FreeRadius and LDAP/AD username/password check
Hi, Today I check the "etc/passwd" for the usernames and passwords and fetches the users default group from "etc/passwd". In the "users" file I have the rights for each group. My current config: OS: Solaris 10 FreeRadius: 1.1.7 Mysql: 5.0.51 - For logging and NAS clients OS packages installed: db-4.2.52.NC-sol9-sparc-local OS packages installed: freeradius-1.1.7-sol10-sparc-local OS packages installed: gcc-3.4.6-sol10-sparc-local OS packages installed: gdbm-1.8.3-sol9-sparc-local OS packages installed: libiconv-1.11-sol10-sparc-local OS packages installed: libtool-1.5.24-sol10-sparc-local OS packages installed: make-3.81-sol10-sparc-local OS packages installed: mysql-5.0.51-sol10-sparc-local OS packages installed: ncurses-5.6-sol10-sparc-local OS packages installed: netsnmp-5.4.1-sol10-sparc-local OS packages installed: openldap-2.3.35-sol10-sparc-local OS packages installed: openssl-0.9.8f-sol10-sparc-local OS packages installed: perl-5.8.8-sol10-sparc-local OS packages installed: sasl-2.1.21-sol10-sparc-local OS packages installed: zlib-1.2.3-sol10-sparc-local OS packages installed: Freeradius: 1.1.7 #etc/passwd testuser:x:103:500:Test User:/home/testuser:/bin/bash #etc/group admin-network::500: user-network::600: #/usr/local/etc/raddb/users DEFAULT Group == "admin-network", Auth-Type = System Service-Type = Administrative-User, Fall-Through = No #/usr/local/etc/raddb/huntgroups defaultgroup NAS-IP-Address == 192.168.1.20 Group = admin-network, Group = user-network Today the user "testuser" would get Administrative rights on the nas with IP=192.168.1.20 since he is a member of the group "admin-network". I have been browsing the mailing list, wiki and google trying to find out if anyone has done the following: 1. I want to check the username/password against LDAP/AD instead of directly towards "etc/passwd". 2. After that I would like to continue by fetching the user's default group from the Solaris 10 system (/"etc/passwd") to give it rights depending on which group the user belongs to. 3. I know that this means I still have to have the username in the "/etc/passwd" but this will keep the users from having different logins in our infrastructure. Best regards Mats Blomgren B - IP Engineer
Mats Blomgren B wrote:
Today I check the "etc/passwd" for the usernames and passwords and fetches the users default group from "etc/passwd".
I'm not so sure...
#/usr/local/etc/raddb/users DEFAULT Group == "admin-network", Auth-Type = System
This checks /etc/groups, via the getgrent() call. It sees if the user is a member of that group, not if that is the user's default group.
I have been browsing the mailing list, wiki and google trying to find out if anyone has done the following: 1. I want to check the username/password against LDAP/AD instead of directly towards "etc/passwd".
Configure the LDAP module. See the various howto's.
2. After that I would like to continue by fetching the user's default group from the Solaris 10 system (/"etc/passwd") to give it rights depending on which group the user belongs to.
You don't have to change anything in your current configuration. Alan DeKok.
participants (2)
-
Alan DeKok -
Mats Blomgren B