Different behaviour with LDAP

Þórður Ívarsson toti at skrin.is
Wed Aug 31 14:28:57 CEST 2005

I am authorizing wireless network cards in the "users" file with a RADIUS server (old Cistron RADIUS) and that is working fine.

Entry like:
121212-232323 Auth-Type = Accept

Only the network card matching the above entry gets access.

Now I am building a new RADIUS server with FreeRADIUS, and user information and passwords are kept in OpenLDAP.

I have the following entry in my "users" file:

DEFAULT Huntgroup-Name == "wireless", Service-Type == Framed-User, Autz-Type:=zldap-macaddr, Auth-Type := Accept
        Fall-Through = No

and this is in "radiusd.conf":
        ldap ldap-macaddr {
                server = "localhost"
                identity = "cn=manager,dc=skrin,dc=local"
                password = kept_secret
                basedn = "ou=users,ou=internet,dc=skrin,dc=local"
                filter = "(&(macAddress=%{Stripped-User-Name:-%{User-Name}})(radiusGroupName=wireless))"
                base_filter = "(objectclass=radiusprofile)"

                start_tls = no

                dictionary_mapping = ${raddbdir}/ldap.attrmap

                ldap_connections_number = 5

                # password_attribute = userPassword
                # groupname_attribute = cn
                # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
                # groupmembership_attribute = radiusGroupName
                timeout = 4
                timelimit = 3
                net_timeout = 1
                # compare_check_items = yes
                # do_xlat = yes
        }

I also have different sections for different huntgroups in the LDAP entry in radiusd.conf for other services, and they work fine.

The behaviour of the RADIUS server is like this: authorize the client/user (match against the huntgroup and the LDAP attribute search), then authenticate the user (trying to log into the LDAP server with user/password). But I have Auth-Type = Accept, which I understand allows everyone that matches the authorize section. This breaks: it allows everyone that matches the huntgroup but fails authorize. Is this normal or not?

Þórður Ívarsson
Skrín ehf
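The filter in the ldap-macaddr section above takes the MAC address from User-Name, a value supplied by the client, so the expanded value has to be escaped per RFC 4515 before it is spliced into the filter (rlm_ldap does this itself; the escaping is reproduced here for illustration). The following Python is an added example, not code from the post or from FreeRADIUS: it expands the post's filter for a request and evaluates it against a small constructed directory, so only a card whose macAddress entry also carries radiusGroupName=wireless is authorised.

```python
import re

# RFC 4515 escaping of an assertion value. rlm_ldap escapes xlat output the same
# way before splicing it into the filter; it is reproduced here for illustration.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def ldap_escape(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def ldap_unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def macaddr_filter(request):
    """Expand the post's filter. %{Stripped-User-Name:-%{User-Name}} means
    'Stripped-User-Name, or User-Name if that attribute is not set'."""
    name = request.get("Stripped-User-Name") or request.get("User-Name", "")
    return "(&(macAddress=%s)(radiusGroupName=wireless))" % ldap_escape(name)

# One equality assertion, e.g. (macAddress=121212-232323); values may hold \xx escapes.
_EQ = re.compile(r"\(([A-Za-z][\w-]*)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)")

def matches(filter_str, entry):
    """Evaluate a conjunction of equality assertions, (&(a=v)(b=w)...), against one
    entry whose attribute values are lists. That is the only shape the post's filter
    uses; anything else is rejected. Matching is case-insensitive, as for macAddress."""
    if not (filter_str.startswith("(&") and filter_str.endswith(")")):
        raise ValueError("only (&(...)(...)) filters are supported")
    body = filter_str[2:-1]
    terms = _EQ.findall(body)
    if "".join("(%s=%s)" % t for t in terms) != body:
        raise ValueError("malformed filter: " + filter_str)
    for attr, raw in terms:
        wanted = ldap_unescape(raw).lower()
        if wanted not in [v.lower() for v in entry.get(attr, [])]:
            return False
    return True

# Constructed sample entries standing in for ou=users,ou=internet,dc=skrin,dc=local.
DIRECTORY = [
    {"macAddress": ["121212-232323"], "radiusGroupName": ["wireless"]},
    {"macAddress": ["343434-454545"], "radiusGroupName": ["dialin"]},
]

def authorize_macaddr(request, directory=DIRECTORY):
    """True only when some entry matches the expanded filter, i.e. the card's MAC
    is known *and* the entry carries radiusGroupName=wireless."""
    flt = macaddr_filter(request)
    return any(matches(flt, e) for e in directory)
```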
