Hi Arran, I have used radiusReplyItem attribute in the user objects in openldap. I have modified the entries in openldap accordingly and can see the required attributes as a reply item in the Access-accept packet. Although not getting the attributes as I would expect. This has something to do with attribute mapping but I am not sure which parts of the FreeRADIUS server config require tweaks. Can anyone help me out with the same. This is how I would like the radtest to look like: $ radtest jsmith test 192.168.1.100 0 secret Sending Access-Request of id 187 to 192.168.1.100 port 1812 User-Name = "jsmith" User-Password = "test" NAS-IP-Address = 192.168.1.100 NAS-Port = 0 rad_recv: Access-Accept packet from host 192.168.1.100 port 1812, id=187, length=112 Service-Type = Framed-User Framed-Protocol = PPP Framed-Routing = Broadcast-Listen Filter-Id = "std.ppp" Framed-MTU = 1500 Framed-Compression = Van-Jacobson-TCP-IP * F5-LTM-User-Role = Manager* * F5-LTM-User-Info-1 = "mgmt"* * F5-LTM-User-Partition = "admin"* * F5-LTM-User-Shell = "tmsh"* And this is what it looks like right now: $ radtest -t mschap dawson wakkawakka 198.82.169.55:1830 234234 testing123 Sending Access-Request of id 48 from 0.0.0.0 port 33814 to 198.82.169.55 port 1830 User-Name = 'dawson' NAS-IP-Address = 198.82.169.55 NAS-Port = 234234 Message-Authenticator = 0x00 MS-CHAP-Challenge = 0x45c9d617e4bbadea MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000079a2d20cd58f9af0c5957ede5deaf85b04b2dd9bec6104eb rad_recv: Access-Accept packet from host 198.82.169.55 port 1830, id=48, length=153 *F5-LTM-User-Info-1 = 'F5-LTM-User-Info-1+=\"R&D\"'* * F5-LTM-User-Info-1 = 'F5-LTM-User-Partition+=\"RnD\"'* * F5-LTM-User-Info-1 = 'F5-LTM-User-Role+=\"100\"'* * F5-LTM-User-Info-1 = 'F5-LTM-User-Shell+=\"tmsh\"'* Below are the outputs for radius debug, radtest and some FreeRADIUS and OpenLDAP config. Would really appreciate any help. Thank you. *RADIUS debug* rad_recv: Access-Request packet from host 198.82.169.55 port 34716, id=142, length=132 User-Name = 'dawson' NAS-IP-Address = 198.82.169.55 NAS-Port = 234234 Message-Authenticator = 0xa28852d05f29ba0fac4c4b1046e4178c MS-CHAP-Challenge = 0x4e9904591878fd82 MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000606a875cc1203e10b37861612644c9e3f4e709f7e56f53b9 (0) # Executing section authorize from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) ? if (User-Name != "%{tolower:%{User-Name}}") (0) expand: "%{tolower:%{User-Name}}" -> 'dawson' (0) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (0) ? if (User-Name =~ / /) (0) ? if (User-Name =~ / /) -> FALSE (0) ? if (User-Name =~ /@.*@/ ) (0) ? if (User-Name =~ /@.*@/ ) -> FALSE (0) ? if (User-Name =~ /\\.\\./ ) (0) ? if (User-Name =~ /\\.\\./ ) -> FALSE (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) ? if (User-Name =~ /\\.$/) (0) ? if (User-Name =~ /\\.$/) -> FALSE (0) ? if (User-Name =~ /@\\./) (0) ? if (User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) auth_log : expand: "/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/ 198.82.169.55/auth-detail-20140521' (0) auth_log : /apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/ 198.82.169.55/auth-detail-20140521 (0) auth_log : expand: "%t" -> 'Wed May 21 08:31:51 2014' (0) [auth_log] = ok (0) update control { (0) expand: "uid=%{User-Name},ou=People,ou=NIS,o=vt" -> 'uid=dawson,ou=People,ou=NIS,o=vt' (0) Ldap-UserDn := "uid=dawson,ou=People,ou=NIS,o=vt" (0) } # update control = noop rlm_ldap (ldap): Reserved connection (4) (0) ldap : expand: "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))" -> '(&(uid=dawson))' (0) ldap : expand: "ou=People,ou=NIS,o=vt" -> 'ou=People,ou=NIS,o=vt' (0) ldap : Performing search in 