Help with LDAP groupOfNames?
Sorry to re-post, but I'm still banging my head against the wall with this... If anyone could help, or provide a pointer to something that (obviously) I'm missing, it would be greatly appreciated. Hi, I've googled this to no avail (have been working on it for about 4 hours now). I'm running FreeRADIUS 1.1.0 (SuSE package) and OpenLDAP 2.3.19. I have an access point that will do captive portal, but only via RADIUS, not via LDAP natively. I already have an LDAP server running, so I just added a new groupOfNames called "WirelessUsers". Basically, *all* I want RADIUS to do is check the username and password, and assuming they are correct, either allow or deny based on whether the user is a member of "WirelessUsers". According to radtest, I have it working with LDAP, but it allows everyone with a valid username and password access, regardless of the WirelessUsers group - and I'm not seeing anything related to that group in the LDAP logs. I can't seem to find anything online for freeradius1 relating to groupOfNames, so I've just been trying random things that I found online (for raddb/users) hoping one would work. radiusd.conf: ldap { server = "127.0.0.1" basedn = "dc=example,dc=com" filter = "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))" start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_attribute = userPassword groupname_attribute = cn groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) groupmembership_attribute = "memberof" timeout = 4 timelimit = 3 net_timeout = 1 } users: #DEFAULT Auth-Type == LDAP # Fall-Through = Yes DEFAULT LDAP-Group == "WirelessUsers" Auth-Type := Reject #DEFAULT Ldap-Group != "WirelessUsers", Auth-Type := Reject # Reply-Message = "Sorry, your account has not yet been enabled for wireless access." #DEFAULT Huntgroup-Name == "wirelessusers", Ldap-Group=="WirelessUsers", Auth-Type = LDAP #DEFAULT Auth-Type := Reject #DEFAULT Ldap-Group == "WirelessUsers" # Fall-Through = no DEFAULT Ldap-Group == WirelessUsers Fall-Through = no DEFAULT Auth-Type := Reject I've tried all of the commented out stuff also, and none of it worked. All I want is (assuming username & password are correct) allow anyone who is in "WirelessUsers" group, deny everyone else. I'm sure this is horribly simple, but I just can't seem to figure it out from the docs or from extensive googling. Thanks for any help, Jason Antman
I've googled this to no avail (have been working on it for about 4 hours now). I'm running FreeRADIUS 1.1.0 (SuSE package) and OpenLDAP 2.3.19. I
Upgrade. This is much easier with unlang.
have an access point that will do captive portal, but only via RADIUS, not via LDAP natively. I already have an LDAP server running, so I just added a new groupOfNames called "WirelessUsers".
Basically, *all* I want RADIUS to do is check the username and password, and assuming they are correct, either allow or deny based on whether the user is a member of "WirelessUsers".
DEFAULT Ldap-Group == WirelessUsers DEFAULT Auth-Type := Reject That should work. Only members of WirelessUsers ldap group won't be rejected. Whatch the debug if something earlier in users file matches but hasn't got Fall-Through. Ivan Kalik Kalik Informatika ISP
participants (2)
-
Jason Antman -
tnt@kalik.net