Authenticating groups via LDAP

John Dennis jdennis at redhat.com
Fri May 21 07:26:41 CEST 2010 

On 05/20/2010 05:44 PM, John Maher wrote:
> I really didn't want to post here, but I just can't make any headway
> with my radius implementation.  I am very new at this and still quite
> confused on how the various config files function and interact with each
> other.  So, I'm not surprised that my implementation is only sort of
> working.
>
> I have installed freeradius 2.1.8 on Ubuntu Server 8.04 by making deb
> packages from the source and installing the deb packages.
>
> Radius is relying on an LDAP server for authentication of wireless
> clients. Only clients with valid usernames and passwords in LDAP will
> get authenticated.
>
> What I would really like to do (other than actually be able to
> understand the concepts behind the config files) is require clients to
> be in a particular LDAP group (e.g., wireless-users) in order to
> successfully authenticate.  I don't understand how to make that happen.
> I've tried creating group filters like this in "modules/ldap":
>
> groupname_attribute = cn
> groupmembership_filter =
> "(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))"
> groupmembership_attribute = memberUid
>
> and this in "users":
>
> DEFAULT LDAP-GROUP == vpn-users
>          Service-Type = Administrative-User
>
> But the output seems to indicate that it is not even considering my
> radiusd.conf config when it comes to the filter.  (see output below).
>
> I would so welcome assistance with this.  In addition, is there any
> resource that is particularly good at explaining how radius and its
> config files really works?

I feel your pain, the ldap module is poorly documented and hard to use. 
There is doc in doc/ldap_howto.txt, not sure where that might be 
installed on Ubuntu though. Just a caveat about that ldap_howto.txt, 
it's a bit out of date and was written with a particular configuration 
in mind, but you do need to wrap your head around it to understand where 
values are coming from.

ldap-group isn't very meaningful to set in the users file because it's 
an attribute in the ldap directory. In fact using the users file isn't 
generally useful in combination with with ldap because your users are in 
ldap, not a flat file, right? The users file can be useful when you want 
to match on the NAS via huntgroups, the ldap_howto does a fair job of 
illustrating that. So anyway you won't ever find "vpn-users" defined via 
the users file because the line you have won't be matched by anything 
Why? Because group gets set via ldap lookups using the 
groupmembership_filter and asking for the groupname_attribute for what 
the filter matched. So one question to ask is: is your ldap directory 
populated with the object classes and attributes this filter is 
searching for?

As an aside one of the very first things I noticed looking at your debug 
output is the ldap module was built to use the Novell eDirectory server 
(which is a compile time switch). Unless you're using the Novell 
eDirectory server rather than a generic directory server things are 
going to behave a bit weird. Any idea why it's built to use Novell? 
Anyway that's probably not the crux of your problem at the moment, just 
a data point. I don't know why the eDirectory #ifdef's are even in 
rlm_ldap, to be honest they seem to be "odd" to put it politely.

I don't have time at the moment to fully analyze what's going on in your 
set up but one of the very first things I noticed was this:

(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
->
(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))

Notice something? Ldap-UserDn was replaced by the empty string and that 
search filter isn't going to do you much good is it? So where does 
Ldap-UserDn come from? From doing a search in LDAP for the user. If the 
user is found then Ldap-UserDn is set to the location at which the user 
was found (think of a dn (i.e. distinguished name) as an address or 
pointer in an LDAP directory). So how was the search done to find the 
user? Well that's just a couple of lines above in the debug output:

   [ldap] performing search in dc=cns, with filter (uid=jmaher)

One of the frustrating things about rlm_ldap is it doesn't provide debug 
output on successful searches, only failures. There is no failure, so we 
assume the search succeeded, but we really don't know what the result 
was :-( As a debugging tip I would suggest running ldapsearch on the 
command line with the same filter and see what you get back.

You should get back a ldap search result with exactly one match with a 
specific dn, that dn is what should be showing up as Ldap-UserDn in 
rlm_ldap. So for starters you need to either populate your directory 
such that ldapsearch finds your user using the same parameters you 
configured in rlm_ldap, or you need to modify the parameters in rlm_ldap 
to match your directory such that it can find the user. That's a good 
starting place from which you can build further functionality.

Hope that helps,

-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

More information about the Freeradius-Users mailing list