'ou=People,ou=NIS,o=vt' with filter '(&(uid=dawson))' (0) ldap : Waiting for search result... (0) ldap : User object found at DN "uid=dawson,ou=People,ou=NIS,o=vt" (0) ldap : expand: "(&)" -> '(&)' (0) ldap : Performing search in 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' with filter '(&)' (0) ldap : Waiting for search result... (0) ldap : Processing profile attributes (0) ldap : reply:F5-LTM-User-Info-1 := 'F5-LTM-User-Info-1+=\"R&D\"' (0) ldap : reply:F5-LTM-User-Info-1 := 'F5-LTM-User-Partition+=\"RnD\"' (0) ldap : reply:F5-LTM-User-Info-1 := 'F5-LTM-User-Role+=\"100\"' (0) ldap : reply:F5-LTM-User-Info-1 := 'F5-LTM-User-Shell+=\"tmsh\"' (0) ldap : Processing user attributes (0) ldap : control:Password-With-Header += '{nt}D3055AE4C0D68D8BA71C538D1518B5CD' (0) ldap : control:Password-With-Header += '{SSHA}omkfyFmnMrEq1jWG9T86Gh+XlpR87z11' (0) ldap : control:Prohibited := FALSE (0) ldap : control:Radius-Profile-DN := 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' rlm_ldap (ldap): Released connection (4) *rlm_ldap (ldap): Closing connection (0): Too many free connections (5 > 3)* (0) [-ldap] = ok (0) pap : Normalizing NT-Password from hex encoding (0) pap : Normalizing SSHA1-Password from base64 encoding (0) pap : No clear-text password in the request. Not performing PAP. (0) [pap] = noop (0) mschap : Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = ok (0) ? if (!(control:NT-Password) || control:Prohibited == TRUE) (0) ? if (!(control:NT-Password) || control:Prohibited == TRUE) -> FALSE (0) ? if (Ldap-Group != "%{control:Radius-Profile-DN}") (0) expand: "%{control:Radius-Profile-DN}" -> 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' (0) Searching for user in group "cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt" rlm_ldap (ldap): Reserved connection (4) (0) Using user DN from request "uid=dawson,ou=People,ou=NIS,o=vt" (0) Checking for user in group objects (0) expand: "(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))" -> '(&(objectClass=groupOfNames)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))' (0) Performing search in 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' with filter '(&(objectClass=groupOfNames)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))' (0) Waiting for search result... (0) User found in group object rlm_ldap (ldap): Released connection (4) (0) ? if (Ldap-Group != "%{control:Radius-Profile-DN}") -> FALSE (0) else else { (0) update control { (0) Auth-Type := Accept (0) } # update control = noop (0) } # else else = noop (0) } # authorize = ok (0) Found Auth-Type = Accept (0) Auth-Type = Accept, accepting the user *(0) WARNING: Empty post-auth section. Using default return values.* (0) # Executing section post-auth from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default Sending Access-Accept of id 142 from 198.82.169.55 port 1830 to 198.82.169.55 port 34716 F5-LTM-User-Info-1 = 'F5-LTM-User-Info-1+=\"R&D\"' F5-LTM-User-Info-1 = 'F5-LTM-User-Partition+=\"RnD\"' F5-LTM-User-Info-1 = 'F5-LTM-User-Role+=\"100\"' F5-LTM-User-Info-1 = 'F5-LTM-User-Shell+=\"tmsh\"' (0) Finished request 0. Waking up in 0.3 seconds. Waking up in 4.6 seconds. (0) Cleaning up request packet ID 142 with timestamp +12 *Ready to process requests.* *radtest* $ radtest -t mschap dawson wakkawakka 198.82.169.55:1830 234234 testing123 Sending Access-Request of id 48 from 0.0.0.0 port 33814 to 198.82.169.55 port 1830 User-Name = 'dawson' NAS-IP-Address = 198.82.169.55 NAS-Port = 234234 Message-Authenticator = 0x00 MS-CHAP-Challenge = 0x45c9d617e4bbadea MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000079a2d20cd58f9af0c5957ede5deaf85b04b2dd9bec6104eb rad_recv: Access-Accept packet from host 198.82.169.55 port 1830, id=48, length=153 F5-LTM-User-Info-1 = 'F5-LTM-User-Info-1+=\"R&D\"' F5-LTM-User-Info-1 = 'F5-LTM-User-Partition+=\"RnD\"' F5-LTM-User-Info-1 = 'F5-LTM-User-Role+=\"100\"' F5-LTM-User-Info-1 = 'F5-LTM-User-Shell+=\"tmsh\"' *sites-enabled/default* authorize { filter_username preprocess auth_log update control{ Ldap-UserDn := "uid=%{User-Name},ou=People,ou=NIS,o=vt" } -ldap pap mschap if(!