On Sat, Sep 19, 2015 at 6:42 AM, Daniele Mantovani < dmantovani@salesianisesto.it> wrote:
Hi,
I've started using freeradius (current version 2.2.5) on a debian machine to authenticate user on a wifi hotspot.
I'm currently using it without any problem, and it work greats!
At the moment I'm using ldap (on a windows server 2008 active directory), pop and exec module to authenticate different realm.
I only need to improve a little bit the replay message when an authentication fail. Currently I've a generic replay message on the end of the users file, but I want to make some specific message for the ldap user: I'm checking if a user is part of an ldap group to give them access. Here's a little bit of configuration
users file DEFAULT Realm == NULL, osdbLDAP-Ldap-Group =="InternetAccess",Autz-Type := osdbLDAP, Auth-Type := osdbLDAP
DEFAULT Auth-Type := Reject Reply-Message = "You are not authorized"
radiusd.conf
ldap osdbLDAP{ dictionary_mapping = ${raddbdir}/ldap.attrmap server = "*****" basedn = "cn=Users,dc=osdbsesto,dc=local" filter = "(sAMAccountName=%{Stripped-User-Name})" identity = "cn=ldap-proxy,cn=Users,dc=osdbsesto,dc=local" password = "****" #groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))" groupmembership_filter =
"(&(objectcategory=group)(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn}))" groupmembership_attribute = "memberOf" chase_referrals = yes rebind =yes }
My goal is to have an error message for not valid user credential, and one message for user not in group. I've red the documentation about the ldap module, and I've seen 2 possible way of get this: -using the post-auth in the virtual server, and checking the group: I've seen in the ldap module documentation that I can check the group in the post-auth of my virtual server, but it's not documented well, so I've many questions: --to do that, I simply need to remove the 'osdbLDAP-Ldap-Group == "InternetAccess"' part in users file, and add something like this in post-auth block?
if (osdbLDAP-Ldap-Group == "InternetAccess") { noop } else { reject }
-- can I user the unlang in this block? for example, can I do this?
else { Reply-Message = "You aren't in the right group" reject }
maybe... ? if (osdbLDAP-Ldap-Group) { if (osdbLDAP-Ldap-Group != "InternetAccess") { Reply-Message = "You aren't in the right group" reject } } else { reject }
-- does this check work with the recursive group filter? (I'm checking if user is in the group, or in a sub group) (groupmembership_filter =
"(&(objectcategory=group)(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn}))")
-- can I catch somewhere the "not authenticate" state? (where I can set a custom message)
- the other way I've found to do this is add a second line in the users file, after the line that authenticate if user is valid and in the group, and to the same check as before, but without the group. In that case, I can set a custom replay message (the user is valid but not in the group) and, stopping the fall trough, I think I can reject the user. This should work, but, if I'm not wrong, this will do another call to the ldap server
Any suggestion, tip, link or documentation I can read?
Thanks to all Best Regards Mix - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html