users advanced configuration
Hi I have a little hard to configure freeradius. here is what i want to do : I want to run an hotspot with different accounts which give different connection time. I have an openldap server with this organisation : dc=com | dc=exempl | | ou=heure ou=jour | | uid=user1 uid=user2 What i have running now : I can authenticate a users with a time limit. Here is my users file : DEFAULT Auth-Type = ldap,Max-Daily-Session := 3600 I want add a second line with correspond to a day like this : DEFAULT Auth-Type = ldap,Max-Daily-Session := 86400 and i want that user from ou=heure use the first one and user from ou=jour use the policy with a day time which attribute should i add to this line or how should i do to realize this. I haven t found any clue on the net how to do this. Here is my ldap conf in radiusd.conf : server = "192.168.20.240" # ip de la machine avec le serveur ldap identity = "cn=admin,dc=exempl,dc=lcom" # login sur le serveur ldap password = "******" # mots de passe sur le serveur ldap basedn = "dc=exempl,dc=com" # base de recherche sur le serveur ldap filter ="uid=%u" # filtre de recherche ( ici tout utilisateur ) ldap_connections_number = 5 # nombre de tentative de connection timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${raddbdir}/ldap.attrmap edir_account_policy_check = no Sorry for my bad english and thanks for your help If you need more informations just tell me Tribolet Thomas
Use groups in ldap and configure groupmembership part of radiusd.conf ldap configuration. Add users to the groups and use: DEFAULT Ldap-Group = "heure", Max-Daily-Session := 3600 to set the attributes. Don't use Auth-Type. Ldap module should set Auth-Type ldap (see set_auth_type configuration option) itself. Ivan Kalik Kalik Informatika ISP Dana 16/5/2008, "tribestom" <tribes.tom@gmail.com> piše:
Hi
I have a little hard to configure freeradius. here is what i want to do :
I want to run an hotspot with different accounts which give different connection time.
I have an openldap server with this organisation :
dc=com | dc=exempl
| | ou=heure ou=jour | | uid=user1 uid=user2
What i have running now :
I can authenticate a users with a time limit.
Here is my users file :
DEFAULT Auth-Type = ldap,Max-Daily-Session := 3600
I want add a second line with correspond to a day like this :
DEFAULT Auth-Type = ldap,Max-Daily-Session := 86400
and i want that user from ou=heure use the first one and user from ou=jour use the policy with a day time
which attribute should i add to this line or how should i do to realize this. I haven t found any clue on the net how to do this.
Here is my ldap conf in radiusd.conf :
server = "192.168.20.240" # ip de la machine avec le serveur ldap identity = "cn=admin,dc=exempl,dc=lcom" # login sur le serveur ldap password = "******" # mots de passe sur le serveur ldap basedn = "dc=exempl,dc=com" # base de recherche sur le serveur ldap filter ="uid=%u" # filtre de recherche ( ici tout utilisateur ) ldap_connections_number = 5 # nombre de tentative de connection timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${raddbdir}/ldap.attrmap edir_account_policy_check = no
Sorry for my bad english and thanks for your help
If you need more informations just tell me
Tribolet Thomas
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I have already test with group, it runs but i would like to avoir using groups if it s possible I prefer just use "ou". It will be much more easy for the administration. Thks for the tip about Auth-Type 2008/5/16 Ivan Kalik <tnt@kalik.net>:
Use groups in ldap and configure groupmembership part of radiusd.conf ldap configuration. Add users to the groups and use:
DEFAULT Ldap-Group = "heure", Max-Daily-Session := 3600
to set the attributes. Don't use Auth-Type. Ldap module should set Auth-Type ldap (see set_auth_type configuration option) itself.
Ivan Kalik Kalik Informatika ISP
Dana 16/5/2008, "tribestom" <tribes.tom@gmail.com> piše:
Hi
I have a little hard to configure freeradius. here is what i want to do :
I want to run an hotspot with different accounts which give different connection time.
