authorization based on ldap attribute
Hallo, I've configured freeradius to authenticate users with PEAP, using openldap to store NTLM hashes. It works fine. Now I'd like to authorize only people who have the ldap attribute "haDirittoEduroam" set to Y (or the other way round: not to authorize users with "haDirittoEduroam" set to N). Below an example openldap entry. Is there an easy way to achive this? dn: uid=uto.ughi@myorg.it,dc=myorg,dc=it objectClass: sambaSamAccount objectClass: inetOrgPerson objectClass: person objectClass: dirittoEduroam cn: Uto sn: Ughi uid: uto.ughi@myorg.it haDirittoEduroam: N sambaSID: 121212 userPassword: {SSHA}EnK9jqiVGSPNi6EQwpqdpjThBJHtZ1fi sambaNTPassword: 2B466E3D3FB6AA4BF8AAAFEF8F59F6F3 sambaLMPassword: E52CAC67419A9A224300941ECC02054C thanks a lot for your help, Stefano
On 19/09/12 17:03, Stefano Zanmarchi wrote:
Hallo, I've configured freeradius to authenticate users with PEAP, using openldap to store NTLM hashes. It works fine. Now I'd like to authorize only people who have the ldap attribute "haDirittoEduroam" set to Y (or the other way round: not to authorize users with "haDirittoEduroam" set to N). Below an example openldap entry. Is there an easy way to achive this?
1. Edit "raddb/dictionary" to define a local attribute to store the data ATTRIBUTE Eduroam-Enabled 3010 string 2. Modify "ldap.attrmap" to copy your LDAP attribute into this local RADIUS attribute: replyItem Eduroam-Enabled haDirittoEduroam 3. Check the attribute like so in "sites-enabled/inner-tunnel": authorize { ... ldap if (reply:Eduroam-Enabled != "Y") { reject } ... } There are probably other ways to do it, including using an "xlat" to lookup the attribute i.e. variation of step 2, or modifying the ldap queries to only "see" those users.
Thank you very much Phil! exactly what I needed, very well explained. I just did it the other way round "if (reply:Eduroam-Enabled == "N") { reject }" and it's working fine. Have a nice day, Stefano
1. Edit "raddb/dictionary" to define a local attribute to store the data
ATTRIBUTE Eduroam-Enabled 3010 string
2. Modify "ldap.attrmap" to copy your LDAP attribute into this local RADIUS attribute:
replyItem Eduroam-Enabled haDirittoEduroam
3. Check the attribute like so in "sites-enabled/inner-tunnel":
authorize { ... ldap if (reply:Eduroam-Enabled != "Y") { reject } ... }
With this reject command in the authorize section is there a method to
supply a custom reply message? An observation I made with the if statement as above, if the attribute is not present on the user object it will evaluate false, thus allowing the user access. Thu Sep 20 14:31:23 2012 : Info: ++? if (reply:RadiusAccess != "TRUE") Thu Sep 20 14:31:23 2012 : Info: (Attribute reply:RadiusAccess was not found) Thu Sep 20 14:31:23 2012 : Info: ? Evaluating (reply:RadiusAccess != "TRUE") -> FALSE Thu Sep 20 14:31:23 2012 : Info: ++? if (reply:RadiusAccess != "TRUE") -> FALSE This can prevented by following Phil's suggestion to only search for users with the required attribute filter = "(&(cn=%{%{Stripped-User-Name}:-%{User-Name}})(rADIUSEnableDialAccess=*))"
There are probably other ways to do it, including using an "xlat" to lookup the attribute i.e. variation of step 2, or modifying the ldap queries to only "see" those users. - List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
On 20/09/12 13:35, Gregg Douglas wrote:
With this reject command in the authorize section is there a method to supply a custom reply message?
Sure. if (...) { update reply { Reply-Message = "whatever you want" } reject } This is pretty basic use. I think people should be able to find this in the docs - do you have any suggestions where we should put (more) pointers?
An observation I made with the if statement as above, if the attribute is not present on the user object it will evaluate false, thus allowing the user access.
Again, sure. You can invert the sense of the check in whatever fashion suits you, as the OP did. You can also skip absence of the attribute e.g. if (reply:Eduroam-Enabled !* ANY) { # attr absent, permit noop } elsif (reply:Eduroam-Enabled == "N") { # definitely not permitted reject } ...and so on.
Thanks again, you pointed out a very important issue. I'll definitively apply one of the two suggested methods to check if the attribute is present before allowing a user access.
Hi stefano, I am trying to do similar what you have already done. I use AD for user authentication and trying to authorize users via our openldap based on group id (gid), I want to allow uses if they are exist in our LDAP from gid let say (600-700), if they are not in this range reject them with message "user doe not exist in LDAP". Do you have any suggestion or example ? K On Thu, Sep 20, 2012 at 3:44 PM, Stefano Zanmarchi <zanmarchi@gmail.com>wrote:
Thanks again, you pointed out a very important issue. I'll definitively apply one of the two suggested methods to check if the attribute is present before allowing a user access. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Gregg Douglas -
Khapare Joshi -
Phil Mayers -
Stefano Zanmarchi