Re: proxy request when database is referering to ldap server
Hi Alan,
Please find the configuration in the users file & proxy.conf file. Please let me know if i am missing or wrong configuration is done is achieve my objective.
Radiusd.conf file:
modules { pap { encryption_scheme = clear } chap { authtype = CHAP } pam { pam_auth = radiusd } unix { cache = no cache_reload = 600 radwtmp = /var/log/radius/radwtmp } mschap { authtype = MS-CHAP #use_mppe = no #require_encryption = yes #require_strong = yes #with_ntdomain_hack = no } ldap ldap_primary { server = 1.1.1.1 port = 1234 identity = "kjd" password = sdkjf basedn = sdjkf filter = "kjgf" start_tls = no access_attr = "dialupacces" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 #password_header = "{SHA}" password_attribute = fdsjk groupname_attribute = dj groupmembership_filter = "kjf" groupmembership_attribute = jkl timeout = 4 timelimit = 3 net_timeout = 1 access_attr_used_for_allow = no } ldap ldap_secondary { server = 2.2.2.2 port = 1234 identity = "kjd" password = sdkjf basedn = sdjkf filter = "kjgf" start_tls = no access_attr = "dialupacces" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 #password_header = "{SHA}" password_attribute = fdsjk groupname_attribute = dj groupmembership_filter = "kjf" groupmembership_attribute = jkl timeout = 4 timelimit = 3 net_timeout = 1 access_attr_used_for_allow = no } passwd etc_passwd { filename = /var/etc/passwd format = "*User-Name::User-Password" delimiter = : } passwd etc_group { filename = /var/etc/group format = "~Group-Name::*,User-Name" delimiter = : } realm suffix_oblic { format = suffix delimiter = / ignore_default = no ignore_null = no } realm prefix_oblic { format = prefix delimiter = / ignore_default = no ignore_null = no } realm suffix_at { format = suffix delimiter = @ ignore_default = no ignore_null = no } realm prefix_at { format = prefix delimiter = @ ignore_default = no ignore_null = no } realm suffix_percent { format = suffix delimiter = % ignore_default = no ignore_null = no } realm prefix_percent { format = prefix delimiter = % ignore_default = no ignore_null = no } checkval { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string #notfound-reject = no } preprocess { huntgroups = ${confdir}/huntgroups hu_int32_ts = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users compat = no } .. .. } instantiate { #exec #expr ldap_primary ldap_secondary } authorize { preprocess #etc_passwd #etc_group chap mschap suffix_oblic prefix_oblic suffix_at prefix_at suffix_percent prefix_percent files redundant { ldap_primary ldap_secondary } eap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } Auth-Type LDAP { redundant { ldap_primary ldap_secondary } } #unix eap } post-auth { } pre-proxy { } post_proxy { eap } Users file: -------------- # primary ldap group policy configuration # WLAN Allow policy for the groups DEFAULT ldap_primary-Ldap-Group == "sales",VSA-Attr-4 =~ "1",Login-Time := "Any0000-2359" Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = 1 DEFAULT ldap_primary-Ldap-Group == "marketting",VSA-Attr-4 =~ "2",Login-Time := "Any0000-2359" Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = 10 # WLAN Deny policy for the groups DEFAULT ldap_primary-Ldap-Group == "sales",VSA-Attr-4 =~ "2|3|4|5|6|7|8|9|10|11|12|13|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32",Auth-Type:=Reject DEFAULT ldap_primary-Ldap-Group == "marketting",VSA-Attr-4 =~ "1|3|4|5|6|7|8|9|10|11|12|13|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32",Auth-Type:=Reject # secondary ldap group policy configuration # WLAN Allow policy for the groups DEFAULT ldap_secondary-Ldap-Group == "sales",VSA-Attr-4 =~ "1",Login-Time := "Any0000-2359" Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = 1 DEFAULT ldap_secondary-Ldap-Group == "marketting",VSA-Attr-4 =~ "2",Login-Time := "Any0000-2359" Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = 10 # WLAN Deny policy for the groups DEFAULT ldap_secondary-Ldap-Group == "sales",VSA-Attr-4 =~ "2|3|4|5|6|7|8|9|10|11|12|13|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32",Auth-Type:=Reject DEFAULT ldap_secondary-Ldap-Group == "marketting",VSA-Attr-4 =~ "1|3|4|5|6|7|8|9|10|11|12|13|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32",Auth-Type:=Reject anonymous Anonymous DEFAULT Realm != "NULL" DEFAULT Auth-Type := Reject Proxy.conf file --------------------- proxy server { synchronous = no retry_delay = 5 retry_count = 3 dead_time = 120 default_fallback = yes post_proxy_authorize = no } realm user\@myorg\.com { authhost = 192.168.2.2:1812 accthost = 192.168.2.2:1813 secret = symbol123 nostrip } the request was proxied to 192.168.2.2 but it still tries to connect to ldap_primary Please correct me if im doing any wrong configuration. Thanks. On 7/19/06, Alan DeKok <aland@nitros9.org> wrote:
"sumi thra" <sumi.techno@gmail.com> wrote:
What you are saying is correct. But, i want proxy the request for some users and for others i still want to use ldap .. in that case the users file will have the policy for using LDAP & the proxy.conf file will have the realms configured.
That's pretty trivial to do.
When the server finds a matching realm, why is it trying to do ldap authentication? ie, why the users policy is getting applied?
Because you told it to.
Read the debug log. It *will* tell you what's going on.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"sumi thra" <sumi.techno@gmail.com> wrote:
Please find the configuration in the users file & proxy.conf file. Please let me know if i am missing or wrong configuration is done is achieve my objective.
Can you explain why you posted the configuration files when I told you the debug output was important? Alan DeKok.
participants (2)
-
Alan DeKok -
sumi thra