I'm trying to understand the relationship between the modules in the authorize {} and authenticate {} sections and how it relates to the directives defined in users. EAP-TLS works fine, but I can't seem to figure how to get make the ldap authorization reject a user. DEFAULT Auth-Type := eap, Autz-Type := ldap authorize{ preprocess ldap eap } authenticate { eap } ldap { server = "our-server.itc.virginia.edu" identity = "uid=uva-all,ou=ITC-User,ou=It,o=University of Virginia,c=US" password = "our-password" basedn = "o=University of Virginia,c=US" filter = "(wirelessAccess=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=Person)" start_tls = no access_attr = "wirelessAccess" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 access_attr_used_for_allow = yes } In the ldap server logs show multiple queries, which are not returning anything. This can be confirmed with: ldapsearch -b "o=University of Virginia,c=US" wirelessAccess=kmm6b wirelessAccess which returns nothing. If nothing is returned shouldn't the authorization fail? I'm missing something, hopefully not too obvious... ------------------------------------------------------------------------ Keith Moores <mailto:kmm6b@virginia.edu> Network Systems ITC-Communications and Systems Division University of Virginia, ITC-2015 Ivy Rd Phone (434) 924-0621 Box 400324, Charlottesville, VA 22904-4324 Fax (434) 982-4715
Keith Moores <kmm6b@virginia.edu> wrote:
I'm trying to understand the relationship between the modules in the authorize {} and authenticate {} sections and how it relates to the directives defined in users.
The "users" file is just another "authorization" module. See also doc/aaa.txt
EAP-TLS works fine, but I can't seem to figure how to get make the ldap authorization reject a user.
See the ldap section of radiusd.conf. You can say "user is not allowed for remote access"
In the ldap server logs show multiple queries, which are not returning anything. This can be confirmed with: ldapsearch -b "o=University of Virginia,c=US" wirelessAccess=kmm6b wirelessAccess which returns nothing. If nothing is returned shouldn't the authorization fail?
No. Why would it? LDAP is just one possible database out of many. You may have some users in LDAP, and others in SQL. See doc/configurable_failover. You can configure the server to reject users if the LDAP module returns NOOP. Alan DeKok.
participants (2)
-
Alan DeKok -
Keith Moores