----- Original Message ----- From: "Matthew Newton" <mcn4@leicester.ac.uk> Sent: Tue, 3.4.2012 13:01 To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Subject: Re: MSSCHAP auth + LDAP authorizaton [SNIP] The LDAP module can be configured for group lookups - look about half way down modules/ldap, you'll find the group settings. Check radiusd -X to see what it's doing, as usual. Use unlang in your inner-tunnel authorize section to check the ldap group, something along the lines of (very untested): if (!(Ldap-group == 'cn=group,dc=example,dc=com')) { reject } OK, thats an interesting idea. This should go to inner tunnel, and inner tunnel only??? I found some example on lists archives (fortunately, they work again) and follwed this one. It only used "filter" statement. I have read docs/rlm_ldap but still dont't quite get, whats "filter" and "group" filter are for. I tried this configuration: Ldap module conf ldap { <------>server = "local.track.ee" <------>identity = "CN=ldapbind,OU=SBSUsers,OU=Users,OU=Navirec,DC=local,DC=track,DC=ee" <------>password = "XXXXXXXXXXXXXXX" <------>basedn = "DC=local,DC=track,DC=ee" <------>filter = "(&(SAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=CN=VPNUsers,OU=SBSUsers,OU=Users,OU=Navirec,DC=local,DC=track,DC=ee))" <------>#base_filter = "(objectclass=radiusprofile)" #debugging purposes ldap_debug = 0x0028 LDAP bind and queries tested in JExplorer, they work ok commented ldap in on authorization stanzas of innter-tunnel and tested. Here's output rad_recv: Access-Request packet from host 127.0.0.1 port 34775, id=2, length=141 User-Name = "freeradius.test" NAS-IP-Address = 10.128.160.4 NAS-Port = 0 Message-Authenticator = 0x530dad2e80d15ff25193eb9ff5834f96 MS-CHAP-Challenge = 0x043031fc454d971c MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000093e05fd8f5df4a2ae229f031aa0f4290ea1debe45039c363 Wed Apr 4 12:50:29 2012 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default Wed Apr 4 12:50:29 2012 : Info: +- entering group authorize {...} Wed Apr 4 12:50:29 2012 : Info: ++[preprocess] returns ok Wed Apr 4 12:50:29 2012 : Info: ++[chap] returns noop Wed Apr 4 12:50:29 2012 : Info: [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' Wed Apr 4 12:50:29 2012 : Info: ++[mschap] returns ok Wed Apr 4 12:50:29 2012 : Info: ++[digest] returns noop Wed Apr 4 12:50:29 2012 : Info: [suffix] No '@' in User-Name = "freeradius.test", looking up realm NULL Wed Apr 4 12:50:29 2012 : Info: [suffix] No such realm "NULL" Wed Apr 4 12:50:29 2012 : Info: ++[suffix] returns noop Wed Apr 4 12:50:29 2012 : Info: [eap] No EAP-Message, not doing EAP Wed Apr 4 12:50:29 2012 : Info: ++[eap] returns noop Wed Apr 4 12:50:29 2012 : Info: ++[files] returns noop Wed Apr 4 12:50:29 2012 : Info: [ldap] performing user authorization for freeradius.test Wed Apr 4 12:50:29 2012 : Info: [ldap] expand: %{Stripped-User-Name} -> Wed Apr 4 12:50:29 2012 : Info: [ldap] ... expanding second conditional Wed Apr 4 12:50:29 2012 : Info: [ldap] expand: %{User-Name} -> freeradius.test Wed Apr 4 12:50:29 2012 : Info: [ldap] expand: (&(SAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=CN=VPNUsers,OU=SBSUsers,OU=Users,OU=Navirec,DC=local,DC=track,DC=ee)) -> (&(SAMAccountName=freeradius.test)(memberOf=CN=VPNUsers,OU=SBSUsers,OU=Users,OU=Navirec,DC=local,DC=track,DC=ee)) Wed Apr 4 12:50:29 2012 : Info: [ldap] expand: DC=local,DC=track,DC=ee -> DC=local,DC=track,DC=ee Wed Apr 4 12:50:29 2012 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Wed Apr 4 12:50:29 2012 : Debug: [ldap] ldap_get_conn: Got Id: 0 Wed Apr 4 12:50:29 2012 : Debug: [ldap] attempting LDAP reconnection Wed Apr 4 12:50:29 2012 : Debug: [ldap] (re)connect to local.track.ee:389, authentication 0 Wed Apr 4 12:50:29 2012 : Debug: [ldap] bind as CN=ldapbind,OU=SBSUsers,OU=Users,OU=Navirec,DC=local,DC=track,DC=ee/XXXXXXXXXX to local.track.ee:389 Wed Apr 4 12:50:29 2012 : Debug: [ldap] waiting for bind result ... Wed Apr 4 12:50:29 2012 : Debug: [ldap] Bind was successful Wed Apr 4 12:50:29 2012 : Debug: [ldap] performing search in DC=local,DC=track,DC=ee, with filter (&(SAMAccountName=freeradius.test)(memberOf=CN=VPNUsers,OU=SBSUsers,OU=Users,OU=Navirec,DC=local,DC=track,DC=ee)) Wed Apr 4 12:50:29 2012 : Error: [ldap] ldap_search() failed: Operations error Wed Apr 4 12:50:29 2012 : Info: [ldap] search failed Wed Apr 4 12:50:29 2012 : Debug: [ldap] ldap_release_conn: Release Id: 0 Wed Apr 4 12:50:29 2012 : Info: ++[ldap] returns fail Wed Apr 4 12:50:29 2012 : Info: Using Post-Auth-Type Reject Wed Apr 4 12:50:29 2012 : Info: # Executing group from file /etc/raddb/sites-enabled/default Wed Apr 4 12:50:29 2012 : Info: +- entering group REJECT {...} Wed Apr 4 12:50:29 2012 : Info: [attr_filter.access_reject] expand: %{User-Name} -> freeradius.test Wed Apr 4 12:50:29 2012 : Debug: attr_filter: Matched entry DEFAULT at line 11 Wed Apr 4 12:50:29 2012 : Info: ++[attr_filter.access_reject] returns updated Wed Apr 4 12:50:29 2012 : Info: Delaying reject of request 0 for 1 seconds Wed Apr 4 12:50:29 2012 : Debug: Going to the next request Wed Apr 4 12:50:29 2012 : Debug: Waking up in 0.9 seconds. Wed Apr 4 12:50:30 2012 : Info: Sending delayed reject for request 0 Sending Access-Reject of id 2 to 127.0.0.1 port 34775 Why it fails on freeradius, though the query is correct. Am I following a wrong example afterall and Matthew's version is the way to go? Where goes initial LDAP configuration in Matthews suggestion? A.
participants (1)
-
Andres Septer