(control:NT-Password) || control:Prohibited == TRUE){ update control{ Auth-Type := Reject } } if(Ldap-Group != "%{control:Radius-Profile-DN}"){ update control{ Auth-Type:=Reject } } else{ update control{ Auth-Type:=Accept } } authenticate { mschap pap } *mods-enabled/ldap* update { control:Password-With-Header += 'userPassword' control:NT-Password := 'ntPassword' control:Prohibited := 'prohibited' control:Radius-Profile-DN := 'radiusProfileDn' reply:F5-LTM-User-Info-1 := 'radiusReplyItem' #reply:Reply-Message := 'radiusReplyMessage' } user { base_dn = "ou=People,${..base_dn}" filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))" scope = 'sub' } group { base_dn = "ou=Groups,ou=F5,ou=Configuration,${..base_dn}" filter = "(objectClass=groupOfNames)" scope = 'base' name_attribute = cn membership_filter = "(member=%{control:Ldap-UserDn})" } *OpenLDAP* # R&D, Groups, F5, Configuration, NIS, vt dn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt cn: R&D description: Entiries for the R&D group user accounts member: uid=dawson,ou=People,ou=NIS,o=vt radiusReplyItem: F5-LTM-User-Info-1+="R&D" radiusReplyItem: F5-LTM-User-Partition+="RnD" radiusReplyItem: F5-LTM-User-Role+=100 radiusReplyItem: F5-LTM-User-Shell+="tmsh" objectClass: groupOfNames objectClass: radiusprofile # dawson, People, NIS, vt dn: uid=dawson,ou=People,ou=NIS,o=vt cn: Jacob M. Dawson uid: dawson sn: Dawson givenName: Jacob objectClass: inetOrgPerson objectClass: nisUserAccount objectClass: radiusprofile prohibited: FALSE radiusProfileDn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt *F5 VSAs* VENDOR F5 3375 BEGIN-VENDOR F5 ATTRIBUTE F5-LTM-User-Role 1 integer ATTRIBUTE F5-LTM-User-Role-Universal 2 integer # enable/disable ATTRIBUTE F5-LTM-User-Partition 3 string ATTRIBUTE F5-LTM-User-Console 4 integer # enable/disable ATTRIBUTE F5-LTM-User-Shell 5 string # supported values are disable, tmsh, and bpsh ATTRIBUTE F5-LTM-User-Context-1 10 integer ATTRIBUTE F5-LTM-User-Context-2 11 integer ATTRIBUTE F5-LTM-User-Info-1 12 string ATTRIBUTE F5-LTM-User-Info-2 13 string VALUE F5-LTM-User-Role Administrator 0 VALUE F5-LTM-User-Role Resource-Admin 20 VALUE F5-LTM-User-Role User-Manager 40 VALUE F5-LTM-User-Role Manager 100 VALUE F5-LTM-User-Role App-Editor 300 VALUE F5-LTM-User-Role Operator 400 VALUE F5-LTM-User-Role Guest 700 VALUE F5-LTM-User-Role Policy-Editor 800 VALUE F5-LTM-User-Role No-Access 900 VALUE F5-LTM-User-Role-Universal Disabled 0 VALUE F5-LTM-User-Role-Universal Enabled 1 VALUE F5-LTM-User-Console Disabled 0 VALUE F5-LTM-User-Console Enabled 1 END-VENDOR F5 On Mon, May 19, 2014 at 4:26 PM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
On 19 May 2014, at 20:36, Ajinkya Fotedar <ajinkyafotedar@gmail.com> wrote:
Also, the update section under the ldap modules looks like this.
update { control:Password-With-Header += 'userPassword' control:NT-Password := 'ntPassword' control:Prohibited := 'prohibited' control:Group-Membership := 'groupMembership' reply:F5-LTM-User-Info-1 := 'userInfo' reply:F5-LTM-User-Role := 'userRole' reply:F5-LTM-User-Partition := 'userPartition' reply:F5-LTM-User-Shell := 'userShell' }
Attributes are not retrieved for groups. You need to add profiles with the various reply attributes, and add that profile to the user.
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html