for request 1
> Sending Access-Accept of id 40 to 192.168.1.50:49167
> Finished request 1
> Going to the next request
> ---end debug output---
>
> Here is the output from radtest
>
> [EMAIL PROTECTED] raddb]# radtest hugh sportswater 127.0.0.1 1 testing123
> Sending Access-Request of id 40 to 127.0.0.1:1812
>         User-Name = "hugh"
>         User-Password = "testpass"
>         NAS-IP-Address = 127.0.0.1
>         NAS-Port = 1
> rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=40, length=20
>
> Here is the ldap part of my radiusd.conf file, if you need any more
> information don't hesitate to ask - I won't include the whole file here
> just because it's so big!
>
> ldap {
>         server = "127.0.0.1"
>         identity = "cn=root,dc=e-access,dc=com,dc=au"
>         password = test1234
>         basedn = "dc=e-access,dc=com,dc=au"
>         filter = "(&(objectClass=radiusProfile)(uid=%{Stripped-User-Name:-%{User-Name}})) "
>
>         # set this to 'yes' to use TLS encrypted connections
>         # to the LDAP database by using the StartTLS extended
>         # operation.
>         # The StartTLS operation is supposed to be used with normal
>         # ldap connections instead of using ldaps (port 689) connections
>         start_tls = no
>
>         # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
>         # profile_attribute = "radiusProfileDn"
>         access_attr = "dialupAccess"
>
>         # Mapping of RADIUS dictionary attributes to LDAP
>         # directory attributes.
>         dictionary_mapping = ${raddbdir}/ldap.attrmap
>
>         ldap_connections_number = 5
>         # password_header = "{clear}"
>         # password_attribute = u
Re: RE : Ldap Group Membership Requirements
So it will search and find the group, but I can still connect with my user even though it isn't in that group. Any ideas on how to keep a user from connecting if their account isn't in that group?

Thibault Le Meur wrote:
>> Basically trying to figure out what I need to add to these lines:
>> groupname_attribute, groupmembership_filter, and groupmembership_attribute.
>> Also not sure if I need to add something to users file like:
>> DEFAULT LDAP-Group == "wireless". Can anyone provide input on what I need
>> to configure, Thanks.
>>
>> wireless group in ldap, you can see cjarrett is a member:
>> dn: cn=wireless,ou=Groups,dc=itfreedom,dc=com
>> objectClass: posixGroup
>> cn: wireless
>> gidNumber: 1011
>> memberUid: cjarrett
>
> You're using POSIXGroups:
> groupname_attribute = cn
> groupmembership_filter = "(&(objectclass=posixGroup)(memberUid=%u))"
>
> No groupmembership_attribute.
>
> In your users file, for instance:
> DEFAULT LDAP-Group == "wireless"
> ...
>
> See /usr/share/doc/freeradius/rlm_ldap text file.
>
> HTH,
> Thibault
Re: RE : Ldap Group Membership Requirements
    DEFAULT LDAP-Group != "wireless", Auth-Type := Reject
            Reply-Message = "You are not allowed to connect"

Ivan Kalik
Kalik Informatika
ISP

On 20/6/2007, "Cody Jarrett" <[EMAIL PROTECTED]> writes:

> So it will search and find the group, but I can still connect with my
> user even though it isn't in that group. Any ideas on how to keep a user
> from connecting if their account isn't in that group?
>
> Thibault Le Meur wrote:
>>> Basically trying to figure out what I need to add to these lines:
>>> groupname_attribute, groupmembership_filter, and groupmembership_attribute.
>>> Also not sure if I need to add something to users file like:
>>> DEFAULT LDAP-Group == "wireless". Can anyone provide input on what I need
>>> to configure, Thanks.
>>>
>>> wireless group in ldap, you can see cjarrett is a member:
>>> dn: cn=wireless,ou=Groups,dc=itfreedom,dc=com
>>> objectClass: posixGroup
>>> cn: wireless
>>> gidNumber: 1011
>>> memberUid: cjarrett
>>>
>>
>> You're using POSIXGroups:
>> groupname_attribute = cn
>> groupmembership_filter = "(&(objectclass=posixGroup)(memberUid=%u))"
>>
>> No groupmembership_attribute.
>>
>> In your users file, for instance:
>> DEFAULT LDAP-Group == "wireless"
>> ...
>>
>> See /usr/share/doc/freeradius/rlm_ldap text file.
>>
>> HTH,
>> Thibault
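The group check configured in the wireless thread above and in the radius_wifi thread (the groupOfNames entry with the misspelt member DN), as an added example that is not part of the list posts or of FreeRADIUS itself: a Python simulation of how rlm_ldap assembles the Ldap-Group search from groupname_attribute and the expanded groupmembership_filter, evaluated against an in-memory directory constructed from the entries quoted in those posts. The directory contents, request attributes and all function names are assumptions made for this example; the radius_wifi entry is given cn radius_wifi so that only the member misspelling is in play.

```python
"""Offline simulation of rlm_ldap's Ldap-Group check (constructed example,
not FreeRADIUS code).  A dict stands in for the LDAP server and a minimal
RFC 4515 matcher stands in for ldap_search.  The search has the shape seen
in the debug output quoted on the list:
    (&(<groupname_attribute>=<group>)<expanded groupmembership_filter>)
"""

# Constructed directory shaped like the entries quoted in the threads.
# Attribute names are stored lower-cased (LDAP attribute names are
# case-insensitive); values are compared case-insensitively as well.
DIRECTORY = {
    "uid=cjarrett,ou=People,dc=itfreedom,dc=com": {
        "objectclass": ["posixAccount"], "uid": ["cjarrett"]},
    "cn=wireless,ou=Groups,dc=itfreedom,dc=com": {
        "objectclass": ["posixGroup"], "cn": ["wireless"],
        "gidnumber": ["1011"], "memberuid": ["cjarrett"]},
    "cn=test guest,ou=Guests,dc=fu,dc=bar": {
        "objectclass": ["person"], "cn": ["test guest"]},
    "cn=radius_wifi,ou=Groups,dc=fu,dc=bar": {
        "objectclass": ["groupOfNames", "top"], "cn": ["radius_wifi"],
        # the misspelt member DN from the radius_wifi post ("tes", not "test")
        "member": ["cn=tes guest,ou=Guests,dc=fu,dc=bar"]},
}

# The two groupmembership_filter forms discussed on the list.
POSIX_GROUP_FILTER = "(&(objectclass=posixGroup)(memberUid=%u))"
GROUP_OF_NAMES_FILTER = (
    "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
    "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))")


def xlat(template, request):
    """Expand %u, %{Attr} and %{Attr:-fallback} from request attributes.
    The real rlm_ldap also LDAP-escapes the expanded value; omitted here."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%u", i):
            out.append(request["User-Name"])
            i += 2
        elif template.startswith("%{", i):
            depth, j = 0, i + 1
            while True:                       # find the matching close brace
                if template[j] == "{":
                    depth += 1
                elif template[j] == "}":
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            name, sep, fallback = template[i + 2:j].partition(":-")
            value = request.get(name)
            if value is None and sep:
                value = xlat(fallback, request)
            out.append(value or "")
            i = j + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def parse_filter(filt, pos=0):
    """Parse one parenthesised element: (&...), (|...) or (attr=value)."""
    pos += 1                                  # skip the opening '('
    if filt[pos] in "&|":
        op, children, pos = filt[pos], [], pos + 1
        while filt[pos] == "(":
            node, pos = parse_filter(filt, pos)
            children.append(node)
        if filt[pos] != ")":
            raise ValueError("unbalanced filter %r" % filt)
        return (op, children), pos + 1
    end = filt.index(")", pos)
    # split on the first '=' only: a member DN value itself contains '='
    attr, _, value = filt[pos:end].partition("=")
    return ("=", attr.lower(), value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one directory entry."""
    if node[0] == "&":
        return all(matches(child, entry) for child in node[1])
    if node[0] == "|":
        return any(matches(child, entry) for child in node[1])
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def ldap_groupcmp(groupname_attribute, groupmembership_filter, request, group):
    """DNs of entries that make the check item 'Ldap-Group == group' true."""
    filt = "(&(%s=%s)%s)" % (groupname_attribute, group,
                             xlat(groupmembership_filter, request))
    node, _ = parse_filter(filt)
    return [dn for dn, entry in DIRECTORY.items() if matches(node, entry)]


def users_file_decision(groupname_attribute, groupmembership_filter, request, group):
    """The reject rule suggested in the wireless thread:
         DEFAULT LDAP-Group != "wireless", Auth-Type := Reject
    No matching group entry means Reject; otherwise processing falls through."""
    if ldap_groupcmp(groupname_attribute, groupmembership_filter, request, group):
        return "Fall-Through"
    return "Reject"
```

With the misspelt member DN the groupOfNames search returns no entry, which is exactly why a users file line that only tests `Ldap-Group ==` lets the real user through: nothing rejects when the check item simply fails to match.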
Re: Activate LDAP group membership checking
mic nightic wrote:
> By looking in my openldap logs, freeradius is not even trying to search
> for the group.
>
> Do i have to activate something else to enable group checking?

  doc/rlm_ldap

  Look for "group support"

  Alan DeKok.
Re: Activate LDAP group membership checking
Yes sir! thank you
Found the solution in the doc

On Fri, Oct 22, 2010 at 12:57 PM, Alan DeKok wrote:
> mic nightic wrote:
> > By looking in my openldap logs, freeradius is not even trying to search
> > for the group.
> >
> > Do i have to activate something else to enable group checking?
>
>   doc/rlm_ldap
>
>   Look for "group support"
>
>   Alan DeKok.
MSCHAP Authentication and LDAP Group Membership checking
Exec-Program-Wait: plaintext: NT_KEY: 1E79BE41DB018B9E293DA357E6E5EA0D
Exec-Program: returned: 0
rlm_mschap: adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
Login OK: [voila\\webtest] (from client VPN port 1151 cli 123.111.6.76)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 83 to 10.2.1.6 port 1059
        MS-CHAP2-Success = 0x00533d3136423031434136463832333133373034393432393943303539423539334346434433314336
        MS-MPPE-Recv-Key = 0x5e34def484a9a9c160f712e90322bca0
        MS-MPPE-Send-Key = 0x2f644ea60d80525ed0b13527ca916aae
        MS-MPPE-Encryption-Policy = 0x0001
        MS-MPPE-Encryption-Types = 0x0006
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 83 with timestamp +888
Ready to process requests.

It appears that MSCHAP is used to verify the password but LDAP is not properly checking the "VPN-Users" AD group. I believe it is not stripping the domain portion off correctly as I see the domain name appended to (sAMAccountName=voila\5cwebtest)

My users File entries:

(The first entry I would like to be used by the concentrator to search the group and if the user is a member allow them access - of course authenticating the provided password)

DEFAULT LDAP-Group == "vpn-users"
        Fall-Through = Yes

This entry is for our network switches/routers - this appears to be working without any issue.

DEFAULT LDAP-Group == "Radius-Admin"
        Service-Type = Login-User,
        cisco-avpair = "shell:priv-lvl=15",
        Fall-Through = Yes

If I login from my network devices it performs the ldap searches without issue and authenticates/authorizes the user - You can see this below:

rlm_ldap: performing search in dc=voila,dc=com, with filter (&(cn=vpn-users)(|(&(objectClass=group)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom
rlm_ldap::ldap_groupcmp: User found in group vpn-users
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 178
rlm_ldap: Entering ldap_groupcmp()
        expand: dc=voila,dc=com -> dc=voila,dc=com
        expand: (|(&(objectClass=group)(member=%{check:LDAP-UserDn}))(&(objectClass=GroupOfNames)(member=%{check:LDAP-UserDn}))) -> (|(&(objectClass=group)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=voila,dc=com, with filter (&(cn=Radius-Admin)(|(&(objectClass=group)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom
rlm_ldap::ldap_groupcmp: User found in group Radius-Admin
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 181
++[files] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for zkms
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
        expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=zkms)
        expand: dc=voila,dc=com -> dc=voila,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=voila,dc=com, with filter (sAMAccountName=zkms)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
rlm_ldap: user zkms authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
+- entering group LDAP
rlm_ldap: - authenticate
rlm_ldap: login attempt by "zkms" with password "Omitted"
rlm_ldap: user DN: CN=zkms,CN=Users,DC=voila,DC=com
rlm_ldap: (re)connect to control.voila.com:389, authentication 1
rlm_ldap: bind as CN=zkms,CN=Users,DC=voila,DC=com/Omitted to control.voila.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user zkms authenticated succesfully

Thanks in advance for any pointers.
Configure authentication via LDAP Group membership issue
I have set up a VPN pointing to a FreeRadius server and have it authenticating successfully against my LDAP server, but I would also like to limit access to only those people who are a member of the VPN group. Normally, this would be simple, but because of the LDAP server I am using, the hierarchy looks like this:

User Account:

    ldapsearch -h ldap -x -b "dc=MY,dc=DOMAIN" "(uid=firstname.lastname)"
    dn: uid=firstname.lastname,ou=people,dc=MY,dc=DOMAIN
    uidNumber: 1024
    ...

Group entry is:

    ldapsearch -h ldap -x -b "dc=MY,dc=DOMAIN" "(cn=VPN Users)"
    dn: cn=VPN Users,ou=groups,dc=MY,dc=DOMAIN
    memberUid: 1024
    ...

So I need to somehow configure Radius to search on me, get my uidNumber and then search on the group. If I skip the searching to get the uidNumber, I can configure the Radius (for this single account) correctly:

In the ldap module I include:

    ...
    groupname_attribute = cn
    groupmembership_filter = "(memberUid=1024)"

with the following entry in the users file:

    DEFAULT Auth-Type = LDAP
            Fall-Through = 1

    DEFAULT LDAP-Group == "VPN Users"
            Service-Type = Administrative-User

and this works as expected, but is there any way I can substitute the 1024 for an ldap search result so I can dynamically return the uidNumber for the %{User-Name} field?

Thanks!

Cheers,
David
LDAP password lookup and LDAP group membership
Hello all.

Another problem I'm having - I want to be able to check that a user is in a group in LDAP. I've been using the users file to do this, and here's what I've tried:

    DEFAULT Ldap-Group == "CN=x,OU=y,DC=z", Auth-Type := LDAP, Fall-Through = No

This setup accepts me whether or not I'm in the group. If I do this:

    DEFAULT Ldap-Group == "CN=x,OU=y,DC=z", Auth-Type := LDAP, Fall-Through = No
    DEFAULT Auth-Type := Reject

I'll always be rejected.

LDAP refers to an Auth-Type I've set up. I didn't think it was relevant so I didn't include it here.

Thanks in advance,
Jason
Re: MSCHAP Authentication and LDAP Group Membership checking
;+- entering group MS-CHAP > rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. > rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. > rlm_mschap: Told to do MS-CHAPv2 for webtest with NT-Password >expand: --domain=%{mschap:NT-Domain} -> --domain=voila >expand: --username=%{mschap:User-Name} -> --username=webtest > mschap2: 0e >expand: --challenge=%{mschap:Challenge:-00} -> >--challenge=dcdc37024aecaec1 >expand: --nt-response=%{mschap:NT-Response:-00} -> >--nt-response=5808068d4047ef8a58e79d488a62d41e89128aabd6d88c52 >Exec-Program output: NT_KEY: 1E79BE41DB018B9E293DA357E6E5EA0D >Exec-Program-Wait: plaintext: NT_KEY: 1E79BE41DB018B9E293DA357E6E5EA0D >Exec-Program: returned: 0 >rlm_mschap: adding MS-CHAPv2 MPPE keys >++[mschap] returns ok >Login OK: [voila\\webtest] (from client VPN port 1151 cli 123.111.6.76) >+- entering group post-auth >++[exec] returns noop >Sending Access-Accept of id 83 to 10.2.1.6 port 1059 >MS-CHAP2-Success = >0x00533d3136423031434136463832333133373034393432393943303539423539334346434433314336 >MS-MPPE-Recv-Key = 0x5e34def484a9a9c160f712e90322bca0 >MS-MPPE-Send-Key = 0x2f644ea60d80525ed0b13527ca916aae >MS-MPPE-Encryption-Policy = 0x0001 >MS-MPPE-Encryption-Types = 0x0006 >Finished request 2. >Going to the next request >Waking up in 4.9 seconds. >Cleaning up request 2 ID 83 with timestamp +888 >Ready to process requests. 
>
> It appears that MSCHAP is used to verify the password but LDAP is not
> properly checking the "VPN-Users" AD group. I believe it is not stripping
> the domain portion off correctly as I see the domain name appended to
> (sAMAccountName=voila\5cwebtest)
>
> My users File entries:
>
> (The first entry I would like to be used by the concentrator to search the
> group and if the user is a member allow them access - of course
> authenticating the provided password)
>
> DEFAULT LDAP-Group == "vpn-users"
>         Fall-Through = Yes
>
> This entry is for our network switches/routers - this appears to be working
> without any issue.
>
> DEFAULT LDAP-Group == "Radius-Admin"
>         Service-Type = Login-User,
>         cisco-avpair = "shell:priv-lvl=15",
>         Fall-Through = Yes
>
> If I login from my network devices it performs the ldap searches without
> issue and authenticates/authorizes the user - You can see this below:
>
> rlm_ldap: performing search in dc=voila,dc=com, with filter (&(cn=vpn-users)(|(&(objectClass=group)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom
> rlm_ldap::ldap_groupcmp: User found in group vpn-users
> rlm_ldap: ldap_release_conn: Release Id: 0
> users: Matched entry DEFAULT at line 178
> rlm_ldap: Entering ldap_groupcmp()
> expand: dc=voila,dc=com -> dc=voila,dc=com
> expand: (|(&(objectClass=group)(member=%{check:LDAP-UserDn}))(&(objectClass=GroupOfNames)(member=%{check:LDAP-UserDn}))) -> (|(&(objectClass=group)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom)))
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=voila,dc=com, with filter (&(cn=Radius-Admin)(|(&(objectClass=group)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom
> rlm_ldap::ldap_groupcmp: User found in group Radius-Admin
> rlm_ldap: ldap_release_conn: Release Id: 0
> users: Matched entry DEFAULT at line 181
> ++[files] returns ok
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for zkms
> WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
> expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=zkms)
> expand: dc=voila,dc=com -> dc=voila,dc=com
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=voila,dc=com, with filter (sAMAccountName=zkms)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
> rlm_ldap: user zkms authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> rlm_pap: WARNING! No "
Re: Configure authentication via LDAP Group membership issue
All,

I have still not been able to find a solution for this, it looks like I might be able to use an xlat rule for it, but I can't get my head around how to write it. Can anyone point me to suitable documentation for xlat - while I have read all the docco that comes with the FreeRadius (in /usr/share) I am missing something in order to apply it.

Cheers,
David

- Original Message -
From: "David Hobley" <[EMAIL PROTECTED]>
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, 23 October 2007 04:10:51 PM (GMT+1000) Australia/Brisbane
Subject: Configure authentication via LDAP Group membership issue

I have set up a VPN pointing to a FreeRadius server and have it authenticating successfully against my LDAP server, but I would also like to limit access to only those people who are a member of the VPN group. Normally, this would be simple, but because of the LDAP server I am using, the hierarchy looks like this:

User Account:

    ldapsearch -h ldap -x -b "dc=MY,dc=DOMAIN" "(uid=firstname.lastname)"
    dn: uid=firstname.lastname,ou=people,dc=MY,dc=DOMAIN
    uidNumber: 1024
    ...

Group entry is:

    ldapsearch -h ldap -x -b "dc=MY,dc=DOMAIN" "(cn=VPN Users)"
    dn: cn=VPN Users,ou=groups,dc=MY,dc=DOMAIN
    memberUid: 1024
    ...

So I need to somehow configure Radius to search on me, get my uidNumber and then search on the group. If I skip the searching to get the uidNumber, I can configure the Radius (for this single account) correctly:

In the ldap module I include:

    ...
    groupname_attribute = cn
    groupmembership_filter = "(memberUid=1024)"

with the following entry in the users file:

    DEFAULT Auth-Type = LDAP
            Fall-Through = 1

    DEFAULT LDAP-Group == "VPN Users"
            Service-Type = Administrative-User

and this works as expected, but is there any way I can substitute the 1024 for an ldap search result so I can dynamically return the uidNumber for the %{User-Name} field?

Thanks!

Cheers,
David
FW: LDAP password lookup and LDAP group membership
Nevermind, I found how to get this to work. I was assuming that anything in the Check-Item were all AND'd together when they are on one line. I got it to work this way:

    DEFAULT Ldap-Group != "CN=x,OU=y,DC=z", Auth-Type := Reject
    DEFAULT Auth-Type := LDAP

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Zawacki Jason D Contr AFRL/IFOS
Sent: Wednesday, April 27, 2005 10:23 AM
To: 'freeradius-users@lists.freeradius.org'
Subject: LDAP password lookup and LDAP group membership

Hello all. Another problem I'm having - I want to be able to check that a user is in a group in LDAP. I've been using the users file to do this, and here's what I've tried:

    DEFAULT Ldap-Group == "CN=x,OU=y,DC=z", Auth-Type := LDAP, Fall-Through = No

This setup accepts me whether or not I'm in the group. If I do this:

    DEFAULT Ldap-Group == "CN=x,OU=y,DC=z", Auth-Type := LDAP, Fall-Through = No
    DEFAULT Auth-Type := Reject

I'll always be rejected. LDAP refers to an Auth-Type I've set up. I didn't think it was relevant so I didn't include it here.

Thanks in advance,
Jason
Trouble with matching LDAP group membership in authorize
I'm trying to setup radius authentication for enable access on our networking gear and having a tough time getting a working config. I'd like to have FR check a group in LDAP for membership before authorizing. That is, I only want users listed in the "uniquemember" attribute of the Operations group object to be granted access. Reading the FR docs this is possible -- I must be missing something.

First, here are the relevant portions of my configs:

Hint file:

    DEFAULT NAS-Port-Type == Virtual, Service-Type == NAS-Prompt-User, ldap_enable-Ldap-Group := "operations", Autz-Type := ldap_enable, Auth-Type := LDAP

radius.conf:

    ldap ldap_enable {
            server = "fds1.hq.powerset.com"
            basedn = "dc=powerset,dc=com"
            filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
            start_tls = yes
            tls_cacertfile = /opt/fedora-ds/alias/starfield.pem
            tls_require_cert = "demand"

            # Mapping of RADIUS dictionary attributes to LDAP
            # directory attributes.
            dictionary_mapping = ${raddbdir}/ldap.attrmap

            ldap_connections_number = 5
            # ldap_debug = 1
            #groupname_attribute = cn
            groupmembership_filter = "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))"
            timeout = 4
            timelimit = 3
            net_timeout = 3
            # compare_check_items = yes
            # do_xlat = yes
            access_attr_used_for_allow = no
            set_auth_type = no
    }

I have several LDAP instances defined in radius.config, but this is the one I want to use. I instantiate it first in radius.config so that hints can use it:

    instantiate {
            ldap_enable
            exec
            expr
    }

And a corresponding Autz-Type in radius.config:

    authorize {
            preprocess
            suffix
            ntdomain
            eap
            autztype ldap {
                    redundant {
                            fds1
                            #fds2
                    }
            }
            autztype ldap_enable {
                    ldap_enable
            }
            files
            pap
    }

Here's the debug output from when I try and connect:

    rad_recv: Access-Request packet from host 64.13.145.238:1024, id=96, length=71
            User-Name = "dick"
            User-Password = ""
            NAS-IP-Address = 64.13.145.238
            NAS-Identifier = "h2848-1"
            NAS-Port-Type = Virtual
            Service-Type = NAS-Prompt-User
      Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
        hints: Matched DEFAULT at 35        <--- This is the correct entry
      modcall[authorize]: module "preprocess" returns ok for request 0
        rlm_realm: No '@' in User-Name = "dick", looking up realm NULL
        rlm_realm: No such realm "NULL"
      modcall[authorize]: module "suffix" returns noop for request 0
        rlm_realm: No '\' in User-Name = "dick", looking up realm NULL
        rlm_realm: No such realm "NULL"
      modcall[authorize]: module "ntdomain" returns noop for request 0
      rlm_eap: No EAP-Message, not doing EAP
      modcall[authorize]: module "eap" returns noop for request 0
      modcall[authorize]: module "files" returns notfound for request 0
    rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
      modcall[authorize]: module "pap" returns noop for request 0
    modcall: leaving group authorize (returns ok) for request 0

It appears that FR is ignoring the Autz-Type I set in hints and just processes the entries in authorize in sequential order. This is the default behavior unless an Autz-Type is explicitly set (which I do in hints). How do I get the Autz-Type to kick-in and have FR send the request to the proper LDAP entry?

Thanks in advance,
-richard
Re: Trouble with matching LDAP group membership in authorize
Nevermind I found the problem. There's a limitation in ldap_groupcmp() such that only the last LDAP module instantiated is actually checked -- ignoring whatever you specify. I found this info from http://lists.cistron.nl/pipermail/freeradius-users/2004-June/033220.html.

"In any case the ldap module which will be instantiated last will be the one that will handle ldap-group comparisons. If we add a check that will change to the first ldap module which is instantiated. I think it's more or less a matter of personal taste, which module we'd like to handle ldap-group comparisons. Is it really worth the effort. Users can just change the order in which the ldap modules are instantiated in order to achieve what they want."

Rather disappointing that this limitation still exists from 2 years ago. Does FR2.0 have some sort of object-based virtualization that would support this? Like, a "LDAP group" object which you could tie LDAP instances to and make the check there?

-richard

- Original Message -
From: Richard Hesse <[EMAIL PROTECTED]>
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, January 30, 2007 12:40:36 PM
Subject: Trouble with matching LDAP group membership in authorize

> I'm trying to setup radius authentication for enable access on our networking gear and having a tough time getting a working config. I'd like to have FR check a group in LDAP for membership before authorizing. That is, I only want users listed in the "uniquemember" attribute of the Operations group object to be granted access. Reading the FR docs this is possible -- I must be missing something.
Re: Trouble with matching LDAP group membership in authorize
Richard Hesse wrote:
> Rather disappointing that this limitation still exists from 2 years ago.

As always, patches are welcome.

> Does FR2.0 have some sort of object-based virtualization that would support
> this?
> Like, a "LDAP group" object which you could tie LDAP instances to and make
> the check there?

No, but we'd welcome patches.

In any case, if you carefully read the text you quoted, you'll see a solution that doesn't require patches: List ALL ldap modules in the "instantiate" section, and list "ldap_enable" last.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Trouble with matching LDAP group membership in authorize
> In any case, if you carefully read the text you quoted, you'll see a
> solution that doesn't require patches: List ALL ldap modules in the
> "instantiate" section, and list "ldap_enable" last.
>
> Alan DeKok.

Yes, that's what I ended up doing. However, I lose the ability to do load-balance and redundancy constructs. rlm_ldap indicates that I can list multiple LDAP servers for the host in radius.conf. How exactly does that work compared to redundancy or load-balance? Does it try the first, then the second, etc every time? Does it round-robin?

Thanks,
-richard
Re: Trouble with matching LDAP group membership in authorize
Richard Hesse wrote:
> Yes, that's what I ended up doing. However, I lose the ability
> to do load-balance and redundancy constructs.

Why?

> rlm_ldap indicates
> that I can list multiple LDAP servers for the host in
> radius.conf. How exactly does that work compared to redundancy
> or load-balance? Does it try the first, then the second, etc
> every time? Does it round-robin?

doc/configurable_failover
doc/load-balance.txt

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Trouble with matching LDAP group membership in authorize
Richard Hesse wrote:
> Nevermind I found the problem. There's a limitation in ldap_groupcmp() such that only the last LDAP module instantiated is actually checked -- ignoring whatever you specify. I found this info from http://lists.cistron.nl/pipermail/freeradius-users/2004-June/033220.html.

That's for the attribute "Ldap-Group". The module-name-prefixed version, "ldap_enable-Ldap-Group" should work fine.

Your original mail listed:

> Hint file:
> DEFAULT NAS-Port-Type == Virtual, Service-Type == NAS-Prompt-User, ldap_enable-Ldap-Group := "operations", Autz-Type := ldap_enable, Auth-Type := LDAP

You are using := to compare ldap_enable-Ldap-Group - use ==

Try setting the Autz-Type in the "users" file
RE: Configure authentication via LDAP Group membership issue [sec=unclassified]
> groupname_attribute = cn
> groupmembership_filter = "(memberUid=1024)"
>
> with the following entry in the users file:
>
> DEFAULT Auth-Type = LDAP
>         Fall-Through = 1
>
> DEFAULT LDAP-Group == "VPN Users"
>         Service-Type = Administrative-User
>
> and this works as expected, but is there any way I can substitute the 1024 for an ldap search result so I can dynamically return the uidNumber for the %{User-Name} field?
>
> Thanks!
>
> Cheers,
> David

The memberUid attribute in a posixgroup is supposed to hold the uid, not the uidNumber. That would make your

    groupmembership_filter = "(memberUid=%{User-Name})"

or more robustly,

    groupmembership_filter = "(&(memberUid=%{Stripped-User-Name:-%{User-Name}})(objectClass=posixGroup))"

Regards,
Frank Ranner
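Both filters in this thread put request-supplied data (%{User-Name}, or the DN the user search returned) into an LDAP search filter, and the earlier debug output shows rlm_ldap escaping that DN as CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom before it goes on the wire. The following is an added example, not code from the list or from FreeRADIUS: it builds Frank's memberUid filter and the cn + member=DN filter from the debug output with the same style of escaping, decodes such escaped DNs back out of a radiusd -X log, and shows a cheap structural check that a substituted username cannot change the shape of the filter. The allow-list of characters left unescaped is my assumption, chosen to reproduce the escapes seen in the log; it is a superset of what RFC 4515 requires.

```python
"""Build rlm_ldap-style group-membership filters with the substituted
values escaped, and decode the escaped DNs seen in radiusd -X output.

Added example, not FreeRADIUS code.  The allow-list of characters left
unescaped is an assumption chosen to reproduce the \\3d / \\2c escapes in
the debug output above; it is a superset of what RFC 4515 requires.
"""
import re
import string

# Anything outside this set is emitted as \XX (lower-case hex):
# '=' -> \3d, ',' -> \2c, '*' -> \2a, '(' -> \28, ')' -> \29, '\' -> \5c.
_SAFE = frozenset(string.ascii_letters + string.digits + " .-_@")


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside an LDAP filter."""
    out = []
    for ch in value:
        if ch in _SAFE:
            out.append(ch)
        else:
            out.extend(f"\\{b:02x}" for b in ch.encode("utf-8"))
    return "".join(out)


_HEX_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")


def unescape_filter_value(value: str) -> str:
    """Reverse of escape_filter_value, for reading DNs back out of debug logs."""
    raw = _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)
    return raw.encode("latin-1").decode("utf-8")


def posix_group_filter(username: str) -> str:
    """Frank's memberUid filter with %{User-Name} substituted safely."""
    return f"(&(memberUid={escape_filter_value(username)})(objectClass=posixGroup))"


def dn_group_filter(group_cn: str, user_dn: str) -> str:
    """The cn + member=DN search that ldap_groupcmp issues in the debug output."""
    g, d = escape_filter_value(group_cn), escape_filter_value(user_dn)
    return (f"(&(cn={g})(|(&(objectClass=group)(member={d}))"
            f"(&(objectClass=GroupOfNames)(member={d}))))")


# A filter node is '(' followed by &, |, ! or an attribute and comparator.
_NODE = re.compile(r"\((?:[&|!]|[A-Za-z][A-Za-z0-9-]*(?:~=|>=|<=|=))")


def count_filter_nodes(filt: str) -> int:
    """Structural check: a fixed template must yield the same node count for
    every username.  A higher count means the value broke out of its slot."""
    return len(_NODE.findall(filt))


if __name__ == "__main__":
    dn = "CN=zkms,CN=Users,DC=voila,DC=com"   # DN from the debug output above
    print(dn_group_filter("Radius-Admin", dn))
    print(unescape_filter_value(r"CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom"))
    tricky = "*)(uid=*"   # constructed: filter metacharacters in a username
    print(posix_group_filter(tricky), count_filter_nodes(posix_group_filter(tricky)))
    naive = f"(&(memberUid={tricky})(objectClass=posixGroup))"
    print(naive, count_filter_nodes(naive))   # one node more than the template
```

rlm_ldap already escapes its own %{...} expansions; the check matters when the expansion is replaced by an exec or xlat script, as considered earlier in this thread, because that script then owns the escaping.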
Re: Configure authentication via LDAP Group membership issue [sec=unclassified]
Frank,

Thank you - greatly appreciated. This made me realise that my thinking was foggy when I had defined group memberships. All working now.

Cheers,
David

- Original Message -
From: "Frank MR Ranner" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Sent: Wednesday, 31 October 2007 10:20:36 AM (GMT+1000) Australia/Brisbane
Subject: RE: Configure authentication via LDAP Group membership issue [sec=unclassified]

> ...
>
> The memberUid attribute in a posixgroup is supposed to hold the uid, not the uidNumber. That would make your
>
>     groupmembership_filter = "(memberUid=%{User-Name})"
>
> or more robustly,
>
>     groupmembership_filter = "(&(memberUid=%{Stripped-User-Name:-%{User-Name}})(objectClass=posixGroup))"
>
> Regards,
> Frank Ranner
Re: LDAP Group membership check not working after upgrade to Windows Server 2003
> ert.pem
> # cacertdir = /path/to/ca/dir/
> # certfile = /path/to/radius.crt
> # keyfile = /path/to/radius.key
> # randfile = /path/to/rnd
>
> # Certificate Verification requirements. Can be:
> #    "never" (don't even bother trying)
> #    "allow" (try, but don't fail if the cerificate
> #             can't be verified)
> #    "demand" (fail if the certificate doesn't verify.)
> #
> # The default is "allow"
> # require_cert = "demand"
> }
> # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
> # profile_attribute = "radiusProfileDn"
> # access_attr = "User-Password"
>
> # Mapping of RADIUS dictionary attributes to LDAP
> # directory attributes.
> dictionary_mapping = ${confdir}/ldap.attrmap
>
> # Set password_attribute = nspmPassword to get the
> # user's password from a Novell eDirectory
> # backend. This will work ONLY IF FreeRADIUS has been
> # built with the --with-edir configure option.
> #
> # See also the following links:
> #
> # http://www.novell.com/coolsolutions/appnote/16745.html
> # https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
> #
> # Novell may require TLS encrypted sessions before returning
> # the user's password.
> #
> # password_attribute = User-Password
>
> # Un-comment the following to disable Novell
> # eDirectory account policy check and intruder
> # detection. This will work *only if* FreeRADIUS is
> # configured to build with --with-edir option.
> #
> edir_account_policy_check = no
>
> #
> # Group membership checking. Disabled by default.
> #
> groupname_attribute = cn
> #groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
> groupmembership_filter = "(|(&(objectClass=group)(member=%{check:LDAP-UserDn}))(&(objectClass=GroupOfNames)(member=%{check:LDAP-UserDn})))"
> groupmembership_attribute = memberOf
>
> # compare_check_items = yes
> do_xlat = yes
> # access_attr_used_for_allow = yes
>
> #
> # By default, if the packet contains a User-Password,
> # and no other module is configured to handle the
> # authentication, the LDAP module sets itself to do
> # LDAP bind for authentication.
> #
> #
> # THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
> #
> # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
> #
> # You can disable this behavior by setting the following
> # configuration entry to "no".
> #
> # allowed values: {no, yes}
>
> # set_auth_type = yes
>
> # ldap_debug: debug flag for LDAP SDK
> # (see OpenLDAP documentation). Set this to enable
> # huge amounts of LDAP debugging on the screen.
> # You should only use this if you are an LDAP expert.
> #
> # default: 0x (no debugging messages)
> # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
> ldap_debug = 0x0028
>
> __
>
> Samba / Winbind responses:
>
> [EMAIL PROTECTED] modules]# wbinfo -t
> checking the trust secret via RPC calls succeeded
>
> [EMAIL PROTECTED] modules]# wbinfo -a testuser%mypass
> plaintext password authentication failed
> error code was NT_STATUS_NO_SUCH_USER (0xc064)
> error messsage was: No such user
> Could not authenticate user testuser%mypass with plaintext password
> challenge/response password authentication succeeded
>
> wbinfo -u and wbinfo -g enumerate all users/groups.

--
View this message in context: http://www.nabble.com/LDAP-Group-membership-check-not-working-after-upgrade-to-Windows-Server-2003-tp19496304p19544572.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.