Freeradius with openldap
Hello, I've managed to set up freeradius with sql. When a user authenticates, the freeradius server returns the nas some attributes. In my case: Tunnel-Type = VLAN Tunnel-Medium-Type = IEEE-802 Tunnel-Private-Group-Id = 4 Now I'm trying to use openldap to authenticate my user # radtest myuser mypassword 127.0.0.1 1812 mysecret This command works. The mysecret is stored into the nas table and myuser/mypassword is stored in the openldap server. So I would say that the connectivity with the ldap server works perfectly But the command doesn't return the attributes I want. In the file sites-enabled/default I have authorize { #files #sql ldap I'm confuse how freeradius will proceed - Search for myuser in the ldap using the account I provided in modules/ldap - Check the users password - Should openldap return the attributes I mentioned above or can this be done with mysql ? - I'd like to return these attributes if myuser belongs to mygroup, mygroup is created in openldap and myuser belongs to mygroup I've seen the section in modules/ldap but I don't know how to test if I configured is correct groupname_attribute = cn groupmembership_filter = "(&(objectclass=posixGroup)(memberUid=%u))" Any advice is appreciated. Thank you
2013/11/12 Mik J <mikydevel@yahoo.fr>
I'm confuse how freeradius will proceed - Search for myuser in the ldap using the account I provided in modules/ldap - Check the users password
You can turn on LDAP debug, it helped me a lot. Check last section of ldap module config <------># ldap_debug: debug flag for LDAP SDK <------># (see OpenLDAP documentation). Set this to enable <------># huge amounts of LDAP debugging on the screen. <------># You should only use this if you are an LDAP expert. <------># <------>#<----->default: 0x0000 (no debugging messages) <------>#<----->Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) <------>ldap_debug = 0x0028.
groupmembership_filter = "(&(objectclass=posixGroup)(memberUid=%u))"
My groupmembership filter in 2.1.1 looks like this <------>groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})) <------> groupmembership_attribute = radiusGroupName Config syntax seems to hint that you have very old freeradius. Which version? Groups can be checked via LDAP-group variable A.
Hello Andres, Thank you for your answer. I use radiusd version 2.2.0 I found that groupmembership_filter when I googled for some answers but I have set it back to groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}) as it was in the original file I have enabled the ldap debug but I don't see anything related to the groups and any specific reply if a member belongs to a group. What should I use for the groupmembership_attribute variable, do I have to replace "radiusGroupName" ? Regards Le Mardi 12 novembre 2013 8h25, Andres Septer <andres.septer@gmail.com> a écrit :
2013/11/12 Mik J <mikydevel@yahoo.fr>
I'm confuse how freeradius will proceed - Search for myuser in the ldap using the account I provided in modules/ldap - Check the users password
You can turn on LDAP debug, it helped me a lot. Check last section of ldap module config <------># ldap_debug: debug flag for LDAP SDK <------># (see OpenLDAP documentation). Set this to enable <------># huge amounts of LDAP debugging on the screen. <------># You should only use this if you are an LDAP expert. <------># <------>#<----->default: 0x0000 (no debugging messages) <------>#<----->Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) <------>ldap_debug = 0x0028.
groupmembership_filter = "(&(objectclass=posixGroup)(memberUid=%u))"
My groupmembership filter in 2.1.1 looks like this
<------>groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})) <------> groupmembership_attribute = radiusGroupName
Config syntax seems to hint that you have very old freeradius. Which version?
Groups can be checked via LDAP-group variable
A.
How can I change the number of sessions per port in FreeRadius? Increase the number of sockets per port? Thanks
Clint Petty wrote:
How can I change the number of sessions per port in FreeRadius?
FreeRADIUS doesn't do port management.
Increase the number of sockets per port?
That makes absolutely no sense. Please don't invent your own words. Use words taken from the FreeRADIUS documentation and configuration files. If there's an error message, paste it into an email message. This is 2013. There's no excuse for re-phrasing things in your own words. Alan DeKok.
No error message, just asking the question, for fine tuning. Anyways, I figured it out. Thanks anyways -----Original Message----- From: freeradius-users-bounces+cpetty=luthresearch.com@lists.freeradius.org [mailto:freeradius-users-bounces+cpetty=luthresearch.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Tuesday, November 12, 2013 12:01 PM To: FreeRadius users mailing list Subject: Re: Increase the number of sessions per port, increase the number of sockets? Clint Petty wrote:
How can I change the number of sessions per port in FreeRadius?
