Hi, I am new to freeradius and try to authenticate users with pam and authorize with ldap groups. I try to find a minimal configuration but have some problems forcing the Auth-Type to be PAM. I have radiusd.conf: prefix = /usr/local exec_prefix = ${prefix} sysconfdir = ${prefix}/etc localstatedir = ${prefix}/var sbindir = ${exec_prefix}/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd db_dir = $(raddbdir) libdir = ${exec_prefix}/lib pidfile = ${run_dir}/radiusd.pid max_request_time = 30 cleanup_delay = 5 max_requests = 1024 listen { ipaddr = * port = 0 type = auth } listen { ipaddr = * port = 0 type = acct } hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log { destination = files syslog_facility = daemon file = ${logdir}/radius.log stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = no $INCLUDE clients.conf snmp = no thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pam { pam_auth = radiusd } ldap { server = "192.168.2.1" port = 636 identity = "uid=ldapadmin,ou=external,dc=example,dc=com" password = controllme basedn = "ou=external,dc=example,dc=com" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls_mode = yes tls { start_tls = no cacertdir = /etc/certs } set_auth_type = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 header = "%t" suppress { User-Password } } detail auth_log { detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d detailperm = 0600 suppress { User-Password } } detail reply_log { detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } } $INCLUDE sites-enabled/ sites-enabled/default: authorize { auth_log ldap } authenticate { pam } preacct { acct_unique } accounting { detail } ldap.attrmap: checkItem $GENERIC$ radiusCheckItem replyItem $GENERIC$ radiusReplyItem If I run radiusd-X I get: rad_recv: Access-Request packet from host 127.0.0.1 port 63402, id=76, length=58 User-Name = "fred" User-Password = "hamster" NAS-IP-Address = 192.168.1.1 NAS-Port = 0 +- entering group authorize expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20080123 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20080123 expand: %t -> Wed Jan 23 19:53:47 2008 ++[auth_log] returns ok rlm_ldap: - authorize rlm_ldap: performing user authorization for fred WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=fred) expand: ou=external,dc=example,dc=com -> ou=external,dc=example,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: setting TLS CACert Directory to /etc/certs rlm_ldap: starting SSL rlm_ldap: (re)connect to 10.129.189.34:5636, authentication 0 rlm_ldap: bind as uid=ldapadmin,ou=external,dc=example,dc=com/controlme to 192.2.1.1:636 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=networks,ou=external,dc=example,dc=com, with filter (uid=fred) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? rlm_ldap: user fred authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [fred/hamster] (from client localhost port 0) Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 189 to 127.0.0.1 port 63418 Waking up in 4.9 seconds. Cleaning up request 0 ID 189 with timestamp +3 Ready to process requests. Only if I set set_auth_type = yes in radiusd.conf for ldap and change authorize in default to: Auth-Type LDAP { pam } I get a successful login. Is there any other way to force Auth-Type tp be PAM for all users ? Is there also a way to disable the use of the ldap.attribute mapping as I really don't need it ? Thank you Markus
Markus Moeller wrote:
I am new to freeradius and try to authenticate users with pam and authorize with ldap groups. I try to find a minimal configuration but have some problems forcing the Auth-Type to be PAM.
You are aware that this will make EAP and many other authentication methods impossible? ...
authorize { auth_log ldap }
You can add the following just after ldap: update control { Auth-Type := PAM }
Only if I set set_auth_type = yes in radiusd.conf for ldap and change authorize in default to: Auth-Type LDAP { pam }
Please don't do that.
Is there also a way to disable the use of the ldap.attribute mapping as I really don't need it ?
You'll have to edit the source code. Alan DeKok.
"Alan DeKok" <aland@deployingradius.com> wrote in message news:47982BF4.7090801@deployingradius.com...
Markus Moeller wrote:
I am new to freeradius and try to authenticate users with pam and authorize with ldap groups. I try to find a minimal configuration but have some problems forcing the Auth-Type to be PAM.
You are aware that this will make EAP and many other authentication methods impossible?
That is not my requirement right now
...
authorize { auth_log ldap }
You can add the following just after ldap:
update control { Auth-Type := PAM }
Only if I set set_auth_type = yes in radiusd.conf for ldap and change authorize in default to: Auth-Type LDAP { pam }
That was the only way I could get it to work. If I use update control anybody can login, whereas in my setup only a user who exits in ldap get AUth-Type set to LDAP all other users have an empty value and therefore can not authenticate.
Please don't do that.
Is there also a way to disable the use of the ldap.attribute mapping as I really don't need it ?
You'll have to edit the source code.
I have changed my setup to use files and a users file together with a "private" radius attribute mapped to an ldap entry. e.g. dictionary has: Attribute user-location 3000 string ldap.attrmap: checkitem user-location office-address in users I have DEFAULT user-location == "LDN", Auth-Type := Reject Reply-message = "You are not allowed to login" DEFAULT AUTH-Type := PAM in site-enabled/default I have Authorize { ldap files } authenticate { pam } Unfortunatly that does not work as I never hit the first default statement in users despite having a user-location of LDN. What do I do wrong here ? How can I use an ldap query result to deny/allow access ?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thank you Markus
Markus Moeller wrote:
That was the only way I could get it to work. If I use update control anybody can login, whereas in my setup only a user who exits in ldap get AUth-Type set to LDAP all other users have an empty value and therefore can not authenticate.
