Combining LDAP authentication and UNIX groups
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi list, Is it possible to authenticate users against LDAP and also check if the username exists in a local UNIX group. I can get both working independently i.e. in my users file - ---snip--- DEFAULT Auth-Type = LDAP Fall-Through = No DEFAULT Group == "paul", Auth-Type = System Fall-Through = No - ---snip--- I can auth users against LDAP successfully and I can auth users who are in the group "paul" successfully against the password file. I tried to combine these two in various way, e.g. - ---snip--- DEFAULT Group == "paul", Auth-Type = LDAP, Fall-Through = No - ---snip--- But I couldn't get this to work, probably because LDAP has no concept of a "Group". It might be possible to do this using two different definitions in "users" that where one falls through to another but I'm not sure how to implement this. Does anyone know if this is achievable? NOTE: Please don't ask why I'm trying to do this. I realise this is a slightly unusual concept, but I'd thought I'd ask. Thanks, Paul -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iD8DBQFFNd9+4qOLghPAuV0RAh6fAKCe8yPC49Ri6wXHAOXPGrbB2X+GWwCgt8hQ YWX30HRRls054OfH2LNHpv4= =p7Ww -----END PGP SIGNATURE-----
Paul Stepowski <p.stepowski@qut.edu.au> wrote:
Is it possible to authenticate users against LDAP and also check if the username exists in a local UNIX group.
Yes. But you really don't need to authenticate against LDAP. Configure the server to pull the cleartext password from LDAP, and the server will figure it out...
I tried to combine these two in various way, e.g.
- ---snip--- DEFAULT Group == "paul", Auth-Type = LDAP, Fall-Through = No - ---snip---
But I couldn't get this to work, probably because LDAP has no concept of a "Group".
Huh? No. That configuration will work IF the user is in a local Unix group. And PLEASE read the FAQ for questions like "it doesn't work". You're going out of your way to avoid giving information that may enable people to help you. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Thanks Alan, This answers my question. Now that I know that this can be done with freeradius, I can move on to figuring out how to get my configuration right. When I try to auth with a valid LDAP user and password with radclient, the authentication fails. e.g. $ (echo "User-Name = stepowsk" && echo "User-Password = ********") | radclient -r 1 -x css-radius auth testing123 Sending Access-Request of id 28 to 131.181.118.217:1812 User-Name = "stepowsk" User-Password = "********" rad_recv: Access-Reject packet from host 131.181.118.217:1812, id=28, length=20 Freeradius in debug mode tells me that the request is not matching on the entry in the users file. I have verified that the I can authenticate with the LDAP account. I have verified the user name is in the groups file. Freeradius debug output follows: ---snip--- rad_recv: Access-Request packet from host 131.181.118.217:34366, id=161, length=48 User-Name = "stepowsk" User-Password = "********" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "stepowsk", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 modcall[authorize]: module "files" returns notfound for request 0 modcall: group authorize returns ok for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 161 to 131.181.118.217:34366 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 161 with timestamp 4536c533 Nothing to do. Sleeping until we see a request. ---snip--- Any help would be much apprectiated. The following shows my system setup and config files: $ cat /etc/redhat-release Red Hat Enterprise Linux ES release 4 (Nahant Update 4) $ rpm -qi freeradius Name : freeradius Relocations: (not relocatable) Version : 1.0.1 Vendor: Red Hat, Inc. ---snip--- $ cat /etc/raddb/users DEFAULT Group == "paul", Auth-Type = LDAP Reply-Message = "LDAP auth", Fall-Through = No $ cat /etc/raddb/group users:x:1:csslog,csslog2 paul:x:2:stepowsk css:x:3:csslog2 $ cat /etc/raddb/radiusd.conf | grep -v '#' | grep -v ^$ prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = /usr/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = /usr/lib pidfile = ${run_dir}/radiusd.pid user = radiusd group = radiusd max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = 131.181.118.217 port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = no log_auth_badpass = no log_auth_goodpass = no usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = yes $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf snmp = no $INCLUDE ${confdir}/snmp.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pap { encryption_scheme = crypt } chap { authtype = CHAP } pam { pam_auth = radiusd } unix { cache = no cache_reload = 600 passwd = /etc/raddb/passwd shadow = /etc/raddb/shadow group = /etc/raddb/group radwtmp = ${logdir}/radwtmp } $INCLUDE ${confdir}/eap.conf mschap { authtype = MS-CHAP } ldap { server = "ldap.qut.edu.au" port = 389 basedn = "ou=people,dc=qut,dc=edu,dc=au" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" ldap_connections_number = 5 timeout = 3 timelimit = 3 net_timeout = 3 start_tls = yes tls_cacertfile = /etc/raddb/cacert.pem tls_require_cert = "demand" identity = "********" password = ******** password_attribute = ******** dictionary_mapping = ${raddbdir}/ldap.attrmap } realm IPASS { format = prefix delimiter = "/" ignore_default = no ignore_null = no } realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } realm realmpercent { format = suffix delimiter = "%" ignore_default = no ignore_null = no } realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } checkval { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } $INCLUDE ${confdir}/sql.conf radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply } ippool main_pool { range-start = 192.168.1.1 range-stop = 192.168.3.254 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex override = no maximum-timeout = 0 } } instantiate { exec expr } authorize { preprocess chap mschap suffix eap files } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix Auth-Type LDAP { ldap } eap } preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp } session { radutmp } post-auth { } pre-proxy { } post-proxy { eap } Alan DeKok wrote:
Paul Stepowski <p.stepowski@qut.edu.au> wrote:
Is it possible to authenticate users against LDAP and also check if the username exists in a local UNIX group.
Yes. But you really don't need to authenticate against LDAP. Configure the server to pull the cleartext password from LDAP, and the server will figure it out...
I tried to combine these two in various way, e.g.
- ---snip--- DEFAULT Group == "paul", Auth-Type = LDAP, Fall-Through = No - ---snip---
But I couldn't get this to work, probably because LDAP has no concept of a "Group".
Huh? No.
That configuration will work IF the user is in a local Unix group.
And PLEASE read the FAQ for questions like "it doesn't work". You're going out of your way to avoid giving information that may enable people to help you.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Paul Stepowski <p.stepowski@qut.edu.au> wrote:
Freeradius in debug mode tells me that the request is not matching on the entry in the users file. I have verified that the I can authenticate with the LDAP account. I have verified the user name is in the groups file.
If each piece works in isolation, adding the pieces together should work. Something else is going on... Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Hi, I want to give certificat to my server freeradius. My CA is a Windows CA. Can you tell me how do it please, thank you?
participants (3)
-
Alan DeKok -
mkerkoub@free.fr -
Paul Stepowski