We seek to take
advantage of FreeRadius 2.0.5's ability to run multiple virtual
servers.
All our other
servers are working except one, which has a complex
authentication.
As a stand-alone
configuration this looks as follows:
################################################################
##
MODULES
CONFIGURATION
##
################################################################
modules
{
ldap
dirnet{
server =
"directory.sub.main.com"
port =
389
identity =
"cn=acsAgent,ou=agents,ou=network,dc=main,dc=com"
password = xxxxxx
basedn =
"ou=network,dc=main,dc=com"
filter =
"(&(objectclass=kuAuthAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
.
.
.
groupmembership_filter =
"(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=%{Stripped-User-Name:-%{User-Name}}*))
.
.
}
ldap
dirnode{
server =
"directory.main.com"
port =
389
identity = "cn=wireless-agent,ou=agents,ou=Academic
Computing,ou=units,dc=main,dc=com"
password
= yyyyyyyyyyy
basedn =
"dc=main,dc=com"
filter =
"(&(objectclass=kuAuthAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
groupmembership_filter =
"(&(objectClass=kuAuthAccount)(eduPersonEntitlement=*)(uid=%{Stripped-User-Name:-%{User-Name}}*))
groupmembership_attribute =
eduPersonEntitlement
groupname_attribute =
eduPersonEntitlement
access_attr = uid
.
.
.
}
server
{
authenticate {
## Use LDAP
Authentication
Auth-Type DIRNODE
{
dirnode
}
Auth-Type DIRNET
{
dirnet
}
}
authorize
{
## Use LDAP Authorization via
files config in 'users'
files
}
And the users file
looks like
DEFAULT dirnet-Ldap-Group ==
"cn=AuthorizedGuestVendorMAINAnywhereUsers,ou=IT,ou=groups,ou=network,dc=main,dc=com", Auth-Type :=
DIRNET
Class =
"%{dirnet:ldap:///ou=authaccounts,ou=network,dc=main,dc=com?eduPersonEntitlement?sub?uid=%{User-Name}",
Fall-Through = no
DEFAULT dirnet-Ldap-Group ==
"cn=VPNPHONES,ou=IT,ou=groups,ou=network,dc=main,dc=com", Auth-Type :=
DIRNET
Class = "urn:mace:main.com:RINGS:group:main_anywhere:vpnphone",
Fall-Through = no
DEFAULT User-Profile :=
"uid=%{Stripped-User-Name:-%{User-Name}},ou=authaccounts,dc=main,dc=com", Auth-Type :=
DIRNODE
Class =
"%{dirnode:ldap:///ou=authaccounts,dc=main,dc=com?eduPersonEntitlement?sub?uid=%{User-Name}",
Fall-Through = no
DEFAULT Auth-Type :=
REJECT
Reply-Message = "User Login
Rejected"
--------------------------
I've gotten as far
as:
modules {
## LDAP
Server configuration
ldap
{
}
## LDAP User-to-Group
mapping
files
{
usersfile =
${confdir}/guest_vendor_mainanywhere_users
acctusersfile =
/dev/null
preproxy_usersfile =
/dev/null
compat = no
}
}
authenticate
{
## Use LDAP Authentication
(entry in modules/ldap)
Auth-Type
LDAP
{
dirnode
}
Auth-Type LDAP
{
dirnet
}
}
authorize
{
## Use LDAP Authorization via
files config in 'users' (entry in
modules/
ldap)
dirnode
dirnet
}
and the ldap file
entries as
ldap dirnet
{
#
# Note that this needs to
match the name in the LDAP
#
server certificate, if you're using
ldaps.
server =
"directory.sub.main.com"
port =
389
identity =
"cn=acsAgent,ou=agents,ou=network,dc=main,dc=com"
password = xxxxxx
basedn =
"ou=network,dc=main,dc=com"
filter =
"(&(objectclass=kuAuthAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
.
.
.
groupmembership_filter =
"(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=%{Stripped-User-Name:-%{User-Name}}*))
.
.
}
ldap
dirnode{
server =
"directory.main.com"
port =
389
identity = "cn=wireless-agent,ou=agents,ou=Academic
Computing,ou=units,dc=main,dc=com"
password
= yyyyyyyyyyy
basedn =
"dc=main,dc=com"
filter =
"(&(objectclass=kuAuthAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
groupmembership_filter =
"(&(objectClass=kuAuthAccount)(eduPersonEntitlement=*)(uid=%{Stripped-User-Name:-%{User-Name}}*))
groupmembership_attribute =
eduPersonEntitlement
groupname_attribute =
eduPersonEntitlement
access_attr = uid
.
.
.
}
with the users file
intact
Any suggestions as
to how to configure, especially the "authorize" section to allow trying both
dirnode and dirnet would be welcome.
(As it is now,
dirnode auth works, but dirnet doesn't.)
Thank
you!