The LDAP module setting Auth-Type to LDAP is a bit of a hack. I understand that you're depending on it, but the behavior may change in the future. It's changed (slightly) in the past, to fix some issues. It's better to have the policy *explicitly* state what you want.
I have changed my setup to use files and a users file together with a "private" radius attribute mapped to an ldap entry
That's reasonable. It's a pretty simple fix to permit an empty ldap.attrmap definition.
in users I have DEFAULT user-location == "LDN", Auth-Type := Reject Reply-message = "You are not allowed to login" DEFAULT AUTH-Type := PAM
That should mostly work. In 2.0, it's much easier just to put that directly in a policy in a configuration file.
Unfortunatly that does not work as I never hit the first default statement in users despite having a user-location of LDN. What do I do wrong here ? How can I use an ldap query result to deny/allow access ?
if ("%{ldap: stuff... }" == "bar") { ... } Alan DeKok.
"Alan DeKok" <aland@deployingradius.com> wrote in message news:4798BE25.6050300@deployingradius.com...
Markus Moeller wrote:
That was the only way I could get it to work. If I use update control anybody can login, whereas in my setup only a user who exits in ldap get AUth-Type set to LDAP all other users have an empty value and therefore can not authenticate.
The LDAP module setting Auth-Type to LDAP is a bit of a hack. I understand that you're depending on it, but the behavior may change in the future. It's changed (slightly) in the past, to fix some issues.
It's better to have the policy *explicitly* state what you want.
I have changed my setup to use files and a users file together with a "private" radius attribute mapped to an ldap entry
That's reasonable. It's a pretty simple fix to permit an empty ldap.attrmap definition.
in users I have DEFAULT user-location == "LDN", Auth-Type := Reject Reply-message = "You are not allowed to login" DEFAULT AUTH-Type := PAM
That should mostly work. In 2.0, it's much easier just to put that directly in a policy in a configuration file.
Unfortunatly that does not work as I never hit the first default statement in users despite having a user-location of LDN. What do I do wrong here ? How can I use an ldap query result to deny/allow access ?
if ("%{ldap: stuff... }" == "bar") { ... }
I didn't know that is possible. Where is this documented ? I thought I read all FAQ and documentations. The other questions I have is about the AV pairs used. As far as I understand freeradius uses request, reply, check_tmp, internal only AV pairs. Is there a document which module uses which for what purpose ? Is there a process flow diagram somewhere describing how freeradius works ? I understand 1)client -> server sends a request AV pair 2) server processes first authorisation modules and if fails end ? 3) server processes authentication modules and if fails end ? 4) server -> client sends reply AV pair What is the use of check(item) AV pairs ? Is it to communicate between modules ?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thank you Markus
Markus Moeller wrote:
if ("%{ldap: stuff... }" == "bar") { ... I didn't know that is possible. Where is this documented ? I thought I read all FAQ and documentations.
It's not really well documented, because it's not well tested. If it works, great. If not...
The other questions I have is about the AV pairs used. As far as I understand freeradius uses request, reply, check_tmp, internal only AV pairs. Is there a document which module uses which for what purpose ?
doc/aaa.txt
Is there a process flow diagram somewhere describing how freeradius works ?
Nope.
I understand 1)client -> server sends a request AV pair 2) server processes first authorisation modules and if fails end ? 3) server processes authentication modules and if fails end ? 4) server -> client sends reply AV pair
What is the use of check(item) AV pairs ? Is it to communicate between modules ?
Among other things. It's for things associated with the request that don't need to go into a packet. Alan DeKok.
OK I think I understand it now better. And I can do everything with unlang and ldap and no files module as I didn't find a way to use control AV pairs in the users file. I do now in sites-enabled/default the following: authorize { auth_log ldap if (control:User-Location != "LDN" ) { update control { Auth-Type := PAM } update reply { Reply-Message = " Accepted " } } else { update control { Auth-Type := Reject } update reply { Reply-Message = " Rejected " } } } authenticate { pam } preacct { acct_unique } accounting { detail } with user-location being mapped in ldap.attrmap to an ldap attribute of the user. Does that look OK ? Thank you Markus BTW Are you intereseted in my Mozilla SDK patch for the ldap module ? "Alan DeKok" <aland@deployingradius.com> wrote in message news:479AF6D3.9070304@deployingradius.com...
Markus Moeller wrote:
if ("%{ldap: stuff... }" == "bar") { ... I didn't know that is possible. Where is this documented ? I thought I read all FAQ and documentations.
It's not really well documented, because it's not well tested. If it works, great. If not...
The other questions I have is about the AV pairs used. As far as I understand freeradius uses request, reply, check_tmp, internal only AV pairs. Is there a document which module uses which for what purpose ?
doc/aaa.txt
Is there a process flow diagram somewhere describing how freeradius works ?
Nope.
I understand 1)client -> server sends a request AV pair 2) server processes first authorisation modules and if fails end ? 3) server processes authentication modules and if fails end ? 4) server -> client sends reply AV pair
What is the use of check(item) AV pairs ? Is it to communicate between modules ?
Among other things. It's for things associated with the request that don't need to go into a packet.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Markus Moeller wrote:
OK I think I understand it now better. And I can do everything with unlang and ldap and no files module as I didn't find a way to use control AV pairs in the users file. ... Does that look OK ?
It looks fine. It could be simplified a little, but it's OK. Alan DeKok.
participants (2)
-
Alan DeKok -
Markus Moeller