Freeradius 1.X.X and LDAP groups.
The scoop is I'm using Freeradius 1.1.3 under RHEL/Centos 5.2 and I'm trying to get authentication working so FreeRadius will authenticate a user OLNY if they are in a certain LDAP group.. In this case that group is called 'it'. Where I am at now is if the user is in or out of the 'it' group the authentication goes through ok (depending if the password is correct, of course). I would like the authenication to fail if the password is correct BUT the user is not in a certain ('it') group. Here are my configs snippets: ========= /etc/raddb/users =========== DEFAULT Auth-Type = LDAP Fall-Through = 1 DEFAULT LDAP-Group == it Service-Type = Administrative-User ========= /etc/raddb/radiusd.conf =========== ldap { server = "192.168.150.140" identity = "uid=admin,ou=People,dc=acme,dc=com" password = "BadPass" basedn = "dc=acme,dc=com" filter = "(uid=%u)" # base_filter = "(objectclass=radiusprofile)" start_tls = no # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" access_attr = uid # Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 groupname_attribute = cn groupmembership_filter = "(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))" groupmembership_attribute = it timeout = 4 timelimit = 3 net_timeout = 1 compare_check_items = yes # do_xlat = yes access_attr_used_for_allow = yes } ====== Output when user is OUT of the 'it' group ====== rad_recv: Access-Request packet from host 127.0.0.1:32770, id=213, length=59 User-Name = "vpntest" User-Password = "ChangeMeToo" NAS-IP-Address = 255.255.255.255 NAS-Port = 10 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "vpntest", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 1 users: Matched entry DEFAULT at line 152 rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'dc=acme,dc=com' radius_xlat: '(uid=vpntest)' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=acme,dc=com, with filter (uid=vpntest) rlm_ldap: ldap_release_conn: Release Id: 0 radius_xlat: '(&(objectClass=GroupOfNames)(member=uid\3dvpntest\2cou\3dPeople\2cdc\3dacme\2cdc\3dcom))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=acme,dc=com, with filter (&(cn=it)(&(objectClass=GroupOfNames)(member=uid\3dvpntest\2cou\3dPeople\2cdc\3dacme\2cdc\3dcom))) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in uid=vpntest,ou=People,dc=acme,dc=com, with filter (objectclass=*) rlm_ldap::ldap_groupcmp: ldap_get_values() failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "files" returns ok for request 1 modcall: leaving group authorize (returns ok) for request 1 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group LDAP for request 1 rlm_ldap: - authenticate rlm_ldap: login attempt by "vpntest" with password "ChangeMeToo" rlm_ldap: user DN: uid=vpntest,ou=People,dc=acme,dc=com rlm_ldap: (re)connect to 192.168.150.140:389, authentication 1 rlm_ldap: bind as uid=vpntest,ou=People,dc=acme,dc=com/ChangeMeToo to 192.168.150.140:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user vpntest authenticated succesfully modcall[authenticate]: module "ldap" returns ok for request 1 modcall: leaving group LDAP (returns ok) for request 1 Sending Access-Accept of id 213 to 127.0.0.1 port 32770 Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 213 with timestamp 4aa7438c Nothing to do. Sleeping until we see a request. ====== Output when user is IN of the 'it' group ====== rad_recv: Access-Request packet from host 127.0.0.1:32770, id=220, length=59 User-Name = "vpntest" User-Password = "ChangeMeToo" NAS-IP-Address = 255.255.255.255 NAS-Port = 10 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "vpntest", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 2 users: Matched entry DEFAULT at line 152 rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'dc=acme,dc=com' radius_xlat: '(uid=vpntest)' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=acme,dc=com, with filter (uid=vpntest) rlm_ldap: ldap_release_conn: Release Id: 0 radius_xlat: '(&(objectClass=GroupOfNames)(member=uid\3dvpntest\2cou\3dPeople\2cdc\3dacme\2cdc\3dcom))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=acme,dc=com, with filter (&(cn=it)(&(objectClass=GroupOfNames)(member=uid\3dvpntest\2cou\3dPeople\2cdc\3dacme\2cdc\3dcom))) rlm_ldap::ldap_groupcmp: User found in group it rlm_ldap: ldap_release_conn: Release Id: 0 users: Matched entry DEFAULT at line 155 modcall[authorize]: module "files" returns ok for request 2 modcall: leaving group authorize (returns ok) for request 2 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group LDAP for request 2 rlm_ldap: - authenticate rlm_ldap: login attempt by "vpntest" with password "ChangeMeToo" rlm_ldap: user DN: uid=vpntest,ou=People,dc=acme,dc=com rlm_ldap: (re)connect to 192.168.150.140:389, authentication 1 rlm_ldap: bind as uid=vpntest,ou=People,dc=acme,dc=com/ChangeMeToo to 192.168.150.140:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user vpntest authenticated succesfully modcall[authenticate]: module "ldap" returns ok for request 2 modcall: leaving group LDAP (returns ok) for request 2 Sending Access-Accept of id 220 to 127.0.0.1 port 32770 Service-Type = Administrative-User Finished request 2 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 2 ID 220 with timestamp 4aa743f8 Nothing to do. Sleeping until we see a request.
