<div>Hello everyone,</div>
<div>I know this might be considered a bizarre situation, but well... I was just wondering if it's possible to do such a thing.</div>
<div> </div>
<div>I'm in a situation now where I can successfully retrieve group membership of users in the Active Directory LDAP tree using rlm_ldap, and check them against files.</div>
<div> </div>
<div>So if I have a user with the "memberOf" attribute set to groupA</div>
<div>and I set in raddb/users the following entry:</div>
<div> </div>
<div>DEFAULT Ldap-Group == "groupA", Auth-Type := Reject</div>
<div>        Reply-Message = "Not Allowed."</div>
<div> </div>
<div>I successfully deny access to that user.</div>
<div> </div>
<div>Since I'm already using MySQL for storing accounting information, I was really interested in being able to use the same backend (MySQL) also for performing checks against groups.</div>
<div> </div>
<div>If I perform checks against usernames using the radcheck table, they work properly (users retrieved from the LDAP backend). I've tried setting a radcheck entry like the following:</div>
<div>userA Max-Daily-Session := 7200</div>
<div> </div>
<div>and after 2 hours the user is unable to authenticate to the NAS because the allowed time has expired.</div>
<div> </div>
<div> </div>
<div>But I can't seem to be able to do the same thing with groups.</div>
<div> </div>
<div>I've configured sites-enabled/default like this:</div>
<div> </div>
<div>authorize {</div>
<div>preprocess</div>
<div>auth_log</div>
<div>chap</div>
<div>mschap</div>
<div>digest</div>
<div>suffix</div>
<div>eap {</div>
<div>ok = return</div>
<div>}</div>
<div>files</div>
<div>ldap</div>
<div>sql</div>
<div>expiration</div>
<div>logintime</div>
<div>pap</div>
<div>dailycounter</div>
<div>}</div>
<div> </div>
<div>authenticate {</div>
<div>Auth-Type PAP {</div>
<div>pap</div>
<div>}</div>
<div> </div>
<div>Auth-Type CHAP {</div>
<div>chap</div>
<div>}</div>
<div> </div>
<div>Auth-Type MS-CHAP {</div>
<div>mschap</div>
<div>}</div>
<div> </div>
<div>digest</div>
<div>unix</div>
<div> </div>
<div>Auth-Type LDAP {</div>
<div>ldap</div>
<div>}</div>
<div> </div>
<div>eap</div>
<div>}</div>
<div> </div>
<div>preacct {</div>
<div>preprocess</div>
<div>acct_unique</div>
<div>suffix</div>
<div>files</div>
<div>}</div>
<div> </div>
<div>accounting {</div>
<div>detail</div>
<div>sql</div>
<div>}</div>
<div> </div>
<div>session {</div>
<div>radutmp</div>
<div>}</div>
<div> </div>
<div> </div>
<div>post-auth {</div>
<div>ldap</div>
<div>exec</div>
<div>Post-Auth-Type REJECT {</div>
<div># log failed authentications in SQL, too.</div>
<div>attr_filter.access_reject</div>
<div>}</div>
<div>}</div>
<div> </div>
<div>pre-proxy {</div>
<div>}</div>
<div> </div>
<div>post-proxy {</div>
<div>eap</div>
<div>}</div>
<div> </div>
<div>radiusd.conf like this:</div>
<div>prefix = /usr</div>
<div>exec_prefix = /usr</div>
<div>sysconfdir = /etc</div>
<div>localstatedir = /var</div>
<div>sbindir = ${exec_prefix}/sbin</div>
<div>logdir = /var/log/freeradius</div>
<div>raddbdir = /etc/freeradius</div>
<div>radacctdir = ${logdir}/radacct</div>
<div> </div>
<div>name = freeradius</div>
<div> </div>
<div>confdir = ${raddbdir}</div>
<div>run_dir = ${localstatedir}/run/${name}</div>
<div> </div>
<div>db_dir = ${raddbdir}</div>
<div> </div>
<div>libdir = /usr/lib/freeradius</div>
<div> </div>
<div>pidfile = ${run_dir}/${name}.pid</div>
<div> </div>
<div>user = freerad</div>
<div>group = freerad</div>
<div> </div>
<div>max_request_time = 30</div>
<div> </div>
<div>cleanup_delay = 5</div>
<div> </div>
<div>max_requests = 1024</div>
<div> </div>
<div>listen {</div>
<div>type = auth</div>
<div>ipaddr = *</div>
<div>port = 0</div>
<div>}</div>
<div> </div>
<div>listen {</div>
<div>ipaddr = *</div>
<div>port = 0</div>
<div>type = acct</div>
<div>}</div>
<div> </div>
<div>hostname_lookups = no</div>
<div> </div>
<div>allow_core_dumps = no</div>
<div> </div>
<div>regular_expressions= yes</div>
<div>extended_expressions= yes</div>
<div> </div>
<div>log {</div>
<div>destination = files</div>
<div>file = ${logdir}/radius.log</div>
<div>syslog_facility = daemon</div>
<div>stripped_names = no</div>
<div>auth = no</div>
<div>auth_badpass = no</div>
<div>auth_goodpass = no</div>
<div>}</div>
<div> </div>
<div>checkrad = ${sbindir}/checkrad</div>
<div> </div>
<div>security {</div>
<div>max_attributes = 200</div>
<div>reject_delay = 1</div>
<div>status_server = yes</div>
<div>}</div>
<div> </div>
<div>proxy_requests = yes</div>
<div>$INCLUDE proxy.conf</div>
<div> </div>
<div>$INCLUDE clients.conf</div>
<div> </div>
<div>thread pool {</div>
<div>start_servers = 5</div>
<div>max_servers = 32</div>
<div>min_spare_servers = 3</div>
<div>max_spare_servers = 10</div>
<div>max_requests_per_server = 0</div>
<div>}</div>
<div> </div>
<div>modules {</div>
<div>$INCLUDE ${confdir}/modules/</div>
<div>$INCLUDE eap.conf</div>
<div>$INCLUDE sql.conf</div>
<div>$INCLUDE sql/mysql/counter.conf</div>
<div>}</div>
<div> </div>
<div>instantiate {</div>
<div>exec</div>
<div>expr</div>
<div>expiration</div>
<div>logintime</div>
<div>}</div>
<div> </div>
<div>and sql.conf:</div>
<div> </div>
<div>sql {</div>
<div> database = "mysql"</div>
<div> driver = "rlm_sql_${database}"</div>
<div> server = "localhost"</div>
<div> #port = 3306</div>
<div> login = "radius"</div>
<div> password = "<removed>"</div>
<div> radius_db = "radius"</div>
<div> acct_table1 = "radacct"</div>
<div> acct_table2 = "radacct"</div>
<div> postauth_table = "radpostauth"</div>
<div> authcheck_table = "radcheck"</div>
<div> authreply_table = "radreply"</div>
<div> groupcheck_table = "radgroupcheck"</div>
<div> groupreply_table = "radgroupreply"</div>
<div> usergroup_table = "radusergroup"</div>
<div> deletestalesessions = yes</div>
<div> sqltrace = no</div>
<div> sqltracefile = ${logdir}/sqltrace.sql</div>
<div> num_sql_socks = 5</div>
<div> connect_failure_retry_delay = 60</div>
<div> lifetime = 0</div>
<div> max_queries = 0</div>
<div> nas_table = "nas"</div>
<div> $INCLUDE sql/${database}/dialup.conf</div>
<div> $INCLUDE sql/${database}/counter.conf</div>
<div>}</div>
<div> </div>
<div>Any help is really welcome.</div>
<div>Thanks, and sorry if I couldn't explain myself properly; please correct me.</div>
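<div>An added example (not part of the original post or the poster's configuration) of how rlm_sql resolves group check items from its own tables: group membership comes from radusergroup, not from the LDAP memberOf / Ldap-Group value, so a per-group Max-Daily-Session has to be modelled there. It assumes the stock FreeRADIUS 2.x MySQL schema and the constructed sample user userA and group groupA:</div>

```sql
-- Added example, not from the original post. Assumes the standard
-- radusergroup and radgroupcheck tables from sql/mysql/schema.sql;
-- 'userA' and 'groupA' are constructed sample values.

-- 1. Put the user into a SQL group. rlm_sql looks up membership only
--    in this table; an LDAP memberOf / Ldap-Group value plays no part.
INSERT INTO radusergroup (username, groupname, priority)
VALUES ('userA', 'groupA', 1);

-- 2. Attach the check item to the group rather than to the user
--    (the per-user equivalent would live in radcheck).
INSERT INTO radgroupcheck (groupname, attribute, op, value)
VALUES ('groupA', 'Max-Daily-Session', ':=', '7200');

-- 3. What rlm_sql runs during authorize (the group_membership_query
--    in sql/mysql/dialup.conf), with the user name substituted:
SELECT groupname
  FROM radusergroup
 WHERE username = 'userA'
 ORDER BY priority;

-- 4. Then, for each group returned above, the group check items
--    (equivalent to authorize_group_check_query in dialup.conf):
SELECT id, groupname, attribute, value, op
  FROM radgroupcheck
 WHERE groupname = 'groupA'
 ORDER BY id;

-- 5. Quick sanity check that the mapping resolves end to end:
SELECT u.username, g.attribute, g.op, g.value
  FROM radusergroup u
  JOIN radgroupcheck g ON g.groupname = u.groupname
 WHERE u.username = 'userA';
```

<div>The Max-Daily-Session returned by step 4 is what the dailycounter module later compares against the accounting totals in radacct, so sql must run before dailycounter in authorize, as it already does in the configuration above.</div>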
<div> </div>