Migrating configuration. Users file

jan hugo prins jhp at jhprins.org
Thu Sep 21 19:23:30 CEST 2017


Just tested a plaintext user in the authorize file and that one works as
well.
So, at the moment the only thing not working seems to be my LDAP group
matching.

Jan Hugo Prins


On 09/21/2017 07:16 PM, jan hugo prins wrote:
> Hi Alan,
>
> You are absolutely right that changing one thing at the time is the best
> way to go. the first thing I changes was the version of FreeRadius so I
> had to rebuild my complete config file. Most things are working fine
> again. But in the rebuilding of the config file some things actually
> changed a lot because the old syntax was simply not working anymore.
>
> Anyway, now for the users file and the group mapping:
>
> My ldap configuration looks like this:
>
> ldap betterbe {
>         server = "ldap.fqdn"
>         base_dn = "ou=better.be,dc=betterbe,dc=com"
>         user {
>                 base_dn = "${..base_dn}"
>                 filter = "(mailLocalAddress=%{User-Name})"
>         }
>         group {
>                 base_dn = "${..base_dn}"
>                 filter = "(objectClass=posixGroup)"
>                 name_attribute = cn
>                 membership_filter =
> "(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name}))"
>         }
>         options {
>                 chase_referrals = yes
>                 rebind = yes
>                 res_timeout = 10
>                 srv_timelimit = 3
>                 net_timeout = 1
>                 idle = 60
>                 probes = 3
>                 interval = 3
>         }
>         tls {
>                 start_tls = no
>         }
>         update {
>                 control:Password-With-Header    += 'userPassword'
>                 control:NT-Password             := 'sambaNTPassword'
>                 control:LM-Password             := 'sambaLMPassword'
>         }
>         edir = no
>         edir_autz = no
> }
>
>
> Some entry out of my authorize file:
>
> DEFAULT ldap_betterbe-Ldap-Group == "werkneme-betterbe", Realm ==
> "betterbe.com", Huntgroup-Name == "wireless"
>         Aruba-User-Vlan = 101,
>         Aruba-User-Role = "authenticated"
>
> And the corresponding enrty out of my dictionary file:
>
> ATTRIBUTE       ldap_betterbe-Ldap-Group    3000    string
>
> In the past the user was found based on it's Stripped-User-Name.
>
> As you can see in my previous debug logging, I'm able to authenticate
> with an user out of my ldap environment, the only thing is that some
> attributes are not populated.
>
> Jan Hugo Prins
>
>
>
> On 09/21/2017 06:53 PM, Alan DeKok wrote:
>> On Sep 21, 2017, at 12:18 PM, jan hugo prins <jhp at jhprins.org> wrote:
>>> In my version 2 config I had a users file that was working fine.
>>> In my version 3 config I have moved the content of this file to
>>> mods-config/files/authorize
>>   That should mostly be OK.  There are some changes...
>>
>>> My huntsgroup file is working, or at least I see Huntgroup-Name
>>> attribute in my Auth-Detail logging.
>>>
>>> there are a few things I don't see at the moment and they are all
>>> related to my users /authorize file:
>>>
>>> - User to group mappings.
>>> - Aruba attributes are not added to an authenticated user
>>> - Users in my users file (phones etc) are not able to authenticate.
>>   If you read the debug output, you will see:
>>
>> (0)     [files] = noop
>>
>>   So nothing in the "users" file is being matched.
>>
>>> In version 2 I had use_tunneled_reply = yes in my config.
>>> In version 3 this is depricated and now I have to do something with
>>> update outer.session-state in my inner-tunnel config.
>>   You can still use it.  It's deprecated, as in "other functionality is better", but it still works.
>>
>>> In version 2 I had to add some information regarding groups to the
>>> /etc/raddb/dictionary file. This file is in my config tree, but I have
>>> the idea that it is not being accessed.
>>   It should be in /etc/raddb/dictionary
>>
>>   If the attributes are in the "users" file, and the server starts, then the dictionary entries are being used.
>>
>>   The recommended upgrade method is to test one thing at a time.  Don't port all of your configuration, and expect everything to work.  It might, but it might not.  And if it doesn't work, then it's *very* difficult for you to tell why things are broken.  Because it could be anything.
>>
>>   The other recommendation is to ACTUALLY DESCRIBE WHAT YOU'RE DOING.  If you're asking questions about "users" file entries... post an entry.  Otherwise, the questions are largely "I tried stuff and and it didn't work.  What changes do I make?"
>>
>>   Well, we have no idea what you did, because you didn't tell us.  So tell us what you did (and try things one step at a time).  Maybe then we can help you.
>>
>>   Alan DeKok.
>>
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



More information about the Freeradius-Users mailing list