We are seeing if we can avoid using LDAP as it requires exposing the credentials (to myself) used to bind to LDAP. We have audit requirements and our SysAdmins are the only persons who should know these credentials. With that being said we are trying to find any work around to avoid LDAP. I was able to find this page ( http://blog.chapus.net/freeradius-active-directory-group-check/) where the author states he had a working implementation that does not use LDAP. I have added the unix module to my authorize section and created if statements in my post-auth section: post-auth { exec if ((Group == 'DOMAIN\network admins') ) { update reply { Service-Type = NAS-Prompt-User, cisco-avpair :="shell:priv-lvl=15" } } else { update reply { Service-Type = NAS-Prompt-User, cisco-avpair :="shell:priv-lvl=3" } } Post-Auth-Type REJECT { attr_filter.access_reject } } But I am unsure where this "Group" attribute is coming from in the if condition (unix module?) and if it is populating correctly as the condition is not showing true, when it is (assuming the attribute is indeed the one needed). Below is relevant debug output: (0) authenticate { (0) ntlm_auth: Executing: /usr/local/bin/ntlm_auth --request-nt-key --domain=DOMAIN --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of='DOMAIN\noc_staff': (0) ntlm_auth: EXPAND --username=%{mschap:User-Name} (0) ntlm_auth: --> --username=rashad.hall (0) ntlm_auth: EXPAND --password=%{User-Password} (0) ntlm_auth: --> --password=password (0) ntlm_auth: Program returned code (0) and output 'NT_STATUS_OK: Success (0x0)' (0) ntlm_auth: Program executed successfully (0) [ntlm_auth] = ok (0) } # authenticate = ok (0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/KIO (0) post-auth { (0) [exec] = noop (0) if ((Group == 'DOMAIN\network admins') ) { (0) if ((Group == 'DOMAIN\network admins') ) -> FALSE (0) else { (0) update reply { (0) Service-Type = NAS-Prompt-User (0) cisco-avpair := "shell:priv-lvl=3" (0) } # update reply = noop (0) } # else = noop (0) } # post-auth = noop (0) Sent Access-Accept Id 19 from 192.168.20.90:1812 to 192.168.20.138:1645 length 0 (0) Service-Type = NAS-Prompt-User (0) Cisco-AVPair := "shell:priv-lvl=3" (0) Finished request Any ideas? We will end up using LDAP if needed but if there is a decent workaround we are not concerned about optimal performance for the moment. Thanks. On Wed, Jan 6, 2016 at 4:59 AM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
I was actually surprised how much I could easily port from a 2.x config to 3.0 without much effort, great job! (I know I'm late to game of FreeRADIUS 3.0). I actually like the changes that were made to the ldap module so far.
a lot of things cleaned up...and as for the changes to LDAP - so do we! :-) (we've now removed 90% of our usage of PERL and external hooks because of things that can be done natively in 3.1.x - looking at that last 10% ! ;-) )
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html