Victor Tarhon-Onu wrote:
Before proceeding further I'm going to describe shortly what I want to do and what I did so far.
That's always a good idea.
Later the requirement was changed and I was asked to do some privilege separation based on the group each LDAP user is in. So it seemed to be easier just to map the LDAP gidNumber entry for each user to a radius check item:
/etc/raddb/ldap.attrmap:checkItem Group-ID gidNumber /etc/raddb/dictionary:ATTRIBUTE Group-ID 3000 integer
Hmm... I'd pick another name, but OK.
So in /etc/raddb/users I added something like
DEFAULT Auth-Type = LDAP Service-Type = Login, Fall-Through = Yes
DEFAULT Group-ID == 100 Service-Type := Shell-User
DEFAULT Group-ID == 101 Service-Type := Dialout-Framed-User
That should work.
The problem is that the Service-Type never changes because the Group-ID doesn't match any of those checks. It remains set to the value (Login) I've set as default at the beginning of the file. However, when running the radius server in debug mode, I can see that the Group-ID is set correctly for each authenticated user:
rlm_ldap: Adding gidNumber as Group-ID, value 100 & op=21
...but I'm not sure if it's exported (or even supposed to be) out from rlm_ldap.
If the ldap module says it's being added, it's being added.
The freeradius version is 1.1.3 (freeradius-1.1.3-1.6.el5).
Oh dear... that is very, very, very old.
I am inserting below the entire output of the radius server during an authentication/authorization attempt:
Which shows a pretty obvious problem.
modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 6 modcall[authorize]: module "files" returns ok for request 0 modcall: entering group redundant for request 0 rlm_ldap: - authorize
You're checking the "files" module BEFORE ldap. So the Group-Id will *never* be seen by the "users" file, because it hasn't been added. Swap the order. Put "files" after "ldap". Alan DeKok.