Redundant ldap server with freeradius 1.0.5

sumi thra sumi.techno at gmail.com
Mon Apr 24 07:30:29 CEST 2006


On 4/24/06, sumi thra <sumi.techno at gmail.com> wrote:
>
> Hi Alan,
>
> Thanks for your earlier reply.
>
> Please find the attached configuration file for details, and let me know what
> is misconfigured.
>


Config file :

# radiusd.conf global settings (FreeRADIUS 1.0.5, as posted).
# ${...} references are expanded by the config parser when the file is read.
prefix = /usr
exec_prefix = /usr
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/radius
# Non-standard raddb location (the stock layout is ${sysconfdir}/raddb).
# Every $INCLUDE below resolves against this directory, and it holds the
# LDAP bind passwords, so it should be readable only by the account that
# radiusd runs as.
raddbdir = /var/etc/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib/radius
pidfile = ${run_dir}/radiusd.pid
max_request_time = 90
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
# NOTE(review): with user/group commented out the daemon never drops
# privileges and keeps running as whoever started it (usually root).
# Uncomment them and point them at a dedicated unprivileged account.
#user = admin
#group = users
# Listen on every interface; which NAS may talk to this server is decided
# by the shared secrets in clients.conf, not here.
bind_address = *
# 0 = take the port number from /etc/services.
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
# NOTE(review): all three log_auth* switches are off, so failed logins
# leave no trace in ${log_file}. Turning on log_auth (and log_auth_badpass)
# is the first step when debugging the LDAP failover configured below.
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad

security {
    # Upper bound on attributes accepted in one packet; packets with more
    # are dropped rather than parsed.
    max_attributes = 200
    # Seconds to wait before sending an Access-Reject; slows down online
    # password guessing against the directory behind rlm_ldap.
    reject_delay = 1
    # Do not answer Status-Server probes.
    status_server = no
}

# Proxying and SNMP are both enabled; their details live in the included files.
proxy_requests = yes
snmp = yes

$INCLUDE  ${confdir}/proxy.conf
# clients.conf holds the per-NAS shared secrets and is the only thing
# limiting who may send requests to bind_address = *.
$INCLUDE  ${confdir}/clients.conf
$INCLUDE  ${confdir}/snmp.conf

# Worker threads that process requests. An LDAP lookup occupies a thread
# until the ldap module's timeouts expire, so max_servers also bounds how
# many requests can be stuck waiting on an unreachable directory at once.
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    # 0 = worker threads are never recycled.
    max_requests_per_server = 0
}

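modules {
    # pap compares User-Password with the check item a previous module
    # (files/ldap) supplied; "clear" means that check item is cleartext.
    pap {
        encryption_scheme = clear
    }

    chap {
        authtype = CHAP
    }

    # Not listed in any processing section below.
    pam {
        pam_auth = radiusd
    }

    # Not active: commented out in authenticate and accounting.
    unix {
        cache = no
        cache_reload = 600
        radwtmp = /var/log/radius/radwtmp
    }

    mschap {
        authtype = MS-CHAP
        #use_mppe = no
        #require_encryption = yes
        #require_strong = yes
        #with_ntdomain_hack = no
    }

    # First leg of the redundant{} pair used in authorize and Auth-Type LDAP.
    ldap ldap_primary {
        server = 1.1.1.1
        port = 389
        # Values containing spaces must be double-quoted; an unquoted
        # "o=My Org,..." risks being cut at the space by the config parser.
        identity = "cn=Manager,o=My Org,c=INDIA"
        # NOTE(review): bind password sits in cleartext in this file (and is
        # now on a public list) -- rotate it, and keep ${raddbdir} unreadable
        # to other users. "cn=Manager" is typically the directory's root DN;
        # a read-only service account limited to the RADIUS subtree is all
        # this lookup needs.
        password = secret
        basedn = "o=My Org,c=INDIA"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # NOTE(review): plain LDAP on 389 -- the bind password above and, for
        # Auth-Type LDAP, every user's password cross the network unencrypted.
        start_tls = no
        # NOTE(review): the stock example spells this attribute "dialupAccess";
        # it must match the directory schema exactly -- confirm.
        access_attr = "dialupacces"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        #password_header = "{SHA}"
        # The directory value becomes the cleartext check item that pap
        # compares against. If userPassword is stored hashed, pap's "clear"
        # comparison cannot match and Auth-Type LDAP (bind as the user) is
        # the working path -- confirm what the directory actually stores.
        password_attribute = userPassword
        groupname_attribute = cn
        # One logical line (it wraps in the mailing-list copy).
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        groupmembership_attribute = radiusGroupName
        # Failover to ldap_secondary happens only once these expire
        # (net_timeout bounds the connect attempt), so keep them short.
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # "no" = the presence of access_attr on a user entry denies access
        # (per the stock radiusd.conf commentary) -- make sure that is the
        # intended meaning of the attribute in this directory.
        access_attr_used_for_allow = no
    }

    # Second leg of redundant{}. NOTE(review): every value below is still
    # the stock example (placeholder host, c=UA, basedn without a country)
    # and does not match ldap_primary, so the fallback is unlikely to reach
    # a real server. Point it at the actual replica with the same
    # identity/basedn as the primary. Quoting added to match ldap_primary.
    ldap ldap_secondary {
        server = ldap.your.domain
        port = 389
        identity = "cn=admin,o=My Org,c=UA"
        password = mypass
        basedn = "o=My Org"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        access_attr = "dialupacces"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        #password_header = "{SHA}"
        password_attribute = userPassword
        groupname_attribute = cn
        # One logical line (it wraps in the mailing-list copy).
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
        access_attr_used_for_allow = no
    }

    # Both passwd instances are commented out in authorize (note the
    # non-standard /var/etc paths).
    passwd etc_passwd {
        filename = /var/etc/passwd
        format = "*User-Name::User-Password"
        delimiter = :
    }

    passwd etc_group {
        filename = /var/etc/group
        format = "~Group-Name::*,User-Name"
        delimiter = :
    }

    # Six realm instances: prefix and suffix forms with '/', '@' and '%'.
    # They only split the name; which realms are local or proxied is in
    # proxy.conf.
    realm suffix_oblic {
        format = suffix
        delimiter = /
        ignore_default = no
        ignore_null = no
    }

    realm prefix_oblic {
        format = prefix
        delimiter = /
        ignore_default = no
        ignore_null = no
    }

    realm suffix_at {
        format = suffix
        delimiter = @
        ignore_default = no
        ignore_null = no
    }

    realm prefix_at {
        format = prefix
        delimiter = @
        ignore_default = no
        ignore_null = no
    }

    realm suffix_percent {
        format = suffix
        delimiter = %
        ignore_default = no
        ignore_null = no
    }

    realm prefix_percent {
        format = prefix
        delimiter = %
        ignore_default = no
        ignore_null = no
    }

    # Not listed in any section below.
    checkval {
        item-name = Calling-Station-Id
        check-name = Calling-Station-Id
        data-type = string
        #notfound-reject = no
    }

    preprocess {
        huntgroups = ${confdir}/huntgroups
        # The posted file had "hu_int32_ts" here, a mangled "hints": the file
        # it points at is ${confdir}/hints and rlm_preprocess only knows
        # the "hints" option.
        hints = ${confdir}/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }

    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }

    detail  {
        detailfile = ${radacctdir}/%{Client-IP-Address}/acct-%Y%m%d
        # NOTE(review): 0666 makes every accounting log world-writable, so
        # any local user can alter or erase the audit trail. The stock value
        # is 0600; nothing but radiusd needs to write here.
        detailperm = 0666
    }

    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
    }

    # Not active: commented out in accounting and session.
    radutmp  {
        filename = /var/log/radius/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = yes
        perm = 0600
        callerid = yes
    }

    # The posted file named this second instance plain "radutmp" as well,
    # colliding with the one above; "sradutmp" is the stock instance name
    # for this file. Not referenced by any section below.
    radutmp sradutmp {
        filename = /var/log/radius/sradutmp
        perm = 0644
        callerid = no
    }

    attr_filter {
        attrsfile = ${confdir}/attrs
    }

    counter daily {
        filename = ${raddbdir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
    }

    always fail {
        rcode = fail
    }

    always reject {
        rcode = reject
    }

    always ok {
        rcode = ok
        simulcount = 0
        mpp = no
    }

    expr {
    }

    digest {
    }

    exec  {
        wait = yes
        input_pairs = request
    }

    # Not listed in any section below. If it is ever enabled, remember that
    # User-Name is client-supplied input interpolated into the command line.
    exec echo {
        wait = yes
        program = "/bin/echo %{User-Name}"
        input_pairs = request
        output_pairs = reply
    }

    ippool main_pool {
        range-start = 192.168.1.1
        range-stop = 192.168.3.254
        netmask = 255.255.255.0
        cache-size = 800
        session-db = ${raddbdir}/db.ippool
        ip-index = ${raddbdir}/db.ipindex
        override = no
        maximum-timeout = 0
    }

    $INCLUDE  ${confdir}/eap.conf
}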

# Modules to load at startup even if no section lists them; both entries
# are commented out, so nothing is pre-instantiated here.
instantiate {
    #exec
    #expr
}

# Runs for every Access-Request before an Auth-Type is chosen.
authorize {
    preprocess
    #etc_passwd
    #etc_group
    chap
    mschap
    # Try each realm delimiter/format in turn (user/realm, user@realm,
    # user%realm) to fill in Stripped-User-Name and Realm.
    suffix_oblic
    prefix_oblic
    suffix_at
    prefix_at
    suffix_percent
    prefix_percent
    files
    # redundant: ldap_secondary is consulted only when ldap_primary returns
    # "fail" (e.g. the server is unreachable); a "notfound" or "reject" from
    # the primary ends the group, so both directories must hold the same users.
    redundant{
            ldap_primary
            ldap_secondary
        }
    eap
}

# Authentication method selected by the Auth-Type check item set in authorize.
authenticate {
    Auth-Type PAP {
        pap
    }

    Auth-Type CHAP {
        chap
    }

    Auth-Type MS-CHAP {
        mschap
    }

    # LDAP = bind to the directory as the user with the supplied password;
    # same redundant semantics as in authorize (fall through only on "fail").
    # With start_tls = no on the ldap modules that bind is unencrypted.
    Auth-Type LDAP {
        redundant {
            ldap_primary
            ldap_secondary
        }
    }

    #unix
    eap
}

# Runs on each Accounting-Request before the accounting section.
preacct {
    preprocess
    # Builds Acct-Unique-Session-Id from the key configured in modules{}.
    acct_unique
    # Only the user/realm suffix form is stripped here, unlike authorize,
    # which tries all six realm instances.
    suffix_oblic
    files
}

accounting {
    # Appends the packet to the per-client detail file (see detailperm).
    detail
    #unix
    #radutmp
}

# Simultaneous-use checks; with nothing active here a Simultaneous-Use
# limit cannot be enforced.
session {
    #radutmp
}

# Empty: no post-authentication processing.
post-auth {
}

# Empty: requests are forwarded to the proxy.conf home servers unmodified.
pre-proxy {
}

# eap is listed so that replies to proxied EAP requests are processed.
post_proxy {
    eap
}


Thanks
> Sumithra.
>
> On 4/24/06, Alan DeKok <aland at nitros9.org> wrote:
> >
> > "sumi thra" <sumi.techno at gmail.com> wrote:
> > > My configuration in the radiusd.conf is...
> > >
> > > ldap {
> > >         redundant {
> >
> >   Huh?  The "redundant" section doesn't go into "ldap", it goes into
> > "authorize".
>
>
>     Yes. The redundant ldap config goes into the authorize section.  Please
> look at the attached config file for the detailed configuration.
>
>
>   Alan DeKok.
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
>
>
>