I have an openldap server with this organisation :
dc=com | dc=exempl
| | ou=heure ou=jour | | uid=user1 uid=user2
What i have running now :
I can authenticate a users with a time limit.
Here is my users file :
DEFAULT Auth-Type = ldap,Max-Daily-Session := 3600
I want add a second line with correspond to a day like this :
DEFAULT Auth-Type = ldap,Max-Daily-Session := 86400
and i want that user from ou=heure use the first one and user from ou=jour use the policy with a day time
which attribute should i add to this line or how should i do to realize this. I haven t found any clue on the net how to do this.
Here is my ldap conf in radiusd.conf :
server = "192.168.20.240" # ip de la machine avec le serveur ldap identity = "cn=admin,dc=exempl,dc=lcom" # login sur le serveur ldap password = "******" # mots de passe sur le serveur ldap basedn = "dc=exempl,dc=com" # base de recherche sur le serveur ldap filter ="uid=%u" # filtre de recherche ( ici tout utilisateur ) ldap_connections_number = 5 # nombre de tentative de connection timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${raddbdir}/ldap.attrmap edir_account_policy_check = no
Sorry for my bad english and thanks for your help
If you need more informations just tell me
Tribolet Thomas
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
UNCLASSIFIED Why not test Ldap-UserDN using a regexp. It will contain the users' OU as part of the full distinguished name. regards, Frank Ranner ________________________________ From: freeradius-users-bounces+frank.ranner=defence.gov.au@lists.freeradius.org [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au@lists.freeradius.org] On Behalf Of Tribes Tom Sent: Friday, 16 May 2008 21:05 To: FreeRadius users mailing list Subject: Re: users advanced configuration I have already test with group, it runs but i would like to avoir using groups if it s possible I prefer just use "ou". It will be much more easy for the administration. Thks for the tip about Auth-Type 2008/5/16 Ivan Kalik <tnt@kalik.net>: Use groups in ldap and configure groupmembership part of radiusd.conf ldap configuration. Add users to the groups and use: DEFAULT Ldap-Group = "heure", Max-Daily-Session := 3600 to set the attributes. Don't use Auth-Type. Ldap module should set Auth-Type ldap (see set_auth_type configuration option) itself. Ivan Kalik Kalik Informatika ISP Dana 16/5/2008, "tribestom" <tribes.tom@gmail.com> piše: >Hi > >I have a little hard to configure freeradius. here is what i want to >do : > >I want to run an hotspot with different accounts which give different >connection time. > >I have an openldap server with this organisation : > > dc=com > | > dc=exempl > > | | > ou=heure ou=jour > | | > uid=user1 uid=user2 > > >What i have running now : > >I can authenticate a users with a time limit. > >Here is my users file : > >DEFAULT Auth-Type = ldap,Max-Daily-Session := 3600 > >I want add a second line with correspond to a day like this : > >DEFAULT Auth-Type = ldap,Max-Daily-Session := 86400 > > and i want that user from ou=heure use the first one and user from >ou=jour use the policy with a day time > >which attribute should i add to this line or how should i do to realize >this. I haven t found any clue on the net how to do this. > >Here is my ldap conf in radiusd.conf : > >server = "192.168.20.240" # ip de la machine avec le serveur ldap > identity = "cn=admin,dc=exempl,dc=lcom" # login sur le serveur ldap > password = "******" # mots de passe sur le serveur ldap > basedn = "dc=exempl,dc=com" # base de recherche sur le serveur ldap > filter ="uid=%u" # filtre de recherche ( ici tout utilisateur ) > ldap_connections_number = 5 # nombre de tentative de connection > timeout = 4 > timelimit = 3 > net_timeout = 1 > tls { > start_tls = no > } > dictionary_mapping = ${raddbdir}/ldap.attrmap > edir_account_policy_check = no > >Sorry for my bad english and thanks for your help > >If you need more informations just tell me > > >Tribolet >Thomas > > > > > >- >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Can you explain how to do this ? I have try this : DEFAULT Auth-Type = ldap,Max-Daily-Session := 3600,Ldap-UserDN := `uid=%{User-Name},ou=heure,dc=network,dc=local` DEFAULT Auth-Type = ldap,Max-Daily-Session := 86400,Ldap-UserDN := `uid=%{User-Name},ou=jour,dc=network,dc=local` DEFAULT Auth-Type = ldap,Max-Daily-Session := 604800,Ldap-UserDN := `uid=%{User-Name},ou=semaine,dc=network,dc=local` But when i try with user from different ou, it always use the max-daily-session from the first policy Thanks for help Thomas Tribolet 2008/5/19 Ranner, Frank MR <Frank.Ranner@defence.gov.au>:
*UNCLASSIFIED*
Why not test Ldap-UserDN using a regexp. It will contain the users' OU as part of the full distinguished name.
