FreeRadius 3 OpenLDAP and MAC based Auth

Alan DeKok aland at deployingradius.com
Thu Jan 10 22:02:46 CET 2019


On Jan 10, 2019, at 3:53 PM, J├╝rgen Northe <jn at northe-online.de> wrote:
> 
> Yes, the Access-request from the switch contains User-Name and
> User-Password, both attributes contain the mac address without hyphen.  If there is a match in LDAP the user is authorized and therefor
> accepted. The Access-reply should contain the the attributes like VLAN ID.

  That should work.

> I can see that the user is found in the directory...
> 
> (0) ldap1: Performing search in "dc=firma,dc=de" with filter "(cn=106530670342)", scope "sub"
> (0) ldap1: Waiting for search result...
> (0) ldap1: User object found at DN "cn=NBBZ1807-134,cn=4.notebooks,cn=172.17.0.0,cn=SUBNET,cn=DHCP Config,dc=firma,dc=de"
> (0) ldap1: Processing user attributes
> ...
> (0) } # authorize = ok
> 
> Am I wrong to say the authorization was successful?

  Maybe.  "authorized" is not always the same as "authorized with all of the configuration you want it to have".

  If you grab the latest version from GitHub: https://github.com/FreeRADIUS/freeradius-server/tree/v3.0.x

  The file raddb/mods-available/ldap contains updated comments that tell you how to run "ldapsearch".  You can run that using the configuration from the LDAP module (copy it manually to the command line).  And then fight with LDAP / ldapsearch to get it to return the correct data.

  Once that's done, convert the ldapsearch parameters back to the FR config, and it should work.

> In FR2 I had a schema for the freeradius loaded in OpenLDAP. I did not found any related informations for a FR3 schema for OpenLDAP but also tried to use the scheme which I used in FR2 without any other results.

  The server comes with schemas:  doc/schemas/ldap/openldap/freeradius.ldif

  At least, that's in the git repo and the release "tar" files.  Who knows where the various package maintainers put them.

  Alan DeKok.




More information about the Freeradius-Users mailing list