FreeRadius and LDAP/AD username/password check

Mats Blomgren B mats.b.blomgren at ericsson.com
Mon Feb 18 10:30:52 CET 2008


Hi,

Today I check "etc/passwd" for the usernames and passwords and fetch the user's default group from "etc/passwd".
In the "users" file I have the rights for each group.

My current config:
OS: Solaris 10
FreeRadius: 1.1.7
Mysql: 5.0.51 - For logging and NAS clients
OS packages installed: db-4.2.52.NC-sol9-sparc-local
OS packages installed: freeradius-1.1.7-sol10-sparc-local
OS packages installed: gcc-3.4.6-sol10-sparc-local
OS packages installed: gdbm-1.8.3-sol9-sparc-local
OS packages installed: libiconv-1.11-sol10-sparc-local
OS packages installed: libtool-1.5.24-sol10-sparc-local
OS packages installed: make-3.81-sol10-sparc-local
OS packages installed: mysql-5.0.51-sol10-sparc-local
OS packages installed: ncurses-5.6-sol10-sparc-local
OS packages installed: netsnmp-5.4.1-sol10-sparc-local
OS packages installed: openldap-2.3.35-sol10-sparc-local
OS packages installed: openssl-0.9.8f-sol10-sparc-local
OS packages installed: perl-5.8.8-sol10-sparc-local
OS packages installed: sasl-2.1.21-sol10-sparc-local
OS packages installed: zlib-1.2.3-sol10-sparc-local
OS packages installed: Freeradius: 1.1.7

#etc/passwd
testuser:x:103:500:Test User:/home/testuser:/bin/bash

#etc/group
admin-network::500:
user-network::600:

#/usr/local/etc/raddb/users
DEFAULT Group == "admin-network", Auth-Type = System
        Service-Type = Administrative-User,
        Fall-Through = No

#/usr/local/etc/raddb/huntgroups
defaultgroup    NAS-IP-Address == 192.168.1.20
                Group = admin-network,
                Group = user-network


Today the user "testuser" would get Administrative rights on the NAS with IP=192.168.1.20 since he is a member of the group "admin-network".

I have been browsing the mailing list, wiki and Google trying to find out if anyone has done the following:
1. I want to check the username/password against LDAP/AD instead of directly towards "etc/passwd".
2. After that I would like to continue by fetching the user's default group from the Solaris 10 system ("/etc/passwd") to give it rights depending on which group the user belongs to.
3. I know that this means I still have to have the username in the "/etc/passwd" but this will keep the users from having different logins in our infrastructure.

Best regards

Mats Blomgren B - IP Engineer
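
The split the post asks for (password checked by a directory, rights decided by the local default group) can be modelled as below. This is an added example, not part of the original message and not FreeRADIUS code: a simplified Python model using the passwd, group, users and huntgroups entries from the post. The `ldap_bind` stand-in, the `DIRECTORY` contents and the "ldaponly" account are constructed assumptions, and only the primary group is considered.

```python
# Simplified model (not FreeRADIUS code) of the flow described in the post.
# File contents are copied from the post; credentials are constructed.
PASSWD = "testuser:x:103:500:Test User:/home/testuser:/bin/bash\n"
GROUP = "admin-network::500:\nuser-network::600:\n"
HUNTGROUP = {"nas_ip": "192.168.1.20", "groups": {"admin-network", "user-network"}}
USERS_RULES = [  # DEFAULT entries: (required group, reply attributes)
    ("admin-network", {"Service-Type": "Administrative-User"}),
]


def primary_group(username, passwd=PASSWD, group=GROUP):
    """Return the name of the user's default group, or None if unknown locally."""
    gid = None
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == username:
            gid = fields[3]
    for line in group.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == gid:
            return fields[0]
    return None


def access_request(username, password, nas_ip, verify_password):
    """Authenticate with the supplied backend, then authorize by local group."""
    if not verify_password(username, password):
        return ("Access-Reject", "bad credentials")
    grp = primary_group(username)
    if grp is None:  # known to the directory but missing from passwd/group
        return ("Access-Reject", "no local account or group")
    if nas_ip == HUNTGROUP["nas_ip"] and grp not in HUNTGROUP["groups"]:
        return ("Access-Reject", "group not allowed on this NAS")
    for required, reply in USERS_RULES:
        if grp == required:
            return ("Access-Accept", reply)
    return ("Access-Reject", "no matching users entry")


# Hypothetical stand-in for an LDAP/AD bind; constructed directory contents.
DIRECTORY = {"testuser": "s3cret-constructed", "ldaponly": "pw-constructed"}


def ldap_bind(username, password):
    return DIRECTORY.get(username) == password
```

In this model an account that exists only in the directory authenticates but is rejected at the group lookup, which is the dependency on "/etc/passwd" that point 3 describes.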