I've been playing around with this all day and I'm stumped. Does anyone have a config for ANY version of FreeRadius that works with LDAP groups? On Tue, Sep 8, 2009 at 11:17 PM, Michael March wrote:
The scoop is I'm using Freeradius 1.1.3 under RHEL/Centos 5.2 and I'm trying to get authentication working so FreeRadius will authenticate a user OLNY if they are in a certain LDAP group.. In this case that group is called 'it'.
Where I am at now is if the user is in or out of the 'it' group the authentication goes through ok (depending if the password is correct, of course). I would like the authenication to fail if the password is correct BUT the user is not in a certain ('it') group.
Here are my configs snippets:
========= /etc/raddb/users ===========
DEFAULT Auth-Type = LDAP Fall-Through = 1
DEFAULT LDAP-Group == it Service-Type = Administrative-User
========= /etc/raddb/radiusd.conf ===========
ldap { server = "192.168.150.140" identity = "uid=admin,ou=People,dc=acme,dc=com" password = "BadPass" basedn = "dc=acme,dc=com" filter = "(uid=%u)" # base_filter = "(objectclass=radiusprofile)"
start_tls = no
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" access_attr = uid
# Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
groupname_attribute = cn groupmembership_filter = "(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))" groupmembership_attribute = it timeout = 4 timelimit = 3 net_timeout = 1 compare_check_items = yes # do_xlat = yes access_attr_used_for_allow = yes }
Hello, In your LDAP config in radius, groupmembership_attribute = should correspond to the attribute name in your LDAP where you specify the group "it". And groupname_attribute should match in a standard config radiusGroupName. This is how it works on my config. Regards, Matt Michael March a écrit :
I've been playing around with this all day and I'm stumped.
Does anyone have a config for ANY version of FreeRadius that works with LDAP groups?
========= /etc/raddb/users ===========
DEFAULT Auth-Type = LDAP Fall-Through = 1
DEFAULT LDAP-Group == it Service-Type = Administrative-User
========= /etc/raddb/radiusd.conf ===========
ldap { server = "192.168.150.140" identity = "uid=admin,ou=People,dc=acme,dc=com" password = "BadPass" basedn = "dc=acme,dc=com" filter = "(uid=%u)" # base_filter = "(objectclass=radiusprofile)"
start_tls = no
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" access_attr = uid
# Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
groupname_attribute = cn groupmembership_filter = "(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))" groupmembership_attribute = it timeout = 4 timelimit = 3 net_timeout = 1 compare_check_items = yes # do_xlat = yes access_attr_used_for_allow = yes }
Michael March wrote:
I've been playing around with this all day and I'm stumped.
Please read the "man" page for the "users" file.
Does anyone have a config for ANY version of FreeRadius that works with LDAP groups?
Yes.
On Tue, Sep 8, 2009 at 11:17 PM, Michael March wrote:
The scoop is I'm using Freeradius 1.1.3 under RHEL/Centos 5.2 and I'm trying to get authentication working so FreeRadius will authenticate a user OLNY if they are in a certain LDAP group.. In this case that group is called 'it'.