regards, Frank Ranner
------------------------------ *From:* freeradius-users-bounces+frank.ranner=defence.gov.au@ lists.freeradius.org [mailto:freeradius-users-bounces+frank.ranner<freeradius-users-bounces%2Bfrank.ranner> =defence.gov.au@lists.freeradius.org] *On Behalf Of *Tribes Tom *Sent:* Friday, 16 May 2008 21:05 *To:* FreeRadius users mailing list *Subject:* Re: users advanced configuration
I have already test with group, it runs but i would like to avoir using groups if it s possible
I prefer just use "ou". It will be much more easy for the administration.
Thks for the tip about Auth-Type
2008/5/16 Ivan Kalik <tnt@kalik.net>:
Use groups in ldap and configure groupmembership part of radiusd.conf ldap configuration. Add users to the groups and use:
DEFAULT Ldap-Group = "heure", Max-Daily-Session := 3600
to set the attributes. Don't use Auth-Type. Ldap module should set Auth-Type ldap (see set_auth_type configuration option) itself.
Ivan Kalik Kalik Informatika ISP
Dana 16/5/2008, "tribestom" <tribes.tom@gmail.com> piše:
Hi
I have a little hard to configure freeradius. here is what i want to do :
I want to run an hotspot with different accounts which give different connection time.
I have an openldap server with this organisation :
dc=com | dc=exempl
| | ou=heure ou=jour | | uid=user1 uid=user2
What i have running now :
I can authenticate a users with a time limit.
Here is my users file :
DEFAULT Auth-Type = ldap,Max-Daily-Session := 3600
I want add a second line with correspond to a day like this :
DEFAULT Auth-Type = ldap,Max-Daily-Session := 86400
and i want that user from ou=heure use the first one and user from ou=jour use the policy with a day time
which attribute should i add to this line or how should i do to realize this. I haven t found any clue on the net how to do this.
