Need some help with Access-Reject messages in upgrade from FreeRadius1.1.0 to FreeRadius 2.0.5

Adam Bultman abultman at mtasolutions.com
Fri Oct 31 01:17:40 CET 2008 

So, there's been no response to my last post. Am I being obtuse , or
missing something obvious? 

If there's no way to avoid listing all four ldap servers, I'm going to
have to have probably 25 huge IF statements in order to get the profile
set correctly in my radius config.  I've already re-done my users file
to list all four servers, and it's a bit laborious to do, and it seems
like there'd be a better way.

Adam



Adam Bultman wrote:
> Alan DeKok wrote:
>   
>> Adam Bultman wrote:
>>   
>>     
>>> I decided it would be easier (in the long run) to simply start with a
>>> default freeRadius 2.0.5 config file, and then adjust it to match our
>>> setup. This has so far been going well, except now I've run into a
>>> problem where variables in my users file are not being expanded.
>>>     
>>>       
>>   I suggest using 2.1.1, or the "stable" tree.   See git.freeradius.org.
>>
>>   
>>     
> Done; I've compiled and installed 2.1.1 on my test server.
>
>   
>>> Example from the user's file:
>>> DEFAULT Huntgroup-Name == dsl, serveriron-Ldap-Group == dsl10m,
>>> User-Profile := "uid=dsl10m,ou
>>> =profiles,ou=radius,dc=mtaonline,dc=net", Ldap-UserDN :=
>>> `uid=%{User-Name},ou=dsl,dc=domain
>>> ,dc=com`
>>>         Fall-Through = no
>>>     
>>>       
>>   This won't work because the "users" file doesn't dynamically expand
>> everything.  I suggest using "unlang":
>>
>> 	if ((Huntgroup-Nmae == "dsl") && (serveridon... == ...)) {
>> 		update control {
>> 			User-Profile := "uid=..."
>> 			LDAP-UserDN := "uid=%{User-Name},ou=..."
>> 		}
>> 	}
>>
>>   That will cause the %{User-Name} to be expanded properly.
>>
>>   
>>     
>
> OK; so a few things:
>
> 1. I've put my if (..) stuff inside my sites-enabled/ conf file, and
> groups are working again (yeah!).  My users file is a lot more skeletal now.
>
> 2.  I've read the docs on this now (what precious little there is) about
> the Ldap-Group stuff in the users file, and I'm still not completely
> understanding it.  If I have three LDAP servers, ldap1, ldap2, and
> ldap3, and I have in my users file this:
>
> DEFAULT Huntgroup-Name == dsl, Ldap-Group == dsl10m
>
> Then when I try to authenticate, the server can't find my profile
> (despite having the Huntgroup stuff in my config, as mentioned in #1). 
> It searches for group membership, but it's using some default template
> (which is NOT in modules/ldap - it's nowhere!) and doesn't find a proper
> group membership filter, and fails.   If I put this:
>
> DEFAULT Huntgroup-Name == dsl, ldap1-Ldap-Group == dsl10m
>
> Then it *does* use the group membership stuff in the ldap stanza for
> ldap1 (which I've placed in modules/ldap_cluster) .   Of course, if I
> say, bring down the server for ldap1, all authentication breaks.    The
> same thing applies if I do ldap2-Ldap-Group or ldap3-Ldap-Group.
>
> SO the question: Is there a way to make a default group membership
> filter without having to create DEFAULT lines in the users file for each
> of my ldap servers?    in radiusd.conf, I have redundant-load-balance {}
> stanzas for my ldap servers, but I can't use the ldap "cluster" I create
> in there in my users file.
>
> Adam
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>

More information about the Freeradius-Users mailing list