That's simple enough.
DEFAULT Auth-Type = LDAP Fall-Through = 1
DEFAULT LDAP-Group == it Service-Type = Administrative-User
That configuration does NOT match your requirements. It: a) sets authentication to LDAP b) adds Service-Type... for users in the "it" LDAP group It's really that simple. What you want is: a) for users in "it" group, set LDAP authentication b) reject everyone else i.e. For (a), put the configuration in ONE entry in the "users" file. DEFAULT LDAP-Group == "it", Auth-Type = LDAP # NO FALL-THROUGH DEFAULT Auth-Type := Reject Alan DeKok.
Hi all , I am on the same problem ...and I wanna say one thing: DEFAULT LDAP-Group == "it",* Auth-Type = LDAP* ....doesn't work (as it mentioned in etc/radb/modules/ldap file ...That's all!!! freeradiusServer 2.1.6 2009/9/10 Alan DeKok <aland@deployingradius.com>
Michael March wrote:
I've been playing around with this all day and I'm stumped.
Please read the "man" page for the "users" file.
Does anyone have a config for ANY version of FreeRadius that works with LDAP groups?
Yes.
On Tue, Sep 8, 2009 at 11:17 PM, Michael March wrote:
The scoop is I'm using Freeradius 1.1.3 under RHEL/Centos 5.2 and I'm trying to get authentication working so FreeRadius will authenticate a user OLNY if they are in a certain LDAP group.. In this case that group is called 'it'.
That's simple enough.
DEFAULT Auth-Type = LDAP Fall-Through = 1
DEFAULT LDAP-Group == it Service-Type = Administrative-User
That configuration does NOT match your requirements. It:
a) sets authentication to LDAP b) adds Service-Type... for users in the "it" LDAP group
It's really that simple.
What you want is:
a) for users in "it" group, set LDAP authentication b) reject everyone else
i.e. For (a), put the configuration in ONE entry in the "users" file.
DEFAULT LDAP-Group == "it", Auth-Type = LDAP # NO FALL-THROUGH
DEFAULT Auth-Type := Reject
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- JJohnny R. Phone: +212663682554, +212533158575 Tangier National School of Applied Sciences ZIP 1818 TANGIER 90000 ---------Morocco ---------------
I am on the same problem ...and I wanna say one thing: DEFAULT LDAP-Group == "it",* Auth-Type = LDAP* ....doesn't work (as it mentioned in etc/radb/modules/ldap file ...That's all!!! freeradiusServer 2.1.6
Yes, just that they are not talking about that version but about ancient one where you *do* have to set Auth-Type.
The scoop is I'm using Freeradius 1.1.3 under RHEL/Centos 5.2
Ivan Kalik Kalik Informatika ISP
This worked great.. thanks! On Thu, Sep 10, 2009 at 1:12 AM, Alan DeKok <aland@deployingradius.com> wrote:
Michael March wrote:
I've been playing around with this all day and I'm stumped.
Please read the "man" page for the "users" file.
Does anyone have a config for ANY version of FreeRadius that works with LDAP groups?
Yes.
On Tue, Sep 8, 2009 at 11:17 PM, Michael March wrote:
The scoop is I'm using Freeradius 1.1.3 under RHEL/Centos 5.2 and I'm trying to get authentication working so FreeRadius will authenticate a user OLNY if they are in a certain LDAP group.. In this case that group is called 'it'.
That's simple enough.
DEFAULT Auth-Type = LDAP Fall-Through = 1
DEFAULT LDAP-Group == it Service-Type = Administrative-User
That configuration does NOT match your requirements. It:
a) sets authentication to LDAP b) adds Service-Type... for users in the "it" LDAP group
It's really that simple.
What you want is:
a) for users in "it" group, set LDAP authentication b) reject everyone else
i.e. For (a), put the configuration in ONE entry in the "users" file.
DEFAULT LDAP-Group == "it", Auth-Type = LDAP # NO FALL-THROUGH
DEFAULT Auth-Type := Reject
participants (5)
-
Alan DeKok -
Ivan Kalik -
José Johnny RANDRIAMAMPIONONA -
Matthieu Lazaro -
Michael March