Groups in active directory and checks in MySQL
Hello everyone, i know this might be considered a bizarre situation but well... i was just wondering if it's possible to do such a thing. I'm in a situation now where i can successfully retrieve group membership of users in the active directory LDAP tree using rlm_ldap, and check them against files. so if i have a user with "memberOf" attribute set to groupA and i set in the raddb/users the following entry: DEFAULTLdap-Group == "groupA", Auth-Type := Reject Reply-Message = "Not Allowed." i successfully deny access to that user. Since i'm already using MySQL for storing accounting informations i was really interested in being able to use the same backend (mysql) also for performing checks against groups. If i perform checks against usernames using the table radcheck they work properly (users retrieved from the LDAP backend), i've tried setting a radcheck like the following: userA Max-Daily-Session := 7200 and after 2 hours the user is unable to authenticate to the NAS because the time allowed has expired. But i cant seem to be able to do the same thing with the groups. i've configured sites-enabled/default like this: authorize { preprocess auth_log chap mschap digest suffix eap { ok = return } files ldap sql expiration logintime pap dailycounter } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } digest unix Auth-Type LDAP { ldap } eap } preacct { preprocess acct_unique suffix files } accounting { detail sql } session { radutmp } post-auth { ldap exec Post-Auth-Type REJECT { # log failed authentications in SQL, too. attr_filter.access_reject } } pre-proxy { } post-proxy { eap } radiusd.conf like this prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log/freeradius raddbdir = /etc/freeradius radacctdir = ${logdir}/radacct name = freeradius confdir = ${raddbdir} run_dir = ${localstatedir}/run/${name} db_dir = ${raddbdir} libdir = /usr/lib/freeradius pidfile = ${run_dir}/${name}.pid user = freerad group = freerad max_request_time = 30 cleanup_delay = 5 max_requests = 1024 listen { type = auth ipaddr = * port = 0 } listen { ipaddr = * port = 0 type = acct } hostname_lookups = no allow_core_dumps = no regular_expressions= yes extended_expressions= yes log { destination = files file = ${logdir}/radius.log syslog_facility = daemon stripped_names = no auth = no auth_badpass = no auth_goodpass = no } checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = yes } proxy_requests = yes $INCLUDE proxy.conf $INCLUDE clients.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { $INCLUDE ${confdir}/modules/ $INCLUDE eap.conf $INCLUDE sql.conf $INCLUDE sql/mysql/counter.conf } instantiate { exec expr expiration logintime } and sql.conf sql { database = "mysql" driver = "rlm_sql_${database}" server = "localhost" #port = 3306 login = "radius" password = "<removed>" radius_db = "radius" acct_table1 = "radacct" acct_table2 = "radacct" postauth_table = "radpostauth" authcheck_table = "radcheck" authreply_table = "radreply" groupcheck_table = "radgroupcheck" groupreply_table = "radgroupreply" usergroup_table = "radusergroup" deletestalesessions = yes sqltrace = no sqltracefile = ${logdir}/sqltrace.sql num_sql_socks = 5 connect_failure_retry_delay = 60 lifetime = 0 max_queries = 0 nas_table = "nas" $INCLUDE sql/${database}/dialup.conf $INCLUDE sql/${database}/counter.conf } any help is really welcome. thanks and sorry if i couldn't explain myself properly please correct me. -- Caselle da 1GB, trasmetti allegati fino a 3GB e in piu' IMAP, POP3 e SMTP autenticato? GRATIS solo con Email.it: http://www.email.it/f Sponsor: SUPERMARIO: Acquista Peluche e T-shirt Originali su mistercupido.com Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=12899&d=20130823 -- Caselle da 1GB, trasmetti allegati fino a 3GB e in piu' IMAP, POP3 e SMTP autenticato? GRATIS solo con Email.it http://www.email.it/f Sponsor: SIMPSON: Acquista Peluche, Gadget e Abbigliamento Originale su mistercupido.com Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=12901&d=23-8
Atomikramp wrote:
I'm in a situation now where i can successfully retrieve group membership of users in the active directory LDAP tree using rlm_ldap, and check them against files.
OK.
so if i have a user with "memberOf" attribute set to groupA and i set in the raddb/users the following entry:
DEFAULTLdap-Group == "groupA", Auth-Type := Reject Reply-Message = "Not Allowed."
i successfully deny access to that user.
That should map directly to the SQL tables.
Since i'm already using MySQL for storing accounting informations i was really interested in being able to use the same backend (mysql) also for performing checks against groups.
If i perform checks against usernames using the table radcheck they work properly (users retrieved from the LDAP backend), i've tried setting a radcheck like the following: userA Max-Daily-Session := 7200
and after 2 hours the user is unable to authenticate to the NAS because the time allowed has expired.
But i cant seem to be able to do the same thing with the groups.
Post the debug output. And what do you have in SQL?
i've configured sites-enabled/default like this:
Note that the FAQ, README, "man" pages, and web pages ALL say to post the debug output. We really don't care about the configuration. It doesn't show what happens when the server receives a request. Alan DeKok.
Il 23/08/2013 21:31, Alan DeKok ha scritto:
Post the debug output. And what do you have in SQL?
Hello, thanks for your reply and apologizes for the mistake, unfortunately (depending from the point of view) since it's weekend i won't be able to post any debug log till monday as i didn't bring the server home for the weekend nor i have a VPN to the work site :) 'till then, again, thank you very much for the reply and support. Sincerely Francesco
participants (3)
-
Alan DeKok -
Atomikramp -
Rampage