I appear to have gotten this working by adding the following to my authorize {} section: if (Realm == "localdomain.edu") { files ldap } Obviously removing the reference to "files" and "ldap" from elsewhere in the authorize section. Then I do LDAP group checking in the users file like this: # Allow Students DEFAULT Ldap-Group == 30 # ...and Staff DEFAULT Ldap-Group == 40 # ...and Faculty DEFAULT Ldap-Group == 50 # ...and nobody else! DEFAULT Auth-Type := Reject Reply-Message = "Only current faculty, staff or students are allowed to log in." ...and in radiusd.conf, the following non-default config in the ldap section to establish how to find Ldap-Group: base_filter = "(objectclass=posixAccount)" groupname_attribute = gidNumber groupmembership_filter = "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name}))" groupmembership_attribute = gidNumber And then I have set up my proxy hosts for other realms (domains) in proxy.conf This seems to accomplish what I want, which is to check LDAP groups during authorization only if the realm is local. I'm not sure what the syntax rules for the authorize{} section of the config files are; I was unable to find any description in the docs of how one goes about figuring out how to write these conditional statements. What language is it? It seems C-like, but only kindof. Did I miss this in the documentation? And the only way I could tell that I could use the variable "Realm" is because it was in the debugging output of freeradius. I couldn't find a list of available variables on the wiki, other than http://wiki.freeradius.org/Run-time_variables#Conditional_syntax , which is very incomplete non self-explanatory. I'm just confused as to how I was supposed to figure all this out without doing what I did, which was bang my head against the wall for a long time. I kinda figured there was some default way I was supposed to be doing what I was doing, but I gave up and did what feels like a "hack" to me. Is it OK? Am I missing a clear place where all of this is described? This is a fabulous piece of software, and I appreciate its license, its functionality, and its highly-configurable nature, I just feel like I'm missing something :) All the best, -Josiah Wm. Josiah Erikson wrote:
I see. I can, indeed, remove Auth-Type := LDAP from the users file and it still works. Cool!
However, the behavior described in the documentation is not what I'm seeing, and I'm still getting (contrary to what I said in my previous email) authorization requests not being proxied, even though I have, in my authorize section, the "suffix" directive previous to "files" and "ldap", which is where I check the LDAP group....
If my realm is @hampshire.edu, everything works as I want it to, because it doesn't proxy. But when I try to authenticate as a fake user in my test proxy realm (I just want to see it try to proxy), it looks in the local LDAP database! Huh? It says it's preparing to proxy <authentication>, as it should... how do I make it either proxy authorization as well, or skip authorization for non-local domains? How should I go about this?
I must be misunderstanding something. I don't want it to do anything locally if I've set it to proxy! I get the following relevant output from freeradius -X:
Listening on authentication address * port 1812 Listening on accounting address * port 1813 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 34022, id=118, length=66 User-Name = "dude@testdomain.edu" User-Password = "passwowrd" NAS-IP-Address = 172.20.66.104 NAS-Port = 1 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: Looking up realm "testdomain.edu" for User-Name = "dude@testdomain.edu" rlm_realm: Found realm "testdomain.edu" rlm_realm: Adding Stripped-User-Name = "dude" rlm_realm: Proxying request from user dude to realm testdomain.edu rlm_realm: Adding Realm = "testdomain.edu" rlm_realm: Preparing to proxy authentication request to realm "testdomain.edu" ++[suffix] returns updated ++[unix] returns notfound rlm_ldap: Entering ldap_groupcmp() expand: dc=hampshire, dc=edu -> dc=hampshire, dc=edu expand: (uid=%{Stripped-User-Name}) -> (uid=dude) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap.hampshire.edu:389, authentication 0 rlm_ldap: bind as uid=tu, ou=account, dc=hampshire, dc=edu/tp to ldap.hampshire.edu:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=hampshire, dc=edu, with filter (uid=dude) rlm_ldap: object not found or got ambiguous search result rlm_ldap::ldap_groupcmp: search failed rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() expand: dc=hampshire, dc=edu -> dc=hampshire, dc=edu expand: (uid=%{Stripped-User-Name}) -> (uid=dude) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=hampshire, dc=edu, with filter (uid=dude) rlm_ldap: object not found or got ambiguous search result rlm_ldap::ldap_groupcmp: search failed rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() expand: dc=hampshire, dc=edu -> dc=hampshire, dc=edu expand: (uid=%{Stripped-User-Name}) -> (uid=dude) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=hampshire, dc=edu, with filter (uid=dude) rlm_ldap: object not found or got ambiguous search result rlm_ldap::ldap_groupcmp: search failed rlm_ldap: ldap_release_conn: Release Id: 0 users: Matched entry DEFAULT at line 219 ++[files] returns ok rlm_ldap: - authorize rlm_ldap: performing user authorization for dude expand: (uid=%{Stripped-User-Name}) -> (uid=dude) expand: dc=hampshire, dc=edu -> dc=hampshire, dc=edu rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=hampshire, dc=edu, with filter (uid=dude) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> dude@testdomain.edu attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 118 to 127.0.0.1 port 34022 Reply-Message = "Only current faculty, staff or students are allowed to log in." Waking up in 4.9 seconds. Cleaning up request 0 ID 118 with timestamp +2 Ready to process requests.
Alan DeKok wrote:
Wm. Josiah Erikson wrote:
# Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We # really can't emphasize this enough.
Uh. OK. That's exactly what I'm doing, and it's working :)
Then it works. It's fine.
That message is for the majority of people who force LDAP to be used for authentication, and the wonder why EAP doesn't work.
Remember: LDAP is a database. It's not an authentication server.
However, is there a better way to do this that I'm not understanding? Why shouldn't I set Auth-Type := LDAP ?
You probably don't need to set it. If you simply deleted that from the "users" file, your configuration would probably still work.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Wm. Josiah Erikson Computing Support School of Cognitive Science Hampshire College Amherst, MA 01002 (413) 559-6091