Multiple (different) LDAP servers and authorisation

Stewart James Stewart.James at vu.edu.au
Wed Aug 15 07:36:18 CEST 2007


Further to my previous email I have gained a better understanding of the situation. As I said in my first post, I have been roped in, so this is my introduction to Radius, specifically freeradius. Nothing like being thrown in the deep end to learn a new service. :)

What I have realised is that there are two ways that authorisation appears to be called for LDAP. One way is to name the LDAP modules in the authorise section. The other way appears to be through the LDAP-Group in the users file and letting the "files" module then call the LDAP module.

If I have anything incorrect in the above statement please let me know.

Now, with that in mind I can simplify my problem... I think.

The working configuration as it stands is configured to use Auth-Type LDAP as defined in the users file with appropriate LDAP-Groups, e.g.:

DEFAULT Auth-Type = LDAP, LDAP-Group == "SomeGroup"
        Fall-Through = Yes

There is no mention of the ldap server (novell) in the authorise section of the radiusd.conf file.

This leads me to believe (and looking at the -X -f output) that when an access request is made, the radius server goes through the authorise section first, hits the files module, the files module then sees the LDAP-Group and calls the LDAP module and checks for the group.

If I don’t have that correct, please feel free to correct me.

Assuming I do have that correct, the behaviour I am seeing is that the eventual call to the LDAP module for checking the group does not seem to allow being configured to fall through to another ldap server if the first ldap server does not yield a successful result.

Thoughts?
 
Stewart :)
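The two-directory arrangement described above, laid out as an added example (this is not configuration from the thread or from the FreeRADIUS project; it follows FreeRADIUS 1.x radiusd.conf and users file syntax). The hostnames, bind DNs, passwords, base DNs and the "VPN-Users" group name are placeholders. It relies on two behaviours of rlm_ldap that should be confirmed against the version in use with `radiusd -X`: an instance not named "ldap" registers its group check item as `<instance>-LDAP-Group`, so each users entry can ask exactly one directory, and an `Auth-Type <name>` sub-section in authenticate makes that name usable as an Auth-Type value in the users file. Because the first matching users entry wins, the order of the DEFAULT entries decides which directory authenticates an account that exists in both.

```conf
# ---- radiusd.conf (placeholder values throughout) ----
modules {
        # One rlm_ldap instance per directory. The instance name is what the
        # users file and the authenticate section refer to.
        ldap ldap_ad {
                server = "ad.example.edu"
                identity = "cn=radius-svc,cn=Users,dc=ad,dc=example,dc=edu"
                password = "replace-me"
                basedn = "dc=ad,dc=example,dc=edu"
                filter = "(samaccountname=%{Stripped-User-Name:-%{User-Name}})"
                # AD records membership on the user entry itself
                groupmembership_attribute = "memberOf"
                groupname_attribute = "cn"
        }

        ldap ldap_novell {
                server = "edir.example.edu"
                identity = "cn=radius-svc,o=example"
                password = "replace-me"
                basedn = "o=example"
                filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
                # eDirectory groups are groupOfNames objects listing their members
                groupmembership_filter = "(&(objectClass=groupOfNames)(member=%{Ldap-UserDn}))"
                groupname_attribute = "cn"
        }
}

authorize {
        preprocess
        # Neither ldap instance is listed here: the files module drives the
        # group checks, as in the working configuration described above.
        files
}

authenticate {
        # Each Auth-Type binds the user's password against exactly the
        # directory whose group check matched in the users file.
        Auth-Type ldap_ad {
                ldap_ad
        }
        Auth-Type ldap_novell {
                ldap_novell
        }
}

# ---- users ----
# Instance-prefixed group check items (assumed naming: <instance>-LDAP-Group).
# AD is consulted first; a user not found there, or not in the group, fails
# this entry's check item and the files module moves on to the next entry.
DEFAULT ldap_ad-LDAP-Group == "VPN-Users", Auth-Type := ldap_ad

DEFAULT ldap_novell-LDAP-Group == "VPN-Users", Auth-Type := ldap_novell

# Nothing matched in either directory: reject explicitly rather than letting
# the request fall off the end with no Auth-Type set.
DEFAULT Auth-Type := Reject
        Reply-Message = "Not a member of the VPN group in either directory"
```

In `radiusd -X` output the thing to look for is which `users:` entry matched and which Auth-Type the request carries into authenticate; if the users file refuses to parse the `ldap_ad` or `ldap_novell` Auth-Type value on a given version, the value can be added to a local dictionary instead.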

-----Original Message-----
From: freeradius-users-bounces+stewart.james=vu.edu.au at lists.freeradius.org [mailto:freeradius-users-bounces+stewart.james=vu.edu.au at lists.freeradius.org] On Behalf Of Stewart James
Sent: Wednesday, 15 August 2007 1:49 PM
To: FreeRadius users mailing list
Subject: RE: Multiple (different) LDAP servers and authorisation

Hi Alan,

Thanks for offering some help, no need to point out that in reality AD != True LDAP. Well and truly aware of it.

Let's step through what we need.

At the moment we have a large number of people that get their authentication/authorisation through the Radius server (VPN Service). There will be a period (over the next few months) where some people will have an account in AD and Novell, some will have just an account in Novell and some will have an account in AD.

What we want to be able to do is allow users to continue using their systems without changing anything in their configuration and for the Radius server to see if they are an authorised user with valid credentials on the AD LDAP interface and, if they are not in that, check the Novell LDAP Interface.

I can:
* Have the system perform authentication on the user to the AD system and if the user is not found, it will then check for the user on the Novell system - providing I do not specify an LDAP-Group requirement in the users file, e.g. just authentication, not authorisation.
* Have the system perform authentication and authorisation on a given user providing I only configure one of the Directory Services (e.g. only list the AD server for both authentication and authorisation)

So it is only in the authorisation area I am having problems.

Does that make more sense?

Cheers,

Stewart

-----Original Message-----
From: freeradius-users-bounces+stewart.james=vu.edu.au at lists.freeradius.org [mailto:freeradius-users-bounces+stewart.james=vu.edu.au at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Wednesday, 15 August 2007 12:16 PM
To: FreeRadius users mailing list
Subject: Re: Multiple (different) LDAP servers and authorisation

Stewart James wrote:
> I have been roped in to look over an issue we have with migrating from
> Novell to AD.

  Repeat after me: AD is not an LDAP server.

  It's not.  It fakes it pretty well, but it's not.

> As I stated earlier authentication fall through works like a treat (if
> in the users file I don’t specify an LDAP-Group authentication works).
> If I only specify 1 ldap server to do authentication and authorisation,
> everything works, it's only when I try to do authorisation via LDAP-Group
> AND try to do authorisation fall through as documented above do I
> start getting errors.

  If you are trying to use LDAP to obtain the "known good" password from
AD, it's impossible.

> rlm_ldap: performing search in dc=ad,dc=vu,dc=edu,dc=au, with filter
> (samaccountname=USERNAME)
..
> rlm_ldap: looking for check items in directory...
> 
> rlm_ldap: looking for reply items in directory...

  Nothing.  i.e. The user was found, but *nothing* more than that was found.

> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user

  The server doesn't know how to authenticate the user, so the user is
rejected.

  Please explain a little more what you're trying to do, and what you
expect to see where.  Right now, you're trying to debug a solution.
Instead, focus on the problem, and the solution may be simple (or
impossible).

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