FreeRADIUS doesn't do port management.
Increase the number of sockets per port?
That makes absolutely no sense. Please don't invent your own words. Use words taken from the FreeRADIUS documentation and configuration files. If there's an error message, paste it into an email message. This is 2013. There's no excuse for re-phrasing things in your own words. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Mik J wrote:
I've managed to set up freeradius with sql. When a user authenticates, the freeradius server returns the nas some attributes.
That's fine.
Now I'm trying to use openldap to authenticate my user # radtest myuser mypassword 127.0.0.1 1812 mysecret This command works. The mysecret is stored into the nas table and myuser/mypassword is stored in the openldap server. So I would say that the connectivity with the ldap server works perfectly
You shouldn't have to do *anything* else. The two pieces are independent.
But the command doesn't return the attributes I want.
In the file sites-enabled/default I have authorize { #files #sql ldap
OK... you disabled SQL. Why? It was returning attributes. You really seem to be making random changes in the hope that it will magically work. That is entirely the wrong approach.
I'm confuse how freeradius will proceed - Search for myuser in the ldap using the account I provided in modules/ldap - Check the users password
That's how LDAP works. You have it working.
- Should openldap return the attributes I mentioned above or can this be done with mysql ?
You already did this with MySQL. Why did you change it?
- I'd like to return these attributes if myuser belongs to mygroup, mygroup is created in openldap and myuser belongs to mygroup I've seen the section in modules/ldap but I don't know how to test if I configured is correct groupname_attribute = cn groupmembership_filter = "(&(objectclass=posixGroup)(memberUid=%u))"
You can do LDAP group checking via the LDAP-Group attribute. Put that into the MySQL "check" items: LDAP-Group == "name_of_group_to_check" If the group matches, the reply attributes will be returned. Alan DeKok.
Hello Alan, Thank you for your answer. I disabled SQL because I assumed radiusd shouldn't look into the radcheck table to perform an authentication since I wanted to use LDAP. To me it's a bit strange that radiusd will query this table everytime knowing that it won't be used because the authentication is based on LDAP. To make my tests I have: 1) Cleared any user's entry in the radcheck table 2) Added an entry into the radgroupcheck table as you suggested me | 6 | testgroup | LDAP-Group | == | radiusldapgroup | 3) Created the radiusldapgroup on my LDAP server and added a user 4) Checked the entries I have created in the past for that group in the radgroupreply +----+-----------+-------------------------+----+----------+ | id | groupname | attribute | op | value | +----+-----------+-------------------------+----+----------+ | 3 | testgroup | Tunnel-Type | = | VLAN | | 4 | testgroup | Tunnel-Medium-Type | = | IEEE-802 | | 5 | testgroup | Tunnel-Private-Group-Id | = | 4 | +----+-----------+-------------------------+----+----------+ 5) In the file /etc/raddb/modules/ldap have my group settings like that groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" groupmembership_attribute = radiusGroupName 6) Check that I have read_groups=yes in sql.conf 7) Restarted the radiusd server (I always use option -X at the moment) Unfortunately # radtest myuser mypassword 127.0.0.1 1812 mysecret doesn't send me the attributes. I received rad_recv: Access-Accept though I have a few questions: a) My users are sitting in my ldap server and not in mysql so I'm not supposed to have a Fall-Through entry in the radreply table for myuser. Right ? And should I have read_groups=yes in sql.conf (section authorize {) ? b) In /etc/raddb/sites-enabled/default, is the order important: first sql then ldap (default) or should it be first ldap then sql. I've noticed the debug output is different when I change the order. The reason is that, the user credential should be checked against ldap first and then according to its group the attributes should be sent by radiusd. That's why I tried to put ldap before sql c) I'm very confused about the line "groupmembership_attribute = radiusGroupName". Should I replace radiusGroupName by something else such as radiusldapgroup ? d) When I start radiusd -X (ldap_debug = 0x0028 is not commented), I don't see my ldap server returning a group in the output on the screen. I would like to make sure that my groupname_attribute, groupmembership_filter and groupmembership_attribute are correct. How can I see what user's groups are received by the radiusd server ? Regards Le Mardi 12 novembre 2013 20h37, Alan DeKok <aland@deployingradius.com> a écrit : Mik J wrote:
I've managed to set up freeradius with sql. When a user authenticates, the freeradius server returns the nas some attributes.
