Radius authentication against LDAP question
How do I enable Freeradius to not only authenticate the a user but verify a specific attribute for the user? I've been going though the docs but this is escaping me. Thanks.
In Thu, May 31, 2012 at 10:05 AM, Jimmy <g17jimmy@gmail.com> wrote:
How do I enable Freeradius to not only authenticate the a user but verify a specific attribute for the user? I've been going though the docs but this is escaping me.
Thanks. -
I'm not sure if this will help, but i have tutorial on how to configure two-factor authentication through freeradius with authorization by openldap. The setup uses the access_attr = "dialupAccess". I bet you can use whatever. http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-t... HTH, Nick -- -- Nick Owen WiKID Systems, Inc. http://www.wikidsystems.com Commercial/Open Source Two-Factor Authentication
Nick- I have found that we can use any attribute for the access, but I'm trying to expand our use of radius for another type of user login. In this case I've created an LDAP group for the new user role and have created a new radius virtual server to service the specific authentication and accounting. I have added the group membership checking to the ldap module, and set thefilter for posixGroup. The meaningful config changes and output are below- ===============/etc/raddb/modules/ldap (excerpt) groupname_attribute = cn groupmembership_filter = "(&(objectclass=posixGroup)(memberUid=%u))" ===============/etc/raddb/users DEFAULT LDAP-Group!="newgroup", Auth-Type:=Reject Reply-Message="You are not allowed to connect" ===============radiusd -X (excerpt) [files] expand: (&(objectclass=posixGroup)(memberUid=%u)) -> (&(objectclass=posixGroup)(memberUid=newhuser)) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=accounts,dc=abc,dc=xyz, with filter (&(cn=newgroup)(&(objectclass=posixGroup)(memberUid=newuser))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Group newgroup not found or user is not a member. [files] users: Matched entry DEFAULT at line 2 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = Reject ===============ldapsearch output # newgroup, groups, accounts, abc.xyz dn: cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz objectClass: top objectClass: groupofnames objectClass: nestedgroup objectClass: ldapusergroup objectClass: ldapobject objectClass: posixgroup cn: newgroup description: new group gidNumber: 895800006 ipaUniqueID: 5de42704-ab1d-11e1-8e07-525400579da7 member: uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz -- View this message in context: http://freeradius.1045715.n5.nabble.com/Radius-authentication-against-LDAP-q... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Playing with ldapsearch I see that the search string that radiusd -X is reporting to use indeed does not work: =====ldapsearch filter (from radiusd -X) performing search in cn=accounts,dc=abc,dc=xyz, with filter (&(cn=newgroup)(&(objectclass=posixGroup)(memberUid=newuser))) ===== Returns no entries. If I run ldap search with (&(cn=newgroup)(&(objectclass=posixGroup))) - removing the memberUid entry, it returns the entry for the group itself, so something is wrong with how I have the member uid configured. =====ldapsearch filter (filter trimmed to group) ldapsearch -x -b cn=accounts,dc=abc,dc=xyz "(&(cn=newgroup)(&(objectclass=posixGroup)))" # extended LDIF # # LDAPv3 # base <cn=accounts,dc=abc,dc=xyz> with scope subtree # filter: (&(cn=newgroup)(&(objectclass=posixGroup))) # requesting: ALL # # newgroup, groups, accounts, abc.xyz dn: cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz objectClass: top objectClass: groupofnames objectClass: nestedgroup objectClass: ldapsergroup objectClass: ldapobject objectClass: posixgroup cn: newgroup description: switch administrators gidNumber: 895800006 ipaUniqueID: 5de42704-ab1d-11e1-8e07-525400579da7 member: uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 ============ Any ideas? Thanks. -- View this message in context: http://freeradius.1045715.n5.nabble.com/Radius-authentication-against-LDAP-q... Sent from the FreeRadius - User mailing list archive at Nabble.com.
One question relating to this is about the /etc/raddb/users file- It doesn't seem to work as it's documented, If I have a group set to be rejected based on its membership like this: DEFAULT Group="disabled", Auth-Type:=Reject radius doesn't even check for group membership. The only way it seems to get directed to check membership is with a negative check (!=). DEFAULT LDAP-Group!="newgroup", Auth-Type:=Reject Regardless, I still can't figure out what filter would validate the user "newuser" as a member of "newgroup"- performing search in cn=accounts,dc=abc,dc=xyz, with filter (&(cn=newgroup)(&(memberOf="cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz")(uid=newuser))) This is the output of the ldapsearch that shows the group and the fact that the user is a member- # LDAPv3 # base <cn=accounts,dc=abc,dc=xyz> with scope subtree # filter: (&(cn=newgroup)) # requesting: ALL # # newgroup, groups, accounts, abc.xyz dn: cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz objectClass: top objectClass: groupofnames objectClass: nestedgroup objectClass: ldapsergroup objectClass: ldapobject objectClass: posixgroup cn: newgroup description: switch administrators gidNumber: 895800006 ipaUniqueID: 5de42704-ab1d-11e1-8e07-525400579da7 member: uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz -- View this message in context: http://freeradius.1045715.n5.nabble.com/Radius-authentication-against-LDAP-q... Sent from the FreeRadius - User mailing list archive at Nabble.com.
g17jimmy wrote:
One question relating to this is about the /etc/raddb/users file- It doesn't seem to work as it's documented,
Well... no.
If I have a group set to be rejected based on its membership like this:
DEFAULT Group="disabled", Auth-Type:=Reject
radius doesn't even check for group membership. The only way it seems to get directed to check membership is with a negative check (!=).
See "man users". Use Group == ... The operators do different things.
DEFAULT LDAP-Group!="newgroup", Auth-Type:=Reject
Regardless, I still can't figure out what filter would validate the user "newuser" as a member of "newgroup"-
LDAP-Group == "newgroup" Everyone else is using it. Alan DeKok.
Cool, thanks for pointing that out. My brain filtered out the '==', been staring at this screen too long. -- View this message in context: http://freeradius.1045715.n5.nabble.com/Radius-authentication-against-LDAP-q... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (4)
-
Alan DeKok -
g17jimmy -
Jimmy -
Nick Owen