Troube with matching LDAP group membership in authorize
I'm trying to setup radius authentication for enable access on our networking gear and having a tough time getting a working config. I'd like to have FR check a group in LDAP for membership before authorizing. That is, I only want user's listed in the "uniquemember" attribute of the Operations group object to be granted access. Reading the FR docs this is possible -- I must be missing something. First, here are the relevant portions of my configs: Hint file: DEFAULT NAS-Port-Type == Virtual, Service-Type == NAS-Prompt-User, ldap_enable-Ldap-Group := "operations", Autz-Type := ldap_enable, Auth-Type := LDAP radius.conf: ldap ldap_enable{ server = "fds1.hq.powerset.com" basedn = "dc=powerset,dc=com" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" start_tls = yes tls_cacertfile = /opt/fedora-ds/alias/starfield.pem tls_require_cert = "demand" # Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 # ldap_debug = 1 # groupname_attribute = cn groupmembership_filter = "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))" timeout = 4 timelimit = 3 net_timeout = 3 # compare_check_items = yes # do_xlat = yes access_attr_used_for_allow = no set_auth_type = no } I have several LDAP instances defined in radius.config, but this is the one I want to use. I instantiate it first in radius.config so that hints can use it: instantiate { ldap_enable exec expr } And a corresponsing Autz-Type in radius.config: authorize { preprocess suffix ntdomain eap autztype ldap{ redundant { fds1 # fds2 } } autztype ldap_enable{ ldap_enable } files pap } Here's the debug output from when I try and connect: rad_recv: Access-Request packet from host 64.13.145.238:1024, id=96, length=71 User-Name = "dick" User-Password = "$$$$$$$$" NAS-IP-Address = 64.13.145.238 NAS-Identifier = "h2848-1" NAS-Port-Type = Virtual Service-Type = NAS-Prompt-User Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 hints: Matched DEFAULT at 35 <--- This is the correct entry modcall[authorize]: module "preprocess" returns ok for request 0 rlm_realm: No '@' in User-Name = "dick", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_realm: No '\' in User-Name = "dick", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "ntdomain" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 modcall[authorize]: module "files" returns notfound for request 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns ok) for request 0 It appears that FR is ignoring the Autz-Type I set in hints and just processes the entries in authorize in sequential order. This is the default behavior unless an Autz-Type is explicitly set (which I do in hints). How do I get the Autz-Type to kick-in and have FR send the request to the proper LDAP entry? Thanks in advance, -richard ____________________________________________________________________________________ Sucker-punch spam with award-winning protection. Try the free Yahoo! Mail Beta. http://advision.webevents.yahoo.com/mailbeta/features_spam.html
participants (1)
-
Richard Hesse