Here is my ldap conf in radiusd.conf :
server = "192.168.20.240" # ip de la machine avec le serveur ldap identity = "cn=admin,dc=exempl,dc=lcom" # login sur le serveur ldap password = "******" # mots de passe sur le serveur ldap basedn = "dc=exempl,dc=com" # base de recherche sur le serveur ldap filter ="uid=%u" # filtre de recherche ( ici tout utilisateur ) ldap_connections_number = 5 # nombre de tentative de connection timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${raddbdir}/ldap.attrmap edir_account_policy_check = no
Sorry for my bad english and thanks for your help
If you need more informations just tell me
Tribolet Thomas
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
UNCLASSIFIED From: freeradius-users-bounces+frank.ranner=defence.gov.au@lists.freeradius.or g [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au@lists.freer adius.org] On Behalf Of Tribes Tom Sent: Monday, 19 May 2008 18:33 To: FreeRadius users mailing list Subject: Re: users advanced configuration [SEC=UNCLASSIFIED] Can you explain how to do this ? I have try this : DEFAULT Auth-Type = ldap,Max-Daily-Session := 3600,Ldap-UserDN := `uid=%{User-Name},ou=heure,dc=network,dc=local` All three element of your test are assignments that always return true. You compare using == not := Try: DEFAULT Ldap-UserDN == `uid=%{User-Name},ou=heure,dc=network,dc=local`, Max-Daily-Session := 3600 Or DEFAULT Ldap-UserDN =~ "^uid=.*,ou=heure,dc=network,dc=local$", Max-Daily-Session := 3600 Matching is done from left to right, so Max-Daily-Session is only set if the Ldap-UserDN matches. It is probably unnecessary to set Auth-Type. Regards, Frank Ranner
Thks for your help, it s very interesting. I have a little hard to understand how it works and it help me much. But I can t made it run :s When i try with line you have show me. I can't log with any user. My server openldap say there isn't any connection from freeradius in his log here is an exemple of one user : dn: uid=Thomas01,ou=heure,dc=network,dc=local objectClass: account objectClass: simpleSecurityObject objectClass: top uid: Thomas01 In freeradius here is result of : freeradius -xxyz Thread 2 handling request 1, (1 handled so far) User-Name = "Thomas01" User-Password = "*******" NAS-IP-Address = 0.0.0.0 Service-Type = Login-User Framed-IP-Address = 192.168.x.3 Calling-Station-Id = "00-18-DE-C8-D9-87" Called-Station-Id = "00-0C-29-8A-5B-1C" NAS-Identifier = "nas01" Acct-Session-Id = "48327d7900000001" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Message-Authenticator = 0x25d1a7b602061b5167c20539366b1e8d WISPr-Logoff-URL = "http://192.168.x.1:3990/logoff" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 1 modcall[authorize]: module "files" returns notfound for request 1 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 1 rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair modcall[authorize]: module "daily" returns noop for request 1 modcall: leaving group authorize (returns ok) for request 1 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [Thomas01] (from client hotspot port 1 cli 00-18-DE-C8-D9-87) Delaying request 1 for 1 seconds Finished request 1 Going to the next request Thread 2 waiting to be assigned a request --- Walking the entire request list --- Cleaning up request 0 ID 0 with timestamp 483280f4 Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... rad_recv: Access-Request packet from host 192.168.x.253:59308, id=0, length=198 Sending Access-Reject of id 0 to 192.168.x.253 port 59308 Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 0 with timestamp 483280fa Nothing to do. Sleeping until we see a request. If you have any idea it would help me much, i can provide my config files if u want. Thks a lot Thomas Tribolet 2008/5/20 Ranner, Frank MR <Frank.Ranner@defence.gov.au>:
UNCLASSIFIED
From: freeradius-users-bounces+frank.ranner=defence.gov.au@lists.freeradius.or g [mailto:freeradius-users-bounces+frank.ranner<freeradius-users-bounces%2Bfrank.ranner> =defence.gov.au@lists.freer adius.org] On Behalf Of Tribes Tom Sent: Monday, 19 May 2008 18:33 To: FreeRadius users mailing list Subject: Re: users advanced configuration [SEC=UNCLASSIFIED]
Can you explain how to do this ?
I have try this :
DEFAULT Auth-Type = ldap,Max-Daily-Session := 3600,Ldap-UserDN := `uid=%{User-Name},ou=heure,dc=network,dc=local`
All three element of your test are assignments that always return true. You compare using == not := Try: DEFAULT Ldap-UserDN == `uid=%{User-Name},ou=heure,dc=network,dc=local`, Max-Daily-Session := 3600
Or
DEFAULT Ldap-UserDN =~ "^uid=.*,ou=heure,dc=network,dc=local$", Max-Daily-Session := 3600
Matching is done from left to right, so Max-Daily-Session is only set if the Ldap-UserDN matches. It is probably unnecessary to set Auth-Type.
Regards, Frank Ranner
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Ivan Kalik -
Ranner, Frank MR -
Tribes Tom -
tribestom