That's fine.
Now I'm trying to use openldap to authenticate my user # radtest myuser mypassword 127.0.0.1 1812 mysecret This command works. The mysecret is stored into the nas table and myuser/mypassword is stored in the openldap server. So I would say that the connectivity with the ldap server works perfectly
You shouldn't have to do *anything* else. The two pieces are independent.
But the command doesn't return the attributes I want.
In the file sites-enabled/default I have authorize { #files #sql ldap
OK... you disabled SQL. Why? It was returning attributes.
You really seem to be making random changes in the hope that it will magically work. That is entirely the wrong approach.
I'm confuse how freeradius will proceed - Search for myuser in the ldap using the account I provided in modules/ldap - Check the users password
That's how LDAP works. You have it working.
- Should openldap return the attributes I mentioned above or can this be done with mysql ?
You already did this with MySQL. Why did you change it?
- I'd like to return these attributes if myuser belongs to mygroup, mygroup is created in openldap and myuser belongs to mygroup I've seen the section in modules/ldap but I don't know how to test if I configured is correct groupname_attribute = cn groupmembership_filter = "(&(objectclass=posixGroup)(memberUid=%u))"
You can do LDAP group checking via the LDAP-Group attribute. Put that into the MySQL "check" items:
LDAP-Group == "name_of_group_to_check"
If the group matches, the reply attributes will be returned.
Alan DeKok.
Mik J wrote:
I disabled SQL because I assumed radiusd shouldn't look into the radcheck table to perform an authentication since I wanted to use LDAP.
That's your problem in a nutshell. You *assume* how things work. You don't *understand*. There's a huge difference between the two. The difference is why you're having problems.
To me it's a bit strange that radiusd will query this table everytime knowing that it won't be used because the authentication is based on LDAP.
Do you understand the difference between SQL and LDAP databases? Or the difference between the information FreeRADIUS gets from SQL and from LDAP?
To make my tests I have:
Maybe that works. I don't know, because you have divided the problem into pieces, and tested each piece. You're doing lots of things all at the same time.
Unfortunately # radtest myuser mypassword 127.0.0.1 1812 mysecret doesn't send me the attributes. I received rad_recv: Access-Accept though
So... you ran the server in debugging mode, but didn't bother to look at the output. Instead, you're only looking at the output of radtest. Do you want to solve the problem? If so, why are you trying HARD to avoid solving it?
I have a few questions:
So do I. Why am I answering your questions when you're not following instructions? You've followed some, sure. But the main one is to READ the output of debug mode, or at least post it here. You're not doing that.
a) My users are sitting in my ldap server and not in mysql so I'm not supposed to have a Fall-Through entry in the radreply table for myuser. Right ? And should I have read_groups=yes in sql.conf (section authorize {) ?
How about you read doc/rlm_sql? This is documented. I could cut & paste the answer here. But if you're too lazy to read the docs, I'm too lazy to cut & paste them here.
b) In /etc/raddb/sites-enabled/default, is the order important: first sql then ldap (default) or should it be first ldap then sql.
What do the docs say?
I've noticed the debug output is different when I change the order.
So you do read it... you just don't pay much attention to it.
The reason is that, the user credential should be checked against ldap first and then according to its group the attributes should be sent by radiusd. That's why I tried to put ldap before sql c) I'm very confused about the line "groupmembership_attribute = radiusGroupName". Should I replace radiusGroupName by something else such as radiusldapgroup ?
You should definitely NOT make random changes. It's clear you don't understand how it works. That's OK, but you should be asking questions about HOW it works, rather than looking for magical solutions.
d) When I start radiusd -X (ldap_debug = 0x0028 is not commented), I don't see my ldap server returning a group in the output on the screen.
It doesn't. It's not supposed to.
I would like to make sure that my groupname_attribute, groupmembership_filter and groupmembership_attribute are correct. How can I see what user's groups are received by the radiusd server ?
You don't. You use the LDAP-Group == "name" check, and the server does LDAP queries to see if the user is a member of that group. Again, you're stuck in magical thinking. You believe some random change will make it all magically work. It won't. You need to UNDERSTAND how it works. How the pieces work together. Only then will you be able to create a solution. Alan DeKok.
participants (4)
-
Alan DeKok -
Andres Septer -
Clint Petty -
Mik J