<html><body>
<div>
<p>Hello Alan,</p>
<p>Thank you for your answer.</p>
<p>I disabled SQL because I assumed radiusd shouldn't look into the radcheck table to perform an authentication since I wanted to use LDAP. To me it's a bit strange that radiusd will query this table every time knowing that it won't be used because the authentication is based on LDAP.</p>
<p>To make my tests I have:</p>
<p>1) Cleared any user's entry in the radcheck table</p>
<p>2) Added an entry into the radgroupcheck table as you suggested:</p>
<pre>| 6 | testgroup | LDAP-Group | == | radiusldapgroup |</pre>
<p>3) Created the radiusldapgroup on my LDAP server and added a user</p>
<p>4) Checked the entries I have created in the past for that group in the radgroupreply table:</p>
<pre>+----+-----------+-------------------------+----+----------+
| id | groupname | attribute               | op | value    |
+----+-----------+-------------------------+----+----------+
|  3 | testgroup | Tunnel-Type             | =  | VLAN     |
|  4 | testgroup | Tunnel-Medium-Type      | =  | IEEE-802 |
|  5 | testgroup | Tunnel-Private-Group-Id | =  | 4        |
+----+-----------+-------------------------+----+----------+</pre>
<p>5) In the file /etc/raddb/modules/ldap I have my group settings like this:</p>
<pre>groupname_attribute = cn
groupmembership_filter = "(|(&amp;(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&amp;(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
groupmembership_attribute = radiusGroupName</pre>
<p>6) Checked that I have read_groups=yes in sql.conf</p>
<p>7) Restarted the radiusd server (I always use option -X at the moment)</p>
<p>Unfortunately</p>
<pre># radtest myuser mypassword 127.0.0.1 1812 mysecret</pre>
<p>doesn't send me the attributes. I received rad_recv: Access-Accept though.</p>
<p>I have a few questions:</p>
<p>a) My users are sitting in my ldap server and not in mysql, so I'm not supposed to have a Fall-Through entry in the radreply table for myuser. Right? And should I have read_groups=yes in sql.conf (section authorize {)?</p>
<p>b) In /etc/raddb/sites-enabled/default, is the order important: first sql then ldap (default), or should it be first ldap then sql? I've noticed the debug output is different when I change the order. The reason is that the user credential should be checked against ldap first and then, according to its group, the attributes should be sent by radiusd. That's why I tried to put ldap before sql.</p>
<p>c) I'm very confused about the line "groupmembership_attribute = radiusGroupName". Should I replace radiusGroupName by something else such as radiusldapgroup?</p>
<p>d) When I start radiusd -X (ldap_debug = 0x0028 is not commented), I don't see my ldap server returning a group in the output on the screen. I would like to make sure that my groupname_attribute, groupmembership_filter and groupmembership_attribute are correct. How can I see what user's groups are received by the radiusd server?</p>
<p>Regards</p>
</div>
<div class="yahoo_quoted">
<p>On Tuesday 12 November 2013 at 20:37, Alan DeKok &lt;aland@deployingradius.com&gt; wrote:</p>
<blockquote>
<pre>Mik J wrote:
&gt; I've managed to set up freeradius with sql.
&gt; When a user authenticates, the freeradius server returns the nas some
&gt; attributes.

  That's fine.

&gt; Now I'm trying to use openldap to authenticate my user
&gt; # radtest myuser mypassword 127.0.0.1 1812 mysecret
&gt; This command works. The mysecret is stored into the nas table and
&gt; myuser/mypassword is stored in the openldap server. So I would say that
&gt; the connectivity with the ldap server works perfectly

  You shouldn't have to do *anything* else. The two pieces are independent.

&gt; But the command doesn't return the attributes I want.
&gt;
&gt; In the file sites-enabled/default I have
&gt; authorize {
&gt; #files
&gt; #sql
&gt; ldap

  OK... you disabled SQL. Why? It was returning attributes.

  You really seem to be making random changes in the hope that it will
magically work. That is entirely the wrong approach.

&gt; I'm confused how freeradius will proceed
&gt; - Search for myuser in the ldap using the account I provided in modules/ldap
&gt; - Check the user's password

  That's how LDAP works. You have it working.

&gt; - Should openldap return the attributes I mentioned above or can this be
&gt; done with mysql?

  You already did this with MySQL. Why did you change it?

&gt; - I'd like to return these attributes if myuser belongs to mygroup,
&gt; mygroup is created in openldap and myuser belongs to mygroup
&gt; I've seen the section in modules/ldap but I don't know how to test if what I
&gt; configured is correct
&gt; groupname_attribute = cn
&gt; groupmembership_filter = "(&amp;(objectclass=posixGroup)(memberUid=%u))"

  You can do LDAP group checking via the LDAP-Group attribute. Put that
into the MySQL "check" items:

  LDAP-Group == "name_of_group_to_check"

  If the group matches, the reply attributes will be returned.

  Alan DeKok.</pre>
</blockquote>
</div>
</body></html>
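As an added example, not code from either message in this thread, here are the rows in the stock FreeRADIUS MySQL schema that implement Alan's suggestion (an LDAP-Group check item on an SQL group, with the reply attributes on the same group), followed by a query that shows what the sql module will find for the user. The radusergroup, radgroupcheck and radgroupreply table and column names are the standard schema. The values myuser, testgroup, radiusldapgroup and the Tunnel-* reply rows are taken from the thread; the radusergroup row mapping myuser to testgroup is an assumption, since neither message shows that table, and with read_groups = yes the stock sql.conf group_membership_query reads group names only from radusergroup.

```sql
-- Added example (not from the thread). Standard FreeRADIUS MySQL schema tables;
-- the myuser -> testgroup mapping in radusergroup is an assumption.

-- 1) Map the user to the SQL group. With read_groups = yes the default
--    group_membership_query selects groupname FROM radusergroup for the user,
--    so without this row the testgroup check/reply rows are never consulted.
INSERT INTO radusergroup (username, groupname, priority)
VALUES ('myuser', 'testgroup', 1);

-- 2) Group check item (what Alan suggested): the ldap module evaluates
--    LDAP-Group using groupmembership_filter, and the group only matches
--    when the user is a member of the LDAP group named radiusldapgroup.
INSERT INTO radgroupcheck (groupname, attribute, op, value)
VALUES ('testgroup', 'LDAP-Group', '==', 'radiusldapgroup');

-- 3) Group reply items returned in the Access-Accept when the check matches
--    (same rows and '=' operator as the radgroupreply listing in the thread).
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
  ('testgroup', 'Tunnel-Type',             '=', 'VLAN'),
  ('testgroup', 'Tunnel-Medium-Type',      '=', 'IEEE-802'),
  ('testgroup', 'Tunnel-Private-Group-Id', '=', '4');

-- 4) Trace the wiring the same way the module does, user -> group -> rows.
--    An empty result for 'check' or 'reply' means that stage cannot fire,
--    which is quicker than reading the whole radiusd -X output.
SELECT ug.username, ug.groupname, 'check' AS kind,
       gc.attribute, gc.op, gc.value
FROM   radusergroup ug
JOIN   radgroupcheck gc ON gc.groupname = ug.groupname
WHERE  ug.username = 'myuser'
UNION ALL
SELECT ug.username, ug.groupname, 'reply',
       gr.attribute, gr.op, gr.value
FROM   radusergroup ug
JOIN   radgroupreply gr ON gr.groupname = ug.groupname
WHERE  ug.username = 'myuser'
ORDER BY kind, attribute;
```

The last query is the check to run before touching the ldap module settings: it shows exactly the check and reply rows the sql module will load for myuser, so if the LDAP-Group row or the Tunnel-* rows are missing from the result, the problem is in the SQL side, not in groupmembership_filter.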