Returning attributes based on group membership using NTLM_AUTH

Alexander Clouter alex at digriz.org.uk
Mon Aug 8 10:13:52 CEST 2011


Moe, John <jmoe at hatch.com.au> wrote:
> 
> Oh goodie, I'm getting somewhere.  :-)
>
...except on the top posting front <email-nazi/>. ;P
 
> 1) So, I don't need to uncomment "ldap" in the authenticate section, as it's 
> not going to do the password validation, right?
>
Sounds right.
 
> 2) Do I just configure the module, put "ldap" in the authorize section of 
> sites-enables/default, and put "Ldap-Group" in the check-items?
> 
Indeed.

> 3) How much/what options do I need to configure in the ldap module config? 
> I've configured server, basedn, filter, groupname_attribute, 
> groupmembership_filter and groupmembership_attribute, but all I get is 
> "Operations error".  If I add identity and secret, I get a "Referral" failure. 
> I've also tried the chase_referrals and rebind options, both with and without 
> the identity/secret options, but they don't seem to change anything.
> 
What does the following give you from the command line:
----
ldapsearch -LLL -x -h mygc.my.domain.name -b dc=my,dc=domain,dc=name sAMAccountName=username
----

Until you can get 'ldapsearch' to work, you are unlikely to get 
FreeRADIUS to work.  From the debug output and your description, it 
sounds more like a "how you are using LDAP" rather than "how FreeRADIUS 
is using LDAP" problem.

If you can get ldapsearch to display the attributes you are after, then 
you can start to tinker with FreeRADIUS.

> Module: Linked to module rlm_ldap
> Module: Instantiating ldap
>  ldap {
>        server = "mygc.my.domain.name"
>        port = 389
>        password = ""
>        identity = ""
>        net_timeout = 1
>        timeout = 4
>        timelimit = 3
>        tls_mode = no
>        start_tls = no
>        tls_require_cert = "allow" <-- remember to make this 'require'
>   tls {
>        start_tls = no
>        require_cert = "allow" <-- remember to make this 'require'
>   }
>        basedn = "dc=my,dc=domain,dc=name"
>        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
>        base_filter = "(objectclass=radiusprofile)"
>        auto_header = no
>        access_attr_used_for_allow = yes
>        chase_referrals = yes
>        rebind = yes
>        groupname_attribute = "cn"
>        groupmembership_filter = "(&(objectClass=group)(member=%Ldap-UserDn}))"
>        groupmembership_attribute = "memberOf"
>        dictionary_mapping = "/etc/raddb/ldap.attrmap"
>        ldap_debug = 0
>        ldap_connections_number = 5
>        compare_check_items = no
>        do_xlat = yes
>        set_auth_type = no
>  }
>
> [snipped]
>
> rlm_ldap: Entering ldap_groupcmp()
> [files]         expand: dc=my,dc=domain,dc=name -> dc=my,dc=domain,dc=name
> [files]         expand: %{Stripped-User-Name} ->
> [files]         expand: %{User-Name} -> username
> [files]         expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=username)
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to mygc.my.domain.name:389, authentication 0
> rlm_ldap: bind as / to mygc.my.domain.name:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=my,dc=domain,dc=name, with filter (sAMAccountName=username)
> rlm_ldap: ldap_search() failed: Operations error
> rlm_ldap::ldap_groupcmp: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0

If you have the stomach, a quick Google search takes you to the PHP 
website[1] (ewwww) but there is a posting that you should find useful.  
Looks like with Win2k3 you must have referrer following turned off and 
you cannot search the *whole* base of your directory, you can only 
search a sub-branch.  I suspect the fix is nothing more than setting 
'basedn' to "ou=lusers,dc=my,dc=domain,dc=name".

Cheers

[1] http://www.php.net/manual/en/function.ldap-search.php#45388

-- 
Alexander Clouter
.sigmonster says: Without fools there would be no wisdom.
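As an added illustration (not code from the thread or from FreeRADIUS itself), the Python below models how the quoted ldap module settings turn a request into the two filters seen in the debug output: the user lookup built from the `%{%{Stripped-User-Name}:-%{User-Name}}` fallback xlat, and the groupmembership_filter issued by ldap_groupcmp. It applies RFC 4515 escaping so that a supplied user name is matched literally instead of being parsed as filter syntax; the simplified xlat regex, the sample request attributes and the user DN are assumptions.

```python
import re

# Filter strings as quoted from the thread's ldap module configuration.
FILTER = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
GROUP_FILTER = "(&(objectClass=group)(member=%{Ldap-UserDn}))"

# RFC 4515: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally rather than read as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

# Simplified model (assumption) of the two xlat forms used on the page:
#   %{Attr}                 -> value of Attr
#   %{%{Attr}:-%{Other}}    -> value of Attr, or of Other when Attr is empty/absent
_XLAT = re.compile(
    r"%\{(?:%\{(?P<first>[^{}]+)\}:-%\{(?P<alt>[^{}]+)\}|(?P<name>[^{}]+))\}"
)

def expand(template: str, attrs: dict) -> str:
    """Expand the xlat references in template from the request attributes."""
    def substitute(match: re.Match) -> str:
        if match.group("first"):
            value = attrs.get(match.group("first")) or attrs.get(match.group("alt"), "")
        else:
            value = attrs.get(match.group("name"), "")
        return escape_filter_value(value)
    return _XLAT.sub(substitute, template)

def build_filters(request: dict, user_dn: str) -> tuple:
    """Return (user lookup filter, group membership filter): the two searches
    rlm_ldap performs in the quoted debug output (user entry first, then groups)."""
    user_filter = expand(FILTER, request)
    group_filter = expand(GROUP_FILTER, {"Ldap-UserDn": user_dn})
    return user_filter, group_filter

if __name__ == "__main__":
    # Constructed sample request: no realm stripping, so User-Name is used.
    print(build_filters({"User-Name": "username"},
                        "CN=username,OU=lusers,DC=my,DC=domain,DC=name"))
    # A name carrying filter metacharacters is neutralised by the escaping.
    print(expand(FILTER, {"User-Name": "*)(objectClass=*"}))
```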
