Problem with LDAP and Groups
Bryan Evege
bryan at bevege.com
Wed Oct 10 22:08:04 CEST 2007
Hello all. First off, here's what I want to accomplish in the end. Use
LDAP as the backend to store all user information including radius
attributes, shell info and access to specific devices in specific
locations. For example, Johnny needs access to all linux boxes in
Atlanta and priv-level 15 on cisco routers in Denver. Fred needs
read/write access to all packet shapers in Denver and read only to all
cisco devices in Atlanta and Denver. You get the picture.
I've set up a test server following the document in
/opt/freeradius/share/doc/freeradius/ldap_howto.txt without much
difficulty. This method does a good job of allowing only certain groups
to access certain devices without messing with the huntgroups.
Here's the problem. When a user logs in and is a member of more than
one group radius only uses the first one to match. I've included the
users file below. For example, if the user is a member of the cisco
group and the packeteer group only the packeteer group information gets
passed back because it is found before the cisco group.
Is there a way to say that the request is from a Cisco box so only look
for the user in the cisco group? If the user is then found in that
group then pass back the correct attributes from their profile. I know
I would have to define what a "cisco box" is, probably by IP.
Please let me know if this is even possible and if so provide an
example. If it is not possible please provide some direction on how to
go about doing this.
Freeradius 1.1.7
Users file

DEFAULT Ldap-Group == acct_disabled, Auth-Type := Reject
        Reply-Message = "Account disabled. Please call the helpdesk."

DEFAULT Ldap-Group == packeteer_read_only, User-Profile := "uid=packeteer_read_only,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
        Fall-Through = no

DEFAULT Ldap-Group == Packeteer, User-Profile := "uid=Packeteer,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
        Fall-Through = no

DEFAULT Ldap-Group == netscreen, User-Profile := "uid=netscreen,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
        Fall-Through = no

DEFAULT Ldap-Group == cisco_priv_15, User-Profile := "uid=cisco_priv_15,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
        Fall-Through = no

DEFAULT Ldap-Group == cisco_priv_1, User-Profile := "uid=cisco_priv_1,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
        Fall-Through = no

DEFAULT Ldap-Group == netscreen, User-Profile := "uid=netscreen,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP

DEFAULT Auth-Type := Reject
        Reply-Message = "Please call the helpdesk."

DEFAULT Auth-Type = System
        Fall-Through = 1
Radiusd.conf ldap section
ldap {
        server = "localhost"
        identity = "cn=Manager,dc=csctus,dc=net"
        password = xxxxxxx
        basedn = "ou=users,ou=radius,dc=csctus,dc=net"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # base_filter = "(objectclass=radiusprofile)"

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 636) connections
        #start_tls = yes
        # tls_cacertfile = /path/to/cacert.pem
        # tls_cacertdir = /path/to/ca/dir/
        # tls_certfile = /path/to/radius.crt
        # tls_keyfile = /path/to/radius.key
        # tls_randfile = /path/to/rnd
        # tls_require_cert = "demand"

        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        #default_profile = "uid=Packeteer,ou=profiles,ou=radius,dc=csctus,dc=net"
        #profile_attribute = "radiusProfileDn"
        #access_attr = "DialupAccess"

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        ldap_cache_timeout = 120
        ldap_cache_size = 0
        ldap_connections_number = 10

        #
        # NOTICE: The password_header directive is case sensitive
        #
        # password_header = "{clear}"
        #
        # Set:
        #       password_attribute = nspmPassword
        #
        # to get the user's password from a Novell eDirectory
        # backend. This will work *only if* freeRADIUS is
        # configured to build with --with-edir option.
        #
        # The server can usually figure this out on its own, and pull
        # the correct User-Password or NT-Password from the database.
        #
        # Note that NT-Passwords MUST be stored as a 32-digit hex
        # string, and MUST start off with "0x", such as:
        #
        #       0x000102030405060708090a0b0c0d0e0f
        #
        # Without the leading "0x", NT-Passwords will not work.
        # This goes for NT-Passwords stored in SQL, too.
        #
        password_attribute = userPassword

        #
        # Un-comment the following to disable Novell eDirectory account
        # policy check and intruder detection. This will work *only if*
        # FreeRADIUS is configured to build with --with-edir option.
        #
        edir_account_policy_check = no

        groupname_attribute = radiusGroupName
        #groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
        groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # do_xlat = yes
        # access_attr_used_for_allow = yes

        #
        # By default, if the packet contains a User-Password,
        # and no other module is configured to handle the
        # authentication, the LDAP module sets itself to do
        # LDAP bind for authentication.
        #
        # You can disable this behavior by setting the following
        # configuration entry to "no".
        #
        # allowed values: {no, yes}
        # set_auth_type = yes
}
LDIF

dn: dc=csctus,dc=net
objectClass: dcObject
objectClass: organizationalUnit
ou: csctus.net Radius
dc: csctus

dn: ou=radius,dc=csctus,dc=net
objectclass: organizationalunit
ou: radius

dn: ou=profiles,ou=radius,dc=csctus,dc=net
objectclass: organizationalunit
ou: profiles

dn: ou=users,ou=radius,dc=csctus,dc=net
objectclass: organizationalunit
ou: users

dn: ou=admins,ou=radius,dc=csctus,dc=net
objectclass: organizationalunit
ou: admins

dn: uid=dial,ou=profiles,ou=radius,dc=csctus,dc=net
objectclass: radiusprofile
uid: dial
radiusServiceType: Framed-User
radiusFramedProtocol: PPP
radiusFramedIPNetmask: 255.255.255.0
radiusFramedRouting: None

dn: uid=cisco,ou=profiles,ou=radius,dc=csctus,dc=net
objectclass: radiusprofile
uid: cisco
radiusReplyItem: Cisco-AVPair = "priv-lvl=15"

dn: uid=packeteer,ou=profiles,ou=radius,dc=csctus,dc=net
objectclass: radiusprofile
uid: packeteer
radiusReplyItem: Packeteer-AVPair = "access=touch"

dn: uid=isdn,ou=profiles,ou=radius,dc=csctus,dc=net
objectclass: radiusprofile
uid: isdn
radiusServiceType: Framed-User
radiusFramedProtocol: PPP
radiusFramedIPNetmask: 255.255.255.0
radiusFramedRouting: None

dn: uid=example,ou=users,ou=radius,dc=csctus,dc=net
objectclass: radiusProfile
uid: example
userPassword: test
radiusGroupName: dial
radiusGroupName: isdn

dn: uid=bevege,ou=users,ou=radius,dc=csctus,dc=net
radiusGroupName: cisco_priv_15
radiusGroupName: Packeteer
objectClass: radiusprofile
uid: bevege
userPassword: {MD5}xxxxxxxxx

dn: cn=freeradius,ou=admins,ou=radius,dc=csctus,dc=net
objectclass: person
sn: freeradius
cn: freeradius
userPassword: freeradius

dn: cn=billing,ou=admins,ou=radius,dc=csctus,dc=net
objectclass: person
sn: billing
cn: billing
userPassword: billing

dn: cn=replica,ou=admins,ou=radius,dc=csctus,dc=net
objectclass: person
sn: replica
cn: replica
userPassword: replica
Thanks,
BE
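One way to get the per-device selection asked about in the post, as an added example that is not part of the original message or of the FreeRADIUS ldap_howto: put a NAS-IP-Address check item in front of each Ldap-Group check item. The check items on the first line of a users entry are ANDed, so an entry whose NAS-IP-Address does not match the requesting device is skipped and the following entries are still tried; a request from a Cisco router can therefore only ever match the cisco_* entries, no matter which other groups the user is in. The 192.0.2.x addresses are made up for the example; the group names and profile DNs are the ones from the users file above.

```text
# Added example, not the original poster's configuration. NAS addresses
# are made up; group names and profile DNs are the ones from the post.

# Disabled accounts are rejected before any device-specific entry.
DEFAULT Ldap-Group == acct_disabled, Auth-Type := Reject
        Reply-Message = "Account disabled. Please call the helpdesk."

# Cisco router in Denver (192.0.2.10): only the cisco_* groups are
# consulted. The priv-15 entry comes first, so a user who is in both
# groups gets priv-lvl 15; swap the two entries if the more
# restrictive profile should win instead.
DEFAULT NAS-IP-Address == 192.0.2.10, Ldap-Group == cisco_priv_15, User-Profile := "uid=cisco_priv_15,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
        Fall-Through = no

DEFAULT NAS-IP-Address == 192.0.2.10, Ldap-Group == cisco_priv_1, User-Profile := "uid=cisco_priv_1,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
        Fall-Through = no

# Packet shaper in Denver (192.0.2.20): only the packeteer groups are
# consulted, so membership in a cisco group is irrelevant here.
DEFAULT NAS-IP-Address == 192.0.2.20, Ldap-Group == Packeteer, User-Profile := "uid=Packeteer,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
        Fall-Through = no

DEFAULT NAS-IP-Address == 192.0.2.20, Ldap-Group == packeteer_read_only, User-Profile := "uid=packeteer_read_only,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
        Fall-Through = no

# Netscreen in Atlanta (192.0.2.30).
DEFAULT NAS-IP-Address == 192.0.2.30, Ldap-Group == netscreen, User-Profile := "uid=netscreen,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
        Fall-Through = no

# A user who is in none of the groups allowed on this particular NAS
# is rejected instead of receiving another device type's profile.
DEFAULT Auth-Type := Reject
        Reply-Message = "Please call the helpdesk."
```

With more than a handful of devices the same split is normally done through the huntgroups file: map each address range to a Huntgroup-Name such as cisco_denver and write `Huntgroup-Name == cisco_denver` in place of the NAS-IP-Address check. Either way, NAS-IP-Address is a value the NAS itself puts into the Access-Request; what actually authenticates the device is the shared secret of its entry in clients.conf, so keep the addresses used here aligned with those client entries.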