FreeRADIUS and LDAP Groups
Now that I have FreeRADIUS authenticating users via MSCHAPv2 and the sambaNTPassword attributes, the next step in my project is to limit the system so that only users in certain user groups can log in. I'm using posixGroup groups, not groupOfNames or groupOfUniqueNames. In my modules/ldap files I have: groupname_attribute = "cn" groupmembership_attribute = "memberUid" groupmembership_filter = "(memberUid=%{Stripped-User-Name:-%{User-Name}})" In my users I have DEFAULT LDAP-Group == foo However, even with these configuration options set, anyone with a valid login and password can authenticate right now. In my "radiusd -X" I see: rlm_ldap: performing search in dc=blah, with filter (&(cn=foo)(memberUid=test)) rlm_ldap: object not found or got ambiguous search result But it then goes on the authenticate the user anyhow: rlm_ldap: user test authorized to use remote access I looked around on Google, and I see -lots- of stuff about configuring LDAP group checks, but I haven't found anything that's all too helpful right now. Is there some option that I have to set to tell the system to ignore a user that's not in the proper group? And then the follow-up question to this will be: is it possible to configure FreeRADIUS to check for membership in more than one group? Put another way, how can I let the system authenticate users in the "foo" group -or- in the "bar" group? Tim Gustafson SOE Webmaster UC Santa Cruz tjg@soe.ucsc.edu 831-459-5354
In my users I have
DEFAULT LDAP-Group == foo
However, even with these configuration options set, anyone with a valid login and password can authenticate right now. In my "radiusd -X" I see:
rlm_ldap: performing search in dc=blah, with filter (&(cn=foo)(memberUid=test)) rlm_ldap: object not found or got ambiguous search result
But it then goes on the authenticate the user anyhow:
rlm_ldap: user test authorized to use remote access
I looked around on Google, and I see -lots- of stuff about configuring LDAP group checks, but I haven't found anything that's all too helpful right now. Is there some option that I have to set to tell the system to ignore a user that's not in the proper group?
Add: DEFAULT Auth-Type := Reject at the end of the users file. If none of the groups match user will be rejected even with the correct password. Ivan Kalik Kalik Informatika ISP
Add: DEFAULT Auth-Type := Reject
Awesome, that worked. So, if I wanted to enable multiple LDAP groups, would this be the correct syntax: DEFAULT LDAP-Group == foo, Auth-Type := Accept DEFAULT LDAP-Group == bar, Auth-Type := Accept DEFAULT LDAP-Group == baz, Auth-Type := Accept DEFAULT Auth-Type := Reject Tim Gustafson SOE Webmaster UC Santa Cruz tjg@soe.ucsc.edu 831-459-5354
You don't need Auth-Type Accept (it will let people in even if the password is wrong). Processing of the users file stops with the first match without Fall-Trough. Ivan Kalik Kalik Informatika ISP Dana 12/12/2008, "Tim Gustafson" <tjg@soe.ucsc.edu> piše:
Add: DEFAULT Auth-Type := Reject
Awesome, that worked.
So, if I wanted to enable multiple LDAP groups, would this be the correct syntax:
DEFAULT LDAP-Group == foo, Auth-Type := Accept DEFAULT LDAP-Group == bar, Auth-Type := Accept DEFAULT LDAP-Group == baz, Auth-Type := Accept DEFAULT Auth-Type := Reject
Tim Gustafson SOE Webmaster UC Santa Cruz tjg@soe.ucsc.edu 831-459-5354 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Tim Gustafson -
tnt@kalik.net