I'm setting up a new freeradius setup using many different authorization modules. Mostly ldap and sql modules. For authentication I'm hoping to use the default and as few custom as possible but I have to use some of the ldap backends for authentication as well. (simple bind) I wonder what are the best configuration practices. I've heard Alan DeKok many times; http://deployingradius.com/documents/configuration/setup.html. So I want to change the default config as little as possible. I was thinking to start adding a few custom files to include in the default config. $raddb/custom_mods.conf : the custom ldap and sql module definitions $raddb/custom_auth.conf : custom authentication entries $raddb/custom_autz.conf : custom authorization entries I'm using realms to link the different authorization modules. If I'm correct I need to add every realm to the proxy.conf file and set it to LOCAL. Is this really needed? realm test.com { type = radius authhost = LOCAL accthost = LOCAL } Finally I need to add the realms to users file DEFAULT Realm == "test.com", Autz-Type := test.com (Auth-Type should be figured out by freeradius) Is this the best way to setup a decent configuration? I'd like to skip the proxy.conf configuration since it's saying the same for all realms. Anyone some suggestions? Rg, Arnaud Loonstra -- View this message in context: http://www.nabble.com/Best-config-practices--tp18922693p18922693.html Sent from the FreeRadius - User mailing list archive at Nabble.com.
sphaero wrote:
I was thinking to start adding a few custom files to include in the default config.
$raddb/custom_mods.conf : the custom ldap and sql module definitions $raddb/custom_auth.conf : custom authentication entries $raddb/custom_autz.conf : custom authorization entries
In 2.0.5, the raddb/modules directory can hold modules. The raddb/sites-enabled/ directory holds custom virtual servers.
I'm using realms to link the different authorization modules.
I'm not sure what that means..
If I'm correct I need to add every realm to the proxy.conf file and set it to LOCAL. Is this really needed?
You need to add realms to proxy.conf. See the default proxy.conf, "realm LOCAL" for an example of configuring a local realm.
Finally I need to add the realms to users file
DEFAULT Realm == "test.com", Autz-Type := test.com
That will work. But in 2.0.5, I would suggest *not* using Autz-Type. The new virtual server functionality is much more powerful. Still... if this works for you, there's no harm in using it. Alan DeKok.
realm test.com { type = radius authhost = LOCAL accthost = LOCAL }
Finally I need to add the realms to users file
DEFAULT Realm == "test.com", Autz-Type := test.com
(Auth-Type should be figured out by freeradius)
Is this the best way to setup a decent configuration? I'd like to skip the proxy.conf configuration since it's saying the same for all realms. Anyone
some suggestions?
Well, if you have LOCAL for *every* realm, my suggestion would be not not call any realm module at all. Then the proxy.conf file is ignored and you can leave it untouched. Then, obviously using Realm == test.com in the users file should be replaced. You can do it by DEFAULT User-Name =~ ".*@test.com$", Autz-Type := test.com HTH, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473
Stefan Winter-4 wrote:
Well, if you have LOCAL for *every* realm, my suggestion would be not not call any realm module at all. Then the proxy.conf file is ignored and you can leave it untouched.
Then, obviously using Realm == test.com in the users file should be replaced. You can do it by
DEFAULT User-Name =~ ".*@test.com$", Autz-Type := test.com
HTH,
Stefan Winter
That's handy suggestion. But what if want to proxy certain realms to other radius servers. I would still need to use the proxy.conf file. I might set realm DEFAULT in proxy.conf and DEFAULT Realm == DEFAULT, User-Name =~ ".*@test.com$", Autz-Type := test.com and I'm back in business :) Thanks, Arnaud -- View this message in context: http://www.nabble.com/Best-config-practices--tp18922693p18923309.html Sent from the FreeRadius - User mailing list archive at Nabble.com.
Ok, To finalise for the archive: In the freeradius config directory I create the following 3 files: custom-mods.conf, custom-autz.conf, custom-auth.conf custommods.conf: ldap bla1 { server = "10.48.65.1" port = 636 basedn = "o=bla1" filter = "(cn=%{Stripped-User-Name:-%{User-Name}})" access_attr = "cn" tls_require_cert = "never" set_auth_type = yes } ldap bla2 { server = "10.60.65.1" port = 636 basedn = "o=bla2" filter = "(cn=%{Stripped-User-Name:-%{User-Name}})" access_attr = "cn" tls_require_cert = "never" set_auth_type = yes } sql bla3 { driver = "rlm_sql_unixodbc" # Connect info server = "mssql" login = "login_User" password = "passs" radius_db = "database" acct_table1 = "radacct" acct_table2 = "radacct" authcheck_table = "table_user" authreply_table = "table_user" groupcheck_table = "radgroupcheck" groupreply_table = "radgroupreply" usergroup_table = "usergroup" deletestalesessions = yes # Print all SQL statements when in debug mode (-x) sqltrace = no sqltracefile = ${logdir}/sqltrace.sql # number of sql connections to make to server num_sql_socks = 5 sql_user_name = "%{Stripped-User-Name:-%{User-Name:-none}}" # Custom query die attributen klaar zet! authorize_check_query = "SELECT UserID,Username,'SHA-Password' AS Attribute, Password, ':=' AS Op FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' ORDER BY UserID" authorize_reply_query = "SELECT UserID,Username from {authreply_table} WHERE Username = '%{SQL-User-Name}' ORDER BY UserID" } custom-autz.conf: Autz-Type bla1 { bla1 } Autz-Type bla2 { bla2 } Autz-Type bla3 { bla3 } custom-auth.conf: Auth-Type bla1 { bla1 } Auth-Type bla2 { bla2 } add in proxy.conf : realm DEFAULT { type = radius authhost = LOCAL accthost = LOCAL } and finally in users: DEFAULT Realm == DEFAULT, User-Name =~ ".*@bla1$", Autz-Type := bla1 DEFAULT Realm == DEFAULT, User-Name =~ ".*@bla2$", Autz-Type := bla2 DEFAULT Realm == DEFAULT, User-Name =~ ".*@bla3$", Autz-Type := bla3 that's it. This is for the 1.1 series. 2.0 could be done differently. Correct? Rg, Arnaud -- View this message in context: http://www.nabble.com/Best-config-practices--tp18922693p18924526.html Sent from the FreeRadius - User mailing list archive at Nabble.com.
Oh forgot to tell to add the custom configs to radiusd.conf. So these custom file should be - near the ldap section - in the authorize {} section - in the authenticate {} section respectively :/etc/raddb # grep -n custom- radiusd.conf 720:$INCLUDE ${confdir}/custom-mods.conf 1856:$INCLUDE ${confdir}/custom-autz.conf 1959:$INCLUDE ${confdir}/custom-auth.conf -- View this message in context: http://www.nabble.com/Best-config-practices--tp18922693p18924598.html Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (3)
-
Alan DeKok -
sphaero -
Stefan Winter