Freeradius How to integrate Active Directory and return groupattribute to VPN Concentrator

Alhagie Puye APuye at datawave.com
Fri Dec 2 21:22:03 CET 2005



Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817  

> >-----Original Message-----
> >From: freeradius-users-bounces at lists.freeradius.org 
> >[mailto:freeradius-users-bounces at lists.freeradius.org] On 
> >Behalf Of Dusty Doris
> >Sent: December 2, 2005 10:11 AM
> >To: FreeRadius users mailing list
> >Subject: RE: Freeradius How to integrate Active Directory 
> >and return groupattribute to VPN Concentrator
> >
> >On Wed, 30 Nov 2005, Alhagie Puye wrote:
> >
> >> Ok, So I played around some more with the settings.
> >>
> >> Actually "group" and "groupofnames" are not correct 
> >attributes for user.
> >>
> >> It is supposed to be "memberof". So I changed line in 
> >ldap.attrmap to 
> >> look like:
> >>
> >> replyItem       Class                           memberof
> >>
> >> Now I'm getting replyItems but the data looks like 
> >garbage. I want it 
> >> to return the group name.
> >>
> >
> >You are returning CN as the class in your radius packet.
> >
> >Class = CN
> >
> >Class is not a string, its an octet so what you are seeing 
> >434e is really CN.  You must be returning something like
> >
> >memberof: CN=somegroup,ou=someou,...
Yes, you are absolutely correct.
I have now installed and configured OpenLdap and followed your
instructions to the teeth because this is driving me to the wall. If I
have to implement OpenLDAP to get this working, then that's what I will
do.......


Here is what I'm getting now:

Cleaning up request 0 ID 183 with timestamp 4390a566
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 127.0.0.1:44210, id=250,
length=57
        User-Name = "user2"
        User-Password = "whatever"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "user2", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'DC=mydomain,DC=com'
radius_xlat:  '(uid=user2)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in DC=mydomain,DC=com, with filter
(uid=user2)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat:  '(&(uid=user2))(objectclass=radiusprofile)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in DC=mydomain,DC=com, with filter
(&(radiusGroupName=disabled)(&(uid=user2))(objectclass=radiusprofile))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in
uid=user2,ou=users,ou=radius,dc=mydomain,dc=com, with filter
(objectclass=*)
rlm_ldap::groupcmp: Group disabled not found ????or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'DC=mydomain,DC=com'
radius_xlat:  '(&(uid=user2))(objectclass=radiusprofile)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in DC=mydomain,DC=com, with filter
(&(radiusGroupName=dial)(&(uid=user2))(objectclass=radiusprofile))
rlm_ldap::ldap_groupcmp: User found in group dial
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 169
  modcall[authorize]: module "files" returns ok for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user2
radius_xlat:  '(uid=user2)'
radius_xlat:  'DC=mydomain,DC=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in DC=mydomain,DC=com, with filter
(uid=user2)
rlm_ldap: performing search in
uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com, with filter
(objectclass=radiusprofile)
rlm_ldap: Adding radiusFramedRouting as Framed-Routing, value None &
op=11
rlm_ldap: Adding radiusFramedIPNetmask as Framed-IP-Netmask, value
255.255.255.0 & op=11
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP &
op=11
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User &
op=11
rlm_ldap: Added password whatever in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusgroupname as Class, value dial & op=11
rlm_ldap: Adding radiusgroupname as Class, value isdn & op=11
rlm_ldap: user user2 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 1
modcall: group authorize returns ok for request 1
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 1
rlm_ldap: - authenticate
rlm_ldap: login attempt by "user2" with password "whatever"
rlm_ldap: user DN: uid=user2,ou=users,ou=radius,dc=mydomain,dc=com
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as
uid=user2,ou=users,ou=radius,dc=mydomain,dc=com/whatever to
localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user user2 authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 1
modcall: group Auth-Type returns ok for request 1
Sending Access-Accept of id 250 to 127.0.0.1:44210
        Framed-Routing = None
        Framed-IP-Netmask = 255.255.255.0
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Class = 0x6469616c
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 250 with timestamp 4390a725
Nothing to do.  Sleeping until we see a request.

Dusty, I know you mentioned that you are implementing what I'm trying to
achieve with the Cisco VPN Concentrator. Is this what I SHOULD expect for
my setup to work?

Thanks in advance,
Alhagie.
> >
> >It seems like rlm_ldap is stripping anything after that = 
> >sign.  You should check the bugs db and see if you can find 
> >something like this.
> >
> >
> >
> >- 
> >List info/subscribe/unsubscribe? See 
> >http://www.freeradius.org/list/users.html
> >


This message (including any attachments) is confidential, may be privileged and is only intended for the person to whom it is addressed.  If you have received it by mistake please notify the sender by return e-mail and delete this message from your system.  Any unauthorized use or dissemination of this message in whole or in part is strictly prohibited.  E-mail communications are inherently vulnerable to interception by unauthorized parties and are susceptible to change.  We will use alternate communication means upon request.
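The debug output above ends with `Class = 0x6469616c`, and Dusty's reply explains that the `434e` seen earlier is just the ASCII bytes of "CN" because RADIUS Class is an octet string rather than text. The following is an added example, not code from the thread or from FreeRADIUS: it decodes the hex form of a Class item, encodes a group name into the hex form it will show up as in an Access-Accept, parses an Active Directory `memberOf` DN into its RDNs (honouring backslash-escaped commas) so the group's CN can be extracted, and models the truncation at the first `=` that the thread observes. The `memberOf` values are constructed for the example; only the `DC=mydomain,DC=com` base matches the log.

```python
import binascii
from typing import List, Tuple

# Constructed sample values for this example (not from a real directory).
# The base DN matches the debug output in the thread; the group names and
# the escaped comma in the second DN are made up to exercise the parser.
SAMPLE_MEMBEROF = [
    "CN=somegroup,OU=Groups,DC=mydomain,DC=com",
    "CN=Sales\\, EMEA,OU=Groups,DC=mydomain,DC=com",  # comma inside the CN, escaped per RFC 4514
]


def decode_class(hexvalue: str) -> str:
    """Turn the hex that the debug output prints for Class back into text.

    RADIUS Class (attribute 25) is an octet string, so FreeRADIUS shows it
    as hex: 0x6469616c is the four ASCII bytes of "dial".
    """
    digits = hexvalue[2:] if hexvalue.lower().startswith("0x") else hexvalue
    return binascii.unhexlify(digits).decode("ascii", errors="replace")


def encode_class(text: str) -> str:
    """The reverse: the hex form a textual reply item appears as in the Access-Accept."""
    return "0x" + binascii.hexlify(text.encode("ascii")).decode("ascii")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an LDAP DN into (attribute, value) pairs, most specific RDN first.

    Handles backslash-escaped characters such as an escaped comma (RFC 4514);
    hex escapes like \\2C and multi-valued RDNs joined with '+' are not handled.
    Attribute names are lower-cased; values keep their case.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)      # literal character, backslash dropped
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))

    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def group_name_from_memberof(memberof: str) -> str:
    """Return the group's CN, which is the short name one wants in a Class reply item."""
    attr, value = parse_dn(memberof)[0]
    if attr != "cn":
        raise ValueError("memberOf DN does not start with CN=: %r" % memberof)
    return value


def truncated_at_equals(memberof: str) -> str:
    """Model the behaviour the thread observes: everything after the first '='
    is lost, so "CN=somegroup,..." collapses to just "CN" (hex 434e)."""
    return memberof.split("=", 1)[0]


def class_items(memberof_values) -> List[Tuple[str, str]]:
    """For each memberOf value: the group CN and the hex a Class item carrying it shows as."""
    return [(g, encode_class(g)) for g in map(group_name_from_memberof, memberof_values)]


if __name__ == "__main__":
    print(decode_class("0x6469616c"))                              # dial
    print(encode_class(truncated_at_equals(SAMPLE_MEMBEROF[0])))   # 0x434e
    for name, hexform in class_items(SAMPLE_MEMBEROF):
        print(name, hexform)
```

Running the block shows both sides of the confusion in the thread: `0x6469616c` decodes to `dial`, a whole `memberOf` DN cut at its first `=` leaves only `CN` (which encodes to `0x434e`), and the parser pulls `somegroup` and `Sales, EMEA` out of the sample DNs, which is the text you would want carried in Class rather than the full DN.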



