<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hi All,<br>
<br>
I've been setting up my College's first FreeRADIUS server and I've been
having a hard time wrapping my brain around the config with the
documentation that is available. If you'll bear with me here through
this super long post, I'll go into more depth.<br>
<br>
What I'm trying to do: <br>
I want to configure FreeRADIUS to authorize a user against an LDAP
directory based on whether that user has the following values:<br>
<br>
<b>edupersonprimaryaffiliation:
</b>STAFF<br>
AND<br>
<b>psadminarea</b>: BUSINESS - SMEAL COLLEGE<br>
<br>
<u>OR</u><br>
<br>
<b>edupersonprimaryaffiliation: </b>Faculty<br>
AND<br>
<b>psadminarea</b>: BUSINESS - SMEAL COLLEGE<br>
<br>
If the user's values don't match either of these two conditions, they
are rejected. If they match either, then they are authenticated against
a Kerberos server.<br>
<br>
<br>
I've got the basic configuration working in that FreeRADIUS will go out
to the LDAP directory (right now it just seems to check if the
attribute exists but does not make a judgement on it) and then it will
go out to the Kerberos server and authenticate.<br>
<br>
<br>
I want to now add the conditions I stated above but I'm a bit lost at this
point. At first I thought that this was something the CheckValue module
should handle, then I thought maybe it should just be a part of the
filter in the LDAP module, then I thought about maybe the values need
to be in the dictionary files. At this point, it became apparent that I
simply don't understand how FreeRADIUS handles itself. It is not
apparent to me how or where FreeRADIUS makes its decisions on
conditional values. This is where I hope some of you can help. I really
like FreeRADIUS in that it is obviously a quality product, but as it is
with the documentation and my lack of RADIUS experience, I just can't
seem to get at the last piece of this puzzle.<br>
<br>
Right now, I have the following settings (with debug output further
down)<br>
radiusd.conf, LDAP module:<br>
<br>
<pre>ldap {
        server = "ldap.psu.edu"
        # identity = "cn=admin,o=My Org,c=UA"
        # password = mypass
        basedn = "dc=psu,dc=edu"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # base_filter = "(objectclass=radiusprofile)"

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 636) connections
        start_tls = no

        # tls_cacertfile = /path/to/cacert.pem
        # tls_cacertdir = /path/to/ca/dir/
        # tls_certfile = /path/to/radius.crt
        # tls_keyfile = /path/to/radius.key
        # tls_randfile = /path/to/rnd
        # tls_require_cert = "demand"

        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        access_attr = "psadminarea"

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        ldap_connections_number = 5

        #
        # NOTICE: The password_header directive is NOT case insensitive
        #
        # password_header = "{clear}"
        #
        # Set:
        # password_attribute = nspmPassword
        #
        # to get the user's password from a Novell eDirectory
        # backend. This will work *only if* freeRADIUS is
        # configured to build with --with-edir option.
        #
        #
        # The server can usually figure this out on its own, and pull
        # the correct User-Password or NT-Password from the database.
        #
        # Note that NT-Passwords MUST be stored as a 32-digit hex
        # string, and MUST start off with "0x", such as:
        #
        # 0x000102030405060708090a0b0c0d0e0f
        #
        # Without the leading "0x", NT-Passwords will not work.
        # This goes for NT-Passwords stored in SQL, too.
        #
        # password_attribute = userPassword
        #
        # Un-comment the following to disable Novell eDirectory account
        # policy check and intruder detection. This will work *only if*
        # FreeRADIUS is configured to build with --with-edir option.
        #
        # edir_account_policy_check=no
        #
        # groupname_attribute = cn
        # groupmembership_filter = "(|(&amp;(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&amp;(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        # groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # do_xlat = yes
        # access_attr_used_for_allow = yes

        #
        # By default, if the packet contains a User-Password,
        # and no other module is configured to handle the
        # authentication, the LDAP module sets itself to do
        # LDAP bind for authentication.
        #
        # You can disable this behavior by setting the following
        # configuration entry to "no".
        #
        # allowed values: {no, yes}
        # set_auth_type = yes
}</pre>
<br>
<br>
<br>
In the file dictionary:<br>
<pre>ATTRIBUTE Is_Smeal_Member            3998 string
ATTRIBUTE Is_Smeal_Fac_Staff_Member  3999 string</pre>
<br>
In the ldap.attrmap file:<br>
<pre>checkitem Is_Smeal_Member            psadminarea
checkitem Is_Smeal_Fac_Staff_Member  edupersonprimaryaffiliation</pre>
<br>
Debug Output:<br>
<pre>Module: Loaded preprocess
 preprocess: huntgroups = "/etc/freeradius/huntgroups"
 preprocess: hints = "/etc/freeradius/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded LDAP
 ldap: server = "ldap.psu.edu"
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = ""
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = "(null)"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "(null)"
 ldap: tls_keyfile = "(null)"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "allow"
 ldap: password = ""
 ldap: basedn = "dc=psu,dc=edu"
 ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
 ldap: base_filter = "(objectclass=radiusprofile)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: password_header = "(null)"
 ldap: password_attribute = "(null)"
 ldap: access_attr = "psadminarea"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter = "(|(&amp;(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&amp;(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 ldap: groupmembership_attribute = "(null)"
 ldap: dictionary_mapping = "/etc/freeradius/ldap.attrmap"
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
 ldap: edir_account_policy_check = yes
 ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap&lt;-&gt;radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP psadminarea mapped to RADIUS Is_Smeal_Member
rlm_ldap: LDAP edupersonprimaryaffiliation mapped to RADIUS Is_Smeal_Fac_Staff_Member
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
conns: 0x811b320
Module: Instantiated ldap (ldap)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded files
 files: usersfile = "/etc/freeradius/users"
 files: acctusersfile = "/etc/freeradius/acct_users"
 files: preproxy_usersfile = "/etc/freeradius/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded detail
 detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/freeradius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
 radutmp: filename = "/var/log/freeradius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Initializing the thread pool...
 thread: start_servers = 5
 thread: max_servers = 32
 thread: min_spare_servers = 3
 thread: max_spare_servers = 10
 thread: max_requests_per_server = 0
 thread: cleanup_delay = 5
Thread spawned new child 1. Total threads in pool: 1
Thread spawned new child 2. Total threads in pool: 2
Thread spawned new child 3. Total threads in pool: 3
Thread spawned new child 4. Total threads in pool: 4
Thread spawned new child 5. Total threads in pool: 5
Thread pool initialized
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
Thread 1 waiting to be assigned a request
Thread 2 waiting to be assigned a request
Thread 3 waiting to be assigned a request
Thread 4 waiting to be assigned a request
Thread 5 waiting to be assigned a request
rad_recv: Access-Request packet from host 127.0.0.1:32778, id=180, length=58
--- Walking the entire request list ---
Waking up in 31 seconds...
Threads: total/active/spare threads = 5/0/5
Thread 1 got semaphore
Thread 1 handling request 0, (1 handled so far)
        User-Name = "pbk105"
        User-Password = "xxxxxxxxxxxxx"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "pbk105", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for pbk105
radius_xlat:  '(uid=pbk105)'
radius_xlat:  'dc=psu,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.psu.edu:389, authentication 0
rlm_ldap: bind as / to ldap.psu.edu:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=psu,dc=edu, with filter (uid=pbk105)
rlm_ldap: checking if remote access for pbk105 is allowed by psadminarea
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding edupersonprimaryaffiliation as Is_Smeal_Fac_Staff_Member, value STAFF &amp; op=21
rlm_ldap: Adding psadminarea as Is_Smeal_Member, value BUSINESS &amp; op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user pbk105 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type ldap
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_krb5: verify_krb_v5_tgt: host key not found : No such file or directory
  modcall[authenticate]: module "krb5" returns ok for request 0
modcall: leaving group LDAP (returns ok) for request 0
Sending Access-Accept of id 180 to 127.0.0.1 port 32778
Finished request 0
Going to the next request
Thread 1 waiting to be assigned a request
--- Walking the entire request list ---
Cleaning up request 0 ID 180 with timestamp 44ce2b92</pre>
<br>
<pre class="moz-signature" cols="100">--
Paul Kuchinski
Network Administrator
Smeal College of Business Administration
Penn State University
email: <a class="moz-txt-link-abbreviated" href="mailto:pbk105@psu.edu">pbk105@psu.edu</a>
phone: (814)865-0366
fax: (814)865-1845</pre>
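<br>
As an added example (not part of the original post): one way to express the stated policy is to put it into rlm_ldap's search filter, so that a user whose entry does not satisfy one of the two affiliation/area combinations is not found at all, instead of being let through because psadminarea merely exists. The attribute names and values are the ones given above; it is assumed that the directory compares psadminarea and edupersonprimaryaffiliation case-insensitively (otherwise list the exact spellings as extra alternatives) and that nothing else in the authorize section sets Auth-Type.<br>

```conf
# radiusd.conf, ldap { } section (added example; replaces the filter = line
# shown in the post, the other settings are kept from it)
ldap {
        server = "ldap.psu.edu"
        basedn = "dc=psu,dc=edu"

        # Return the user's entry ONLY when psadminarea is the college
        # AND edupersonprimaryaffiliation is one of the two accepted values:
        #   (uid matches) AND (psadminarea = college) AND (STAFF OR FACULTY)
        # An entry that does not satisfy this is reported as "not found".
        filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(psadminarea=BUSINESS - SMEAL COLLEGE)(|(edupersonprimaryaffiliation=STAFF)(edupersonprimaryaffiliation=FACULTY)))"

        # The existence check on psadminarea is no longer what decides
        # access, so it is not needed here.
        # access_attr = "psadminarea"

        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1

        # default: the module sets Auth-Type for users it finds, which is
        # what hands the matched user on to the krb5 module in authenticate
        set_auth_type = yes
}
```

For a user the filter does not match, no Auth-Type is set, so the server has no authentication method to run and rejects the request; confirm this with radiusd -X against one matching and one non-matching account before relying on it.<br>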
</body>
</html>