LDAP Config Clarification

Jason Frisvold xenophage0 at gmail.com
Mon Mar 16 18:44:57 CET 2009


Hi all,

I recently set up a new FreeRADIUS installation for VPN authentication.
This is my first foray into using the LDAP module and, while I am
successfully authenticating, I want to make sure that my config is both
correct and streamlined.  I am seeing a few failed authentications due
to loss of LDAP connections, so I'm also trying to identify where that
problem exists.

The radius server is currently very low use, handling only a few
requests an hour.  This may increase later on, but I don't see it having
to handle more than a few requests per minute.  However, I would like to
make sure those requests are handled efficiently and quickly.

The current radius ldap config looks like this:

modules {
        ldap {
                server = "ldap.example.com"
                port = 636
                identity = "cn=manager,o=MyOrg"
                password = MySuperSecretPassword
                basedn = "o=MyOrg"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                start_tls = no
                access_attr = "memberOf"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                groupname_attribute = cn
                groupmembership_filter = "(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
                groupmembership_attribute = memberOf
                net_timeout = 1
                timeout = 8
                timelimit = 3
        }
}

In our users file, we have the following:

DEFAULT Auth-Type := Reject
        Fall-Through = 1

DEFAULT Ldap-Group == "cn=vpn,ou=groups,o=myorg", Auth-Type := Accept
        Fall-Through = 1

DEFAULT Ldap-Group == "cn=admin,ou=groups,o=myorg"
        Class = ADMIN,
        Fall-Through = 1

DEFAULT Ldap-Group == "cn=user,ou=groups,o=myorg"
        Class = USER,
        Fall-Through = 1


Essentially, we want to assign a user to a specific class based on what
group they are in, with some groups superseding others.  Our LDAP
entries have multiple memberOf attributes that list the groups a user is
in, as well as groups that list the members.

I was able to get this to work, but it appears that every group is
scanned to find the user rather than merely using the memberOf attribute
in the main LDAP record.  Is there a way to trigger on that rather than
scanning the groups?  Note: The dictionary mapping file (ldap.attrs) is
the default one, I have made no changes.

With respect to the users file, I believe I can remove the Fall-Through
parameter there for all but the vpn LDAP group.  That would cut down,
somewhat, on the group scanning.

In the main radius config, can I remove all of the unused modules?  I
don't believe we're using PAP/CHAP/MS-CHAP at all, nor are we using the
unix passwd file or EAP.  Those can all be commented out to save
time/resources, correct?

And finally, can someone give me a few hints on how to identify the
cause of the "LDAP connection lost" messages we see?  They seem to be
intermittent and I am unable to find a cause for them.  The network is
stable and there is no loss of connectivity at the lower layers.  I
believe radius is sending keepalives, correct?  So a loss of connectivity
could indicate keepalives being lost?

Any help is appreciated!  Thanks!  If there's any additional information
I can provide that would help, please let me know.


-- 
---------------------------
Jason Frisvold
xenophage0 at gmail.com
---------------------------
"I love deadlines. I like the whooshing sound they make as they fly by."
   - Douglas Adams
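Added example (not from the original post or from FreeRADIUS itself): a small Python model of how the four DEFAULT entries above combine when evaluated top to bottom with Fall-Through, so the intended precedence (vpn grants access, admin supersedes user) can be checked against a user's memberOf values before touching the live server. It assumes the documented users-file operator semantics (":=" overwrites, "=" adds only when the attribute is absent) and compares group DNs case-insensitively; the real rlm_ldap resolves Ldap-Group through the directory, so this only models the users-file logic.

```python
# Constructed model of the users file from the post; not FreeRADIUS code.
# Each entry: (required Ldap-Group or None, check items, reply items, fall_through)
USERS_FILE = [
    (None,                           {"Auth-Type": "Reject"}, {},                True),
    ("cn=vpn,ou=groups,o=myorg",     {"Auth-Type": "Accept"}, {},                True),
    ("cn=admin,ou=groups,o=myorg",   {},                      {"Class": "ADMIN"}, True),
    ("cn=user,ou=groups,o=myorg",    {},                      {"Class": "USER"},  True),
]


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for comparison: attribute types and cn/ou/o values use
    case-insensitive matching in LDAP, so lower-case each RDN and strip spaces
    around the separators (the directory uses o=MyOrg, the users file o=myorg)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def evaluate(member_of):
    """Walk the entries in order, as the users file does, and return the
    resulting (Auth-Type, Class) pair for a user with the given memberOf DNs."""
    groups = {normalize_dn(g) for g in member_of}
    control, reply = {}, {}
    for group, check, reply_items, fall_through in USERS_FILE:
        if group is not None and normalize_dn(group) not in groups:
            continue
        control.update(check)  # ':=' on a check/control item overwrites
        for attr, value in reply_items.items():
            reply.setdefault(attr, value)  # '=' reply item: add only if absent
        if not fall_through:
            break
    return control.get("Auth-Type"), reply.get("Class")


if __name__ == "__main__":
    # Constructed memberOf values in the directory's own DN spelling.
    admin = ["cn=vpn,ou=groups,o=MyOrg", "cn=admin,ou=groups,o=MyOrg",
             "cn=user,ou=groups,o=MyOrg"]
    print(evaluate(admin))   # ('Accept', 'ADMIN'): admin entry runs first, so USER is not added
    print(evaluate(["cn=user,ou=groups,o=MyOrg"]))  # ('Reject', 'USER'): Class set but no vpn group
```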


